Solved

iptables question

Posted on 2004-04-12
5
299 Views
Last Modified: 2010-04-20
Hi,

Anyone can give me example how to :

- block any access to port 1241 from internet
- block any access to port 199 from internet
- block any access from network 60.10.10.0/16
- block any access from ip 65.10.10.4
- log those above

using iptables on redhat 9.0

Thank you.
0
Comment
Question by:kapot
5 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 135 total points
ID: 10809213
> - block any access to port 1241 from internet
> - block any access to port 199 from internet

This is best managed by setting the default INPUT stance to deny and then including:

iptables -N firewalled
iptables -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
iptables -A firewalled -j DROP

towards the beginning of your rule set script and ending the script with:

#
# Anything that hasn't already matched gets logged and then dropped.
#
iptables  -A INPUT -j firewalled

Using a default INPUT stance of deny means that all inbound connections except those that you explicity permit will be denied.

> - block any access from network 60.10.10.0/16
> - block any access from ip 65.10.10.4

iptables -a INPUT -i OUTSIDE_NIC -s 60.10.10.0/16 -j firewalled
iptables -a INPUT -i OUTSIDE_NIC -s 65.10.10.4 -j firewalled

Note that these restrictions only apply to connections initiated from outside. If you want to stop clients inside of the firewall from using those ports or accessing those network/IP's you need to modify the FORWARD chain.
0
 

Author Comment

by:kapot
ID: 10810806
This means that I have to write down all permitted ports ?
Could you please give me the examples ? I increased the question points.

I use the server for this :
- web traffic at port 80
- ssh traffic at port 22
- ftp traffic at port 21
- mail traffic at port 25 (no imap, no pop3)

# start script

iptables -N firewalled
iptables -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
iptables -A firewalled -j DROP

# define permitted port here

# end permitted port

iptables -a INPUT -i OUTSIDE_NIC -s 60.10.10.0/16 -j firewalled
iptables -a INPUT -i OUTSIDE_NIC -s 65.10.10.4 -j firewalled

# Anything that hasn't already matched gets logged and then dropped.

iptables  -A INPUT -j firewalled

# end script



0
 
LVL 12

Expert Comment

by:j2
ID: 10811396
Why not use a package such as shorewall (www.shorewall.net) which gives you an easy to configure wrapper around ip-tables, as well as being a secure setup?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 10815712
> This means that I have to write down all permitted ports ?

Using a default INPUT of deny you do have to explictly list those ports that are allowed to open a connection from outside. For the ports mentioned in the above comment that would look like:

iptables -a INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 80 -j ACCEPT
iptables -a INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 22 -j ACCEPT
iptables -a INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 22 -j ACCEPT
iptables -a INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 25 -j ACCEPT


You will need to configure your FTP server to restrict the range of ephemeral ports it uses, which vsftpd & proftpd allows for. I'd suggest using something like 60000-65535 for the inbound FTP connection and then adding one more rule that looks like:

iptables -a INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 60000:65535 -j ACCEPT
0
 
LVL 1

Expert Comment

by:djluff
ID: 10898205
fwbuilder (www.fwbuilder.org) is a great graphical tool to configure iptables. Highly recomended rather than using the iptables commands manually.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Join & Write a Comment

Over the last ten+ years I have seen Linux configuration tools come and go. In the early days there was the tried-and-true, all-powerful linuxconf that many thought would remain the one and only Linux configuration tool until the end of times. Well,…
If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now