Solved

Iptables rules

Posted on 2004-04-21
Last Modified: 2010-05-18
Hello experts,

I created a Linux server with Debian 3.0. The whole purpose of this server is to share the internet with squid, only the http and ftp ports. I'm very new to iptables and I need rules which will protect my server from outside on every port which I do not need to share the internet, except port 22 ssh. Can anybody help me with iptables rules and write some rules with comments? Or if there is a better solution to protect my server, please let me know.

eth0 1.1.1.1 mask 255.255.255.252 (external IP)
eth1 192.168.1.1 mask 255.255.0.0 (internal IP)

Thanks

LUXANA
Question by:Luxana
LVL 3
Expert Comment
by:adallen
I use iptables on my RedHat firewalls. This is a copy of what I use:

---SNIP---

# eth1 = internal interface
# eth0 = external interface
#
# Add the following two lines to your /etc/syslog.conf file
# kern.crit;kern.!alert                                 /var/log/fw.hostile
# kern.notice;kern.!warn                                /var/log/fw.outbound

# Remove all current iptables rules
iptables -F
iptables -X

# Set up masquerading and allow forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables --modprobe=iptable_nat -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# PACKET NETWORK ADDRESS TRANSLATION # NAT #

# Default Policies
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Set up rules to be followed for connections from outside
# Allow only inbound port 22; log all others
iptables -N CHECKIN
iptables -A CHECKIN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Don't log broadcast
# (10.0.0.255 is the broadcast address of the LAN behind this firewall;
# use the broadcast address of your own subnet)
iptables -A CHECKIN -d 10.0.0.255 -j DROP
iptables -A CHECKIN -d 255.255.255.255 -j DROP
# A trailing backslash continues the command on the next line
iptables -A CHECKIN -p tcp --dport 22 -m state --state \
            NEW,ESTABLISHED,RELATED -j ACCEPT
# --log-prefix tags each kernel log line so it can be grepped for;
# -m limit rate-limits the logging so a scan cannot flood the log
iptables -A CHECKIN -j LOG --log-level crit --log-prefix 'Firewall ' \
            -m limit --limit 1/m --limit-burst 5
iptables -A CHECKIN -j DROP

# Set up rules to be followed for connections headed outside
# Allow all connections already established
# Allow DNS, SSH, HTTP, HTTPS, Real Time Streaming, POP, and SMTP
# without logging.
# Allow all others, but log
iptables -N CHECKOUT
iptables -A CHECKOUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A CHECKOUT -p udp --dport 53 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 40001 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 80 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 8080 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 443 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 554 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 110 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 25 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 22 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 6010 -j ACCEPT
iptables -A CHECKOUT -p tcp -m state --state NEW -j LOG --log-level \
            notice --log-prefix 'Firewall ' -m limit --limit 4/m --limit-burst 1
iptables -A CHECKOUT -p udp -j LOG --log-level notice --log-prefix \
            'Firewall ' -m limit --limit 4/m --limit-burst 1
iptables -A CHECKOUT -j ACCEPT

# If headed out from inside (Masquerade), send to CHECKOUT chain
# If coming from outside, send to CHECKIN chain
# If headed in from outside and new or invalid, send to CHECKIN chain
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -j CHECKOUT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -j CHECKIN
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A OUTPUT -o eth0 -j CHECKOUT

# set the MTU of the interfaces to the correct size. this is usually
# smaller than usual, since pppoe does some more encapsulating.  If you
# don't, ping to the outside world should work, but almost any other
# TCP connection (like FTP or HTTP) will fail.  According to Daniel
# Roethlingsberger, this can also be done at interface level (try
# 'ifconfig mtu XXX'), but there's nothing wrong with taking the
# following line in your iptables, too.
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j \
                        TCPMSS --clamp-mss-to-pmtu

# Reset counters
iptables -Z
LVL 10
Author Comment
by:Luxana
Hello adallen

Thanks for the help, but I'm afraid that I will need more help to make it work. Please can you put more comments in your script; remember I'm just a beginner. How can I use this script? The way I'm setting up iptables is that I'm typing commands into Konsole. I wrote a script which allows me to save and start packet filtering. My script is using the iptables-save and iptables-restore commands. I'll copy your script here and put some more questions about it. I'm going to double the points for you. I'll put @ in front of my comments. Thanks for your patience.

LUXANA

---SNIP---
@ this is clear
# eth1 = internal interface
# eth0 = external interface
#
# Add the following two lines to your /etc/syslog.conf file
@ I did this, but is it ok with #? Doesn't it take the rest of the line as a comment?
# kern.crit;kern.!alert                                 /var/log/fw.hostile
# kern.notice;kern.!warn                                /var/log/fw.outbound
@ clear
# Remove all current iptables rules
iptables -F
iptables -X
@ clear, but I think I do not need masquerade
# Set up masquerading and allow forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables --modprobe=iptable_nat -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# PACKET NETWORK ADDRESS TRANSLATION # NAT #
@ not completely clear
# Default Policies
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Set up rules to be followed for connections from outside
# Allow only inbound port 22; log all others
iptables -N CHECKIN
iptables -A CHECKIN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Dont log broadcast
@ here, do I need to change this to my 192.168.1.1 or not, and what about the mask?
iptables -A CHECKIN -d 10.0.0.255 -j DROP
iptables -A CHECKIN -d 255.255.255.255 -j DROP
@ the \ character means a new line, does it not?
iptables -A CHECKIN -p tcp --dport 22 -m state --state \
            NEW,ESTABLISHED,RELATED -j ACCEPT
@ not clear. What about the string Firewall?
iptables -A CHECKIN -j LOG --log-level crit --log-prefix 'Firewall ' \
            -m limit --limit 1/m --limit-burst 5
iptables -A CHECKIN -j DROP
@ what is CHECKOUT doing?
# Set up rules to be followed for connections headed outside
# Allow all connections already established
# Allow DNS, SSH, HTTP, HTTPS, Real Time Streaming, POP, and SMTP
# without logging.
# Allow all others, but log
iptables -N CHECKOUT
iptables -A CHECKOUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A CHECKOUT -p udp --dport 53 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 40001 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 80 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 8080 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 443 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 554 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 110 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 25 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 22 -j ACCEPT
iptables -A CHECKOUT -p tcp --dport 6010 -j ACCEPT
@ rest of the script, no idea
iptables -A CHECKOUT -p tcp -m state --state NEW -j LOG --log-level \
            notice --log-prefix 'Firewall ' -m limit --limit 4/m --limit-burst 1
iptables -A CHECKOUT -p udp -j LOG --log-level notice --log-prefix \
            'Firewall ' -m limit --limit 4/m --limit-burst 1
iptables -A CHECKOUT -j ACCEPT

# If headed out from inside (Masquerade), send to CHECKOUT chain
# If coming from outside, send to CHECKIN chain
# If headed in from outside and new or invalid, send to CHECKIN chain
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -j CHECKOUT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -j CHECKIN
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A OUTPUT -o eth0 -j CHECKOUT

# set the MTU of the interfaces to the correct size. this is usually
# smaller than usual, since pppoe does some more encapsulating.  If you
# don't, ping to the outside world should work, but almost any other
# TCP connection (like FTP or HTTP) will fail.  According to Daniel
# Roethlingsberger, this can also be done at interface level (try
# 'ifconfig mtu XXX'), but there's nothing wrong with taking the
# following line in your iptables, too.
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j \
                        TCPMSS --clamp-mss-to-pmtu

# Reset counters
iptables -Z
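As an added example (not adallen's script, not Luxana's post, and not what j2 proposes), the same chain design as the script above, written in the iptables-restore format Luxana says her own script loads, and fitted to the two interfaces given in the question. It assumes squid listens on port 3128 and that LAN clients reach the internet only through squid, so nothing is forwarded and no MASQUERADE is needed; the loopback rule and the INVALID drop are additions the original script lacks.

```shell
#!/bin/sh
# Added example (not adallen's or Luxana's script): print an iptables-restore
# ruleset for the layout in the question: eth0 = 1.1.1.1/30 external,
# eth1 = 192.168.1.1/16 internal, squid running on the firewall itself.
# Assumptions: squid listens on 3128 (as in j2's rules); clients use squid
# rather than NAT, so nothing is forwarded and no MASQUERADE is needed.
LAN_NET="192.168.0.0/16"   # 192.168.1.1 with mask 255.255.0.0
SQUID_PORT=3128

gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:CHECKIN - [0:0]
# Loopback first: with INPUT DROP and no lo rule, squid cannot reach a
# local resolver and anything talking to 127.0.0.1 fails.
-A INPUT -i lo -j ACCEPT
# LAN side: only what the LAN needs from this box (squid, ssh, ping).
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
-A INPUT -i eth1 -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -s $LAN_NET -p icmp -j ACCEPT
# Internet side goes through CHECKIN, as in adallen's script.
-A INPUT -i eth0 -j CHECKIN
-A CHECKIN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A CHECKIN -m state --state INVALID -j DROP
# Broadcasts: use the limited broadcast address, not another site's subnet.
-A CHECKIN -d 255.255.255.255 -j DROP
-A CHECKIN -p tcp --dport 22 -m state --state NEW -j ACCEPT
# "Firewall " is only a tag written at the start of each kernel log line
# (grep for it in syslog); -m limit keeps a port scan from flooding the log.
-A CHECKIN -m limit --limit 1/m --limit-burst 5 -j LOG --log-level crit --log-prefix "Firewall "
-A CHECKIN -j DROP
COMMIT
EOF
}

# Rules that admit NEW connections arriving on eth0: should be exactly one (ssh).
count_new_from_eth0() {
    gen_rules | grep -c -- '^-A CHECKIN -p tcp --dport [0-9]* -m state --state NEW -j ACCEPT'
}

# Usage: gen_rules > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
```

Lines beginning with # are ignored by iptables-restore, so the file can be loaded as printed.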
LVL 12
Accepted Solution
by:j2 (earned 100 total points)
Why not install shorewall, a very potent firewall, which is also available as a Debian package. After installation, you need the following changes:

/etc/shorewall/interfaces
net eth0 detect
loc eth1 detect


/etc/shorewall/rules
#accept SSH from local and net
ACCEPT net $FW tcp ssh
ACCEPT loc $FW tcp ssh

#Accept squid from local to FW
ACCEPT loc $FW tcp 3128

#Allow squid to talk to ports 80,81,21,443
ACCEPT $FW net tcp 80,81,21,443

/etc/defaults/shorewall
Change Startup=0 to Startup=1


Shorewall does a LOT of tasks which you will not find in any other script I have seen, and also has a highly active and friendly user community on the mailing lists.

LVL 10
Author Comment
by:Luxana
Hello j2

Thanks for your help, but it seems that I have trouble with starting up shorewall. I get the warning message: Can't locate module ip6_tables.
ip6tables v1.2.6a: can't initialize ip6tables table `filter': Address family not supported by protocol.

What should I do now?

I was able to run shorewall for the first time, but when I stop it I can't get it to run again.

Luxana
LVL 12
Expert Comment
by:j2
That is a FAQ: set DISABLE_IPV6=No in shorewall.conf.
LVL 10
Author Comment
by:Luxana
Hello j2

Finally I got it to work.

Thanks
LVL 12
Expert Comment
by:j2
Great!

There is a newbie mailing list on the shorewall website. You might want to consider subscribing to it, since it is a very friendly user community.