LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Some iptables settings for testing needed (https://www.linuxquestions.org/questions/linux-networking-3/some-iptables-settings-for-testing-needed-638869/)

khandu 04-30-2008 07:11 AM

Some iptables settings for testing needed
 
Hi

I am using Fedora Core 8 on VMware with Vista. My Windows and Linux can ping each other, and I am also connected to another VMware via crossover cable. We can all ping each other, no problems in that.

Now on Linux I am supposed to test some iptables commands. I am mentioning the ones below which I couldn't do and need help with.

1) reject all traffic coming to all UDP ports (see if you can block all of them, if you cannot then try to block some UDP ports).

2) allow traffic coming to port 80 but reject traffic coming out through port 80.

3) block all email coming in and out of your network. Internal email is allowed.

What command to use for it, and how do I test blocked UDP ports?

My other problem is testing. For internal network testing what we have done is put crossover cables in the same subnet, 192.168.1.1 etc., and we can all ping each other and we are on the same subnet. Now we are supposed to check some access from an external network (like question 3). If we change the subnet of one computer to 10.0.0.0 or something, we cannot ping each other anyway, so we cannot test any packets coming in or out. So via crossover cable is it possible to test both the external network and the internal network?

Thanks a lot

win32sux 04-30-2008 10:37 AM

Quote:

Originally Posted by khandu (Post 3137645)
1) reject all traffic coming to all UDP ports (see if you can block all of them, if you cannot then try to block some UDP ports).

I assume you only want to block incoming UDP streams which aren't related to outgoing ones. Because if you filter all incoming UDP packets then you won't, for example, be able to receive results for your DNS queries. So:
Code:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p UDP -j DROP

Quote:

2) allow traffic coming to port 80 but reject traffic coming out through port 80.
If by "coming out" you mean from the box itself:
Code:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT

iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p TCP --dport 80 -m state --state NEW -j REJECT

If by "coming out" you mean from the network:
Code:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE \
--dport 80 -m state --state NEW -j REJECT


Quote:

3) block all email coming in and out of your network. Internal email is allowed.
Code:

iptables -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE \
-m multiport --dports 25,110 -m state --state NEW -j REJECT

Keep in mind that these are simply direct answers to the questions. I don't suggest you actually go about doing this like this in real life. You really should take the opposite approach instead. In other words, filter everything then make ACCEPT rules for the stuff you want to allow.

Quote:

What command to use for it and how do I test blocked UDP ports??
Start by reading about using Nmap with UDP.

Quote:

via crossover cable is it possible to test external network and internal network both?
Yes.

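The rules above are direct answers to the three questions. The post also says the right way round is a default-deny ruleset with explicit ACCEPTs. The script below is an added example (not win32sux's code and not from the thread) that generates such a ruleset in iptables-restore format for the same three requirements, plus a LOG-then-DROP pair for UDP so that dropped probes show up in the kernel log when you test. The interface names eth0/eth1 and the SSH/DNS/ICMP allowances are assumptions for a lab box; the ruleset is only generated and checked here, not loaded.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a default-deny iptables
# ruleset (iptables-restore format) for: (1) no new inbound UDP,
# (2) HTTP in but no new outbound port 80, (3) no LAN<->WAN mail.
# Interface names are assumptions; override with LAN_IFACE=... WAN_IFACE=...
LAN_IFACE="${LAN_IFACE:-eth1}"   # assumed: the VM / internal side
WAN_IFACE="${WAN_IFACE:-eth0}"   # assumed: the crossover "external" side

# build_ruleset prints a complete *filter table. Lines starting with '#'
# are ignored by iptables-restore, so the comments can stay in.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback plus replies to connections that were already accepted.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# (1) New inbound UDP: log (rate limited) then drop. DNS answers to our own
#     queries still arrive through the RELATED,ESTABLISHED rule above.
-A INPUT -p udp -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "UDP-BLOCKED: "
-A INPUT -p udp -j DROP
# (2) Accept new HTTP to this box; reject anything new leaving on port 80.
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j REJECT --reject-with tcp-reset
# (3) SMTP/POP3 between LAN and WAN is rejected both ways. Mail that stays
#     inside the LAN never crosses this box, so it is unaffected.
-A FORWARD -i $LAN_IFACE -o $WAN_IFACE -p tcp -m multiport --dports 25,110 -j REJECT
-A FORWARD -i $WAN_IFACE -o $LAN_IFACE -p tcp -m multiport --dports 25,110 -j REJECT
# What a lab box still needs: outbound DNS, SSH from the LAN, ping both ways.
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i $LAN_IFACE -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# check_ruleset verifies the generated text before anything is loaded:
# every chain must default to DROP and each requirement must be present.
check_ruleset() {
    rules="$(build_ruleset)"
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q -- "^:$chain DROP" \
            || { echo "no DROP policy on $chain"; return 1; }
    done
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -p udp -j DROP$' \
        || { echo "UDP drop rule missing"; return 1; }
    printf '%s\n' "$rules" | grep -q -- '^-A OUTPUT -p tcp --dport 80 .* -j REJECT' \
        || { echo "outbound port 80 reject missing"; return 1; }
    [ "$(printf '%s\n' "$rules" | grep -c -- '--dports 25,110')" -eq 2 ] \
        || { echo "expected two LAN/WAN mail rules"; return 1; }
    echo "ruleset OK"
}

# parse_check hands the ruleset to iptables-restore --test (parse only, no
# changes) when the tool exists; it is skipped on a box without iptables.
parse_check() {
    command -v iptables-restore >/dev/null 2>&1 \
        || { echo "iptables-restore not found; skipping parse check"; return 0; }
    build_ruleset | iptables-restore --test
}

check_ruleset
```

To load it on the Fedora box, run `build_ruleset | iptables-restore --test` first, then `build_ruleset | iptables-restore` as root. When a UDP probe from the other laptop is dropped, a line prefixed `UDP-BLOCKED:` appears in the kernel log, which is a more reliable confirmation than the scanner's "open|filtered" guess.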
khandu 05-01-2008 03:59 AM

Quote:

Originally Posted by win32sux (Post 3137826)
I assume you only want to block incoming UDP streams which aren't related to outgoing ones. Because if you filter all incoming UDP packets then you won't, for example, be able to receive results for your DNS queries. So:
Code:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p UDP -j DROP

If by "coming out" you mean from the box itself:
Code:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT

iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p TCP --dport 80 -m state --state NEW -j REJECT

If by "coming out" you mean from the network:
Code:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE \
--dport 80 -m state --state NEW -j REJECT


Code:

iptables -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE \
-m multiport --dports 25,110 -m state --state NEW -j REJECT

Keep in mind that these are simply direct answers to the questions. I don't suggest you actually go about doing this like this in real life. You really should take the opposite approach instead. In other words, filter everything then make ACCEPT rules for the stuff you want to allow.

Start by reading about using Nmap with UDP.

Yes.

Hey, how do you test an external network via crossover cable? As I have mentioned above, internal we can test. How can I make one external network and then try the iptables rules?

win32sux 05-01-2008 01:11 PM

Quote:

Originally Posted by khandu (Post 3138539)
hey how do u test external network via crossover cable?? as i have mentioned above internal we can test.. how can i make 1 external network and then try the iptables rules??

It really is as simple as plugging your laptop into the WAN interface of the iptables box and running your tests. You can give your laptop pretty much any Internet IP you wish.

khandu 05-01-2008 06:38 PM

Quote:

Originally Posted by win32sux (Post 3138969)
It really is as simple as plugging your laptop into the WAN interface of the iptables box and running your tests. You can give your laptop pretty much any Internet IP you wish.

Oh, did I forget to mention the Linux is running on a laptop and is directly connected to another laptop via crossover cable? So I don't think there is any WAN interface in a laptop. Hope I'm right about it.

win32sux 05-01-2008 09:02 PM

Quote:

Originally Posted by khandu (Post 3139258)
Oh did i forget to mention the linux is running on a laptop and is directly connected to another laptop via crossover cable. so i dont think there is any WAN interface in a laptop. Hope i m right about it..

It's the WAN interface on your iptables router/gateway/firewall - not the laptop. You'd plug your laptop into the WAN interface of the iptables router/gateway/firewall and test the WAN side from there. Perhaps I am not understanding your setup/question correctly. I've just re-read your first post and it sounds like you are trying to simulate some sort of network by using two machines, a crossover cable, and virtual machines. Is that the case? I was operating under the impression that this all revolved around one, real, iptables router/gateway/firewall.

khandu 05-02-2008 08:42 PM

Quote:

Originally Posted by win32sux (Post 3139365)
I've just re-read your first post and it sounds like you are trying to simulate some sort of network by using two machines, a crossover cable, and virtual machines. Is that the case?

Yes, that is correct. Just two laptops and a crossover cable; no other hardware involved.

win32sux 05-02-2008 09:47 PM

Quote:

Originally Posted by khandu (Post 3140596)
Yes that is correct. Just two laptops and a crossover cable.. no other hardware involved

Oh, okay. Cool. I'm gonna go ahead and move this over to Networking then, as it'll get more adequate exposure there. I personally don't have any experience using iptables with virtual machines, so I can't be of much help - but there's tons of LQ members who are very familiar with this sort of thing so help should be on the way.
