LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-26-2001, 12:17 PM   #1
hazza96
Member
 
Registered: Apr 2001
Location: Brisbane, Australia
Distribution: Ubuntu
Posts: 146

Rep: Reputation: 15
iptables rules


I have a Mandrake 8.0 server that runs several services:
1. Samba for all the internal Windows clients.
2. Forwarding DNS server.
3. DHCP server for all the Windows clients.
4. Telnet.
5. Webmin.
6. On-demand ppp connection for modem sharing.
7. squid proxy (planned for the future).

What I want to do is find a tool that will create iptables rules for me based on my answers to questions. I have not been able to find any; they are all for ipchains.

I have really really tried to read the HOWTOs for iptables and ended up more confused than ever.

Can anyone give me some iptables rules that will allow any connection from the 192.168.1.0 (eth0) network to the above services and forward just about everything else to the ppp connection (including ICQ)?
 
Old 08-27-2001, 12:20 PM   #2
jrmann1999
Member
 
Registered: Feb 2001
Location: Texas
Distribution: Slackware, Mandrake, LFS
Posts: 306

Rep: Reputation: 30
Here goes, hope this helps.

/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#^---- This does your outbound Masquerade that will send it to
# your ppp0 interface(if it's your default route).
# The kernel only routes LAN packets out at all when forwarding is on:
# echo 1 > /proc/sys/net/ipv4/ip_forward

# User-defined chains; INPUT hands each protocol to its own table below.
/sbin/iptables -N tcp-table
/sbin/iptables -N udp-table
/sbin/iptables -N icmp-table

# Replies to connections this host started (and related ones, e.g. FTP data).
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# (Added to the original post) Loopback has to be open, otherwise local
# programs talking to 127.0.0.1 break once the INPUT policy is DROP.
/sbin/iptables -A INPUT -i lo -j ACCEPT
#/sbin/iptables -A INPUT -s 10.10.0.0/8 -j ACCEPT
# ^---This is a BAD idea, but a crude way to allow out all
# outbound traffic from your private subnet
# (note: this matches packets arriving FROM that subnet, and 10.10.0.0 does
# not fit a /8 mask; 10.0.0.0/8 or 10.10.0.0/16 would)
/sbin/iptables -A INPUT -p tcp -j tcp-table
/sbin/iptables -A INPUT -p udp -j udp-table
/sbin/iptables -A INPUT -p icmp -j icmp-table
# Anything the tables below do not ACCEPT comes back here and is dropped.
/sbin/iptables -P INPUT DROP

# 21 ftp, 22 ssh, 80 http. None of these rules is tied to eth0, so the
# services are reachable from ppp0 as well; add -i eth0 to limit them to the LAN.
/sbin/iptables -A tcp-table -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A tcp-table -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A tcp-table -p tcp --dport 80 -j ACCEPT
#/sbin/iptables -A tcp-table -p tcp --dport 113 -j ACCEPT
#^--- Enable only for auth services
# Everything else tcp is logged, then dropped by the INPUT policy.
/sbin/iptables -A tcp-table -p tcp -j LOG --log-prefix "Netfilter(tcp): "

# 53 dns
/sbin/iptables -A udp-table -p udp --dport 53 -j ACCEPT
/sbin/iptables -A udp-table -p udp --dport 89 -j ACCEPT
/sbin/iptables -A udp-table -p udp -j LOG --log-prefix "Netfilter(udp): "

# 0 echo-reply, 3 destination-unreachable, 5 redirect, 11 time-exceeded.
# Type 8 (echo-request) is not accepted, so this host will not answer ping.
/sbin/iptables -A icmp-table -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A icmp-table -p icmp --icmp-type 3 -j ACCEPT
/sbin/iptables -A icmp-table -p icmp --icmp-type 5 -j ACCEPT
/sbin/iptables -A icmp-table -p icmp --icmp-type 11 -j ACCEPT
/sbin/iptables -A icmp-table -p icmp -j LOG --log-prefix "Netfilter(icmp): "


Hope these help. To add more services (say to the tcp table) just add a similar entry and change the --dport to the correct port, and definitely FIND OUT HOW THESE WORK before you implement them.

J
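A complete rule set for the setup hazza96 describes (LAN 192.168.1.0/24 on eth0, dial-up on ppp0), written as an added example rather than code from either poster: it ties the LAN-only services to the inside interface and source network, adds explicit FORWARD rules with connection tracking, and masquerades only the LAN behind ppp0. The interface names and network come from the thread; the service port numbers (telnet 23, DNS 53, Samba 137-139/445, DHCP 67/68, Webmin 10000) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: a rule set for the setup asked about
# in this thread (LAN 192.168.1.0/24 on eth0, dial-up on ppp0, services for the
# LAN only). Service port numbers are assumptions (Webmin's default is 10000).
# Set IPT=echo to print the rules instead of applying them.
IPT=${IPT:-/sbin/iptables}
LAN_IF=eth0
LAN_NET=192.168.1.0/24
WAN_IF=ppp0
LAN_TCP="23 53 139 445 10000"   # telnet, DNS, Samba (139/445), Webmin
LAN_UDP="53 137 138"            # DNS, NetBIOS name/datagram service

setup_firewall() {
    # Start clean and deny by default on INPUT and FORWARD; OUTPUT stays open.
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections this host itself started.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services for the LAN only: match the inside interface AND the source net,
    # so nothing arriving on ppp0 can reach Samba, telnet or Webmin.
    for p in $LAN_TCP; do
        $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $p -j ACCEPT
    done
    for p in $LAN_UDP; do
        $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport $p -j ACCEPT
    done
    # DHCP: a client without an address yet sends from 0.0.0.0, so no -s here.
    $IPT -A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT

    # Route LAN traffic out the modem link, let only the replies back in,
    # and hide the private addresses behind the ppp0 address.
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
    $IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE

    # Log whatever falls through before the DROP policies take it.
    $IPT -A INPUT -j LOG --log-prefix "Netfilter(input): "
    $IPT -A FORWARD -j LOG --log-prefix "Netfilter(forward): "
}

enable_forwarding() {
    # Without this the kernel will not pass packets between eth0 and ppp0.
    echo 1 > /proc/sys/net/ipv4/ip_forward
}
```

Run `enable_forwarding` and `setup_firewall` as root; `IPT=echo sh -c '. ./fw.sh; setup_firewall'` shows the rules that would be applied without touching the kernel.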
 
Old 08-29-2001, 12:31 AM   #3
hazza96
Member
 
Registered: Apr 2001
Location: Brisbane, Australia
Distribution: Ubuntu
Posts: 146

Original Poster
Rep: Reputation: 15
Thanks for your reply.

I am starting to understand it now. I took the rules you gave me and started playing with them. Each time I did I learnt something; I am now working on the rules for my network using those as a base.

The problem I am experiencing is getting ICQ to work.

I can connect to the ICQ network and go 'on-line' etc. The problem I am having is requesting a chat from someone else that is on-line, or even sending them a file.

The chat isn't that important; it's the file sending that I really need. Something I have considered is opening a particular port and setting ICQ to that.

Anyone know of a less vulnerable port, or a different solution?
 
Old 09-09-2001, 12:16 PM   #4
hazza96
Member
 
Registered: Apr 2001
Location: Brisbane, Australia
Distribution: Ubuntu
Posts: 146

Original Poster
Rep: Reputation: 15
I got ICQ to work.

I found that it wasn't my firewall at all but the firewall of the guy that I was trying to chat/send file to.
 