LinuxQuestions.org > Linux - Security > Help with IPtable Rules
(http://www.linuxquestions.org/questions/linux-security-4/help-with-iptable-rules-124237/)

aqoliveira 12-09-2003 11:23 AM

Help with IPtable Rules
 
Howzit

I'm trying to set up a FW with iptables. I understand the rules and how to set them up. This is the problem that I have; let me break it down. I have a box that is a FW/Gateway with 2 NICs: 1 = private network (192.168.0.0), 2 = public network (fixed IP). The network has 2 boxes: 1 W2K, 1 RH.

My gateway has an IP of 192.168.0.1
My W2K has IP of 192.168.0.2
My RH has IP of 192.168.0.3.

These are my iptables rules. Forget about my services, it's just a test for now. Is it safe enough, and are my other machines protected?

# Generated by iptables-save v1.2.7a on Tue Dec 9 15:27:02 2003
*nat
:PREROUTING ACCEPT [13137:752677]
:POSTROUTING ACCEPT [12:1192]
:OUTPUT ACCEPT [34:2637]
[32:1925] -A POSTROUTING -j SNAT --to-source (fixed ip)
[0:0] -A POSTROUTING -o eth1 -j SNAT --to-source (fixed ip)
COMMIT
# Completed on Tue Dec 9 15:27:02 2003
# Generated by iptables-save v1.2.7a on Tue Dec 9 15:27:02 2003
*filter
:INPUT DROP [377:61312]
:FORWARD ACCEPT [102:10179]
:OUTPUT ACCEPT [3368:381403]
[26:2300] -A INPUT -i lo -j ACCEPT
[3146:246200] -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
[1:60] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
[484:92062] -A INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Dec 9 15:27:02 2003

Thanking everyone for their input

chow

TheIrish 12-09-2003 12:41 PM

Hi,
first of all
Quote:

These are my iptables rules. Forget about my services, it's just a test for now. Is it safe enough, and are my other machines protected?
I can't understand what you mean in the line above (probably I'm just going stupid).

Well, first of all...
Code:

-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
This rule is not safe at all. If you want to stop people from the outside opening a connection, you should not trust IP addresses at all. Add the interface to this rule.
Example:
if eth0 is your NIC for the private network...
Code:

-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
This is safe enough.
Then you have to add (if you wish to) the rules regarding what you can catch from the web.
If I were you, I'd set to DROP the OUTPUT and FORWARD too and try to get some documentation about the ports you need to make all your services work.

aqoliveira 12-10-2003 04:25 AM

howzit

Thanks for the quick response, but can you explain this a little further:

Quote:

If I were you, I'd set to DROP the OUTPUT and FORWARD too and try to get some documentation about the ports you need to make all your services work.
chow

TheIrish 12-10-2003 10:00 AM

Well, everything depends on what you need. Let's assume the gateway gives the LAN access to the Internet.
eth0 is linked to the LAN and eth1 is linked to the Internet.
So let's set the FORWARD policy to DROP.
Code:

iptables -P FORWARD DROP
Now, let's decide which services the clients need.
Code:

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT  #enable www requests out
Code:

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -j ACCEPT #enable ftp requests out
Now, here's the problem: the answers will be dropped. So, without allowing everything to be forwarded, you can use this rule.
Code:

iptables -A FORWARD -i eth1 -o eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT #any connection started from the lan, can get their answer
Quick explanation:
ESTABLISHED means that if you started the connection, you'll get the answer.
RELATED: if a connection needs other ports, these are RELATED; example: passive FTP.
You should then do the same with the OUTPUT.

Using these rules you can avoid traffic generated by applications you don't know (Windows spyware, many worms, etc.).
By adding some LOG rules checking the most vulnerable ports, you can also detect the presence of possible worms in your LAN.
Another interesting thing is that, using this technique, you can reduce the risks from buggy programs on the clients.
If you need more, let us know.
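Putting TheIrish's two suggestions together (an SSH rule qualified by interface as well as address, and FORWARD/OUTPUT set to DROP with stateful return rules plus LOG rules) as one complete ruleset. This is an added example, not code from the thread or from either poster. It assumes eth0 is the LAN side, eth1 the Internet side, the LAN is 192.168.0.0/24, and PUBLIC_IP stands in for the poster's fixed address (203.0.113.10 is an RFC 5737 documentation placeholder). It goes a little beyond the thread: the SNAT rule is restricted to the public interface (the original rule without -o also rewrote traffic going back into the LAN), anti-spoofing rules reject LAN addresses arriving on the wrong interface, and dropped packets go through a rate-limited LOGDROP chain so a port scan cannot fill the disk with log lines. The script prints the rules in iptables-restore format unless run as `sh gateway.sh apply`, so they can be reviewed before being loaded.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset for the two-NIC gateway discussed above.
# Assumptions (not from the thread): LAN on eth0, Internet on eth1, LAN subnet
# 192.168.0.0/24, public address in PUBLIC_IP (203.0.113.10 is a placeholder).
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"

# Print the complete ruleset in iptables-restore format to stdout.
gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite only LAN traffic leaving on the public interface.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $PUBLIC_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# Log (rate-limited), then drop.
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
# Loopback, and replies to anything the gateway itself started.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: LAN addresses are only valid on the LAN interface.
-A INPUT -i $WAN_IF -s $LAN_NET -j LOGDROP
-A INPUT -i $LAN_IF ! -s $LAN_NET -j LOGDROP
# SSH to the gateway from the LAN only: address AND interface.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j LOGDROP
# Forwarding: replies back to the LAN, then only the services the clients need.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -s $LAN_NET -j LOGDROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
# Worm detection: a LAN host trying to reach NetBIOS/SMB ports outside is suspicious.
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp -m multiport --dports 135,139,445 -j LOG --log-prefix "FW-SMB-OUT: "
-A FORWARD -j LOGDROP
# The gateway's own outbound traffic: DNS, HTTP(S) for updates, NTP.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 53,80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -j LOGDROP
COMMIT
EOF
}

# Policy of a filter-table chain (INPUT or FORWARD) in the generated ruleset.
chain_policy() {
    gateway_rules | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}

# Number of rules whose final target is the given one, e.g. count_target DROP.
count_target() {
    gateway_rules | grep -c -- "-j $1\$"
}

case "${1:-}" in
    apply)
        # Forwarding is off by default; the rules above are pointless without it.
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # RELATED for FTP data connections needs the conntrack helper (2.4 / 2.6 names).
        modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
        gateway_rules | iptables-restore ;;
    *)
        gateway_rules ;;
esac
```

Order matters: the ESTABLISHED,RELATED rules sit first in each chain so that the long-lived traffic is matched by one rule, the anti-spoofing rules come before any ACCEPT that trusts a source address, and the catch-all LOGDROP is last so a chain's DROP policy is never reached silently.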

