LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-17-2003, 05:26 PM   #1
Neomaster
Member
 
Registered: May 2003
Location: Digital world
Posts: 113

Question Iptables Question


#!/bin/sh
#
# The location of the IPTables binary file on your system.
IPT="/sbin/iptables"

# The Internet interface. For ADSL or Dialup users, this should be "ppp0".
# For a cable modem connection, this will probably be "eth0".
INT="eth0"

# Out with the old stuff.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# These will setup our policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# Use this for NAT or IP Masquerading.
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE

# This rule protects your forwarding rule.
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP

# Port forwarding looks like this.
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 25 -j DNAT --to 192.168.0.50
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 53 -j DNAT --to 192.168.0.50
#$IPT -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to 192.168.0.50
# These two redirect a block of ports, in both udp and tcp.
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 2300:2400 -j DNAT --to 192.168.0.50
#$IPT -t nat -A PREROUTING -i $INT -p udp --dport 2300:2400 -j DNAT --to 192.168.0.50

# This rule will accept connections from local machines.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -s 192.168.0.0/24 -d 0/0 -p all -j ACCEPT

# Drop bad packets.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Drop icmp, but only after letting certain types through.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j DROP


Someone told me I set up my policies wrong, and I was told it will drop my network, so how? Can you guys find the prob?


 
Old 06-17-2003, 06:44 PM   #2
zmedico
Member
 
Registered: Feb 2002
Location: Mission Viejo, California, USA
Distribution: Gentoo
Posts: 707

You can log the stuff that gets dropped in /var/log/messages for debugging purposes:


$IPT -A INPUT -j LOG -m limit --limit 30/minute --log-prefix "Dropping: "
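Once that LOG rule is in place the debugging happens in /var/log/messages, so here is an added example (not part of zmedico's post) of reading those lines back: one function summarises what is being dropped by source, protocol and destination port, and a second counts dropped TCP packets that carry ACK but not SYN, which with a default-DROP INPUT chain are the replies to connections the box itself opened. The log lines are constructed for the example (documentation address ranges, fields abbreviated to the ones used); the prefix "Dropping: " is the one from the rule above.

```shell
#!/bin/sh
# Added example, not from the thread. Reads what a LOG rule with
# --log-prefix "Dropping: " writes to /var/log/messages.
# Usage on a live box:   drop_summary "Dropping: " < /var/log/messages
#                        count_reply_drops "Dropping: " < /var/log/messages

# Constructed sample log (not real traffic). The last line is not a kernel
# LOG line and must be ignored by both functions.
SAMPLE_LOG='Jun 17 23:51:02 gw kernel: Dropping: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TTL=49 PROTO=TCP SPT=43210 DPT=22 SYN
Jun 17 23:51:03 gw kernel: Dropping: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TTL=49 PROTO=TCP SPT=43211 DPT=22 SYN
Jun 17 23:51:05 gw kernel: Dropping: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.20 LEN=52 TTL=61 PROTO=TCP SPT=80 DPT=51234 ACK
Jun 17 23:51:07 gw kernel: Dropping: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.20 LEN=78 TTL=113 PROTO=UDP SPT=1029 DPT=137
Jun 17 23:51:09 gw sshd[1234]: Accepted publickey for alice from 192.168.0.5 port 50022 ssh2'

# drop_summary PREFIX < logfile
# Prints one line per distinct (SRC, PROTO, DPT) as "count SRC PROTO DPT",
# most frequent first. Only lines written by the kernel with PREFIX count.
drop_summary() {
    grep -F "kernel: $1" | awk '{
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue          # flag words such as SYN or ACK have no "="
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# count_reply_drops PREFIX < logfile
# Number of dropped TCP packets with ACK set and SYN clear. With INPUT policy
# DROP and no ESTABLISHED,RELATED rule, these are the other end's replies to
# connections this box opened; more than a handful means that rule is missing.
count_reply_drops() {
    grep -F "kernel: $1" | awk '/PROTO=TCP/ && / ACK/ && !/ SYN/ { n++ } END { print n + 0 }'
}
```

On the sample, drop_summary lists the two SYNs to port 22 from 203.0.113.7 first, and count_reply_drops reports the single ACK from 198.51.100.9 port 80, which is exactly the kind of packet the thread's ruleset would throw away.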
 
Old 06-17-2003, 07:17 PM   #3
Neomaster
Member
 
Registered: May 2003
Location: Digital world
Posts: 113

Original Poster
How would I debug iptables just like any other script? Where were you talking about logging iptables in the script?


 
Old 06-18-2003, 12:05 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

If you want to debug it like that, just put a line before each of the DROP rules that has a target of LOG instead of DROP. For example:

$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j LOG
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP

This will log a message in /var/log/messages. You might want to use the --log-prefix option with a short descriptor of which rule is being logged.

However, it does look like your rules could be a problem. Specifically, your default INPUT rule is DROP. So you're going to have to define ALL the traffic you want to allow. So you'll definitely need a rule that allows connections that are related to previously established connections. A lot of protocols will establish connections on a specific port number, but will then hand off the connection to some other random port. So you'll need something like:

$IPT -A INPUT -i $INT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
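To show where that rule has to sit, here is an added example (not the original poster's script and not Capt_Caveman's code): the INPUT chain rebuilt with the ESTABLISHED,RELATED accept placed before every drop, and a rate-limited LOG rule as the very last entry so whatever falls through to the DROP policy is recorded in /var/log/messages. The interface name, LAN range and log prefix are assumptions. DRY_RUN=1 prints the iptables commands instead of running them, which is what rule_position uses to check rule order without root or a live firewall.

```shell
#!/bin/sh
# Added example, not the script from the thread. Rebuilds only the INPUT
# chain, in the order that matters: trusted sources, reply traffic, bogus
# packets, ICMP, then a LOG rule just ahead of the DROP policy.
# Assumptions: Internet interface eth0, LAN 192.168.0.0/24.
#   sh fw.sh show    prints the rules (DRY_RUN)
#   sh fw.sh apply   applies them (needs root)

INT="${INT:-eth0}"
LAN="${LAN:-192.168.0.0/24}"

# With DRY_RUN=1 the rules are printed rather than applied, so the ordering
# can be reviewed or diffed before touching a live box.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

build_input_chain() {
    ipt -F INPUT
    ipt -P INPUT DROP

    # Loopback and the LAN side are trusted.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -s "$LAN" -j ACCEPT

    # Replies to connections this box (or a masqueraded LAN host) opened.
    # Without this line every answer to an outbound connection hits the
    # DROP policy, which is the "it drops my network" symptom in the thread.
    ipt -A INPUT -i "$INT" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets that belong to no known connection and are not a clean new
    # connection attempt: conntrack INVALID, bogus flag combinations, and
    # NEW TCP without SYN (the classic scan / stale-session signature).
    ipt -A INPUT -i "$INT" -m state --state INVALID -j DROP
    ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # ICMP: rate-limited ping plus the error types path-MTU discovery and
    # traceroute depend on. Errors tied to a tracked connection are already
    # accepted as RELATED above.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    ipt -A INPUT -p icmp -j DROP

    # Services exposed to the Internet go here, e.g. SSH:
    # ipt -A INPUT -i "$INT" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Last rule: log what is about to fall through to the DROP policy. The
    # limit stops a port scan from filling /var/log/messages.
    ipt -A INPUT -m limit --limit 30/minute -j LOG --log-prefix "INPUT-DROP: "
}

# Review helper: 1-based position of the first dry-run rule matching
# PATTERN, 0 if absent. Use it to confirm ESTABLISHED,RELATED precedes the
# drops and that the LOG rule is last, without running iptables.
rule_position() {
    pos=$( (DRY_RUN=1; build_input_chain) | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

case "${1:-}" in
    show)  (DRY_RUN=1; build_input_chain) ;;
    apply) build_input_chain ;;
esac
```

The dry-run output drops the shell quoting around the log prefix, so treat it as a review listing rather than something to paste back into a shell; the apply path passes the arguments to iptables intact.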
 
Old 06-18-2003, 09:24 AM   #5
Neomaster
Member
 
Registered: May 2003
Location: Digital world
Posts: 113

Original Poster
If you want to debug it like that, just put a line before each of the DROP rules that has a target of LOG instead of DROP. For example:

$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j LOG
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP




So that's how you debug.
 
  

