Solved

Iptables rules

Posted on 2004-04-21
Last Modified: 2010-05-18
Hello experts,

I created a Linux server with Debian 3.0. The whole purpose of this server is to share internet with squid, only the http and ftp ports. I'm very new to iptables and I need rules which will protect my server from outside on every port which I do not need to share internet, except port 22 ssh. Can anybody help me with iptables rules and write some rules with comments? Or if there is a better solution to protect my server, please let me know.

eth0 1.1.1.1 mask 255.255.255.252(external IP)
eth1 192.168.1.1 mask 255.255.0.0 (internal IP)

thanks

LUXANA
Question by:Luxana
7 Comments
 
LVL 3

Expert Comment

by:adallen
ID: 10885753
I use iptables on my RedHat firewalls.  This is a copy of what I use:

---SNIP---

# eth1 = internal interface
# eth0 = external interface
#
# Add the following two lines to your /etc/syslog.conf file
# kern.crit;kern.!alert                                 /var/log/fw.hostile
# kern.notice;kern.!warn                                /var/log/fw.outbound

# Remove all current iptables rules
iptables -F
iptables -X

# Set up masquerading and allow forwarding
# (the second MASQUERADE line retries with the NAT module loaded explicitly)
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables --modprobe=iptable_nat -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# PACKET NETWORK ADDRESS TRANSLATION # NAT #

# Default Policies
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Set up rules to be followed for connections from outside
# Allow only inbound port 22; log all others
iptables -N CHECKIN
iptables -A CHECKIN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Don't log broadcast
iptables -A CHECKIN -d 10.0.0.255 -j DROP
iptables -A CHECKIN -d 255.255.255.255 -j DROP
iptables -A CHECKIN -p tcp --dport 22 -m state --state \
            NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A CHECKIN -j LOG --log-level crit --log-prefix 'Firewall ' \
            -m limit --limit 1/m --limit-burst 5
iptables -A CHECKIN -j DROP

# Set up rules to be followed for connections headed outside
# Allow all connections already established
# Allow DNS, SSH, HTTP, HTTPS, Real Time Streaming, POP, and SMTP
# without logging.
# Allow all others, but log
iptables -N CHECKOUT
iptables -A CHECKOUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A CHECKOUT -p udp --dport 53 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 40001 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 80 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 8080 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 443 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 554 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 110 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 25 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 22 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 6010 -j ACCEPT
iptables -A CHECKOUT -p tcp -m state --state NEW -j LOG --log-level \
            notice --log-prefix 'Firewall ' -m limit --limit 4/m --limit-burst 1
iptables -A CHECKOUT -p udp -j LOG --log-level notice --log-prefix \
            'Firewall ' -m limit --limit 4/m --limit-burst 1
iptables -A CHECKOUT -j ACCEPT

# If headed out from inside (Masquerade), send to CHECKOUT chain
# If coming from outside, send to CHECKIN chain
# If headed in from outside and new or invalid, send to CHECKIN chain
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -j CHECKOUT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -j CHECKIN
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A OUTPUT -o eth0 -j CHECKOUT

# set the MTU of the interfaces to the correct size. this is usually
# smaller than usual, since pppoe does some more encapsulating.  If you
# don't, ping to the outside world should work, but almost any other
# TCP connection (like FTP or HTTP) will fail.  According to Daniel
# Roethlingsberger, this can also be done at interface level (try
# 'ifconfig mtu XXX'), but there's nothing wrong with taking the
# following line in your iptables, too.
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j \
                        TCPMSS --clamp-mss-to-pmtu

# Reset counters
iptables -Z
 
LVL 10

Author Comment

by:Luxana
ID: 10887570
hello  adallen

Thanks for the help, but I'm afraid that I will need more help to make it work. Please can you put more comments in your script; remember I'm just a beginner. How can I use this script? The way I'm setting up iptables is that I'm typing commands into the console. I wrote a script which allows me to save and start packet filtering. My script is using the iptables-save and iptables-restore commands. I'll copy your script here and put some more questions about it there. I'm going to double the points for you. I'll put @ in front of my comments. Thanks for your patience.

LUXANA

---SNIP---
@ this is clear
# eth1 = internal interface
# eth0 = external interface
#
# Add the following two lines to your /etc/syslog.conf file
@ I did this, but is it OK with the #? Doesn't it take the rest of the line as a comment?
# kern.crit;kern.!alert                                 /var/log/fw.hostile
# kern.notice;kern.!warn                                /var/log/fw.outbound
@ clear
# Remove all current iptables rules
iptables -F
iptables -X
@ clear, but I think I do not need masquerade
# Set up masquerading and allow forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables --modprobe=iptable_nat -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# PACKET NETWORK ADDRESS TRANSLATION # NAT #
@ not completely clear
# Default Policies
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Set up rules to be followed for connections from outside
# Allow only inbound port 22; log all others
iptables -N CHECKIN
iptables -A CHECKIN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Don't log broadcast
@ here I need to change to my 192.168.1.1 or not, and what about the mask?
iptables -A CHECKIN -d 10.0.0.255 -j DROP
iptables -A CHECKIN -d 255.255.255.255 -j DROP
@ the \ character means new line, doesn't it?
iptables -A CHECKIN -p tcp --dport 22 -m state --state \
            NEW,ESTABLISHED,RELATED -j ACCEPT
@ not clear. What about the string Firewall?
iptables -A CHECKIN -j LOG --log-level crit --log-prefix 'Firewall ' \
            -m limit --limit 1/m --limit-burst 5
iptables -A CHECKIN -j DROP
@ what does CHECKOUT do?
# Set up rules to be followed for connections headed outside
# Allow all connections already established
# Allow DNS, SSH, HTTP, HTTPS, Real Time Streaming, POP, and SMTP
# without logging.
# Allow all others, but log
iptables -N CHECKOUT
iptables -A CHECKOUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A CHECKOUT -p udp --dport 53 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 40001 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 80 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 8080 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 443 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 554 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 110 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 25 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 22 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 6010 -j ACCEPT
@ rest of script: no idea
iptables -A CHECKOUT -p tcp -m state --state NEW -j LOG --log-level \
            notice --log-prefix 'Firewall ' -m limit --limit 4/m --limit-burst 1
iptables -A CHECKOUT -p udp -j LOG --log-level notice --log-prefix \
            'Firewall ' -m limit --limit 4/m --limit-burst 1
iptables -A CHECKOUT -j ACCEPT

# If headed out from inside (Masquerade), send to CHECKOUT chain
# If coming from outside, send to CHECKIN chain
# If headed in from outside and new or invalid, send to CHECKIN chain
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -j CHECKOUT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -j CHECKIN
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A OUTPUT -o eth0 -j CHECKOUT

# set the MTU of the interfaces to the correct size. this is usually
# smaller than usual, since pppoe does some more encapsulating.  If you
# don't, ping to the outside world should work, but almost any other
# TCP connection (like FTP or HTTP) will fail.  According to Daniel
# Roethlingsberger, this can also be done at interface level (try
# 'ifconfig mtu XXX'), but there's nothing wrong with taking the
# following line in your iptables, too.
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j \
                        TCPMSS --clamp-mss-to-pmtu

# Reset counters
iptables -Z
 
LVL 12

Accepted Solution

by:j2 (earned 400 total points)
ID: 10898954
Why not install shorewall, a very potent firewall, which is also available as a Debian package. After installation, you need the following changes:

/etc/shorewall/interfaces
net eth0 detect
loc eth1 detect


/etc/shorewall/rules
#accept SSH from local and net
ACCEPT net $FW tcp ssh
ACCEPT loc $FW tcp ssh

#Accept squid from local to FW
ACCEPT loc $FW tcp 3128

#Allow squid to talk to ports 80,81,21,443
ACCEPT $FW net tcp 80,81,21,443

/etc/defaults/shorewall
Change Startup=0 to Startup=1


Shorewall does a LOT of tasks which you will not find in any other script I have seen, and it also has a highly active and friendly user community on the mailing lists.

 
LVL 10

Author Comment

by:Luxana
ID: 10916674
Hello j2

Thanks for your help, but it seems that I have trouble with starting up shorewall. I get the warning message: Can't locate module ip6_tables.
ip6tables v1.2.6a: can't initialize ip6tables table `filter': Address family not supported by protocol.

What should I do now?

I was able to run shorewall for first time but when I stop it I can't get it run again.

Luxana
 
LVL 12

Expert Comment

by:j2
ID: 10920507
That is a FAQ. -- set DISABLE_IPV6=No in shorewall.conf.
 
LVL 10

Author Comment

by:Luxana
ID: 10977731
hello j2

Finally I got it to work.

thanks
 
LVL 12

Expert Comment

by:j2
ID: 10979205
Great!

There is a newbie-mailinglist on the shorewall website. You might want to consider subscribing to it, since it is a very friendly user community.