LinuxQuestions.org
Old 03-29-2004, 09:29 PM   #1
itebooks
LQ Newbie
 
Registered: Feb 2004
Posts: 9

Rep: Reputation: 0
Iptable and ipchains question


I am a newbie to Linux.
I have a Linux 9.0 server, and I want to set up a firewall. But I don't know how to set it up.

I don't know which is better, iptables or ipchains. And if I set up the firewall, can hosts.allow and hosts.deny still work?

Looking for answers. Thanks!
 
Old 03-29-2004, 10:11 PM   #2
Lleb_KCir
Senior Member
 
Registered: Nov 2003
Location: Orlando FL
Distribution: Debian
Posts: 1,765

Rep: Reputation: 45
iptables is the newer and, from what I've read, the more secure and flexible of the two.

as for hosts.allow/deny, from what people here have stated they are only for LAN access to your system and not WAN.
 
Old 03-29-2004, 11:07 PM   #3
itebooks
LQ Newbie
 
Registered: Feb 2004
Posts: 9

Original Poster
Rep: Reputation: 0
Can anyone give me a configuration example for iptables?
Thanks in advance!
 
Old 03-30-2004, 05:25 PM   #4
eccles23
Member
 
Registered: Jun 2003
Location: Australia
Distribution: Gentoo/kernel 2.6.2
Posts: 45

Rep: Reputation: 15
yeah use iptables.

the general idea is to first write a rule that rejects everything, and then ABOVE that (in a script) put lines that selectively allow what you want...

eg: in this example, I defined some variables at the start of the file, so I could use them and save typing later in the file. If you want to see the actual iptables commands then just substitute the variables (the ones starting with $) with the definitions at the start of the file...

Quote:

#!/bin/bash

# DEFINE VARIABLES
ip="/sbin/iptables -v" # calls the iptables program
new="-m state --state NEW" # new incoming connection (syn) attempts
est="-m state --state ESTABLISHED,RELATED" # packets that belong to an established connection (eg replies from web pages)
udp="-p udp"
tcp="-p tcp"
icmp="-p icmp"
tdport="-p tcp --dport"
udport="-p udp --dport"
dnat="-j DNAT --to-destination"
inet=`ifconfig | grep -A1 eth0 | grep -v eth0 | awk '{ print $2 }' | awk -F: '{ print $2 }'` # this grabs my current ip address for my external interface - useful if you use DHCP.
eccles="192.168.0.5" # internal host that port 8888 is forwarded to (this definition was missing from the post; the address is an assumption)
network="192.168.0.0/24"
accept="-j ACCEPT"
reject="-j REJECT --reject-with icmp-host-unreachable"
input="$ip -t filter -A INPUT"
forward="$ip -t filter -A FORWARD"
postroute="$ip -t nat -A POSTROUTING"
preroute="$ip -t nat -A PREROUTING"
from_loop="-i lo"
from_lan="-i eth1 -s 192.168.0.0/255.255.255.0"
from_internet="-i eth0"


# FLUSH TABLES

$ip -t nat -F
$ip -t filter -F
$ip -t nat -X
$ip -t filter -X
$ip -t nat -Z
$ip -t filter -Z

# RULES

$input $from_loop $accept # accept loopback traffic
$input $from_lan $accept # accept incoming LAN traffic
$forward $from_lan $accept # accept LAN->net traffic
$postroute -s $network -j SNAT --to-source $inet # ip masquerading for LAN

$preroute $from_internet $tdport 8888 $dnat $eccles:80 # example of port forwarding (IT MUST GO HERE)

$input $from_internet $tdport 21 $accept # accept incoming FTP
$input $from_internet $tdport 22 $accept # accept incoming SSH

$input $from_internet $icmp $accept # accept ping packets
$input $from_internet $est $accept # accept replies to established connections
$input $from_internet $new $reject # reject everything else
as you can see all the variables are very messy - I haven't got around to cleaning it up - but this is a cut down version of my rules anyway, and it would be an excellent starting point I think. It basically locks out everything except things that are replies to your own outgoing requests. It does a little bit of port forwarding, and also opens some holes in the firewall. Generally try to restrict these holes to trusted networks, e.g. if you want to SSH from your girlfriend's place or work but pretty much nowhere else, then just allow those IP addresses (or in the case of a dialup connection, allow the subnet that the ISP allocates their IPs from)...

hope this helps
 
Old 03-30-2004, 05:31 PM   #5
AutOPSY
Member
 
Registered: Mar 2004
Location: US
Distribution: Redhat 9 - Linux 2.6.3
Posts: 836

Rep: Reputation: 31
the host access control files are the TCP wrapper configuration for tcpd; hosts.allow and hosts.deny apply to any computer with matching IP/hostname entries.
 
Old 03-30-2004, 05:42 PM   #6
eccles23
Member
 
Registered: Jun 2003
Location: Australia
Distribution: Gentoo/kernel 2.6.2
Posts: 45

Rep: Reputation: 15
if that was too confusing, then here is a version I just wrote for you that has all the variables already substituted:

Quote:

#!/bin/bash

inet=`ifconfig | grep -A1 eth0 | grep -v eth0 | awk '{ print $2 }' | awk -F: '{ print $2 }'`

## FLUSH TABLES
/sbin/iptables -v -t nat -F
/sbin/iptables -v -t filter -F
/sbin/iptables -v -t nat -X
/sbin/iptables -v -t filter -X
/sbin/iptables -v -t nat -Z
/sbin/iptables -v -t filter -Z

## RULES

# These lines are so that you don't lock yourself out of your own network/net connection. leave them in.
/sbin/iptables -v -t filter -A INPUT -i lo -j ACCEPT
/sbin/iptables -v -t filter -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
/sbin/iptables -v -t filter -A FORWARD -i eth1 -s 192.168.0.0/24 -j ACCEPT
/sbin/iptables -v -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source $inet


# The next line is for port forwarding. if you need it then change the ports and ip address to suit your system.
# /sbin/iptables -v -t nat -A PREROUTING -i eth0 -p tcp --dport 8888 -j DNAT --to-destination 192.168.0.5:80


# The next two lines are for allowing incoming FTP and SSH respectively, uncomment if you need it.
# /sbin/iptables -v -t filter -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
# /sbin/iptables -v -t filter -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT


# This line allows incoming ping requests. ("-p icmp" was left as the unsubstituted $icmp variable in the post)
/sbin/iptables -v -t filter -A INPUT -i eth0 -p icmp -j ACCEPT


# These lines are probably the most important for security - don't change them.
/sbin/iptables -v -t filter -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -v -t filter -A INPUT -i eth0 -m state --state NEW -j REJECT --reject-with icmp-host-unreachable

so... basically, if you are set up so that your internet connection is via eth0 (i.e. your first network card, e.g. if you have cable or ADSL) and your internal network is on eth1, then this file should work flawlessly with no changes (assuming you are using the 192.168.0.0 subnet; if not then you can change it to what you use).

if you are using a modem then it will need various changes...

as it is, if your config matches (i.e. eth0 = internet, eth1 = LAN, subnet = 192.168.0.0) then you can just copy that into a file, make it executable (chmod +x iptables.rules) and execute it (./iptables.rules).

you can check the rules afterwards by doing "iptables -L".
of course you need iptables compiled into the kernel, including the other rulesets (mangle, etc).

Hope this is helpful.

(oh and of course you can execute any one of those lines by hand just by typing it in at the console as root).
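Added example (not eccles23's code and not from anyone in this thread) for the same gateway layout: eth0 = internet, eth1 = LAN on 192.168.0.0/24. Two things the script above leaves to the defaults are worth tightening. First, it flushes the chains and then appends rules one at a time while the policy is still ACCEPT, so for a moment the box is wide open; an iptables-restore file is parsed first and each table is swapped in at its COMMIT line. Second, FORWARD has no return-path rule and relies on the default ACCEPT policy, so if you ever set that policy to DROP the LAN silently loses its replies. The function names (parse_iface_ip, iface_ip, gateway_rules, rule_index, apply_gateway) and the 203.0.113.7 sample address are mine; the address lookup uses the `ip` command instead of the ifconfig/grep chain.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: eth0 = internet,
# eth1 = LAN, LAN subnet 192.168.0.0/24, kernel with the state match.

# Pull the IPv4 address out of `ip -4 -o addr show dev <iface>` output read
# from stdin: field 3 is "inet", field 4 is "addr/prefix". Kept separate
# from the `ip` call so it can be checked on a constructed line offline.
parse_iface_ip() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

iface_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null | parse_iface_ip
}

# Whole ruleset in iptables-save syntax. iptables-restore parses the file
# and commits each table at its COMMIT line, so unlike a series of
# "iptables -F; iptables -A ..." calls there is no moment when the chains
# are empty with an ACCEPT policy.
gateway_rules() {
    wan_ip=$1
    lan_net=${2:-192.168.0.0/24}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade the LAN behind the address found on eth0
-A POSTROUTING -o eth0 -s $lan_net -j SNAT --to-source $wan_ip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# replies to our own connections first, then garbage, then new traffic
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i eth1 -s $lan_net -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT
# uncomment to allow SSH from the internet
#-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
# FORWARD policy is DROP, so the LAN's replies need an explicit rule
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s $lan_net -j ACCEPT
COMMIT
EOF
}

# 1-based position of the first rule containing PATTERN in CHAIN, read
# from a ruleset on stdin; prints nothing if no rule matches.
rule_index() {
    awk -v chain="$1" -v pat="$2" \
        '$1 == "-A" && $2 == chain { n++; if (index($0, pat)) { print n; exit } }'
}

# Refuse to load anything if eth0 has no address: an empty --to-source
# would only make iptables-restore reject the file, and the error message
# should say why.
apply_gateway() {
    wan_ip=$(iface_ip eth0)
    if [ -z "$wan_ip" ]; then
        echo "eth0 has no IPv4 address, not loading rules" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    gateway_rules "$wan_ip" > "$tmp"
    # --test parses without committing (on iptables versions that have it); then load for real
    iptables-restore --test "$tmp" && iptables-restore "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# run as root: ./gateway.sh apply   (without "apply" it only prints the ruleset)
if [ "${1:-}" = "apply" ]; then
    apply_gateway
else
    gateway_rules "${WAN_IP:-203.0.113.7}"
fi
```

Running it without arguments prints the ruleset so you can read it before loading; `iptables-save` afterwards shows exactly the same format, which makes before/after diffs easy.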
 
Old 03-30-2004, 05:48 PM   #7
MunterMan
Member
 
Registered: Nov 2003
Location: The North of England
Distribution: Suse 10.3
Posts: 172

Rep: Reputation: 30
Open a terminal and type in
InteractiveBastille

This will take you through loads of questions, with helpful suggestions and answers. As well as configuring lots of other security features it sets up your iptables.

www.bastille-linux.org
 
Old 04-06-2004, 07:40 AM   #8
itebooks
LQ Newbie
 
Registered: Feb 2004
Posts: 9

Original Poster
Rep: Reputation: 0
Special thanks to eccles23.

But there are still some problems.

I just have one server.
The server provides HTTP and FTP services, and I use SSH to manage the server remotely.
HTTP uses ports 80 and 8080.
FTP uses ports 20, 21 and 2120~2124.

All other services will be denied.


I have the following script, but it seems to have some problems:

#!/bin/sh

Server_Ip="123.12.12.4"

# export, import
#iptables-save > iptables-script
#iptables-restore iptables-script

# add kernel modules
#/sbin/modprobe ip_conntrack
#/sbin/modprobe iptable_nat

# allow ip forward
#echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat

# allow loopback address (first, so nothing below can drop local traffic)
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# accept replies to connections the server itself started (DNS lookups, active-mode FTP data, ...);
# without this the INPUT DROP policy at the end discards them
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# don't allow ping
iptables -A INPUT -p icmp -j DROP

# web config
# (the "-f" flag in the original matched only second and later IP fragments, so the
#  ACCEPT rules never matched a normal packet; the specific DROP must also come before
#  the general ACCEPT, because iptables stops at the first matching rule)
iptables -A INPUT -s 61.0.0.0/8 -d $Server_Ip -p tcp --dport 80 -j DROP
iptables -A INPUT -d $Server_Ip -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -d $Server_Ip -p tcp --dport 8080 -j ACCEPT

# ssh config, just allow 123.111.* and 210.* to connect to the server
# (--dport needs -p tcp, otherwise iptables rejects the rule)
iptables -A INPUT -s 123.111.0.0/16 -d $Server_Ip -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 210.0.0.0/8 -d $Server_Ip -p tcp --dport 22 -j ACCEPT

# ftp config
iptables -A INPUT -d $Server_Ip -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -d $Server_Ip -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -d $Server_Ip -p tcp --dport 2020 -j ACCEPT
iptables -A INPUT -d $Server_Ip -p tcp --dport 2021 -j ACCEPT
iptables -A INPUT -d $Server_Ip -p tcp --dport 2022 -j ACCEPT
iptables -A INPUT -d $Server_Ip -p tcp --dport 2023 -j ACCEPT
iptables -A INPUT -d $Server_Ip -p tcp --dport 2024 -j ACCEPT

# specifically disable some ports
# (INPUT has no output interface, so "-o eth1" is an error here; "-i" is the incoming interface)
iptables -A INPUT -i eth1 -p tcp --dport 3306 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 8005 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 8009 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 783 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 631 -j DROP
iptables -A INPUT -i eth1 -p udp --dport 689 -j DROP
iptables -A INPUT -i eth1 -p udp --dport 631 -j DROP

# drop all
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP


Last edited by itebooks; 04-06-2004 at 07:46 AM.
 
Old 04-06-2004, 07:54 AM   #9
itebooks
LQ Newbie
 
Registered: Feb 2004
Posts: 9

Original Poster
Rep: Reputation: 0
If I want to deny 123.4.1.1 and allow all other connections,
which configuration should be used?
1.

iptables -A INPUT -d $Server_Ip -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 123.4.1.1/32 -d $Server_Ip -p tcp --dport 80 -j DROP

or:
2.

iptables -A INPUT -s 123.4.1.1/32 -d $Server_Ip -p tcp --dport 80 -j DROP
iptables -A INPUT -d $Server_Ip -p tcp --dport 80 -j ACCEPT


Only explicitly allowed connections will be processed, so where should the deny rule go? At the beginning of the chain, or at the end of the chain?
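Added example, not part of this thread and not written by anyone in it. The answer to the ordering question is that iptables walks a chain top to bottom and acts on the first rule whose match criteria fit the packet, so option 2 is the one that works: in option 1 the broad ACCEPT for port 80 catches every packet, including the ones from 123.4.1.1, and the DROP underneath it never fires. The same mistake is in the script two posts up (the 61.0.0.0/8 DROP after the port 80 ACCEPT). The checker below reads rules in iptables-save syntax and flags any rule that an earlier rule on the same chain already catches; it only understands -s, -p and --dport, which is all these rules use, and ignores -d because every rule here has the same destination. The function names (find_shadowed, count_shadowed) and the two rule strings are mine; the rule strings are the two options from the question with the -f flag left out (it matches only second and later IP fragments, so rules carrying it never see a normal packet).

```shell
#!/bin/sh
# Added example, not code from the thread. Reports rules that can never match
# because an earlier rule in the same chain (same -p and --dport, and either
# no -s at all or the identical -s) always wins. Assumption: rules use only
# -s, -p, --dport and -j as match criteria, as the rules in this thread do.
find_shadowed() {
    awk '
    $1 != "-A" { next }
    {
        chain = $2; src = "0.0.0.0/0"; proto = ""; dport = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-s") src = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
        }
        key = chain SUBSEP proto SUBSEP dport   # what an earlier rule must share
        key_src = key SUBSEP src
        # an earlier unrestricted rule, or one with the same -s, takes the packet first
        if ((key in seen_any) || (key_src in seen_src))
            print "shadowed (never matches): " $0
        if (src == "0.0.0.0/0") seen_any[key] = 1
        seen_src[key_src] = 1
    }'
}

# Number of shadowed rules in a ruleset passed as one string.
count_shadowed() {
    printf '%s\n' "$1" | find_shadowed | grep -c '^shadowed'
}

# The two orderings from the question, constructed as iptables-save lines.
SERVER_IP="123.12.12.4"
RULES_DROP_LAST="-A INPUT -d $SERVER_IP -p tcp --dport 80 -j ACCEPT
-A INPUT -s 123.4.1.1/32 -d $SERVER_IP -p tcp --dport 80 -j DROP"
RULES_DROP_FIRST="-A INPUT -s 123.4.1.1/32 -d $SERVER_IP -p tcp --dport 80 -j DROP
-A INPUT -d $SERVER_IP -p tcp --dport 80 -j ACCEPT"

echo "option 1 (DROP after ACCEPT):  $(count_shadowed "$RULES_DROP_LAST") shadowed rule(s)"
echo "option 2 (DROP before ACCEPT): $(count_shadowed "$RULES_DROP_FIRST") shadowed rule(s)"
# On a live box (as root) the same check runs over the real tables:
#   iptables-save | find_shadowed
```

Option 1 reports the DROP line as shadowed; option 2 reports nothing. Because the policy in that script is DROP, the general rule of thumb is: specific denies first, then the allows, and let the policy catch the rest.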
 
Old 04-07-2004, 12:26 AM   #10
itebooks
LQ Newbie
 
Registered: Feb 2004
Posts: 9

Original Poster
Rep: Reputation: 0

Can anyone help me, please!
Thanks in advance.
 
  

