LinuxQuestions.org
Forum: Linux - Networking
Thread: Some iptables settings for testing needed

#1  04-30-2008, 08:11 AM
khandu (Member; registered Sep 2003; 79 posts)


Hi

I am using Fedora Core 8 on VMware with Vista. My Windows and Linux can ping each other, and I am also connected to another VMware via crossover cable. We all can ping each other, no problems in that.

Now on Linux I am supposed to test some iptables commands. I am mentioning the ones below which I couldn't do and need help with.

1) reject all traffic coming to all UDP ports (see if you can block all of them, if you cannot then try to block some UDP ports).

2) allow traffic coming to port 80 but reject traffic coming out through port 80.

3) block all email coming in and out of your network. Internal email is allowed.

What commands do I use for it, and how do I test blocked UDP ports?

My other problem is testing. For internal network testing, what we have done is put crossover cables in the same subnet (192.168.1.1 etc.), and we all can ping each other and we are on the same subnet. Now we are supposed to check some access from an external network (like question 3). If we change the subnet of one computer to 10.0.0.0 or something, we cannot ping each other anyway, so we cannot test any packets coming in or out. So via crossover cable, is it possible to test both the external network and the internal network?

Thanks a lot
 
#2  04-30-2008, 11:37 AM
win32sux (Guru; registered Jul 2003; Los Angeles; Ubuntu; 9,870 posts)
Quote:
Originally Posted by khandu
1) reject all traffic coming to all UDP ports (see if you can block all of them, if you cannot then try to block some UDP ports).
I assume you only want to block incoming UDP streams which aren't related to outgoing ones. Because if you filter all incoming UDP packets then you won't, for example, be able to receive results for your DNS queries. So:
Code:
# Replies to queries this box sent (DNS answers, for example) are RELATED/ESTABLISHED
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Any other UDP arriving at the box is dropped without a reply
iptables -A INPUT -p UDP -j DROP
Quote:
2) allow traffic coming to port 80 but reject traffic coming out through port 80.
If by "coming out" you mean from the box itself:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections to the local web server are let in
iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT

iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections from the box itself to port 80 anywhere are refused
iptables -A OUTPUT -p TCP --dport 80 -m state --state NEW -j REJECT
If by "coming out" you mean from the network:
Code:
# LAN_IFACE and WAN_IFACE stand for the internal and external interface names (eth1, eth0, ...)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections from the LAN, routed through the box, to port 80 outside are refused
iptables -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE \
--dport 80 -m state --state NEW -j REJECT

Quote:
3) block all email coming in and out of your network. Internal email is allowed.
Code:
# Refuse new SMTP (25) and POP3 (110) connections from the LAN towards the outside;
# mail between internal hosts never passes through FORWARD on these interfaces
iptables -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE \
-m multiport --dports 25,110 -m state --state NEW -j REJECT
Keep in mind that these are simply direct answers to the questions. I don't suggest you actually go about doing this like this in real life. You really should take the opposite approach instead. In other words, filter everything then make ACCEPT rules for the stuff you want to allow.

Quote:
What command to use for it and how do I test blocked UDP ports??
Start by reading about using Nmap with UDP.

Quote:
via crossover cable is it possible to test external network and internal network both?
Yes.

Last edited by win32sux; 04-30-2008 at 11:40 AM.
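The "filter everything, then ACCEPT what you want" approach recommended above, written out for the three exercises as a loadable script. This is an added example, not code from the thread or from win32sux. It assumes things the posts do not state: the box is the router, eth1 faces the internal network and eth0 the outside, the LAN still needs DNS and general TCP access to the outside, and the mail port list is widened beyond 25 and 110 to the other common SMTP/POP3/IMAP ports. Setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not part of the thread.  Default-deny ruleset for the three exercises.
# Assumptions not in the original posts: this box is the router, eth1 is the internal
# side, eth0 the external side; IPT=echo prints the rules instead of loading them.

IPT="${IPT:-iptables}"
LAN_IFACE="${LAN_IFACE:-eth1}"
WAN_IFACE="${WAN_IFACE:-eth0}"
# SMTP, POP3, IMAP and their submission/TLS ports; the thread itself only lists 25 and 110.
MAIL_PORTS="25,110,143,465,587,993,995"

firewall_rules() {
    # Start clean and default-deny every chain, so anything not listed below is dropped.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback, and the return half of connections that were already allowed.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT   -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Exercise 1 (no inbound UDP) needs no rule of its own: the INPUT policy already
    # drops every UDP packet that is not a reply to a query this box sent.

    # Exercise 2: the web server is reachable from anywhere, but neither this box nor
    # the LAN behind it may open a new connection to port 80 elsewhere.  A TCP RST makes
    # the client fail at once instead of waiting for a timeout.
    $IPT -A INPUT   -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT  -p tcp --dport 80 -m state --state NEW -j REJECT --reject-with tcp-reset
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -p tcp --dport 80 \
         -m state --state NEW -j REJECT --reject-with tcp-reset

    # Exercise 3: mail may not cross the LAN/WAN boundary in either direction.  Mail
    # between internal hosts never traverses FORWARD on these two interfaces, so it is
    # unaffected.  These REJECTs must sit above the general LAN->WAN ACCEPT further down.
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -p tcp -m multiport --dports "$MAIL_PORTS" \
         -m state --state NEW -j REJECT --reject-with tcp-reset
    $IPT -A FORWARD -i "$WAN_IFACE" -o "$LAN_IFACE" -p tcp -m multiport --dports "$MAIL_PORTS" \
         -m state --state NEW -j REJECT --reject-with tcp-reset

    # What is still allowed out: DNS for the box itself, DNS plus any TCP for the LAN.
    $IPT -A OUTPUT  -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT  -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -p tcp -m state --state NEW -j ACCEPT

    # Rate-limited log of whatever falls through to the DROP policies, so test probes
    # from the outside show up in the kernel log.
    $IPT -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "IPT-FORWARD-DROP: "
}

# Usage: "sh firewall.sh show" prints the rules; "sh firewall.sh apply" loads them (as root).
case "${1:-}" in
    show)  IPT=echo; firewall_rules ;;
    apply) firewall_rules ;;
esac
```

Rule order is the part that bites: the REJECTs for port 80 and for the mail ports have to come before the broad LAN->WAN TCP ACCEPT, or they never match. Run the script with show first and read the output top to bottom before loading it.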
 
#3  05-01-2008, 04:59 AM
khandu (Member; original poster)
Quote:
Originally Posted by win32sux
[reply #2 quoted in full]
Hey, how do you test the external network via crossover cable? As I have mentioned above, internal we can test. How can I make one external network and then try the iptables rules?
 
#4  05-01-2008, 02:11 PM
win32sux (Guru)
Quote:
Originally Posted by khandu
Hey, how do you test the external network via crossover cable? As I have mentioned above, internal we can test. How can I make one external network and then try the iptables rules?
It really is as simple as plugging your laptop into the WAN interface of the iptables box and running your tests. You can give your laptop pretty much any Internet IP you wish.

Last edited by win32sux; 05-01-2008 at 02:12 PM.
 
#5  05-01-2008, 07:38 PM
khandu (Member; original poster)
Quote:
Originally Posted by win32sux
It really is as simple as plugging your laptop into the WAN interface of the iptables box and running your tests. You can give your laptop pretty much any Internet IP you wish.
Oh, did I forget to mention that the Linux is running on a laptop and is directly connected to another laptop via crossover cable? So I don't think there is any WAN interface in a laptop. Hope I'm right about it.
 
#6  05-01-2008, 10:02 PM
win32sux (Guru)
Quote:
Originally Posted by khandu
Oh, did I forget to mention that the Linux is running on a laptop and is directly connected to another laptop via crossover cable? So I don't think there is any WAN interface in a laptop. Hope I'm right about it.
It's the WAN interface on your iptables router/gateway/firewall - not the laptop. You'd plug your laptop into the WAN interface of the iptables router/gateway/firewall and test the WAN side from there. Perhaps I am not understanding your setup/question correctly. I've just re-read your first post and it sounds like you are trying to simulate some sort of network by using two machines, a crossover cable, and virtual machines. Is that the case? I was operating under the impression that this all revolved around one, real, iptables router/gateway/firewall.
 
#7  05-02-2008, 09:42 PM
khandu (Member; original poster)
Quote:
Originally Posted by win32sux
I've just re-read your first post and it sounds like you are trying to simulate some sort of network by using two machines, a crossover cable, and virtual machines. Is that the case?
Yes, that is correct. Just two laptops and a crossover cable; no other hardware involved.
 
#8  05-02-2008, 10:47 PM
win32sux (Guru)
Quote:
Originally Posted by khandu
Yes, that is correct. Just two laptops and a crossover cable; no other hardware involved.
Oh, okay. Cool. I'm gonna go ahead and move this over to Networking then, as it'll get more adequate exposure there. I personally don't have any experience using iptables with virtual machines, so I can't be of much help - but there's tons of LQ members who are very familiar with this sort of thing so help should be on the way.
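One way to get the "external" side that the thread never quite settles, and to answer the "how do I test blocked UDP ports" question from post #1, as an added example that is not from the thread or from any of its posters. It assumes a layout the posts do not describe: Linux runs in VMware on laptop 1 with two virtual NICs, eth1 on the host-only network (the Vista host is the internal client on 192.168.1.0/24) and eth0 bridged to the physical port on the crossover cable; laptop 2 is the external host and gets an address from 203.0.113.0/24 (TEST-NET-3, reserved for documentation, so it cannot collide with anything real). The iptables listings at the bottom are constructed sample data, not captured output.

```shell
#!/bin/sh
# Added example, not from the thread.  Interface names and addresses are assumptions:
# eth1 = VMware host-only side (LAN), eth0 = bridged side on the crossover cable (WAN).

FW_LAN_IP="${FW_LAN_IP:-192.168.1.1}"
FW_WAN_IP="${FW_WAN_IP:-203.0.113.1}"
EXT_IP="${EXT_IP:-203.0.113.2}"

# On the Linux VM (as root): address both sides and turn it into a router.  The Vista
# host's host-only adapter then gets 192.168.1.2/24 with 192.168.1.1 as its gateway.
lab_setup_firewall() {
    ip addr add "$FW_LAN_IP/24" dev eth1
    ip addr add "$FW_WAN_IP/24" dev eth0
    sysctl -w net.ipv4.ip_forward=1
}

# On laptop 2 (if it runs Linux; on Windows, set the same address by hand).
lab_setup_external() {
    ip addr add "$EXT_IP/24" dev eth0
}

# From laptop 2: probe the firewall's WAN address.  nmap reports a UDP port as
# "open|filtered" when nothing comes back (DROP), "closed" when an ICMP port-unreachable
# comes back, and "filtered" for other ICMP unreachables (REJECT --reject-with
# icmp-admin-prohibited).  Note that a plain -j REJECT on UDP answers with
# port-unreachable, so nmap then says "closed", exactly as it would with no firewall.
probe_from_outside() {
    nmap -sU -p 53,123,161 "$FW_WAN_IP"
    # a few raw datagrams so the firewall's counters move by a known amount
    i=0
    while [ "$i" -lt 5 ]; do
        printf 'probe' | nc -u -w1 "$FW_WAN_IP" 161 >/dev/null 2>&1 || true
        i=$((i + 1))
    done
}

# Packet counter of a chain's default policy from `iptables -nvxL CHAIN` output:
# "Chain INPUT (policy DROP 17 packets, 1360 bytes)" -> 17.  A probe that no rule
# ACCEPTed lands exactly here, so this is the number that must grow.
policy_packets() {
    printf '%s\n' "$1" | sed -n 's/^Chain [^ ]* (policy [A-Z]* \([0-9]*\) packets.*/\1/p'
}

# Packet counter of the first rule whose listing line matches the pattern.
rule_packets() {
    printf '%s\n' "$1" | awk -v pat="$2" '$0 ~ pat { print $1; exit }'
}

# Did at least N packets fall through to the policy between two listings?
udp_block_verified() {
    before=$(policy_packets "$1")
    after=$(policy_packets "$2")
    [ "$((after - before))" -ge "${3:-1}" ]
}

# Constructed listings standing in for `iptables -nvxL INPUT` taken on the firewall
# before and after probe_from_outside (5 datagrams plus 3 nmap probes hit the policy).
SAMPLE_BEFORE='Chain INPUT (policy DROP 17 packets, 1360 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     412    31022 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   10233  9822110 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       3      180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW'
SAMPLE_AFTER='Chain INPUT (policy DROP 25 packets, 1736 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     418    31470 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   10240  9822990 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       3      180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW'

# On the firewall, with real listings:
#   before=$(iptables -nvxL INPUT)   # then run probe_from_outside on laptop 2
#   after=$(iptables -nvxL INPUT)
#   udp_block_verified "$before" "$after" 5 && echo "UDP block confirmed"
```

The probes have to be sent from laptop 2, not from the firewall itself: datagrams aimed at the box's own address go over lo and match the loopback ACCEPT, so the policy counter never moves and the test proves nothing.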
 