LinuxQuestions.org
Old 01-12-2010, 03:45 PM   #1
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 352

Rep: Reputation: Disabled
iptables: Block all traffic on NAT except for port 22 for eth0


Hi all,

I need some help with my iptables configuration. I don't know much about how to configure NAT in iptables. I have been looking for information and examples on the internet, but couldn't find much, or at least I thought I couldn't. Below you can find my current iptables rules. You should know that this is on my server at home and I am using it for testing. eth0 is configured to get a dynamic IP address and eth1 has a static IP address. Dhcpd and bind are running on eth1. Now what I actually want is that only port 22 (ssh) is accessible via eth0. All other traffic trying to connect to eth0 should be blocked. Traffic on eth1 should be possible, although I don't know yet which ports should be open as I haven't finished the server yet. Can someone tell me how to do the part for eth0?

Code:
*nat
:PREROUTING ACCEPT [14:1106]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [38:2992]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [10242:993398]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9846:4285563]
-A FORWARD -i eth1 -j ACCEPT
COMMIT

TIA,
Arjan.
 
Old 01-12-2010, 05:12 PM   #2
saavik
Member
 
Registered: Nov 2001
Location: NRW, Germany
Distribution: SLES11 / FC20/ OES / CentOS
Posts: 606

Rep: Reputation: 32
Quote:
Now what I actually want is that only port 22 (ssh) is accessable via eth0.

iptables -I INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Quote:
All other traffic trying to connect to eth0 should be blocked.
iptables -A INPUT -i eth0 -j DROP

BTW:

I always start with

iptables -F INPUT << This flushes the rules for INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP << This sets the "default" rule to DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

For the internal network maybe set the default rule to REJECT; that helps keep the timeout low.

Remember to have direct access to the PC where you edit the iptables, as it might be hard to always have to reboot the machine because you could not access it remotely anymore.
 
Old 01-12-2010, 06:41 PM   #3
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 352

Original Poster
Rep: Reputation: Disabled
If I try these rules, then nothing seems to work.

Quote:
Originally Posted by saavik View Post
I always start with

iptables -F INPUT << This flushes the rules for INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP << This sets the "default" rule to DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
But your suggestion did help me! Thanks!!!
 
Old 01-12-2010, 06:51 PM   #4
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,467
Blog Entries: 11

Rep: Reputation: 184
Quote:
Originally Posted by Blue_Ice View Post
If I try these rules, then nothing seems to work.
(Bad that the rules did not get quoted)
As those rules just block everything, this might be the explanation.
Also, as saavik said, this is just the start. It blocks just everything. So everything else needs to be allowed:
Code:
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
to have at least http going (--dport 80 for HTTP traffic).
Maybe allow 53 on tcp and udp to have some DNS traffic.

See /etc/services and check what services you would like to open up to the outer world.
At least you would need
53 tcp/udp for dns
80/443 tcp for http/https

Maybe check out http://www.netfilter.org/ to get a better view of normal usage of iptables

*Edit later*
What I totally forgot is that iptables rules STACK.
So first deny everything like saavik put in his rules and then allow all you want. First iptables rule of his post.

Last edited by zhjim; 01-12-2010 at 06:57 PM.
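Putting saavik's pieces (SSH-only on eth0, DROP policies) and zhjim's point (rules stack, so everything else must be allowed explicitly) together, here is an added example that is not any poster's own configuration: the full ruleset in iptables-restore format, so it loads atomically instead of flushing with -F while the policy is already DROP. It assumes eth0 is the dynamic WAN side and eth1 the static LAN side running dhcpd and bind, as in the original post; the conntrack state rule and the OUTPUT ACCEPT policy are my choices, not from the thread.

```shell
#!/bin/sh
# Added example (not from any post in this thread): the ruleset the thread
# converges on, emitted in iptables-restore format so it is loaded atomically
# instead of flushing with -F while the policy is DROP (that window is how a
# remote box locks you out). Assumed: eth0 = dynamic WAN side, eth1 = static
# LAN side running dhcpd and bind, as in the original post.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}

ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful rule first: replies to connections this host opened are allowed,
# which is what was missing when "nothing seems to work".
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# The only service reachable on $WAN: SSH. Everything else arriving on $WAN
# falls through to the DROP policy, so no trailing -j DROP rule is needed.
-A INPUT -i $WAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# LAN side: the DHCP server and DNS that run on $LAN.
-A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 53 -j ACCEPT
# Forward LAN -> WAN plus replies only; unsolicited WAN -> LAN hits DROP.
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Self-check: how many ACCEPT rules match packets arriving on the WAN side?
# Exactly one (SSH) means nothing else is exposed there.
wan_accepts() {
  ruleset | grep -c -- "-A INPUT -i $WAN .*-j ACCEPT"
}

case "${1:-}" in
  --apply) ruleset | iptables-restore ;;  # needs root; keep console access
  *)       ruleset ;;
esac
```

Run it without arguments to review the generated rules; `--apply` hands them to iptables-restore, which either loads the whole set or, on a syntax error, changes nothing.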
 
Old 01-12-2010, 07:33 PM   #5
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041
Just to clarify, 'DENY' is a rule(!) specific option, and the opposite of 'ACCEPT'.
'DROP' is a table(!) default Policy, i.e. if a pkt fails to match any rule in the table, then this option applies...
IOW, rule options and table options are 2 different things.