
Solved

iptables question

Posted on 2004-04-12
334 Views
Last Modified: 2010-04-20
Hi,

Can anyone give me an example of how to:

- block any access to port 1241 from internet
- block any access to port 199 from internet
- block any access from network 60.10.10.0/16
- block any access from ip 65.10.10.4
- log those above

using iptables on Red Hat 9.0

Thank you.
Question by:kapot
5 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 540 total points
ID: 10809213
> - block any access to port 1241 from internet
> - block any access to port 199 from internet

This is best managed by setting the default INPUT stance to deny and then including:

iptables -N firewalled
iptables -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
iptables -A firewalled -j DROP

towards the beginning of your rule set script and ending the script with:

#
# Anything that hasn't already matched gets logged and then dropped.
#
iptables -A INPUT -j firewalled

Using a default INPUT stance of deny means that all inbound connections except those that you explicitly permit will be denied.

> - block any access from network 60.10.10.0/16
> - block any access from ip 65.10.10.4

iptables -A INPUT -i OUTSIDE_NIC -s 60.10.10.0/16 -j firewalled
iptables -A INPUT -i OUTSIDE_NIC -s 65.10.10.4 -j firewalled

Note that these restrictions only apply to connections initiated from outside. If you want to stop clients inside of the firewall from using those ports or accessing those network/IP's you need to modify the FORWARD chain.

Author Comment

by:kapot
ID: 10810806
This means that I have to write down all permitted ports?
Could you please give me the examples? I increased the question points.

I use the server for this:
- web traffic at port 80
- ssh traffic at port 22
- ftp traffic at port 21
- mail traffic at port 25 (no imap, no pop3)

# start script

iptables -N firewalled
iptables -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
iptables -A firewalled -j DROP

# define permitted port here

# end permitted port

iptables -A INPUT -i OUTSIDE_NIC -s 60.10.10.0/16 -j firewalled
iptables -A INPUT -i OUTSIDE_NIC -s 65.10.10.4 -j firewalled

# Anything that hasn't already matched gets logged and then dropped.

iptables -A INPUT -j firewalled

# end script



LVL 12

Expert Comment

by:j2
ID: 10811396
Why not use a package such as shorewall (www.shorewall.net), which gives you an easy-to-configure wrapper around iptables, as well as being a secure setup?
LVL 40

Expert Comment

by:jlevie
ID: 10815712
> This means that I have to write down all permitted ports ?

Using a default INPUT of deny you do have to explicitly list those ports that are allowed to open a connection from outside. For the ports mentioned in the above comment that would look like:

iptables -A INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 25 -j ACCEPT


You will need to configure your FTP server to restrict the range of ephemeral ports it uses, which vsftpd & proftpd allow for. I'd suggest using something like 60000-65535 for the inbound FTP connection and then adding one more rule that looks like:

iptables -A INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 60000:65535 -j ACCEPT
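As an added example (not code posted in this thread), here is the whole rule set assembled from jlevie's pieces for the services kapot listed. It assumes eth0 is the outside interface and that the FTP daemon has been configured to use 60000-65535 for passive data connections; it also adds loopback and ESTABLISHED,RELATED rules, which the thread does not show but which a default-deny INPUT needs so the server's own outbound connections keep working.

```shell
#!/bin/sh
# Added example (not from the thread): full INPUT rule set for kapot's server,
# built from jlevie's pieces. Assumes eth0 is the outside interface and that the
# FTP daemon is configured to use 60000-65535 for passive data connections.
# Run as "sh fw.sh apply" as root; IPT=echo prints the commands instead.
IPT="${IPT:-iptables}"
OUTSIDE_NIC="${OUTSIDE_NIC:-eth0}"

build_rules() {
    # Default-deny stance: anything not explicitly accepted below is dropped.
    $IPT -P INPUT DROP
    $IPT -F INPUT
    # Log-then-drop chain; the rate limit keeps a scan from flooding syslog.
    $IPT -N firewalled 2>/dev/null || $IPT -F firewalled
    $IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix "Firewalled: "
    $IPT -A firewalled -j DROP
    # Blocked sources come first so they are logged even for permitted ports.
    for src in 60.10.10.0/16 65.10.10.4; do
        $IPT -A INPUT -i "$OUTSIDE_NIC" -s "$src" -j firewalled
    done
    # Loopback and replies to connections this host opened (needed under
    # default deny; the thread does not show these two rules).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Explicitly permitted services plus the FTP passive range.
    for port in 80 22 21 25 60000:65535; do
        $IPT -A INPUT -i "$OUTSIDE_NIC" -p tcp --dport "$port" -j ACCEPT
    done
    # Everything else (ports 1241 and 199 included) is logged and dropped.
    $IPT -A INPUT -j firewalled
}

# Dry-run check: succeeds when the generated rule list contains the fragment.
has_rule() {
    IPT=echo build_rules | grep -q -- "$1"
}

# Number of rules the script would append to INPUT (dry run).
input_rule_count() {
    IPT=echo build_rules | grep -c -- '^-A INPUT '
}

if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```

Review the dry run (IPT=echo sh fw.sh apply) before applying, and keep a console session open the first time since a mistake in the ssh rule locks you out.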
LVL 1

Expert Comment

by:djluff
ID: 10898205
fwbuilder (www.fwbuilder.org) is a great graphical tool to configure iptables. Highly recommended rather than using the iptables commands manually.
