IPTABLES internal/external nic configuration

I can't seem to figure out what I am doing wrong with my iptables rules. I have two NICs on this machine. I wanted to trust everything from eth0 and deny everything but port 80 on the external NIC.

# iptables -F
# iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j REJECT    # I want to reject spoofed addresses pretending to be my internal NIC
# iptables -A INPUT -i lo -j ACCEPT                          # accept everything on the loopback
# iptables -A INPUT -i eth0 -j ACCEPT                        # accept everything on the internal NIC
# iptables -A INPUT -p tcp --dport www -j ACCEPT             # is limiting this to eth1 needed?
# iptables -A INPUT -j LOG -m limit
# iptables -A INPUT -j REJECT
# service iptables save

I restart iptables but then I am unable to ssh into eth0.
Any ideas what is wrong in my config?

Thanks
Martok asked:

jlevie commented:
The following is a poor firewall in that it doesn't protect against malformed packets & such, but it should do what you want.

IPT="/sbin/iptables"
OUTSIDE=eth1
INSIDE=eth0
INSIDE_IP=192.168.1.????
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Use NAPT (masquerading) if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Allow HTTP inbound to the outside interface
#
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Uncomment the following if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to
# access. And remember to change the  IP to be that of the INSIDE interface
# of the firewall.
#
$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched dropped.
#
$IPT -A INPUT -j DROP

For a more complete and reasonably secure firewall that isn't overly complicated take a look at http://www.entrophy-free.net/tools/iptables-gw

de2Zotjes commented:
Giving him a complete script is nice, but it still doesn't explain why his solution is not working. I would say that it is the lack of stateful inspection that is bothering this person.

Martok can you execute the following command:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

After that retry the ssh

mikygee commented:
I would add a little comment.

First check the OUTPUT chain policy:
iptables -L OUTPUT
According to your previous script it should be set to ACCEPT (jlevie did set this policy in his script).

About the other rules:

iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j REJECT
should be, if you're connected directly to the internet on eth1,
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j REJECT
because all the networks starting with 192.168.x.x are said to be private networks (correct me if I'm wrong).

iptables -A INPUT -j REJECT
Get rid of this rule and set the default policy instead.
Because if one day you change your mind and you set ACCEPT to the default policy, the last rule to be read will be with ACCEPT and not REJECT.
So do something like this:
iptables -P INPUT DROP    # -P takes no -j, and a chain policy can only be ACCEPT or DROP, not REJECT

I did not understand what you want to do with www, is there a www server on your firewall?
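Pulling the replies together, the script below is an added example (not code from the thread, from jlevie, or from the linked iptables-gw script): it builds the rule set Martok described with the stateful rule de2Zotjes asked for, the wider 192.168.0.0/16 anti-spoof range mikygee suggested, the HTTP rule bound to the outside interface, and the chain policy set last. It assumes eth0 is the inside NIC on 192.168.1.0/24 and eth1 is the outside NIC; both, the network, and the path to the iptables binary are assumptions that can be overridden through the environment. With DRY_RUN=1 (or the `show` argument) it only prints the rules, so the ordering can be checked on any machine without root.

```shell
#!/bin/sh
# Added example: the INPUT chain Martok wanted, in the order the replies
# argue for. Assumptions: eth0 inside on 192.168.1.0/24, eth1 outside.
IPT="${IPT:-/sbin/iptables}"
OUTSIDE="${OUTSIDE:-eth1}"
INSIDE="${INSIDE:-eth0}"
INSIDE_NET="${INSIDE_NET:-192.168.1.0/24}"

# run: apply one rule, or print it when DRY_RUN=1 so the rule order can be
# reviewed without root or a live firewall.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

firewall_rules() {
    # Keep the policy at ACCEPT while rebuilding; flip it to DROP last so a
    # remote session is not cut off halfway through the script.
    run -P INPUT ACCEPT
    run -F INPUT

    run -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: private (RFC 1918) and loopback source addresses must
    # never arrive on the outside NIC. /16 covers all of 192.168.x.x, not
    # just the inside /24.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        run -A INPUT -i "$OUTSIDE" -s "$net" -j DROP
    done

    # Stateful rule: replies to connections the firewall itself opened (DNS
    # lookups, updates, outbound ssh). Without it, any reply that no
    # interface rule covers falls through to the final DROP.
    run -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run -A INPUT -m state --state INVALID -j DROP

    # Trust the inside NIC, but only for inside source addresses.
    run -A INPUT -i "$INSIDE" -s "$INSIDE_NET" -j ACCEPT

    # HTTP is the only new connection the outside NIC may open. Binding the
    # rule to -i $OUTSIDE answers Martok's question: without it the rule
    # is redundant on eth0 (already accepted) and wider than needed.
    run -A INPUT -i "$OUTSIDE" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Rate-limited log of what is about to be dropped, then the explicit drop.
    run -A INPUT -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "INPUT-DROP: "
    run -A INPUT -j DROP

    # A chain policy can only be ACCEPT or DROP (never REJECT); it is the
    # fallback for packets matching no rule, so it should agree with the
    # last rule.
    run -P INPUT DROP
}

# print_rules: emit the rule list without applying it.
print_rules() {
    ( DRY_RUN=1; firewall_rules )
}

# rule_index: 1-based position of the first emitted rule matching PATTERN
# (empty if none); used to check that the stateful ACCEPT precedes the DROP.
rule_index() {
    print_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Usage:  sh firewall.sh show        (print the rules)
#         sh firewall.sh apply       (as root, apply them)
if [ "${1:-}" = "apply" ]; then
    firewall_rules
elif [ "${1:-}" = "show" ]; then
    print_rules
fi
```

`-m state` is the older spelling of `-m conntrack --ctstate`; both still work on current kernels and it matches the syntax used in the thread. After applying, persist the rules the same way Martok does (`service iptables save` on his distribution). When changing a firewall over ssh, start a timed rollback first (for example a background `sleep 120 && iptables -P INPUT ACCEPT && iptables -F INPUT`) and cancel it once a fresh login works, since a mistake in the order above locks you out exactly the way the original question describes.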

pjcrooks2000 commented:
Silly answer maybe!

If it is a fresh install, did you install the ssh daemon on the machine? Ignore if it's too silly :)

Regards, pjcrooks2000

Martok (author) commented:
Thanks for the help guys. I used some of the settings from jlevie - http://www.entrophy-free.net/tools/iptables-gw - and everything seems to be working now. I appreciate the help.