Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 277
  • Last Modified:

Linux Firewall Rules

Hey all,

Need a standard set of rules that I can apply to Linux (Red Hat 9 specifically) IPtables.  Basically I want to allow web (80) and remote admin if possible.  After that, deny everything else and log it.  

I'm a complete new at Linux, so verbose commands etc would be very helpful.  Thanks!

0
Kyle Abrahams
Asked:
Kyle Abrahams
  • 5
  • 3
1 Solution
 
Kyle AbrahamsSenior .Net DeveloperAuthor Commented:
(I realize there is no set standard, but I want the most secure/restrictive settings possible.)
0
 
IceRavenCommented:
Hi ged325,

I would use this iptables generator

Easy to use, great security, the file that is generated has the information on how to implement it in a redhat system.

Cheers,
IceRaven
0
 
IceRavenCommented:
Hi ged325,

Use this site, just enter your computer and port details.  Instructions for installing the file are included in the file that is produced in the end.

http://www.e3.com.au/firewall/index.php

Cheers,
IceRaven
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
Kyle AbrahamsSenior .Net DeveloperAuthor Commented:
Still looking into this, sorry I haven't responded in a while, things got a little hectic around here, didn't forget about ya.

0
 
Kyle AbrahamsSenior .Net DeveloperAuthor Commented:
I've tried using that script:  Here are the rules:
I've put as many comments as possible, but it's still cutting off my 80 from the internal network.  (Haven't tried from web.)

NOTE:
192.168.4.1 = webserver  (windows Machine)
192.168.4.2 = Local side address of firewall.
192.168.3.2 = Internet side of address of firewall.


Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere          
bad_packets  all  --  anywhere             anywhere          
ACCEPT     all  --  192.168.4.0/24       anywhere          
ACCEPT     all  --  anywhere             192.168.4.255      
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
tcp_inbound  tcp  --  anywhere             anywhere          
udp_inbound  udp  --  anywhere             anywhere          
icmp_packets  icmp --  anywhere             anywhere          

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
bad_packets  all  --  anywhere             anywhere          
tcp_outbound  tcp  --  anywhere             anywhere          
udp_outbound  udp  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.4.1        tcp dpt:http
LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level warning prefix `FORWARD packet died: '

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
DROP       icmp --  anywhere             anywhere           state INVALID
ACCEPT     all  --  192.168.4.2          anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  Linux-Firewall       anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level warning prefix `OUTPUT packet died: '

Chain bad_packets (2 references)
target     prot opt source               destination        
LOG        all  --  anywhere             anywhere           state INVALID LOG level warning prefix `Invalid packet: '
DROP       all  --  anywhere             anywhere           state INVALID
bad_tcp_packets  tcp  --  anywhere             anywhere          
RETURN     all  --  anywhere             anywhere          

Chain bad_tcp_packets (1 references)
target     prot opt source               destination        
RETURN     tcp  --  anywhere             anywhere          
LOG        tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN LOG level warning prefix `New not syn:'
DROP       tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere          

Chain icmp_packets (1 references)
target     prot opt source               destination        
ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded
RETURN     icmp --  anywhere             anywhere          

Chain icmp_pakets (0 references)
target     prot opt source               destination        

Chain tcp_inbound (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:https
#35 shouldn't be in here, I need to remove.
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:35  
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere          

Chain tcp_outbound (1 references)
target     prot opt source               destination        
REJECT     tcp  --  anywhere             anywhere           tcp dpt:irc reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:telnet reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:nntp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:ftp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:ftp-data reject-with icmp-port-unreachable
#5190 AIM, 4443 Yahoo, 1863 MSN
REJECT     tcp  --  anywhere             anywhere           tcp dpt:5190 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:4443 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:1863 reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere          

Chain udp_inbound (1 references)
target     prot opt source               destination        
#drop netbios noise.
DROP       udp  --  anywhere             anywhere           udp dpt:netbios-ns
DROP       udp  --  anywhere             anywhere           udp dpt:netbios-dgm
RETURN     udp  --  anywhere             anywhere          

Chain udp_outbound (1 references)
target     prot opt source               destination        
REJECT     udp  --  anywhere             anywhere           udp dpt:4000 reject-with icmp-port-unreachable
ACCEPT     udp  --  anywhere             anywhere          
0
 
Kyle AbrahamsSenior .Net DeveloperAuthor Commented:
checking logs:

"New Not Syn: " In=eth0 (192.168.3.2.),   out=eth0, SRC= 192.168.4.1, dst = 192.168.3.1(machine I'm trying to access from),
LEN = 48 TOS=0x00 TTL = 127 ID = 1527 DF PROTO = TCP SPT = 80 DPT = 3492 WINDOW = 64240 RES=0x00 ACK SYN URGP
0
 
Kyle AbrahamsSenior .Net DeveloperAuthor Commented:
Got it, Had to add:

ACCEPT     tcp  --  192.168.4.1             anywhere           tcp spt:http  flags:SYN, FIN, ACK/SYN
RETURN     tcp  --  192.168.4.1             anywhere           tcp spt:http  flags:SYN, FIN, ACK/SYN


to bad_tcp_packets.


Thanks for your help.
0
 
IceRavenCommented:
Glad you sorted it out!

Cheers,
IceRaven.
0

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now