Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
When I run the command ipfilter-restore IPFilterMod.txt I get an error saying: Line 7 failed.
/Andy
This is a shell script to generate your iptables rules; it should run as a shell script, rather than being 'restored'. 'restore' and 'save' are complements and should be used as a pair. And corp has beaten me to the comment about the #!/bin/bash.
Finally I got the script up and running and have only a few more questions. Thank you all for valuable input :-)
At the top I have default DROP for all chains. But how can I achieve dropping traffic only on the internet interface (eth0), while on the LAN (eth2) and DMZ (eth1) not-allowed traffic is REJECTed?
The script now looks like this:
Code:
#!/bin/bash
# Flush current rules in the filter and nat tables, so re-running the
# script does not leave duplicate NAT rules behind
iptables -F
iptables -t nat -F
# Standard policies: stop everything by default, silently ##############
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
################################################################################################################################
# INPUT rules
# Ping to firewall from the LAN
iptables -A INPUT -p ICMP -s 192.168.20.0/24 -i eth2 -d 192.168.20.1 --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p ICMP -s 192.168.20.0/24 -i eth2 -d 192.168.20.1 --icmp-type echo-reply -j ACCEPT
# SSH to firewall from the LAN
iptables -A INPUT -p tcp -s 192.168.20.0/24 -i eth2 -d 192.168.20.1 --dport 22 -m state --state NEW -j ACCEPT
# Internet to firewall (nothing allowed)
################################################################################################################################
# FORWARD rules
# DMZ access to debianupdate
iptables -A FORWARD -p tcp -s 192.168.10.2 -i eth1 -o eth0 -d 128.39.3.170 --dport 80 -j ACCEPT
# Reply from debianupdate
iptables -A FORWARD -i eth0 -o eth1 -d 192.168.10.2 -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN to webserver
iptables -A FORWARD -p tcp -s 192.168.20.0/24 -i eth2 -o eth1 -d 192.168.10.2 --dport 80 -j ACCEPT
# Webserver back to LAN
iptables -A FORWARD -i eth1 -o eth2 -d 192.168.20.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN to internet
iptables -A FORWARD -p tcp -s 192.168.20.0/24 -i eth2 -o eth0 -j ACCEPT
# To LAN from internet (replies only)
iptables -A FORWARD -i eth0 -o eth2 -d 192.168.20.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet to webserver (after DNAT below)
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.10.2 --dport 80 -j ACCEPT
# Ping to webserver from the LAN
iptables -A FORWARD -p ICMP -s 192.168.20.0/24 -i eth2 -o eth1 -d 192.168.10.2 --icmp-type echo-request -j ACCEPT
# Ping reply from webserver
iptables -A FORWARD -p ICMP -s 192.168.10.2 -i eth1 -o eth2 -d 192.168.20.0/24 --icmp-type echo-reply -j ACCEPT
################################################################################################################################
# OUTPUT rules
# Ping requests and replies so the firewall can ping and answer pings
iptables -A OUTPUT -p ICMP -s 192.168.20.1 -o eth2 -d 192.168.20.0/24 --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p ICMP -s 192.168.20.1 -o eth2 -d 192.168.20.0/24 --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p ICMP -s 192.168.10.1 -o eth1 -d 192.168.10.0/24 --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p ICMP -s 192.168.10.1 -o eth1 -d 192.168.10.0/24 --icmp-type echo-reply -j ACCEPT
# SSH replies for connections accepted in the INPUT chain
iptables -A OUTPUT -s 192.168.20.1 -o eth2 -d 192.168.20.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
################################################################################################################################
# NAT rules
# Internet access to http in the DMZ
iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 80 -j DNAT --to-destination 192.168.10.2
# Masquerade rules
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.20.0/24 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10.0/24 -d 0/0 -j MASQUERADE
# Print the resulting ruleset
/sbin/iptables-save
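One way to answer the question above (DROP on eth0, REJECT on the LAN and DMZ interfaces) while keeping the default DROP policies: append REJECT rules for eth2 and eth1 at the end of each chain, so anything that matched no ACCEPT rule is rejected on those interfaces and still falls through to the DROP policy on eth0. This is an added example, not code from the original post. It assumes the interface names from the post, an IPT variable that defaults to a dry-run (printing the commands) and must be set to iptables to apply them as root, and that it runs after all the ACCEPT rules have been added, since -A appends at the tail.

```shell
#!/bin/sh
# Added example: per-interface REJECT tails for a default-DROP ruleset.
# IPT defaults to "echo iptables" so the commands are printed, not run;
# run with IPT=iptables as root to apply them. (Assumption, not from the post.)
IPT="${IPT:-echo iptables}"

# Interface roles as given in the post
WAN=eth0
LAN=eth2
DMZ=eth1

# Append the REJECT tails. Must run after every ACCEPT rule, because
# -A appends at the end of the chain and iptables matches top-down.
add_reject_tails() {
    for iface in "$LAN" "$DMZ"; do
        # Rate-limited log line before rejecting, so refused traffic is visible
        $IPT -A INPUT   -i "$iface" -m limit --limit 5/min -j LOG --log-prefix "FW-REJECT-IN-$iface: "
        $IPT -A FORWARD -i "$iface" -m limit --limit 5/min -j LOG --log-prefix "FW-REJECT-FWD-$iface: "
        # TCP gets a RST so clients fail immediately instead of timing out
        $IPT -A INPUT   -i "$iface" -p tcp -j REJECT --reject-with tcp-reset
        $IPT -A FORWARD -i "$iface" -p tcp -j REJECT --reject-with tcp-reset
        # Everything else gets ICMP port-unreachable
        $IPT -A INPUT   -i "$iface" -j REJECT --reject-with icmp-port-unreachable
        $IPT -A FORWARD -i "$iface" -j REJECT --reject-with icmp-port-unreachable
        # Locally generated packets leaving on LAN/DMZ are rejected too
        $IPT -A OUTPUT  -o "$iface" -j REJECT --reject-with icmp-port-unreachable
    done
    # No rule for $WAN: traffic on eth0 keeps falling through to the DROP policy
}

# Sanity checks on the generated rules (only meaningful in dry-run mode)
count_reject_rules() {
    add_reject_tails | grep -c -- '-j REJECT'
}
count_wan_rules() {
    add_reject_tails | grep -c -- "$WAN" || true
}

add_reject_tails
```

Because REJECT sends a reply packet, it reveals that a host is filtering; on the internet side DROP is kept precisely so that unsolicited probes get no answer, while on the trusted sides REJECT gives users and applications an immediate error instead of a hang.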