EricTViking
asked on
Need a basic IPTables script for multihomed Linux box with simple packet filter
Hi,
I need to configure a simple firewall on a CentOS 5 Linux box using IPTables.
The box is multihomed with eth0 being LAN and eth1 being WAN.
All I want to block is all inbound traffic on the WAN apart from UDP Port 4569 (IAX2 protocol).
Not using NAT or routing, no problem with all outbound WAN traffic being allowed either.
Thanks
ASKER
Hi, sorry for the delay in responding, have not had access to the Linux box for some time...
I tried the script above and it seems to also block internal traffic. Sorry I can't be more specific on what is blocked internally as I don't know where to find the logs from iptables to see what it is blocking.
It should be correct.
Are you sure that you changed the IP range to your internal range?
Below are some adjustments that should log to your system log.
#!/bin/bash
/sbin/iptables -t filter -F ACCEPTLOG
/sbin/iptables -t filter -A ACCEPTLOG -j LOG --log-prefix "ACCEPTLOG :"
/sbin/iptables -t filter -A ACCEPTLOG -j ACCEPT
/sbin/iptables -t filter -F DROPLOG
/sbin/iptables -t filter -A DROPLOG -j LOG --log-prefix "ACCEPTLOG :"
/sbin/iptables -t filter -A DROPLOG -j DROP
iptables -t filter -A INPUT -s 0.0.0.0/24 -j ACCEPTLOG
iptables -t filter -A INPUT -p udp --destination-port 4569 -j ACCEPTLOG
iptables -t filter -A INPUT -s 0.0.0.0/0 -j DROPLOG
ASKER
Thanks for the update :-)
Yes, I changed the 0.0.0.0/24 in line 10 to 192.168.99.0/24 which is my internal IP range.
When I try to run the script I get the following:
iptables v1.3.5: Couldn't load target `ACCEPTLOG':/lib/iptables/libipt_ACCEPTLOG.so: cannot open shared object file: No such file or directory
Also, should the 0.0.0.0/0 in line 12 be replaced with my public IP?
No problem.
The 0.0.0.0/0 should stay that way; it just says to block everything that was not handled by the previous rules.
I added the commands to create both the DROPLOG and ACCEPTLOG chains.
And now I saw what was causing the problem.
With the state RELATED,ESTABLISHED rule the problem should be resolved.
You can turn logging on or off as you wish by replacing the ACCEPTLOG or DROPLOG in the last 3 commands with ACCEPT or DROP.
cheers,
#!/bin/bash
# create the two logging chains (iptables reports "Chain already exists" if the script is run a second time)
/sbin/iptables -t filter -N ACCEPTLOG
/sbin/iptables -t filter -N DROPLOG
# accept replies to connections the box itself opened, and related traffic
/sbin/iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ACCEPTLOG chain: log the packet, then accept it
/sbin/iptables -t filter -F ACCEPTLOG
/sbin/iptables -t filter -A ACCEPTLOG -j LOG --log-prefix "ACCEPTLOG :"
/sbin/iptables -t filter -A ACCEPTLOG -j ACCEPT
# DROPLOG chain: log the packet, then drop it
# (note that the prefix below also reads "ACCEPTLOG :", so dropped packets appear in the log under that prefix)
/sbin/iptables -t filter -F DROPLOG
/sbin/iptables -t filter -A DROPLOG -j LOG --log-prefix "ACCEPTLOG :"
/sbin/iptables -t filter -A DROPLOG -j DROP
# replace 0.0.0.0/24 with the internal network range
/sbin/iptables -t filter -A INPUT -s 0.0.0.0/24 -j ACCEPTLOG
# IAX2
/sbin/iptables -t filter -A INPUT -p udp --destination-port 4569 -j ACCEPTLOG
# everything not matched above
/sbin/iptables -t filter -A INPUT -s 0.0.0.0/0 -j DROPLOG
ASKER
Hi,
Thanks for that, the script sets up iptables OK now, but I'm not sure it's working quite right.
When I try to access a web site on the Linux box from the LAN, parts of it fail to load and it runs very slowly.
If I run dmesg I can see iptables logs, but only ACCEPTLOG; even if I try to access a blocked external port I don't appear to get any DROPLOG messages.
External access does seem to be being blocked correctly though.
ASKER CERTIFIED SOLUTION
ASKER
Jupike, thanks for a brilliant answer! I appreciate you taking the time to fine tune the script for me - it is now working perfectly and my original question has been fully answered. Here's 2000 points well earned :-)
Replace the 0.0.0.0/24 with your internal network range
then the script should allow all traffic from the internal network
allow traffic to UDP port 4569
and block all other incoming traffic
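The accepted solution is not visible on this page, so what follows is an added example of a complete script for the requirement in the original question (editor's code, not the script posted in the thread and not the accepted answer). Compared with the script posted above it also accepts loopback traffic, which the posted rules never do although local services such as a resolver or a database behind the web server depend on it (one common cause of slow, partially failing local web access); it gives the DROPLOG chain its own log prefix, since the posted chain logs drops as "ACCEPTLOG :"; it rate-limits the LOG target so a port scan cannot flood the kernel log; it matches LAN traffic by interface as well as by source range, so a packet with a forged 192.168.99.x source arriving on the WAN is not accepted; and it flushes INPUT before adding rules, so it can be re-run (the posted -N lines fail once the chains exist). The interface names eth0/eth1, the LAN range 192.168.99.0/24 and the path /sbin/iptables are assumptions taken from the thread and can be overridden through the environment; the FORWARD policy is set to DROP because the question states the box does no routing.

```shell
#!/bin/sh
# Added example (editor's code, not the thread's accepted solution): a complete
# INPUT policy for the setup described in this thread. Assumptions: eth0 is the
# LAN, eth1 is the WAN, the LAN is 192.168.99.0/24, no forwarding or NAT.
# Override any of them through the environment, e.g. LAN_NET=10.0.0.0/8.

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.99.0/24}
IPT=${IPT:-/sbin/iptables}

# Print a rule instead of applying it; used by "--dry-run" (and by the test).
print_rule() { printf '%s\n' "$*"; }

apply_rules() {
    # Make the script re-runnable: flush INPUT and (re)create the log chain
    # instead of appending a second copy of every rule on each run.
    $IPT -F INPUT
    $IPT -N DROPLOG 2>/dev/null || true    # harmless if the chain already exists
    $IPT -F DROPLOG
    # Log under a distinct prefix, rate-limited so a scan cannot flood dmesg.
    $IPT -A DROPLOG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "DROPLOG: "
    $IPT -A DROPLOG -j DROP

    # 1. Loopback first: local services (DNS resolver, database behind the web
    #    server) talk over 127.0.0.1, which is not inside LAN_NET.
    $IPT -A INPUT -i lo -j ACCEPT
    # 2. Replies to connections the box opened, and related traffic (ICMP errors).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # 3. LAN hosts: match the interface as well as the source range, so a
    #    forged 192.168.99.x source arriving on the WAN is not accepted.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # 4. The one inbound WAN service: IAX2 on UDP 4569.
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 4569 -j ACCEPT
    # 5. Everything else is logged and dropped. The chain policy is DROP as
    #    well, so nothing slips through if the DROPLOG rule is ever removed.
    $IPT -A INPUT -j DROPLOG
    $IPT -P INPUT DROP
    # No routing in this setup: refuse to forward anything. OUTPUT stays ACCEPT.
    $IPT -P FORWARD DROP
}

case "${1:-}" in
    --dry-run) IPT=print_rule; apply_rules ;;
    --apply)   apply_rules ;;
esac
```

Run it as `sh firewall.sh --dry-run` to print the rules it would load, and `sh firewall.sh --apply` as root to load them. Apply it from the console or from a LAN session the first time: once the INPUT policy is DROP, a run that aborts after the flush leaves only the policy in place, which locks out a WAN-side SSH session. Dropped packets then show up in dmesg or /var/log/messages with the prefix "DROPLOG: ", and `iptables -L INPUT -v -n` shows per-rule packet counters, which is the quickest way to see which rule a LAN packet is hitting. On CentOS 5, `service iptables save` writes the live rules to /etc/sysconfig/iptables so they survive a reboot.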