Solved

Linux Firewall Rules

Posted on 2004-04-20
Last Modified: 2013-11-16
Hey all,

Need a standard set of rules that I can apply to Linux (Red Hat 9 specifically) iptables. Basically I want to allow web (80) and remote admin if possible. After that, deny everything else and log it.

I'm a complete newbie at Linux, so verbose commands etc. would be very helpful. Thanks!

Question by:Kyle Abrahams
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 10875313
(I realize there is no set standard, but I want the most secure/restrictive settings possible.)
 
LVL 7

Expert Comment

by:IceRaven
ID: 10875349
Hi ged325,

I would use this iptables generator

Easy to use, great security, the file that is generated has the information on how to implement it in a redhat system.

Cheers,
IceRaven
 
LVL 7

Accepted Solution

by:
IceRaven earned 500 total points
ID: 10875352
Hi ged325,

Use this site, just enter your computer and port details.  Instructions for installing the file are included in the file that is produced in the end.

http://www.e3.com.au/firewall/index.php

Cheers,
IceRaven
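The question asks for a default-deny ruleset that allows web and remote admin and logs everything else, and the accepted answer points at a generator rather than showing rules. As an added example (not from the thread and not the generator's output), here is a ruleset of that shape written for the thread's own topology: web server 192.168.4.1 behind the firewall, LAN 192.168.4.0/24, using the `-m state` match the posted rules already use. The interface names WAN_IF and LAN_IF, the ADMIN_NET value, and the functions build_rules and rule_count are my assumptions. Run it as root with `APPLY_FIREWALL=1` to load the rules; without that variable it only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example (not the thread's rules or the generator's output): a
# default-deny iptables ruleset for the thread's topology. Addresses come
# from the thread; interface names and ADMIN_NET are assumptions.
WAN_IF="eth0"               # assumed: Internet side (192.168.3.2)
LAN_IF="eth1"               # assumed: LAN side (192.168.4.2)
LAN_NET="192.168.4.0/24"    # from the thread
WEB_SERVER="192.168.4.1"    # from the thread: Windows web server behind the firewall
ADMIN_NET="192.168.4.0/24"  # assumed: the only network allowed to SSH to the firewall

# build_rules CMD : feed every rule to CMD (iptables to load, echo to dry-run)
build_rules() {
    ipt="$1"
    # Flush, then default-deny: only what is explicitly accepted gets through.
    $ipt -F
    $ipt -X
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    # Loopback, and replies to connections the state tracker already knows.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Tracker garbage, and NEW TCP packets that are not a clean SYN
    # (the same test the thread's bad_tcp_packets chain performs).
    $ipt -A INPUT -m state --state INVALID -j DROP
    $ipt -A INPUT -p tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
    $ipt -A FORWARD -m state --state INVALID -j DROP
    $ipt -A FORWARD -p tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

    # Services on the firewall itself: web to anyone, SSH admin from ADMIN_NET only.
    $ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $ipt -A INPUT -i "$LAN_IF" -s "$ADMIN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Through the firewall: port 80 to the internal web server, and LAN hosts outbound.
    $ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # Whatever reaches here was not accepted: log it (rate-limited so a flood
    # cannot fill the disk), then the DROP policy discards it.
    $ipt -A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT denied: "
    $ipt -A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD denied: "
}

# rule_count : number of iptables invocations the ruleset makes
rule_count() {
    build_rules echo | wc -l | tr -d ' '
}

# Load for real only when asked (as root); otherwise just print the commands.
if [ "${APPLY_FIREWALL:-0}" = "1" ]; then
    build_rules iptables
else
    build_rules echo
fi
```

The difference from the rules posted later in the thread is the chain policy: those keep the built-in chains at ACCEPT and rely on custom chains to reject, so anything that falls off the end of a chain is allowed, whereas here the policy is DROP and the LOG rules at the end see exactly the traffic nothing accepted. `-m state` is what the page's iptables version offers; current iptables prefers `-m conntrack --ctstate` but still accepts the older spelling.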
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 10936512
Still looking into this. Sorry I haven't responded in a while; things got a little hectic around here. Didn't forget about ya.

 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 11014652
I've tried using that script. Here are the rules:
I've put in as many comments as possible, but it's still cutting off my 80 from the internal network. (Haven't tried from the web.)

NOTE:
192.168.4.1 = web server (Windows machine)
192.168.4.2 = LAN-side address of the firewall.
192.168.3.2 = Internet-side address of the firewall.


Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere          
bad_packets  all  --  anywhere             anywhere          
ACCEPT     all  --  192.168.4.0/24       anywhere          
ACCEPT     all  --  anywhere             192.168.4.255      
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
tcp_inbound  tcp  --  anywhere             anywhere          
udp_inbound  udp  --  anywhere             anywhere          
icmp_packets  icmp --  anywhere             anywhere          

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
bad_packets  all  --  anywhere             anywhere          
tcp_outbound  tcp  --  anywhere             anywhere          
udp_outbound  udp  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.4.1        tcp dpt:http
LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level warning prefix `FORWARD packet died: '

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
DROP       icmp --  anywhere             anywhere           state INVALID
ACCEPT     all  --  192.168.4.2          anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  Linux-Firewall       anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level warning prefix `OUTPUT packet died: '

Chain bad_packets (2 references)
target     prot opt source               destination        
LOG        all  --  anywhere             anywhere           state INVALID LOG level warning prefix `Invalid packet: '
DROP       all  --  anywhere             anywhere           state INVALID
bad_tcp_packets  tcp  --  anywhere             anywhere          
RETURN     all  --  anywhere             anywhere          

Chain bad_tcp_packets (1 references)
target     prot opt source               destination        
RETURN     tcp  --  anywhere             anywhere          
LOG        tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN LOG level warning prefix `New not syn:'
DROP       tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere          

Chain icmp_packets (1 references)
target     prot opt source               destination        
ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded
RETURN     icmp --  anywhere             anywhere          

Chain icmp_pakets (0 references)
target     prot opt source               destination        

Chain tcp_inbound (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:https
#35 shouldn't be in here, I need to remove.
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:35  
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere          

Chain tcp_outbound (1 references)
target     prot opt source               destination        
REJECT     tcp  --  anywhere             anywhere           tcp dpt:irc reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:telnet reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:nntp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:ftp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:ftp-data reject-with icmp-port-unreachable
#5190 AIM, 4443 Yahoo, 1863 MSN
REJECT     tcp  --  anywhere             anywhere           tcp dpt:5190 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:4443 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:1863 reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere          

Chain udp_inbound (1 references)
target     prot opt source               destination        
#drop netbios noise.
DROP       udp  --  anywhere             anywhere           udp dpt:netbios-ns
DROP       udp  --  anywhere             anywhere           udp dpt:netbios-dgm
RETURN     udp  --  anywhere             anywhere          

Chain udp_outbound (1 references)
target     prot opt source               destination        
REJECT     udp  --  anywhere             anywhere           udp dpt:4000 reject-with icmp-port-unreachable
ACCEPT     udp  --  anywhere             anywhere          
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 11014790
Checking logs:

"New Not Syn: " In=eth0 (192.168.3.2.),   out=eth0, SRC= 192.168.4.1, dst = 192.168.3.1(machine I'm trying to access from),
LEN = 48 TOS=0x00 TTL = 127 ID = 1527 DF PROTO = TCP SPT = 80 DPT = 3492 WINDOW = 64240 RES=0x00 ACK SYN URGP
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 11015574
Got it. Had to add:

ACCEPT     tcp  --  192.168.4.1             anywhere           tcp spt:http  flags:SYN, FIN, ACK/SYN
RETURN     tcp  --  192.168.4.1             anywhere           tcp spt:http  flags:SYN, FIN, ACK/SYN


to bad_tcp_packets.


Thanks for your help.
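The logged packet above is the web server's reply (SPT=80, flags ACK SYN) arriving in state NEW, which means the connection tracker had no entry for that connection when the reply crossed the firewall. The bad_tcp_packets rule `tcp flags:!SYN,RST,ACK/SYN` on NEW packets then logs and drops anything whose SYN, RST and ACK bits are not exactly SYN, and a SYN-ACK is not. As an added example (not code from the thread), the script below re-implements the `--tcp-flags MASK COMP` comparison iptables performs and runs it over a log line constructed from the quoted one, plus a plain client SYN for contrast. The functions flags_in_mask, tcp_flags_match and new_not_syn_verdict and both sample lines are mine.

```shell
#!/bin/sh
# Added example: evaluate iptables' "--tcp-flags MASK COMP" test by hand to
# show why the thread's "New not syn" rule (tcp flags:!SYN,RST,ACK/SYN on
# state NEW) logged and dropped the web server's SYN-ACK. Nothing here talks
# to the kernel; the log lines are constructed from the one quoted in the thread.

# flags_in_mask "SYN ACK" "SYN,RST,ACK" -> the packet's flags that are in MASK, sorted
flags_in_mask() {
    pkt_flags="$1"
    mask="$(echo "$2" | tr ',' ' ')"
    out=""
    for f in $pkt_flags; do
        for m in $mask; do
            [ "$f" = "$m" ] && out="$out $f"
        done
    done
    echo "$out" | tr ' ' '\n' | sed '/^$/d' | sort | tr '\n' ' ' | sed 's/ $//'
}

# tcp_flags_match PKT_FLAGS MASK COMP -> "yes" if (flags & MASK) == COMP, else "no"
tcp_flags_match() {
    have="$(flags_in_mask "$1" "$2")"
    want="$(echo "$3" | tr ',' '\n' | sort | tr '\n' ' ' | sed 's/ $//')"
    [ "$have" = "$want" ] && echo yes || echo no
}

# new_not_syn_verdict LOGLINE -> what the rule does with a NEW-state packet
# carrying the flags found in LOGLINE: PASS for a clean SYN, DROP otherwise.
new_not_syn_verdict() {
    line="$1"
    flags=""
    # iptables LOG prints each set TCP flag as a bare word; collect them.
    for word in $line; do
        case "$word" in
            SYN|ACK|FIN|RST|PSH|URG) flags="$flags $word" ;;
        esac
    done
    if [ "$(tcp_flags_match "$flags" "SYN,RST,ACK" "SYN")" = "yes" ]; then
        echo "PASS"    # the rule is negated, so a clean SYN does not match it
    else
        echo "DROP"    # anything else in state NEW is logged and dropped
    fi
}

# Constructed from the thread's log entry: the server's reply, SPT=80, flags ACK SYN.
LOGGED="New not syn:IN=eth0 OUT=eth0 SRC=192.168.4.1 DST=192.168.3.1 LEN=48 TOS=0x00 TTL=127 ID=1527 DF PROTO=TCP SPT=80 DPT=3492 WINDOW=64240 RES=0x00 ACK SYN URGP=0"
# Constructed for contrast: the client's opening SYN for the same connection.
CLIENT_SYN="IN=eth0 OUT=eth1 SRC=192.168.3.1 DST=192.168.4.1 PROTO=TCP SPT=3492 DPT=80 SYN URGP=0"

echo "server SYN-ACK seen as NEW: $(new_not_syn_verdict "$LOGGED")"
echo "client SYN seen as NEW:     $(new_not_syn_verdict "$CLIENT_SYN")"
```

The verdict function models only the flag test; in the real chain the `-m state --state NEW` match is what makes it fire, so a SYN-ACK belonging to a connection the tracker already saw (state ESTABLISHED) never reaches the rule. That is the check to make when this log line appears: find out why the tracker did not see the client's SYN first, rather than widening the rule to let SYN-ACKs through.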
 
LVL 7

Expert Comment

by:IceRaven
ID: 11020173
Glad you sorted it out!

Cheers,
IceRaven.