Solved

Linux Firewall Rules

Posted on 2004-04-20
8
273 Views
Last Modified: 2013-11-16
Hey all,

Need a standard set of rules that I can apply to Linux (Red Hat 9 specifically) IPtables.  Basically I want to allow web (80) and remote admin if possible.  After that, deny everything else and log it.  

I'm a complete new at Linux, so verbose commands etc would be very helpful.  Thanks!

0
Comment
Question by:Kyle Abrahams
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
8 Comments
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 10875313
(I realize there is no set standard, but I want the most secure/restrictive settings possible.)
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10875349
Hi ged325,

I would use this iptables generator

Easy to use, great security, the file that is generated has the information on how to implement it in a redhat system.

Cheers,
IceRaven
0
 
LVL 7

Accepted Solution

by:
IceRaven earned 500 total points
ID: 10875352
Hi ged325,

Use this site, just enter your computer and port details.  Instructions for installing the file are included in the file that is produced in the end.

http://www.e3.com.au/firewall/index.php

Cheers,
IceRaven
0
What, When and Where - Security Threats from Q1

Join Corey Nachreiner, CTO, and Marc Laliberte, Information Security Threat Analyst, on July 26th as they explore their key findings from the first quarter of 2017.

 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 10936512
Still looking into this, sorry I haven't responded in a while, things got a little hectic around here, didn't forget about ya.

0
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 11014652
I've tried using that script:  Here are the rules:
I've put as many comments as possible, but it's still cutting off my 80 from the internal network.  (Haven't tried from web.)

NOTE:
192.168.4.1 = webserver  (windows Machine)
192.168.4.2 = Local side address of firewall.
192.168.3.2 = Internet side of address of firewall.


Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere          
bad_packets  all  --  anywhere             anywhere          
ACCEPT     all  --  192.168.4.0/24       anywhere          
ACCEPT     all  --  anywhere             192.168.4.255      
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
tcp_inbound  tcp  --  anywhere             anywhere          
udp_inbound  udp  --  anywhere             anywhere          
icmp_packets  icmp --  anywhere             anywhere          

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
bad_packets  all  --  anywhere             anywhere          
tcp_outbound  tcp  --  anywhere             anywhere          
udp_outbound  udp  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.4.1        tcp dpt:http
LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level warning prefix `FORWARD packet died: '

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
DROP       icmp --  anywhere             anywhere           state INVALID
ACCEPT     all  --  192.168.4.2          anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  Linux-Firewall       anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level warning prefix `OUTPUT packet died: '

Chain bad_packets (2 references)
target     prot opt source               destination        
LOG        all  --  anywhere             anywhere           state INVALID LOG level warning prefix `Invalid packet: '
DROP       all  --  anywhere             anywhere           state INVALID
bad_tcp_packets  tcp  --  anywhere             anywhere          
RETURN     all  --  anywhere             anywhere          

Chain bad_tcp_packets (1 references)
target     prot opt source               destination        
RETURN     tcp  --  anywhere             anywhere          
LOG        tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN LOG level warning prefix `New not syn:'
DROP       tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere          

Chain icmp_packets (1 references)
target     prot opt source               destination        
ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded
RETURN     icmp --  anywhere             anywhere          

Chain icmp_pakets (0 references)
target     prot opt source               destination        

Chain tcp_inbound (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:https
#35 shouldn't be in here, I need to remove.
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:35  
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere          

Chain tcp_outbound (1 references)
target     prot opt source               destination        
REJECT     tcp  --  anywhere             anywhere           tcp dpt:irc reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:telnet reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:nntp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:ftp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:ftp-data reject-with icmp-port-unreachable
#5190 AIM, 4443 Yahoo, 1863 MSN
REJECT     tcp  --  anywhere             anywhere           tcp dpt:5190 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:4443 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:1863 reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere          

Chain udp_inbound (1 references)
target     prot opt source               destination        
#drop netbios noise.
DROP       udp  --  anywhere             anywhere           udp dpt:netbios-ns
DROP       udp  --  anywhere             anywhere           udp dpt:netbios-dgm
RETURN     udp  --  anywhere             anywhere          

Chain udp_outbound (1 references)
target     prot opt source               destination        
REJECT     udp  --  anywhere             anywhere           udp dpt:4000 reject-with icmp-port-unreachable
ACCEPT     udp  --  anywhere             anywhere          
0
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 11014790
checking logs:

"New Not Syn: " In=eth0 (192.168.3.2.),   out=eth0, SRC= 192.168.4.1, dst = 192.168.3.1(machine I'm trying to access from),
LEN = 48 TOS=0x00 TTL = 127 ID = 1527 DF PROTO = TCP SPT = 80 DPT = 3492 WINDOW = 64240 RES=0x00 ACK SYN URGP
0
 
LVL 40

Author Comment

by:Kyle Abrahams
ID: 11015574
Got it, Had to add:

ACCEPT     tcp  --  192.168.4.1             anywhere           tcp spt:http  flags:SYN, FIN, ACK/SYN
RETURN     tcp  --  192.168.4.1             anywhere           tcp spt:http  flags:SYN, FIN, ACK/SYN


to bad_tcp_packets.


Thanks for your help.
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 11020173
Glad you sorted it out!

Cheers,
IceRaven.
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question