LinuxQuestions.org


joe_gubat 06-15-2011 04:11 AM

iptables
 
I have a Linux box with 2 NICs and configured iptables for my firewall. I DROP all the tables except for ports 22 and 80, and apparently I can still use FTP and torrents, which are not on the ACCEPT list. Below is the configuration of the iptables:
(external:eth0) w/ internet
(external ip: 124.xxx.xxx.xxx)
(internal:eth1) local network
(internal ip: 192.168.1.1)


iptables -P FORWARD DROP
iptables -L
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 124.xxx.xxx.xxx
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -D INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -D OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
iptables -D INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -D OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP

Need help!

I think in some way I missed something. Can anyone help on this? Thanks!

Thanks!

rayfordj 06-15-2011 09:03 PM

Given your rules, any client connection forwarded from the LAN is allowed, and subsequent (related, established) connections coming from the Internet are allowed (forwarded) back to the client. This is often typical or common of "simple" firewall/router configs I have observed.

Additionally, the -D option is to delete a rule from the given chain.

If for example, you only wish to allow LAN clients to access standard web ports (80,443), you might do something like this:
(going off the top of my head, but I believe it to be accurate)
Code:

iptables -F
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 124.xxx.yyy.zzz
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m tcp -p tcp -m multiport \
    --dports 80,443 -j ACCEPT -m comment --comment "LAN Client to Web"
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j REJECT


What is it exactly you wish to accomplish? And from where... Internet to LAN? LAN to Internet? LAN to router/firewall?

joe_gubat 06-15-2011 11:41 PM

What I want to accomplish here is that all connections will pass through the firewall, where I can block certain ports like 21.

By the way, thanks for the reply.

joe_gubat 06-16-2011 12:22 AM

I tried your code and still no luck with the browsing. Below is the code:

# Generated by iptables-save v1.4.4
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [2079:187489]
:OUTPUT ACCEPT [95:10817]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m tcp -p tcp -m multiport --dports 80,22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j REJECT
COMMIT
# Completed on Thu Jun 16 10:56:06 2011
# Generated by iptables-save v1.4.4 on Thu Jun 16 10:56:06 2011
*nat
:PREROUTING ACCEPT [2616:162629]
:OUTPUT ACCEPT [26:1799]
:POSTROUTING ACCEPT [26:1799]
-A POSTROUTING -o eth0 -j SNAT --to 124.xxx.yyy.zzz
COMMIT
# Completed on Thu Jun 16 10:56:06 2011
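As an added illustration (not code from any post in this thread): a small Python model of the FORWARD chain from the iptables-save output above, walked top-down the way the kernel does. It shows that a NEW UDP/53 DNS query from a LAN host falls through to the REJECT rule, a common reason browsing by hostname fails while an SSH session to a bare IP address still works; the packet fields and the 192.168.1.20 client address are constructed.

```python
import ipaddress

# Constructed copy of the FORWARD chain exactly as it appears in the poster's dump.
RULES_SAVE = """\
:FORWARD DROP [2079:187489]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m tcp -p tcp -m multiport --dports 80,22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j REJECT
"""

# Only the options present in the dump are understood; "-m <module>" loaders carry no criteria.
OPTS = {"-i": "in", "-o": "out", "-s": "src", "-p": "proto",
        "--dports": "dports", "--dport": "dports", "--state": "states", "-j": "target"}

def parse_chain(text, chain="FORWARD"):
    """Return (policy, rules) for one chain; each rule is a dict of criteria plus its target."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] == f":{chain}":
            policy = tok[1]
        elif tok[:2] == ["-A", chain]:
            rule, i = {}, 2
            while i < len(tok):
                if tok[i] != "-m":
                    rule[OPTS[tok[i]]] = tok[i + 1]
                i += 2
            rules.append(rule)
    return policy, rules

def rule_matches(rule, pkt):
    """Every criterion in the rule must hold; absent criteria are wildcards, as in iptables."""
    if "in" in rule and rule["in"] != pkt["in"]: return False
    if "out" in rule and rule["out"] != pkt["out"]: return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]): return False
    if "proto" in rule and rule["proto"] != pkt["proto"]: return False
    if "dports" in rule and str(pkt["dport"]) not in rule["dports"].split(","): return False
    if "states" in rule and pkt["state"] not in rule["states"].split(","): return False
    return True

def forward_verdict(pkt, rules_text=RULES_SAVE):
    """First matching rule's target wins; if nothing matches, the chain policy applies."""
    policy, rules = parse_chain(rules_text)
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy

def lan_client(proto, dport):
    """Constructed NEW packet from a LAN host behind eth1 heading out through eth0."""
    return {"in": "eth1", "out": "eth0", "src": "192.168.1.20",
            "proto": proto, "dport": dport, "state": "NEW"}
```

Running `forward_verdict(lan_client("udp", 53))` returns REJECT while `lan_client("tcp", 22)` returns ACCEPT, matching the symptom reported in the thread.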

rayfordj 06-16-2011 09:22 AM

If this isn't closer to what you seek then we'll need to discuss in a bit more detail your configuration and testing methodology.

Code:


iptables -F

iptables -t nat -P PREROUTING DROP
iptables -t nat -A PREROUTING -i eth1 -s 192.168.1.0/24 -m tcp -p tcp -m multiport \
    --dports 22,80,443 -j ACCEPT -m comment --comment "LAN Client to Web and SSH"
iptables -t nat -A PREROUTING -i eth1 -s 192.168.1.0/24 -j REJECT

iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -m tcp -p tcp -m multiport --dports 22,80,443 \
    -m state --state NEW -j ACCEPT -m comment --comment "LAN to Router-Firewall"
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -m icmp -p icmp -j ACCEPT
iptables -A INPUT -i eth1 -j REJECT

iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m tcp -p tcp -m multiport \
    --dports 22,80,443 -j ACCEPT -m comment --comment "LAN Client to Web and SSH"
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j REJECT

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 124.xxx.yyy.zzz


joe_gubat 06-22-2011 03:43 AM

I did try it again using the latest code that you gave me; still the browsing doesn't work, but I have SSH.

theNbomr 06-22-2011 08:52 AM

I recommend using a canned firewall package that is tailored to your common scenario. There are many non-obvious ways to harden a firewall, and a good package will employ these. The package I have used for years and prefer is HomeLanSecurity. It provides a convenient structure for customization, and can be installed as a standard service with the usual 'start/stop/restart' capability.
--- rod.

