Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I've been sitting here for the last few days and can't seem to get the hang of the iptables stuff.
How can I open port 80 to the web server, which is on another box on the LAN? I've tried a zillion things but nothing works. All I've found so far is either old or for a different distro and... well, I am about to give it up. Running a fresh install of Debian with no GUI, btw.
And how come port 22 is open? I thought I closed it.
Code:
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Note: no default policy is set above, so INPUT and FORWARD keep the built-in
# ACCEPT policy. The three rules below live in OUTPUT and FORWARD; none of them
# matches traffic arriving on INPUT, so they do not close port 22 on this box.
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j DROP
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -i eth0 -j DROP
iptables -A FORWARD -p udp -s 192.168.0.0/24 -i eth0 -j DROP
# Allow established connections, and new ones not coming from the outside
# ("! -i eth0" is the current negation syntax; "-i ! eth0" is deprecated)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth0 -o eth0 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
Working with iptables is an art as well as a science. Do you have to do it manually? Firestarter is an easy and fairly secure GUI. Shorewall or some other front-end for iptables is easier and as secure as you want to make it.
True enough, but the OP did state that this is a CLI-only box he is working on, so not really a viable option.
OK, now it's kind of working. Well, that is, the port is open, but clients don't get any pages from the web server.
This is my iptables now:
Code:
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
#iptables -P INPUT DROP
#iptables -P FORWARD DROP
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Drop a known bad source, and block port 31337 on the way out
iptables -A INPUT -s the.bad.guy.ip -j DROP
iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
# Drop incoming SSH on the outside interface (INPUT chain this time)
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP
#iptables -A FORWARD -p tcp -s 192.168.0.0/24 -i eth0 -j DROP
#iptables -A FORWARD -p udp -s 192.168.0.0/24 -i eth0 -j DROP
# Allow established connections, and new ones not coming from the outside
# ("! -i eth0" is the current negation syntax; "-i ! eth0" is deprecated)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Port forward: allow forwarded traffic to the web server, and rewrite port 80
# arriving on eth0 to it (DNAT runs in PREROUTING, before the FORWARD chain).
iptables -A FORWARD -i eth0 -d 192.168.0.120 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-dest 192.168.0.120:80
# Don't forward from the outside back out to the outside.
iptables -A FORWARD -i eth0 -o eth0 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
Now I can connect to the web server from the inside with no problem, but not from the outside. And I can get out from the web server (Lynx) with no problem.
Can anyone see any problems with the table? Think I'm going iptables-blind :P
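The two scripts above share one structural gap (no default DROP policy, and a port 22 rule in the wrong chain) and one goal (DNAT port 80 to the LAN web server). The following is an added example, not the OP's script or anything from the thread: a default-deny rewrite of the same rule set as a function, plus a small audit that flags the two problems the first script had. Interface names eth0 (WAN) and eth1 (LAN) and the server address 192.168.0.120 are taken from the posts; the DRY_RUN switch, the run wrapper and the audit function are this example's own additions.

```shell
#!/bin/sh
# Added example (not the OP's script). Assumed layout from the thread:
# eth0 = DSL/WAN side, eth1 = LAN side, web server at 192.168.0.120.
# DRY_RUN=1 prints the commands instead of running them, so the rule set
# can be reviewed without root or iptables installed.
WAN_IF=${WAN_IF:-eth0}; LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}; WEB_SRV=${WEB_SRV:-192.168.0.120}
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

build_rules() {
    run iptables -F; run iptables -t nat -F; run iptables -t mangle -F; run iptables -X
    # Default-deny on INPUT and FORWARD: this, not an OUTPUT rule, is what keeps
    # port 22 (and every other port) closed until a rule explicitly opens it.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections to the firewall itself only from the LAN ("! -i", not "-i !").
    run iptables -A INPUT -m conntrack --ctstate NEW ! -i "$WAN_IF" -j ACCEPT
    # Anti-spoofing: LAN source addresses never legitimately arrive on the WAN side.
    run iptables -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # LAN clients may go out, masqueraded behind the WAN address.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # Port forward: DNAT runs in PREROUTING, so the FORWARD rule must match the
    # already-rewritten destination (web server, tcp/80) and nothing wider.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SRV:80"
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SRV" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    run sysctl -w net.ipv4.ip_forward=1
}

# Audit a rule script such as the ones posted above. Prints findings, returns 1
# if any: an "-A OUTPUT ... --dport 22" line only blocks SSH *from* the firewall;
# incoming SSH stays open unless INPUT drops it by policy or by an INPUT rule.
audit_rules() {
    rc=0
    if ! grep -q -- '-P INPUT DROP' "$1"; then
        echo "no 'iptables -P INPUT DROP': INPUT accepts by default"; rc=1
    fi
    if grep -- '-A OUTPUT' "$1" | grep -q -- '--dport 22'; then
        echo "port 22 rule is in OUTPUT (outbound); it does not close incoming SSH"; rc=1
    fi
    return $rc
}
case "${1:-}" in
    apply) build_rules ;;          # sh fw.sh apply   (DRY_RUN=1 sh fw.sh apply to preview)
    audit) audit_rules "$2" ;;     # sh fw.sh audit /path/to/rules.sh
esac
```

The FORWARD accept for the web server is deliberately narrowed to tcp/80 from eth0 to eth1; the thread's `-i eth0 -d 192.168.0.120 -j ACCEPT` would forward every protocol and port to that host once the FORWARD policy is DROP.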
It appears that you are trying to build a firewall to protect a home network on a DSL connection. May I suggest the nicely tailored setup HomeLANSecurity, which is easy to figure out & easy to add stuff to for your specific purposes. It just makes a lot of sense to me to use a mature configuration, in which someone has paid a lot of attention to details, and which has had the benefit of many previous users' input. You can still modify it to your specification, in case it doesn't do everything you want (i.e. hacking is encouraged).