Solved

IPTABLES internal/external nic configuration

Posted on 2004-08-19
Last Modified: 2010-04-22
I can't seem to figure out what I am doing wrong with my IPTABLES rules.  I have 2 nics on this machine.  I wanted to trust everything from eth0 and deny everything but port 80 on external nic.

# iptables -F
# iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j REJECT  - I want to reject spoofed addresses pretending to be my internal nic
# iptables -A INPUT -i lo -j ACCEPT - accept everything on the loopback
# iptables -A INPUT -i eth0 -j ACCEPT - accept everything on the internal nic
# iptables -A INPUT -p tcp --dport www -j ACCEPT - is limiting this to the eth1 needed?
# iptables -A INPUT -j LOG -m limit
# iptables -A INPUT -j REJECT
# service iptables save

I restart iptables but then I am unable to ssh into eth0.
Any ideas what is wrong in my config?

Thanks
Question by:Martok
Accepted Solution

by: jlevie (LVL 40, earned 125 total points)
ID: 11846386
The following is a poor firewall in that it doesn't protect against malformed packets & such, but it should do what you want.

IPT="/sbin/iptables"
OUTSIDE=eth1
INSIDE=eth0
INSIDE_IP=192.168.1.????
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Use NPAT (masquerading) if you have a dynamic IP. Otherwise comment out the
# following line and use Source NAT instead.
#
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Allow HTTP inbound to the outside interface
#
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Keep the following rule if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to
# access (comment it out otherwise). And remember to change the IP to be
# that of the INSIDE interface of the firewall.
#
$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched is dropped.
#
$IPT -A INPUT -j DROP

For a more complete and reasonably secure firewall that isn't overly complicated, take a look at http://www.entrophy-free.net/tools/iptables-gw
Expert Comment

by: de2Zotjes (LVL 6)
ID: 11856458
Giving him a complete script is nice, but it still doesn't explain why his solution is not working. I would say that it is the lack of stateful inspection that is bothering this person.

Martok can you execute the following command:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

After that retry the ssh
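
As an added example (not code from any poster in this thread), here is the question's stated policy written as an iptables-restore ruleset: the stateful rule de2Zotjes points at comes first, the anti-spoof rule is kept, and a DROP chain policy replaces the trailing REJECT. eth0/eth1 come from the question; the 192.168.1.0/24 inside network and the log rate limit are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits an iptables-restore ruleset for
# the question's policy: trust eth0, admit only tcp/80 from eth1, track state.
# eth0/eth1 are from the question; inside network and rate limit are assumed.
INSIDE=${INSIDE:-eth0}
OUTSIDE=${OUTSIDE:-eth1}
INSIDE_NET=${INSIDE_NET:-192.168.1.0/24}

gen_rules() {
    cat <<EOF
*filter
# The chain policy does the final drop, so no trailing REJECT rule is needed.
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
# Packets belonging to connections already accepted (e.g. replies to sessions
# this host opened) are let in before anything else is evaluated.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Anti-spoofing: inside addresses never legitimately arrive on the outside NIC.
-A INPUT -i $OUTSIDE -s $INSIDE_NET -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $INSIDE -j ACCEPT
# The only new connections admitted from outside: HTTP.
-A INPUT -i $OUTSIDE -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Log what is about to hit the DROP policy, rate limited so a flood cannot fill the log.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Line number of the first rule matching a pattern, used to check ordering.
rule_line() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# The stateful ACCEPT must precede the LOG rule; otherwise every reply packet
# would be logged and dropped, which is the failure de2Zotjes describes.
check_order() {
    est=$(rule_line 'RELATED,ESTABLISHED')
    log=$(rule_line '-j LOG')
    [ -n "$est" ] && [ -n "$log" ] && [ "$est" -lt "$log" ]
}

gen_rules
```

Review the output, then load it with `iptables-restore --test` (newer iptables) before committing it with `iptables-restore`.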
Expert Comment

by: mikygee (LVL 2)
ID: 11858394
I would add a little comment.

First check the OUTPUT chain policy
iptables -L OUTPUT
According to your previous scripts it should be set to ACCEPT (jlevie did set this policy in his script).

about the other rules

iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j REJECT
should be, if you're connected directly on the internet on eth1
iptables -A INPUT -i eth1 -s 192.168.1.0/16 -j REJECT
because all the networks starting with 192.168.x.x are said to be private networks (correct me if I'm wrong).

iptables -A INPUT -j REJECT
Get rid of this rule and set REJECT as the default policy.
Because if one day you change your mind and set ACCEPT as the default policy, the last rule to be read will be with ACCEPT and not REJECT.
So do something like this:
iptables -P INPUT -j REJECT

I did not understand what you want to do with www; is there a www server on your firewall?
Expert Comment

by: pjcrooks2000 (LVL 8)
ID: 11864145
Silly answer maybe!

If it is a fresh install, did you install the ssh daemon on the machine?  Ignore if it's too silly :)

regards pjcrooks2000
Author Comment

by: Martok
ID: 11912759
Thanks for the help guys.  I used some of the settings from jlevie on http://www.entrophy-free.net/tools/iptables-gw and everything seems to be working now.  I appreciate the help.