Solved

IPtables rules needed

Posted on 2003-10-24
Last Modified: 2010-04-22
Hi Everybody!

Ok, lotsa points cause with everything else I have on my plate I have no time to learn IPtables at all right now and need pretty detailed responses.


Got a server:

incoming:

SSH
FTP
Web server on 80

I would like FTP to be active(? - as in I can do multiple downloads at the same time by connecting on higher ports)

I need to be able to ftp out from the server, and my web scripts need to connect to a pop3 server.

The box does not need to NAT anything or process any traffic outside of itself.

I have command line and webmin to implement your solutions.
Question by:Squeebee
8 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 250 total points
ID: 9619357
Here you go...

#!/bin/sh
#
# This is a simple, reasonably complete local host based firewall suitable for
# protecting a server that might be exposed to malicious activity.
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
#
# I find it easier to modify this file and run it (make sure it is executable
# with 'chmod +x iptables-host') to change the rulesets, rather than modifying
# the running rules. That way I have a readable record of the firewall
# configuration.
#
# Author: Jim Levie (jim@entrophy-free.net)
#
# Set an absolute path to IPTABLES.
#
IPT="/sbin/iptables"
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP

$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP

$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Now allow Internet hosts access to those services we provide. Note that
# enabling inbound FTP 20 & 21 tcp will also require allowing ports
# 1024:65535/tcp. Which in itself is good enough reason not to allow FTP
# connections and to only allow ssh/scp/sftp.
#
# Allow ssh from anywhere to this server
#
$IPT -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
#
# HTTP access from anywhere
#
$IPT -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
#
# FTP access from anywhere
#
$IPT -A INPUT -p tcp -s 0/0 --dport 20 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 --dport 1024:65535 -j ACCEPT
#
# If there are trusted nodes you can allow them access to everything with
# something like this. Be sure to set IP to be that of this system if you enable one of these.
#
#IP1=10.0.0.1
#$IPT -A INPUT -s 10.0.0.0/24 -d $IP1 -j ACCEPT
#$IPT -A INPUT -s 10.0.0.2 -d $IP1 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything not already matched gets firewalled and logged.
#
$IPT -A INPUT -j firewalled
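The accepted script's own comment warns that opening 1024:65535/tcp for FTP data channels is a good reason not to offer FTP at all. The following is an added example, not jlevie's script and not anything the questioner ran: it covers the same requirements (inbound ssh, ftp and http; outbound ftp and pop3 from the server; no routing) but closes the high-port hole by relying on the kernel's FTP connection-tracking helper, so that data connections in both active and passive mode match the RELATED state instead of a blanket accept. It also adopts ahoffmann's FORWARD DROP policy. It assumes the helper module is available under one of its two historical names (ip_conntrack_ftp or nf_conntrack_ftp) and, on kernels that no longer attach helpers automatically, that the CT target exists; the `show` mode prints the rules instead of applying them, so the generated ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example, not jlevie's script: host firewall for the services in the
# question (inbound ssh, ftp, http; outbound ftp and pop3; no routing).
# FTP data connections are admitted via the kernel FTP conntrack helper
# (RELATED state) rather than by opening 1024:65535/tcp.
# Usage: "sh firewall.sh show" prints the rules; "sh firewall.sh apply" loads them.

IPT="${IPT:-/sbin/iptables}"       # absolute path, as in the original script

# run_ipt: run one iptables command, or print it when IPT_DRY_RUN=1
run_ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# load_ftp_helper: the helper is ip_conntrack_ftp on 2.4/early 2.6 kernels and
# nf_conntrack_ftp on later ones; try the newer name first.
load_ftp_helper() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "modprobe nf_conntrack_ftp || modprobe ip_conntrack_ftp"
        return 0
    fi
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

# build_rules: flush everything and install the ruleset
build_rules() {
    run_ipt -F
    run_ipt -X
    run_ipt -t nat -F
    run_ipt -t mangle -F
    # Default policies: nothing in unless allowed, nothing forwarded at all
    # (a DROP policy on FORWARD costs nothing on a non-router and is the
    # backstop if someone later turns on ip_forward), anything out.
    run_ipt -P INPUT DROP
    run_ipt -P FORWARD DROP
    run_ipt -P OUTPUT ACCEPT

    # Log-and-drop chain, rate limited so a flood cannot fill the logs
    run_ipt -N firewalled
    run_ipt -A firewalled -m limit --limit 15/minute -j LOG --log-prefix "Firewalled: "
    run_ipt -A firewalled -j DROP

    # Loopback first; then replies and helper-expected connections (FTP data
    # channels arrive here as RELATED, so no high-port hole is needed); then
    # anything conntrack considers malformed.
    run_ipt -A INPUT -i lo -j ACCEPT
    run_ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run_ipt -A INPUT -m state --state INVALID -j firewalled

    # New connections only to the three published services
    run_ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run_ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run_ipt -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # Kernels since 4.7 do not attach helpers automatically: bind the ftp
    # helper to the control channel, inbound (our FTP server) and outbound
    # (the server's own ftp client). Older kernels lack the CT target, hence
    # the "|| true" so a real apply does not stop here.
    run_ipt -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp || true
    run_ipt -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp || true

    # Useful ICMP only; echo requests rate limited
    run_ipt -A INPUT -p icmp --icmp-type 3 -j ACCEPT
    run_ipt -A INPUT -p icmp --icmp-type 11 -j ACCEPT
    run_ipt -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

    # Everything else is logged and dropped
    run_ipt -A INPUT -j firewalled
}

# forwarding_enabled: true when the kernel is routing, so "apply" can warn;
# the FORWARD DROP policy is the safety net, not the fix for that.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

case "${1:-}" in
    show)  IPT_DRY_RUN=1; load_ftp_helper; build_rules ;;
    apply) load_ftp_helper; build_rules
           if forwarding_enabled; then echo "warning: ip_forward is on" >&2; fi ;;
esac
```

Outbound ftp and pop3 from the server's scripts need no extra rules: the OUTPUT policy is ACCEPT and the replies come back as ESTABLISHED, while the outbound CT rule lets the helper track active-mode data connections that a remote FTP server opens back towards this host.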
 
LVL 17

Author Comment

by:Squeebee
ID: 9619738
If I understand that last line it will call a firewalled chain, where is the firewalled chain?
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 250 total points
ID: 9620906
jlevie, should your forward policy not be like:
  $IPT -P FORWARD DROP
well, it seems to be your sample script, but you never know ..
 
LVL 17

Author Comment

by:Squeebee
ID: 9620932
I have actually managed to build the firewall myself thanks to a fairly easy interface in webmin. I will split points between the two of you for bothering to help, thanks.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9622161
whow, didn't expect to be graded here. The answer was by jlevie.
Thanks anyway, and good luck.
 
LVL 40

Expert Comment

by:jlevie
ID: 9622384
ahoffman,

On a host firewall routing would not be enabled so I see no point in messing with the FORWARD chain.
 
LVL 17

Author Comment

by:Squeebee
ID: 9623009
ahoffman:

Eh, they are only points, might as well spread them around.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9623318
only points, nothing more ?!

jlevie, my DROP policy is secure/paranoid security, just in case someone enables routing and does not check the firewall (have seen admins doing this several times):