IPTables on a RH3 box

tarballed · 12-06-2004, 05:01 PM

Evening everyone.

Working on learning IPTables here. But I have a quick question.

I need to setup IPTables on a RH box that is inside our private network. It is a pretty important system, so security needs to be very tight.

With that in mind, what i wanted to do was setup IPTables on the box to only allow access to certain ports from certain IP addresses. Also, I do not need to do any sort of NAT our routing on the box. The only thing I need to do is allow access to the box on certain ports from a specific network range.

Should not be to terrible I am guessing. Im hoping at least.

My main question is on the outbound traffic. It will only need to leave outbound, via port 80 (does web checks on a vendors site) and im also guessing the port for RHN.

With that in mind, can I pretty much just setup some rules to just allow what I want, and deny everything else?

Never really worked with iPtables before. Have a lot of experience with PF and IPF/IPFW.

Anyway, just wanted to get some feedback from people with more experience.

Cheers,

Tarballed

Butt-Ugly · 12-06-2004, 05:22 PM

tarballed,

You need something like this, where all packets a explicitly dropped, then only allow the selective packets that are needed.

Code:

#!/bin/sh
#
#       Firewall Script

### Remove all previous rules, and delete any user defined chains
iptables -F
iptables -X

### Set the default policies to drop
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP
iptables -P FORWARD DROP

### Loopback device OK
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

###############################################################
### OUTBOUND Rule: Allow ALL packets out the external device
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

### OUTBOUND Rule: Allow ONLY NEW packets on these ports.
# (After NEW connection is established, the above rule allows all following packets)
iptables -A OUTPUT -m state --state NEW -m tcp -p tcp --syn --dport 80 -j ACCEPT

###############################################################
### INBOUND Rule: Allow ALL packets if a connection already exists
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

### INBOUND Rule: Allow ONLY NEW packets on these ports.
# (After NEW connection is established, the above rule allows all following packets)
iptables -A INPUT -s 192.168.1.25 -m state --state NEW -m tcp -p tcp --syn --dport 80  -j ACCEPT
iptables -A INPUT -s 192.168.1.26 -m state --state NEW -m tcp -p tcp --syn --dport 80  -j ACCEPT

You will need to adjust the inbound and outbound rules to suit your requirements.

If you need more info on firewall concepts, I've drafted this: http://www.brennan.id.au/06-Firewall_Concepts.html

Hope it helps..

BU

tarballed · 12-06-2004, 05:24 PM

Thanks bu!!

That's great. I really appreciate your help, script and the link!

Cheers,

tarballed

Butt-Ugly · 12-06-2004, 05:27 PM

No probs,

You'll notice the script is similar to the one on the link, I just removed the different interfaces out to suit your needs.

Quick and easy, but you need to test it.

BU.

tarballed · 12-06-2004, 06:11 PM

One last questoin:

Can I build these rules remotely? Or do I have to be at the terminal?

Playing around, I keep locking myself out.

I appreciate it.

Butt-Ugly · 12-06-2004, 09:24 PM

Yes you can do all your rules remotely.

But if you put the wrong rule in you might get locked out, then you'll need to access the terminal

BU.