LinuxQuestions.org > Linux - Security > iptables rules
https://www.linuxquestions.org/questions/linux-security-4/iptables-rules-5878/

hazza96 08-26-2001 11:17 AM

iptables rules
 
I have a Mandrake 8.0 server that runs several services:
1. Samba for all the internal Windows clients.
2. Forwarding DNS server.
4. DHCP server for all the Windows clients.
4. Telnet.
5. Webmin.
6. On-demand ppp connection for modem sharing.
7. squid proxy (planned for the future).

What I want to do is find a tool that will create iptables rules for me based on my answers to questions. I have not been able to find any; they are all for ipchains.

I have really, really tried to read the HOWTOs for iptables and ended up more confused than ever.

Can anyone give me some iptables rules that will allow any connection from the 192.168.1.0 (eth0) network to the above services and forward just about everything else to the ppp connection (including ICQ)?

jrmann1999 08-27-2001 11:20 AM

Here goes, hope this helps.

#!/bin/sh
# Flush old rules and delete old user chains first; otherwise re-running the
# script fails at "-N" because the chains already exist.
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F

/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#^---- This does your outbound Masquerade that will send it to
# your ppp0 interface (if it's your default route).
# Masquerading only rewrites addresses; the kernel must also be told to
# forward packets between eth0 and ppp0 at all:
echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/iptables -N tcp-table
/sbin/iptables -N udp-table
/sbin/iptables -N icmp-table

/sbin/iptables -P INPUT DROP
#^---- Anything not accepted below is logged and then dropped.
/sbin/iptables -A INPUT -i lo -j ACCEPT
#^---- Local daemons talking to 127.0.0.1 (e.g. the resolver) need this.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#/sbin/iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
# ^---This is a BAD idea, but a crude way to accept everything your
# private subnet sends to the firewall itself (INPUT does not govern
# forwarded traffic). Substitute your own LAN, e.g. -i eth0 -s 192.168.1.0/24.
/sbin/iptables -A INPUT -p tcp -j tcp-table
/sbin/iptables -A INPUT -p udp -j udp-table
/sbin/iptables -A INPUT -p icmp -j icmp-table

# These services are open on every interface, including ppp0. Add
# "-i eth0" to a rule to restrict that service to the LAN.
/sbin/iptables -A tcp-table -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A tcp-table -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A tcp-table -p tcp --dport 80 -j ACCEPT
#/sbin/iptables -A tcp-table -p tcp --dport 113 -j ACCEPT
#^--- Enable only for auth services
/sbin/iptables -A tcp-table -p tcp -m limit --limit 5/min -j LOG --log-prefix "Netfilter(tcp): "
#^--- Nothing matched: log it (rate-limited so a port scan cannot fill the
# disk) and fall back to the INPUT policy, which drops it.

/sbin/iptables -A udp-table -p udp --dport 53 -j ACCEPT
/sbin/iptables -A udp-table -p udp --dport 89 -j ACCEPT
#^--- udp/89 is not a common service port; check that it is one you
# actually serve and replace it with the ports you need.
/sbin/iptables -A udp-table -p udp -m limit --limit 5/min -j LOG --log-prefix "Netfilter(udp): "

# 0 echo-reply, 3 destination-unreachable, 5 redirect, 11 time-exceeded.
# Echo-request (8) is deliberately absent, so the box will not answer pings.
/sbin/iptables -A icmp-table -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A icmp-table -p icmp --icmp-type 3 -j ACCEPT
/sbin/iptables -A icmp-table -p icmp --icmp-type 5 -j ACCEPT
#^--- Accepting redirects lets any host on the link rewrite your routes;
# drop this line unless you really need it.
/sbin/iptables -A icmp-table -p icmp --icmp-type 11 -j ACCEPT
/sbin/iptables -A icmp-table -p icmp -m limit --limit 5/min -j LOG --log-prefix "Netfilter(icmp): "


Hope these help. To add more services (say, to the tcp table) just add a similar entry and change the --dport to the correct port. And definitely FIND OUT HOW THESE WORK before you implement them.

J
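The reply above is a generic template; the original question asked for something tighter: LAN clients may reach the listed services, nothing on the modem link may, and everything else is forwarded out over ppp. The script below is an added example written for this thread, not jrmann1999's rules or anything posted by hazza96. It assumes the LAN is 192.168.1.0/24 on eth0, the dial-up link is ppp0, and the services are Samba (tcp/139, udp/137-138), DNS (53), DHCP (udp/67), telnet (23), Webmin (tcp/10000) and a future squid (tcp/3128). The port list and interface names are the assumptions to adjust. Run it as `sh fw.sh apply`, or `sh fw.sh dry-run` to print the iptables commands without loading them.

```shell
#!/bin/sh
# Added example for this thread (not jrmann1999's rules). Assumptions: LAN is
# 192.168.1.0/24 on eth0, the dial-up link is ppp0, and the box runs Samba, a
# forwarding DNS server, a DHCP server, telnet, Webmin (tcp/10000) and later
# squid (tcp/3128). "apply" loads the rules; "dry-run" prints them (IPT=echo).
IPT="${IPT:-/sbin/iptables}"
LAN_IF="eth0"
LAN_NET="192.168.1.0/24"
WAN_IF="ppp0"
LAN_TCP_PORTS="23 53 139 3128 10000"   # telnet, DNS, Samba (add 445 for Samba 3.x), squid, Webmin
LAN_UDP_PORTS="53 137 138"             # DNS, NetBIOS name and datagram service

build_rules() {
    # Start clean so the script can be re-run; policy DROP on INPUT and FORWARD
    # means anything not listed below is dropped.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies (and related ICMP errors) for connections this box
    # or a LAN client opened. This is what lets the forwarding DNS server and
    # the masqueraded clients get their answers back over ppp0.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN-only services. Each rule matches the interface AND the subnet, so a
    # packet on ppp0 with a forged 192.168.1.x source still hits the DROP policy.
    for p in $LAN_TCP_PORTS; do
        $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$p" -j ACCEPT
    done
    for p in $LAN_UDP_PORTS; do
        $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport "$p" -j ACCEPT
    done
    # A DHCP DISCOVER comes from 0.0.0.0, so the server port is matched on the
    # interface alone.
    $IPT -A INPUT -i "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    # LAN hosts may ping the gateway; echo requests arriving on ppp0 are dropped.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT

    # Forwarding: LAN -> modem and the replies back. Nothing that originates on
    # ppp0 is forwarded, so the Windows clients are not reachable from outside.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Log what falls through to the policy, rate-limited so a scan cannot fill
    # /var/log/messages.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "Netfilter(in): "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "Netfilter(fwd): "
}

enable_forwarding() {
    # MASQUERADE only rewrites addresses; routing between eth0 and ppp0 has to
    # be switched on separately.
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    apply)   build_rules && enable_forwarding ;;
    dry-run) IPT=echo; build_rules ;;
esac
```

Two things worth checking before trusting it: telnet and Webmin (unless Webmin is switched to SSL) carry passwords in clear, so the `-i eth0` match is what keeps them off the modem link, and the ESTABLISHED,RELATED rule is what lets ICMP destination-unreachable errors for live connections through, which the ppp link needs for path MTU discovery. Run `sh fw.sh dry-run` and read the output before `apply`.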

hazza96 08-28-2001 11:31 PM

Thanks for your reply.

I am starting to understand it now. I took the rules you gave me and started playing with them. Each time I did, I learnt something. I am now working on the rules for my network using those as a base.

The problem I am experiencing is getting ICQ to work.

I can connect to the ICQ network and go 'on-line' etc.; the problem I am having is requesting a chat from someone else that is on-line, or even sending them a file.

The chat isn't that important it's the file sending that I really need. Something I have considered is opening a particular port and setting ICQ to that.

Anyone know of a less vulnerable port? Or a different solution?
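"Opening a particular port and setting ICQ to that" on a masquerading gateway means a DNAT port forward: inbound connections on the chosen port are rewritten to the one Windows client that runs ICQ, and the FORWARD chain is told to let that flow through. The snippet below is an added example for this thread, not code from either poster. It assumes the same eth0/ppp0 layout as above, that the client is 192.168.1.10, and that ICQ is set to listen on TCP 4000; all three are assumptions. It is meant to be added to a rule set whose FORWARD policy is DROP and that already accepts ESTABLISHED,RELATED replies.

```shell
#!/bin/sh
# Added example, not from the thread: forward one chosen TCP port from the
# dial-up link to the Windows client running ICQ, so a peer can open the direct
# connection ICQ uses for chat and file transfer. Set IPT=echo to print instead
# of load. Host and port are assumptions.
IPT="${IPT:-/sbin/iptables}"
WAN_IF="ppp0"
LAN_IF="eth0"
ICQ_HOST="192.168.1.10"   # assumed: the client that runs ICQ
ICQ_PORT="4000"           # assumed: whatever the ICQ client is set to listen on

forward_port() {
    host="$1"
    port="$2"
    # Rewrite the destination before the routing decision...
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$host:$port"
    # ...then permit only new connections to that one host:port through FORWARD
    # (replies are already covered by an ESTABLISHED,RELATED rule).
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$host" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

if [ "${1:-}" = apply ]; then
    forward_port "$ICQ_HOST" "$ICQ_PORT"
fi
```

The port number itself is not what makes this more or less vulnerable: whatever is forwarded, the ICQ client's listener on that Windows box becomes reachable from the whole Internet. The DNAT narrows the exposure to exactly one host and one port, and the `-m state --state NEW` match keeps the hole from doubling as a path for anything else.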

hazza96 09-09-2001 11:16 AM

I got ICQ to work.

I found that it wasn't my firewall at all but the firewall of the guy that I was trying to chat/send file to.

