LinuxQuestions.org
Old 06-15-2011, 05:11 AM   #1
joe_gubat
LQ Newbie
 
Registered: Jun 2011
Posts: 6

Rep: Reputation: Disabled
iptables


I have a Linux box with 2 NICs and configured iptables for my firewall. I DROP all the tables except for ports 22 and 80, and apparently I can still use FTP and torrent, which are not on the ACCEPT list. Below is the configuration of the iptables:
(external:eth0) w/ internet
(external ip: 124.xxx.xxx.xxx)
(internal:eth1) local network
(internal ip: 192.168.1.1)


iptables -P FORWARD DROP
iptables -L
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 124.xxx.xxx.xxx
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -D INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -D OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
iptables -D INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -D OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP

Need help!

I think I am missing something somewhere. Can anyone help with this? Thanks!

Thanks!

Last edited by joe_gubat; 06-15-2011 at 09:20 AM.
 
Old 06-15-2011, 10:03 PM   #2
rayfordj
Member
 
Registered: Feb 2008
Location: Texas
Distribution: Fedora, RHEL, CentOS
Posts: 488

Rep: Reputation: 78
Given your rules, any client connection forwarded from the LAN is allowed, and subsequent (related, established) connections coming from the Internet are allowed (forwarded) back to the client. This is often typical or common of "simple" firewall/router configs I have observed.

Additionally, the -D option is to delete a rule from the given chain.

If for example, you only wish to allow LAN clients to access standard web ports (80,443), you might do something like this:
(going off the top of my head, but believe it to be accurate)
Code:
iptables -F
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 124.xxx.yyy.zzz
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m tcp -p tcp -m multiport \
     --dports 80,443 -j ACCEPT -m comment --comment "LAN Client to Web"
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j REJECT

What is it exactly you wish to accomplish? And from where... Internet to LAN? LAN to Internet? LAN to router/firewall?
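As an added illustration (not code from either post, and not something the OP or rayfordj wrote): netfilter evaluates a chain top to bottom and the first rule that fully matches decides, with the chain policy applying only when nothing matched. The script below simulates that for the FORWARD chain with two constructed rule tables, the one from post #1 and the port-restricted one from post #2, so you can see why FTP (21) and torrent traffic from the LAN is forwarded by the first and rejected by the second. The interface names, ports and packet descriptions are constructed for the demo; the `-D` lines from post #1 are left out entirely because, as noted above, `-D` deletes rules rather than adding them.

```shell
#!/bin/sh
# Added example: first-match simulation of the FORWARD chain.
# Rule tables constructed from posts #1 and #2. Columns:
#   in_if out_if ctstate dports target     ("-" means "any")
POSTED_FORWARD='
eth0 eth1 ESTABLISHED,RELATED - ACCEPT
eth1 eth0 - - ACCEPT
'
RESTRICTED_FORWARD='
eth0 eth1 RELATED,ESTABLISHED - ACCEPT
eth1 eth0 - 80,443 ACCEPT
eth1 eth0 - - REJECT
'
CHAIN_POLICY=DROP   # iptables -P FORWARD DROP: used only when no rule matched

# in_list LIST ITEM: is ITEM one of the comma-separated entries of LIST?
in_list() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# verdict RULES IN_IF OUT_IF CTSTATE DPORT
# Walks RULES top to bottom; the first full match wins, like netfilter does.
verdict() {
    rules=$1; p_in=$2; p_out=$3; p_state=$4; p_dport=$5
    hit=$(printf '%s\n' "$rules" | while read -r r_in r_out r_state r_dports r_target; do
        [ -n "$r_in" ] || continue                                  # skip blank lines
        [ "$r_in" = "$p_in" ] && [ "$r_out" = "$p_out" ] || continue
        [ "$r_state" = - ] || in_list "$r_state" "$p_state" || continue
        [ "$r_dports" = - ] || in_list "$r_dports" "$p_dport" || continue
        echo "$r_target"
        break
    done)
    echo "${hit:-$CHAIN_POLICY}"
}

# Walk a few constructed packets through both rule tables and print the verdicts.
demo() {
    for pkt in "eth1 eth0 NEW 21 LAN-FTP-control" \
               "eth1 eth0 NEW 6881 LAN-torrent" \
               "eth1 eth0 NEW 443 LAN-HTTPS" \
               "eth0 eth1 NEW 22 unsolicited-SSH-from-Internet" \
               "eth0 eth1 ESTABLISHED 50123 HTTP-reply-to-LAN"; do
        set -- $pkt
        printf '%-34s posted=%-7s restricted=%s\n' "$5" \
            "$(verdict "$POSTED_FORWARD" "$1" "$2" "$3" "$4")" \
            "$(verdict "$RESTRICTED_FORWARD" "$1" "$2" "$3" "$4")"
    done
}
demo
```

On the posted table every new LAN connection is accepted by the second rule regardless of port, which is exactly the behaviour described in post #1; the restricted table accepts only 80 and 443 and everything else from the LAN reaches the REJECT rule. Unsolicited connections from the Internet never match either table and fall through to the DROP policy. On a real box the equivalent check is `iptables -L FORWARD -v -n --line-numbers`, whose packet counters show which rule a test connection actually hit.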
 
Old 06-16-2011, 12:41 AM   #3
joe_gubat
LQ Newbie
 
Registered: Jun 2011
Posts: 6

Original Poster
Rep: Reputation: Disabled
What I want to accomplish here is that all connections will pass through the firewall, where I can block certain ports like 21.

by the way, thanks for the reply.
 
Old 06-16-2011, 01:22 AM   #4
joe_gubat
LQ Newbie
 
Registered: Jun 2011
Posts: 6

Original Poster
Rep: Reputation: Disabled
I tried your code and still no luck with the browsing. Below is the code:

# Generated by iptables-save v1.4.4
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [2079:187489]
:OUTPUT ACCEPT [95:10817]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m tcp -p tcp -m multiport --dports 80,22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j REJECT
COMMIT
# Completed on Thu Jun 16 10:56:06 2011
# Generated by iptables-save v1.4.4 on Thu Jun 16 10:56:06 2011
*nat
:PREROUTING ACCEPT [2616:162629]
:OUTPUT ACCEPT [26:1799]
:POSTROUTING ACCEPT [26:1799]
-A POSTROUTING -o eth0 -j SNAT --to 124.xxx.yyy.zzz
COMMIT
# Completed on Thu Jun 16 10:56:06 2011
 
Old 06-16-2011, 10:22 AM   #5
rayfordj
Member
 
Registered: Feb 2008
Location: Texas
Distribution: Fedora, RHEL, CentOS
Posts: 488

Rep: Reputation: 78
If this isn't closer to what you seek then we'll need to discuss in a bit more detail your configuration and testing methodology.

Code:
iptables -F

iptables -t nat -P PREROUTING DROP
iptables -t nat -A PREROUTING -i eth1 -s 192.168.1.0/24 -m tcp -p tcp -m multiport \
     --dports 22,80,443 -j ACCEPT -m comment --comment "LAN Client to Web and SSH"
iptables -t nat -A PREROUTING -i eth1 -s 192.168.1.0/24 -j REJECT

iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -m tcp -p tcp -m multiport --dports 22,80,443 \
     -m state --state NEW -j ACCEPT -m comment --comment "LAN to Router-Firewall"
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -m icmp -p icmp -j ACCEPT
iptables -A INPUT -i eth1 -j REJECT

iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m tcp -p tcp -m multiport \
     --dports 22,80,443 -j ACCEPT -m comment --comment "LAN Client to Web and SSH"
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j REJECT

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 124.xxx.yyy.zzz
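An added, complete rule set for the two-NIC router described in post #1 (eth0 to the Internet, eth1 to the LAN), written in the spirit of the rules in posts #2 and #5 but not copied from them and not the OP's or rayfordj's code. Two things a practitioner would want on top of the posted rules: first, the allow lists above only cover TCP 22/80/443, so a LAN client that resolves names through a DNS server beyond the router cannot browse by name even when SSH to a bare IP works, and this example therefore also allows port 53 (UDP and TCP); second, it keeps all filtering in the filter table, because the REJECT target is only usable from the INPUT, FORWARD and OUTPUT hooks, not from the nat table's PREROUTING chain, so the nat table here is used only for SNAT. The addresses are placeholders from the RFC 5737 documentation range, not the thread's; the script prints the commands by default (dry run) and applies them only when run as root with `IPT=iptables`.

```shell
#!/bin/sh
# Added example: a re-runnable, default-deny rule set for a LAN -> Internet
# router. Dry run by default:
#   sh firewall.sh                    -> prints every iptables command
#   IPT=iptables SYSCTL=sysctl sh firewall.sh   (as root) -> applies them
set -eu
IPT=${IPT:-"echo iptables"}
SYSCTL=${SYSCTL:-"echo sysctl"}
WAN_IF=eth0; LAN_IF=eth1
LAN_NET=192.168.1.0/24
WAN_IP=${WAN_IP:-198.51.100.10}      # placeholder public address (RFC 5737 range)
LAN_TCP_OUT="22,53,80,443"           # TCP services LAN clients may reach on the Internet
LAN_UDP_OUT="53"                     # DNS: browsing by name does not work without it

apply_rules() {
    # Routing between the NICs must be switched on, or nothing is forwarded at all
    $SYSCTL -w net.ipv4.ip_forward=1

    # Start from a clean slate in the filter and nat tables
    $IPT -F; $IPT -X
    $IPT -t nat -F

    # Default deny; every rule below opens only what is listed (always -A, never -D)
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Traffic addressed to the router itself: loopback, replies, SSH and ping from the LAN
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p icmp -j ACCEPT

    # Forwarded traffic: replies first, then an explicit LAN -> Internet allow list.
    # Anything else from the LAN (FTP on 21, torrent ports, ...) hits the REJECT rule,
    # so the client gets an immediate error instead of a hang.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp \
        -m multiport --dports "$LAN_TCP_OUT" -m conntrack --ctstate NEW \
        -m comment --comment "LAN to Internet (TCP)" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp \
        -m multiport --dports "$LAN_UDP_OUT" \
        -m comment --comment "LAN to Internet (DNS)" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j REJECT \
        --reject-with icmp-port-unreachable

    # Address translation only; filtering stays in the filter table above
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
}

# After applying, the per-rule packet counters show which rule a test connection hit
show_counters() {
    $IPT -L FORWARD -v -n --line-numbers
}

apply_rules
show_counters
```

To test the policy from a LAN client, try a name lookup, a plain HTTP fetch and an FTP connection in that order and watch `show_counters` between attempts: the DNS and HTTP rules' counters should rise, and the FTP attempt should increment only the REJECT rule.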
 
Old 06-22-2011, 04:43 AM   #6
joe_gubat
LQ Newbie
 
Registered: Jun 2011
Posts: 6

Original Poster
Rep: Reputation: Disabled
I did try it again using the latest code that you gave me; the browsing still doesn't work, but I have SSH.
 
Old 06-22-2011, 09:52 AM   #7
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,396
Blog Entries: 2

Rep: Reputation: 908
I recommend using a canned firewall package that is tailored to your common scenario. There are many non-obvious ways to harden a firewall, and a good package will employ these. The package I have used for years and prefer is HomeLanSecurity. It provides a convenient structure for customization, and can be installed as a standard service with the usual 'start/stop/restart' capability.
--- rod.
 