[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 278
  • Last Modified:

Linux Firewall Rules

Hey all,

Need a standard set of rules that I can apply to Linux (Red Hat 9 specifically) IPtables.  Basically I want to allow web (80) and remote admin if possible.  After that, deny everything else and log it.  

I'm a complete new at Linux, so verbose commands etc would be very helpful.  Thanks!

0
Kyle Abrahams
Asked:
Kyle Abrahams
  • 5
  • 3
1 Solution
 
Kyle AbrahamsSenior .Net DeveloperAuthor Commented:
(I realize there is no set standard, but I want the most secure/restrictive settings possible.)
0
 
IceRavenCommented:
Hi ged325,

I would use this iptables generator

Easy to use, great security, the file that is generated has the information on how to implement it in a redhat system.

Cheers,
IceRaven
0
 
IceRavenCommented:
Hi ged325,

Use this site, just enter your computer and port details.  Instructions for installing the file are included in the file that is produced in the end.

http://www.e3.com.au/firewall/index.php

Cheers,
IceRaven
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
Kyle AbrahamsSenior .Net DeveloperAuthor Commented:
Still looking into this, sorry I haven't responded in a while, things got a little hectic around here, didn't forget about ya.

0
 
Kyle AbrahamsSenior .Net DeveloperAuthor Commented:
I've tried using that script:  Here are the rules:
I've put as many comments as possible, but it's still cutting off my 80 from the internal network.  (Haven't tried from web.)

NOTE:
192.168.4.1 = webserver  (windows Machine)
192.168.4.2 = Local side address of firewall.
192.168.3.2 = Internet side of address of firewall.


Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere          
bad_packets  all  --  anywhere             anywhere          
ACCEPT     all  --  192.168.4.0/24       anywhere          
ACCEPT     all  --  anywhere             192.168.4.255      
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
tcp_inbound  tcp  --  anywhere             anywhere          
udp_inbound  udp  --  anywhere             anywhere          
icmp_packets  icmp --  anywhere             anywhere          

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
bad_packets  all  --  anywhere             anywhere          
tcp_outbound  tcp  --  anywhere             anywhere          
udp_outbound  udp  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.4.1        tcp dpt:http
LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level warning prefix `FORWARD packet died: '

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
DROP       icmp --  anywhere             anywhere           state INVALID
ACCEPT     all  --  192.168.4.2          anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  Linux-Firewall       anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level warning prefix `OUTPUT packet died: '

Chain bad_packets (2 references)
target     prot opt source               destination        
LOG        all  --  anywhere             anywhere           state INVALID LOG level warning prefix `Invalid packet: '
DROP       all  --  anywhere             anywhere           state INVALID
bad_tcp_packets  tcp  --  anywhere             anywhere          
RETURN     all  --  anywhere             anywhere          

Chain bad_tcp_packets (1 references)
target     prot opt source               destination        
RETURN     tcp  --  anywhere             anywhere          
LOG        tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN LOG level warning prefix `New not syn:'
DROP       tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere          

Chain icmp_packets (1 references)
target     prot opt source               destination        
ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded
RETURN     icmp --  anywhere             anywhere          

Chain icmp_pakets (0 references)
target     prot opt source               destination        

Chain tcp_inbound (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:https
#35 shouldn't be in here, I need to remove.
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:35  
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere          

Chain tcp_outbound (1 references)
target     prot opt source               destination        
REJECT     tcp  --  anywhere             anywhere           tcp dpt:irc reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:telnet reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:nntp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:ftp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:ftp-data reject-with icmp-port-unreachable
#5190 AIM, 4443 Yahoo, 1863 MSN
REJECT     tcp  --  anywhere             anywhere           tcp dpt:5190 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:4443 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:1863 reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere          

Chain udp_inbound (1 references)
target     prot opt source               destination        
#drop netbios noise.
DROP       udp  --  anywhere             anywhere           udp dpt:netbios-ns
DROP       udp  --  anywhere             anywhere           udp dpt:netbios-dgm
RETURN     udp  --  anywhere             anywhere          

Chain udp_outbound (1 references)
target     prot opt source               destination        
REJECT     udp  --  anywhere             anywhere           udp dpt:4000 reject-with icmp-port-unreachable
ACCEPT     udp  --  anywhere             anywhere          
0
 
Kyle AbrahamsSenior .Net DeveloperAuthor Commented:
checking logs:

"New Not Syn: " In=eth0 (192.168.3.2.),   out=eth0, SRC= 192.168.4.1, dst = 192.168.3.1(machine I'm trying to access from),
LEN = 48 TOS=0x00 TTL = 127 ID = 1527 DF PROTO = TCP SPT = 80 DPT = 3492 WINDOW = 64240 RES=0x00 ACK SYN URGP
0
 
Kyle AbrahamsSenior .Net DeveloperAuthor Commented:
Got it, Had to add:

ACCEPT     tcp  --  192.168.4.1             anywhere           tcp spt:http  flags:SYN, FIN, ACK/SYN
RETURN     tcp  --  192.168.4.1             anywhere           tcp spt:http  flags:SYN, FIN, ACK/SYN


to bad_tcp_packets.


Thanks for your help.
0
 
IceRavenCommented:
Glad you sorted it out!

Cheers,
IceRaven.
0

Featured Post

Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now