LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 07-19-2006, 11:47 AM   #1
asimov
Member
 
Registered: Oct 2004
Location: Israel
Distribution: Debian
Need help with iptables rules


I've just created a server for my family's use: it serves as an HTTP, SMTP, SSH and FTP server, and it's routing my home LAN.

As Ubuntu Dapper comes with no firewall (policy ACCEPT) by default, I need to configure a firewall asap.

My needs are: the services I've mentioned, and of course, the ability to browse from any of the LAN clients.

1. I've created a script with all my iptables rules, that is launched from /etc/rc.local. Is the interface configured before the execution of rc.local? If so, how can I make the firewall available before the connection to the internet is made?

2. My iptables script is as follows; can you please have a look at it and see if it's OK?

Thanks.

Code:
#!/bin/sh

#Flush The Remains
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F

#Set Policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#loopback can do anything
#(the script never defines $IPTABLES, so call the binary directly)
iptables -A INPUT -i lo -j ACCEPT

#Enable Internet Connection Sharing
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#HTTP OK (the option is --dport, with two dashes)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

#SSH OK
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#SMTP OK
iptables -A INPUT -p tcp --dport 25 -j ACCEPT

#FTP OK (the control channel is TCP 21; port 20 is only the server-side
#source port of active-mode data connections, so accepting it does nothing)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
 
Old 07-19-2006, 02:02 PM   #2
seneschal
LQ Newbie
 
Registered: Jul 2006
Location: Minnesota
Distribution: RHEL, Debian, Ubuntu
You're going to need to add a few rules to explain to IPTables exactly how it should route traffic from your home LAN. I assume that you have one public IP and you're running a DHCP server to assign private IPs to all of your home computers on the LAN. If that's the case, then you should check out some documentation on performing NAT (Network Address Translation) with IPTables (A NAT Tutorial). Once you have that working (or if you already do), you should change the policy on FORWARD to be DROP and add rules allowing only traffic from your LAN to be forwarded out. You don't want to be forwarding arbitrary traffic from the internet. In general, it's best to allow only traffic you know you want through your firewall, not to disallow traffic you don't want.

On a slightly different note, it's very unwise to run FTP, as it sends passwords in cleartext. I recommend disabling the FTP service and using SFTP and/or SCP in its place. Both of those protocols will encrypt all of your traffic.
 
Old 07-19-2006, 03:44 PM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
your best bet is to forget rc.local and instead use the iptables-save command after executing the script manually... then you know it will be working the way it's meant to... rc.local gets executed way too late in the startup process for it to be used for a firewall script... here's a cleaned-up version of your script... execute this and then do an iptables-save once you've confirmed it works well... make sure you don't have any firewall stuff in your rc.local...

Code:
#!/bin/sh

IPT="/sbin/iptables"
WAN_IFACE="eth0"
LAN_IFACE="eth1"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle


$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

###############################################################################
### INPUT Rules (for WAN side):
###############################################################################

# FTP control channel; the data connections only match RELATED if the
# FTP conntrack helper (ip_conntrack_ftp / nf_conntrack_ftp) is loaded.
$IPT -A INPUT -p TCP -i $WAN_IFACE --dport 21 \
-m state --state NEW -j ACCEPT

# Are you 100% sure you want SSH on the WAN side?
$IPT -A INPUT -p TCP -i $WAN_IFACE --dport 22 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i $WAN_IFACE --dport 25 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i $WAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

# Uncomment to allow the WAN side to respond to PINGs:
#$IPT -A INPUT -p ICMP -i $WAN_IFACE --icmp-type 8 ! --fragment \
#-m state --state NEW -j ACCEPT


###############################################################################
### INPUT Rules (for LAN side):
###############################################################################

$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 21 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 22 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 25 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p ICMP -i $LAN_IFACE --icmp-type 8 ! --fragment \
-m state --state NEW -j ACCEPT


###############################################################################
### FORWARD/POSTROUTING Rules:
###############################################################################

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m state --state NEW -j ACCEPT

# Masquerade LAN traffic leaving the WAN interface (routing also needs
# net.ipv4.ip_forward=1, which this script does not set).
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
as you can see, one of the things I changed is your FORWARD policy, because having it set to ACCEPT is a _very_ bad idea...

Last edited by win32sux; 07-22-2006 at 08:56 PM.
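The two points the thread settles on, a default-deny stateful ruleset with FORWARD set to DROP (seneschal's and win32sux's posts) and loading it before the interfaces come up rather than from rc.local (asimov's first question), as one added example. This is not code from the thread: it writes the same kind of ruleset in iptables-restore(8) format so the whole thing is loaded atomically, and hooks it into ifupdown's /etc/network/if-pre-up.d/, which Debian and Ubuntu run before each interface is configured. The interface names eth0/eth1, the file /etc/iptables.rules, the hook name and the choice of publishing SSH only on the LAN side are assumptions for the example; FTP is left out, following seneschal's advice.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's script, not
# win32sux's): build a stateful, default-deny router ruleset in
# iptables-restore(8) format so it can be loaded atomically before the
# first interface comes up, instead of rule-by-rule from rc.local.
#
# Hypothetical assumptions, adjust for your box: WAN = eth0, LAN = eth1,
# rules live in /etc/iptables.rules, and the box uses Debian/Ubuntu
# ifupdown, which runs /etc/network/if-pre-up.d/* before an interface
# is configured.

# gen_rules WAN_IF LAN_IF "wan tcp ports" "lan tcp ports"
# Prints a complete iptables-restore ruleset on stdout.
gen_rules() {
    wan="$1" lan="$2" wan_ports="$3" lan_ports="$4"

    # nat table: masquerade everything leaving the WAN interface.
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        "-A POSTROUTING -o $wan -j MASQUERADE" \
        'COMMIT'

    # filter table: INPUT and FORWARD default to DROP, so only the
    # services listed below get in, and only LAN->WAN traffic is routed.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP'
    for p in $wan_ports; do
        printf '%s\n' "-A INPUT -i $wan -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $lan_ports; do
        printf '%s\n' "-A INPUT -i $lan -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' \
        "-A INPUT -i $lan -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT" \
        '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        "-A FORWARD -i $lan -o $wan -m state --state NEW -j ACCEPT" \
        'COMMIT'
}

# install_rules: write the ruleset and the pre-up hook, then load it.
# Must run as root; SSH (22) is only opened on the LAN side here.
install_rules() {
    rules=/etc/iptables.rules
    hook=/etc/network/if-pre-up.d/iptables
    gen_rules eth0 eth1 "25 80" "22 25 80" > "$rules.new"
    # Parse the file without touching the live rules (--test needs a
    # reasonably recent iptables); a syntax error aborts before the swap.
    iptables-restore --test "$rules.new"
    mv "$rules.new" "$rules" && chmod 600 "$rules"
    cat > "$hook" <<'EOF'
#!/bin/sh
# Restore the firewall before any interface is configured.
/sbin/iptables-restore < /etc/iptables.rules
EOF
    chmod 755 "$hook"
    # The hook only fires on the next ifup/boot, so load the rules now too.
    /sbin/iptables-restore < "$rules"
    # Routing between LAN and WAN needs forwarding on (defaults to 0);
    # put net.ipv4.ip_forward=1 in /etc/sysctl.conf to keep it across boots.
    sysctl -w net.ipv4.ip_forward=1
}

# Print the ruleset by default; "--install" writes, checks and loads it.
if [ "${1:-}" = "--install" ]; then
    install_rules
else
    gen_rules eth0 eth1 "25 80" "22 25 80"
fi
```

Run it without arguments to review the generated file, then `sh firewall.sh --install` as root. Afterwards `iptables-save` should print the same rules back, and a port scan from a host outside the LAN should show only 25 and 80 open. If FTP really is needed, add 21 to the port lists and load the FTP conntrack helper (ip_conntrack_ftp on the 2.6 kernels of that era, nf_conntrack_ftp later); without it the data connections are not RELATED and the INPUT DROP policy will eat them.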
 
  


Tags
firewall, iptables

