iptables - I think i have it covered. Can someone tell me if its right
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
eth0 should only allow port 25 traffic
eth1 should only allow port 110 and port 22 traffic.
This is my iptables.
iptables -P INPUT DROP
iptables -A INPUT -s 192.168.2.2 -p tcp --dport smtp -j ACCEPT
iptables -A INPUT -s 192.168.2.3 -p tcp --dport pop3 -j ACCEPT
iptables -A INPUT -s 192.168.2.3 -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j DROP
I figure that once I get the ports straightened out, then I can worry about syn/icmp stuff. I have to take it one step at a time or else I won't understand what I'm doing.
Thanks as always
It's also written as --source-port, or could be written as <from IP> <portname|portranges>. In Rusty's ipchains scripts this was known as the variable $UNPRIVPORTS, which is aptly named because it handles an unprivileged port range; the notation <lowest port>:<highest port> makes it a range.
Only the root user is allowed to bind to ports below 1024, known as the privileged ports, while regular users can't, so basically this rule translates to "allow traffic to my TCP port 25, initiated by regular users".
I think I would do best to give you an answer so you can troubleshoot this yourself. Add the following lines:
# Make a new chain that logs traffic and then drops it
iptables -N LOG_DROP
# Set up the logging rule
iptables -A LOG_DROP -j LOG --log-level info --log-prefix "FIREWALL: "
# Finally drop it
iptables -A LOG_DROP -j DROP
Now change the "-j DROP"s to read "-j LOG_DROP"; this way, whenever traffic hits the fw, you'll see what you need to adjust.
Did you mean to put a "." before the /sbin? That won't work.
Also, why don't you change eth1's NIC to a 10.0.0.0 address so the network is easier to understand?
Anyway here's some more info.
Flush the chains each time you run the script with these lines.
iptables -F
iptables -X
iptables -F -t nat
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
I would like to recommend you 1) change *all* rules (that is all ACCEPT *and* DENY targets) to include logging as shown below with the DROP targets, 2) tell us verbosely *how* you are testing that you can't receive mail, 3) post your full iptables script w/o interpretation and 4) post the firewall log with logging on all targets on.
This may be a true mofo to solve, but being the community we are I'm confident we'll get there someway.
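Pulling the two replies above together (the LOG_DROP chain, flushing and default policies, per-interface rules, unprivileged source ports), here is an added example script that is not from this thread. It assumes the eth0/eth1 roles from the first post, and a dry-run switch: run it with "dry" (or set IPT=echo) to print the rules instead of installing them, "apply" as root to install them.

```shell
#!/bin/sh
# Added example, not code from the thread. eth0 accepts only SMTP, eth1 only
# POP3 and SSH; everything else is logged and dropped so the log shows what
# still needs adjusting. IPT=echo turns the script into a dry run.
IPT="${IPT:-iptables}"
EXT_IF="eth0"                # assumed: interface that should only see port 25
INT_IF="eth1"                # assumed: interface that should only see 110 and 22
UNPRIVPORTS="1024:65535"     # clients connect from unprivileged source ports

fw_flush() {
    $IPT -F; $IPT -X; $IPT -F -t nat
    $IPT -P INPUT DROP; $IPT -P OUTPUT ACCEPT; $IPT -P FORWARD DROP
}

fw_logchains() {
    # LOG_DROP and LOG_ACCEPT: log with a prefix, then drop or accept
    $IPT -N LOG_DROP
    $IPT -A LOG_DROP -j LOG --log-level info --log-prefix "FW DROP: "
    $IPT -A LOG_DROP -j DROP
    $IPT -N LOG_ACCEPT
    $IPT -A LOG_ACCEPT -j LOG --log-level info --log-prefix "FW ACCEPT: "
    $IPT -A LOG_ACCEPT -j ACCEPT
}

fw_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to connections this box opened itself
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # eth0: only new SMTP connections
    $IPT -A INPUT -i "$EXT_IF" -p tcp --sport $UNPRIVPORTS --dport 25 -m conntrack --ctstate NEW -j LOG_ACCEPT
    # eth1: only new POP3 and SSH connections
    for port in 110 22; do
        $IPT -A INPUT -i "$INT_IF" -p tcp --sport $UNPRIVPORTS --dport $port -m conntrack --ctstate NEW -j LOG_ACCEPT
    done
    # anything else is logged, then dropped
    $IPT -A INPUT -j LOG_DROP
}

fw_apply() { fw_flush; fw_logchains; fw_rules; }

# Dry-run helper: how many INPUT rules would be installed for interface $1
fw_rule_count_for() { ( IPT=echo; fw_rules ) | grep -c -- "-i $1 "; }

case "${1:-}" in
    apply) fw_apply ;;
    dry)   ( IPT=echo; fw_apply ) ;;
esac
```

Any packet that is not SMTP on eth0 or POP3/SSH on eth1 shows up in the kernel log with the "FW DROP:" prefix, which is exactly the information needed to see whether traffic is arriving on the interface you expect.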
Hey,
I hacked up a few people's scripts and came up with the below. I'm taking it one step at a time. My first problem is that I cannot ssh from 10.0.0.2 to 192.168.3.3
FYI: eth0=192.168.3.2
eth1 = 192.168.3.3
Please see the log below. It looks like it's trying to hit eth0 instead of eth1. It's mixing them up for some reason. Any idea why?
With the script below I can send/receive/read email. SSH is the problem. Once that's solved, I will then tighten the bitc* up.
Thanks dude!!
#!/bin/sh
# set the permissions as follows:
# chown root.root scriptname
# chmod 700 scriptname
#=============== Start
# Load the netfilter modules
/sbin/depmod -a
/sbin/modprobe ip_tables
This seems to be a problem with the NIC cards being on the same subnet or something. I have posted a question in the network forum and I will post back here when I figure this out, just in case other people have this problem.
First of all, I am a newbie to Linux. I just started to play around with it in December. I did, however, play around with it to design a firewall for a customer of mine using iptables. I just wanted to ask a question. I see that you are using a private address for your example. It even shows a private address for your Internet connection. You may want to use the FORWARD chain if you have a public address going through NAT to a private address. That is how I got it to work for my client. If you would like a sample script I used, just let me know.