LinuxQuestions.org
Old 07-15-2013, 10:46 AM   #1
tendaimagore
LQ Newbie
 
Registered: Oct 2010
Posts: 7

Rep: Reputation: 0
Iptables Rules


I need assistance in setting rules in iptables. I have Fedora with the following network card configuration:

eth1 216.xxx.xxx.xxx (Public)
eth0 172.xxx.xxx.1 (LAN)

I want to set rules that block all ports except the ones I use, e.g. 25, 110, 80, 443, 143, 21, 22, and I would like to forward port 3389 to 172.xxx.xxx.2. I'm new to this, so I would really appreciate your help.

Many thanks.

Last edited by tendaimagore; 07-15-2013 at 10:47 AM. Reason: Forgot something else
 
Old 07-15-2013, 11:14 AM   #2
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 4,430

Rep: Reputation: 1349
Mr Google says Fedora has this. https://fedoraproject.org/wiki/How_t...iptables_rules
 
1 members found this post helpful.
Old 07-16-2013, 12:00 PM   #3
tendaimagore
LQ Newbie
 
Registered: Oct 2010
Posts: 7

Original Poster
Rep: Reputation: 0
OK, thanks allend. I was able to understand iptables a bit, but I'm still finding it a bit tricky, because after I set the INPUT default to DROP it's not looking up any other rules, it's just taking the DROP default. OK, maybe if I could get some actual hand-held assistance I would really appreciate it. I have a server that uses the basic ports 22, 25, 110, 143, 443, 80; they have internet and email and so forth, and I would like to block all other ports. I want ssh to be available to 2 IPs from the internet and open for the LAN. How do I do that? I will read up on it, I promise, but right now I really need the commands for the above scenario. I have a client that needs this implemented ASAP and understanding is taking a bit of time, but I will mos def get it later on.

Many, many thanks.
 
Old 07-16-2013, 12:29 PM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,052

Rep: Reputation: 881
Quote:
Originally Posted by tendaimagore
I was able to understand iptables a bit...
There are many references to iptables on the internet; some favourites are:
http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html
http://www.linuxhomenetworking.com/w...Using_iptables
http://www.frozentux.net/documents/iptables-tutorial/

That last one is a bit long, but it does cover everything (pretty much) and is well explained. The other two are more like 'well worked out examples' rather than actual manuals.

Quote:
Originally Posted by tendaimagore
because after I set the INPUT default to DROP it's not looking up any other rules, it's just taking the DROP default...
It sounds like you may not have the rule set that you think you have got. List the ruleset.

If something surprising is still happening, you will want to log some stuff, so that you can see what is going on. Add log instructions, and see what is going on.

Quote:
Originally Posted by tendaimagore
I have a server that uses the basic ports 22, 25, 110, 143, 443, 80; they have internet and email and so forth, and I would like to block all other ports.
You need a chain that accepts the traffic on the numbered ports (I'm guessing that you probably don't need all protocols on all of those ports, but you probably don't need to tidy that detail up just yet) and then drops or rejects the traffic that remains.

Quote:
Originally Posted by tendaimagore
...I want ssh to be available to 2 IPs from the internet and open for the LAN...
Well, ssh is a bit of a subject in itself, but read this. In any case, you will have decided on a strategy that you will use to defend ssh, which either does or does not involve moving ssh to a non-standard port.

Bearing in mind what the real ssh port number is (either standard or non-standard), allow traffic from one of your IPs to that port, allow traffic from your other IP, and drop the rest of the traffic to that port. (If you can restrict things to a couple of nominated IP addresses, that's quite a useful security measure (it may not be good enough as the _only_ security measure, but still...), but most people can't manage that.)

Quote:
...but will mos def get it later on...
He's called Yasiin Bey now.
 
2 members found this post helpful.
Old 07-17-2013, 08:48 AM   #5
tendaimagore
LQ Newbie
 
Registered: Oct 2010
Posts: 7

Original Poster
Rep: Reputation: 0
@salasi, your reply just made my day, and it's why I love this forum. Anyway, I was able to add the rules I wanted and blocked off all traffic except the ones specified. I was able to forward the 3389 port and even took it a step further and blocked all incoming ping requests except for specified addresses. My goodness, one just feels good when you get at least a basic understanding of things. So just in case someone is in the same predicament, here's what I did.

eth0 - 216.xxx.xxx.xxx (public)
eth1 - 172.xxx.xxx.xxx (local)
comp - 172.xxx.xxx.2 (LAN machine; port 3389 is to be forwarded here)
My Internet IP where I'm ssh'ing from is 196.xxx.xxx.xxx/24

# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -p tcp -s 172.xxx.xxx.xxx/16 -i eth1 -j ACCEPT
# iptables -A INPUT -p tcp -s 196.xxx.xxx.xxx/24 --dport 22 -j ACCEPT
# iptables -A INPUT -i eth0 -s 196.xxx.xxx.xxx/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
(This will allow ping requests coming from my Internet IP)
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

To open port 3389:

# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 172.xxx.xxx.2:3389
(NOTE: this rule/line has to be above the POSTROUTING MASQUERADE rule to take effect)
# iptables -A FORWARD -d 172.xxx.xxx.2 -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT

Then DROP all remaining INPUT traffic:

# iptables -A INPUT -p tcp -m state --state NEW -m tcp -j DROP
(This drops all new incoming traffic not specified)
# iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
(This drops all ping requests except those specified)

TESTING RESULTS:
I can only ssh from my internet IP 196.xxx.xxx.xxx and the LAN 172.xxx.xxx.xxx network; all other ssh attempts are dropped. I can only ping from 196.xxx.xxx.xxx and 172.xxx.xxx.xxx; all other pings are dropped. I can remote into 172.xxx.xxx.2 (however, this is open for any internet address) and I'm still browsing and receiving mail.

Now a trick is to set the INPUT and FORWARD default policies to DROP and then set the rules; however, all this will do is save you the headache of having to set the DROP rules (those who are well advanced can correct me if I'm wrong). But I prefer the one above.

Many thanks to everyone.
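As an added worked example (not the thread's own commands, and not part of any poster's reply), the script below pulls together salasi's advice from post #4 (fail-closed default policies, a dedicated chain for the public service ports, ssh reachable from the internet only from two nominated addresses, and logging of whatever gets dropped) with the NAT port forward from the post above. It assumes the interface roles from post #5 (eth0 public, eth1 LAN), substitutes 172.16.0.0/16 and 172.16.0.2 for the thread's 172.xxx placeholders, and uses the RFC 5737 documentation addresses 198.51.100.10 and 203.0.113.5 as stand-ins for the two administrator IPs; none of those values are from the thread. By default it only prints the iptables commands it would run, so the ruleset can be reviewed; setting DRY_RUN=0 and running as root applies it.

```shell
#!/bin/sh
# Added example for this thread; not the poster's commands. Addresses below are
# constructed stand-ins: 172.16.0.0/16 and 172.16.0.2 replace the 172.xxx
# placeholders, 198.51.100.10 / 203.0.113.5 (RFC 5737 ranges) are the two admin IPs.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=172.16.0.0/16
RDP_HOST=172.16.0.2
SSH_ADMINS="198.51.100.10 203.0.113.5"
SERVICE_PORTS="21 25 80 110 143 443"   # public TCP services; ssh is handled separately

# Print commands by default; apply only when DRY_RUN=0 is given (as root).
DRY_RUN=${DRY_RUN:-1}
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    # Start clean, then fail closed: anything not explicitly accepted is dropped.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, and replies to connections this host started. Without the second
    # rule a default-DROP INPUT chain also kills the host's own outbound sessions.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # The LAN side is trusted, as in the post above.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # ssh from the internet: only the two admin addresses; log and drop the rest.
    ipt -N SSH_ACL
    for ip in $SSH_ADMINS; do
        ipt -A SSH_ACL -s "$ip" -j ACCEPT
    done
    ipt -A SSH_ACL -m limit --limit 5/min -j LOG --log-prefix "ssh-denied: "
    ipt -A SSH_ACL -j DROP
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j SSH_ACL

    # Public services in their own chain: accept the listed TCP ports; anything
    # else returns to INPUT and falls through to the DROP policy.
    ipt -N SERVICES
    for p in $SERVICE_PORTS; do
        ipt -A SERVICES -p tcp --dport "$p" -j ACCEPT
    done
    ipt -A INPUT -i "$WAN_IF" -p tcp -j SERVICES

    # Echo requests from the internet only from the admin addresses.
    for ip in $SSH_ADMINS; do
        ipt -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -s "$ip" -j ACCEPT
    done

    # Rate-limited log of whatever is about to hit the DROP policy, so a
    # surprising block can be read from the kernel log rather than guessed at.
    ipt -A INPUT -m limit --limit 10/min -j LOG --log-prefix "input-dropped: " --log-level 4

    # LAN -> internet through NAT, plus the return traffic.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Forward 3389 to the LAN host, but only for the admin addresses. DNAT in
    # PREROUTING rewrites the destination; FORWARD must then accept the rewritten
    # packet on its real path, which is in on the WAN interface and out on the LAN one.
    for ip in $SSH_ADMINS; do
        ipt -t nat -A PREROUTING -i "$WAN_IF" -s "$ip" -p tcp --dport 3389 \
            -j DNAT --to-destination "$RDP_HOST:3389"
    done
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$RDP_HOST" -p tcp --dport 3389 -j ACCEPT
    ipt -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "forward-dropped: "
}

build_ruleset
```

Two departures from the ruleset in the post are deliberate. The DNAT for 3389 is only created for the two admin addresses, which closes the "open for any internet address" gap noted in the testing results, and the FORWARD accept for it matches packets entering on eth0 and leaving on eth1, the direction a DNATed packet actually takes. With the default policies at DROP, the trailing LOG rules show exactly which packets fell through, which is the quickest way to diagnose the "default DROP ignores my rules" symptom from post #3; a missing ESTABLISHED,RELATED rule or a rule bound to the wrong interface shows up immediately in the logged lines.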