LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 03-04-2003, 02:56 PM   #1
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
IPTables Sanity Check


Sanity check... My machine is sitting behind a router that forwards all HTTP, HTTPS, and SSH requests to my server. I'm also running a MySQL database, CUPS, and SENDMAIL, but those work locally on the server, so there is no need for the router to forward those requests. Because these services are working locally, I don't think it is necessary to define them in the "TCP rules" section below. I need a good pair of eyes to look at this one since I am an iptables newbie. Also, what is the difference between iptables and ip6tables?

# IPTables Script

# (1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# (2) User-Defined chain for ACCEPTed TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

# (3) INPUT chain rules

# Rules for incoming packets from the LAN
iptables -A INPUT -p ALL -i eth0 -s 192.168.0.0/8 -j ACCEPT

# Packets for established connections
iptables -A INPUT -p ALL -d 192.168.0.100 -m state --state ESTABLISHED,RELATED -j ACCEPT

# TCP rules

# SSH
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
# HTTP
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
# IDENTD (Necessary for IRC ?????)
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 113 -j okay
# HTTPS (SSL)
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay
# IPP
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 631 -j okay
# MySQL
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 3306 -j okay


# UDP rules
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j okay
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j okay


# ICMP rules
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 11 -j ACCEPT

# (4) OUTPUT chain rules
# Only output packets with local addresses (no spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.100 -j ACCEPT
iptables -A OUTPUT -p ALL -s 68.46.153.117 -j ACCEPT
 
Old 03-04-2003, 03:29 PM   #2
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
1) Your router is on the network 192.168.0.0/8, so by accepting all traffic from that network, you are accepting all traffic from the router also and hence, all traffic from the internet. This of course assumes your router is on eth0.

2) ip6tables is iptables for the IPv6 protocol.
 
Old 03-04-2003, 03:48 PM   #3
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Original Poster
Rep: Reputation: 57
Well, the router's public IP address is the one given to me by my ISP. It's something like 68.46.34.129. From the LAN the router's IP is 192.168.0.1. I see what you are saying. Isn't this how I want it set up, though? It does allow everything from the router in, but then it runs through the rest of the rules; doesn't it check to make sure that they are valid requests to the server?
 
Old 03-06-2003, 08:49 PM   #4
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Original Poster
Rep: Reputation: 57
Okay, I found a new problem with these iptables rules. For some reason I am unable to print while these rules are in effect. I have opened port 631 (IPP). I use CUPS for printing.

Does CUPS use UDP packets? I'm sure I'm missing something very simple here.
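A revised ruleset for the setup described in this thread, added here as an example (it is not the poster's script or a reply from the thread). It assumes the LAN is 192.168.0.0/24 rather than the /8 in the original (which covers all of 192.0.0.0/8), keeps MySQL out of the Internet-facing rules, and adds the loopback rule the original lacks, without which local connections to 127.0.0.1 (CUPS on 631, MySQL on 3306) fall through to the INPUT DROP policy.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumptions: the LAN is
# 192.168.0.0/24 (the original's /8 mask covers 192.0.0.0/8), the server is
# 192.168.0.100 on eth0, and MySQL and CUPS only need local or LAN clients.
# IPT defaults to printing the commands; run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
LAN="192.168.0.0/24"
WAN_IF="eth0"
SERVER="192.168.0.100"

build_rules() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback first: lp talks to CUPS and mysql to MySQL via 127.0.0.1,
    # which no rule restricted to eth0 can ever match.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host already tracks, on any interface,
    # then anything conntrack cannot classify.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Services the router forwards from the Internet: new TCP connections only.
    for port in 22 80 443; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # IPP for printers on the LAN only; no rule at all for 3306.
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN" -p tcp --dport 631 -m state --state NEW -j ACCEPT

    # Echo request and time-exceeded, as in the original.
    $IPT -A INPUT -i "$WAN_IF" -p icmp --icmp-type 8 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p icmp --icmp-type 11 -j ACCEPT

    # Outbound only from addresses this host owns (the original's anti-spoofing idea).
    $IPT -A OUTPUT -s 127.0.0.1 -j ACCEPT
    $IPT -A OUTPUT -s "$SERVER" -j ACCEPT
}

# Review helper: how many generated rules match a pattern (0 is a valid answer).
count_rules() {
    build_rules | grep -c -- "$1" || true
}

build_rules
```

Run it once without IPT set and read the printed commands; the count_rules helper lets you confirm that no rule mentions 3306 and that 631 is only reachable from the LAN before applying anything.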
 