#11 Lazydog

    Quote Originally Posted by parihar
    Thanks for the link Lazydog... I guess I need type 0 (reply) and 8 (request) for pinging purposes.

    As for my iptables configuration, I'm sorry I wasn't specific about what I was trying to do. What you guys showed me works; unfortunately I am just trying to open only a few outbound connections and a few inbound connections. Each connection should have specific parameters. For example:

    On my laptop I want to web browse (I am just showing port 80 but there will be more: 443, 20, 21 to add some FTP access, etc.):

    # HTTP - for normal web browsing
    # (the match modules and --state come before the -j target)
    iptables -A INPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT


    but then I want to be able to ssh into and from this machine:

    # SSH
    iptables -A INPUT -p tcp -m tcp --sport 3242 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 3242 -m state --state NEW,ESTABLISHED -j ACCEPT


    So what I am trying to achieve is separate state parameters for each port number. I hope this explains my mind set a little bit.
    OK, place these two rules at the top of your script.

    Code:
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    Now all you have to worry about are the new connections you would like to have either leave or arrive at the system. You could then do something like this:

    Code:
    iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    And so on.

    Quote Originally Posted by RDU
    Lazydog: This will work but it's VERY (too much) open. It's never a good idea to open too much output.
    I can agree with this. I like to lock down everything and then open what is needed.

    Regards
    Robert

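Putting the two-rule approach from the post above into one complete, loadable script, as an added example (this is not code from any post in the thread). It assumes a single host rather than a router, takes the SSH port 3242 from parihar's example, and uses a constructed LAN range of 192.168.1.0/24; the IPT, SSH_PORT and LAN variables are this example's own, introduced so the script can be previewed without touching the kernel.

```shell
#!/bin/sh
# Added example, not code from the thread: a default-deny ruleset built the
# way Lazydog describes. The two ESTABLISHED,RELATED rules go first, so every
# later rule only has to decide which NEW connections may start.
# Assumptions (not from the original posts): SSH listens on 3242 as in
# parihar's example, the LAN is 192.168.1.0/24 (constructed), single host.
IPT="${IPT:-iptables}"           # set IPT=echo to dry-run and print the rules
SSH_PORT="${SSH_PORT:-3242}"
LAN="${LAN:-192.168.1.0/24}"

# Flush everything so the script is idempotent. Policies go back to ACCEPT
# first: flushing while the policies are DROP kills the SSH session you are
# probably running this from.
flush_rules() {
    for chain in INPUT FORWARD OUTPUT; do $IPT -P "$chain" ACCEPT; done
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
}

apply_rules() {
    # Default deny in all three directions.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback is unconditionally allowed; many daemons talk to 127.0.0.1.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # The two rules from Lazydog's reply: anything belonging to a connection
    # conntrack already knows about is accepted in either direction. Replies
    # to our web, DNS and SSH traffic, and to our pings, all match here, so no
    # per-port ESTABLISHED rules are needed.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot classify (out-of-window ACKs, odd scans) are
    # dropped before they can reach any NEW rule.
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Outbound NEW connections, one rule per service actually used.
    # FTP data channels become RELATED once nf_conntrack_ftp is loaded.
    for port in 80 443 21 "$SSH_PORT"; do
        $IPT -A OUTPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # Inbound NEW connections: only SSH, only from the LAN, and no more than
    # three new sessions a minute (the limit match slows brute forcing).
    $IPT -A INPUT -p tcp -s "$LAN" --dport "$SSH_PORT" -m state --state NEW \
         -m limit --limit 3/min --limit-burst 3 -j ACCEPT

    # ICMP: type 8 (echo-request) in and out. Type 0 (echo-reply) needs no
    # rule of its own because conntrack matches it as ESTABLISHED above.
    $IPT -A INPUT  -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Log what falls through, rate limited so a scan cannot fill the disk,
    # then drop explicitly rather than relying on the policy alone.
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "
    $IPT -A INPUT  -j DROP
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "
    $IPT -A OUTPUT -j DROP
}

# Run as: sudo ./firewall.sh --apply   (IPT=echo ./firewall.sh --apply previews)
if [ "${1:-}" = "--apply" ]; then
    flush_rules
    apply_rules
fi
```

Preview the generated rules with IPT=echo before loading them as root. On current kernels `-m state` is an alias for `-m conntrack --ctstate`, so the same script works with either spelling. Note that `-m limit` is a single global bucket, so one noisy client can exhaust the SSH allowance for everyone; use `-m hashlimit` or `-m recent` if you want a per-source throttle.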

#12 codge
    Hi, did you get it sorted? This is my iptables firewall; it's still a work in progress but it works OK.

    Code:
    #!/bin/sh
    ###############################################################
    ### Remove all previous rules, and delete any user defined chains ###
    # Flush (-F) before deleting chains (-X): a chain that is still referenced cannot be deleted
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    
    ###############################################################
    ### Set the default policies to drop ###
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    
    ###############################################################
    ### Define interfaces here ###
    # Enter the designation for the internal interface
    INTIF=eth0
    # Enter the IP address of the internal interface
    INTIP=192.***.*.**/24
    # Enter the designation for the external interface
    EXTIF=eth1
    # Enter the IP address of the external interface
    EXTIP=86.***.***.**
    
    ###############################################################
    ### BAD GUYS (Block Source IP Address) ###
    #iptables -A INPUT -s 82.94.249.158 -j DROP
    ###porn-hub###
    iptables -A INPUT -s 146.82.202.179 -j DROP
    iptables -A INPUT -s 146.82.202.170 -j DROP
    iptables -A INPUT -s 146.82.203.166 -j DROP
    iptables -A INPUT -s 146.82.203.203 -j DROP
    iptables -A INPUT -s 146.82.203.243 -j DROP
    iptables -A INPUT -s 146.82.202.180 -j DROP
    iptables -A INPUT -s 146.82.203.228 -j DROP
    iptables -A INPUT -s 146.82.203.242 -j DROP
    iptables -A INPUT -s 146.82.204.113 -j DROP
    iptables -A INPUT -s 146.82.200.125 -j DROP
    iptables -A INPUT -s 146.82.203.230 -j DROP
    iptables -A INPUT -s 146.82.202.154 -j DROP
    iptables -A INPUT -s 146.82.204.17 -j DROP
    iptables -A INPUT -s 146.82.204.131 -j DROP
    iptables -A INPUT -s 146.82.204.35 -j DROP
    iptables -A INPUT -s 146.82.202.169 -j DROP
    iptables -A INPUT -s 146.82.204.47 -j DROP
    
    ###############################################################
    ### INBOUND Rule: Allow packets on the internal interface that belong to an existing connection ###
    iptables -A INPUT -i "$INTIF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    ###############################################################
    ### Allow all packets from the localhost interface, lo, so the machine can talk to itself ###
    iptables -A INPUT -i lo -j ACCEPT
    
    ###############################################################
    ### Drop broken packets (TCP flag combinations that never occur in a legitimate handshake) ###
    iptables -A INPUT -i "$INTIF" -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    iptables -A INPUT -i "$INTIF" -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    iptables -A INPUT -i "$INTIF" -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A INPUT -i "$INTIF" -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
    iptables -A INPUT -i "$INTIF" -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
    iptables -A INPUT -i "$INTIF" -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
    
    ###############################################################
    ### INBOUND Rules: Allow ONLY NEW packets on these ports ###
    # Web browser and shell use port 80 #
    iptables -A INPUT -i "$INTIF" -s "$INTIP" -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -i "$INTIF" -s "$INTIP" -p tcp --dport 123 -j ACCEPT
    iptables -A INPUT -i "$INTIF" -s "$INTIP" -p tcp --dport 443 -j ACCEPT
    
    ###############################################################
    ### If you are using squid, uncomment this to enable the transparent REDIRECT ###
    # Squid Transparent Proxy: Enable rule for transparent proxy redirection #
    # Redirect all WWW (port 80) packets arriving on the internal interface to the Squid server on port 3128 #
    #iptables -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 80 -j REDIRECT --to-port 3128
    
    ###############################################################
    ### Don't allow any ICMP traffic (optional) - IN, OUT and THROUGH ###
    iptables -A INPUT -p icmp --icmp-type any -j DROP
    iptables -A OUTPUT -p icmp --icmp-type any -j DROP
    iptables -A FORWARD -p icmp --icmp-type any -j DROP
    
    ##############################################################
    ### Output filters ###
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
    
    ###############################################################
    ### Log everything that reaches the end of the chain (required for psad) ###
    iptables -A INPUT -j LOG
    iptables -A FORWARD -j LOG
    
    ###############################################################
    ### If you have fwsnort installed ###
    # fwsnort translates Snort signatures into iptables rules and writes /etc/fwsnort/fwsnort.sh;
    # run it, then load the generated script
    fwsnort
    /etc/fwsnort/fwsnort.sh
