Solved

Need a basic IPTables script for multihomed Linux box with simple packet filter

Posted on 2008-10-22
8
1,220 Views
Last Modified: 2013-11-16
Hi,

I need to configure a simple firewall on a Centos 5 Linux box using IPTables.

The box is multihomed with eth0 being LAN and eth1 being WAN.

All I want to block is all inbound traffic on the WAN apart from UDP Port 4569 (IAX2 protocol).

Not using NAT or routing, no problem with all outbound WAN traffic being allowed either.

Thanks
0
Comment
Question by:EricTViking
  • 4
  • 4
8 Comments
 
LVL 1

Expert Comment

by:jupike
ID: 22779208

Replace the 0.0.0.0/24 with your internal network range

then the script should allow all traffic from the internal network
allow traffic to UDP port 4569
and block all other incoming traffic
#!/bin/bash

iptables -t filter -A INPUT -s 0.0.0.0/24 -j ACCEPT

iptables -t filter -A INPUT -p udp --destination-port 4569 -j ACCEPT

iptables -t filter -P INPUT DROP

Open in new window

0
 
LVL 11

Author Comment

by:EricTViking
ID: 22942402
Hi, sorry for the delay in responding, have not had access to the linux box for some time...

I tried the script above and it seems to also block internal traffic. Sorry I can't be more specific on what is blocked internally as I don't know where to find the logs from iptables to see what it is blocking.
0
 
LVL 1

Expert Comment

by:jupike
ID: 22943907
it should be correct
you are sure that you changed the iprange to your internal range?

below some adjustments that should log to your systemlog.
#!/bin/bash

/sbin/iptables -t filter -F ACCEPTLOG

/sbin/iptables -t filter -A ACCEPTLOG -j LOG --log-prefix "ACCEPTLOG :"

/sbin/iptables -t filter -A ACCEPTLOG -j ACCEPT
 

/sbin/iptables -t filter -F DROPLOG

/sbin/iptables -t filter -A DROPLOG -j LOG --log-prefix "ACCEPTLOG :"

/sbin/iptables -t filter -A DROPLOG -j DROP
 

iptables -t filter -A INPUT -s 0.0.0.0/24 -j ACCEPTLOG

iptables -t filter -A INPUT -p udp --destination-port 4569 -j ACCEPTLOG

iptables -t filter -A INPUT -s 0.0.0.0/0 -j DROPLOG

Open in new window

0
 
LVL 11

Author Comment

by:EricTViking
ID: 22948733
Thanks for the update :-)

Yes, I changed the 0.0.0.0/24 in line 10 to 192.168.99.0/24 which is my internal IP range.

When I try to run the script I get the following:

iptables v1.3.5: Couldn't load target `ACCEPTLOG':/lib/iptables/libipt_ACCEPTLOG.so: cannot open shared object file: No such file or directory

Also, should the 0.0.0.0/0 in line 12 be replaced with my public IP?
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 1

Expert Comment

by:jupike
ID: 22953310
Np
the 0.0.0.0/0 should stay that way it just says block everything that was not handled by previous rules

I added the command to create both the droplog and acceptlog chains
And now i saw what was causing the problem.
With the state related, established  rule the problem should be resolved.

You can turn logging on or off like you wish by replacing the ACCEPTLOG or DROPLOG in the last 3 commands by ACCEPT or DROP.

cheers,
#!/bin/bash

/sbin/iptables -t filter -N ACCEPTLOG

/sbin/iptables -t filter -N DROPLOG

/sbin/iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
 

/sbin/iptables -t filter -F ACCEPTLOG

/sbin/iptables -t filter -A ACCEPTLOG -j LOG --log-prefix "ACCEPTLOG :"

/sbin/iptables -t filter -A ACCEPTLOG -j ACCEPT

 

/sbin/iptables -t filter -F DROPLOG

/sbin/iptables -t filter -A DROPLOG -j LOG --log-prefix "ACCEPTLOG :"

/sbin/iptables -t filter -A DROPLOG -j DROP

 

iptables -t filter -A INPUT -s 0.0.0.0/24 -j ACCEPTLOG

iptables -t filter -A INPUT -p udp --destination-port 4569 -j ACCEPTLOG

iptables -t filter -A INPUT -s 0.0.0.0/0 -j DROPLOG

Open in new window

0
 
LVL 11

Author Comment

by:EricTViking
ID: 22953939
Hi,

Thanks for that, the script sets up iptables Ok now, but I'm not sure it's working quite right.

When I try to access a web site on the Linux box from the LAN parts of it fail to load and it runs very slowly.

if i do dmesg I can see iptables logs but only ACCEPTLOG, even if I try to access a blocked external port I don't appear to get any DROPLOG messages.

External access does seem to be being blocked correctly though.
0
 
LVL 1

Accepted Solution

by:
jupike earned 500 total points
ID: 22954570
ow i see i added 2 times ACCEPTLOG as log-prefix
changed that and alowing localhost trafic to now.
I guess he was blocking the site connecting to its database.


He might complain about the fact that the ACCEPTLOG and DROPLOG chains already exist. you can ignore that.
#!/bin/bash

/sbin/iptables -t filter -N ACCEPTLOG

/sbin/iptables -t filter -N DROPLOG

/sbin/iptables -t filter -F INPUT

/sbin/iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 

 

/sbin/iptables -t filter -F ACCEPTLOG

/sbin/iptables -t filter -A ACCEPTLOG -j LOG --log-prefix "ACCEPTLOG :"

/sbin/iptables -t filter -A ACCEPTLOG -j ACCEPT

 

/sbin/iptables -t filter -F DROPLOG

/sbin/iptables -t filter -A DROPLOG -j LOG --log-prefix "DROPLOG :"

/sbin/iptables -t filter -A DROPLOG -j DROP
 

iptables -t filter -A INPUT -s 127.0.0.0/24 -j ACCEPT

iptables -t filter -A INPUT -s 0.0.0.0/24 -j ACCEPTLOG

iptables -t filter -A INPUT -p udp --destination-port 4569 -j ACCEPTLOG

iptables -t filter -A INPUT -s 0.0.0.0/0 -j DROPLOG

Open in new window

0
 
LVL 11

Author Closing Comment

by:EricTViking
ID: 31508838
Jupike, thanks for a brilliant answer! I appreciate you taking the time to fine tune the script for me - it is now working perfectly and my original question has been fully answered. Here's 2000 points well earned :-)
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Using 'screen' for session sharing, The Simple Edition Step 1: user starts session with command: screen Step 2: other user (logged in with same user account) connects with command: screen -x Done. Both users are connected to the same CLI sessio…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now