[SOLVED] iptables: Block all traffic on NAT except for port 22 for eth0

Blue_Ice · 01-12-2010, 02:45 PM

Hi all,

I need some help with my iptables configuration. I don't know much about how to configure NAT in iptables. I have been looking for information and examples on the internet, but couldn't find much or at least I thought I couldn't. Below you can find my current iptables rules. You should know that this is on my server at home and I am using it for testing. eth0 is configured to get a dynamic ip address and eth1 has a static ip address. Dhcpd and bind is running on eth1. Now what I actually want is that only port 22 (ssh) is accessable via eth0. All other traffic trying to connect to eth0 should be blocked. Traffic on eth1 should be possible, although I don't know yet which ports should be open as I haven't finished the server yet. Can someone tell me how to do the part for eth0?

Code:

*nat
:PREROUTING ACCEPT [14:1106]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [38:2992]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [10242:993398]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9846:4285563]
-A FORWARD -i eth1 -j ACCEPT
COMMIT

TIA,
Arjan.

saavik · 01-12-2010, 04:12 PM

Quote:

Now what I actually want is that only port 22 (ssh) is accessable via eth0.

iptables -I INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Quote:

All other traffic trying to connect to eth0 should be blocked.

iptables -A INPUT -i eth0 -j DROP

BTW:

I always start with

iptables -F INPUT << This flushes the rules for INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP << This sets the "default" rule to DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

For internel network maybe set the default roule to reject that help keeping the timout low.

Remember to have direct access to the pc where you edit the iptables as it might be hard to always have to reboot the machine because you could not access it remote anymore.

Blue_Ice · 01-12-2010, 05:41 PM

If I try these rules, then nothing seems to work.

Quote:

Originally Posted by saavik

I always start with

iptables -F INPUT << This flushes the rules for INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP << This sets the "default" rule to DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

But your suggestion did help me! Thanks!!!

zhjim · 01-12-2010, 05:51 PM

Quote:

Originally Posted by Blue_Ice

If I try these rules, then nothing seems to work.

(Bad that the rule get not quoted)
As those rules just block everything this might be the explanation.
Also as saavik said this is just the start. It blocks just everything. So everything else needs to be allowed

Code:

iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

to have at least http going (--dport 80 for HTTP traffic).
Maybe allow 53 on tcp and udp to have some DNS traffic.

See /etc/services and check what services you would like to open up to the outer world.
At least you would need
53 tcp/udp for dns
80/443 tcp for http/https

Maybe check out http://www.netfilter.org/ to get a better view of normal usage of iptables

*Edit later*
What I total forgot that iptables STACK
So first deny everything like saavik put in his rules and then allow all you want. First iptables rule of his post.

chrism01 · 01-12-2010, 06:33 PM

Just to clarify, 'DENY' is a rule(!) specific option, and the opposite of 'ACCEPT'.
'DROP' is a table(!) default Policy ie if a pkt fails to match any rule in the table, then this option then applies...
IOW, rule options and table options are 2 different things.