Help with IPtable Rules

aqoliveira · 12-09-2003, 11:23 AM

Howzit

I´m trying to setup a FW with iptables I understand the rules and how in setting up the rules. This is the problem that I have let me break it down. Have a box that is a FW/Gateway with 2 NICs 1= private network (192.168.0.0) 2= public Network (fix IP). Network has 2 box s 1*W2K 1*RH

My gateway has an IP of 192.168.0.1
My W2K has IP of 192.168.0.2
My RH has IP of 192.168.0.3.

This is my iptables rules forget about my service it´s just a test for now is it safe enough and r my other machines protected?

# Generated by iptables-save v1.2.7a on Tue Dec 9 15:27:02 2003
*nat
:PREROUTING ACCEPT [13137:752677]
:POSTROUTING ACCEPT [12:1192]
:OUTPUT ACCEPT [34:2637]
[32:1925] -A POSTROUTING -j SNAT --to-source (fixed ip)
[0:0] -A POSTROUTING -o eth1 -j SNAT --to-source (fixed ip)
COMMIT
# Completed on Tue Dec 9 15:27:02 2003
# Generated by iptables-save v1.2.7a on Tue Dec 9 15:27:02 2003
*filter
:INPUT DROP [377:61312]
:FORWARD ACCEPT [102:10179]
:OUTPUT ACCEPT [3368:381403]
[26:2300] -A INPUT -i lo -j ACCEPT
[[3146:246200] -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
[1:60] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
[484:92062] -A INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Dec 9 15:27:02 2003

Thanking everyone for their input

chow

TheIrish · 12-09-2003, 12:41 PM

Hi,
first of all

Quote:

This is my iptables rules forget about my service it´s just a test for now is it safe enough and r my other machines protected?

I can't understand what you mean in the line above (probably I'm just going stupid).

Well, first of all...

Code:

-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT

this rule is not safe at all. If you want to avoid people from the outside to open a connection you should not trust ip addresses at all. To this rule, add the interface.
Example:
if eth0 is your NIC for the private network...

Code:

-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

This is safe enough.
Then you have to add (if you wish to) the rules reguarding what you can catch from the web.
If I were you, I'd set to DROP the OUTPUT and FORWARD too and try to get some documentation about the ports you need to make all your services work.

aqoliveira · 12-10-2003, 04:25 AM

howzit

thanks for a quick response but can u explain this a little futher:

Quote:

If I were you, I'd set to DROP the OUTPUT and FORWARD too and try to get some documentation about the ports you need to make all your services work.

chow

TheIrish · 12-10-2003, 10:00 AM

Well, everything depends on what you need. Let's assume the gaway give access to the internet to the LAN.
eth0 is linked to the lan and eth1 in linked to the internet.
so let's turn FORWARD policy to DROP.

Code:

iptables -P FORWARD DROP

Now, let's decide which services the clients need.

Code:

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT  #enable www requests out

Code:

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -j ACCEPT #enable ftp requests out

Now, here's the problem. The answer will be dropped. So, avoiding everything to be forwarded, you can use this rule.

Code:

iptables -A FORWARD -i eth1 -o eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT #any connection started from the lan, can get their answer

Quick explaination :
ESTABLISHED means if you started the connection you'll get the answer.
RELATED if a connection needs other ports, these are RELATED; example: passive ftp.
You should then do the same with the OUTPUT.

Using these rules you can avoid traffic generated by applications you don't know (windows spyware, many worms etc).
Adding some LOG rules checking most vulnerable ports you can also detect the presence of possible worms in your lan.
Another interesting thing is, using this technique you can reduce the risks of buggy programs in the clients.
If you need more, let us know