LinuxQuestions.org
Old 12-09-2003, 11:23 AM   #1
aqoliveira
Member
 
Registered: Dec 2001
Location: Portugal
Distribution: /Red Hat/Fedora/Solaris
Posts: 620

Rep: Reputation: 30
Help with IPtable Rules


Howzit

I'm trying to set up a FW with iptables. I understand the rules and how to set them up. This is the problem that I have; let me break it down. I have a box that is a FW/Gateway with 2 NICs: 1 = private network (192.168.0.0), 2 = public network (fixed IP). The network has 2 boxes: 1 W2K, 1 RH.

My gateway has an IP of 192.168.0.1
My W2K has IP of 192.168.0.2
My RH has IP of 192.168.0.3.

These are my iptables rules. Forget about my services, it's just a test for now. Is it safe enough, and are my other machines protected?

# Generated by iptables-save v1.2.7a on Tue Dec 9 15:27:02 2003
*nat
:PREROUTING ACCEPT [13137:752677]
:POSTROUTING ACCEPT [12:1192]
:OUTPUT ACCEPT [34:2637]
[32:1925] -A POSTROUTING -j SNAT --to-source (fixed ip)
[0:0] -A POSTROUTING -o eth1 -j SNAT --to-source (fixed ip)
COMMIT
# Completed on Tue Dec 9 15:27:02 2003
# Generated by iptables-save v1.2.7a on Tue Dec 9 15:27:02 2003
*filter
:INPUT DROP [377:61312]
:FORWARD ACCEPT [102:10179]
:OUTPUT ACCEPT [3368:381403]
[26:2300] -A INPUT -i lo -j ACCEPT
[3146:246200] -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
[1:60] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
[484:92062] -A INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Dec 9 15:27:02 2003

Thanking everyone for their input

chow
 
Old 12-09-2003, 12:41 PM   #2
TheIrish
Member
 
Registered: Oct 2003
Location: ITALY
Distribution: Debian, Ubuntu, Fedora
Posts: 137

Rep: Reputation: 15
Hi,
first of all
Quote:
This is my iptables rules forget about my service its just a test for now is it safe enough and r my other machines protected?
I can't understand what you mean in the line above (probably I'm just going stupid).

Well, first of all...
Code:
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
this rule is not safe at all. If you want to prevent people from the outside from opening a connection, you should not trust IP addresses at all. To this rule, add the interface.
Example:
if eth0 is your NIC for the private network...
Code:
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
This is safe enough.
Then you have to add (if you wish to) the rules regarding what you can catch from the web.
If I were you, I'd set to DROP the OUTPUT and FORWARD too and try to get some documentation about the ports you need to make all your services work.
 
Old 12-10-2003, 04:25 AM   #3
aqoliveira
Member
 
Registered: Dec 2001
Location: Portugal
Distribution: /Red Hat/Fedora/Solaris
Posts: 620

Original Poster
Rep: Reputation: 30
howzit

Thanks for the quick response, but can you explain this a little further:

Quote:
If I were you, I'd set to DROP the OUTPUT and FORWARD too and try to get some documentation about the ports you need to make all your services work.
chow
 
Old 12-10-2003, 10:00 AM   #4
TheIrish
Member
 
Registered: Oct 2003
Location: ITALY
Distribution: Debian, Ubuntu, Fedora
Posts: 137

Rep: Reputation: 15
Well, everything depends on what you need. Let's assume the gateway gives the LAN access to the internet.
eth0 is linked to the LAN and eth1 is linked to the internet.
so let's turn FORWARD policy to DROP.
Code:
iptables -P FORWARD DROP
Now, let's decide which services the clients need.
Code:
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT  #enable www requests out
Code:
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -j ACCEPT #enable ftp requests out
Now, here's the problem. The answer will be dropped. So, without allowing everything to be forwarded, you can use this rule.
Code:
iptables -A FORWARD -i eth1 -o eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT #any connection started from the lan, can get their answer
Quick explanation:
ESTABLISHED means if you started the connection you'll get the answer.
RELATED if a connection needs other ports, these are RELATED; example: passive ftp.
You should then do the same with the OUTPUT.

Using these rules you can avoid traffic generated by applications you don't know (windows spyware, many worms etc).
Adding some LOG rules checking most vulnerable ports you can also detect the presence of possible worms in your lan.
Another interesting thing is that, using this technique, you can reduce the risks from buggy programs on the clients.
If you need more, let us know
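The advice from posts #2 and #4 assembled into one iptables-restore ruleset, as an added example that is not code from the thread. It assumes the LAN is 192.168.0.0/24 on the first interface argument, the public side is the second with the fixed address as the third (203.0.113.5 below is a constructed placeholder), and it adds outbound DNS, which the clients need before any www request can be made. The ruleset is only printed; `lint_rules` applies post #2's point as a check.

```shell
#!/bin/sh
# Added example, not from the thread: emit the advice from posts #2 and #4 as one
# iptables-restore ruleset. Assumptions: LAN on $1 (192.168.0.0/24), public side
# on $2 with fixed address $3. The ruleset is printed, not applied.
gen_rules() {
    lan_if=$1; wan_if=$2; wan_ip=$3; lan_net=192.168.0.0/24
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# SNAT only on the public interface: without -o the rule also rewrites
# packets headed back into the LAN.
-A POSTROUTING -o $wan_if -s $lan_net -j SNAT --to-source $wan_ip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from the LAN: the interface is matched too, so a packet carrying a
# forged 192.168.0.x source that arrives on $wan_if is still dropped.
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $wan_if -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $wan_if -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Clients: DNS plus the www and ftp examples from post #4; replies return via
# ESTABLISHED,RELATED (RELATED covers the ftp data channel once the ftp
# conntrack helper is loaded).
-A FORWARD -i $lan_if -o $wan_if -p udp --dport 53 -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Post #2's point as a check over a ruleset read from stdin: every ACCEPT that
# trusts a 192.168.0.0/* source must also pin the interface it may arrive on.
lint_rules() {
    if grep -- '-j ACCEPT' | grep -- '-s 192.168.0.0/' | grep -q -v -- '-i '; then
        return 1    # found a LAN-source ACCEPT with no -i match
    fi
    return 0
}
```

To apply it on the gateway, pipe the output into `iptables-restore` as root after reviewing it; the original post's SSH rule fails `lint_rules`, the generated one passes.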
 