I've been having a difficult time trying to get this configuration to work properly. I'm learning iptables, coming from FreeBSD/PF. I've read tutorials, books, etc., and I can't seem to figure out why this isn't working.
The primary motivation behind this was to limit access to port 22 (we're getting slammed with dictionary attacks) - but generally, we need the below configuration to work.
With this file, installed in /etc/sysconfig/iptables, people from the outside can get to port 22.
It's possible the sheer amount of time I've spent on this has me overlooking something very simple. So a second, more experienced pair of eyes is needed.
I'd appreciate any feedback.
When I removed the line:
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
It seemed to work, but we ended up having troubles with the other ports, so I just reverted to this version.
Thanks!
(obviously, the x's and W's are here for illustrative purposes ;-))
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s x.x.x.0/255.255.255.0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s x.x.x.0/255.255.255.0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -d x.x.x.x -p tcp -m state --state NEW -m tcp --dport XXXX -j ACCEPT
-A RH-Firewall-1-INPUT -d x.x.x.x -p tcp -m state --state NEW -m tcp --dport XXXX -j ACCEPT
-A RH-Firewall-1-INPUT -s x.x.x.0/255.255.255.0 -p tcp -m state --state NEW -m tcp --dport 3333 -j ACCEPT
-A RH-Firewall-1-INPUT -s x.x.x.x -p tcp -m state --state NEW -m tcp --dport VVVV -j ACCEPT
-A RH-Firewall-1-INPUT -s x.x.x.x -p tcp -m state --state NEW -m tcp --dport WWWW -j ACCEPT
-A RH-Firewall-1-INPUT -j DROP
COMMIT
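An added illustration, not part of the original post: a small Python check over the iptables-save format that shows why outsiders still reach port 22. Once `-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT` has accepted a packet arriving on eth0, the port-22 source restriction and the closing DROP further down the chain are never consulted for it. The sample is the post's own chain, trimmed; the function names are mine, and the parser assumes every option takes exactly one value, which holds for the options used in this ruleset.

```python
import shlex

# Constructed sample: the poster's chain, trimmed to the rules that matter here,
# with the placeholder source network kept exactly as it appears in the post.
RULESET = """\
*filter
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s x.x.x.0/255.255.255.0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s x.x.x.0/255.255.255.0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j DROP
COMMIT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_chain(text, chain):
    """Return the -A rules of `chain` as {option: value} dicts; the target sits under 'j'."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", chain]:
            continue
        rule, i = {}, 2
        while i < len(tokens):
            opt = tokens[i].lstrip("-")
            if opt != "m":                 # "-m state" / "-m tcp" only load a match module
                rule[opt] = tokens[i + 1]  # assumption: one value per option (true here)
            i += 2
        rules.append(rule)
    return rules

def decides_all(rules, iface):
    """Index of the first rule that sends EVERY packet arriving on `iface` to a terminal
    target: its only match is that interface (or it has no match at all)."""
    for idx, rule in enumerate(rules):
        matches = {k: v for k, v in rule.items() if k != "j"}
        if matches.get("i", iface) != iface:
            continue                       # bound to another interface: can never match
        if set(matches) <= {"i"} and rule["j"] in TERMINAL:
            return idx
    return None

def dead_rules(rules, iface):
    """Rules after that decision point, which are never evaluated for traffic on `iface`."""
    stop = decides_all(rules, iface)
    return [] if stop is None else list(range(stop + 1, len(rules)))
```

For eth0 the decision point is the `-i eth0 -j ACCEPT` line, so the state rule, both port-22 rules and the final DROP are dead for everything arriving from the outside; for an interface with no catch-all, the same walk ends at the DROP.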