LinuxQuestions.org
Old 08-28-2006, 01:54 AM   #1
yongitz
Member
 
Registered: Nov 2005
Location: Davao City, Philippines
Distribution: RHEL, CentOS, Ubuntu, Mint
Posts: 139

Rep: Reputation: 20
iptables question


hi guys! I have set up my firewall with iptables, and it is set up to be the gateway of my internal network. I was a bit confused on how to make my firewall allow my internal network to access ports/services, say 80,143,443,25,22,21,8080,8088 and other ports that I will be needing in the future, and block all other ports that are not specified. The current configuration allows my network to access almost everything on the internet. Again, how do I selectively open just the ports that I will be using and block all others that are not specified? I am posting my current configuration for your reference. Any suggestions or modifications are very much welcome. Thanks!

#!/bin/sh
#--------------------------
# rc.firewall-iptables
#--------------------------------------------------------
# Setting up the location of iptables and kernel modules
#--------------------------------------------------------

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

EXTIP="xxx.xxx.xxx.xx"

#-------------------------------------------------
# Verification of modules/Load necessary modules
#------------------------------------------------
$DEPMOD -a
$MODPROBE ip_tables
$MODPROBE ip_conntrack
$MODPROBE iptable_nat

#-----------------------------------------------------------------------------
# Clear any existing rules; set default policy
#-----------------------------------------------------------------------------
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F
$IPTABLES -t nat -F

#---------------------------------------------------------------------------
# Enable IP forwarding
#---------------------------------------------------------------------------
#echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
#-----------------------------------------------------------------
# Prevent SYN floods from consuming memory resources:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#to be placed into /etc/rc.d/rc.local

#----------------------------------------------------------------
# Allow ESTABLISHED and RELATED packets to all chains
#----------------------------------------------------------------
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#---------------------------------------------------------------
# Allow port 22 (SSH) connection to the firewall (for remote admin purposes)
#---------------------------------------------------------------
$IPTABLES -A INPUT -p tcp -i eth0 --dport 24 --sport 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth1 --dport 24 --sport 1024:65535 -m state --state NEW -j ACCEPT

#-------------------
# Allow DNS traffic
#-------------------
$IPTABLES -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
$IPTABLES -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT

#---------------------------------------------------------------
# Allow FW to send ICMP echo-request and receive echo-replies
#------------------------------------------
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

#----------------------------------
# Allow FW to receive ICMP echo-request and send echo-replies
#-----------------------------------------------------------
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# For DHCP server:
#------------------------------------------
$IPTABLES -A INPUT -i eth1 -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p udp --sport 68 --dport 67 -j ACCEPT

#---------------------------------------------------------------
# Enable simple IP forwarding and Masquerading
# Allow Outbound: NEW,ESTABLISHED,RELATED; Allow Inbound: ESTABLISHED,RELATED
#---------------------------------------------------------------
#echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.3.0/24 -j MASQUERADE
$IPTABLES -A POSTROUTING -t nat -o eth0 -s 192.168.3.0/24 -d 0/0 -j MASQUERADE
$IPTABLES -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#alternative
#$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.3.0/24 -j SNAT --to $EXTIP

#---------------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the
# internal network
#---------------------------------------------------------------
#$IPTABLES -A INPUT -j ACCEPT -p all -s 192.168.3.0/24 -i eth1
#$IPTABLES -A OUTPUT -j ACCEPT -p all -d 192.168.3.0/24 -o eth1

#--------------------------------------------------------------------------
# Deny any incoming packet outside the network which has a spoofed source address from the local networks
#-------------------------------------------------------------------------------------------
$IPTABLES -A INPUT -i eth0 -s 192.168.3.0/24 -j DROP
$IPTABLES -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP

#--------------------------------------------------------------------------
# Enable PORTFW of defined ports' traffic from the external interface
#--------------------------------------------------------------------------
#SMTP on 192.168.3.2
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d $EXTIP --dport 25 --sport 1024:65535 -j DNAT --to 192.168.3.2:25
#HTTP on 192.168.3.200
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d $EXTIP --dport 80 --sport 1024:65535 -j DNAT --to 192.168.3.200:80
#POP3 on 192.168.3.2
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d $EXTIP --dport 110 --sport 1024:65535 -j DNAT --to 192.168.3.2:110
#SSH on 192.168.3.2
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d $EXTIP --dport 22 --sport 1024:65535 -j DNAT --to 192.168.3.2:22
#HTTP/mascad on 192.168.3.200
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d $EXTIP --dport 7070 --sport 1024:65535 -j DNAT --to 192.168.3.200:7070
#HTTP 192.168.3.2
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d $EXTIP --dport 82 --sport 1024:65535 -j DNAT --to 192.168.3.2:82


#------------------------------------------------------------------------------------
# Allow forwarding of new and existing connections on the defined ports from the external interface.
# This is required if the default FORWARD policy is DENY.
#--------------------------------------------------------------------------------

#port 25/SMTP on 192.168.3.2
$IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.3.2 --dport 25 --sport 1024:65535 -m state --state NEW -j ACCEPT
#PORT 80/HTTP on 192.168.3.200
$IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.3.200 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
#port 110/POP on 192.168.3.2
$IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.3.2 --dport 110 --sport 1024:65535 -m state --state NEW -j ACCEPT
#port 22/SSH on 192.168.3.2
$IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.3.2 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
#port 7070 on 192.168.3.200
$IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.3.200 --dport 7070 --sport 1024:65535 -m state --state NEW -j ACCEPT
#port 82 on 192.168.3.2
$IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.3.2 --dport 82 --sport 1024:65535 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Last edited by yongitz; 09-28-2006 at 06:39 AM.
 
Old 08-28-2006, 05:05 AM   #2
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
Just do something along the lines of:

Code:
$IPTABLES -A FORWARD -s <INTERNAL NETWORK> --dport <HTTP, HTTPS, etc> -m state --state NEW -j ACCEPT
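Centinul's FORWARD rule, worked out for the full port list in the question, as an added example that is neither poster's code: the open-ended FORWARD ACCEPT for traffic leaving eth0 in the original script is replaced by one multiport rule, so anything not listed falls through to the FORWARD DROP policy. It assumes 192.168.3.0/24 on eth1 and eth0 as the external interface, as in the original script, and by default only prints the commands (set IPTABLES=/sbin/iptables to apply them).

```shell
#!/bin/sh
# Added example, not from the thread: emit the FORWARD rules that let the LAN
# reach only the listed TCP ports through the external interface. Everything
# else is dropped, so ports are opened by editing one list.
# Assumptions (from the original script): LAN 192.168.3.0/24 on eth1, Internet on eth0.
# IPTABLES defaults to a dry run that prints the commands instead of applying them.

IPTABLES="${IPTABLES:-echo /sbin/iptables}"
LAN_NET="192.168.3.0/24"
LAN_IF="eth1"
EXT_IF="eth0"
# Ports the poster wants the LAN to reach; extend this list as needed.
ALLOWED_TCP_PORTS="80,143,443,25,22,21,8080,8088"

# Emit the rules for a comma-separated port list (multiport accepts up to 15 entries).
gen_forward_rules() {
    ports="$1"
    # Replies to already-accepted flows, in either direction; must come first.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New outbound TCP connections from the LAN, only to the allowed ports.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -p tcp \
        -m multiport --dports "$ports" -m state --state NEW -j ACCEPT
    # DNS lookups from the LAN (UDP, not covered by the TCP rule above).
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    # Log, then drop, anything else from the LAN; the DROP policy would catch it
    # anyway, but the log shows which ports are being refused.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j LOG --log-prefix "FWD-BLOCKED: "
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j DROP
}

# Count generated rules containing a given string (for checking the dry-run output).
count_rules_matching() {
    gen_forward_rules "$ALLOWED_TCP_PORTS" | grep -c -- "$1"
}

gen_forward_rules "$ALLOWED_TCP_PORTS"
```

The ESTABLISHED,RELATED rule has to stay ahead of the port rule, and the FWD-BLOCKED entries in the kernel log (dmesg or /var/log/messages) show which destination ports LAN hosts are being refused, so the list is extended deliberately rather than by guesswork.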
 
  

