I have arranged a small private LAN (192.168.1.0/24). Following are some specs I have configured,
192.168.1.10 dns
192.168.1.11 sendmail
192.168.1.12 apache | vsftp | smb
AND the clients 192.168.1.20 - 192.168.1.25
Apart from the above I want to allow SSH on all the machines.
And also allow pinging (SNMP) within the LAN.
In addition to the above I have configured a GW
(outside eth1 192.168.0.100 and inside eth0 192.168.1.1)
I have already put some masquerade rules to allow my private LAN clients to access the internet thru the GW and it is working fine.
The rules are as follows,
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s ! 192.168.1.0/24 -j DROP
Considering the rules 3 and 4: I see a conflict, 3 says whatever the s but the d is the specified one then forward. And 4 says if the s is NOT the specified one then drop.
Does that mean that U first check the d, and if it is matching then U forward, otherwise then U check the s and if it is NOT matching U drop ? Is that correct?
OK. Now what I actually want is a set of RULES (separately for the SERVERS and Clients) to do ONLY the abovementioned and shutdown everything else.
The rules are evaluated in order, one after the next, until the packet matches a terminating target (ACCEPT/DROP). Once the packet matches, no more rules will be evaluated. So rule order is very important. Your rules would look like this:
If source is 192.168.1.0/24 then forward
If destination is 192.168.1.0/24 then forward
If source is not 192.168.1.0/24 then drop packet.
I would at the very least recommend that you include in the rule the interface that the traffic should be passing through to reduce spoofing. Like this:
iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.1.0/24 -j ACCEPT
You'll also need to define default policies for the firewall and add rules to block traffic going to the firewall itself. This is a very minimal configuration you can use:
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s ! 192.168.1.0/24 -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
However, I would recommend removing the second to last rule as it is unnecessary. Also I'm kind of unsure of what kind of traffic you'd like to allow through the firewall. Do you only need the LAN systems to be able to access the internet, or do you need to allow machines outside the LAN to have access to those services inside the LAN (dns, sendmail, apache)? If you only need to allow internet access to the clients, then you can tighten access even further.
Last edited by Capt_Caveman; 09-24-2005 at 02:32 PM.
To Capt_caveman
First of all sorry for replying late, I was out.
Thanx for your reply and pointing out to include the interfaces.
And the answer for your question is that: I only want the LAN to access the Internet thru my GW and nothing else. So, tell me how I can tighten the firewall further.
In that case, this would restrict access further:
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Keep in mind that this is an absolutely bare minimum script and I would recommend logging/dropping bad packets (like "new not syn" and the bogon IP addresses).
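The following script is an added example, not code posted in this thread, that puts the rulesets from both replies above into one ordered script and adds the "new not syn" and bogon log/drop rules the last reply only mentions. It uses the thread's interfaces and addresses (eth0 inside, eth1 outside, 192.168.1.0/24 LAN); the function names, the `IPT` variable, the LOG prefixes, the bogon list and the LAN-only SSH/ping rules on the gateway are this example's own assumptions. `IPT` defaults to a dry run that only prints the commands, so the rule order can be read without root; run it as `IPT=iptables` on the gateway to apply it.

```shell
#!/bin/sh
# Added example: ordered iptables ruleset for a LAN -> Internet gateway.
# IPT defaults to printing the commands (dry run); set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
LAN_IF=eth0              # inside interface, 192.168.1.1 (from the thread)
WAN_IF=eth1              # outside interface, 192.168.0.100 (from the thread)
LAN_NET=192.168.1.0/24   # the private LAN

# Flush everything first so the order below is exactly what the kernel holds.
flush_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -X
}

# Default policies: anything not explicitly accepted below is dropped.
set_policies() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Sanity drops go first because evaluation stops at the first terminating
# target. A TCP packet in state NEW without SYN is not a valid connection
# start, and private/loopback sources must not arrive on the outside side.
drop_bad_packets() {
    for chain in INPUT FORWARD; do
        $IPT -A "$chain" -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW-NOT-SYN: "
        $IPT -A "$chain" -p tcp ! --syn -m state --state NEW -j DROP
    done
    # Constructed bogon list for this example: RFC 1918 10/8 and 172.16/12,
    # loopback, and our own LAN (anti-spoofing). 192.168.0.0/16 is deliberately
    # left out because the thread's upstream is itself on 192.168.0.x.
    for net in 10.0.0.0/8 172.16.0.0/12 127.0.0.0/8 "$LAN_NET"; do
        $IPT -A INPUT -i "$WAN_IF" -s "$net" -j LOG --log-prefix "BOGON: "
        $IPT -A INPUT -i "$WAN_IF" -s "$net" -j DROP
        $IPT -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done
}

# LAN -> Internet only: NAT outbound, forward new connections that enter on
# the inside interface, and let only replies back in through the outside one.
allow_lan_to_internet() {
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Traffic to the gateway itself: loopback, replies to its own connections,
# and SSH plus ping from the LAN side only (assumed from the poster's wishes).
allow_gateway_input() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT
}

# Build the whole ruleset in the order that matters.
build_gateway_rules() {
    flush_rules
    set_policies
    drop_bad_packets
    allow_lan_to_internet
    allow_gateway_input
}

build_gateway_rules
```

Because the policies are set to DROP before the ACCEPT rules are added, apply this from the console rather than over SSH, or wrap it so a failure restores the previous rules; the order of the three blocks (sanity drops, forwarding, gateway input) is the point, since a later ACCEPT cannot override an earlier DROP.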