About iptables rules

How do I modify the INPUT chain so that only the intended services are visible?

Ports 20 and 80 are now open. I have an ssh client and server installed. The server can be remote-accessed by workstations and vice versa.

Quote:

  • Your OUTPUT chain can probably be left wide open with a default policy of ACCEPT and no additional rules. At least for now, given the circumstances you've explained.
  • Or should I make the rule as
    Code:

    iptables -A OUTPUT -p icmp --icmp-type 8 -s 192.168.0.10 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ???

    TIA


    B.R.
    satimis
  • 08-25-2007
    anomie
    Back up your old script and try this.

    Code:

    #!/bin/bash

    TRUSTEDNET=192.168.0.0/24

    # Flush rules
    iptables -F

    # INPUT

    # Allow loopback traffic
    iptables -A INPUT -i lo -j ACCEPT

    # Allow established connections
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Allow new ssh connections from trusted net
    iptables -A INPUT -m state --state NEW -s ${TRUSTEDNET} -p tcp --dport 22 -j ACCEPT

    # Allow new http connections from anywhere
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

    # Allow new https connections from anywhere
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

    # Drop all else by default
    iptables -A INPUT -j DROP

    # Set default policies
    iptables -P INPUT ACCEPT
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    Notes:
    • Change TRUSTEDNET to the IP (or subnet) that you want to have access to sshd.
    • Add more restrictive OUTPUT chain rules as needed, once you've established what is legitimate outbound traffic in your situation.
    • I'd suggest hardening sshd further rather than relying only on packet filtering rules.
    • You're going to need to forward ports from your router/NAT device to the appropriate ports on your LAMP server.
    • And the list goes on...


    I'd recommend really knowing what you're doing before opening this up to the web, or else you're just another target waiting to get "pwned".

    Please read and understand the manpages for iptables(8) so that you can set up rules based on your own needs.
  • 08-26-2007
    satimis
    Hi anomie,

    Quote:

    Back up your old script and try this.


    $ sudo mv /etc/rc.local /etc/rc.local.old
    $ sudo touch /etc/rc.local

    Copied your sample into "rc.local".


    $ sudo /etc/rc.local start

    $ sudo iptables -L
    Code:

    Chain INPUT (policy ACCEPT)
    target    prot opt source              destination
    ACCEPT    0    --  anywhere            anywhere
    ACCEPT    0    --  anywhere            anywhere            state RELATED,ESTABLISHED
    ACCEPT    tcp  --  192.168.0.0/24      anywhere            state NEW tcp dpt:ssh
    ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:www
    ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:https
    DROP      0    --  anywhere            anywhere

    Chain FORWARD (policy DROP)
    target    prot opt source              destination

    Chain OUTPUT (policy ACCEPT)
    target    prot opt source              destination

    It hung here for a while
    Code:

    ACCEPT    0    --  anywhere            anywhere            state RELATED,ESTABLISHED

    before printing out the rest.

    $ ping -c3 yahoo.com
    Code:

    PING yahoo.com (66.94.234.13) 56(84) bytes of data.
    64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=1 ttl=53 time=180 ms
    64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=2 ttl=52 time=179 ms
    64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=3 ttl=53 time=180 ms

    --- yahoo.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2009ms
    rtt min/avg/max/mdev = 179.378/180.043/180.387/0.470 ms

    It worked.


    Quote:

    I'd recommend really knowing what you're doing before opening this up to the web, or else you're just another target waiting to get "pwned".

    Noted. This is a test machine, not running 24 hours a day.


    Others noted, with thanks.


    B.R.
    satimis
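The behaviour of the chains discussed in this thread (anomie's script, the OUTPUT ICMP rule satimis asked about in the opening post, and the ping test that "worked"), as an added example that is not part of the thread and not anyone's production ruleset: a small Python model of netfilter's first-match chain evaluation with a minimal stand-in for connection tracking. It runs offline against constructed packets and never touches iptables. The values 192.168.0.0/24, 192.168.0.10 and 66.94.234.13 come from the thread; the workstation address 192.168.0.5, the outside address 203.0.113.7 and the source ports are constructed. The model goes one step beyond the posts by showing two things a practitioner checks before relying on such a script: a rule appended after the catch-all DROP is never reached, and because the script leaves the INPUT policy at ACCEPT, the host accepts everything between `iptables -F` and the re-appending of the rules (a policy of DROP closes that window). The pause satimis saw in `iptables -L` is the reverse-DNS lookup of the listed addresses, which `iptables -L -n` skips; the model below performs no lookups.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

TRUSTEDNET = "192.168.0.0/24"   # value from the script in the thread
HOST = "192.168.0.10"           # the server's own address, from the opening post


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None  # 8 = echo request, 0 = echo reply
    icmp_id: Optional[int] = None    # echo id that pairs a request with its reply
    iface: str = "eth0"              # interface the packet arrives on


@dataclass(frozen=True)
class Rule:
    target: str                              # "ACCEPT" or "DROP"
    proto: Optional[str] = None              # -p
    src: Optional[str] = None                # -s (CIDR)
    dport: Optional[int] = None              # --dport
    iface: Optional[str] = None              # -i
    states: Optional[FrozenSet[str]] = None  # -m state --state


def flow_key(p: Packet):
    """Direction-independent key, so a reply maps to the flow of its request."""
    if p.proto == "icmp":
        return ("icmp", frozenset({p.src, p.dst}), p.icmp_id)
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


class Conntrack:
    """Minimal stand-in for nf_conntrack: a flow is known once one of its packets was accepted."""

    def __init__(self):
        self.flows = set()

    def state(self, p: Packet) -> str:
        # RELATED (e.g. ICMP errors belonging to a known flow) is deliberately not modelled
        return "ESTABLISHED" if flow_key(p) in self.flows else "NEW"

    def confirm(self, p: Packet) -> None:
        self.flows.add(flow_key(p))


def matches(r: Rule, p: Packet, state: str) -> bool:
    """Every match option on the rule must hold; unset options match anything."""
    if r.iface is not None and r.iface != p.iface:
        return False
    if r.proto is not None and r.proto != p.proto:
        return False
    if r.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(r.src):
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    if r.states is not None and state not in r.states:
        return False
    return True


def evaluate(chain: List[Rule], policy: str, p: Packet, ct: Conntrack) -> str:
    """First matching rule wins; the chain policy applies when no rule matches."""
    state = ct.state(p)
    verdict = policy
    for r in chain:
        if matches(r, p, state):
            verdict = r.target
            break
    if verdict == "ACCEPT":
        ct.confirm(p)  # an accepted packet makes its flow ESTABLISHED for later packets
    return verdict


# The INPUT chain exactly as the script appends it (policy ACCEPT, explicit DROP last)
INPUT_CHAIN = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", proto="tcp", src=TRUSTEDNET, dport=22, states=frozenset({"NEW"})),
    Rule("ACCEPT", proto="tcp", dport=80, states=frozenset({"NEW"})),
    Rule("ACCEPT", proto="tcp", dport=443, states=frozenset({"NEW"})),
    Rule("DROP"),
]
OUTPUT_CHAIN: List[Rule] = []  # the script leaves OUTPUT empty with policy ACCEPT


def run_scenarios() -> dict:
    """Constructed packets against the script's chains; returns scenario name -> verdict."""
    ct = Conntrack()
    lan = "192.168.0.5"        # constructed: a trusted workstation
    internet = "203.0.113.7"   # constructed: a host outside the trusted net
    yahoo = "66.94.234.13"     # the address from the ping test in the thread
    r = {}
    r["ssh_from_lan"] = evaluate(INPUT_CHAIN, "ACCEPT", Packet(lan, HOST, "tcp", 40000, 22), ct)
    r["ssh_from_internet"] = evaluate(INPUT_CHAIN, "ACCEPT", Packet(internet, HOST, "tcp", 40001, 22), ct)
    r["http_syn_from_internet"] = evaluate(INPUT_CHAIN, "ACCEPT", Packet(internet, HOST, "tcp", 40002, 80), ct)
    # a later segment of the same web connection: matched by the ESTABLISHED rule, not the NEW one
    r["http_data_from_internet"] = evaluate(INPUT_CHAIN, "ACCEPT", Packet(internet, HOST, "tcp", 40002, 80), ct)
    # outbound ping (OUTPUT policy ACCEPT) followed by its echo reply (ESTABLISHED on INPUT)
    r["echo_request_out"] = evaluate(OUTPUT_CHAIN, "ACCEPT", Packet(HOST, yahoo, "icmp", icmp_type=8, icmp_id=77), ct)
    r["echo_reply_in"] = evaluate(INPUT_CHAIN, "ACCEPT", Packet(yahoo, HOST, "icmp", icmp_type=0, icmp_id=77), ct)
    # an unsolicited echo request from outside belongs to no flow, so it falls through to the catch-all DROP
    r["unsolicited_echo_in"] = evaluate(INPUT_CHAIN, "ACCEPT", Packet(internet, HOST, "icmp", icmp_type=8, icmp_id=5), ct)
    # a rule appended after the catch-all DROP is unreachable
    late = INPUT_CHAIN + [Rule("ACCEPT", proto="tcp", dport=8080, states=frozenset({"NEW"}))]
    r["port8080_appended_after_drop"] = evaluate(late, "ACCEPT", Packet(internet, HOST, "tcp", 40003, 8080), ct)
    # right after 'iptables -F' with policy ACCEPT the chain is empty and everything is accepted
    r["ssh_from_internet_after_flush"] = evaluate([], "ACCEPT", Packet(internet, HOST, "tcp", 40004, 22), ct)
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:32} {verdict}")
```

Running the block prints one verdict per scenario. The echo reply is accepted only because the outbound request was seen first, which is why the OUTPUT ICMP rule from the opening post is unnecessary while the OUTPUT policy is ACCEPT, and why an unsolicited echo request from outside is dropped. The last two scenarios are the ones worth carrying over to the real script: never append service rules after the catch-all DROP (insert them with `-I` or rebuild the chain), and prefer `iptables -P INPUT DROP` so that a flush fails closed.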