Old 06-15-2003, 08:54 PM   #1
Tigger
Member
 
Registered: May 2003
Posts: 168

Rep: Reputation: 30
iptables help please


Hi

I am back again!! Please help!! Going crazy with iptables.

Can someone tell me how to write the following so that I can input it into my iptables, please?

reject udp anywhere anywhere udp dpts:0: reject with icmp port unreachable
reject udp anywhere anywhere udp dpt:nfs reject with icmp port unreachable
reject tcp anywhere anywhere tcp dpts:x11:6009 flags syn,rst,ack/syn reject with icmp port unreachable
reject tcp anywhere anywhere tcp dpts:xfs:flags syn rst,ack/syn reject with icmp port unreachable
reject tcp anywhere anywhere tcp dpts:0:1023 flags syn, rst, ack/syn reject with icmp port unreachable

Also, how do I stop people from using my bandwidth? I am using a Red Hat 8 server with an ADSL connection, hosting a web and mail server (Apache 2 and sendmail).

thanks again
 
Old 06-15-2003, 10:40 PM   #2
je_fro
Member
 
Registered: Nov 2002
Location: /texas/austin/home/desk
Distribution: Gentoo
Posts: 341

Rep: Reputation: 30
I'm not an iptables decompiler, sorry...

Aren't there kernel modules to allow bandwidth limiting?
I'm sure Red Hat has something for you. A traffic shaper?

If you set up Squid, you can use it to control bandwidth.

http://sp9wun.republika.pl/linux/shaperd_cbq_en.html

Wish I could be more help...
 
Old 06-15-2003, 11:11 PM   #3
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
Sorry, what I mean is: how can I stop people out on the internet from hacking into my server and using my bandwidth? Will Squid do this for me?

thanks
 
Old 06-15-2003, 11:21 PM   #4
je_fro
Member
 
Registered: Nov 2002
Location: /texas/austin/home/desk
Distribution: Gentoo
Posts: 341

Rep: Reputation: 30
Squid is a proxy server.

The best thing you can do is write a strong iptables ruleset. They have quite a few posts here containing them. Adapt one to your needs.

Here's one example:

http://www.linuxquestions.org/questi...threadid=61681
 
Old 06-16-2003, 12:46 AM   #5
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
Sorry, this really confuses me.

What would I need to add? I only have a very simple firewall and I do not know how to add the ones in my first thread.

I know what i want and have been playing but am not getting anywhere.

Can anyone help?
 
Old 06-16-2003, 01:19 AM   #6
je_fro
Member
 
Registered: Nov 2002
Location: /texas/austin/home/desk
Distribution: Gentoo
Posts: 341

Rep: Reputation: 30
It's a research project.

Parse the iptables HOWTO for info that pertains to you.
I'm just guessing here, but I'd try this:

iptables -A MY_EXAMPLE_RULE -p icmp -s 0.0.0.0 --dport 0 -j REJECT \
--reject-with destination-unreachable

I pieced that together with scraps from the following rules, which I got by searching G4L.
It probably won't work, but it's a place to start.
__________________________________________________________
IPTABLES -A CHECK_PROBES -p udp -s 0.0.0.0 --dport 0 \
-j LOG_DROP

IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
--icmp-type destination-unreachable -j ACCEPT

reject udp anywhere anywhere udp dpts:0: reject with icmp port unreachable

iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
___________________________________________________________

Last edited by je_fro; 06-16-2003 at 01:20 AM.
 
Old 06-16-2003, 01:36 AM   #7
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
thanks

What I have been trying is the following, but I'm not sure this is it. Can you help please?

iptables -A INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
iptables -A INPUT -p udp -m udp --dport 0:1023 -j REJECT
iptables -A INPUT -p udp -m udp --dport 2049 -j REJECT
iptables -A INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
iptables -A INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
iptables -A INPUT -p tcp -m tcp --dport 2049 -j REJECT

Do I need the -m in here?

thanks again
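The lines in the first post are what `iptables -L` prints, not what `iptables` accepts, so they have to be translated back into `-A INPUT` commands; the script below is an added example written for this thread, not code posted by anyone in it. It assumes the service names resolve the way /etc/services normally does (nfs 2049, x11 6000, xfs 7100) and that "flags syn,rst,ack/syn" is the listing's rendering of `--syn`, which is shorthand for `--tcp-flags SYN,RST,ACK SYN`. Because `-p tcp` or `-p udp` loads the port match implicitly, the `-m tcp`/`-m udp` asked about in post #7 is optional and the generated commands omit it.

```python
"""Translate lines in the `iptables -L` listing format back into
`iptables -A INPUT ...` commands (added example, not code from the thread)."""
import re

# Service names are resolved the way /etc/services does on most systems;
# this table is an assumption of the example, extend it for other names.
SERVICES = {"nfs": 2049, "x11": 6000, "xfs": 7100, "http": 80, "smtp": 25, "ssh": 22}

# REJECT option as it appears in a listing -> argument for --reject-with.
REJECT_TYPES = {
    "icmp port unreachable": "icmp-port-unreachable",
    "icmp net unreachable": "icmp-net-unreachable",
    "icmp host unreachable": "icmp-host-unreachable",
    "tcp reset": "tcp-reset",
}

KNOWN_PROTOS = ("tcp", "udp", "icmp", "all")


def resolve_port(token):
    """A port token in a listing is either a number or a service name."""
    token = token.strip()
    if token.isdigit():
        return int(token)
    if token in SERVICES:
        return SERVICES[token]
    raise ValueError("unknown service name %r; add it to SERVICES" % token)


def port_spec(spec):
    """'0:' -> '0:65535', 'x11:6009' -> '6000:6009', 'nfs' -> '2049'."""
    if ":" not in spec:
        return str(resolve_port(spec))
    lo, hi = spec.split(":", 1)
    lo_n = resolve_port(lo) if lo else 0      # open start means port 0
    hi_n = resolve_port(hi) if hi else 65535  # open end means port 65535
    if lo_n > hi_n:
        raise ValueError("inverted port range %r" % spec)
    return "%d:%d" % (lo_n, hi_n)


def translate(line, chain="INPUT"):
    """Turn one listing line into the equivalent `iptables -A` command."""
    # Normalise a hand-copied listing: 'dpts:xfs:flags' -> 'dpts:xfs flags',
    # hyphens become spaces so 'reject-with icmp-port-unreachable' (real
    # iptables output) and 'reject with icmp port unreachable' read the same,
    # and the '--' opt column of real output disappears.
    text = re.sub(r":flags", " flags", line.strip().lower()).replace("-", " ")
    tokens = text.split()
    if len(tokens) < 4 or tokens[1] not in KNOWN_PROTOS:
        raise ValueError("not a rule line: %r" % line)
    target, proto, src, dst = tokens[:4]

    # -p tcp / -p udp loads the port match implicitly, so no -m tcp is needed.
    cmd = ["iptables", "-A", chain, "-p", proto]
    if src != "anywhere":
        cmd += ["-s", src]
    if dst != "anywhere":
        cmd += ["-d", dst]

    m = re.search(r"dpts?:(\w+(?::\w*)?)", text)
    if m:
        cmd += ["--dport", port_spec(m.group(1))]

    # 'flags syn,rst,ack/syn' is mask/comparison: the listing's rendering of
    # --syn, which is shorthand for --tcp-flags SYN,RST,ACK SYN.
    m = re.search(r"flags[:\s]*([\w,\s]+?)/(\w+)", text)
    if m:
        mask = ",".join(m.group(1).replace(",", " ").split()).upper()
        cmd += ["--tcp-flags", mask, m.group(2).upper()]

    if target == "reject":
        cmd += ["-j", "REJECT"]
        m = re.search(r"reject with (.+)$", text)
        if m:
            kind = " ".join(m.group(1).split())
            if kind not in REJECT_TYPES:
                raise ValueError("unknown reject type %r" % kind)
            cmd += ["--reject-with", REJECT_TYPES[kind]]
    else:
        cmd += ["-j", target.upper()]
    return " ".join(cmd)


# The five lines from the first post, used as constructed input here.
THREAD_LISTING = [
    "reject udp anywhere anywhere udp dpts:0: reject with icmp port unreachable",
    "reject udp anywhere anywhere udp dpt:nfs reject with icmp port unreachable",
    "reject tcp anywhere anywhere tcp dpts:x11:6009 flags syn,rst,ack/syn reject with icmp port unreachable",
    "reject tcp anywhere anywhere tcp dpts:xfs:flags syn rst,ack/syn reject with icmp port unreachable",
    "reject tcp anywhere anywhere tcp dpts:0:1023 flags syn, rst, ack/syn reject with icmp port unreachable",
]


def translate_all(lines=THREAD_LISTING, chain="INPUT"):
    """Translate every listing line; raises ValueError on a line it cannot read."""
    return [translate(line, chain) for line in lines]


if __name__ == "__main__":
    for rule in translate_all():
        print(rule)
```

Run it and paste the printed commands into the firewall script; REJECT defaults to icmp-port-unreachable anyway, so the explicit `--reject-with` only matters if a different type (such as tcp-reset) is wanted. Real `iptables -L` output with its `--` opt column and hyphenated `reject-with` is accepted too, so the same translator can be pointed at a current listing to rebuild the commands that produced it.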
 
Old 06-16-2003, 01:42 AM   #8
je_fro
Member
 
Registered: Nov 2002
Location: /texas/austin/home/desk
Distribution: Gentoo
Posts: 341

Rep: Reputation: 30
Hmm...

Dude, I'm just a newbie stalling you until somebody who knows what they're talking about shows up.....

But,

I would do it like this:
iptables -A INPUT -p tcp --syn --dport 0:1023 -j REJECT

or maybe like this....
iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state \
--state NEW -j REJECT --reject-with tcp-reset

I don't know if that's what you want, though.

Are you running the script and then checking the output with:
iptables -L

?
 
Old 06-16-2003, 03:03 AM   #9
dyugle
LQ Newbie
 
Registered: Dec 2002
Posts: 3

Rep: Reputation: 0
I use Shorewall as my firewall and it has all sorts of traffic shaping controls that you can play with. It uses stateful iptables and allows dynamic blacklisting of selected IPs as well. Check it out. I believe it comes as Mandrake's firewall, or you can download it from SourceForge. I use it on a stripped-down version of Red Hat on my router, a three-interface gateway, to set up a DMZ where I run a game server out of, and it seems to be fairly secure. However, I also use daemon tools on the server machine to keep it up and running and provide another level of security. Running Tripwire or some other intrusion detection product is a good idea to make sure no one has gotten into your server and mucked around with it. I would shy away from writing your own firewall because stateful filtering can be very tricky and Shorewall seems to be customizable enough to do most jobs. I hope this is useful.
D
 
Old 06-16-2003, 08:27 AM   #10
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
je_fro, no, I ran lokkit and then customised it a little to suit my needs.

I check it by running iptables -L

I do not know how to run a script. How is that done?

thanks
 
Old 06-16-2003, 08:42 AM   #11
je_fro
Member
 
Registered: Nov 2002
Location: /texas/austin/home/desk
Distribution: Gentoo
Posts: 341

Rep: Reputation: 30
Copy the following and save it as firescript. Make it executable by:

chmod 777 firescript

Then do:

su
<passwd>
sh firescript

Then check and see what it gives by:
iptables -L
Good Luck!
#!/bin/sh


echo -e "\n\tLoading Firewall Rules"
# Enable forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
LAN_IP_NET1='192.168.0.1/24'
LAN_IP_NET2='192.168.1.1/24'
LAN_IP_NET3='192.168.2.1/24'
LAN_NIC1='eth1'
LAN_NIC2='eth2'
LAN_NIC3='eth3'
#WAN_IP='65.65.96.38'
WAN_NIC='eth0'

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -X

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT



iptables -N port-scan
iptables -A INPUT -i $WAN_NIC -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
iptables -A port-scan -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A port-scan -j LOG --log-prefix "IPTABLES PORT-SCAN:"
iptables -A port-scan -j DROP

iptables -N spoofing
iptables -A INPUT -i $WAN_NIC -s 10.0.0.0/8 -j spoofing
#iptables -A INPUT -i $WAN_NIC -s 172.16.0.0/12 -j spoofing
iptables -A INPUT -i $WAN_NIC -s 192.168.0.0/16 -j spoofing
iptables -A INPUT -i $WAN_NIC -s 224.0.0.0/4 -j spoofing
iptables -A INPUT -i $WAN_NIC -s 240.0.0.0/5 -j spoofing
iptables -A INPUT -i $WAN_NIC -d 127.0.0.0/8 -j spoofing
iptables -A spoofing -j LOG --log-prefix "IPTABLES SPOOFING:"
iptables -A spoofing -j DROP

iptables -N bad_tcp_packets
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPTABLES NEW NOT SYN: "
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# enable Masquerade and forwarding
iptables -A FORWARD -i $LAN_NIC1 -o $WAN_NIC -j ACCEPT
iptables -A FORWARD -i $LAN_NIC2 -o $WAN_NIC -j ACCEPT
iptables -A FORWARD -i $LAN_NIC3 -o $WAN_NIC -j ACCEPT

iptables -t nat -A POSTROUTING -s 192.168.0.2 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.2 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.2.2 -j MASQUERADE

iptables -A FORWARD -i $LAN_NIC1 -j ACCEPT
iptables -A FORWARD -i $LAN_NIC2 -j ACCEPT
iptables -A FORWARD -i $LAN_NIC3 -j ACCEPT

iptables -A FORWARD -p tcp -j bad_tcp_packets
iptables -A FORWARD -i $WAN_NIC -o $LAN_NIC1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_NIC -o $LAN_NIC2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_NIC -o $LAN_NIC3 -m state --state ESTABLISHED,RELATED -j ACCEPT

#iptables -A FORWARD -i $LAN_NIC1 -o $WAN_NIC -j ACCEPT
#iptables -A FORWARD -i $LAN_NIC2 -o $WAN_NIC -j ACCEPT
iptables -A FORWARD -i $LAN_NIC1 -o $LAN_NIC2 -j ACCEPT # -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_NIC2 -o $LAN_NIC1 -j ACCEPT #-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_NIC1 -o $LAN_NIC3 -j ACCEPT #-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_NIC3 -o $LAN_NIC1 -j ACCEPT #-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_NIC2 -o $LAN_NIC3 -j ACCEPT #-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_NIC3 -o $LAN_NIC2 -j ACCEPT #-m state --state ESTABLISHED,RELATED -j ACCEPT

# Open ports on router for server/services
iptables -A INPUT -p tcp -j bad_tcp_packets
iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 21 -j ACCEPT
iptables -A INPUT -s 192.168.0.2 -d 192.168.0.1 -p tcp --syn --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.0.2 -d 192.168.1.1/24 -p tcp --syn --dport 22 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s $LAN_IP_NET1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s $LAN_IP_NET2 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s $LAN_IP_NET3 -j ACCEPT

# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

echo -e "\n\n\tDone Loading Rules\n"
 
Old 06-16-2003, 08:46 AM   #12
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
Oh my goodness, what is this actually doing?

I am running a Red Hat 8 server and trying to host web and mail.

Do I just add in port 25 ACCEPT? I have only got one network card.

thanks again
 
Old 06-16-2003, 08:49 AM   #13
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
As an add-on to the above response, will this script stop anyone from trying to hack into my server and using my bandwidth? I want to be able to stop anyone from doing this.

thanks again
 
Old 06-16-2003, 08:54 AM   #14
je_fro
Member
 
Registered: Nov 2002
Location: /texas/austin/home/desk
Distribution: Gentoo
Posts: 341

Rep: Reputation: 30
No, that's just an example.

That's an old, scratch firewall I had sitting around. It was for a 4 NIC box I had been playing with. I don't know if it will "stop anyone from trying to hack into my server and using my bandwidth"
...but it's a good place to start. Customize it for your needs. Maybe try shorewall like dyugle suggests, or go here:

http://iptables.1go.dk/index1.php

..and plug in what you need.
 
Old 06-16-2003, 08:57 AM   #15
Tigger
Member
 
Registered: May 2003
Posts: 168

Original Poster
Rep: Reputation: 30
Thanks je_fro for your help.

I will try what you have given me and let you know how I go.
 