kephillips asked:

question for jlevie

Hi jlevie,
I'm using your iptables (iptables-gw). My problem is that my users would like to use outlook express to send/receive mail from the outside connection and these ports don't seem to be "open". Could you tell me what I need to change in iptables-gw to have this feature?
Also, I have users connecting over ppp+ IP=192.168.0.80 and I need to cut off all internet access. Only access to the intranet and mail.
Thanks very much.
troopern:

Ports that need to be opened:
smtp = 25
smtps = 465
pop3 = 110
imap = 143
pop3s = 995
imaps = 993

Those that end in "s" are only necessary if you use SSL/TLS encryption.
The IPtables script that I recall setting up would not restrict outbound connections on the POP, IMAP & SMTP ports. But I could be wrong... Please post the iptables-gw script and I'll tell you how to adjust it for outbound mail connections if it is the firewall that's the problem.
kephillips (asker):

Hi jlevie,

Here's what I'm trying to use; this is all my mail stuff here:

iptables -t nat -A POSTROUTING  -p tcp -j MASQUERADE --to-ports 25
iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 110

iptables -t nat -A PREROUTING -p tcp -i $OUTSIDE --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $OUTSIDE --dport 110 -j ACCEPT

iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT

iptables -t nat -A POSTROUTING -p tcp --sport 25 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --sport 110 -j ACCEPT
this is for the ppp+ connection:

# MODEM
iptables -A INPUT -i $USERS -d 192.168.0.1 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.80 -o $OUTSIDE -j DROP

thanks.
I think you've changed the rules somewhat over what I set up. I would not have done the masquerade by ports. Please post the entire iptables-gw script so I can see what's going on.
#!/bin/sh
#
# Save this in root's home directory as iptables-gw and make it executable
# with 'chmod +x iptables-gw'. Then to install the rule set simply run it
# with './iptables-gw'.

# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save
# the running config with 'iptables save' for RedHat to reinstate at the next
# boot IP forwarding must be enabled by other than this script for production
# use. That's best done by editing /etc/sysctl.conf and setting:
#
# net.ipv4.ip_forward = 1
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
# echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
# I find it easier to modify this file and run it to change the rulesets,
# rather than modifying the running rules. That way I have a readable record
# of the firewall configuration.
#
# Set an absolute path to IPTABLES and define the interfaces.
#
IPT="/sbin/iptables"
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
OUTSIDE=eth1
INSIDE=eth0
USERS=ppp+
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack
#
iptables -N silent
iptables -A silent -j DROP

iptables -N tcpflags
iptables -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
iptables -A tcpflags -j DROP

iptables -N firewalled
iptables -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
iptables -A firewalled -j DROP
#
# Use NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
iptables -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE

#####################
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#
# To Statically NAT an outside IP (1.2.3.4) to an inside IP (10.0.0.2) you'd
# do something like:
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp -j firewalled
#
# We've slipped the surly bonds of windows and are dancing on the
# silvery wings of Linux, so don't allow that windows broadcast trash
# to leak out of the firewall.
#
iptables -A FORWARD -p udp --dport 137 -j silent
iptables -A FORWARD -p udp --dport 138 -j silent
iptables -A FORWARD -p udp --dport 139 -j silent
iptables -A FORWARD -p udp --dport 445 -j silent
iptables -A FORWARD -p udp --dport 9006 -j silent
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.0.0.10
# The second forwards SSH to 10.0.0.10
# The third forwards a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
# iptables -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.0.1
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 10.0.0.10
iptables -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 192.168.0.1
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 192.168.0.1
#
# Examples of allowing inbound for the port forwarding examples above or for
# allowing access to services running on the firewall
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
#iptables -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT

#iptables -A INPUT -p tcp --dport 110 -j ACCEPT
#iptables -A INPUT -p tcp --dport 143 -j ACCEPT
#iptables -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#iptables -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#iptables -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 7175:7176 -j ACCEPT

#########################   MAIL         ##################################

#iptables -A OUTPUT -o eth1 -p tcp --dport 25 -j ACCEPT
#iptables -A OUTPUT -o eth1 -p tcp --dport 110 -j ACCEPT

#iptables -A INPUT -o eth1 -p tcp --sport 25 -j ACCEPT
#iptables -A INPUT -o eth1 -p tcp --sport 110 -j ACCEPT

#iptables -A FORWARD -o eth1 -p tcp --dport 25 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -o eth1 -p tcp --dport 110 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#tcp --dport 110 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

iptables -t nat -A POSTROUTING  -p tcp -j MASQUERADE --to-ports 25
iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 110

iptables -t nat -A PREROUTING -p tcp -i $OUTSIDE --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $OUTSIDE --dport 110 -j ACCEPT

iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT

iptables -t nat -A POSTROUTING -p tcp --sport 25 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --sport 110 -j ACCEPT

################################################################
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
iptables -A INPUT -i lo -j ACCEPT
#
# Uncomment the following if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to
# access. And remember to change the  IP to be that of the INSIDE interface
# of the firewall.
#
iptables -A INPUT -i $INSIDE -d 192.168.0.1 -j ACCEPT

# MODEM STUFF
iptables -A INPUT -i $USERS -d 192.168.0.1 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.80 -o $OUTSIDE -j DROP

# If you are running a DHCP server on the firewall uncomment the next line
#
#$IPT -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
iptables -A INPUT -j firewalled

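An added example (not jlevie's script and not anything posted in the thread) showing the two changes this thread is after as rules you can review in dry-run mode before applying: accepting outside mail clients on the firewall's own SMTP/POP3 ports instead of the per-port MASQUERADE lines, and confining ppp users to the intranet by filtering FORWARD, which is the chain their traffic actually traverses (OUTPUT only sees packets the firewall generates itself). It assumes the interface names, 192.168.0.1 and 192.168.0.80 from the posted script, that the mail server runs on the firewall itself, and that the script's firewalled chain already exists; the rule(), mail_rules() and dialup_rules() helpers are mine.

```shell
#!/bin/sh
# Added example, not part of iptables-gw. Prints rules by default; APPLY=1 executes them (root).
IPT="/sbin/iptables"
OUTSIDE=eth1
INSIDE=eth0
USERS="ppp+"
FW_IP=192.168.0.1          # firewall's inside address, as in the posted script
DIALUP=192.168.0.80        # address handed to ppp users, as in the posted script
MAIL_PORTS="25 110"        # add 143 465 993 995 if clients use IMAP or SSL/TLS

# Print each rule in dry-run mode; execute it only when APPLY=1.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then "$IPT" "$@"; else echo "$IPT $*"; fi
}

# Outside mail clients: accept NEW connections to the mail daemons on the firewall.
# This replaces "-j MASQUERADE --to-ports 25/110", which rewrites the source port
# of every masqueraded TCP flow, not just mail, and so breaks ordinary browsing.
# Replies are covered by the script's existing RELATED,ESTABLISHED rule.
# (Assumption: mail server is on the firewall. If it is an inside host instead,
#  a nat PREROUTING DNAT plus a matching FORWARD ACCEPT replaces these rules.)
mail_rules() {
    for p in $MAIL_PORTS; do
        rule -A INPUT -i "$OUTSIDE" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
}

# Dial-up users: reach the firewall's own web/mail and the inside LAN, nothing beyond.
# Their packets are forwarded, so "-A OUTPUT ... -s 192.168.0.80 -j DROP" never
# matches them; the restriction has to live in FORWARD, keyed on the ppp+ interface.
dialup_rules() {
    rule -A INPUT -i "$USERS" -d "$FW_IP" -j ACCEPT
    rule -A FORWARD -i "$USERS" -s "$DIALUP" -o "$INSIDE" -j ACCEPT      # intranet
    rule -A FORWARD -i "$USERS" -o "$OUTSIDE" -j firewalled               # log + drop
}

mail_rules
dialup_rules
```

Run it once without APPLY to read the generated rules, then with APPLY=1 after the script's chain definitions so that the firewalled target exists.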
ASKER CERTIFIED SOLUTION
jlevie
Jim,
It still doesn't want to work.
I need my dialup users to have access to the website on 192.168.0.1 but NOT to the Internet.

Also,
I have tried accessing my mail server over the internet using outlook express and it still isn't working.
I get errors on ports 25 and 110.

Thanks.
Is the PPP server on the firewall? Or is it a different box?

When you tried outlook were you at some other location (i.e. from outside of the firewall)?
ok.
The ppp is on the same server as the firewall. ppp users log in using the address 192.168.0.80.
Also, when we tried Outlook we were trying it from outside the firewall. This is what I need to work.
Thanks.
What is the outside IP of your firewall?
ok. works great!