Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Distribution: Debian 5 - Slackware 13.1 - Arch - Some others linuxes/*BSDs through KVM and Xen
Posts: 329
Rep:
An advice:
Instead of -A, use -I. Just in case your distro already has a firewall configured, -I will insert your rule on top of their rules. Good for experimenting :-)
And, insert another 2 rules for chain OUTPUT. You're allowing packets to enter (INPUT), and you should let packets to go out too (OUTPUT)
Instead of -A, use -I. Just in case your distro already has a firewall configured, -I will insert your rule on top of their rules. Good for experimenting :-)
And, insert another 2 rules for chain OUTPUT. You're allowing packets to enter (INPUT), and you should let packets to go out too (OUTPUT)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -I OUTPUT -o eth2 -p tcp --sport 80 -j ACCEPT
This will not impact other nic cards (like eth0 and eth1).
That firewall will only allow outgoing traffic originating from port 80 on eth2. Everything incoming for eth2, and absolutely everything on all other cards will be dropped, both incoming and outgoing. Is that really what you want?
If you would explain a bit more about the different cards and what you're trying to accomplish, we probably could point you in a better direction.
default oplicy rule will not ipmact eth0 and eth1? am I right?
No, the default policy will affect ALL interfaces. You'll need to add additional rules to cover eth0 and eth1. Those can be pretty broad, like just accepting all traffic on the interface:
Code:
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
This rule means that the only traffic that gets out of eth2 MUST be coming from port 80. Unless you've taken some steps to limit whatever is sending packets to port 80, then you're going to have trouble. For example, if you are trying to limit eth2 to web traffic, you would need to modify this rule somewhat:
This would allow a browser to send from any port but the only stuff that would get through would be packets destined for port 80 on the other end, which is where most web servers listen.
Again, if you could give us some background on what you're trying to accomplish, we might be able to give better advice.
No, the default policy will affect ALL interfaces. You'll need to add additional rules to cover eth0 and eth1. Those can be pretty broad, like just accepting all traffic on the interface:
Code:
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
Now this bugs me:
This rule means that the only traffic that gets out of eth2 MUST be coming from port 80. Unless you've taken some steps to limit whatever is sending packets to port 80, then you're going to have trouble. For example, if you are trying to limit eth2 to web traffic, you would need to modify this rule somewhat:
This would allow a browser to send from any port but the only stuff that would get through would be packets destined for port 80 on the other end, which is where most web servers listen.
Again, if you could give us some background on what you're trying to accomplish, we might be able to give better advice.
Thank you very much for your response.
I'm trying to accomplish to allow internet users to access web site over port 80 on eth2. They shouldn't have access to any other port on eth2.
OK, web servers usually listen on port 80, but they may return information on other ports. So your default policy is good, you only want traffic to come in on port 80, but you want it to be able to leave on any port. So introducing states on the outbound chain might be useful:
Code:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth2 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A OUTPUT -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
So the eth0 and eth1 lines should allow all traffic in and out on those two interfaces. The INPUT line for eth2 should only allow traffic heading for port 80, where hopefully your web server is listening. The OUTPUT line for eth2 allows any packets that have the ESTABLISHED or RELATED states, which basically means they have to be in response to an established connection. Since only port 80 accepts incoming connections, that should mean that it will be the only thing generating ESTABLISHED or RELATED packets.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
