Help with IP Tables?

**Tyson87** · 04-23-2010

Hello all, im currently doing an assigment for university and im quite inexperienced with Linux and im trying to set up a correct set of parameters for the IP tables. Surprisingly, im really starting to prefer it to windows now that i can see all the possibilities! just seems to require a steep learning curve at times! anyways, if you can have a look at my configs and tell me if they look alright then that would be great. Thanks in advance.

these are the requirements :

• FIREWALL – produce a report containing an iptable firewall definition for a system requiring the following features:
o Full egress and ingress filtering (i.e. defaults are all REJECT)
o The machine has only one network connection, eth0.
o The machine runs ssh, telnet, apache, and qmail.
o It should be able to surf the web, send email, and make DNS lookups.
o The apache user should not be allowed to surf the web
o You should make the rest of the rules as security focused (and sensible) as possible.
As part of this section, you should document your approach to the firewall, discuss any issues which arise, and annotate your specification. Draw suitable conclusions concerning your approach.

These are my Configurations :

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD REJECT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport telnet -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport http -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport smtp -j ACCEPT

iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p tcp --sport http -m owner --uid-owner=apache -j DROP
iptables -A OUTPUT -m state --state NEW -p tcp --dport smtp -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p tcp --dport http -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p udp --dport dns -j ACCEPT

**nmset** · 04-24-2010

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD REJECT

should be last in your script.

The restriction on the apache user should be

--dport http

. Perhaps the NEW state is superfluous, but I'm not sure. There are perhaps other tweaks to do, iptables gurus will help you out.

**coopstah13** · 04-24-2010

why should those go last, iptables reads and applies rules in the order it reads them, meaning that those would override everything opened beforehand

***Irithori*** · 04-24-2010

-P is the default policy per table, they are evaluated after all the others anyway.
So imho there is only a subtle difference if they are at the beginning or end of the script.

If the default policy is deny/reject and at the beginning
and the script then would have a syntax error right after the table flush,
you are locked out.

**Tyson87** · 04-26-2010

Originally Posted by Irithori

-P is the default policy per table, they are evaluated after all the others anyway.
So imho there is only a subtle difference if they are at the beginning or end of the script.

If the default policy is deny/reject and at the beginning
and the script then would have a syntax error right after the table flush,
you are locked out.

Thanks for the replies, i thought since i added the exceptions then i shouldnt be locked out?

***Irithori*** · 04-26-2010

Your script wont lock you out.

I was merely saying:
If there would be a syntax error *after* the default policies are set to deny
but *before* the exceptions, then you would be locked out.

Sorry, for causing confusion.

Thread Tools

Display

Help with IP Tables?

Posting Permissions