  1. #1
    Just Joined!
    Join Date
    Dec 2013
    Posts
    2

    Unhappy Firewall


    Please, help me: firewall should be set as follows:
    1. via eth0, the specified DHCP network service is available from the Internet, and the availability of the Internet to your virtual machine can also be checked via ping. No other communications initiated from the Internet (via eth0) are permitted. From the outside (i.e. the Internet), enable only checking the availability of the virtual machine via ping;
    iptables -F
    iptables -A OUTPUT -p udp --dport 68 -j ACCEPT
    iptables -P OUTPUT DROP
    iptables -A INPUT -p udp --dport 67 -j ACCEPT
    iptables -P INPUT DROP


    2. through eth1 and loopback is possible to access all ports via any protocol;
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth1 -j ACCEPT
    iptables -P INPUT ACCEPT


    3. Server is capable of communication on the Internet without constraints, that is with any remote network service;
    iptables -P FOWARD ACCEPT
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT

    Is it ok? Where is the problem?

  2. #2
    Linux Newbie
    Join Date
    Jan 2013
    Location
    Argentina
    Posts
    122
    Hello olip15. Happy new year and thank you for writing. Nice great wall of fire you've built, hehe.

    I have not had the opportunity to sit and practice iptables. I've read a book about it but I do not completely understand it yet.
    Regarding the rules, if it's a copy-paste from any configuration file, the only mistake I can see is a typographical error.

    Where it says:
    Code:
    iptables -P FOWARD ACCEPT
    It should say:
    Code:
    iptables -P FORWARD ACCEPT
    Now, if I remember correctly:

    1.
    Code:
    iptables -F
    Erases everything

    Code:
    iptables -A OUTPUT -p udp --dport 68 -j ACCEPT
    Appends a rule that tells your computer that every UDP communication leaving your computer and going to port 68 is accepted.

    Code:
    iptables -P OUTPUT DROP
    Drops any package leaving your computer. Perhaps that's where your problem lies. I'd try using something like this:

    Code:
    iptables -A OUTPUT -p [!] udp --dport [!] 68 -j DROP
    "-p, --protocol [!] protocol
    The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted.

    (...)

    --destination-port,--dport [!] port[:port]"

    (Taken from here)

    In my example, if applied correctly and provided I'm not mistaken, it will drop any communication that starts in your computer that is not related to the UDP protocol or destination port 68.

    Code:
    iptables -A INPUT -p udp --dport 67 -j ACCEPT
    Appends a rule that tells your computer that any udp communication coming to your port 67 is accepted.

    Code:
    iptables -P INPUT DROP
    Same thing as before would apply here. You need to type something like
    Code:
    iptables -A INPUT -p [!] udp --dport [!] 67 -j ACCEPT
    I'm not sure about the "[!]" symbol syntax. I believe you need to remove the brackets as those usually represent an option or something else.

    2.

    Code:
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth1 -j ACCEPT
    iptables -P INPUT ACCEPT
    I'm not sure if these three rules overrule what you've pointed out on step 1. I don't remember how the command reads the rules.

    3.
    Code:
    iptables -P FOWARD ACCEPT
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    Same as in point 2, although I don't understand how policies work.

    "-P, --policy chain target
    Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets."

    Hope it helps.
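    Putting the three requirements from the question together, as an added example that is not code from either poster: one ordered rule set, with a generator function so the rule text can be inspected without root. It assumes eth0 is the Internet side, eth1 the internal side, and that the machine is a DHCP client (port 68), not a DHCP server; FORWARD is set to DROP because nothing in the requirements needs routing (the original post used ACCEPT).

```shell
#!/bin/sh
# Added example (not the original poster's commands). Assumptions: eth0 faces
# the Internet, eth1 is internal, the host is a DHCP client on eth0.
# gen_rules prints the commands; apply_rules runs them (needs root).

gen_rules() {
    # Rules are matched top to bottom. "-P" only sets the default for packets
    # that reach the end of a chain without matching any rule, so the policy
    # can be DROP while earlier ACCEPT rules still let wanted traffic through.
    cat <<'EOF'
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# 2. loopback and eth1: everything allowed
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
# 3. replies to connections this host started (covers our own pings too)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 1. eth0: DHCP server (port 67) answering our client (port 68)
iptables -A INPUT -i eth0 -p udp --sport 67 --dport 68 -j ACCEPT
# 1. eth0: the only connection the Internet may start is a ping
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

apply_rules() {
    gen_rules | sh -e
}

# Checks on the generated text, runnable without root.
count_rules() {
    gen_rules | grep -c '^iptables'
}

has_rule() {
    gen_rules | grep -q -- "$1"
}
```

The explicit 67-to-68 rule is kept because broadcast DHCP replies do not always match conntrack; note also that dhclient sends its initial DISCOVER/REQUEST over a raw socket, which iptables never sees, so the rule matters mostly for unicast renewals.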

  3. #3
    Just Joined!
    Join Date
    Dec 2013
    Posts
    2
    Thank you, good link. I will study.

  5. #4
    Linux Newbie
    Join Date
    Jan 2013
    Location
    Argentina
    Posts
    122
    No problem. Glad I could help.
