What seems so simple on paper seems to be alot more complex then I thought.

My whole goal is to create an iptable on a server of mine which will block all incoming traffic that is outside the network, but would still allow the server to communicate to the outside world, like a one way window.

Pretty much so far I have
iptables -A INPUT -s 192.168.1.1/24 -j ACCEPT
iptables -A INPUT -p tcp -j ACCEPT
iptables -P INPUT DROP


So, I'm looking at this and thinking to myself I haven't really done anything since people from the outside can still access services since I am allowing tcp.

Is there a way to block all external traffic but still allow the box to have some access to the outside world?

You have to specify service by service, which you want to leave open, instead of just letting everything in.

Eg:
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

After you specify what you want to accept you can restrict everything else with something like
Eg:
-A INPUT -j REJECT --reject-with icmp-host-prohibited

"reject-with icmp-host-prohibited" is more graceful than just dropping the packets

Thank you SkyEye for the reply.

Should have known to specify the allow list on a service/port level rather then all at once. I must have had a brain fart.

Thanks for your help.

You are welcome. LQ is here to help.

Hello,

There is a module called ip_conntrack (and another called ip_conntrack_ftp) which works to classify traffic into the following states: NEW, ESTABLISHED, RELATED, INVALID. This module (along with the correct rules) will provide you with exactly what you need (man iptables and look for "state").

What you basically want to do is apply a default DROP policy for the INPUT table, then allow outgoing traffic, then allow all incoming traffic that is RELATED or ESTABLISHED. Don't forget to allow ALL traffic FROM/TO the loopback device (127.0.0.1/8) for some services to wrok correctly.

Cheers

1 members found this post helpful.

Thanks Notwerk for the reply.

I'll give that a look into.

I found some old iptable scripts on an old server and was looking through that just to help give me an idea where to head off next and I noticed something.

-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT

Would it be safe to assume that on that bit it allows all internal subnet traffic to go on it merry way? Since all address in 192.168.1.xxx are source and destination.

Looks to me like it would, but still trying to figure it all out.

That's perfectly correct.

Personally, i also prefer to specify the in/out device by adding -o eth0 and -i eth0 to the rules, respectively.

But i guess to each their own

hi Argo,

maybe this basic can help :
scenario of eth0 as intintf,
and eth1 as extintf :

iptables -A INPUT -i lo -s 127.0.0.1/8 -j ACCEPT
iptables -A INPUT -i <your_intintf> -s <your_intaddr/mask> -j ACCEPT
iptables -A INPUT -i <your_extintf> -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i <your_extintf> -m state ! --state RELATED,ESTABLISHED -j LOG
iptables -A INPUT -i <your_extintf> -m state ! --state RELATED,ESTABLISHED -j DROP
iptables -P INPUT DROP

the purpose of defining the inteface for your incoming traffic is to get easier monitoring and in creating rule definition/troubleshooting.
and remember to always allow loopback traffic (lo) -- otherwise your console will be locked-

HTH,

Cheers.

Excellent, thanks rossonieri#1.

I seem to have everything I need thanks to all your help. So thanks to everyone.

But I have another question that relates to this.

I've been noticing some odd logs appering in my /var/log/samba dir, with these names:
67.119.221.166.log
24.222.130.30.log
etc..

Log contants are:
[2007/06/14 18:50:27, 0] lib/access.c:check_access(328)
Denied connection from (*ip addy*)

Now, these are not part of my network and I went ahead and tried to make some iptable rules to make my samba internal only.

I've searched and tried a few things but to no avail. Heres what I've tried (I have a default policy for DROP btw):
-A FORWARD -p tcp -s 192.168.1.0/255.255.255.0 --dport 137:139 -j ACCEPT
-A FORWARD -p udp -s 192.168.1.0/255.255.255.0 --dport 137:139 -j ACCEPT
####
-I INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 135 -j ACCEPT
-I INPUT -s 192.168.1.0/255.255.255.0 -p udp --dport 137:138 -j ACCEPT
-I INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 139 -j ACCEPT
-I INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 445 -j ACCEPT
-I OUTPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 135 -j ACCEPT
-I OUTPUT -s 192.168.1.0/255.255.255.0 -p udp --dport 137:138 -j ACCEPT
-I OUTPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 139 -j ACCEPT
-I OUTPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 445 -j ACCEPT
###

But this dosen't seem to work as about an hour after I applied them I had an outside.IP.address.log file created. Any ideas would be greatly appericated.

OK,
now SAMBA

check your rule which state which interface SAMBA listening for client request -- change to your internal interface.

for the iptables,
just try my previous post - analyze it, and develop again with FORWARD statement :
this is from yours :
-A FORWARD -p tcp -s 192.168.1.0/255.255.255.0 --dport 137:139 -j ACCEPT
-A FORWARD -p udp -s 192.168.1.0/255.255.255.0 --dport 137:139 -j ACCEPT

and change to this :

-A FORWARD -i <intintf> -p tcp -s 192.168.1.0/255.255.255.0 -o <intintf> --dport 137:139 -j ACCEPT
-A FORWARD -i <intintf> -p udp -s 192.168.1.0/255.255.255.0 -o <intintf> --dport 137:139 -j ACCEPT

the log probably still there - but you should see whether your data is going outside or not.

HTH.

Cheers.

Excellent, thanks again Ross. I'll give that a try today.

Check out shorewall ... http://www.shorewall.net.