Red Hat Enterprise Linux 5 Administration Unleashed
502  CHAPTER 24  Configuring a Firewall

For example, to allow SSH connections to the server. Incoming connections arrive with destination port 22 and are seen by the INPUT chain; the server's replies leave with source port 22 and are seen by the OUTPUT chain:

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

On an internal web server with eth1 connected to the internal network and eth0 connected to the Internet, only accept web connections from internal clients on port 80, assuming all internal packets are routed to eth1. Drop all packets coming from the Internet, regardless of the port. Incoming requests carry destination port 80 and enter through eth1, so the INPUT rule matches on --dport and -i; the replies carry source port 80 and leave through eth1, so the OUTPUT rule matches on --sport and selects the interface with -o (the -i option is only valid in chains that see incoming packets):

    iptables -A INPUT -i eth0 -j DROP
    iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
    iptables -A OUTPUT -o eth1 -p tcp --sport 80 -j ACCEPT

Allow the server to masquerade packets from other systems using it as a gateway:

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

For this to work, IP forwarding must also be enabled in the kernel by changing the value of net.ipv4.ip_forward to 1 in /etc/sysctl.conf by the root user:

    net.ipv4.ip_forward=1

Changes to this file do not take effect until the sysctl -p command is executed by root.

Using the connlimit match extension, limit the number of simultaneous SSH connections to the server per client IP address to 3. The rule is appended to the INPUT chain, where the clients' connection requests (SYN packets to port 22) arrive:

    iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

Enabling the Default Firewall

If you just need to set which ports should accept connections and which ports should deny requests for connections, you can enable the default Red Hat Enterprise Linux firewall and then specify the ports on which to allow connections. This default firewall is a predefined set of IPTables rules.

Using this default set of rules and then adding ports on which to accept connections, instead of writing your own custom IPTables rules, works best for desktop systems that aren't offering any server or network services and for single-purpose systems that only need to accept connections on specific ports, such as the FTP port for an FTP server. To enable the default firewall, use the Security Level Configuration program in Red Hat Enterprise Linux. To start the program, select Administration, Security Level and Firewall from the System menu on the top panel on the desktop, or execute the system-config-securitylevel command. This is the same application used in the Setup Agent the first time the system is booted, as mentioned in Chapter 2, "Post-Installation Configuration." If you configured a security level with the Setup Agent, it can be modified with this tool at any time. To use this program, you must have the system-config-securitylevel RPM package installed. Refer to Chapter 3 for details on installing software.
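The internal web server ruleset described earlier on this page, combined with the masquerading and connlimit rules, as one added example script (not from the book). It assumes eth0 faces the Internet and eth1 the internal network, adds a default-deny policy and a stateful reply rule, and only prints the iptables commands unless run with the apply argument.

```shell
#!/bin/sh
# Added example (not from the book): the internal web server firewall from
# this chapter as one script. Assumptions: eth0 faces the Internet, eth1 the
# internal network. Without the "apply" argument nothing is changed; the
# iptables commands are only printed for review.
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
SSH_LIMIT=${SSH_LIMIT:-3}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it (requires root).
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

web_server_rules() {
    ipt -F
    ipt -t nat -F
    # Default deny: anything not explicitly accepted below is dropped.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback, and replies to connections this host opened or accepted.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Drop every new packet arriving from the Internet, regardless of port.
    ipt -A INPUT -i "$EXT_IF" -j DROP
    # At most SSH_LIMIT simultaneous SSH connections per internal client.
    ipt -A INPUT -i "$INT_IF" -p tcp --syn --dport 22 -m connlimit \
        --connlimit-above "$SSH_LIMIT" -j REJECT
    ipt -A INPUT -i "$INT_IF" -p tcp --dport 22 -j ACCEPT
    # Web requests from internal clients: destination port 80 on eth1.
    ipt -A INPUT -i "$INT_IF" -p tcp --dport 80 -j ACCEPT
    # Gateway duty: forward internal traffic out and masquerade it.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# MASQUERADE does nothing unless the kernel forwards; report the setting.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Number of rules the script would append to the given chain (dry run).
count_rules_in_chain() {
    (DRY_RUN=1; web_server_rules) | grep -c -- "-A $1 "
}

case "${1:-}" in
    apply) DRY_RUN=0; web_server_rules
           ip_forward_enabled || echo "warning: net.ipv4.ip_forward is 0; set it in /etc/sysctl.conf and run sysctl -p" >&2 ;;
    *)     web_server_rules ;;
esac
```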
