LinuxQuestions.org
Linux - Security forum
03-31-2011, 04:48 AM   #1
masatheesh
Member; Registered: Aug 2007; Distribution: CentOS 5.0, CentOS 5.5; Posts: 47
Question Regarding iptables


Hi,

Can someone please let me know strong iptables rules? The entries below are in the iptables file. Here Y.Y.Y.Y is another branch's public IP. This server acts as a gateway+squid server. Further, it will also serve the company's intranet page using httpd. OS is CentOS 5.0.

Code:
*nat
:PREROUTING ACCEPT [263:34346]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [12:2316]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9595 -j LOG --log-prefix "TT :"
-A PREROUTING -s Y.Y.Y.Y -i eth0 -p tcp -m tcp --dport 9595 -j DNAT --to-destination 192.168.1.123:9000
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4777 -j LOG --log-prefix "VNC :"
-A PREROUTING -s Y.Y.Y.Y -i eth0 -p tcp -m tcp --dport 4777 -j DNAT --to-destination 192.168.1.16:5900
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [271:35674]
:FORWARD ACCEPT [38:1838]
:OUTPUT ACCEPT [4594:364180]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
#-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
#-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 0/0 -i eth0 -p tcp -m tcp --dport 7522 -j LOG --log-prefix "SSH: "
-A INPUT -s Y.Y.Y.Y -i eth0 -p tcp -m tcp --dport 7522 -j ACCEPT
#-A INPUT -s 0/0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.16/255.255.255.0 -i eth0 -p tcp -j ACCEPT
#To serve intranet page
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 8500 -j ACCEPT
#to provide Squid
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 2372 -j ACCEPT
#To access other local systems using vnc from this server
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -s ! 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 3128 -j DROP
-A INPUT -s ! 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 2372 -j DROP
-A INPUT -s ! 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 111 -j DROP
-A INPUT -s ! 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 605 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 924 -j DROP
COMMIT

Thanks for your time.
 
04-03-2011, 09:00 PM   #2
WildPossum
Member; Registered: Feb 2004; Location: Sydney - Australia; Distribution: OpenSUSE, Ubuntu, Mythbuntu, iMedia, Embedded Linux; Posts: 44
Rather than just plodding down a group of possible tables,
tell us in your own words what you're trying to establish.

Then it is easier to work through.
Cheers.