Rookie's iptables configuration:
Here's the problem.
I've been trying to patch up my own iptables-configuration for some days now, but I'm lacking skills and advice.
So here's my setup and what I basically want my iptables to do:
Desktop (Ubuntu/Windows 2000) <--cat5--> Server (Debian)+HP printer <--cat5--> ADSL and the Internet
1. The Desktop would be connected to the Server with a cross-linked RJ-45-cable. The Server would put the Desktop under NAT and if it could just filter out some basic stuff (like Blaster-worm attacks to ports 137 etc.) - so much the better. The Desktop would also have it's own software-based firewall.
2. The Server would also be hosting apache2, vsftpd etc. so I would want those ports to be open, but everything other incoming traffic to any other ports than 21, 80 etc. would be blocked. eth0 is connected to Internet and eth1 would be connected to the Desktop.
Here is a full list of what incoming traffic should be permitted behalf of the Server: [syntax: name (port, protocols)]
Quote:
* SSH (22, tcp/udp)
* NTP (123, tcp/udp)
* WWW (80:443, tcp/udp)
* apt (21:80, tcp/udp)
* wget (20:21:80:443, tcp/udp)
* FTP (20:21, tcp/udp)
* IRC (6667, tcp)
* E-Mail (No need for implementing this yet, 'cause I'm not running a mailbox-system :>)
I'm not certain if all the stuff require both TCP/UDP, but... just in case.
Also if I need something open for DHCP, then that should be open... right?
And because I'm running cups/Samba on the Server, I would want it to be as if everyone from certain IPs (the ones coming from LAN) could use the printer and other IPs would be prohibited of printing.
And here's something incoming traffic (for both server and desktop) what should be blocked by firewall:
Quote:
* Ports 137, 138, 139 - both TCP/UDP
* Port 445, 593 - both TCP/UDP
* Samba-related ports. Everyone else but certain IPs.
* Pingflood (only 1/sec)
... and behold. Below is my iptables-conf atm. Made from scratch mostly by using tutorials & other people configs. I haven't even tested it yet, since I'm sure it won't work. Thus it needs really much fixing.
Code:
# the nat-traffic that is meant to be forwarded for desktop :<
-A INPUT -i eth0 -m state --state ! ESTABLISHED,RELATED -j DROP
-t nat -A POSTROUTING -o eth0 -j MASQUERADE
# hmm... if i got correct, then this is the one needed for automatic fetching of ip, or so... :p
-A INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
# the permitted incoming traffic... but it would be necessarry that i could use the same ports for outgoing traffic. meaning that my box starts fe. a new http-clientside connection
-A INPUT -p tcp -m tcp --dport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 80 -j ACCEPT
# i was told that this was unnecessary
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
# everything outgoing to other ports should be prohibited as well...
# the next line would block any traffic coming to other ports and log it...
-A INPUT -m multiport ! --ports 20:21:22:80:113:123:443 -j LDROP
# don't have idea about this one.
-A INPUT -i lo -j ACCEPT
# ping-requests allowed. only 1/sec allowed. thus icmp-echo-reply (pong) should be also permitted.
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# logging ****
-A LDROP -p tcp -m limit --limit-burst 3/sec -j LOG --log-prefix "iptables: TCP Dropped " --log-level 6
-A LDROP -p udp -m limit --limit-burst 3/sec -j LOG --log-prefix "iptables: UDP Dropped " --log-level 6
-A LDROP -p icmp -m limit --limit-burst 3/sec -j LOG --log-prefix "iptables: ICMP Dropped " --log-level 6
-A LDROP -f -m limit --limit-burst 3/sec -j LOG --log-prefix "iptables: FRAGMENT Dropped "
-A LDROP -j DROP
Any given help is welcome and warmly accepted.
Greetings,
-d