Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
02-27-2006, 11:38 AM
#1
Member
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217
Iptables
Well, here is the setup... I have a RH8 box running apache and bind. It is working as a both www server and dns server. now, here is my static ip.. 202.202.202.202
1) I want to deny all incoming requests.
2) I want to accept incomings from any addr to my ip (eth0) on port 80, so that people can browse sites from this machine.
3) I want to accept incomings for the DNS. I mean since this is a DNS server, it gives replies to ppl for the zones it has. And also it will give replies for the zones it doesn't have by resolving the addrs. (I think here we can free the outgoing so dns will ask for addrs. And only accepted ins so it'll reply for ppl's query (no matter whether it is in the server or not).)
4) I will allow all ICMP to come in and out.
Now what could the possible script be?? Note that this machine is not a NAT.
Mishu~~
02-27-2006, 02:32 PM
#2
LQ Guru
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131
sounds simple to me. 1) deny all from input, 2) accept certain types of connections. you just need to read
especially the sections that contain information about --in-interface or --dport or --source or --destination and so on. denying everything except for the special rules:
/sbin/iptables -P INPUT DROP
then just list the connections you do want to pass through, like:
/sbin/iptables -A INPUT --destination 202.202.202.202 --in-interface eth0 -j ACCEPT
that would accept everything that's coming in from eth0 to the address 202.202.202.202; you could also add --dport <portnumber> to specify the destination port, etc... that's all explained very well in iptables' manpages, and at iptables.org
03-03-2006, 06:05 AM
#3
Member
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217
Original Poster
okk... here it is..
i tried using -P INPUT DROP and it brought me a horrible thing. i'm changing this to this....
iptables -A INPUT -s 0/0 -d 202.202.202.202 -i eth0 -j DROP
iptables -A INPUT -s 0/0 -d 202.202.202.202 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 0/0 -d 202.202.202.202 -p udp --dport 53 -j ACCEPT
Will this work so ppl can reach me only using port 80 (www) and to get dns resolved from me?? Note: I will also resolve DNS from others so 53 in-out for DNS right?? Now, is it this one that i've given or
iptables -A INPUT -s 0/0 -d 202.202.202.202 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 0/0 -d 202.202.202.202 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -s 0/0 -d 202.202.202.202 -i eth0 -j DROP
This one?? Which one will first block all then allow limited??
03-03-2006, 12:17 PM
#4
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by aq_mishu
Which one will first block all then allow limited??
you don't wanna do that with rules... you wanna set your policy to DROP, and then that way only packets matching your ACCEPT rules will be allowed... it's a very bad idea to use rules instead of policy... the policies were created for a reason...
03-03-2006, 12:26 PM
#5
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
here, execute this script and you should be set... the script will first flush-out any rules you might have in your chains, and then it basically sets your INPUT policy to DROP while adding ACCEPT rules for HTTP/DNS/PINGs, like what you've said you need:
Code:
#!/bin/sh
IPT="/sbin/iptables"
# flush all rules and delete user-defined chains in every table
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
# default policies: drop everything inbound, allow everything outbound
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
# replies to connections this box started (or related to them) may come in
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# loopback traffic
$IPT -A INPUT -i lo -j ACCEPT
# new inbound HTTP, DNS queries and echo requests (ping)
$IPT -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
once the script has been executed and you've tested it works fine, you can proceed to do an "iptables-save" to make the change permanent...
make sure you have forwarding disabled in your /etc/sysctl.conf:
Code:
net.ipv4.ip_forward = 0
Last edited by win32sux; 03-03-2006 at 12:27 PM.
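As an added example, not from the thread or its posters, here is a check for the policy-first layout argued for in posts #4 and #5: it reads a ruleset in iptables-save format (a constructed sample is embedded; on a live box you would pipe in the output of iptables-save) and flags an ACCEPT policy, a missing or misplaced ESTABLISHED,RELATED rule, a DROP rule standing in for the policy, or a rule that matches a whole interface with no port.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample in iptables-save
# format, mirroring the script above.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
COMMIT'

# check_ruleset: read a dump on stdin, print one finding per line and
# return 0 only if every check passes. Checks: INPUT policy is DROP; the
# ESTABLISHED,RELATED rule precedes any --state NEW rule (otherwise replies
# never get a chance to match); no rule matches an eth* interface without
# a port or icmp type; DROP rules are only warned about (policy is better).
check_ruleset() {
    awk '
    /^:INPUT /   { policy = $2 }
    /^-A INPUT / {
        n++
        if ($0 ~ /--state ESTABLISHED,RELATED/ && !est) est = n
        if ($0 ~ /--state NEW/ && !firstnew)       firstnew = n
        if ($0 ~ /-j DROP/)                         drops++
        if ($0 ~ /-i eth/ && $0 !~ /--dport|--icmp-type/) wide = $0
    }
    END {
        ok = 1
        if (policy != "DROP") { print "FAIL: INPUT policy is " policy ", not DROP"; ok = 0 }
        if (!est) { print "FAIL: no ESTABLISHED,RELATED rule, replies will be dropped"; ok = 0 }
        else if (firstnew && est > firstnew) { print "FAIL: ESTABLISHED,RELATED rule comes after NEW rules"; ok = 0 }
        if (drops) print "WARN: " drops " DROP rule(s) in INPUT, prefer the chain policy"
        if (wide != "") { print "FAIL: rule matches a whole interface: " wide; ok = 0 }
        if (ok) print "OK: policy-first ruleset"
        exit !ok
    }'
}

printf '%s\n' "$SAMPLE_RULES" | check_ruleset
```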
03-03-2006, 12:38 PM
#6
Member
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217
Original Poster
is for default policy to drop all. that's okk.. then
Quote:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
For ?? I mean i just want to know and to be clear.. I'm puzzled
Quote:
$IPT -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP --dport 53 -m state --state NEW -j ACCEPT
If I do this, then 80 and 53 will come in to me.. okk.. now if i also want to go out using 53 and 80, then also okk I think. Right?? But I found after this, 53 out is not working. I think 53udp is used to send the requests and the answer comes with another port... is it??
Quote:
$IPT -A INPUT -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
if i use only ICMP and do not mention any type, all icmps will work right?? then after the answers and clarifications, i can proceed...
But thanks for your work for me.
03-03-2006, 12:46 PM
#7
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
- the ESTABLISHED,RELATED rule is to accept packets which are part of an existing connection, or a connection directly related to it...
http://wiki.linuxquestions.org/wiki/Iptables
- yes, if you don't specify the icmp type then all types will be allowed...
- yes, all outgoing packets are allowed, because the OUTPUT policy is set to ACCEPT...
- i don't know why your dns isn't working... if you think it's because of the firewall then just add a LOG rule to the end of the INPUT chain and it will log anything that goes to DROP because of the policy... you can then post the logged lines here to get feedback...
Code:
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
you can monitor your log file in a terminal while the problem occurs with a:
Code:
tail -f /var/log/syslog
Last edited by win32sux; 03-03-2006 at 12:52 PM.
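An added example (not from the thread) for the LOG rule suggested above: once the "INPUT DROP: " prefix is in place, this summarises the dropped packets from syslog lines of the form the kernel LOG target writes, so you can see at a glance which protocol, port and source are hitting the policy. The log lines are constructed, with addresses from documentation ranges; on a live box you would pipe in /var/log/syslog instead.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed syslog lines in the
# field layout the netfilter LOG target uses (ICMP carries TYPE/CODE
# instead of ports). The last line is unrelated noise that must be ignored.
SAMPLE_LOG='Mar  3 12:50:01 ns1 kernel: INPUT DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=202.202.202.202 LEN=60 TTL=54 ID=1 DF PROTO=TCP SPT=45231 DPT=22 WINDOW=5840 SYN URGP=0
Mar  3 12:50:02 ns1 kernel: INPUT DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=202.202.202.202 LEN=60 TTL=54 ID=2 DF PROTO=TCP SPT=45232 DPT=22 WINDOW=5840 SYN URGP=0
Mar  3 12:50:05 ns1 kernel: INPUT DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=202.202.202.202 LEN=73 TTL=60 ID=3 PROTO=UDP SPT=53 DPT=53 LEN=53
Mar  3 12:50:06 ns1 kernel: INPUT DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=202.202.202.202 LEN=84 TTL=60 ID=4 PROTO=ICMP TYPE=3 CODE=3
Mar  3 12:50:07 ns1 kernel: other message not from the firewall'

# summarise_drops: read syslog on stdin, keep lines carrying the LOG
# prefix, and print "count proto dport src" per distinct tuple, most
# frequent first. For ICMP the dport column shows "type<N>".
summarise_drops() {
    awk '
    /kernel: INPUT DROP: / {
        proto = "?"; port = "-"; src = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO")     proto = kv[2]
            else if (kv[1] == "SRC")  src = kv[2]
            else if (kv[1] == "DPT")  port = kv[2]
            else if (kv[1] == "TYPE") port = "type" kv[2]
        }
        count[proto " " port " " src]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# drops_to PROTO DPORT: total dropped packets for one protocol/port,
# summed over all sources (reads syslog on stdin).
drops_to() {
    summarise_drops | awk -v p="$1" -v d="$2" \
        '$2 == p && $3 == d { s += $1 } END { print s + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarise_drops
```

A burst of drops with PROTO=UDP and DPT=53 from a resolver you queried would point at the ESTABLISHED,RELATED rule not matching, whereas drops to other ports are simply the policy doing its job.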