LinuxQuestions.org
Old 08-07-2009, 04:45 PM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

iptables different ports on each ip address


What is the best way to set up port rules for 2 different IP addresses with iptables? eg
212.xxx.xxx.xxx open 80, 3128, DNS, and ICMP
213.xxx.xxx.xxx open 22 only.
 
Old 08-08-2009, 01:27 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Well if they are on the same machine, then you'd just use standard iptables commands. Probably best to start off doing it with the system-config-security tool though if you're not familiar with iptables. There's nothing specifically interesting about doing it for two different IP addresses, it's still standard iptables if you do want to do it directly yourself.


/sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW -d 213.x.y.z/32 --destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -j DROP

etc...


http://linux.sys-con.com/node/32837

Last edited by acid_kewpie; 08-08-2009 at 01:33 AM.
 
Old 08-08-2009, 01:38 AM   #3
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
I get a bad argument error when using this:

Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [24:1764]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#accept SSH on this IP only
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j -d 88.xxx.xxx.xxx/32 ACCEPT
#SSL
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
#DNS
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
#RANDOM PORTS
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 3306 -m state --state NEW -j ACCEPT
#CONTROL PANEL
-A INPUT -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
#RANDOM PORTS
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
#PING
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#NO IDEA
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT

Last edited by qwertyjjj; 08-08-2009 at 01:54 AM.
 
Old 08-08-2009, 02:04 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

/32 makes it host specific, not sure if it's compulsory or not.
 
Old 08-08-2009, 02:05 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

ACCEPT is an option to -j. you can't put things between them.
 
Old 08-08-2009, 02:19 AM   #6
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Quote:
Originally Posted by acid_kewpie View Post
ACCEPT is an option to -j. you can't put things between them.
So, it has to be?
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -d 88.xxx.xxx.xxx/32 -j ACCEPT

Is it a bad idea to allow all icmp requests?
 
Old 08-09-2009, 02:20 PM   #7
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
So, it has to be?
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -d 88.xxx.xxx.xxx/32 -j ACCEPT
 
Old 08-09-2009, 02:39 PM   #8
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

That should work just fine.

As to whether it's bad to allow ICMP packets:
People's views differ. According to the TCP/IP RFCs it's a
must; but many firewalling folk (and mainly from the dark, errh,
Windows side) feel that stealthily dropping them is a good idea.



Cheers,
Tink
 
Old 08-09-2009, 02:43 PM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Well remember also that there are LOTS of different types of ICMP packets not just echo-request and echo-reply for ping, and there are plenty of attacks that use certain obscure types. So you should really accept by exception, not by default. That's the theory at least.
 
Old 08-09-2009, 02:44 PM   #10
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Quote:
Originally Posted by Tinkster View Post
That should work just fine.

As to whether it's bad to allow ICMP packets:
People's views differ. According to the TCP/IP RFCs it's a
must; but many firewalling folk (and mainly from the dark, errh,
Windows side) feel that stealthily dropping them is a good idea.



Cheers,
Tink
......
 
Old 08-10-2009, 09:22 AM   #11
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
If I want to forward port 80 to port 3128 with the above iptables script do I only need to add:
-t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Last edited by qwertyjjj; 08-10-2009 at 09:23 AM.
 
Old 08-12-2009, 07:59 AM   #12
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Is the following okay for ICMP?
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d 88.xxx.xxx.xxx -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -d 88.xxx.xxx.xxx -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 8080 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d 88.xxx.xxx.xxx -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 88.xxx.xxx.xxx -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT

Should I add this for syn flood? I guess the last DROP is not needed if I add it to the rulebase above?
Code:
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
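An added example, not posted by anyone in this thread: a small checker for rules files in iptables-save format. It flags the ordering mistake that caused the "bad argument" error earlier in the thread (an option placed between -j and its target), and it lists, per destination address, which ports a ruleset ACCEPTs on INPUT, which is the quickest way to confirm a two-IP ruleset like the one asked about does what was intended. The embedded ruleset is constructed for this example: the addresses are RFC 5737 documentation placeholders standing in for the 212.x/213.x hosts, the port 80 to 3128 redirect sits in its own *nat section, and ICMP is accepted by exception (rate-limited echo-request only), as the later replies recommend.

```python
# Added example (not from the thread): lint an iptables-save style rules file for the
# "-j -d ... ACCEPT" ordering mistake and summarise which ports each destination
# address accepts on INPUT. Addresses are RFC 5737 documentation placeholders.
GOOD_RULES = """\
*nat
-A PREROUTING -d 198.51.100.10/32 -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 198.51.100.10/32 -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d 198.51.100.10/32 -p tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -d 198.51.100.10/32 -p udp --dport 53 -j ACCEPT
-A INPUT -d 198.51.100.10/32 -p icmp --icmp-type echo-request -m limit --limit 1/sec -j ACCEPT
-A INPUT -d 203.0.113.20/32 -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
"""

# The shape of the line that produced the "bad argument" error in the thread (placeholder address).
BAD_LINE = "-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j -d 198.51.100.1/32 ACCEPT"

def opt(toks, flag):
    """Value following FLAG in a tokenised rule, or None when FLAG is absent or last."""
    if flag not in toks:
        return None
    i = toks.index(flag) + 1
    return toks[i] if i < len(toks) else None

def check_rule(line):
    """Error message if '-j' is not immediately followed by a target name, else None."""
    toks = line.split()
    nxt = opt(toks, "-j")
    if "-j" in toks and (nxt is None or nxt.startswith("-")):
        return "'-j' must be followed by its target (e.g. '-j ACCEPT'), found %r" % nxt

def summarize(rules):
    """Map each destination (or 'any') to the 'proto/port' set ACCEPTed on INPUT; collect errors."""
    opened, errors, table = {}, [], None
    for n, line in enumerate(rules.splitlines(), 1):
        if line.startswith("*"):
            table = line[1:]                      # *nat / *filter section header
        elif table == "filter" and line.startswith("-A INPUT"):
            err, toks = check_rule(line), line.split()
            proto = opt(toks, "-p")
            if err:
                errors.append((n, err))
            elif opt(toks, "-j") == "ACCEPT" and proto:   # DROP rules and stateful/loopback catch-alls open nothing
                port = opt(toks, "--dport") or opt(toks, "--icmp-type") or "*"
                opened.setdefault(opt(toks, "-d") or "any", set()).add("%s/%s" % (proto, port))
    return opened, errors
```

A destination of "any" in the summary means a port is open on every address the host has, which is exactly what a per-IP ruleset is meant to avoid.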
 
  

