Solved

iptables question

Posted on 2004-04-12
5
313 Views
Last Modified: 2010-04-20
Hi,

Anyone can give me example how to :

- block any access to port 1241 from internet
- block any access to port 199 from internet
- block any access from network 60.10.10.0/16
- block any access from ip 65.10.10.4
- log those above

using iptables on redhat 9.0

Thank you.
0
Comment
Question by:kapot
5 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 135 total points
ID: 10809213
> - block any access to port 1241 from internet
> - block any access to port 199 from internet

This is best managed by setting the default INPUT stance to deny and then including:

iptables -N firewalled
iptables -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
iptables -A firewalled -j DROP

towards the beginning of your rule set script and ending the script with:

#
# Anything that hasn't already matched gets logged and then dropped.
#
iptables  -A INPUT -j firewalled

Using a default INPUT stance of deny means that all inbound connections except those that you explicity permit will be denied.

> - block any access from network 60.10.10.0/16
> - block any access from ip 65.10.10.4

iptables -a INPUT -i OUTSIDE_NIC -s 60.10.10.0/16 -j firewalled
iptables -a INPUT -i OUTSIDE_NIC -s 65.10.10.4 -j firewalled

Note that these restrictions only apply to connections initiated from outside. If you want to stop clients inside of the firewall from using those ports or accessing those network/IP's you need to modify the FORWARD chain.
0
 

Author Comment

by:kapot
ID: 10810806
This means that I have to write down all permitted ports ?
Could you please give me the examples ? I increased the question points.

I use the server for this :
- web traffic at port 80
- ssh traffic at port 22
- ftp traffic at port 21
- mail traffic at port 25 (no imap, no pop3)

# start script

iptables -N firewalled
iptables -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
iptables -A firewalled -j DROP

# define permitted port here

# end permitted port

iptables -a INPUT -i OUTSIDE_NIC -s 60.10.10.0/16 -j firewalled
iptables -a INPUT -i OUTSIDE_NIC -s 65.10.10.4 -j firewalled

# Anything that hasn't already matched gets logged and then dropped.

iptables  -A INPUT -j firewalled

# end script



0
 
LVL 12

Expert Comment

by:j2
ID: 10811396
Why not use a package such as shorewall (www.shorewall.net) which gives you an easy to configure wrapper around ip-tables, as well as being a secure setup?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 10815712
> This means that I have to write down all permitted ports ?

Using a default INPUT of deny you do have to explictly list those ports that are allowed to open a connection from outside. For the ports mentioned in the above comment that would look like:

iptables -a INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 80 -j ACCEPT
iptables -a INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 22 -j ACCEPT
iptables -a INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 22 -j ACCEPT
iptables -a INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 25 -j ACCEPT


You will need to configure your FTP server to restrict the range of ephemeral ports it uses, which vsftpd & proftpd allows for. I'd suggest using something like 60000-65535 for the inbound FTP connection and then adding one more rule that looks like:

iptables -a INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 60000:65535 -j ACCEPT
0
 
LVL 1

Expert Comment

by:djluff
ID: 10898205
fwbuilder (www.fwbuilder.org) is a great graphical tool to configure iptables. Highly recomended rather than using the iptables commands manually.
0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction We as admins face situation where we need to redirect websites to another. This may be required as a part of an upgrade keeping the old URL but website should be served from new URL. This document would brief you on different ways ca…
Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years.  You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will give…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question