asked on

Help configuring IPTABLES

I need some assistance configuring IPTABLES (haven't done it in ages).

I want to restrict all incoming connections on any port to "trusted" IPs.

I will have a local squid server running & want to make sure it isnt wide open... also some other services that I want to filter this way as well.

mgonullu

http://www.cae.wisc.edu/iptables-using#examples

Maybe this will be a good memory refreshment

fosiul01

the tutorial mgonullu provided its quite good

basicaly,

start of with block every port ( incomming port)

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
then open one by one as you go and as you need

iptables -A INPUT -p tcp --dport 22 -j ACCEPT (ssh)

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

http://www.cyberciti.biz/tips/linux-iptables-6-how-to-block-outgoing-access-to-selectedspecific-ip-address.html
http://www.cyberciti.biz/tips/linux-iptables-4-block-all-incoming-traffic-but-allow-ssh.html

mcainc

ASKER

i've been reading a bit and would like to know if this is valid, i want to allow ssh access & ftp access to my home ip ("ip.ip.ip.ip")

i'm not concerned with blocking the outgoing packets from the server, only preventing what is allowed in

before i run this i want to make sure it is accurate so i dont lock myself out!

# flushing rules

iptables -F
iptables -X

# blocking all ports

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allowing loopback unrestricted access

iptables -A INPUT -i lo
iptables -A OUTPUT -o lo

# allowing trusted ips appropriate access

iptables -A INPUT -s ip.ip.ip.ip -j ACCEPT
iptables -A OUTPUT -d ip.ip.ip.ip -j ACCEPT

# allow incoming ssh

iptables -A INPUT -p tcp dport 22 -m state state NEW -j ACCEPT

# allow incoming ftp

iptables -A INPUT -p tcp dport 21 -m state state NEW -j ACCEPT

# nothing else gets into this box

iptables -A INPUT -j DROP

mcainc

ASKER

hmm, i see some strange characters before -dport & -state... they should be the standard hyphen -

fosiul01

its seems alright to me
but if you see, you system is resonding slowly to ssh connection to be established
then just add this 2 rules

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

fosiul01

I always use this command to allow any port to come

iptables -A INPUT -p tcp --dport 22 -j ACCEPT (ssh)

but you have used this
iptables -A INPUT -p tcp dport 22 -m state state NEW -j ACCEPT

" -m state state " from which reference you got this one ??

mcainc

ASKER

i found it here, is it not accurate?

http://www.cyberciti.biz/tips/linux-iptables-4-block-all-incoming-traffic-but-allow-ssh.html

mcainc

ASKER

if i am specifying trusted ip addresses to only be able to access the system, is it even necessary to block ports?

it seems pointless because the ips are trusted... so can this all just be simplified by

# flushing rules

iptables -F
iptables -X

# blocking all ports

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allowing loopback unrestricted access

iptables -A INPUT -i lo
iptables -A OUTPUT -o lo

# allowing trusted ips appropriate access

iptables -A INPUT -s ip.ip.ip.ip -j ACCEPT
iptables -A OUTPUT -d ip.ip.ip.ip -j ACCEPT

# optimizing

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# nothing else gets into this box

iptables -A INPUT -j DROP

ASKER CERTIFIED SOLUTION

fosiul01

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

mcainc

ASKER

thanks for the help!