Solved

iptables question

Posted on 2004-04-12
5
327 Views
Last Modified: 2010-04-20
Hi,

Can anyone give me an example of how to:

- block any access to port 1241 from internet
- block any access to port 199 from internet
- block any access from network 60.10.10.0/16
- block any access from ip 65.10.10.4
- log those above

using iptables on Red Hat 9.0

Thank you.
0
Comment
Question by:kapot
5 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 135 total points
ID: 10809213
> - block any access to port 1241 from internet
> - block any access to port 199 from internet

This is best managed by setting the default INPUT stance to deny and then including:

iptables -N firewalled
iptables -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
iptables -A firewalled -j DROP

towards the beginning of your rule set script and ending the script with:

#
# Anything that hasn't already matched gets logged and then dropped.
#
iptables  -A INPUT -j firewalled

Using a default INPUT stance of deny means that all inbound connections except those that you explicitly permit will be denied.

> - block any access from network 60.10.10.0/16
> - block any access from ip 65.10.10.4

iptables -A INPUT -i OUTSIDE_NIC -s 60.10.10.0/16 -j firewalled
iptables -A INPUT -i OUTSIDE_NIC -s 65.10.10.4 -j firewalled

Note that these restrictions only apply to connections initiated from outside. If you want to stop clients inside of the firewall from using those ports or accessing those networks/IPs you need to modify the FORWARD chain.
0
 

Author Comment

by:kapot
ID: 10810806
This means that I have to write down all permitted ports?
Could you please give me the examples? I increased the question points.

I use the server for this :
- web traffic at port 80
- ssh traffic at port 22
- ftp traffic at port 21
- mail traffic at port 25 (no imap, no pop3)

# start script

iptables -N firewalled
iptables -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
iptables -A firewalled -j DROP

# define permitted port here

# end permitted port

iptables -A INPUT -i OUTSIDE_NIC -s 60.10.10.0/16 -j firewalled
iptables -A INPUT -i OUTSIDE_NIC -s 65.10.10.4 -j firewalled

# Anything that hasn't already matched gets logged and then dropped.

iptables  -A INPUT -j firewalled

# end script



0
 
LVL 12

Expert Comment

by:j2
ID: 10811396
Why not use a package such as shorewall (www.shorewall.net) which gives you an easy to configure wrapper around iptables, as well as being a secure setup?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 10815712
> This means that I have to write down all permitted ports?

Using a default INPUT of deny you do have to explicitly list those ports that are allowed to open a connection from outside. For the ports mentioned in the above comment that would look like:

iptables -A INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 25 -j ACCEPT


You will need to configure your FTP server to restrict the range of ephemeral ports it uses, which vsftpd & proftpd allow for. I'd suggest using something like 60000-65535 for the inbound FTP connection and then adding one more rule that looks like:

iptables -A INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 60000:65535 -j ACCEPT
0
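The two jlevie comments above give the pieces (default-deny INPUT, the logging `firewalled` chain, the banned sources, the permitted ports and the FTP passive range) but not their order. Below is an added example, not code from the thread, that assembles them into one script; it assumes the outside interface is `eth0` and the passive range is the 60000-65535 suggested above, and it prints the rules rather than running them so they can be reviewed without root.

```shell
#!/bin/sh
# Added example: assembles the pieces from the thread into one reviewable
# INPUT rule set. Assumptions (not from the thread): the outside interface
# is eth0, and the FTP passive range is the 60000-65535 suggested above.
# fw_rules prints the iptables commands rather than running them, so the
# result can be inspected (or tested) without root; pipe into sh to apply.
fw_rules() {
    nic="${1:-eth0}"            # assumed external interface (OUTSIDE_NIC)
    pasv="${2:-60000:65535}"    # FTP passive port range from the thread
    cat <<EOF
# Start clean, then make "not explicitly permitted" mean "denied".
iptables -F INPUT
iptables -F firewalled 2>/dev/null
iptables -X firewalled 2>/dev/null
iptables -P INPUT DROP
# Shared log-then-drop chain; the limit keeps a flood from filling syslog.
iptables -N firewalled
iptables -A firewalled -m limit --limit 15/minute -j LOG --log-prefix "Firewalled: "
iptables -A firewalled -j DROP
# Loopback and replies to the server's own outbound connections must pass,
# otherwise a DROP policy breaks DNS lookups, outbound mail, etc.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Banned sources go BEFORE the port permits: rules match first-hit, so
# placing them after the ACCEPTs would let these hosts reach port 80.
# (iptables masks 60.10.10.0/16 to 60.10.0.0/16.)
iptables -A INPUT -i $nic -s 60.10.10.0/16 -j firewalled
iptables -A INPUT -i $nic -s 65.10.10.4 -j firewalled
# Services this host offers to the internet: web, ssh, ftp control, smtp.
iptables -A INPUT -i $nic -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $nic -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $nic -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i $nic -p tcp --dport 25 -j ACCEPT
# Passive FTP data connections, restricted to the range the FTP daemon
# is configured to use.
iptables -A INPUT -i $nic -p tcp --dport $pasv -j ACCEPT
# Ports 1241 and 199 (and everything else unlisted) fall through to here.
iptables -A INPUT -j firewalled
EOF
}

# Print the rules by default; "--apply" pipes them into a root shell.
if [ "${1:-}" = "--apply" ]; then
    fw_rules "${2:-eth0}" | sh
else
    fw_rules "${1:-eth0}"
fi
```

Run it with no arguments to review the generated rules (or with another interface name to substitute it), then as root with `--apply` to load them; the logged drops show up in syslog with the `Firewalled:` prefix.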
 
LVL 1

Expert Comment

by:djluff
ID: 10898205
fwbuilder (www.fwbuilder.org) is a great graphical tool to configure iptables. Highly recommended rather than using the iptables commands manually.
0
