Kyle Abrahams, PMP
asked on
Linux Firewall Rules
Hey all,
Need a standard set of rules that I can apply to Linux (Red Hat 9 specifically) iptables. Basically I want to allow web (80) and remote admin if possible. After that, deny everything else and log it.
I'm completely new to Linux, so verbose commands etc. would be very helpful. Thanks!
Hi ged325,
I would use this iptables generator
Easy to use, great security, and the file that is generated has the information on how to implement it on a Red Hat system.
Cheers,
IceRaven
ASKER
Still looking into this, sorry I haven't responded in a while, things got a little hectic around here, didn't forget about ya.
ASKER
I've tried using that script. Here are the rules:
I've put in as many comments as possible, but it's still cutting off my port 80 from the internal network. (Haven't tried from the web.)
NOTE:
192.168.4.1 = web server (Windows machine)
192.168.4.2 = local-side address of firewall.
192.168.3.2 = Internet-side address of firewall.
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
bad_packets all -- anywhere anywhere
ACCEPT all -- 192.168.4.0/24 anywhere
ACCEPT all -- anywhere 192.168.4.255
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
tcp_inbound tcp -- anywhere anywhere
udp_inbound udp -- anywhere anywhere
icmp_packets icmp -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
bad_packets all -- anywhere anywhere
tcp_outbound tcp -- anywhere anywhere
udp_outbound udp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.4.1 tcp dpt:http
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level warning prefix `FORWARD packet died: '
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere state INVALID
ACCEPT all -- 192.168.4.2 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- Linux-Firewall anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level warning prefix `OUTPUT packet died: '
Chain bad_packets (2 references)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID LOG level warning prefix `Invalid packet: '
DROP all -- anywhere anywhere state INVALID
bad_tcp_packets tcp -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain bad_tcp_packets (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere
LOG tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN LOG level warning prefix `New not syn:'
DROP tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere
Chain icmp_packets (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
RETURN icmp -- anywhere anywhere
Chain icmp_pakets (0 references)
target prot opt source destination
Chain tcp_inbound (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
#35 shouldn't be in here, I need to remove.
ACCEPT tcp -- anywhere anywhere tcp dpt:35
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
RETURN tcp -- anywhere anywhere
Chain tcp_outbound (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:irc reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:telnet reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:nntp reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:ftp reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:ftp-data reject-with icmp-port-unreachable
#5190 AIM, 4443 Yahoo, 1863 MSN
REJECT tcp -- anywhere anywhere tcp dpt:5190 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:4443 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:1863 reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere
Chain udp_inbound (1 references)
target prot opt source destination
#drop netbios noise.
DROP udp -- anywhere anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:netbios-dgm
RETURN udp -- anywhere anywhere
Chain udp_outbound (1 references)
target prot opt source destination
REJECT udp -- anywhere anywhere udp dpt:4000 reject-with icmp-port-unreachable
ACCEPT udp -- anywhere anywhere
ASKER
Checking logs:
"New Not Syn: " In=eth0 (192.168.3.2.), out=eth0, SRC= 192.168.4.1, dst = 192.168.3.1(machine I'm trying to access from),
LEN = 48 TOS=0x00 TTL = 127 ID = 1527 DF PROTO = TCP SPT = 80 DPT = 3492 WINDOW = 64240 RES=0x00 ACK SYN URGP
ASKER
Got it. Had to add:
ACCEPT tcp -- 192.168.4.1 anywhere tcp spt:http flags:SYN, FIN, ACK/SYN
RETURN tcp -- 192.168.4.1 anywhere tcp spt:http flags:SYN, FIN, ACK/SYN
to bad_tcp_packets.
Thanks for your help.
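For readers arriving with the same question as the original post, here is an added example (not code from the thread or from the generator IceRaven linked) of a compact default-deny ruleset for the asker's stated needs: allow HTTP and SSH for remote admin, forward only HTTP to the internal web server, then log and drop the rest. It shows the ordering that avoids the "New not syn" drops seen in the log above: tracked replies are accepted before any NEW-without-SYN check. `IPT`, `ADMIN_NET` and the `apply` argument are assumptions of this script; the DNAT rule that maps the Internet address to 192.168.4.1 is not shown on the page and is left out.

```shell
#!/bin/sh
# Added example (not from the thread): minimal default-deny iptables rules for a
# firewall in front of an internal web server. Addresses come from the thread;
# IPT and ADMIN_NET are assumptions. Set IPT=echo to preview the commands
# without touching the kernel.
IPT="${IPT:-iptables}"
WEB_SERVER="${WEB_SERVER:-192.168.4.1}"   # the thread's web server behind the firewall
ADMIN_NET="${ADMIN_NET:-192.168.4.0/24}"  # assumed: LAN allowed to SSH to the firewall

build_rules() {
    # Start clean with deny-by-default policies on INPUT and FORWARD.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # Accept tracked replies FIRST. If this comes after a "NEW but not SYN"
    # check, a SYN/ACK that conntrack has no SYN for is logged as
    # "New not syn" and dropped, which is the symptom in the log above.
    for chain in INPUT FORWARD; do
        $IPT -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A $chain -p tcp ! --syn -m state --state NEW \
            -j LOG --log-prefix "New not syn: " --log-level warning
        $IPT -A $chain -p tcp ! --syn -m state --state NEW -j DROP
    done

    # Services the asker wants reachable on the firewall itself.
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m state --state NEW -j ACCEPT

    # Only new HTTP connections may be forwarded to the internal web server.
    $IPT -A FORWARD -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT

    # Everything else: rate-limited log, then drop.
    for chain in INPUT FORWARD; do
        $IPT -A $chain -m limit --limit 3/min --limit-burst 3 \
            -j LOG --log-prefix "$chain packet died: " --log-level warning
        $IPT -A $chain -j DROP
    done
}

# Apply only when explicitly asked: sh firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```

Preview with `IPT=echo sh firewall.sh apply` and compare against `iptables -L -n -v` after applying; the rate-limited LOG lines land in the kernel log with the same prefix style the generator used.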
Glad you sorted it out!
Cheers,
IceRaven.