?
Solved

Help configuring IPTABLES

Posted on 2008-10-21
10
Medium Priority
?
322 Views
Last Modified: 2013-12-16
I need some assistance configuring IPTABLES (haven't done it in ages).

I want to restrict all incoming connections on any port to "trusted" IPs.

I will have a local squid server running & want to make sure it isnt wide open... also some other services that I want to filter this way as well.

0
Comment
Question by:mcainc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 9

Expert Comment

by:mgonullu
ID: 22773819
http://www.cae.wisc.edu/iptables-using#examples

Maybe this will be a good memory refreshment
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22774167
the tutorial mgonullu provided its quite good

basicaly,

start of with block every port ( incomming port)

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
then open one by one as you go and as you need

iptables -A INPUT  -p tcp --dport 22 -j ACCEPT    (ssh)

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


http://www.cyberciti.biz/tips/linux-iptables-6-how-to-block-outgoing-access-to-selectedspecific-ip-address.html
http://www.cyberciti.biz/tips/linux-iptables-4-block-all-incoming-traffic-but-allow-ssh.html
0
 

Author Comment

by:mcainc
ID: 22794046
i've been reading a bit and would like to know if this is valid, i want to allow ssh access & ftp access to my home ip ("ip.ip.ip.ip")

i'm not concerned with blocking the outgoing packets from the server, only preventing what is allowed in

before i run this i want to make sure it is accurate so i dont lock myself out!


# flushing rules

iptables -F
iptables -X

# blocking all ports

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allowing loopback unrestricted access

iptables -A INPUT -i lo
iptables -A OUTPUT -o lo

# allowing trusted ips appropriate access

iptables -A INPUT -s ip.ip.ip.ip -j ACCEPT
iptables -A OUTPUT -d ip.ip.ip.ip -j ACCEPT

# allow incoming ssh

iptables -A INPUT -p tcp dport 22 -m state state NEW -j ACCEPT

# allow incoming ftp

iptables -A INPUT -p tcp dport 21 -m state state NEW -j ACCEPT

# nothing else gets into this box

iptables -A INPUT -j DROP
0
Get proactive database performance tuning online

At Percona’s web store you can order full Percona Database Performance Audit in minutes. Find out the health of your database, and how to improve it. Pay online with a credit card. Improve your database performance now!

 

Author Comment

by:mcainc
ID: 22794049
hmm, i see some strange characters before -dport & -state... they should be the standard hyphen -
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22794095
its seems alright to me
but if you see, you system is resonding slowly to ssh connection to be established
then just add this 2 rules

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22794112
I always use this command  to allow any port to come

iptables -A INPUT  -p tcp --dport 22 -j ACCEPT    (ssh)

but you have used this
iptables -A INPUT -p tcp dport 22 -m state state NEW -j ACCEPT


" -m state state " from which reference you got this one ??
0
 

Author Comment

by:mcainc
ID: 22794156
if i am specifying trusted ip addresses to only be able to access the system, is it even necessary to block ports?

it seems pointless because the ips are trusted... so can this all just be simplified by

# flushing rules

iptables -F
iptables -X

# blocking all ports

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allowing loopback unrestricted access

iptables -A INPUT -i lo
iptables -A OUTPUT -o lo

# allowing trusted ips appropriate access

iptables -A INPUT -s ip.ip.ip.ip -j ACCEPT
iptables -A OUTPUT -d ip.ip.ip.ip -j ACCEPT

# optimizing

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# nothing else gets into this box

iptables -A INPUT -j DROP
0
 
LVL 29

Accepted Solution

by:
fosiul01 earned 2000 total points
ID: 22794219
yes its finej
iptables -F
iptables -X

# blocking all ports

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allowing loopback unrestricted access

iptables -A INPUT -i lo
iptables -A OUTPUT -o lo

# allowing trusted ips appropriate access

iptables -A INPUT -s ip.ip.ip.ip -j ACCEPT
iptables -A OUTPUT -d ip.ip.ip.ip -j ACCEPT

# optimizing

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# nothing else gets into this box

iptables -A INPUT -j DROP


you just have to add the port such as 22, 80(web site) to allow to your box

thats it
how are you adding this rule ??
just add by hand, one by one command, then test it, if you are happy
then

service iptables save

it will automaticaly save all rules in iptables
0
 

Author Closing Comment

by:mcainc
ID: 31508640
thanks for the help!
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
The purpose of this article is to demonstrate how we can use conditional statements using Python.
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question