am i doing this correctly?
Hello
Would just like you to take a look at my iptables firewall rule set, and let me know if I am missing anything out, or not allowing any essentials through, for an efficient and effective Linux router:
Code:
# Clear those tablez
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Do the funky masquerading
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# INPUT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j REJECT

# FORWARD: Allow all connectionz out, but only existing and related ones
# back in
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -j REJECT
NTL has been a little slow recently, although I know they're having DNS problems ... Just wanted to make sure it wasn't partly my fault!
TIA
Duncan |
I'd say that you'd be better off using the default policies for a chain instead of using an all-matching iptables -A INPUT -j REJECT. So ...
Code:
iptables -P INPUT DROP
HTH
Jamie... |
You are not supposed to use -j MASQUERADING on Ethernet devices, only on DHCP/PPP adapters.
Put iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT on top (use -I instead of -A). |
I thought that the ESTABLISHED,RELATED rules that I have for INPUT and FORWARD would also include all the related ICMP codes?? Am I wrong, and need to explicitly allow other ICMP types through?? Noerr: I have an iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT rule? Sorry, I am a little confused as to what you mean; you need MASQUERADING and forwarding for it to work ... Duncan |
You're probably right about masquerading (but every manual says that you are only supposed to use it with DHCP).
Regarding iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT: I would execute the above before iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT so it's higher in the list of iptables rules (if you use -A, add chain, it will add it at the end of the rules; if you use -I it will insert it at the top of the list -- that was my point).
Note however that if you block your INPUT you won't be able to use DNS or RPC from your server, and I think that closed port 113 (auth) is slowing your network down (I may be wrong). |
Are you saying the iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT rule should be first, or the rule with ESTABLISHED,RELATED?? I have a rule that rejects port 113 (auth) with tcp-reset, so that shouldn't be the problem ..... Cheers Duncan |
Sorry for being unclear.
This should go first: iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT |
Thank you .. that is what I have first; here are my two FORWARD chain rules:
Code:
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Simple, but should be everything necessary?? |
Good, innit :p
Gotta love stateful firewalls. But I am assuming these two rules alone cater for all needed ICMP messages too? I use the following rule for port 113:
Code:
iptables -A INPUT -i eth1 -p tcp --dport 113 -j REJECT --reject-with tcp-reset
Means the port is closed immediately with a TCP RST packet.. Cheers Duncan |
But I don't need to allow any extra types through that aren't requested/apply to those rules?
For example.... I allow ICMP echo requests, so I can reply to them .... any others? Duncan |
Incoming, you'll typically want to allow echo-requests in, but there are also ICMP messages like destination unreachable etc. that you should look into. Did you follow the URL in my first post?
cheers Jamie... |