LinuxQuestions.org, Linux - Software forum (this forum is for Software issues).
The general idea is to first write a rule that rejects everything, and then ABOVE that (in a script) put lines that selectively allow what you want...
eg: in this example, I defined some variables at the start of the file, so I could use them and save typing later in the file... if you want to see the actual iptables commands then just substitute the variables (the ones starting with $) for the definitions at the start of the file...
# DEFINE VARIABLES
ip="/sbin/iptables -v" # calls the iptables program
new="-m state --state NEW" # new incoming connection (syn) attempts
est="-m state --state ESTABLISHED,RELATED" # packets that are connected to an established connection (eg replies from web pages)
udp="-p udp"
tcp="-p tcp"
icmp="-p icmp"
tdport="-p tcp --dport"
udport="-p udp --dport"
dnat="-j DNAT --to-destination"
inet=`ifconfig | grep -A1 eth0 | grep -v eth0 | awk '{ print $2 }' | awk -F: '{ print $2 }'` # this grabs my current ip address for my external interface - useful if you use DHCP.
network="192.168.0.0/24"
accept="-j ACCEPT"
reject="-j REJECT --reject-with icmp-host-unreachable"
input="$ip -t filter -A INPUT"
forward="$ip -t filter -A FORWARD"
postroute="$ip -t nat -A POSTROUTING"
preroute="$ip -t nat -A PREROUTING"
from_loop="-i lo"
from_lan="-i eth1 -s 192.168.0.0/255.255.255.0"
from_internet="-i eth0"
As you can see, all the variables are very messy - I haven't got around to cleaning it up - but this is a cut-down version of my rules anyway, and it would be an excellent starting point, I think. It basically locks out everything except things that are replies to your own outgoing requests... It does a little bit of port forwarding, and also opens some holes in the firewall. Generally try to restrict these holes to trusted networks. eg if you want to SSH from your girlfriend's place or work but pretty much nowhere else, then just allow those IP addresses (or in the case of a dialup connection, allow the subnet that the ISP allocates their IPs from)...
# These lines are so that you don't lock yourself out of your own network/net connection. leave them in.
/sbin/iptables -v -t filter -A INPUT -i lo -j ACCEPT
/sbin/iptables -v -t filter -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
/sbin/iptables -v -t filter -A FORWARD -i eth1 -s 192.168.0.0/24 -j ACCEPT
/sbin/iptables -v -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source $inet
# The next line is for port forwarding. if you need it then change the ports and ip address to suit your system.
# /sbin/iptables -v -t nat -A PREROUTING -i eth0 -p tcp --dport 8888 -j DNAT --to-destination 192.168.0.5:80
# The next two lines are for allowing incoming FTP and SSH respectively, uncomment if you need it.
# /sbin/iptables -v -t filter -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
# /sbin/iptables -v -t filter -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# This line allows incoming ping requests.
/sbin/iptables -v -t filter -A INPUT -i eth0 $icmp -j ACCEPT
# These lines are probably the most important for security - don't change them.
/sbin/iptables -v -t filter -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -v -t filter -A INPUT -i eth0 -m state --state NEW -j REJECT --reject-with icmp-host-unreachable
So... basically, if you are set up so that your internet connection is via eth0 (ie your first network card - eg if you have cable or ADSL) and your internal network is on eth1, then this file should work flawlessly with no changes (assuming you are using the 192.168.0.0 subnet - if not then you can change it to what you use).
If you are using a modem then it will need various changes...
As it is, if your config matches (ie eth0 = internet, eth1 = LAN, subnet = 192.168.0.0) then you can just copy that into a file, make it executable (chmod +x iptables.rules) and execute it (./iptables.rules).
You can check the rules afterwards by doing "iptables -L".
Of course you need iptables compiled into the kernel, including the other rulesets (mangle, etc).
Hope this is helpful.
(oh and of course you can execute any one of those lines by hand just by typing it in at the console as root).
This will take you through loads of questions, with helpful suggestions and answers. As well as configuring lots of other security features it sets up your iptables.
I just have one server.
The server provides HTTP and FTP services, and I use SSH to manage the server remotely.
HTTP uses ports 80 and 8080.
FTP uses ports 20, 21 and 2120~2124.
All other services will be denied.
I have the following script, but it seems to have some problem:
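The reject-by-default layout from the first reply, applied to the single server described in this question, as an added example: it is neither the questioner's script (which is absent from the page) nor the first poster's rules. Everything it assumes beyond the thread is marked: the internet-facing interface is eth0, SSH management comes from one administrative network (203.0.113.0/24 is a placeholder to replace), the FTP daemon is configured to use 2120-2124 as its passive data range, and the kernel has the state match. Unless called with `apply`, the script only prints the commands, so the rule order can be checked before anything runs as root.

```sh
#!/bin/sh
# Added example (not from the thread): host firewall for a single server that
# offers HTTP (80, 8080), FTP (21 plus passive data ports 2120-2124) and SSH,
# using the layout from the first reply: allow-rules first, reject-new last.
# Assumed, not stated in the thread: internet-facing interface eth0, one
# administrative network for SSH (203.0.113.0/24 is a placeholder), the FTP
# daemon configured to use 2120-2124 as its passive range, state match available.

IPT="${IPT:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"  # placeholder: the network you manage from

# Print one iptables command per line without executing anything, so the
# rule order can be reviewed (or diffed against the running rules) first.
build_rules() {
    cat <<EOF
# Open the policy while flushing so an SSH session running this script survives.
$IPT -t filter -P INPUT ACCEPT
$IPT -t filter -F INPUT
# Loopback and replies to the server's own outgoing connections.
$IPT -t filter -A INPUT -i lo -j ACCEPT
$IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A INPUT -m state --state INVALID -j DROP
# Holes, restricted where possible: SSH only from the admin network.
$IPT -t filter -A INPUT -i $WAN_IF -s $ADMIN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -i $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -i $WAN_IF -p tcp --dport 8080 -m state --state NEW -j ACCEPT
# FTP control channel and the passive data range. Port 20 is the source port of
# active-mode data connections the server opens itself; those replies are
# already covered by the ESTABLISHED rule, so no INPUT rule is needed for it.
$IPT -t filter -A INPUT -i $WAN_IF -p tcp --dport 21 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -i $WAN_IF -p tcp --dport 2120:2124 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j ACCEPT
# Everything else: reject new connections explicitly, then close the policy
# so anything the rules above did not classify is dropped as well.
$IPT -t filter -A INPUT -m state --state NEW -j REJECT --reject-with icmp-host-unreachable
$IPT -t filter -P INPUT DROP
EOF
}

# Run the generated commands as root, stopping at the first one that fails.
apply_rules() {
    build_rules | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    build_rules
fi
```

Run it without arguments to read the generated commands; `sh firewall.sh apply` installs them. Afterwards `iptables -L INPUT -n -v --line-numbers` shows the chain in order with packet counters, which is the quickest way to confirm that the REJECT rule really is last and that the allow rules above it are the ones seeing traffic.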