Monday, November 2, 2009

Linux Securirty Notes 15: IPTables 6: Routing - Forward Chain

IPTables Routing (Forward Chain)
           The Forward chain holds the rules that take care of routing
Enabling the Routing.
This is the key utilities which shows the running kernel parameters.
#syscltl net.ipv4.ip_forward
This will show the status of the IPV4 routing in our local system.
# echo 1 > /proc/sys/net/ipv4/ip_forward
This will turn on the routing in kernel.
# vim /etcv/sysctl.conf
net.ipv4.ip_forward = 1
This will make the routing permanent.
# route add -net netmask gw
This will make the net routing in Linux host.

Forward Chain to Manage the Routing.
     All the packets that is subjected to route will traverse through Forward Chain in a Linux router.

Defining the Forward chain policy
1. Initially make the default policy to Drop all the routing traffic in firewall
# iptables -P FORWARD DROP
This will make all the routing traffic to be dropped as a default policy.
2. Specify only certain source network to be routed
# iptables -A FORWARD -s -d -j ACCEPT
This will allow the traffic from network to But the traffic from network if comes back will not be accepted until & unless we define a state rule or a rule that allows the traffic from the given source.
# iptables -A FORWARD -m state --state NEW,ESTABLISHED -s -j ACCPET
This will allow and route all the new and established connection from the network to any destination
3. Accept the return traffic
# iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
This will allow/accept all the established connection in the forward chain. This will allow the return traffic.
or define a rule that allows the return traffic from the network Here usage of the "state" rule makes the definition of the firewall rule more easier and secure.

Logging the routing traffic in FORWARD Chain:
# iptables -N ROUTELOG
# iptables -A FORWARD -j ROUTELOG
This will create a new chain and starts logging all the routing activities.

Allowing a subnet to access outer world web
# iptables -A FORWARD -s -p tcp --dport 80 -j ACCEPT

Allow the UDP(DNS) queries to outside
# iptables -A FORWARD -s -p udp --dport 53 -j ACCEPT

No comments:

Post a Comment

tag ur valuable ideas below