Solved

IPtables rules needed

Posted on 2003-10-24
8
976 Views
Last Modified: 2010-04-22
Hi Everybody!

Ok, lotsa points cause with everything else I have on my plate I have no time to learn IPtables at all right now and need pretty detailed responses.


Got a server:

incoming:

SSH
FTP
Web server on 80

I would like FTP to be active(? - as in I can do multiple downloads at the same time by connecting on higher ports)

I need to be able to ftp out from the server, and my web scripts need to connect to a pop3 server.

The box does not need to NAT anything or porcess any traffic outside of itself.

I have command line and webmin to implement your solutions.
0
Comment
Question by:Squeebee
  • 3
  • 3
  • 2
8 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 250 total points
ID: 9619357
Here you go...

#!/bin/sh
#
# This is a simple, reasonably complete local host based firewall suitable for
# protecting a server that might be exposed to malicous activity.
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
#
# I find it easier to modify this file and run it (make sure it is executable
# with 'chmod +x iptables-host') to change the rulesets, rather than modifying
# the running rules. That way I have a readable record of the firewall
# configuration.
#
# Author: Jim Levie (jim@entrophy-free.net)
#
# Set an absolute path to IPTABLES.
#
IPT="/sbin/iptables"
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just dop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP

$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP

$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# The loopback interface is inheritly trustworthy. Don't disable it or
# a number of things will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Now allow Internet hosts access to those services we provide. Note that
# enabling inbound FTP 20 & 21 tcp will also require allowing ports
# 1024:65535/tcp. Which in itself is good enough reason not to allow FTP
# connections and to only allow ssh/scp/sftp.
#
# Allow ssh from anywhere to this server
#
$IPT -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
#
# HTTP access from anywhere
#
$IPT -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
#
# FTP access from anywhere
#
$IPT -A INPUT -p tcp -s 0/0 --dport 20 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 --dport 1024:65535 -j ACCEPT
#
# If there are trusted nodes you can allow then access to everything with
# something like this. Be sure to set IP to be that of this system if you enable one of these.
#
#IP1=10.0.0.1
#$IPT -A INPUT -s 10.0.0.0/24 -d $IP1 -j ACCEPT
#$IPT -A INPUT -s 10.0.0.2 -d $IP1 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything not already matched gets firewalled and logged.
#
$IPT -A INPUT -j firewalled
0
 
LVL 17

Author Comment

by:Squeebee
ID: 9619738
If I understand that last line it will call a firewalled chain, where is the firewalled chain?
0
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 250 total points
ID: 9620906
jlevie, should you forward policy not be like:
  $IPT -P FORWARD DROP
well, it seems to be your sample script, but you never know ..
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 17

Author Comment

by:Squeebee
ID: 9620932
I have actually managed to build the firewall myself thanks to a fairly easy interface in webmin. I will split points between the two of you for bothering to help, thanks.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9622161
whow, didn't expect to be graded here. The answer was by jlevie.
Thanks anyway, and good luck.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 9622384
ahoffman,

On a host firewall routing would be not be enabled so I see no no point in messing with the FORWARD chain.
0
 
LVL 17

Author Comment

by:Squeebee
ID: 9623009
ahoffman:

Eh, they are only points, might as well spread them around.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9623318
only points, nothing more ?!

jlevie, my DROP policy is secure/paranoid security, just in case someone enables routing and does not check the firewall (have seen admins doing this sevaral times):
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Fine Tune your automatic Updates for Ubuntu / Debian
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question