#1
7th November 2007, 15:36
fbifido
RedHat AS 4 firewall iptables question.

Hi,
I am new to Linux firewalls, so I don't know how to ask my questions, so I will try my best to let you see what's in my head.

Look at the picture I attached.

eth1: static 65.183.x.x
eth0: static 192.168.0.1

workstations: static 192.168.0.x

I was trying to protect my server with a firewall, and did it using iptables.

Can someone look at my iptables below and help me out?

my request:
1. I need to block all ports that can be accessed from eth1 (outside the firewall).
2. The same for eth0.
I want to be able to open a port at any time for eth1 or eth0 or both.
I also want to forward a port or two to any workstation of my choice.

3. I need all the common ports like 25, 22, 21, 53, 80, 110, 143, 443, 995 to be set up, but not running for eth1. The only port that will be running on eth1 is 80, so that I can access my webmail when I am away from the office.
I want to be able to enable a port or disable a port as I need them.

4. If I disable, say, port 22 from eth1, that means no one can SSH into my system from the internet; I want to be able to enable it on eth0, so that any or one workstation can still SSH out to the internet or within the LAN.

5. Question: if my mail server fetches my mail from the internet with POP3, do I need to enable port 25 on eth1? What if I relay all the outgoing mail to my POP3 provider?

6. This is what I know about INPUT: if you set a rule for INPUT, then it only applies to any traffic coming from the internet (eth1), and if you set a rule for OUTPUT it only applies to packets coming from the workstations (eth0).
Where does FORWARD fall in this now? Is it that when INPUT is done processing the packets from the internet, it passes them on to FORWARD?

7. I am not too sure about my iptables file below; I was reading, and the parts that made sense I just copied and pasted.

8. I have more questions, but........


The info in this iptables script is patched together from reading on these forums.

#!/bin/bash
#
# This script file will make a firewall that will be in memory.

IPTABLES="/sbin/iptables"

# Remove any existing rules from all chains
$IPTABLES --flush
$IPTABLES --delete-chain

# Allow packet forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Set the default policy to DROP
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP

# Rules to allow ALTEROO to come into our system.
$IPTABLES -A INPUT -s 224.0.0.251 -d 192.168.0.1 -p udp -m udp --dport 5353 -j ACCEPT

# Enable all pipes to communicate with the firewall.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

# Allow DNS zone transfers
$IPTABLES -A INPUT -i eth1 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT

# BAD GUYS, Block source IP Address.
$IPTABLES -A INPUT -s 192.168.0.39 -j DROP
$IPTABLES -A INPUT -s 192.168.0.57 -j DROP

# Block Port number
$IPTABLES -A INPUT -i eth1 -p tcp --dport 25 -j REJECT
$IPTABLES -A INPUT -i eth1 -p tcp --dport 22 -j REJECT
$IPTABLES -A INPUT -i eth1 -p tcp --dport 8080 -j REJECT
$IPTABLES -A INPUT -i eth1 -p tcp --dport 3128 -j REJECT

# Open ports for Server
$IPTABLES -A INPUT -s 0/0 -p tcp --dport 22 -j ACCEPT # SSH
$IPTABLES -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT # HTTP
$IPTABLES -A INPUT -s 0/0 -p tcp --dport 443 -j ACCEPT # HTTPs

$IPTABLES -A INPUT -s 192.168.0.0/24 -p tcp --dport 110 -j ACCEPT # POP3
$IPTABLES -A INPUT -s 192.168.0.0/24 -p tcp --dport 995 -j ACCEPT # POP3s
$IPTABLES -A INPUT -s 192.168.0.0/24 -p tcp --dport 25 -j ACCEPT # SMTP


# Allow ICMP, and masquerade LAN traffic leaving for the internet
$IPTABLES -A INPUT -p icmp -j ACCEPT # ICMP/Ping
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -d ! 192.168.0.0/24 -j MASQUERADE

# Global Rejects must come Last
$IPTABLES -A INPUT -j REJECT
$IPTABLES -A FORWARD -j REJECT
#2
7th November 2007, 22:03
technick

First off, the rules you have posted are a mess. In one line you close a port and further down you reopen the port. IPTables is incredibly powerful and simple at the same time once you are in the correct frame of mind.

The best thing I see in your existing rules is your default policy value to drop all traffic by default.

Follow me for a second with my line of thinking. Since your default policy is to drop all traffic (INPUT,OUTPUT,FORWARD), why do you specify again to drop certain ports? Here is an example of what I am talking about.

# Block Port number
$IPTABLES -A INPUT -i eth1 -p tcp --dport 22 -j REJECT

(Ok, here we are blocking port 22 on eth1 specifically)

# Open ports for Server
$IPTABLES -A INPUT -s 0/0 -p tcp --dport 22 -j ACCEPT # SSH

(This is telling iptables that it's ok to talk to any network on port 22)

Personally I would have done this.

iptables -A INPUT -i eth0 -j ACCEPT

You should really look into the program “Firewall Builder”

Found here.

http://www.fwbuilder.org/
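To see what technick's point about closing and reopening a port actually comes down to, here is an added example (not technick's code and not the poster's script): a small first-match simulator for an iptables INPUT chain, written in POSIX sh. iptables walks a chain top to bottom and the first matching rule decides the packet; only if nothing matches does the chain policy apply. The two rule tables below are constructed for this example: the first is post #1's INPUT chain reduced to the fields that matter for a new TCP connection (the state, ICMP and DNS rules are left out), the second expresses the same intent with the SSH accept scoped to eth0 so that no explicit REJECT is needed in front of it.

```shell
#!/bin/sh
# Added example: first-match evaluation of an iptables INPUT chain.
# Rule table format (constructed for this example): "in-iface proto dport target"
# where "any" matches everything, like a rule written without -i / -p / --dport.

POLICY="DROP"   # chain policy, used only when no rule matches

# INPUT rules from post #1, in append order, reduced to iface/proto/dport.
RULES_ORIGINAL='
eth1 tcp 25   REJECT
eth1 tcp 22   REJECT
eth1 tcp 8080 REJECT
eth1 tcp 3128 REJECT
any  tcp 22   ACCEPT
any  tcp 80   ACCEPT
any  tcp 443  ACCEPT
any  any any  REJECT
'

# Same intent without the close-then-reopen pattern: the SSH accept is
# limited to eth0, so nothing has to be rejected ahead of it.
RULES_SCOPED='
eth0 tcp 22   ACCEPT
any  tcp 80   ACCEPT
any  tcp 443  ACCEPT
any  any any  REJECT
'

# matches VALUE PATTERN: true if PATTERN is "any" or equals VALUE.
matches() { [ "$2" = any ] || [ "$1" = "$2" ]; }

# verdict RULESET IFACE PROTO DPORT: prints "TARGET (rule N)" for the first
# matching rule, or "POLICY (chain policy)" if the packet reaches the end.
verdict() {
    ruleset=$1; iface=$2; proto=$3; dport=$4; n=0
    while read -r r_if r_pr r_dp r_tg; do
        if [ -z "$r_if" ]; then continue; fi     # skip blank lines
        n=$((n + 1))
        if matches "$iface" "$r_if" && matches "$proto" "$r_pr" && matches "$dport" "$r_dp"; then
            printf '%s (rule %d)\n' "$r_tg" "$n"
            return 0
        fi
    done <<EOF
$ruleset
EOF
    printf '%s (chain policy)\n' "$POLICY"
}

# Constructed sample packets: "iface proto dport".
SAMPLE_PACKETS='eth1 tcp 22
eth0 tcp 22
eth1 tcp 80
eth0 tcp 25
eth1 tcp 110'

# disagreements: prints every sample packet on which the two rule sets give a
# different target; prints nothing when they are equivalent.
disagreements() {
    printf '%s\n' "$SAMPLE_PACKETS" | while read -r i p d; do
        a=$(verdict "$RULES_ORIGINAL" "$i" "$p" "$d")
        b=$(verdict "$RULES_SCOPED" "$i" "$p" "$d")
        [ "${a%% *}" = "${b%% *}" ] || echo "$i $p $d: $a vs $b"
    done
}

# Show which rule decides each sample packet under both tables.
printf '%s\n' "$SAMPLE_PACKETS" | while read -r i p d; do
    printf '%-14s original: %-18s scoped: %s\n' "$i $p $d" \
        "$(verdict "$RULES_ORIGINAL" "$i" "$p" "$d")" "$(verdict "$RULES_SCOPED" "$i" "$p" "$d")"
done
```

Running it shows that port 22 from eth1 is decided by rule 2 (REJECT) in the original table, so the later `-s 0/0 --dport 22 ACCEPT` is only ever reached by packets arriving on other interfaces; the scoped table reaches the same verdict for every sample packet with half the rules and no contradictions to read around.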
#3
9th November 2007, 22:13
fbifido

I redid my iptables script.

Please have a look:

#!/bin/bash
#
# This script file will make a firewall that will be in memory.
# eth1 points to the internet.
# eth0 points to my network.

IPTABLES="/sbin/iptables"

# Remove any existing rules from all chains
$IPTABLES --flush
$IPTABLES --delete-chain

# Allow packet forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Set the default policy to DROP
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP

# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

$IPTABLES -A INPUT -p icmp -s 0/0 --icmp-type 8 -j ACCEPT # ICMP echo request (ping)
$IPTABLES -A INPUT -p icmp -s 0/0 --icmp-type 11 -j ACCEPT # ICMP time exceeded (traceroute replies)

$IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -d ! 192.168.0.0/24 -j MASQUERADE

# Rules to allow ALTEROO to come into our system.
$IPTABLES -A INPUT -s 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT

# Enable all pipes to communicate with the firewall.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

# Allow DNS zone transfers
$IPTABLES -A INPUT -i eth1 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT

# BAD GUYS, Block source IP Address.
$IPTABLES -A INPUT -s 192.168.0.39 -j DROP
$IPTABLES -A INPUT -s 192.168.0.57 -j DROP

# Open ports for outside of server users (webmail)
$IPTABLES -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT # HTTP
$IPTABLES -A INPUT -s 0/0 -p tcp --dport 443 -j ACCEPT # HTTPs

$IPTABLES -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT # POP3
$IPTABLES -A INPUT -i eth0 -p tcp --dport 995 -j ACCEPT # POP3s
$IPTABLES -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT # SMTP
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT # SSH
$IPTABLES -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT # FTP
$IPTABLES -A INPUT -i eth0 -p tcp --dport 631 -j ACCEPT # ipp printers
$IPTABLES -A INPUT -i eth0 -p tcp --dport 9100 -j ACCEPT # hp printers

# ---[ Application allowed on my network ]---

# MSN Messenger
$IPTABLES -A INPUT -i eth0 -p tcp --dport 6891:6892 -j ACCEPT # MSN file send
$IPTABLES -A INPUT -i eth0 -p tcp --dport 1863 -j ACCEPT # messaging
$IPTABLES -A INPUT -i eth0 -p tcp --dport 5190 -j ACCEPT # video
$IPTABLES -A INPUT -i eth0 -p tcp --dport 6901 -j ACCEPT # voice

# Yahoo Messenger
$IPTABLES -A INPUT -i eth0 -p tcp --dport 5000:5001 -j ACCEPT # voice chat
$IPTABLES -A INPUT -i eth0 -p tcp --dport 5050 -j ACCEPT # messaging
$IPTABLES -A INPUT -i eth0 -p tcp --dport 5100 -j ACCEPT # webcam/video

# BitTorrent
$IPTABLES -A INPUT -s 192.168.0.21 -p tcp --dport 6881:6999 -j ACCEPT
$IPTABLES -A INPUT -s 192.168.0.21 -p udp --dport 6881:6999 -j ACCEPT


# Global Rejects must come Last
$IPTABLES -A INPUT -j REJECT
$IPTABLES -A FORWARD -j REJECT
$IPTABLES -A OUTPUT -j REJECT
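Both of fbifido's scripts (post #1 and post #3) are heading towards the same layout: default DROP on every chain, connection tracking up front, and per-interface allow rules. The following is an added example of that layout, not fbifido's script and not code from the thread. It takes the interface roles and the LAN range from the posts (eth1 to the internet, eth0 to 192.168.0.0/24) and turns the numbered requests into lists at the top of the script: ports to open on each interface, and ports to forward from the internet to a chosen workstation. The workstation addresses 192.168.0.10 and 192.168.0.20 and the external ports 2222 and 8080 in the forward table are constructed sample values. With DRY_RUN=1 the script prints the iptables commands instead of loading them, so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: a default-DROP firewall with per-interface port lists and
# port forwarding. eth1 faces the internet, eth0 the LAN (as in the thread).
# Usage: sh fw.sh dry-run   (print the rules)   |   sh fw.sh apply   (as root)

WAN=eth1
LAN=eth0
LAN_NET=192.168.0.0/24

# Ports accepted on the firewall itself, per interface. Edit to enable/disable.
WAN_TCP_PORTS="80 443"
LAN_TCP_PORTS="21 22 25 53 80 110 143 443 995"
LAN_UDP_PORTS="53"

# Port forwards to workstations: "wan_port dest_ip dest_port" (constructed samples).
FORWARDS="2222 192.168.0.10 22
8080 192.168.0.20 80"

IPTABLES=${IPTABLES:-/sbin/iptables}

# ipt: run iptables, or echo the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else "$IPTABLES" "$@"; fi
}

enable_forwarding() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "sysctl: net.ipv4.ip_forward=1"
    else echo 1 > /proc/sys/net/ipv4/ip_forward; fi
}

# open_port IFACE PROTO PORT: accept new connections to this host on one interface.
open_port() {
    ipt -A INPUT -i "$1" -p "$2" --dport "$3" -m state --state NEW -j ACCEPT
}

# forward_port WAN_PORT DEST_IP DEST_PORT: DNAT from the internet to a workstation,
# plus the FORWARD rule that lets the translated packet through.
forward_port() {
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$1" -j DNAT --to-destination "$2:$3"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$2" --dport "$3" -m state --state NEW -j ACCEPT
}

build_firewall() {
    enable_forwarding
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP; ipt -P OUTPUT DROP; ipt -P FORWARD DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Stateful rules first: replies to anything already allowed get through,
    # and broken packets are dropped before any allow rule sees them.
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The firewall may open connections itself (DNS, POP3 fetch, SMTP relay).
    ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Services on the firewall, per interface.
    for p in $WAN_TCP_PORTS; do open_port "$WAN" tcp "$p"; done
    for p in $LAN_TCP_PORTS; do open_port "$LAN" tcp "$p"; done
    for p in $LAN_UDP_PORTS; do open_port "$LAN" udp "$p"; done
    # LAN -> internet: let new connections out and masquerade them.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # Internet -> chosen workstations.
    while read -r wport dest dport; do
        [ -n "$wport" ] && forward_port "$wport" "$dest" "$dport"
    done <<EOF
$FORWARDS
EOF
    # Log (rate-limited) what the DROP policy is about to discard from the internet.
    ipt -A INPUT -i "$WAN" -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
}

case "${1:-}" in
    apply)   build_firewall ;;
    dry-run) DRY_RUN=1; build_firewall ;;
esac
```

Because the INPUT chain only accepts new connections on the ports listed per interface and everything else falls to the DROP policy, there is no need for explicit REJECT lines before the accepts, and taking SSH off the internet side is just a matter of leaving 22 out of WAN_TCP_PORTS while it stays in LAN_TCP_PORTS. It also answers question 5 of post #1: a server that fetches mail with POP3 and relays outgoing mail through the provider initiates those connections itself, so the OUTPUT rule for NEW and the INPUT rule for ESTABLISHED,RELATED cover it and port 25 never has to be opened on eth1.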