Monday, November 2, 2009

Linux Security Notes 15: IPTables 6: Routing - Forward Chain


IPTables Routing (Forward Chain)
The FORWARD chain holds the rules that take care of routing.
Enabling routing.
# sysctl
This is the key utility that shows the running kernel parameters.
# sysctl net.ipv4.ip_forward
This shows the status of IPv4 routing on the local system.
# echo 1 > /proc/sys/net/ipv4/ip_forward
This turns on routing in the kernel.
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
This makes the routing setting permanent.
# route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.10
This adds a network route on the Linux host.

Using the FORWARD chain to manage routing.
All packets that are to be routed traverse the FORWARD chain on a Linux router.

Defining the Forward chain policy
1. Initially, set the default policy to drop all routed traffic at the firewall
# iptables -P FORWARD DROP
This drops all routed traffic as the default policy.
2. Specify only certain source networks to be routed
# iptables -A FORWARD -s 192.168.1.0/24 -d 10.0.0.0/8 -j ACCEPT
This allows traffic from the 192.168.1.0 network to 10.0.0.0. Return traffic coming back from the 10.0.0.0/8 network will not be accepted unless we define a state rule or a rule that allows traffic from that source.
or
# iptables -A FORWARD -m state --state NEW,ESTABLISHED -s 192.168.1.0/24 -j ACCEPT
This allows and routes all new and established connections from the 192.168.1.0 network to any destination.
3. Accept the return traffic
# iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
This accepts all established connections in the FORWARD chain, which allows the return traffic.
Alternatively, define a rule that allows the return traffic from the 10.0.0.0/8 network. Using the "state" match makes the firewall rule definition easier and more secure.

Logging the routing traffic in FORWARD Chain:
# iptables -N ROUTELOG
# iptables -A FORWARD -j ROUTELOG
# iptables -I ROUTELOG -j LOG
This creates a new chain and starts logging all routing activity.

Allowing a subnet to access the outside web
# iptables -A FORWARD -s 10.0.0.0/24 -p tcp --dport 80 -j ACCEPT

Allow UDP (DNS) queries to the outside
# iptables -A FORWARD -s 10.0.0.0/24 -p udp --dport 53 -j ACCEPT
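
The following check is an added example, not part of the original post: it audits `iptables -S FORWARD` output for the three things these notes rely on (default DROP policy, an unrestricted ESTABLISHED rule for return traffic, and where the ROUTELOG jump sits relative to the ACCEPT rules). The function names and the sample ruleset are constructed for illustration from the commands above, in the order they were entered.

```shell
#!/bin/sh
# Added example: audit `iptables -S FORWARD` output (read from stdin) against
# the policy built in these notes. One finding per line; no output = clean.
audit_forward() {
    awk '
        $1 == "-P" && $2 == "FORWARD" { policy = $3 }
        $1 == "-A" && $2 == "FORWARD" {
            pos++
            # Rules are matched top-down; ACCEPT ends traversal for a packet.
            if ($0 ~ /-j ACCEPT$/) {
                accepts++
                # A return-traffic rule must not be pinned to one source/destination.
                if ($0 ~ /--(state|ctstate) [A-Z,]*ESTABLISHED/ && $0 !~ / -[sd] /)
                    return_rule = 1
            }
            if ($0 ~ /-j ROUTELOG$/ && !log_pos) { log_pos = pos; before_log = accepts }
        }
        END {
            if (policy != "DROP")
                print "POLICY: FORWARD default policy is " (policy ? policy : "unknown") ", expected DROP"
            if (!return_rule)
                print "RETURN: no unrestricted ESTABLISHED accept rule; replies will hit the default policy"
            if (!log_pos)
                print "LOG: no jump to ROUTELOG"
            else if (before_log > 0)
                print "LOG: ROUTELOG jump at rule " log_pos " follows " before_log " ACCEPT rule(s); traffic they accept is never logged"
        }
    '
}

# Constructed sample: the rules from these notes as `iptables -S FORWARD` prints them.
sample_rules() {
    cat <<'EOF'
-P FORWARD DROP
-A FORWARD -s 192.168.1.0/24 -d 10.0.0.0/8 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -j ROUTELOG
-A FORWARD -s 10.0.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -p udp -m udp --dport 53 -j ACCEPT
EOF
}

sample_rules | audit_forward
```

On a live router, run it as `iptables -S FORWARD | audit_forward`. Because LOG does not stop rule traversal but ACCEPT does, the position of the ROUTELOG jump decides which routed packets are recorded.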
