Linux - Newbie forum, LinuxQuestions.org
I want to set rules that block all ports except the ones I use, e.g. 25, 110, 80, 443, 143, 21, 22, and I would like to forward port 3389 to 172.xxx.xxx.2. I'm new to this so I would really appreciate your help.
Last edited by tendaimagore; 07-15-2013 at 09:47 AM. Reason: Forgot something else
OK, thanks allend, I was able to understand iptables a bit, but I'm still finding it a bit tricky, because after I set the INPUT default to DROP it's not looking up any other rules, it's just taking the DROP default. OK, maybe if I could get some actual hands-on assistance I would really appreciate it. I have a server that uses the basic ports 22, 25, 110, 143, 443, 80; they have internet and email and so forth, and I would like to block all other ports. I want ssh to be available to 2 IPs from the internet and open for the LAN. How do I do that? I will read up on it, I promise, but right now I really need the commands for the above scenario. I have a client that needs this implemented ASAP and understanding is taking a bit of time, but I will most definitely get it later on.
That last one is a bit long, but it does cover everything (pretty much) and is well explained. The other two are more like 'well worked out examples' rather than actual manuals.
Originally Posted by tendaimagore
because after I set the INPUT default to DROP it's not looking up any other rules, it's just taking the DROP default...
It sounds like you may not have the rule set that you think that you have got. List the ruleset.
If something surprising is still happening, you will want to log some stuff, so that you can see what is going on. Add log instructions, and see what is going on.
Originally Posted by tendaimagore
I have a server that uses the basic ports 22, 25, 110, 143, 443, 80; they have internet and email and so forth, and I would like to block all other ports.
You need a chain that accepts the traffic on the numbered ports (I'm guessing that you probably don't need all protocols on all of those ports, but you probably don't need to tidy that detail up just yet) and then drops or rejects the traffic that remains.
Originally Posted by tendaimagore
...I want ssh to be available to 2 IPs from the internet and open for the LAN...
Well, ssh is a bit of a subject in itself, but read this. In any case, you will have decided on a strategy that you will use to defend ssh which either does or does not involve moving ssh to a non-standard port.
Bearing in mind what the real ssh port number is (either standard or non-standard), allow traffic from one of your IPs to that port, allow traffic from your other IP, and drop the rest of the traffic to that port. (If you can restrict things to a couple of nominated IP addresses, that's quite a useful security measure (may not be good enough as the _only_ security measure, but still...), but most people can't manage that.)
@salasi, your reply just made my day, and is why I love this forum. Anyway, I was able to add the rules I wanted and blocked off all traffic except the ones specified. I was able to forward the 3389 port and even took it a step further and blocked all incoming ping requests except for specified addresses. My goodness, one just feels good when you get at least a basic understanding of things. So, just in case someone is in the same predicament, here's what I did.
eth0 - 216.xxx.xxx.xxx (public)
eth1 - 172.xxx.xxx.xxx (local)
comp - 172.xxx.xxx.2 (LAN machine; port 3389 is to be forwarded here)
My Internet IP, where I'm ssh'ing from, is 196.xxx.xxx.xxx/24
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -p tcp -s 172.xxx.xxx.xxx/16 -i eth1 -j ACCEPT
# iptables -A INPUT -p tcp -s 196.xxx.xxx.xxx/24 --dport 22 -j ACCEPT
# iptables -A INPUT -i eth0 -s 196.xxx.xxx.xxx/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
(This will allow ping requests coming from my Internet IP)
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
To Open Port 3389
# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 172.xxx.xxx.2:3389
(NOTE: this rule/line has to be above the POSTROUTING MASQUERADE rule to take
# iptables -A FORWARD -d 172.xxx.xxx.2 -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
(The DNAT'd connections arrive from the internet on eth0, so this FORWARD rule matches on -i eth0)
Then DROP All Remaining INPUT Traffic
# iptables -A INPUT -p tcp -m state --state NEW -m tcp -j DROP
(this drops all new incoming TCP connections not matched by the rules above)
# iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
(this drops all ping requests except those specified)
I can only ssh from my internet IP 196.xxx.xxx.xxx and the LAN 172.xxx.xxx.xxx network; all other ssh connections are dropped. I can only ping from 196.xxx.xxx.xxx and 172.xxx.xxx.xxx; all other pings are dropped. I can Remote into 172.xxx.xxx.2 (however, this is open for any internet address) and I'm still browsing and receiving mail.
Now a trick is to set the INPUT and FORWARD default policies to DROP and then set the rules; however, all this will do is save you the headache of having to set the DROP rules (those who are well advanced can correct me if I'm wrong). But I prefer the one above.