Regarding iptables

masatheesh · 03-31-2011, 04:48 AM

Hi,

Can someone please let me know strong iptables rules? Below entries are in iptables file.Here Y.Y.Y.Y is another branch public IP.This server acts as gateway+squid server.Further it will serve company's intranet page also using httpd.OS is CentOS 5.0.

Code:

*nat
:PREROUTING ACCEPT [263:34346]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [12:2316]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9595 -j LOG --log-prefix "TT :"
-A PREROUTING -s Y.Y.Y.Y -i eth0 -p tcp -m tcp --dport 9595 -j DNAT --to-destination 192.168.1.123:9000
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4777 -j LOG --log-prefix "VNC :"
-A PREROUTING -s Y.Y.Y.Y -i eth0 -p tcp -m tcp --dport 4777 -j DNAT --to-destination 192.168.1.16:5900
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [271:35674]
:FORWARD ACCEPT [38:1838]
:OUTPUT ACCEPT [4594:364180]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
#-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
#-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 0/0 -i eth0 -p tcp -m tcp --dport 7522 -j LOG --log-prefix "SSH: "
-A INPUT -s Y.Y.Y.Y -i eth0 -p tcp -m tcp --dport 7522 -j ACCEPT
#-A INPUT -s 0/0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.16/255.255.255.0 -i eth0 -p tcp -j ACCEPT
#To serve intranet page
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 8500 -j ACCEPT
#to provide Squid
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 2372 -j ACCEPT
#To access other local systems using vnc from this server
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -s ! 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 3128 -j DROP
-A INPUT -s ! 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 2372 -j DROP
-A INPUT -s ! 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 111 -j DROP
-A INPUT -s ! 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 605 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 924 -j DROP
COMMIT

Thanks for your time.

WildPossum · 04-03-2011, 09:00 PM

Rather then just plodding down a group of possible tables,
tell us in your own words what your trying to establish.

Then it is easier to work thru.
Cheers.