  1. #1 (original poster, joined Apr 2010)

    Help with iptables?

    Hello all, I'm currently doing an assignment for university and I'm quite inexperienced with Linux. I'm trying to set up a correct set of parameters for iptables. Surprisingly, I'm really starting to prefer it to Windows now that I can see all the possibilities! It just seems to require a steep learning curve at times. Anyway, if you can have a look at my configs and tell me if they look alright, that would be great. Thanks in advance.

    These are the requirements:


    FIREWALL: produce a report containing an iptables firewall definition for a system requiring the following features:
    o Full egress and ingress filtering (i.e. defaults are all REJECT)
    o The machine has only one network connection, eth0.
    o The machine runs ssh, telnet, apache, and qmail.
    o It should be able to surf the web, send email, and make DNS lookups.
    o The apache user should not be allowed to surf the web
    o You should make the rest of the rules as security focused (and sensible) as possible.
    As part of this section, you should document your approach to the firewall, discuss any issues which arise, and annotate your specification. Draw suitable conclusions concerning your approach.


    These are my configurations:

    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD

    # Default policies. REJECT is not a valid chain policy (iptables -P only
    # accepts built-in targets such as ACCEPT and DROP), so FORWARD gets DROP too.
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # Loopback: qmail and apache talk to local daemons over lo, so this must be open.
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --dport ssh -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --dport telnet -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --dport http -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --dport smtp -j ACCEPT

    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Apache must not surf: match the destination port (--dport) of new connections
    # owned by the apache user, and keep this rule above the general http ACCEPT below
    # (first match wins). The original line used --sport, which matches the source
    # port and never fires for an outbound web request.
    iptables -A OUTPUT -m state --state NEW -p tcp --dport http -m owner --uid-owner apache -j DROP
    iptables -A OUTPUT -m state --state NEW -p tcp --dport smtp -j ACCEPT
    iptables -A OUTPUT -m state --state NEW -p tcp --dport http -j ACCEPT
    # DNS: /etc/services names port 53 "domain", not "dns" (--dport dns is refused as
    # an invalid service). TCP is needed as well for answers over 512 bytes.
    iptables -A OUTPUT -m state --state NEW -p udp --dport domain -j ACCEPT
    iptables -A OUTPUT -m state --state NEW -p tcp --dport domain -j ACCEPT

  2. #2 (Linux User, France)

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD REJECT
    should be last in your script.

    The restriction on the apache user should be --dport http. Perhaps the NEW state is superfluous, but I'm not sure. There are perhaps other tweaks to do; iptables gurus will help you out.

  3. #3 (coopstah13)

    Why should those go last? iptables reads and applies rules in the order it reads them, meaning that those would override everything opened beforehand.

  4. #4 (Irithori)

    -P is the default policy per table; they are evaluated after all the others anyway.
    So IMHO there is only a subtle difference between putting them at the beginning or at the end of the script.

    If the default policy is deny/reject and at the beginning,
    and the script then has a syntax error right after the table flush,
    you are locked out.

  5. #5 (original poster)

    Quoting Irithori:
        -P is the default policy per table; they are evaluated after all the others anyway.
        So IMHO there is only a subtle difference between putting them at the beginning or at the end of the script.

        If the default policy is deny/reject and at the beginning,
        and the script then has a syntax error right after the table flush,
        you are locked out.

    Thanks for the replies. I thought that since I added the exceptions I shouldn't be locked out?

  6. #6 (Irithori)

    Your script won't lock you out.

    I was merely saying:
    if there were a syntax error *after* the default policies are set to deny
    but *before* the exceptions, then you would be locked out.

    Sorry for causing confusion.

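The following is an added example for this thread, not code from any of the posters: it builds the assignment's ruleset (post #1) as an iptables-restore(8) file, checks the ordering that matters before loading, and loads it with a rollback timer. Because iptables-restore commits the whole table in one step, the window Irithori describes in posts #4 and #6 (DROP policies already set, exceptions not yet added) never exists, however the script is ordered. Assumed, not taken from the thread: port 443 counts as "surfing", the apache user is denied all new outbound connections rather than only port 80, the rate limits and the LOGREJECT chain name are this example's choice, and iptables 1.4 or later is available for the conntrack match and `iptables-restore --test`. The interface eth0 and the user name apache come from post #1 and can be overridden through the environment.

```shell
#!/bin/bash
# Added example, not a poster's script. Generates, checks and safely loads
# the assignment's firewall via iptables-restore (one atomic commit).
# Assumptions: single interface eth0, Apache runs as user "apache" (both
# overridable), 443 counts as web surfing, rate limits are our own choice.

IFACE=${IFACE:-eth0}
WEB_USER=${WEB_USER:-apache}

# Print the complete ruleset. Lines starting with # are accepted by iptables-restore.
gen_ruleset() {
    cat <<EOF
*filter
# -P only accepts built-in targets, so DROP is the policy; the explicit
# LOGREJECT tail on each chain provides the "defaults are REJECT" behaviour.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGREJECT - [0:0]
# Loopback first: qmail and apache talk to local daemons over lo.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $IFACE -s 127.0.0.0/8 -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Ingress: only the services the box runs; ssh is rate limited against brute force.
-A INPUT -i $IFACE -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 10 -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 23 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $IFACE -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
# Egress: the apache user gets no new outbound connections at all (stricter than
# "no surfing"; it also stops a reverse shell from a compromised CGI). First match
# wins, so this rule has to sit above the generic web ACCEPTs.
-A OUTPUT -o $IFACE -m owner --uid-owner $WEB_USER -j LOGREJECT
-A OUTPUT -o $IFACE -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# DNS over UDP and TCP (answers over 512 bytes are retried over TCP).
-A OUTPUT -o $IFACE -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $IFACE -p icmp --icmp-type echo-request -j ACCEPT
# Everything else is logged (rate limited) and actively rejected.
-A INPUT -j LOGREJECT
-A FORWARD -j LOGREJECT
-A OUTPUT -j LOGREJECT
-A LOGREJECT -m limit --limit 5/min -j LOG --log-prefix "fw-reject: "
-A LOGREJECT -p tcp -j REJECT --reject-with tcp-reset
-A LOGREJECT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Static checks before loading: no REJECT policy line, loopback is allowed,
# and the owner-match rule for apache is placed above the generic web ACCEPT.
check_ruleset() {
    local rules lo own web
    rules=$(gen_ruleset)
    printf '%s\n' "$rules" | grep -q '^:[A-Z]* REJECT' && return 1
    lo=$(printf '%s\n' "$rules" | grep -n -e '-A INPUT -i lo -j ACCEPT' | cut -d: -f1)
    own=$(printf '%s\n' "$rules" | grep -n -e '--uid-owner' | cut -d: -f1)
    web=$(printf '%s\n' "$rules" | grep -n -e '-A OUTPUT.*--dport 80 ' | cut -d: -f1)
    [ -n "$lo" ] && [ -n "$own" ] && [ -n "$web" ] && [ "$own" -lt "$web" ]
}

# Load atomically, keep the previous rules, and revert unless confirmed within
# $1 seconds (default 60): if the new rules cut off your ssh session, the old
# ones come back on their own. Run as root.
apply_ruleset() {
    local timeout=${1:-60} old
    check_ruleset || { echo "ruleset failed checks, not loading" >&2; return 1; }
    old=$(mktemp) || return 1
    iptables-save >"$old" || return 1
    gen_ruleset | iptables-restore --test || return 1   # parse only, no commit
    gen_ruleset | iptables-restore || return 1
    echo "New rules loaded; press Enter within ${timeout}s to keep them."
    if read -r -t "$timeout" _; then
        rm -f "$old"; echo "kept."
    else
        iptables-restore <"$old"; echo "no confirmation, old rules restored" >&2; return 1
    fi
}

case "$1" in
    gen)   gen_ruleset ;;
    check) check_ruleset && echo "ruleset OK" ;;
    apply) apply_ruleset "$2" ;;
esac
```

Run `./fw.sh check` first, then `./fw.sh apply 60` from an ssh session: if the session survives, press Enter to keep the rules; if it dies, the saved rules are restored after the timeout. The `--uid-owner` name is resolved when the file is loaded, so the apache account must exist on the box; the ESTABLISHED,RELATED rule above the owner rule is what lets apache keep answering its own clients.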