LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-06-2008, 11:57 AM   #1
jocast
Member
 
Registered: May 2004
Location: Laredo
Distribution: FC3
Posts: 185

Rep: Reputation: 30
Iptables Example


Hello there.
I need an example of iptables that is DROP by default, with
internet sharing, just ports 80, 110 and 25 open for the whole network,
and 4899 to one workstation which I'll be accessing remotely.

I tried this but had no success:

#!/bin/sh
## IPTABLES SCRIPT - example from the iptables manual
## Example script for a firewall between networks with DROP by default
## Pello Xabier Altadill Izura
## www.pello.info - pello@pello.info

echo -n "Applying firewall rules..."

## FLUSH the rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

## Set the default policy: DROP!!!
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

## Start filtering
## Note: eth0 is the interface connected to the router and eth1 to the LAN

# Accept replies to the connections allowed further down. Without these
# three rules the DROP policies discard every return packet in every chain.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# We have full access to the firewall from our own IP
iptables -A INPUT -s my.home.ip.addr -j ACCEPT
iptables -A OUTPUT -d my.home.ip.addr -j ACCEPT

# Nobody else gets access to the firewall.
# Strictly speaking this is redundant, but if we relax the policy
# temporarily it covers our backs. Being this early in the chain, it also
# makes every INPUT rule appended after it unreachable.
iptables -A INPUT -s 0.0.0.0/0 -j DROP

## Now we can add the rules for each service
## These packets are destined for other machines, so FORWARD applies

# Allow traffic to port 80
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -p tcp --dport 80 -j ACCEPT
# Allow traffic to https
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -p tcp --dport 443 -j ACCEPT

# Allow traffic to port 25
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -p tcp --dport 25 -j ACCEPT
# Allow traffic to port 110
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -p tcp --dport 110 -j ACCEPT

# Allow DNS lookups
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -p udp --dport 53 -j ACCEPT

## Remote server
# Access to port 4899
# (A packet arriving from the Internet is addressed to the firewall's own
# IP; it only reaches 192.168.1.12 if a nat PREROUTING DNAT rule rewrites
# it first. This script has no such rule.)
iptables -A FORWARD -d 192.168.1.12 -p tcp --dport 4899 -j ACCEPT
iptables -A FORWARD -s 192.168.1.12 -p tcp --sport 4899 -j ACCEPT

# Access from our IP to manage it
iptables -A FORWARD -s my.home.ip.addr -d 192.168.1.12 -p tcp --dport 22 -j ACCEPT

iptables -A FORWARD -s 192.168.1.12 -d my.home.ip.addr -p tcp --sport 22 -j ACCEPT

# And deny the rest. If anyone needs something else, they will let us know
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -j DROP

# Close everything else
iptables -A FORWARD -d 192.168.1.12 -j DROP


# Now masquerade the local network
# and enable the FORWARDING BIT (essential!!!!!)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

# This lets the firewall forward packets, i.e. other machines
# can reach the outside through the firewall.
echo 1 > /proc/sys/net/ipv4/ip_forward


## And now close unwanted access from the outside:
# Note: 0.0.0.0/0 means: any network
# (These three rules sit behind the catch-all INPUT DROP above and are
# never reached; they only matter if that rule is removed.)

# Close the well-known port range
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 1:1024 -j DROP
iptables -A INPUT -s 0.0.0.0/0 -p udp --dport 1:1024 -j DROP

# Close a management port: webmin
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 10000 -j DROP

echo " OK. Verify what was applied with: iptables -L -n"

# End of script
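Added example (editor's code, not the script from this post nor Pello's manual): the setup asked for in this thread as one complete ruleset in iptables-restore format, parameterised by the two interface names, the admin address and the workstation address, all four of which are placeholders you replace with your own. It differs from the script above in that it relies on connection tracking for replies, it DNATs inbound 4899 to the workstation in the nat table (a FORWARD rule alone cannot deliver a packet that is addressed to the firewall's public IP), it lists the three allowed ports once with multiport, and it also lets the workstation go out on 4899, which post #5 asks for.

```shell
#!/bin/sh
# Added example, not the script from the post above: emit the whole ruleset
# for this thread's setup in iptables-restore format. Assumptions (all
# placeholders, pass your own): $WAN faces the Internet, $LAN faces
# 192.168.1.0/24, $ADMIN_IP is the outside address you manage the firewall
# from, $WS_IP is the workstation that gets port 4899 from the Internet.

gen_rules() {
    WAN="$1"; LAN="$2"; ADMIN_IP="$3"; WS_IP="$4"
    LAN_NET="192.168.1.0/24"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound 4899 is rewritten to the workstation before the routing decision,
# so the FORWARD chain (not INPUT) sees it with destination $WS_IP
-A PREROUTING -i $WAN -p tcp --dport 4899 -j DNAT --to-destination $WS_IP
# Hide the LAN behind the firewall's external address
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Replies to connections accepted below, in every chain; with DROP policies
# and no such rule nothing round-trips
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# The firewall itself: SSH from the admin address only, DNS for its own use
-A INPUT -i $WAN -s $ADMIN_IP -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN -p tcp --dport 53 -m state --state NEW -j ACCEPT
# LAN -> Internet: DNS plus the three requested services, nothing else
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -p udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp -m multiport --dports 25,80,110 -m state --state NEW -j ACCEPT
# The workstation: 4899 in from the Internet (after DNAT) and out to it
-A FORWARD -i $WAN -o $LAN -d $WS_IP -p tcp --dport 4899 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $WS_IP -p tcp --dport 4899 -m state --state NEW -j ACCEPT
# Whatever is left is logged (rate limited) and then hits the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD: "
COMMIT
EOF
}

# Stand-alone use: sh thisfile.sh eth0 eth1 203.0.113.5 192.168.1.12 | iptables-restore
if [ "$#" -eq 4 ]; then
    gen_rules "$@"
fi
```

Load it with `sh thisfile.sh eth0 eth1 203.0.113.5 192.168.1.12 | iptables-restore`, then `echo 1 > /proc/sys/net/ipv4/ip_forward` (put `net.ipv4.ip_forward = 1` in /etc/sysctl.conf to keep it across reboots; a restore file cannot set it). On Fedora, `service iptables save` afterwards writes the live rules to /etc/sysconfig/iptables so the init script reloads them at boot. Check the result with `iptables -L -n -v` and `iptables -t nat -L -n -v`.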
 
Old 02-06-2008, 04:46 PM   #2
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 62
It might be easier to use this link to generate the firewall iptables for you. I know the default is drop on what it generates. http://easyfwgen.morizot.net/gen/

Brian
 
Old 02-07-2008, 05:51 PM   #3
jocast
Member
 
Registered: May 2004
Location: Laredo
Distribution: FC3
Posts: 185

Original Poster
Rep: Reputation: 30
I don't think it is DROP, since it says

# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

at the end of the blocking area.
 
Old 02-08-2008, 06:13 AM   #4
gundelgauk
Member
 
Registered: Jul 2003
Distribution: Gentoo
Posts: 168

Rep: Reputation: 30
The line
Code:
iptables -A INPUT -s 0.0.0.0/0 -j DROP
is redundant since your default policy for INPUT is DROP anyway. Even worse, it might introduce unwanted behavior because it is a very early rule in the table. You should just take it out.


Other than that, I don't understand your comments but I take it you want a masquerading (NAT) router that only routes ports 80, 110 and 25 for your entire network and forwards incoming connections from the internet on port 4899 to a specific machine inside your network?

You could use something like
Code:
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/24 -p tcp --destination-port 80 -j MASQUERADE
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
I use such a rule, but without the --destination-port, so I can't confirm 100% that it works the way you want.

The port forwarding for the one workstation is easy but takes three rules:
Code:
iptables -t nat -A PREROUTING -p tcp --destination-port 4899 -j DNAT --to-destination 192.168.1.xxx
iptables -A FORWARD -i ppp0 -p tcp -d 192.168.1.xxx --destination-port 4899 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --destination-port 4899 -m state --state NEW -j ACCEPT

Don't just copy/paste this, however. I didn't confirm it.
 
Old 02-28-2008, 09:32 AM   #5
jocast
Member
 
Registered: May 2004
Location: Laredo
Distribution: FC3
Posts: 185

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by gundelgauk View Post
I don't understand your comments but I take it you want a masquerading (NAT) router that only routes ports 80, 110 and 25 for your entire network and forwards incoming connections from the internet on port 4899 to a specific machine inside your network?
Yes, that is exactly what I want, including forwarding incoming AND OUTGOING connections from/to the internet on port 4899 to a specific machine inside my network.

Quote:
Originally Posted by gundelgauk View Post
The port forwarding for the one workstation is easy but takes three rules:
Code:
iptables -t nat -A PREROUTING -p tcp --destination-port 4899 -j DNAT --to-destination 192.168.1.xxx
iptables -A FORWARD -i ppp0 -p tcp -d 192.168.1.xxx --destination-port 4899 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --destination-port 4899 -m state --state NEW -j ACCEPT
I tried that without success.
 
Old 02-28-2008, 09:57 AM   #6
jocast
Member
 
Registered: May 2004
Location: Laredo
Distribution: FC3
Posts: 185

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Brian1 View Post
It might be easier to use this link to generate the firewall iptables for you. I know the default is drop on what it generates. http://easyfwgen.morizot.net/gen/

Brian
I tried this but I don't understand what to do with the file. It says:
(I have Fedora)

# Redhat/Fedora installation instructions
#
# 1. Have the system link the iptables init.d startup script into run states
# 2, 3, and 5.
# chkconfig --level 235 iptables on
No problem doing this.

# 2. Save this script and execute it to load the ruleset from this file.
# You may need to run the dos2unix command on it to remove carraige returns.
dos2unix says there is a problem converting the file, nothing else.

# 3. To have it applied at startup, copy this script to
# /etc/init.d/iptables. It accepts stop, start, save, and restore
# arguments. (You may wish to save the existing one first.)
# Alternatively, if you issue the 'service iptables save' command
# the init.d script should save the rules and reload them at runtime.
Here is my biggest problem: will I replace all of the iptables file's content with my firewall file's content?
I already made a backup and replaced the content, but iptables didn't work.
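Added example (editor's code, not from this thread and not part of easyfwgen): on Red Hat and Fedora, /etc/init.d/iptables does not execute a shell script; its `start` action feeds /etc/sysconfig/iptables to iptables-restore, so a file of `iptables ...` commands copied there is rejected, while a generated script belongs under /etc/init.d as the quoted instructions say. The converter below turns a command-style script (the one in the first post, or the `$IPT` style easyfwgen emits) into iptables-save format for /etc/sysconfig/iptables, and while it reads the rules it flags three faults that came up in this thread: a rule placed after a catch-all DROP in the same chain (the point made in post #4), a `--dport` with no `-p` (which iptables refuses outright), and an exact duplicate rule (the two port-80 lines that stand in for 25 and 110). The sample input is constructed for the demo and 203.0.113.5 is a placeholder address.

```shell
#!/bin/sh
# Added example, not part of the thread or of easyfwgen: convert a script of
# "iptables ..." (or "$IPT ...") commands into the iptables-save format that
# /etc/sysconfig/iptables must contain, and warn about the faults discussed
# in this thread while doing so. Input on stdin, output on stdout, warnings
# on stderr. The sample below is constructed for the demo.

convert_iptables_script() {
    awk '
    function warn(msg) { print "warning: " msg > "/dev/stderr" }
    function builtin(c) { return c ~ /^(INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING)$/ }
    function note_chain(t, c,    k) {
        k = t SUBSEP c
        if (!(k in known)) { known[k] = 1; chainlist[t] = chainlist[t] c "\n" }
    }
    # Only lines that invoke iptables; echo, sysctl and comments are ignored
    /^[ \t]*(iptables|[$]IPT)[ \t]/ {
        sub(/^[ \t]*(iptables|[$]IPT)[ \t]+/, "")
        table = "filter"; action = ""; chain = ""; policy = ""; target = ""
        hasproto = 0; hasport = 0; nmatch = 0; rule = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-t" || $i == "--table")     { table = $(i+1); i++; continue }
            if ($i == "-P" || $i == "--policy")    { action = "P"; chain = $(i+1); policy = $(i+2); i += 2; continue }
            if ($i == "-N" || $i == "--new-chain") { action = "N"; chain = $(i+1); i++; continue }
            if ($i == "-A" || $i == "--append")    { action = "A"; chain = $(i+1); i++; continue }
            if ($i ~ /^-[FXZ]$/) action = "skip"          # restore flushes anyway
            if ($i ~ /^-[IDR]$/) action = "unsupported"
            if ($i == "-p" || $i == "--protocol") hasproto = 1
            if ($i ~ /^--(dport|sport|destination-port|source-port|dports|sports)$/) hasport = 1
            if ($i == "-j" || $i == "--jump") target = $(i+1)
            # Anything that narrows the rule counts as a match; "-s 0.0.0.0/0" does not
            if ($i ~ /^(-s|-d|-i|-o|-p|-m|--source|--destination|--in-interface|--out-interface|--protocol|--match)$/ && $(i+1) != "0.0.0.0/0") nmatch++
            rule = (rule == "" ? $i : rule " " $i)
        }
        if (action == "" || action == "skip") next
        if (action == "unsupported") { warn("line " NR ": only -A, -P and -N are converted; rewrite this as -A"); next }
        if (!(table in seen)) { seen[table] = 1; order[++ntab] = table }
        note_chain(table, chain)
        key = table SUBSEP chain
        if (action == "P") { pol[key] = policy; next }
        if (action == "N") { pol[key] = "-"; next }
        # Lint 1: a port match needs a protocol, or iptables rejects the line
        if (hasport && !hasproto) warn("line " NR ": --dport/--sport without -p tcp or -p udp; iptables rejects this rule")
        # Lint 2: after a catch-all terminating rule, later rules in the chain are dead
        if (key in blocked) warn("line " NR ": rule in " table "/" chain " can never match, shadowed by the catch-all at line " blocked[key])
        else if (nmatch == 0 && target ~ /^(ACCEPT|DROP|REJECT)$/) blocked[key] = NR
        # Lint 3: the same rule twice is almost always a copy-paste slip
        dk = key SUBSEP rule
        if (dk in dup) warn("line " NR ": exact duplicate of line " dup[dk] " (copy-paste error?)")
        else dup[dk] = NR
        rules[table] = rules[table] "-A " chain " " rule "\n"
    }
    END {
        for (t = 1; t <= ntab; t++) {
            table = order[t]
            print "*" table
            n = split(chainlist[table], cl, "\n")
            for (c = 1; c <= n; c++) {
                if (cl[c] == "") continue
                k = table SUBSEP cl[c]
                if (k in pol) p = pol[k]
                else if (builtin(cl[c])) { p = "ACCEPT"; warn(table "/" cl[c] ": no -P in the script, output declares ACCEPT") }
                else { p = "-"; warn(table "/" cl[c] ": user chain never created with -N") }
                print ":" cl[c] " " p " [0:0]"
            }
            printf "%s", rules[table]
            print "COMMIT"
        }
    }'
}

# Constructed sample with the thread's mistakes: an early catch-all INPUT DROP,
# the same port-80 rule twice, and --destination-port without -p
# (203.0.113.5 is a placeholder admin address)
sample_script() {
    cat <<'EOF'
#!/bin/sh
echo -n "Applying firewall rules..."
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -s 203.0.113.5 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -j DROP
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 --destination-port 80 -j MASQUERADE
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 10000 -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

case "${1:-}" in
    --demo) sample_script | convert_iptables_script ;;   # warnings appear on stderr
    "") ;;                                               # no argument: define functions only
    *) convert_iptables_script < "$1" ;;                 # sh thisfile.sh firewall.sh > rules
esac
```

Run `sh thisfile.sh --demo` to see the sample converted and the three warnings; run it on your own script and, once the warnings are gone, load the output with `iptables-restore < rules` before copying it to /etc/sysconfig/iptables, so a typo fails at the console rather than at the next boot. The converter keeps faulty rules in its output on purpose; it reports them so you fix the script, it does not silently drop them.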
 
  

