Iptable and ipchains question

itebooks · 03-29-2004, 09:29 PM

I am newbie to linux.
I have a linux 9.0 server, and I want to setup firewall. But I don't know how to set it.

I don't know which is better between Iptable and ipchains. And if I set up the firewall, hosts.allow and hosts.deny can still work?

Look for answers. Thanks!

Lleb_KCir · 03-29-2004, 10:11 PM

iptables is the newer and from what ive read more secure and flexible vs of the two.

as for hosts.allow/deny from what ppl here have stated they are only for LAN access to your system and not WAN.

itebooks · 03-29-2004, 11:07 PM

Can anyone give me a configuration example of the iptables?
Thanks in advance!

eccles23 · 03-30-2004, 05:25 PM

yeah use iptables.

the general idea is to first write a rule that rejects everything, and then ABOVE that (in a script) put lines that selectively allow what you want...

eg: (in this example, I defined some variables at the start of the file, so I could use them and save typing later in the file... if you want to see the actual iptables commands then just substitute the variables (the ones starting with $) for the definitions at the start of the file...

Quote:

# DEFINE VARIABLES
ip="/sbin/iptables -v" # calls the iptables program
new="-m state --state NEW" # new incoming connection (syn) attempts
est="-m state --state ESTABLISHED,RELATED" # packets that are connected to an established connection (eg replies from web pages)
udp="-p udp"
tcp="-p tcp"
icmp="-p icmp"
tdport="-p tcp --dport"
udport="-p udp --dport"
dnat="-j DNAT --to-destination"
inet=`ifconfig | grep -A1 eth0 | grep -v eth0 | awk '{ print $2 }' | awk -F: '{ print $2 }'` # this grabs my current ip address for my external interface - useful if you use DHCP.
network="192.168.0.0/24"
accept="-j ACCEPT"
reject="-j REJECT --reject-with icmp-host-unreachable"
input="$ip -t filter -A INPUT"
forward="$ip -t filter -A FORWARD"
postroute="$ip -t nat -A POSTROUTING"
preroute="$ip -t nat -A PREROUTING"
from_loop="-i lo"
from_lan="-i eth1 -s 192.168.0.0/255.255.255.0"
from_internet="-i eth0"

# FLUSH TABLES

$ip -t nat -F
$ip -t filter -F
$ip -t nat -X
$ip -t filter -X
$ip -t nat -Z
$ip -t filter -Z

# RULES

$input $from_loop $accept # accept loopback traffic
$input $from_lan $accept # accept incoming LAN traffic
$forward $from_lan $accept # accept LAN->net traffic
$postroute -s $network -j SNAT --to-source $inet # ip masquerading for LAN

$preroute $from_internet $tdport 8888 $dnat $eccles:80 #example of port forwarding (IT MUST GO HERE)

$input $from_internet $tdport 21 $accept # accept incoming FTP
$input $from_internet $tdport 22 $accept # accept incoming SSH

$input $from_internet $icmp $accept # accept ping packets
$input $from_internet $est $accept # accept replies to established connections
$input $from_internet $new $reject # reject everything else

as you can see all the variables are very messy - I haven't got around to cleaning it up - but this is a cut down version of my rules anyway - but it would be an excellent starting point I think. it basically locks out everything except things that are replies to your own outgoing requests... It does a little bit of port forwarding, and also opens some holes in the firewall. generally try to restrict these holes to trusted networks. eg if you want to SSH from your girlfriends place or work but pretty much nowhere else, then just allow those IP addresses (or in the case of a dialup connection, allow the subnet that the ISP allocates their IPs from)...

hope this helps

AutOPSY · 03-30-2004, 05:31 PM

the host access control files are a tcp-wrapper for tcpd, hosts.allow and hosts.deny are for any computer with matching IP/hostname entries.

eccles23 · 03-30-2004, 05:42 PM

if that was too confusing, then here is a version I just wrote for you that has all the variables already substituted:

Quote:

#!/bin/bash

inet=`ifconfig | grep -A1 eth0 | grep -v eth0 | awk '{ print $2 }' | awk -F: '{ print $2 }'`

## FLUSH TABLES
/sbin/iptables -v -t nat -F
/sbin/iptables -v -t filter -F
/sbin/iptables -v -t nat -X
/sbin/iptables -v -t filter -X
/sbin/iptables -v -t nat -Z
/sbin/iptables -v -t filter -Z

## RULES

# These lines are so that you don't lock yourself out of your own network/net connection. leave them in.
/sbin/iptables -v -t filter -A INPUT -i lo -j ACCEPT
/sbin/iptables -v -t filter -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
/sbin/iptables -v -t filter -A FORWARD -i eth1 -s 192.168.0.0/24 -j ACCEPT
/sbin/iptables -v -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source $inet

# The next line is for port forwarding. if you need it then change the ports and ip address to suit your system.
# /sbin/iptables -v -t nat -A PREROUTING -i eth0 -p tcp --dport 8888 -j DNAT --to-destination 192.168.0.5:80

# The next two lines are for allowing incoming FTP and SSH respectively, uncomment if you need it.
# /sbin/iptables -v -t filter -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
# /sbin/iptables -v -t filter -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# This line allows incoming ping requests.
/sbin/iptables -v -t filter -A INPUT -i eth0 $icmp -j ACCEPT

# These lines are probably the most important for security - don't change them.
/sbin/iptables -v -t filter -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -v -t filter -A INPUT -i eth0 -m state --state NEW -j REJECT --reject-with icmp-host-unreachable

so... basically, if you are set up so that your internet connection is via eth0 (ie your first network card - eg if you have cable or ADSL) and your internal network is on eth1, then this file should work flawlessly with no changes (assuming you are using the 192.168.0.0 subnet - if not then you can change it to what you use).

if you are using a modem then it will need various changes...

as it is if your config matches (ie eth0 = internet, eth1 = LAN, subnet = 192.168.0.0) then you can just copy that into a file, make it executable (chmod +x iptables.rules) and execute it (./iptables.rules).

you can check the rules afterwards by doing "iptables -L".
of course you need iptables compiled into the kernel, including the other rulesets (mangle, etc).

Hope this is helpful.

(oh and of course you can execute any one of those lines by hand just by typing it in at the console as root).

MunterMan · 03-30-2004, 05:48 PM

Open a terminal and type in
InteractiveBastille

This will take you through loads of questions, with helpful suggestions and answers. As well as configuring lots of other security features it sets up your iptables.

www.bastille-linux.org

itebooks · 04-06-2004, 07:40 AM

Special thanks to eccles23.

But there still some problem.

I just have one server.
The server provide HTTP and ftp service. And I use ssh to manage the server remotely.
the http use 80 and 8080 port.
the ftp use 20,21,2120~2124 port.

All other services will be denied.

I the the following script, but it may seens to have some problem:

#!/bin/sh

Server_Ip="123.12.12.4"

# export ,import
#iptables-save > iptables-script
#iptables-restore iptables-script

#add core model
#/sbin/modprobe ip_conntrack
#/sbin/modprobe iptable_nat

#allow ip forward
#echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat

# don't allow ping
iptables -A INPUT -p icmp -j DROP

# web config
iptables -A INPUT -f -d $Server_Ip -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -f -s 61.0.0.0/8 -d $Server_Ip -p tcp --dport 80 -j DROP
iptables -A INPUT -f -d $Server_Ip -p tcp --dport 8080 -j ACCEPT

# ssh config,just allow 123.111.* and 210.* to connect the server.
iptables -A INPUT -f -s 123.111.0.0/16 -d $Server_Ip --dport 22 -j ACCEPT
iptables -A INPUT -f -s 210.0.0.0/8 -d $Server_Ip --dport 22 -j ACCEPT

# ftp config
iptables -A INPUT -f -d $Server_Ip -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -f -d $Server_Ip -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -f -d $Server_Ip -p tcp --dport 2020 -j ACCEPT
iptables -A INPUT -f -d $Server_Ip -p tcp --dport 2021 -j ACCEPT
iptables -A INPUT -f -d $Server_Ip -p tcp --dport 2022 -j ACCEPT
iptables -A INPUT -f -d $Server_Ip -p tcp --dport 2023 -j ACCEPT
iptables -A INPUT -f -d $Server_Ip -p tcp --dport 2024 -j ACCEPT

#allow loopback address
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

#special disable some port
iptables -A INPUT -o eth1 -p tcp --dport 3306 -j DROP
iptables -A INPUT -o eth1 -p tcp --dport 8005 -j DROP
iptables -A INPUT -o eth1 -p tcp --dport 8009 -j DROP
iptables -A INPUT -o eth1 -p tcp --dport 783 -j DROP
iptables -A INPUT -o eth1 -p tcp --dport 631 -j DROP
iptables -A INPUT -o eth1 -p udp --dport 689 -j DROP
iptables -A INPUT -o eth1 -p udp --dport 631 -j DROP

# drop all
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

itebooks · 04-06-2004, 07:54 AM

If I want to deny 123.4.1.1 and allow all other connecton,
Which confiure to be used?
1.

iptables -A INPUT -f -d $Server_Ip -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -f -s 123.4.1.1/32 -d $Server_Ip -p tcp --dport 80 -j DROP

or:
2.

iptables -A INPUT -f -s 123.4.1.1/32 -d $Server_Ip -p tcp --dport 80 -j DROP
iptables -A INPUT -f -d $Server_Ip -p tcp --dport 80 -j ACCEPT

Only obvious allowed connection will be processed,so where to put the deny config. At the begining of the chain,or at the end of the chain?

itebooks · 04-07-2004, 12:26 AM

AnyOne can help me,Please!
Thanks in advance.