Martok
asked on
IPTABLES internal/external nic configuration
I can't seem to figure out what I am doing wrong with my IPTABLES rules. I have 2 nics on this machine. I wanted to trust everything from eth0 and deny everything but port 80 on external nic.
# iptables -F
# iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j REJECT - I want to reject spoofed addresses pretending to be my internal nic
# iptables -A INPUT -i lo -j ACCEPT - accept everything on the loopback
# iptables -A INPUT -i eth0 -j ACCEPT - accept everything on the internal nic
# iptables -A INPUT -p tcp --dport www -j ACCEPT - is limiting this to the eth1 needed?
# iptables -A INPUT -j LOG -m limit
# iptables -A INPUT -j REJECT
# service iptables save
I restart iptables but then I am unable to ssh into eth0.
Any ideas what is wrong in my config?
Thanks
I would add a little comment.
First check the OUTPUT chain policy
iptables -L OUTPUT
according to your previous scripts it should be set to ACCEPT (jlevie did set this policy in his script)
about the other rules
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j REJECT
should be, if you're connected directly on the internet on eth1
iptables -A INPUT -i eth1 -s 192.168.1.0/16 -j REJECT
because all the networks starting with 192.168.x.x are said to be private networks (correct me if i'm wrong)
iptables -A INPUT -j REJECT
get rid of this rule and set REJECT to the default policy.
Because if one day you change your mind and you set ACCEPT to the default policy the last rule to be read will be with ACCEPT and not REJECT.
so do something like that
iptables -P INPUT -j REJECT
I did not understand what you want to do with www, is there a www server on your firewall ?
Silly answer maybe!
If it is a fresh install did you install ssh daemon on the machine? Ignore if its too silly :)
regards pjcrooks2000
ASKER
Thanks for the help guys. I used some of the settings from jlevieon - http://www.entrophy-free.net/tools/iptables-gw and everything seems to be working now. I appreciate the help.
Martok can you execute the following command:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
After that retry the ssh
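The points raised in the thread, pulled together into one complete rule set: the ESTABLISHED,RELATED rule suggested last, the advice to check the OUTPUT chain policy, the anti-spoofing rule widened to the whole 192.168.0.0/16 block (plus the other RFC 1918 ranges), and a DROP default policy instead of a trailing REJECT rule. Note that `iptables -P` takes a policy name with no `-j`, and only ACCEPT and DROP are valid policies for a built-in chain, so the earlier `iptables -P INPUT -j REJECT` will not load; DROP is used here. This is an added example, not the asker's rules, jlevie's iptables-gw script, or any reply's code. It assumes eth0 is the trusted LAN on 192.168.1.0/24, eth1 faces the Internet, the web server on port 80 is the only service exposed externally, and it chooses the iptables-restore file format and the `print`/`check`/`apply` subcommands as its own conventions.

```shell
#!/bin/sh
# Added example: a two-NIC host firewall loaded atomically with iptables-restore.
# Assumptions (not from the thread): eth0 = trusted LAN, eth1 = Internet side,
# 192.168.1.0/24 is the LAN network, only tcp/80 is offered to the outside.
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.1.0/24

# Emit the ruleset on stdout. Loading it with iptables-restore replaces the
# table in one step, so there is no window where a DROP policy is in place
# before the accept rules exist (the lock-out you get with -P followed by -A).
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections this host opened, and packets of sessions already
# accepted below, are allowed first so no later rule can break them.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Anti-spoofing on the external interface: nothing arriving from the Internet
# may carry a private (RFC 1918) or loopback source address.
-A INPUT -i ${WAN_IF} -s 10.0.0.0/8 -j DROP
-A INPUT -i ${WAN_IF} -s 172.16.0.0/12 -j DROP
-A INPUT -i ${WAN_IF} -s 192.168.0.0/16 -j DROP
-A INPUT -i ${WAN_IF} -s 127.0.0.0/8 -j DROP
# Trust the internal interface entirely; ssh from ${LAN_NET} is accepted here.
-A INPUT -i ${LAN_IF} -j ACCEPT
# Only new HTTP connections from outside. Binding the rule to ${WAN_IF} means
# it cannot silently widen the internal side if the LAN rule is ever tightened.
-A INPUT -i ${WAN_IF} -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Rate-limited log of whatever the DROP policy is about to discard.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Number of rules in the generated set bound to a given input interface.
count_rules_for() {
    gen_rules | grep -c -- "-i $1 "
}

# First thing to check when ssh stops working after a reload: the chain
# policies. A DROP policy on OUTPUT silently kills sshd's replies even though
# INPUT accepts the incoming packets.
show_policies() {
    iptables -L -n | grep '^Chain'
}

# Parse-check the ruleset first (--test loads nothing), then load it for real.
apply_rules() {
    gen_rules | iptables-restore --test && gen_rules | iptables-restore
}

case "${1:-}" in
    print) gen_rules ;;
    check) show_policies ;;
    apply) apply_rules ;;
esac
```

Run `sh firewall.sh print` to review the generated file, `sh firewall.sh check` to confirm the three chain policies (INPUT DROP, FORWARD DROP, OUTPUT ACCEPT), and `sh firewall.sh apply` as root to load it; on an RHEL-style box `service iptables save` afterwards persists it as before.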