Solved

IPtables rules needed

Posted on 2003-10-24
972 Views
Last Modified: 2010-04-22
Hi Everybody!

Ok, lotsa points cause with everything else I have on my plate I have no time to learn IPtables at all right now and need pretty detailed responses.


Got a server:

incoming:

SSH
FTP
Web server on 80

I would like FTP to be active (? - as in I can do multiple downloads at the same time by connecting on higher ports)

I need to be able to ftp out from the server, and my web scripts need to connect to a pop3 server.

The box does not need to NAT anything or process any traffic outside of itself.

I have command line and webmin to implement your solutions.
Question by: Squeebee
8 Comments

Accepted Solution by: jlevie (earned 250 total points)
ID: 9619357
Here you go...

#!/bin/sh
#
# This is a simple, reasonably complete local host based firewall suitable for
# protecting a server that might be exposed to malicious activity.
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
#
# I find it easier to modify this file and run it (make sure it is executable
# with 'chmod +x iptables-host') to change the rulesets, rather than modifying
# the running rules. That way I have a readable record of the firewall
# configuration.
#
# Author: Jim Levie (jim@entrophy-free.net)
#
# Set an absolute path to IPTABLES.
#
IPT="/sbin/iptables"
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as not to swamp the
# firewall in a DoS scenario.
#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP

$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix "TCPflags: "
$IPT -A tcpflags -j DROP

$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix "Firewalled: "
$IPT -A firewalled -j DROP
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Now allow Internet hosts access to those services we provide. Note that
# enabling inbound FTP 20 & 21 tcp will also require allowing ports
# 1024:65535/tcp. Which in itself is good enough reason not to allow FTP
# connections and to only allow ssh/scp/sftp.
#
# Allow ssh from anywhere to this server
#
$IPT -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
#
# HTTP access from anywhere
#
$IPT -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
#
# FTP access from anywhere
#
$IPT -A INPUT -p tcp -s 0/0 --dport 20 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 --dport 1024:65535 -j ACCEPT
#
# If there are trusted nodes you can allow them access to everything with
# something like this. Be sure to set IP1 to the address of this system if you enable one of these.
#
#IP1=10.0.0.1
#$IPT -A INPUT -s 10.0.0.0/24 -d $IP1 -j ACCEPT
#$IPT -A INPUT -s 10.0.0.2 -d $IP1 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything not already matched gets firewalled and logged.
#
$IPT -A INPUT -j firewalled

Author Comment by: Squeebee
ID: 9619738
If I understand that last line, it will call a firewalled chain; where is the firewalled chain?

Assisted Solution by: ahoffmann (earned 250 total points)
ID: 9620906
jlevie, should your forward policy not be like:
  $IPT -P FORWARD DROP
well, it seems to be your sample script, but you never know ..

Author Comment by: Squeebee
ID: 9620932
I have actually managed to build the firewall myself thanks to a fairly easy interface in webmin. I will split points between the two of you for bothering to help, thanks.
 
Expert Comment by: ahoffmann
ID: 9622161
Wow, didn't expect to be graded here. The answer was by jlevie.
Thanks anyway, and good luck.

Expert Comment by: jlevie
ID: 9622384
ahoffmann,

On a host firewall routing would not be enabled, so I see no point in messing with the FORWARD chain.

Author Comment by: Squeebee
ID: 9623009
ahoffmann:

Eh, they are only points, might as well spread them around.

Expert Comment by: ahoffmann
ID: 9623318
only points, nothing more ?!

jlevie, my DROP policy is secure/paranoid security, just in case someone enables routing and does not check the firewall (have seen admins doing this several times):
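The following is an added example, not jlevie's script and not the webmin configuration the asker ended up with. It builds the ruleset for exactly the server described in the question (inbound ssh, ftp in active and passive mode, http; outbound ftp and pop3 from the web scripts; no forwarding) and changes two things relative to the accepted answer: FTP data connections are admitted as RELATED through the kernel's FTP connection-tracking helper instead of opening 1024:65535/tcp to the whole Internet, and the FORWARD policy is DROP, which is the point ahoffmann raises above. The helper module names (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp on 2.6 and later) and the "apply" argument convention are assumptions for this example.

```sh
#!/bin/sh
# Added example (not jlevie's script): host firewall for a server offering
# ssh, ftp and http, whose scripts also need outbound ftp and pop3.
# Run "sh iptables-host.sh apply" as root to install the rules; with no
# argument the rules are only printed so they can be reviewed first.

IPT="${IPT:-/sbin/iptables}"

# The FTP helper parses the PORT/PASV exchange on the control channel (port 21)
# and marks the resulting data connections RELATED, in both directions, so no
# blanket high-port rule is needed. Assumed module names: nf_conntrack_ftp on
# 2.6+ kernels, ip_conntrack_ftp on the 2.4 kernels of 2003-era Red Hat.
# Caveat: the helper cannot see inside an encrypted control channel (FTPS).
load_ftp_helper() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

# Print a rule instead of installing it (used for the dry run).
dryrun() { printf '%s\n' "$*"; }

# $1 is the command each rule is handed to: the iptables binary or "dryrun".
install_rules() {
    ipt="$1"

    $ipt -F
    $ipt -X
    $ipt -P INPUT DROP
    # A host firewall never forwards. DROP here means that someone later
    # enabling ip_forward does not silently turn the box into a router.
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    $ipt -A INPUT -i lo -j ACCEPT

    # Replies to our own outbound ftp/pop3 sessions (ESTABLISHED), FTP data
    # connections in either direction (RELATED via the helper), and ICMP
    # errors for tracked flows (RELATED). Placing this first leaves the
    # per-service rules below to handle only new connections.
    $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $ipt -A INPUT -m state --state INVALID -j DROP

    # Services offered to the Internet: ssh, the ftp control channel, http.
    # Port 20 needs no INPUT rule: in active mode the server opens that
    # connection itself (OUTPUT is ACCEPT); in passive mode the client connects
    # to a high port that the helper has already marked RELATED.
    for port in 22 21 80; do
        $ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Rate-limited ping only; unreachable/time-exceeded for our own flows
    # arrive as RELATED and were accepted above.
    $ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

    # Log (rate limited) and drop whatever is left.
    $ipt -A INPUT -m limit --limit 15/minute -j LOG --log-prefix "Firewalled: "
    $ipt -A INPUT -j DROP
}

if [ "${1:-}" = "apply" ]; then
    load_ftp_helper
    install_rules "$IPT"
else
    install_rules dryrun
fi
```

With the rules installed, `iptables -L INPUT -n -v` should show the RELATED,ESTABLISHED counters climbing during an FTP transfer while no rule mentions 1024:65535; if passive transfers stall, check that the helper module actually loaded (`lsmod | grep conntrack_ftp`), since without it the data connection is NEW and falls through to the final DROP.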