iptables question

Posted on 2004-04-12
Last Modified: 2010-04-20
Hi,

Can anyone give me an example of how to:

- block any access to port 1241 from internet
- block any access to port 199 from internet
- block any access from network 60.10.10.0/16
- block any access from ip 65.10.10.4
- log those above

using iptables on Red Hat 9.0

Thank you.
Question by:kapot
5 Comments
LVL 40

Accepted Solution

by:
jlevie earned 540 total points
ID: 10809213
> - block any access to port 1241 from internet
> - block any access to port 199 from internet

This is best managed by setting the default INPUT stance to deny and then including:

iptables -N firewalled
iptables -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
iptables -A firewalled -j DROP

towards the beginning of your rule set script and ending the script with:

#
# Anything that hasn't already matched gets logged and then dropped.
#
iptables  -A INPUT -j firewalled

Using a default INPUT stance of deny means that all inbound connections except those that you explicitly permit will be denied.

> - block any access from network 60.10.10.0/16
> - block any access from ip 65.10.10.4

iptables -A INPUT -i OUTSIDE_NIC -s 60.10.10.0/16 -j firewalled
iptables -A INPUT -i OUTSIDE_NIC -s 65.10.10.4 -j firewalled

Note that these restrictions only apply to connections initiated from outside. If you want to stop clients inside of the firewall from using those ports or accessing those networks/IPs you need to modify the FORWARD chain.

Author Comment

by:kapot
ID: 10810806
This means that I have to write down all permitted ports?
Could you please give me the examples? I increased the question points.

I use the server for this :
- web traffic at port 80
- ssh traffic at port 22
- ftp traffic at port 21
- mail traffic at port 25 (no imap, no pop3)

# start script

iptables -N firewalled
iptables -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
iptables -A firewalled -j DROP

# define permitted port here

# end permitted port

iptables -A INPUT -i OUTSIDE_NIC -s 60.10.10.0/16 -j firewalled
iptables -A INPUT -i OUTSIDE_NIC -s 65.10.10.4 -j firewalled

# Anything that hasn't already matched gets logged and then dropped.

iptables -A INPUT -j firewalled

# end script

LVL 12

Expert Comment

by:j2
ID: 10811396
Why not use a package such as shorewall (www.shorewall.net), which gives you an easy-to-configure wrapper around iptables, as well as being a secure setup?
LVL 40

Expert Comment

by:jlevie
ID: 10815712
> This means that I have to write down all permitted ports ?

Using a default INPUT of deny you do have to explicitly list those ports that are allowed to open a connection from outside. For the ports mentioned in the above comment that would look like:

iptables -A INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 25 -j ACCEPT


You will need to configure your FTP server to restrict the range of ephemeral ports it uses, which vsftpd & proftpd allow for. I'd suggest using something like 60000-65535 for the inbound FTP connection and then adding one more rule that looks like:

iptables -A INPUT -i OUTSIDE_NIC -d 0/0 -p tcp --dport 60000:65535 -j ACCEPT
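The accepted solution and the follow-up port list, assembled into one complete script as an added example (not code posted in the thread). It assumes eth0 is the Internet-facing interface (the thread's OUTSIDE_NIC placeholder), that the FTP server's passive range has been pinned to 60000-65535 as suggested, and it adds loopback and ESTABLISHED,RELATED accepts that the thread does not mention; IPT_BIN=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: eth0 is the outside
# interface; the FTP server only uses 60000-65535 for passive data.
# Set IPT_BIN=echo to print the rules instead of applying them.
OUTSIDE_NIC="${OUTSIDE_NIC:-eth0}"
ipt() { "${IPT_BIN:-iptables}" "$@"; }

apply_rules() {
    # Start from a clean INPUT chain with a default-deny stance.
    ipt -F INPUT
    ipt -P INPUT DROP

    # Log-and-drop chain from the accepted answer (rate-limited LOG, then DROP).
    # On a re-run -N fails because the chain exists, so fall back to flushing it.
    ipt -N firewalled || ipt -F firewalled
    ipt -A firewalled -m limit --limit 15/minute -j LOG --log-prefix "Firewalled: "
    ipt -A firewalled -j DROP

    # Loopback traffic and replies to connections this host initiated.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Blocked sources are sent to the log-and-drop chain before any ACCEPT.
    ipt -A INPUT -i "$OUTSIDE_NIC" -s 60.10.10.0/16 -j firewalled
    ipt -A INPUT -i "$OUTSIDE_NIC" -s 65.10.10.4 -j firewalled

    # Explicitly permitted services: web, ssh, ftp control, smtp.
    for port in 80 22 21 25; do
        ipt -A INPUT -i "$OUTSIDE_NIC" -p tcp --dport "$port" -j ACCEPT
    done
    # Passive FTP data connections in the pinned range.
    ipt -A INPUT -i "$OUTSIDE_NIC" -p tcp --dport 60000:65535 -j ACCEPT

    # Everything else (ports 1241 and 199 included) is logged and dropped.
    ipt -A INPUT -j firewalled
}

# Count generated rules matching a pattern, for checking the rule set.
count_rules() { IPT_BIN=echo apply_rules | grep -c -- "$1"; }

if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Run it as `sh firewall.sh apply` as root to load the rules, or `IPT_BIN=echo sh firewall.sh apply` to review the generated rule set first.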
LVL 1

Expert Comment

by:djluff
ID: 10898205
fwbuilder (www.fwbuilder.org) is a great graphical tool to configure iptables. Highly recommended rather than using the iptables commands manually.