Link to home
Start Free TrialLog in
Avatar of Kyle Abrahams, PMP
Kyle Abrahams, PMPFlag for United States of America

asked on

Linux Firewall Rules

Hey all,

Need a standard set of rules that I can apply to Linux (Red Hat 9 specifically) IPtables.  Basically I want to allow web (80) and remote admin if possible.  After that, deny everything else and log it.  

I'm a complete new at Linux, so verbose commands etc would be very helpful.  Thanks!

Avatar of Kyle Abrahams, PMP
Kyle Abrahams, PMP
Flag of United States of America image

ASKER

(I realize there is no set standard, but I want the most secure/restrictive settings possible.)
Avatar of IceRaven
IceRaven

Hi ged325,

I would use this iptables generator

Easy to use, great security, the file that is generated has the information on how to implement it in a redhat system.

Cheers,
IceRaven
ASKER CERTIFIED SOLUTION
Avatar of IceRaven
IceRaven

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Still looking into this, sorry I haven't responded in a while, things got a little hectic around here, didn't forget about ya.

I've tried using that script:  Here are the rules:
I've put as many comments as possible, but it's still cutting off my 80 from the internal network.  (Haven't tried from web.)

NOTE:
192.168.4.1 = webserver  (windows Machine)
192.168.4.2 = Local side address of firewall.
192.168.3.2 = Internet side of address of firewall.


Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere          
bad_packets  all  --  anywhere             anywhere          
ACCEPT     all  --  192.168.4.0/24       anywhere          
ACCEPT     all  --  anywhere             192.168.4.255      
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
tcp_inbound  tcp  --  anywhere             anywhere          
udp_inbound  udp  --  anywhere             anywhere          
icmp_packets  icmp --  anywhere             anywhere          

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
bad_packets  all  --  anywhere             anywhere          
tcp_outbound  tcp  --  anywhere             anywhere          
udp_outbound  udp  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.4.1        tcp dpt:http
LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level warning prefix `FORWARD packet died: '

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
DROP       icmp --  anywhere             anywhere           state INVALID
ACCEPT     all  --  192.168.4.2          anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  Linux-Firewall       anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level warning prefix `OUTPUT packet died: '

Chain bad_packets (2 references)
target     prot opt source               destination        
LOG        all  --  anywhere             anywhere           state INVALID LOG level warning prefix `Invalid packet: '
DROP       all  --  anywhere             anywhere           state INVALID
bad_tcp_packets  tcp  --  anywhere             anywhere          
RETURN     all  --  anywhere             anywhere          

Chain bad_tcp_packets (1 references)
target     prot opt source               destination        
RETURN     tcp  --  anywhere             anywhere          
LOG        tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN LOG level warning prefix `New not syn:'
DROP       tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere          

Chain icmp_packets (1 references)
target     prot opt source               destination        
ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded
RETURN     icmp --  anywhere             anywhere          

Chain icmp_pakets (0 references)
target     prot opt source               destination        

Chain tcp_inbound (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:https
#35 shouldn't be in here, I need to remove.
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:35  
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere          

Chain tcp_outbound (1 references)
target     prot opt source               destination        
REJECT     tcp  --  anywhere             anywhere           tcp dpt:irc reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:telnet reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:nntp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:ftp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:ftp-data reject-with icmp-port-unreachable
#5190 AIM, 4443 Yahoo, 1863 MSN
REJECT     tcp  --  anywhere             anywhere           tcp dpt:5190 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:4443 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:1863 reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere          

Chain udp_inbound (1 references)
target     prot opt source               destination        
#drop netbios noise.
DROP       udp  --  anywhere             anywhere           udp dpt:netbios-ns
DROP       udp  --  anywhere             anywhere           udp dpt:netbios-dgm
RETURN     udp  --  anywhere             anywhere          

Chain udp_outbound (1 references)
target     prot opt source               destination        
REJECT     udp  --  anywhere             anywhere           udp dpt:4000 reject-with icmp-port-unreachable
ACCEPT     udp  --  anywhere             anywhere          
checking logs:

"New Not Syn: " In=eth0 (192.168.3.2.),   out=eth0, SRC= 192.168.4.1, dst = 192.168.3.1(machine I'm trying to access from),
LEN = 48 TOS=0x00 TTL = 127 ID = 1527 DF PROTO = TCP SPT = 80 DPT = 3492 WINDOW = 64240 RES=0x00 ACK SYN URGP
Got it, Had to add:

ACCEPT     tcp  --  192.168.4.1             anywhere           tcp spt:http  flags:SYN, FIN, ACK/SYN
RETURN     tcp  --  192.168.4.1             anywhere           tcp spt:http  flags:SYN, FIN, ACK/SYN


to bad_tcp_packets.


Thanks for your help.
Glad you sorted it out!

Cheers,
IceRaven.