Solved

Iptables rules

Posted on 2004-04-21
7
1,666 Views
Last Modified: 2010-05-18
Hello experts,

I created a Linux server with Debian 3.0. The whole purpose of this server is to share the internet with squid, only the http and ftp ports. I'm very new to iptables and I need rules which will protect my server from outside on every port which I do not need to share the internet, except port 22 ssh. Can anybody help me with iptables rules and write some rules with comments? Or if there is a better solution to protect my server, please let me know.

eth0 1.1.1.1 mask 255.255.255.252(external IP)
eth1 192.168.1.1 mask 255.255.0.0 (internal IP)

thanks

LUXANA
0
Question by:Luxana
7 Comments
 
LVL 3

Expert Comment

by:adallen
ID: 10885753
I use iptables on my RedHat firewalls.  This is a copy of what I use:

---SNIP---

# eth1 = internal interface
# eth0 = external interface
#
# Add the following two lines to your /etc/syslog.conf file
# kern.crit;kern.!alert                                 /var/log/fw.hostile
# kern.notice;kern.!warn                                /var/log/fw.outbound

# Remove all current iptables rules
iptables -F
iptables -X

# Set up masquerading and allow forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables --modprobe=iptable_nat -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# PACKET NETWORK ADDRESS TRANSLATION # NAT #

# Default Policies
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Set up rules to be followed for connections from outside
# Allow only inbound port 22; log all others
iptables -N CHECKIN
iptables -A CHECKIN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Don't log broadcast
iptables -A CHECKIN -d 10.0.0.255 -j DROP
iptables -A CHECKIN -d 255.255.255.255 -j DROP
iptables -A CHECKIN -p tcp --dport 22 -m state --state \
            NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A CHECKIN -j LOG --log-level crit --log-prefix 'Firewall ' \
            -m limit --limit 1/m --limit-burst 5
iptables -A CHECKIN -j DROP

# Set up rules to be followed for connections headed outside
# Allow all connections already established
# Allow DNS, SSH, HTTP, HTTPS, Real Time Streaming, POP, and SMTP
# without logging.
# Allow all others, but log
iptables -N CHECKOUT
iptables -A CHECKOUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A CHECKOUT -p udp --dport 53 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 40001 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 80 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 8080 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 443 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 554 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 110 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 25 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 22 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 6010 -j ACCEPT
iptables -A CHECKOUT -p tcp -m state --state NEW -j LOG --log-level \
            notice --log-prefix 'Firewall ' -m limit --limit 4/m --limit-burst 1
iptables -A CHECKOUT -p udp -j LOG --log-level notice --log-prefix \
            'Firewall ' -m limit --limit 4/m --limit-burst 1
iptables -A CHECKOUT -j ACCEPT

# If headed out from inside (Masquerade), send to CHECKOUT chain
# If coming from outside, send to CHECKIN chain
# If headed in from outside and new or invalid, send to CHECKIN chain
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -j CHECKOUT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -j CHECKIN
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A OUTPUT -o eth0 -j CHECKOUT

# set the MTU of the interfaces to the correct size. this is usually
# smaller than usual, since pppoe does some more encapsulating.  If you
# don't, ping to the outside world should work, but almost any other
# TCP connection (like FTP or HTTP) will fail.  According to Daniel
# Roethlingsberger, this can also be done at interface level (try
# 'ifconfig mtu XXX'), but there's nothing wrong with taking the
# following line in your iptables, too.
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j \
                        TCPMSS --clamp-mss-to-pmtu

# Reset counters
iptables -Z
0
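An added example, not from adallen's post or anyone else in this thread: a POSIX shell script that generates a ruleset in iptables-restore format (the format the asker's own save/restore script consumes), tailored to the question as asked. It assumes eth0 is the external interface, eth1 faces 192.168.0.0/16, squid runs on this box and listens on its default port 3128, and SSH is the only service that should be reachable from eth0. Because LAN clients talk to squid on the box rather than being routed through it, the script assumes no forwarding or masquerading is needed and gives FORWARD a DROP policy; everything else arriving on eth0 is logged with a rate limit (same 'Firewall ' prefix as adallen's script) and dropped.

```shell
#!/bin/sh
# Added example (not part of the thread): build an iptables-restore ruleset
# for a squid proxy box with two interfaces.  Assumptions: eth0 is the
# external interface, eth1 faces 192.168.0.0/16, squid listens on 3128.
# Usage:  sh gen_rules.sh > /etc/iptables.rules
#         sh gen_rules.sh apply      # pipes the ruleset into iptables-restore

EXT_IF="eth0"
INT_IF="eth1"
LAN="192.168.0.0/16"
SQUID_PORT="3128"   # assumed default squid port

# Print the complete ruleset.  Only the filter table is needed: clients talk
# to squid on this host and nothing is routed through it, so no nat table.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:CHECKIN - [0:0]
# loopback, and replies to connections this host (squid, dns, ssh) opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# LAN side: squid and ssh only, and only from the LAN prefix
-A INPUT -i ${INT_IF} -s ${LAN} -p tcp --dport ${SQUID_PORT} -m state --state NEW -j ACCEPT
-A INPUT -i ${INT_IF} -s ${LAN} -p tcp --dport 22 -m state --state NEW -j ACCEPT
# internet side: hand everything to CHECKIN
-A INPUT -i ${EXT_IF} -j CHECKIN
# CHECKIN: new ssh is accepted, anything else is logged (rate limited) and dropped
-A CHECKIN -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A CHECKIN -m limit --limit 1/minute --limit-burst 5 -j LOG --log-level crit --log-prefix "Firewall "
-A CHECKIN -j DROP
COMMIT
EOF
}

# Count the rules in CHECKIN that accept NEW connections: a quick sanity check
# that exactly one service (ssh) is exposed to the internet.
exposed_services() {
    gen_ruleset | grep -c -- '^-A CHECKIN .*--state NEW -j ACCEPT'
}

case "${1:-print}" in
    apply) gen_ruleset | iptables-restore ;;
    *)     gen_ruleset ;;
esac
```

Keeping the policy in a generated file rather than typed commands means a mistake can be reviewed before it is loaded, and a reboot restores the same ruleset. The ESTABLISHED,RELATED rule at the top of INPUT is what lets squid's own outbound HTTP and FTP sessions receive their replies while the INPUT policy stays DROP.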
 
LVL 10

Author Comment

by:Luxana
ID: 10887570
hello  adallen

Thanks for the help, but I'm afraid that I will need more help to make it work. Please can you put more comments in your script; remember I'm just a beginner. How can I use this script? The way I'm setting up iptables is that I'm typing commands into Konsole. I wrote a script which allows me to save and start packet filtering. My script is using the iptables-save and iptables-restore commands. I'll copy your script here and put some more questions about it there. I'm going to double the points for you. I'll put @ in front of my comments. Thanks for your patience.

LUXANA

---SNIP---
@ this is clear
# eth1 = internal interface
# eth0 = external interface
#
# Add the following two lines to your /etc/syslog.conf file
@ I did this, but is it OK with the #? Doesn't it take the rest of the line as a comment?
# kern.crit;kern.!alert                                 /var/log/fw.hostile
# kern.notice;kern.!warn                                /var/log/fw.outbound
@clear
# Remove all current iptables rules
iptables -F
iptables -X
@ clear but I think I do not need masquerade
# Set up masquerading and allow forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables --modprobe=iptable_nat -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# PACKET NETWORK ADDRESS TRANSLATION # NAT #
@ not completely clear
# Default Policies
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Set up rules to be followed for connections from outside
# Allow only inbound port 22; log all others
iptables -N CHECKIN
iptables -A CHECKIN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Don't log broadcast
@ here, do I need to change this to my 192.168.1.1 or not, and what about the mask?
iptables -A CHECKIN -d 10.0.0.255 -j DROP
iptables -A CHECKIN -d 255.255.255.255 -j DROP
@ the \ character means a new line, doesn't it?
iptables -A CHECKIN -p tcp --dport 22 -m state --state \
            NEW,ESTABLISHED,RELATED -j ACCEPT
@ not clear. What about the string Firewall?
iptables -A CHECKIN -j LOG --log-level crit --log-prefix 'Firewall ' \
            -m limit --limit 1/m --limit-burst 5
iptables -A CHECKIN -j DROP
@ what is CHECKOUT doing?
# Set up rules to be followed for connections headed outside
# Allow all connections already established
# Allow DNS, SSH, HTTP, HTTPS, Real Time Streaming, POP, and SMTP
# without logging.
# Allow all others, but log
iptables -N CHECKOUT
iptables -A CHECKOUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A CHECKOUT -p udp --dport 53 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 40001 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 80 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 8080 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 443 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 554 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 110 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 25 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 22 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 6010 -j ACCEPT
@ rest of script no idea
iptables -A CHECKOUT -p tcp -m state --state NEW -j LOG --log-level \
            notice --log-prefix 'Firewall ' -m limit --limit 4/m --limit-burst 1
iptables -A CHECKOUT -p udp -j LOG --log-level notice --log-prefix \
            'Firewall ' -m limit --limit 4/m --limit-burst 1
iptables -A CHECKOUT -j ACCEPT

# If headed out from inside (Masquerade), send to CHECKOUT chain
# If coming from outside, send to CHECKIN chain
# If headed in from outside and new or invalid, send to CHECKIN chain
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -j CHECKOUT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -j CHECKIN
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A OUTPUT -o eth0 -j CHECKOUT

# set the MTU of the interfaces to the correct size. this is usually
# smaller than usual, since pppoe does some more encapsulating.  If you
# don't, ping to the outside world should work, but almost any other
# TCP connection (like FTP or HTTP) will fail.  According to Daniel
# Roethlingsberger, this can also be done at interface level (try
# 'ifconfig mtu XXX'), but there's nothing wrong with taking the
# following line in your iptables, too.
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j \
                        TCPMSS --clamp-mss-to-pmtu

# Reset counters
iptables -Z
0
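An added example, not from anyone in this thread, picking up the question about the 'Firewall ' string: the `--log-prefix` is what the kernel writes in front of every logged packet, so it is the handle you search for in the log (with adallen's syslog.conf lines, the CHECKIN drops land in /var/log/fw.hostile). This POSIX shell script summarises such a log by source address, protocol and destination port. The sample log it writes is constructed for the example, using documentation-range addresses, and follows the KEY=VALUE layout of the kernel's LOG target.

```shell
#!/bin/sh
# Added example (not part of the thread): summarise what the CHECKIN LOG rule
# writes.  Every record carries the 'Firewall ' prefix, so that prefix is the
# thing to grep for.  Usage:  sh fw_hostile.sh /var/log/fw.hostile

# Print "count src proto dport" for every logged source/port pair, busiest first.
summarize_fw_log() {
    grep 'kernel:.*Firewall ' "$1" | awk '
    {
        src = ""; proto = "?"; dpt = "-"
        # netfilter LOG output is a run of KEY=VALUE fields
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")        src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT")   dpt = kv[2]
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Total number of dropped packets logged from one source address.
hits_for_source() {
    summarize_fw_log "$1" | awk -v s="$2" '$2 == s { n += $1 } END { print n + 0 }'
}

# Write a constructed sample log (documentation-range addresses, made up for
# this example) to the given file.  The last line is an unrelated kernel
# message, included to show that it is filtered out by the prefix.
make_sample_log() {
    cat > "$1" <<'EOF'
Apr 21 12:00:01 gw kernel: Firewall IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=1.1.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40001 DPT=23 WINDOW=512 RES=0x00 SYN URGP=0
Apr 21 12:00:02 gw kernel: Firewall IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=1.1.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=40002 DPT=23 WINDOW=512 RES=0x00 SYN URGP=0
Apr 21 12:00:03 gw kernel: Firewall IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=1.1.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=40003 DPT=445 WINDOW=512 RES=0x00 SYN URGP=0
Apr 21 12:00:04 gw kernel: Firewall IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.9 DST=1.1.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=4 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 21 12:00:05 gw kernel: eth0: link is up
EOF
}

if [ $# -ge 1 ]; then
    summarize_fw_log "$1"
fi
```

Because the LOG rule in CHECKIN sits behind `-m limit --limit 1/m --limit-burst 5`, the counts here are a lower bound: a burst of probes produces at most a handful of log lines per minute, which keeps the disk safe but means the summary shows who is knocking, not exactly how often.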
 
LVL 12

Accepted Solution

by:
j2 earned 100 total points
ID: 10898954
Why not install Shorewall, a very potent firewall, which is also available as a Debian package? After installation, you need the following changes

/etc/shorewall/interfaces
net eth0 detect
loc eth1 detect


/etc/shorewall/rules
#accept SSH from local and net
ACCEPT net $FW tcp ssh
ACCEPT loc $FW tcp ssh

#Accept squid from local to FW
ACCEPT loc $FW tcp 3128

#Allow squid to talk to ports 80,81,21,443
ACCEPT $FW net tcp 80,81,21,443

/etc/defaults/shorewall
Change Startup=0 to Startup=1


Shorewall does a LOT of tasks which you will not find in any other script I have seen, and also has a highly active and friendly user community on the mailing lists.

0
 
LVL 10

Author Comment

by:Luxana
ID: 10916674
Hello j2

Thanks for your help, but it seems that I have trouble with starting up shorewall. I get the warning message: Can't locate module ip6_tables.
ip6tables v1.2.6a: can't initialize ip6tables table `filter': Address family not supperted by protocol.

What should I do now?

I was able to run shorewall for first time but when I stop it I can't get it run again.

Luxana
0
 
LVL 12

Expert Comment

by:j2
ID: 10920507
That is a FAQ. -- set DISABLE_IPV6=No in shorewall.conf.
0
 
LVL 10

Author Comment

by:Luxana
ID: 10977731
hello j2

Finally I got it to work.

thanks
0
 
LVL 12

Expert Comment

by:j2
ID: 10979205
Great!

There is a newbie mailing list on the Shorewall website. You might want to consider subscribing to it, since it is a very friendly user community.
0

Question has a verified solution.