Tagged: iptables


How to make iptables rules permanent

To setup persistant iptables rules, after we enter our iptables as usual, we export them to config file.

iptables-save > /etc/iptables.conf

Edit your global rc.local file [/etc/rc.local] with your favorite editor and before the ‘exit 0’ add:

iptables-restore < /etc/iptables.conf

Save and restart, your iptables rules are now permanent

DMZ/HotLAN Traffic to LAN 0

DMZ/HotLAN Traffic to LAN

What we are essentially going to do here is to punch a hole through our proxy using iptables

The basic syntax for letting an entire DMZ network use a particular port on LAN is as follows..

iptables -I FORWARD -s DMZNetwork/24 -d LANNetwork/24 -p tcp --dport 80 -j ACCEPT

This will let the DMZ network communicate to the LAN network but only via port 80 (in the case where you have an internal server or multiple internal servers you wish everyone to access).

To let only one ip through (for instance if you want your mail server to authenticate with an active directory or ldap/ldaps server

iptables -I FORWARD -s -d -p tcp --dport 636 -j ACCEPT

Where is the machine on the hotlan/dmz and is our Active Directory/Ldaps server..

Note: the above example is set for ldaps, if you prefer use ldap (unencrypted, not recommended) change to port 389