LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   iptables different ports on each ip address (https://www.linuxquestions.org/questions/linux-newbie-8/iptables-different-ports-on-each-ip-address-745891/)

qwertyjjj 08-07-2009 03:45 PM

iptables different ports on each ip address
 
What is the best way to set up port rules for 2 different IP addresses with iptables? eg
212.xxx.xxx.xxx open 80, 3128, DNS, and ICMP
213.xxx.xxx.xxx open 22 only.

acid_kewpie 08-08-2009 12:27 AM

Well if they are on the same machine, then you'd just use standard iptables commands. Probably best to start off doing it with the system-config-security tool though if you're not familiar with iptables. There's nothing specifically interesting about doing it for two different IP addresses, it's still standard iptables if you do want to do it directly yourself.


/sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW -d 213.x.y.z/32 --destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -j DROP

etc...


http://linux.sys-con.com/node/32837
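As an added illustration of the per-address approach acid_kewpie describes (this is example code, not from the thread or from the linked article), the script below generates a complete iptables-restore ruleset in which each service rule is pinned to one of the host's addresses with `-d`, and adds two small helpers for checking which address a port is bound to before the ruleset is loaded. The addresses 192.0.2.10 and 192.0.2.20 are constructed placeholders for the 212.xxx and 213.xxx addresses in the question; the `check` mode assumes an iptables-restore that supports `--test` (parse only, do not commit).

```shell
#!/bin/sh
# Added example, not from the thread: one iptables-restore ruleset, different
# ports per address. 192.0.2.10 / 192.0.2.20 are constructed placeholders for
# the real 212.x / 213.x addresses; substitute them before use.
PUBLIC_IP="192.0.2.10"   # web, proxy, DNS and ping live here
ADMIN_IP="192.0.2.20"    # ssh only

# gen_rules: print the ruleset in the format iptables-restore reads.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# -d pins each service to exactly one of the host's addresses
-A INPUT -d $PUBLIC_IP/32 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d $PUBLIC_IP/32 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -d $PUBLIC_IP/32 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -d $PUBLIC_IP/32 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -d $PUBLIC_IP/32 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -d $ADMIN_IP/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# anything not matched above is dropped (the policy would do it too, but an
# explicit rule keeps a packet counter you can read with iptables -L -v)
-A INPUT -j DROP
COMMIT
EOF
}

# rules_for_port PORT: the INPUT rules that admit new connections to PORT,
# so you can see which address each service is actually bound to.
rules_for_port() {
    gen_rules | grep -- "--dport $1 "
}

# count_accepts IP: number of ACCEPT rules pinned to IP.
count_accepts() {
    gen_rules | grep -c -- "-d $1/32 .* -j ACCEPT"
}

# load_check: dry-run the ruleset through iptables-restore --test when it is
# available and we are root; otherwise just print it for inspection.
load_check() {
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        gen_rules | iptables-restore --test && echo "ruleset parses"
    else
        gen_rules
    fi
}

case "${1:-}" in
    show)  gen_rules ;;
    check) load_check ;;
esac
```

Run `sh rules.sh show` to print the ruleset and `sudo sh rules.sh check` to parse it without committing; `rules_for_port 22` should list only the admin address, and `count_accepts` on the public address should count the five services opened there.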

qwertyjjj 08-08-2009 12:38 AM

I get a bad argument error when using this:

Code:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [24:1764]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#accept SSH on this IP only
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j -d 88.xxx.xxx.xxx/32 ACCEPT
#SSL
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
#DNS
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
#RANDOM PORTS
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 3306 -m state --state NEW -j ACCEPT
#CONTROL PANEL
-A INPUT -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
#RANDOM PORTS
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
#PING
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#NO IDEA
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT


acid_kewpie 08-08-2009 01:04 AM

/32 makes it host specific, not sure if it's compulsory or not.

acid_kewpie 08-08-2009 01:05 AM

ACCEPT is an option to -j. You can't put things between them.

qwertyjjj 08-08-2009 01:19 AM

Quote:

Originally Posted by acid_kewpie (Post 3635447)
ACCEPT is an option to -j. you can't put things between them.

So, it has to be?
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -d 88.xxx.xxx.xxx/32 -j ACCEPT

Is it a bad idea to allow all icmp requests?

qwertyjjj 08-09-2009 01:20 PM

So, it has to be?
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -d 88.xxx.xxx.xxx/32 -j ACCEPT

Tinkster 08-09-2009 01:39 PM

That should work just fine.

As to whether it's bad to allow ICMP packets:
People's views differ. According to the TCP/IP RFCs it's a
must; but many firewalling folk (and mainly from the dark, errh,
windows side) feel that stealthily dropping them is a good idea.



Cheers,
Tink

acid_kewpie 08-09-2009 01:43 PM

Well remember also that there are LOTS of different types of ICMP packets not just echo-request and echo-reply for ping, and there are plenty of attacks that use certain obscure types. So you should really accept by exception, not by default. That's the theory at least.

qwertyjjj 08-09-2009 01:44 PM

Quote:

Originally Posted by Tinkster (Post 3636867)
That should work just fine.

As to whether it's bad to allow ICMP packets:
People's views differ. According to the TCP/IP RFCs it's a
must; but many firewalling folk (and mainly from the dark, errh,
windows side) feel that stealthily dropping them is a good idea.



Cheers,
Tink

......

qwertyjjj 08-10-2009 08:22 AM

If I want to forward port 80 to port 3128 with the above iptables script do I only need to add:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

qwertyjjj 08-12-2009 06:59 AM

Is the following okay for ICMP?
Code:


*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d 88.xxx.xxx.xxx -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -d 88.xxx.xxx.xxx -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 8080 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d 88.xxx.xxx.xxx -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 88.xxx.xxx.xxx -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT


Should I add this for syn flood? I guess the last DROP is not needed if I add it to the rulebase above?
Code:

iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
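The following is an added example, not code from the thread, that puts together the three things asked about in the last two posts in one iptables-restore file: the 80-to-3128 redirect in its own `*nat` section, ICMP accepted by exception (acid_kewpie's point) rather than `-p icmp` wholesale, and the syn_flood chain declared and used inside the restore format. 192.0.2.10 is a constructed placeholder for the 88.xxx address; the SSH port 1057 and the limit values are the thread's, and `iptables-restore --test` is assumed available for the dry run.

```shell
#!/bin/sh
# Added example, not from the thread. 192.0.2.10 is a constructed placeholder
# for the host's public address.
HOST_IP="192.0.2.10"

# gen_rules: nat table (redirect) followed by filter table, restore format.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# port 80 arriving on eth0 is handed to the proxy listening on 3128
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:syn_flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# every new TCP connection attempt is rate-checked before anything else
-A INPUT -p tcp --syn -j syn_flood
# ICMP by exception: the types TCP/IP needs to work, plus ping, and no others
-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
-A INPUT -p icmp -j DROP
# redirected web traffic shows up here as dport 3128; REDIRECT rewrites the
# destination to the interface's primary address, so this rule is not pinned
# with -d in case that differs from HOST_IP
-A INPUT -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -d $HOST_IP/32 -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
# syn_flood: RETURN sends SYNs within the limit back to INPUT to be matched
# by the service rules; the trailing DROP is what discards the excess. Without
# it, over-limit SYNs would also fall back into INPUT and be accepted.
-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
-A syn_flood -j DROP
COMMIT
EOF
}

# count_icmp_accepts: how many ICMP types the ruleset lets in.
count_icmp_accepts() {
    gen_rules | grep -c -- '-p icmp .* -j ACCEPT'
}

# icmp_types_accepted: those types by name, one per line.
icmp_types_accepted() {
    gen_rules | grep -- '-p icmp .* -j ACCEPT' \
        | sed 's/.*--icmp-type \([a-z-]*\).*/\1/'
}

# chain_terminates CHAIN: succeeds if the user chain's last rule is a DROP.
chain_terminates() {
    gen_rules | grep -- "^-A $1 " | tail -n 1 | grep -q -- '-j DROP$'
}

# load_check: parse without committing when root and --test is available.
load_check() {
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        gen_rules | iptables-restore --test && echo "ruleset parses"
    else
        gen_rules
    fi
}

case "${1:-}" in
    show)  gen_rules ;;
    check) load_check ;;
esac
```

Two points worth knowing before copying the numbers: `-m limit` counts SYNs from all sources together, so 1/s with a burst of 3 will throttle a public web server's legitimate clients along with a flood (the `-m recent` per-source match already used for SSH in the post is the tool for per-client limits), and the echo-request limit here is per host, not per client, for the same reason.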


