Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm attempting to rewrite my firewall script, as quite frankly my old one is really, really basic and it's causing me no end of hassle.
I wanted to configure:
1) My ppp0 connection (broadband) to be shared with the other computers on my local network (eth0).
2) Drop everything by default, and only accept packets I want to accept.
So I did a bit of googling and came up with this (which I wrote myself):
Code:
#!/bin/sh
# Clear existing rules and user-defined chains in the filter and nat tables
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# Set up gateway: NAT the LAN behind ppp0, forward traffic arriving on eth0, enable routing
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow the loopback interface to be used by local machine
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Allow established connections (matched on eth0 only)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# TCP option 2 is Maximum Segment Size (MSS), normally carried only in SYN segments
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
# Allow FTP Access
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i ppp0 --dport 21 -j ACCEPT
# Allow SSH Access
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i ppp0 --dport 22 -j ACCEPT
# Allow Apache Access
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i ppp0 --dport 80 -j ACCEPT
# Allow Local Samba Connections (NetBIOS name, datagram and session services)
iptables -A INPUT -p tcp -i eth0 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 137 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 138 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 138 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 139 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 139 -j ACCEPT
# Allow IMAP Access
iptables -A INPUT -p tcp -i eth0 --dport 143 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 143 -j ACCEPT
iptables -A INPUT -p udp -i ppp0 --dport 143 -j ACCEPT
# Allow SMTP Access
iptables -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 25 -j ACCEPT
iptables -A INPUT -p udp -i ppp0 --dport 25 -j ACCEPT
# DROP anything else: default policy for the INPUT chain
iptables -P INPUT DROP
It works in a way, as I can ssh from my local network to my server, I can get to my webserver LOCALLY only, and not from my domain name. And I can see my samba shares and access them. However, it does not allow me to share the internet connection. And this is a pain in the arse. Any help appreciated. The four entries for each port number were my attempt to allow both local and remote (through the broadband from outside) access to services I have running.
Sorry to be a complete dumbass, but please elaborate a little... Is my existing script OK? Do I add that rule or replace one with it?
IPTables is still one of those things that gets me down. I don't understand it, and I can't seem to find a "simple" walkthrough explaining how it works.
I'm by no means a Linux noob, I've been at it for two years now, and have everything except security sorted. I run my own mail server, samba server, apache server, dns server, you name it... But it's all at risk as my firewall script sucks.
All I want to do is to share out my Internet connection (PPP0) and allow only those ports that I specify to be available from the outside, i.e. port 80 for apache, port 22 for ssh connections. My local LAN (eth0, 192.168.7.*) should be allowed full access to all services. I've a wireless laptop and my gaming desktop that I use, so those two would not need to be affected by the wall. I would like to drop ANY packets incoming from the internet other than those that I allow. From what I've read this is the best, most secure way of doing things.
As I wrote: you can replace your rule or add the second rule to the existing ones. If in any doubt, just write "iptables --append FORWARD -j ACCEPT" in place of your "iptables --append FORWARD --in-interface eth0 -j ACCEPT".
Location: Nowhere Special (if you don't get it, rent Blazing Saddles) | Distribution: Gentoo Linux | Posts: 63
In case you were wondering, and I have a question too
This is my very first post on linuxquestions.org, by the way.
Haha, I like that one...
ANYWAYS!
Just so you know, for startup scripting purposes it's very inefficient to have every single command typed out in a bash script like that. Instead use
Code:
iptables-save > /path/to/saved-rules
to save at shutdown and
Code:
iptables-restore < /path/to/saved-rules
to load at startup. BE SURE to disable read and write access for all users other than root on this saved rules file.
Now for my question. In the man page of iptables, and in your script for that matter, there's a switch in there called --tcp-option ! 2. The manual does not tell you exactly what it does -- only how to use it. That's what you get for reading man pages, so what the heck does it do anyway?
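The save-at-shutdown, restore-at-startup step and the permission warning in the post above, as an added example that is not the poster's own commands: the saved file is created with mode 600 from the start (not chmod'ed afterwards, so it is never briefly world-readable), and the restore side refuses to load a rules file that is writable by anyone else or not owned by the user doing the restore (root at boot), since a writable rules file would let any local user rewrite the firewall on the next reboot. The path /etc/iptables.rules, the save/restore arguments and the IPTABLES_SAVE / IPTABLES_RESTORE overrides are assumptions made for this example; the permission check relies on GNU coreutils stat.

```shell
#!/bin/sh
# Added example (not the poster's code). Persist the running ruleset with
# iptables-save and reload it with iptables-restore, keeping the file root-only.
# Assumptions: GNU "stat -c", the hypothetical path /etc/iptables.rules, and the
# command names below (overridable so the functions can be exercised without root).

RULES_FILE=${RULES_FILE:-/etc/iptables.rules}
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}

# Write the current ruleset to a temporary file created with mode 600 (umask 077
# in a subshell), then move it into place atomically.
save_rules() {
    file=${1:-$RULES_FILE}
    tmp="$file.tmp.$$"
    ( umask 077; "$IPTABLES_SAVE" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp"
    mv -f "$tmp" "$file"
}

# Refuse a rules file that is readable or writable by anyone but its owner,
# that is not owned by the user running the restore, or that does not look like
# iptables-save output (its first line is a "# ..." comment or a "*table" marker).
check_rules_file() {
    file=$1
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    mode=$(stat -c %a "$file")
    owner=$(stat -c %u "$file")
    case "$mode" in
        600|400) ;;
        *) echo "$file: mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
    [ "$owner" -eq "$(id -u)" ] || { echo "$file: owned by uid $owner, not by the restoring user" >&2; return 1; }
    head -n 1 "$file" | grep -q '^[#*]' || { echo "$file: not iptables-save output" >&2; return 1; }
}

# Load the file only after it passed the checks above. iptables-restore applies
# the whole table at once, so a rejected line leaves the old rules untouched.
restore_rules() {
    file=${1:-$RULES_FILE}
    check_rules_file "$file" || return 1
    "$IPTABLES_RESTORE" < "$file"
}

case "${1:-}" in
    save)    save_rules ;;      # e.g. from a shutdown script
    restore) restore_rules ;;   # e.g. from a startup script
esac
```

Run as root with "save" at shutdown and "restore" at startup; any message on stderr from the restore side means the file was tampered with or saved with the wrong permissions and the old rules (or the default policies) are still in force.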
Location: Nowhere Special (if you don't get it, rent Blazing Saddles) | Distribution: Gentoo Linux | Posts: 63
One more thing
This part of your script...
Code:
iptables -A OUTPUT -o lo -p all -j ACCEPT
is redundant, as iptables' default OUTPUT policy is ACCEPT.
And all of the times you allow eth0 access to certain ports: is there a really good reason not to just give eth0 access to all of your ports? If not, then replace those rules with
Code:
iptables -A INPUT -i eth0 -j ACCEPT
So, as Tom Hanks once said, "That's all I have to say about that."
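The policy the original poster describes (share ppp0 with the LAN, DROP by default, only ports 22 and 80 reachable from the internet, full access from the 192.168.7.* LAN on eth0), the suggested FORWARD change, and the single "accept everything from eth0" rule from the last reply, brought together as an added example that is not any poster's code. It emits the whole ruleset in iptables-restore format rather than one iptables command per rule, so it can be reviewed or diffed before it is loaded and is applied in one atomic step. Instead of a single unconditional FORWARD ACCEPT it forwards only traffic from the LAN out through ppp0 and lets the replies back in via state matching, so nothing on the internet can reach LAN hosts through the gateway. The interface names and LAN network are taken from the thread; the variable names, the port list and the show/apply arguments are assumptions for this example.

```shell
#!/bin/sh
# Added example (not the poster's script). Generate the requested gateway policy
# in iptables-restore format. Assumed from the thread: LAN on eth0 (192.168.7.0/24),
# broadband on ppp0, ssh and http reachable from outside. Everything else is
# an assumption for this example. "sh fw.sh show" prints, "sh fw.sh apply" loads.

LAN_IF=eth0
WAN_IF=ppp0
LAN_NET=192.168.7.0/24
PUBLIC_TCP_PORTS="22 80"   # the only services reachable from ppp0

# Print the complete ruleset. Kept as a function so the text can be inspected
# (or diffed against "iptables-save" output) before anything is changed.
build_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
EOF
    # Only new connections to the listed TCP ports are accepted from the internet;
    # there is deliberately no UDP rule for ppp0, unlike the original script.
    for p in $PUBLIC_TCP_PORTS; do
        echo "-A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Forwarding: replies to LAN-initiated connections come back in, LAN hosts
    # may go out, and nothing else crosses the box.
    cat <<EOF
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Load the tables atomically; if any line is rejected, nothing is changed.
apply_rules() {
    build_rules | iptables-restore || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    show)  build_rules ;;
    apply) apply_rules ;;
esac
```

The two FORWARD lines are what replaces the blanket "iptables --append FORWARD -j ACCEPT" from the earlier reply: the LAN gets out and its replies get back, but a packet arriving on ppp0 that is not part of a LAN-initiated connection hits the FORWARD DROP policy.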