Old 10-13-2003, 11:52 AM   #1
goldfish
Member
 
Registered: Aug 2003
Location: UK
Distribution: Gentoo / Debian
Posts: 58

Configuring IPTABLES


Okay, I'm at a bit of a loss with this one. The only way I can see to get iptables to work properly with my servers that I'm running on my Debian box is to start it up after all the servers have loaded. But then when I restart (which does happen occasionally) it blocks everything up again!

I've got Apache, SSH, vsftp, and a pop3 server running on this box, and I want all of the servers to be able to access the net from bootup.

I also need to find some info concerning mysql-server, and how to make sure that only localhost can access it.
 
Old 10-13-2003, 01:01 PM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

If your iptables rules are blocking your servers, it just means your rules aren't set up properly. On my box, the iptables rules are loaded before the ethernet card is brought up, which is definitely before any servers are started and none of my servers (httpd, sshd, mysqld) have any problem with access.

If you want to block external access to mysql, you can do it with a rule like this:

iptables -A INPUT -i eth0 -p TCP --dport 3306 -j DROP


This would drop anything heading for port 3306 (assuming that is what you are running mysql on) that is coming from your ethernet card (again assuming your external connection is on eth0). Unless I'm completely mistaken, this should still allow localhost to access mysql.
 
Old 10-14-2003, 01:21 PM   #3
goldfish
Member
 
Registered: Aug 2003
Location: UK
Distribution: Gentoo / Debian
Posts: 58

Original Poster
Thanks.

Is there any sort of newbies guide to iptables anywhere? All I need to do really is know how to allow access to certain ports (TCP) on my ethernet card, i.e. to allow requests on port 80, 23, 21, etc.
 
Old 10-14-2003, 02:22 PM   #4
Mathieu
Senior Member
 
Registered: Feb 2001
Location: Montreal, Quebec, Canada
Distribution: RedHat, Fedora, CentOS, SUSE
Posts: 1,403

Take a look at the documents and tutorials on netfilter / iptables.
Look for the Packet Filtering HOWTOs.
http://www.netfilter.org/documentation/
 
Old 10-14-2003, 03:45 PM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

There is also the iptables tutorial at FrozenTux. It is kind of heavy going, but pretty much everything you need to know is in there somewhere.

However, opening up specific ports is pretty easy. Personally, I think it is best to lock everything down by having the table defaults set to DROP like this:

iptables -P INPUT DROP

Then I open just the ports I want, like ssh:

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

That way everything gets dumped except the traffic that you specifically allow. To my way of thinking that is much better than allowing everything and only denying the things you think of.

Last edited by Hangdog42; 10-14-2003 at 03:50 PM.
 
Old 10-15-2003, 03:50 PM   #6
goldfish
Member
 
Registered: Aug 2003
Location: UK
Distribution: Gentoo / Debian
Posts: 58

Original Poster
Thanks

Umm, there is one problem with the above tip. It seems I can't access anything from the box any more, i.e. mozilla won't work, apt-get won't work, they don't resolve host names. What should I make unblocked to allow me to use www browsers and apt-get?
 
Old 10-15-2003, 05:14 PM   #7
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

You need to allow NEW, ESTABLISHED and RELATED packets through the firewall. So on my input chain, I've got these two rules:

iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

You also might need:
iptables -A INPUT -p tcp --syn -j ACCEPT

And on the OUTPUT chain I do the same thing only the --state is NEW,ESTABLISHED,RELATED for both tcp and udp:

iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


Rather than looking at specific ports, these rules look at the state of the packet and NEW,ESTABLISHED and RELATED states are all states from connections originating within your computer so someone from the outside can't use them to get in. See the FrozenTux tutorial for the fine details.
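One ordered ruleset that pulls together posts #2, #5 and #7 above, as an added example that is not code from anyone in the thread: it allows loopback and return traffic first (which is what fixes the DNS/apt-get breakage in post #6), drops 3306 on the external interface, opens the listed service ports, and sets the INPUT policy to DROP last so an existing ssh session is not cut off mid-load. Assumed: eth0 is the external interface and the services are sshd, httpd, ftpd and pop3 on 22, 80, 21 and 110; the `--syn` accept from post #7 is left out because under a DROP policy it would accept every new inbound TCP connection.

```shell
#!/bin/sh
# Added example (not from the thread). By default this only PRINTS the
# iptables commands so you can review them; run "sh firewall.sh apply"
# as root on the box to execute them.
WAN_IF="${WAN_IF:-eth0}"                      # assumed external interface
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-22 80 21 110}"  # sshd, httpd, ftpd, pop3

build_rules() {
    # Clean slate so re-running does not stack duplicate rules.
    echo "iptables -F INPUT"
    echo "iptables -F OUTPUT"
    # Outbound stays open, matching the NEW,ESTABLISHED,RELATED OUTPUT rules in post #7.
    echo "iptables -P OUTPUT ACCEPT"
    # Loopback must be allowed explicitly; otherwise INPUT DROP also cuts off
    # localhost clients such as the local mysql client from post #2.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host opened (post #7). This is what lets
    # DNS answers, apt-get and the browser back in. Note: no space after the comma.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Keep mysql off the wire even if a later rule opens it by mistake (post #2).
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 3306 -j DROP"
    # One ACCEPT per exposed service, new connections only (post #5).
    for port in $OPEN_TCP_PORTS; do
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Default-deny inbound goes last, after the allow rules are in place.
    echo "iptables -P INPUT DROP"
}

# Sanity check before applying: how many rules ACCEPT traffic to a TCP port?
rules_opening_port() {
    build_rules | grep -c -- "--dport $1 .*-j ACCEPT" || true
}

if [ "$1" = "apply" ]; then
    build_rules | sh -e     # execute for real (needs root and the iptables binary)
else
    build_rules             # dry run: show what would be executed
fi
```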