LinuxQuestions.org
Old 09-13-2008, 05:02 AM   #1
chochem
need help reviewing iptables rules


I'm setting up my router with iptables and I was wondering if I could get somebody more experienced with this to review my setup. It's running a number of services (printer, NAS, wireless) but mostly for my own benefit, so I just want to be able to access them from my laptop and not for internet users to see them - with the exception of it also running rtorrent (ports 51777:51780). Forwarding I've allowed the most common ones plus a hole for a couple of transmission torrents on 51413 and Nicotine/Soulseek on 2234-2240.

Does this look reasonable? Any glaring holes? I have been wondering a bit why I need to allow established/related for INPUT. I can log in to the router without it but no internet (DNS?)

Code:
# FORWARD
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -p tcp -m multiport --dport 21,25,80,443 -j ACCEPT
iptables -A FORWARD -p tcp --dport 51413 -j ACCEPT
iptables -A FORWARD -p tcp --dport 2234:2240 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# INPUT
iptables -P INPUT DROP
iptables -F INPUT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 51777:51780 -j ACCEPT
iptables -A INPUT -p tcp -i ! vlan1 -j ACCEPT
iptables -A INPUT -p udp -i ! vlan1 -j ACCEPT
(vlan1 is the device with my external IP according to ifconfig, so I gather that means it's the 'this way to the internet' hole)

Thanks in advance.

Last edited by chochem; 09-13-2008 at 05:08 AM.
 
Old 09-13-2008, 10:44 PM   #2
GlennsPref
Allowing established/related allows responses to your calls to come back in.

## --- FORWARD CHAIN --- ##
# Stateful inspection -- Forward in connections already established
$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT

## --- INPUT CHAIN --- ##
# Stateful inspection -- Allow packets in from connections already established
$IPTABLES -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

Where EXT_IF=ppp0 INT_IF=eth0
 
Old 09-14-2008, 03:49 AM   #3
chochem
Thanks but I got that part already. What I meant was that since I already had rules allowing tcp/udp traffic from any other interface than the outward one (vlan), I didn't understand what I needed the state one for.
 
Old 09-14-2008, 06:01 AM   #4
GlennsPref
OK, sorry, I missed the point and I may not be experienced enough.

But to try and be helpful, there is a site called "easyfwgen" that may help you configure the firewall (iptables), but you probably don't need that.

There are also a few sites that you can use to check: Shields Up from www.GRC.com (Gibson Research Corp.), which only checks the first 1500 ports, so the most used ones,

and http://www.dslreports.com/ this is a bit more complicated but offers a real perspective of what ports are accessible from the web.

I hope this helps.

Even if you run the easyfwgen to get an idea, save your iptables file first, of course, but this may shine some light where we have missed.

Also, iptables is pretty secure (stealthy) without user intervention.

See how you go, and I hope that an expert soon corrects me if I am wrong (outrageously).

I'm pretty sure it is good as you have it, but I hope I have given you a few ways to check.

Sincerely, Glenn
 
Old 09-14-2008, 06:08 AM   #5
GlennsPref
The "state" means one you have already started (stateful).

If you ask for it, you get a response from it (the web page).

Stateful inspection means that the packet is checked to see if you asked for it; if so you get it, but if someone (unlike me) tries to dial you up (or ping your IP address), there is no prerequisite state on your system, so the incoming request is dropped, no response, and so the target, from the web, is stealthy (does not exist). Iptables is very good at this.
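As an added illustration (not part of the thread), a small Python model of chochem's INPUT chain answers the question in post #1 directly: LAN-side packets are already accepted by the "-i ! vlan1" rules, but replies to connections the router itself opens (for example its own DNS lookups) come back in on vlan1, where only the ESTABLISHED,RELATED rule lets them through. All addresses and the "br0" LAN interface name are constructed for the example.

```python
from dataclasses import dataclass

EXT_IF = "vlan1"  # external interface named in the original post


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on (INPUT) or leaves by (OUTPUT)
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Toy conntrack plus the INPUT chain from the post; policy is DROP."""

    def __init__(self, state_rule: bool):
        self.state_rule = state_rule   # is the ESTABLISHED,RELATED rule present?
        self.conntrack = set()         # flows the router itself has initiated

    def send(self, pkt: Packet) -> None:
        # OUTPUT is not filtered in the post; conntrack still records the flow.
        self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def established(self, pkt: Packet) -> bool:
        # An incoming packet is ESTABLISHED if it is the reverse of a known flow.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack

    def input_chain(self, pkt: Packet) -> str:
        if self.state_rule and self.established(pkt):          # -m state --state ESTABLISHED,RELATED
            return "ACCEPT"
        if pkt.proto == "tcp" and 51777 <= pkt.dport <= 51780:   # -p tcp --dport 51777:51780
            return "ACCEPT"
        if pkt.proto in ("tcp", "udp") and pkt.iface != EXT_IF:  # -p tcp/udp -i ! vlan1
            return "ACCEPT"
        return "DROP"                                            # -P INPUT DROP


# Constructed addresses (documentation/private ranges); nothing here is real.
ROUTER_IP, LAN_IP, DNS_IP, NET_HOST = "198.51.100.7", "192.168.1.20", "192.0.2.53", "203.0.113.9"


def dns_reply_verdict(state_rule: bool) -> str:
    """Router sends a DNS query out vlan1; the reply arrives on vlan1, dport 40000."""
    r = Router(state_rule)
    r.send(Packet(EXT_IF, "udp", ROUTER_IP, 40000, DNS_IP, 53))
    return r.input_chain(Packet(EXT_IF, "udp", DNS_IP, 53, ROUTER_IP, 40000))


def verdict(iface: str, src: str, dport: int) -> str:
    """Unsolicited TCP SYN to the router on the given interface and port."""
    return Router(True).input_chain(Packet(iface, "tcp", src, 51000, ROUTER_IP, dport))
```

Without the state rule the DNS reply is dropped (it arrives on vlan1 and port 40000 is not opened), which is exactly the "can log in but no internet" symptom; unsolicited SYNs from the internet to port 22 are dropped either way, while the rtorrent range and LAN-side traffic are accepted.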
 
Old 09-15-2008, 03:39 AM   #6
chochem
Thanks for the links - I'll check 'em out
 