Hi there,

We have changed our router setup, and our server that was once protected by our router firewall is now in a dmz type of setup.

How do I setup iptables to work with an internal ip, that gets forwarded from and external ip. Do I filter by just the port? Or just the internal or external ip w/ the port?

Any good references?

What iptables are you refering to? The iptables on the server itself?

Yes the program "iptables".

I usually use firewall builder to create the rules.
Usually the ips are external static. So it's easy.

This one has an internal ip of 192.168.X.X

Where do I go from here?

What services are running on the box? It's basically just a matter of filtering incoming packets that aren't destined to any of those services, and also preventing any outgoing connections (unless you need the box to establish connections for some reason).

I don't care what goes out of the box, i usually let everything out.

What I need in, is 22, 25, 80, 443

Everything else, I just want dropped.

Wow, that sucks.

Cool, then something like this should work fine:You'd need to add to it if you want to restrict connections in some way. Like, say for example you don't want to allow fellow machines on the DMZ to connect to the server, etc.

Can you tell me why I wouldn't want to let everything out? There are only two people who "do" anything on the box, which is me and the boss. Is there another reason why I wouldn't want to have that?

Sure, I can give you an example: Let's say your Apache daemon gets cracked, but the cracker is not able to achieve privilage escalation. If you have firewalled outgoing connections, the damage will be somewhat contained, as she won't be able to connect to other machines on your DMZ/LAN/WAN. But if you had no outgoing firewall rules, she can now use her non-root privilages as a launchpad for other cyber attacks on your DMZ/LAN/WAN.

The point is, if there is no reason for your server to start connections on its own, then you can have your firewall make sure that doesn't happen. And you can also have it let you know whenever something on the server does indeed try to establish an outgoing connection.

Good point....

Sorry to be such a newb at this...

How do you stop the external connections? This wouldn't stop other connections such as port 80 from going out then would it?

The example I posted would prevent any outgoing connections from being made, and it would log whenever an attempt to establish one is made. This has no effect on incoming connections, as they will be served well thanks to the OUTPUT rule allowing outgoing packets of states RELATED/ESTABLISHED. We just don't want any packets that are *not* RELATED/ESTABLISHED to exit the box, unless we made exceptions for them.

excellant. this takes care of my short term problem. I guess I need to go learn how to do all this one my own now. I really appreciate, thanks a lot.

You're very welcome. If you need any more help with this let us know.

Looks like I'll take you up on your offer.....

Here's my current rules:

</code>
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state RELATED, ESTABLISHED -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
iptables -A INPUT -j LOG --log-prefix "OUTPUT DROP: "
iptables -A INPUT -p icmp -j ACCEPT

iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 2401 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 3306 -s xxx.xxx.xxx.xxx -j ACCEPT
</code>

I need this to be able to connect to an external server that is used for a databases. I thought just putting line 3: in there, that it'd be able to connect externaly, but it doesn't allow it. Also I do need this server to send out emails and that is not working.

Am I way off base here with these rules? Or just missing something?

The rules work fine for the most part though, when you do an nmap, only ports 22, 25 (closed for some reason), 80, 443, 2401 show up.

I am able to connect to all those ports, minus 25. I just can't get out from the server.

Thanks,

Okay, got the mysql issue straightened out, so far.

Here's the updated IPTABLES.

<code>
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
iptables -A INPUT -j LOG --log-prefix "OUTPUT DROP: "
iptables -A INPUT -m state --state RELATED, ESTABLISHED -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 2401 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s <mysql_server> -j ACCEPT

iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
</code>

It seems to have fixed the mysql problem, but I'm left with the sendmail not sending messages out. They are going straight to /var/spool/clientmqueue/ Also, when I do an nmap, it shows that port 25 - closed. How can I open this up to allow mail out.

default deny 4tw!