comp.os.linux.security-some_iptables_discussions

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



From: garrut@xs4all.nl (Garrut)
Newsgroups: comp.os.linux.security
Subject: help needed with iptables...
Date: 10 Feb 2003 03:09:23 -0800

I want to build a firewall using iptables. I want to block all ports
from the outside except the SSH, POP, IMAP and SMTP ports. From the
inside everything is allowed. Also there is one computer that should
be able to access the internet, but not the internal network, that
computer should also have limited bandwidth. Iptables is already
running on the server with the following rules put in rc.local:

IPTABLES=/usr/sbin/iptables
EXTIF="eth0"
INTIF="eth1"
/sbin/depmod -a

/sbin/insmod ip_tables
/sbin/insmod ip_conntrack
/sbin/insmod ip_conntrack_ftp
/sbin/insmod ip_conntrack_irc
/sbin/insmod iptable_nat
/sbin/insmod ip_nat_ftp

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

$IPTABLES -F 
$IPTABLES -X 
$IPTABLES -Z 

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT 
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT 
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD 
$IPTABLES -t nat -F

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

$IPTABLES -A FORWARD -j LOG
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

These rules should probably be applied too since someone put them in
there for some reason.

What's the best way to do this? Any help would be appreciated.
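The rc.local above sets the INPUT policy to ACCEPT and adds no INPUT rules, so nothing is blocked on the gateway itself; only forwarded traffic is filtered. The script below is an added example (not the poster's script and not a reply from the thread) of a rule set that meets the four requirements in the question. Two things the question does not say: a bandwidth cap is not an iptables feature but tc's, so the last part uses HTB classes with an fwmark set by iptables; and "internet but not the internal network" can only be enforced by the gateway if the restricted host is not on the same Ethernet segment as the LAN, because hosts on one segment talk to each other without the gateway ever seeing the packets. The example therefore assumes that host is alone on a third interface, eth2; the interface names, the 192.168.1.0/24 LAN, the 256 kbit/s cap and the 100 Mbit link rate are assumptions, not from the post. Commands are printed rather than executed unless APPLY=1 is set, so the rule set can be reviewed first.

```shell
#!/bin/sh
# Added example, not the poster's rc.local: gateway that accepts only SSH, SMTP,
# POP3 and IMAP from the outside, everything from the LAN, and gives one host
# internet access only, rate-limited. Assumed (not in the original post): the
# restricted host sits alone on eth2, the cap is 256 kbit/s each way.
set -e

EXTIF="${EXTIF:-eth0}"            # internet
INTIF="${INTIF:-eth1}"            # trusted LAN
RSTIF="${RSTIF:-eth2}"            # the internet-only host (assumed interface)
LINKRATE="${LINKRATE:-100mbit}"   # upstream link speed for the unrestricted class (assumed)
RATE="${RATE:-256kbit}"           # cap for the restricted host (assumed)
IPTABLES=/usr/sbin/iptables
TC=/sbin/tc

# run CMD...: execute when APPLY=1, otherwise print the command on one line.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# sysctl_set NAME VALUE: kernel knobs a gateway needs (forwarding on, redirects off).
sysctl_set() {
    if [ "${APPLY:-0}" = "1" ]; then echo "$2" > "/proc/sys/net/ipv4/$1"
    else printf 'echo %s > /proc/sys/net/ipv4/%s\n' "$2" "$1"; fi
}

build_rules() {
    sysctl_set ip_forward 1
    sysctl_set conf/all/accept_redirects 0
    sysctl_set conf/all/rp_filter 1
    sysctl_set conf/all/log_martians 1

    # Clean slate: flush every table, remove user chains, zero counters.
    for t in filter nat mangle; do run $IPTABLES -t $t -F; run $IPTABLES -t $t -X; done
    run $IPTABLES -Z

    # Default deny for traffic to and through the gateway; its own outbound is allowed.
    run $IPTABLES -P INPUT DROP
    run $IPTABLES -P FORWARD DROP
    run $IPTABLES -P OUTPUT ACCEPT

    # To the gateway itself: loopback, anything from the LAN, and replies to
    # connections the gateway or the LAN already opened.
    run $IPTABLES -A INPUT -i lo -j ACCEPT
    run $IPTABLES -A INPUT -i "$INTIF" -j ACCEPT
    run $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The only new connections accepted from the internet: SSH, SMTP, POP3, IMAP.
    for port in 22 25 110 143; do
        run $IPTABLES -A INPUT -i "$EXTIF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Log what the DROP policy is about to eat, rate-limited so a scan cannot flood syslog.
    run $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "

    # Through the gateway: LAN -> internet freely; restricted host -> internet only.
    # Its packets for the LAN are dropped explicitly; the DROP policy would catch
    # them anyway, but an explicit rule shows up with counters in iptables -L -v.
    run $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPTABLES -A FORWARD -i "$RSTIF" -o "$INTIF" -j DROP
    run $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    run $IPTABLES -A FORWARD -i "$RSTIF" -o "$EXTIF" -j ACCEPT
    run $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "

    # NAT for everything leaving towards the internet.
    run $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

    # Mark the restricted host's uploads before NAT rewrites their source, so the
    # tc filter on the external interface can still pick them out.
    run $IPTABLES -t mangle -A PREROUTING -i "$RSTIF" -j MARK --set-mark 2
}

# iptables cannot shape bandwidth; that is tc's job. Downloads are capped on the
# restricted host's own interface (it is the only host there, so one default class
# is enough); uploads are capped on the external interface via the fwmark above.
shape_rules() {
    run $TC qdisc del dev "$RSTIF" root 2>/dev/null || true
    run $TC qdisc add dev "$RSTIF" root handle 1: htb default 20
    run $TC class add dev "$RSTIF" parent 1: classid 1:20 htb rate "$RATE" ceil "$RATE"

    run $TC qdisc del dev "$EXTIF" root 2>/dev/null || true
    run $TC qdisc add dev "$EXTIF" root handle 1: htb default 10
    run $TC class add dev "$EXTIF" parent 1: classid 1:10 htb rate "$LINKRATE"
    run $TC class add dev "$EXTIF" parent 1: classid 1:20 htb rate "$RATE" ceil "$RATE"
    run $TC filter add dev "$EXTIF" parent 1: protocol ip prio 1 handle 2 fw flowid 1:20
}

build_rules
shape_rules
```

Run it once without APPLY to read the generated rules, then with APPLY=1 from rc.local. The ESTABLISHED,RELATED rule must come before the per-port rules so that replies to POP/IMAP sessions and FTP data connections are matched by state rather than by port.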

===
From: steve harris <steveharris1@hotmail.com>
Newsgroups: comp.os.linux.security
Subject: Re: help needed with iptables...
Date: Mon, 10 Feb 2003 08:07:55 -0600

Garrut wrote:

> I want to build a firewall using iptables. I want to block all ports
> from the outside except the SSH, POP, IMAP and SMTP ports. From the
> indide everything is allowed. Also there is one computer that should
> be able to access the internet, but not the internal network, that
> computer should also have limited bandwidth. Iptables is already
> running on the server with the following rules put in rc.local:
> 



http://www.newriders.com/content/images/0735710996/0735710996.jpg

1st edition is for ipchains and 2nd edition includes iptables.

I have both and they are complete for just about any service you want to 
run.

Steve

===
From: garrut@xs4all.nl (Garrut)
Newsgroups: comp.os.linux.security
Subject: Re: help needed with iptables...
Date: 20 Feb 2003 02:20:21 -0800

ok... so nobody can help me?

===
From: $kr1p7_k177y@salmahayeksknockers.edu
Newsgroups: comp.os.linux.security
Subject: comp.os.linux.security biweekly FAQ pointer 
Date: Sat, 15 Feb 2003 12:08:12 GMT

Welcome to comp.os.linux.security.  We ask that you please read the FAQ
before posting questions to the newsgroup.  Otherwise:  Look, listen, learn,
contribute, but above all, enjoy yourself and the interests you share with
the other denizens of the newsgroup.

This FAQ is intended to serve as a starting point for those new to the
newsgroup, but is also intended to be a survey of Linux security issues and
tools.

This FAQ is aimed at intermediate to experienced Linux users and is
intended to not only answer specific questions, but to also facilitate
further learning by providing pointers to other useful security resources.

This introduction/pointer will be posted to comp.os.linux.security
approximately every two weeks.

The latest version of this faq is 2.0, and can be downloaded from:

    http://www.linuxsecurity.com/docs/colsfaq.html

    http://www.memeticcandiru.com/colsfaq.html

===

From: Kasper Dupont <kasperd@daimi.au.dk>
Newsgroups: comp.os.linux.security
Subject: Re: iptables: block ip range
Date: Sun, 16 Feb 2003 13:45:45 +0100

Judy Morgann wrote:

> now i want to block *all* access from a whole ip-range (eg 135.100.x.x).
> is there a way to do it.

How about:
 -A INPUT -s 135.100.0.0/16 -j REJECT --reject-with icmp-host-unreachable

===

From: Judy Morgann <judymorgann@yahoo.com>
Newsgroups: comp.os.linux.security
Subject: iptables: block ip range
Date: Sun, 16 Feb 2003 12:44:30 -0500

i have an iptables script from linuxguruz.net running on our school-server.
the script masquerades the lan and blocks all access except http, ssh and 
ftp from the outside.
now i want to block *all* access from a whole ip-range (eg 135.100.x.x).
is there a way to do it?
i would very much appreciate it if somebody could show me a piece of code to insert.

===

From: "khobar" <pnixon18@cox.net>
Newsgroups: comp.os.linux.security
Subject: iptables help
Date: Wed, 19 Feb 2003 23:16:32 GMT

I have a configuration problem with iptables that is blocking Port 139
access between my two internal networks of the form:

Feb 19 15:52:00 Hostname kernel: Shorewall:all2all:REJECT:IN=wlan0 OUT=eth1 SRC=192.168.240.8 DST=192.168.1.5 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=29225 DF PROTO=TCP SPT=1567 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0

192.168.240.8 is the ip of my Win98SE laptop
192.168.1.5 is the ip of one of my Win98SE desktops

My /etc/sysconfig/iptables file:

# Generated by iptables-save v1.2.6a on Thu Feb  6 10:20:03 2003
*mangle
:PREROUTING ACCEPT [8167:3966338]
:INPUT ACCEPT [2998:1106603]
:FORWARD ACCEPT [5112:2856959]
:OUTPUT ACCEPT [1086:494740]
:POSTROUTING ACCEPT [6544:3405253]
:outtos - [0:0]
:pretos - [0:0]
-A PREROUTING -j pretos
-A OUTPUT -j outtos
-A outtos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
COMMIT
# Completed on Thu Feb  6 10:20:03 2003
# Generated by iptables-save v1.2.6a on Thu Feb  6 10:20:03 2003
*nat
:PREROUTING ACCEPT [712:89491]
:POSTROUTING ACCEPT [17:1191]
:OUTPUT ACCEPT [256:32499]
:eth0_masq - [0:0]
-A POSTROUTING -o eth0 -j eth0_masq
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j MASQUERADE
-A POSTROUTING -s 192.168.240.0/255.255.255.0 -j MASQUERADE
-A eth0_masq -s 192.168.1.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Thu Feb  6 10:20:03 2003
# Generated by iptables-save v1.2.6a on Thu Feb  6 10:20:03 2003
*filter
:INPUT DROP [4:1332]
:FORWARD DROP [3:144]
:OUTPUT DROP [0:0]
:all2all - [0:0]
:common - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:fw2masq - [0:0]
:fw2net - [0:0]
:icmpdef - [0:0]
:loc2net - [0:0]
:masq2fw - [0:0]
:masq2masq - [0:0]
:masq2net - [0:0]
:net2all - [0:0]
:newnotsyn - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:wlan0_fwd - [0:0]
:wlan0_in - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j eth0_in
-A INPUT -i eth1 -j eth1_in
-A INPUT -i wlan0 -j wlan0_in
-A INPUT -j common
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -j reject
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -i wlan0 -j wlan0_fwd
-A FORWARD -j common
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -j fw2net
-A OUTPUT -o eth1 -j fw2masq
-A OUTPUT -o wlan0 -j fw2masq
-A OUTPUT -j common
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -j reject
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j newnotsyn
-A all2all -j common
-A all2all -j LOG --log-prefix "Shorewall:all2all:REJECT:" --log-level 6
-A all2all -j reject
-A common -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A common -p icmp -j icmpdef
-A common -p tcp -m state --state INVALID -j DROP
#-A common -p udp -m udp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable
-A common -p udp -m udp --dport 445 -j REJECT --reject-with icmp-port-unreachable
#-A common -p tcp -m tcp --dport 135 -j DROP
-A common -p udp -m udp --dport 1900 -j DROP
-A common -d 255.255.255.255 -j DROP
-A common -d 224.0.0.0/240.0.0.0 -j DROP
-A common -p tcp -m tcp --dport 113 -j DROP
-A common -d 68.104.143.255 -j DROP
#-A common -d 192.168.1.255 -j DROP
#-A common -d 192.168.240.255 -j DROP
-A eth0_fwd -j dynamic
-A eth0_fwd -o eth1 -j net2all
-A eth0_fwd -o wlan0 -j net2all
-A eth0_in -j dynamic
-A eth0_in -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A eth0_in -j net2all
-A eth1_fwd -j dynamic
-A eth1_fwd -o eth0 -j masq2net
-A eth1_fwd -o wlan0 -j masq2masq
-A eth1_in -j dynamic
-A eth1_in -j masq2fw
-A fw2masq -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2masq -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j newnotsyn
-A fw2masq -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A fw2masq -p tcp -m state --state NEW -m tcp --dport 137 -j ACCEPT
-A fw2masq -p tcp -m state --state NEW -m tcp --dport 138 -j ACCEPT
-A fw2masq -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A fw2masq -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A fw2masq -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A fw2masq -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A fw2masq -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A fw2masq -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A fw2masq -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A fw2masq -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A fw2masq -p udp -m state --state NEW -m udp --dport 139 -j ACCEPT
-A fw2masq -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT
-A fw2masq -p udp -m state --state NEW -m udp --dport 443 -j ACCEPT
-A fw2masq -p udp -m state --state NEW -m udp --dport 110 -j ACCEPT
-A fw2masq -j all2all
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j newnotsyn
-A fw2net -j ACCEPT
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j newnotsyn
-A loc2net -j ACCEPT
-A masq2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A masq2fw -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j newnotsyn
-A masq2fw -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A masq2fw -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A masq2fw -p tcp -m state --state NEW -m tcp --dport 67 -j ACCEPT
-A masq2fw -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A masq2fw -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A masq2fw -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A masq2fw -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A masq2fw -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A masq2fw -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A masq2fw -p tcp -m state --state NEW -m tcp --dport 119 -j ACCEPT
-A masq2fw -p tcp -m state --state NEW -m tcp --dport 123 -j ACCEPT
-A masq2fw -p tcp -m state --state NEW -m tcp --dport 137 -j ACCEPT
-A masq2fw -p tcp -m state --state NEW -m tcp --dport 138 -j ACCEPT
-A masq2fw -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A masq2fw -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A masq2fw -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT
-A masq2fw -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A masq2fw -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A masq2fw -p udp -m state --state NEW -m udp --dport 139 -j ACCEPT
-A masq2fw -p udp -m state --state NEW -m udp --dport 443 -j ACCEPT
-A masq2fw -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A masq2fw -p udp -m state --state NEW -m udp --dport 143 -j ACCEPT
-A masq2fw -p udp -m state --state NEW -m udp --dport 110 -j ACCEPT
-A masq2fw -p udp -m state --state NEW -m udp --dport 25 -j ACCEPT
-A masq2fw -p udp -m state --state NEW -m udp --dport 119 -j ACCEPT
-A masq2fw -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
-A masq2fw -j all2all
-A masq2masq -m state --state RELATED,ESTABLISHED -j ACCEPT
-A masq2masq -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j newnotsyn
-A masq2masq -j all2all
-A masq2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A masq2net -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j newnotsyn
-A masq2net -j ACCEPT
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j newnotsyn
-A net2all -j common
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A newnotsyn -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A wlan0_fwd -j dynamic
-A wlan0_fwd -o eth0 -j masq2net
-A wlan0_fwd -o eth1 -j masq2masq
-A wlan0_in -j dynamic
-A wlan0_in -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A wlan0_in -j masq2fw
COMMIT
# Completed on Thu Feb  6 10:20:03 2003

Sorry for the length, but that just seems way way overly complex. Basically
I want to keep the bad guys out by filtering eth0 and allow unhindered
internal communication between eth1 and wlan0. Of course both of those will
want internet access, and I have a VPN client that connects to eth1 and
communicates through eth0.

I tried guarddog which allowed Samba to run properly but blocked VPN. I
tried to go back to Shorewall which blocked Samba but allowed VPN. The above
was generated when I had the system in a quasi-usable state (Samba
connectivity is unreliable. Sometimes it's there, sometimes not).

I don't want to experiment to the point of breaking the firewall, so I'd
appreciate some help.
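The log line quoted above already names where the packet died: the prefix is "Shorewall:all2all:REJECT:", and in the dump wlan0_fwd sends traffic bound for eth1 to masq2masq, whose only ACCEPT is for RELATED,ESTABLISHED before it falls through to all2all, which logs and rejects. Reading such lines by hand gets tedious once Samba retries a few times a second, so here is an added example (not from the thread) that extracts the chain, verdict, interfaces, addresses and destination port from netfilter LOG lines and tallies them per chain and port. The first sample line is the one in the post; the other two are constructed for the example (a second SMB attempt and a probe arriving on the external interface).

```shell
#!/bin/sh
# Added example, not from the post: parse netfilter LOG lines (with or without a
# Shorewall-style prefix) and count hits per chain, protocol and destination port.
# Sample input: line 1 is the poster's, lines 2 and 3 are constructed.
SAMPLE_LOG='Feb 19 15:52:00 Hostname kernel: Shorewall:all2all:REJECT:IN=wlan0 OUT=eth1 SRC=192.168.240.8 DST=192.168.1.5 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=29225 DF PROTO=TCP SPT=1567 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 19 15:52:03 Hostname kernel: Shorewall:all2all:REJECT:IN=wlan0 OUT=eth1 SRC=192.168.240.8 DST=192.168.1.5 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=29231 DF PROTO=TCP SPT=1568 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 19 15:53:10 Hostname kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=4444 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0'

# parse_nflog LINE: print "chain verdict in out src dst proto dpt", "-" where absent.
parse_nflog() {
    printf '%s\n' "$1" | awk '{
        chain = "-"; verdict = "-"; in_if = "-"; out_if = "-"
        src = "-"; dst = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            f = $i
            # Shorewall log prefixes end in ":" with no space, so the prefix and the
            # IN= field arrive as one token ("Shorewall:all2all:REJECT:IN=wlan0").
            if (f ~ /^Shorewall:/) { n = split(f, p, ":"); chain = p[2]; verdict = p[3]; f = p[n] }
            if (f ~ /^IN=./)         in_if  = substr(f, 4)
            else if (f ~ /^OUT=./)   out_if = substr(f, 5)
            else if (f ~ /^SRC=/)    src    = substr(f, 5)
            else if (f ~ /^DST=/)    dst    = substr(f, 5)
            else if (f ~ /^PROTO=/)  proto  = substr(f, 7)
            else if (f ~ /^DPT=/)    dpt    = substr(f, 5)
        }
        print chain, verdict, in_if, out_if, src, dst, proto, dpt
    }'
}

# summarize_nflog: read log lines on stdin, count hits per chain, protocol and port,
# busiest first. The chain name tells you which zone-pair policy to look at.
summarize_nflog() {
    while IFS= read -r line; do
        parse_nflog "$line"
    done | awk '{ hits[$1 " " $7 " " $8]++ } END { for (k in hits) print hits[k], k }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | summarize_nflog
```

On a live box feed it from the kernel log instead of the sample: grep the log prefix out of /var/log/messages and pipe the lines into summarize_nflog.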

===

From: "khobar" <pnixon18@cox.net>
Newsgroups: comp.os.linux.security
Subject: Re: iptables help
Date: Wed, 19 Feb 2003 23:20:25 GMT

khobar <pnixon18@cox.net> wrote:
> Hi folks,
>
> I have a configuration problem with iptables that is blocking Port 139
> access between my two internal networks of the form:
>
> Feb 19 15:52:00 Hostname kernel: Shorewall:all2all:REJECT:IN=wlan0 OUT=eth1 SRC=192.168.240.8 DST=192.168.1.5 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=29225 DF PROTO=TCP SPT=1567 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0

I probably should have mentioned that I understand the above is a Port 139
block which is partly why Samba is having trouble (tstl). System is a
Mandrake 9.0 (2.4.19 kernel). And just to get that iptables kluge file to
work requires that I include the following in my /etc/rc.d/rc.local file:

ifconfig eth0 down
service iptables stop
service iptables start
dhcpcd -R -h hostname eth0

Otherwise VPN doesn't work and maybe some other stuff.

===
From: WX <WX@yarhoo.com>
Subject: iptables newbie
Newsgroups: comp.os.linux.security
Date: Sun, 23 Feb 2003 10:12:17 +1100

Please excuse my total ignorance here.
I wish to block attempts by outsiders from connecting to my computer; from 
what I understand the nat table is responsible for this function but I 
don't understand the syntax.
Below are the default settings I have; will this block outsiders?


#!/bin/sh
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 03 92
#
# description: Automates a packet filtering firewall with iptables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author:        Joshua Jensen <joshua@redhat.com>
#   -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
#
# config: /etc/sysconfig/iptables

# Source 'em up
. /etc/init.d/functions

IPTABLES_CONFIG=/etc/sysconfig/iptables

if [ ! -x /sbin/iptables ]; then
        exit 0
fi

KERNELMAJ=`uname -r | sed                   -e 's,\..*,,'`
KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`

if [ "$KERNELMAJ" -lt 2 ] ; then
        exit 0
fi
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
        exit 0
fi



if  /sbin/lsmod 2>/dev/null |grep -q ipchains ; then
        # Don't do both
        exit 0
fi

iftable() {
        if fgrep -qsx $1 /proc/net/ip_tables_names; then
                iptables -t "$@"
        fi
}

start() {
        # don't do squat if we don't have the config file
        if [ -f $IPTABLES_CONFIG ]; then
            # We do _not_ need to flush/clear anything when using iptables-restore
            gprintf "Applying iptables firewall rules: \n"
            grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /sbin/iptables-restore -c && \
                    success "Applying iptables firewall rules" || \
                    failure "Applying iptables firewall rules"
            echo
            touch /var/lock/subsys/iptables
        fi
}

stop() {
        chains=`cat /proc/net/ip_tables_names 2>/dev/null`
        for i in $chains; do iptables -t $i -F; done && \
                success "Flushing all chains:" || \
                failure "Flushing all chains:"
        for i in $chains; do iptables -t $i -X; done && \
                success "Removing user defined chains:" || \
                failure "Removing user defined chains:"
        gprintf "Resetting built-in chains to the default ACCEPT policy:"
        iftable filter -P INPUT ACCEPT && \
           iftable filter -P OUTPUT ACCEPT && \
           iftable filter -P FORWARD ACCEPT && \
           iftable nat -P PREROUTING ACCEPT && \
           iftable nat -P POSTROUTING ACCEPT && \
           iftable nat -P OUTPUT ACCEPT && \
           iftable mangle -P PREROUTING ACCEPT && \
           iftable mangle -P OUTPUT ACCEPT && \
           success "Resetting built-in chains to the default ACCEPT policy" || \
           failure "Resetting built-in chains to the default ACCEPT policy"
        echo
        rm -f /var/lock/subsys/iptables
}

case "$1" in
  start)
        start
        ;;

  stop)
        stop
        ;;

  restart|reload)
        # "restart" is really just "start" as this isn't a daemon,
        #  and "start" clears any pre-defined rules anyway.
        #  This is really only here to make those who expect it happy
        start
        ;;

  condrestart)
        [ -e /var/lock/subsys/iptables ] && start
        ;;

  status)
        tables=`cat /proc/net/ip_tables_names 2>/dev/null`
        for table in $tables; do
                gprintf "Table: %s\n" "$table"
                iptables -t $table --list
        done
        ;;

  panic)
        gprintf "Changing target policies to DROP: "
        iftable filter -P INPUT DROP && \
            iftable filter -P FORWARD DROP && \
            iftable filter -P OUTPUT DROP && \
            iftable nat -P PREROUTING DROP && \
            iftable nat -P POSTROUTING DROP && \
            iftable nat -P OUTPUT DROP && \
            iftable mangle -P PREROUTING DROP && \
            iftable mangle -P OUTPUT DROP && \
            success "Changing target policies to DROP" || \
            failure "Changing target policies to DROP"
        echo
        iftable filter -F INPUT && \
                iftable filter -F FORWARD && \
                iftable filter -F OUTPUT && \
                iftable nat -F PREROUTING && \
                iftable nat -F POSTROUTING && \
                iftable nat -F OUTPUT && \
                iftable mangle -F PREROUTING && \
                iftable mangle -F OUTPUT && \
                success "Flushing all chains:" || \
                failure "Flushing all chains:"
        iftable filter -X INPUT && \
                iftable filter -X FORWARD && \
                iftable filter -X OUTPUT && \
                iftable nat -X PREROUTING && \
                iftable nat -X POSTROUTING && \
                iftable nat -X OUTPUT && \
                iftable mangle -X PREROUTING && \
                iftable mangle -X OUTPUT && \
                success "Removing user defined chains:" || \
                failure "Removing user defined chains:"
        ;;

  save)
        gprintf "Saving current rules to %s: " "$IPTABLES_CONFIG"
        touch $IPTABLES_CONFIG
        chmod 600 $IPTABLES_CONFIG
        /sbin/iptables-save -c > $IPTABLES_CONFIG  2>/dev/null && \
          success "Saving current rules to %s" "$IPTABLES_CONFIG" || \
          failure "Saving current rules to %s" "$IPTABLES_CONFIG"
        echo
        ;;

  *)
        gprintf "Usage: %s {start|stop|restart|condrestart|status|panic|save}\n" "$0"
        exit 1
esac

exit 0

===

From: jack <not@all.org>
Newsgroups: comp.os.linux.security
Subject: Re: iptables newbie
Date: Sun, 23 Feb 2003 00:28:53 +0100

WX wrote:
> Please excuse my total ignorance here.
> I wish to block attempts by outsiders from connecting to my computer,from 
> what I understand the nat tables is responsible for this function but I 
> don't understand the syntax.

The INPUT chain in the "filter" table is what You want.


> below is the default settings I have, will this block outsiders?

There are no "settings" in this script:


>  | /sbin/iptables-restore -c && 

This is where Your iptables rules are set up; "iptables-restore",
again, is just a script that reads some rules from a file and applies
them.

Anyway, iptables is the place to go; the "nat" table is not what You
want. You want to drop or reject on the input chain of the filter table.

To start with, tell us which distro You're using, or at least where
that quoted script comes from; and, do "iptables -Lnxv" and "iptables
-Lnxvt nat", and provide the output of both of these.

People here will help You out, but You should sure get some iptables
tutorial if You want to know what's happening and not solely rely
on help from outside. - I really encourage You to do so, it's by far
not as complicated as it might seem to You presently.

===

From: Kasper Dupont <kasperd@daimi.au.dk>
Newsgroups: comp.os.linux.security
Subject: Re: iptables newbie
Date: Sun, 23 Feb 2003 01:35:57 +0100

WX wrote:
> 
> Please excuse my total ignorance here.
> I wish to block attempts by outsiders from connecting to my computer,from
> what I understand the nat tables is responsible for this function but I
> don't understand the syntax.
> below is the default settings I have, will this block outsiders?
> 
> #!/bin/sh
> #
> # Startup script to implement /etc/sysconfig/iptables pre-defined rules.
> #
> # chkconfig: 2345 03 92
> #
> # description: Automates a packet filtering firewall with iptables.
> #
> # by bero@redhat.com, based on the ipchains script:
> # Script Author:        Joshua Jensen <joshua@redhat.com>
> #   -- hacked up by gafton with help from notting
> # modified by Anton Altaparmakov <aia21@cam.ac.uk>:
> # modified by Nils Philippsen <nils@redhat.de>
> #
> # config: /etc/sysconfig/iptables
> 
> # Source 'em up
> . /etc/init.d/functions
> 
> IPTABLES_CONFIG=/etc/sysconfig/iptables
> 
[...]
> 
> exit 0

What you have posted is not a configuration but rather a script used
to load and save the configuration. It should be obvious to you, that
the configuration file is named /etc/sysconfig/iptables. Now that file
might not exist, and if it does not, there will be no filtering.

You can write all your iptables rules to /etc/sysconfig/iptables, and
if you prefer to initialize your rules in memory on the running
iptables, you can save it to the file using "service iptables save".

If you want to know how such a configuration file could look like,
you can take a look at: http://www.daimi.au.dk/~kasperd/iptables/

You can probably find some tutorials describing how to make your rules,
but you might as well just read the iptables man page.

===

From: WX <WX@yarhoo.com>
Subject: Re: iptables newbie
Newsgroups: comp.os.linux.security
Date: Sun, 23 Feb 2003 15:18:48 +1100

Kasper Dupont wrote:

> WX wrote:
>> 
>> Please excuse my total ignorance here.
>> I wish to block attempts by outsiders from connecting to my computer,from
>> what I understand the nat tables is responsible for this function but I
>> don't understand the syntax.
>> below is the default settings I have, will this block outsiders?
>> 
>> #!/bin/sh
>> #
>> # Startup script to implement /etc/sysconfig/iptables pre-defined rules.
>> #
>> # chkconfig: 2345 03 92
>> #
>> # description: Automates a packet filtering firewall with iptables.
>> #
>> # by bero@redhat.com, based on the ipchains script:
>> # Script Author:        Joshua Jensen <joshua@redhat.com>
>> #   -- hacked up by gafton with help from notting
>> # modified by Anton Altaparmakov <aia21@cam.ac.uk>:
>> # modified by Nils Philippsen <nils@redhat.de>
>> #
>> # config: /etc/sysconfig/iptables
>> 
>> # Source 'em up
>> . /etc/init.d/functions
>> 
>> IPTABLES_CONFIG=/etc/sysconfig/iptables
>> 
> [...]
>> 
>> exit 0
> 
> What you have posted is not a configuration but rather a script used
> to load and save the configuration. It should be obvious to you, that
> the configuration file is named /etc/sysconfig/iptables. Now that file
> might not exist, and if it does not, there will be no filtering.
> 
> You can write all your iptables rules to /etc/sysconfig/iptables, and
> if you prefer to initialize your rules in memory on the running
> iptables, you can save it to the file using "service iptables save".
> 
> If you want to know how such a configuration file could look like,
> you can take a look at: http://www.daimi.au.dk/~kasperd/iptables/
> 
> You can probably find some tutorials describing how to make your rules,
> but you might as well just read the iptables man page.
> 
I'm running Mandrake9 and the file is /etc/rc.d/init.d/iptables.

Okay, there's no /sysconfig/iptables, so I take it this has to be created.
I'll read the man page again and see if I can get it into my head a little 
clearer.
Thanks

===

Newsgroups: comp.os.linux.security
Subject: Re: iptables newbie
From: mojo.nichols@veeerizon.net (Mojo B. Nichols)
Date: Sun, 23 Feb 2003 04:27:59 GMT

>>>>> "WX" == WX  <WX@yarhoo.com> writes:

> Please excuse my total ignorance here.  I wish to block attempts by
> outsiders from connecting to my computer,from what I understand the
> nat tables is responsible for this function but I don't understand
> the syntax.  below is the default settings I have, will this block
> outsiders?

nat is responsible for network address translation.  Filtering allows
you to block (or filter) incoming traffic. Both functions are handled
by iptables. For filtering you basically supply rules that
dictate what to filter and how. To understand the rules you need a
couple of concepts that are probably better described in one of the
many how-to's.  I'm looking for the one I found most useful: 

http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html


That said here are a couple of handy things that may help you along
the way.

from root  (login as root) try:

        [root@localhost /root] # iptables -L 

this will return something like the following.   These rules are wide
open and allow free flow of packets. 

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere       



The following two rules (this can be typed on the command line as
root) will drop all packets unless your machine establishes them: It
assumes you have a network interface on eth0.


iptables -P INPUT DROP 
iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT


the command iptables -L should now show these rules. The first line
establishes a default policy to drop all incoming traffic on all
network devices, the second line creates a rule that ACCEPTS incoming
traffic that is already established (you visiting a website). -i
eth0 restricts it to that device. 

finally the following rule will log all traffic that is incoming on eth0

iptables -A INPUT -i eth0 -j LOG


and last 

man iptables 

or 

info iptables 

will provide you with more information about the command iptables. 


oh and the script you sent will save whatever rules you provide if you
provide the following argument: save. ie:

/etc/rc.d/init.d/iptables save


note this script is different from the iptables mentioned above.
It makes sense to name them the same, trust that for now.  You can
locate the other iptables by typing

[root@localhost ]# which iptables
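Kasper's point above is that /etc/rc.d/init.d/iptables is only a loader: the rules live in /etc/sysconfig/iptables, in the format iptables-save writes and iptables-restore reads (a *table line, the built-in chains with their policies, the rules, then COMMIT). As an added example (not from the thread), the script below writes a minimal host-only rule set in that format, with the same intent as the two commands in the reply above (drop everything that is not a reply to something this machine started), and runs a sanity check on the file before it is loaded. It assumes a single-homed machine that does no forwarding and takes the output path as an argument, so the file can be written somewhere harmless and read first; the ICMP and log rate limits and the port list are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's file: a host-only rule set in iptables-restore
# format, as loaded from /etc/sysconfig/iptables by the init script quoted above.
# Assumed: single-homed workstation, no forwarding.
set -e

# write_host_rules FILE [PORT...]: write the rule set; listed TCP ports accept new connections.
write_host_rules() {
    file="$1"; shift
    umask 077          # the init script chmods 600 on save; match that from the start
    {
        echo '*filter'
        echo ':INPUT DROP [0:0]'
        echo ':FORWARD DROP [0:0]'      # not a router, so nothing is forwarded
        echo ':OUTPUT ACCEPT [0:0]'
        echo '-A INPUT -i lo -j ACCEPT'
        echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        echo '-A INPUT -m state --state INVALID -j DROP'
        echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT'
        for p in "$@"; do
            echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
        echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "'
        echo 'COMMIT'
    } > "$file"
}

# count_accept_ports FILE: how many ports the file opens to new connections. If this
# is not the number you expect, do not run "service iptables start" on it.
count_accept_ports() {
    grep -c -- '--state NEW -j ACCEPT' "$1"
}

# Write to a temporary file first; copy it to /etc/sysconfig/iptables once reviewed,
# then "service iptables start" (or iptables-restore < file) loads it.
TMPRULES=$(mktemp)
write_host_rules "$TMPRULES" 22
cat "$TMPRULES"
echo "ports open to new connections: $(count_accept_ports "$TMPRULES")"
```

Note the difference from typing rules at the prompt: a file loaded with iptables-restore replaces the whole table atomically, and "service iptables save" writes the live rules back in this same format, counters included.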


===
From: WX <WX@yarhoo.com>
Subject: Re: iptables newbie
Newsgroups: comp.os.linux.security
Date: Sun, 23 Feb 2003 18:09:45 +1100

Mojo B. Nichols wrote:

>>>>>> "WX" == WX  <WX@yarhoo.com> writes:
> 
>> Please excuse my total ignorance here.  I wish to block attempts by
>> outsiders from connecting to my computer,from what I understand the
>> nat tables is responsible for this function but I don't understand
>> the syntax.  below is the default settings I have, will this block
>> outsiders?
> 
> nat is responsible for network address translation.  Filtering allows
> you to block (or filter) incoming traffic. Both functions are handled
> by iptables. For filtering you basically supply rules that
> dictate what to filter and how. To understand the rules you need a
> couple of concepts that are probably better described in one of the
> many how-to's.  I'm looking for the one I found most useful:
> 
> 
http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html
> 
> 
> That said here are a couple of handy things that may help you along
> the way.
> 
> from root  (login as root) try:
> 
>         [root@localhost /root] # iptables -L
> 
> this will return something like the following.   These rules are wide
> open and allow free flow of packets.
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> 
> 
> 
> The following two rules (this can be typed on the command line as
> root) will drop all packets unless your machine establishes them: It
> assumes you have a network interface on eth0.
> 
> 
> iptables -P INPUT DROP
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT
> 
> 
> the command iptables -L should now show these rules. The first line
> establishes a default policy to drop all incoming traffic on all
> network devices, the second line creates a rule that ACCEPTS incoming
> traffic that is already established (you visiting a website). -i
> eth0 restricts it to that device.
> 
> finally the following rule will log all traffic that is incoming on eth0
> 
> iptables -A INPUT -i eth0 -j LOG
> 
> 
> and last
> 
> man iptables
> 
> or
> 
> info iptables
> 
> will provide you with more information about the command iptables.
> 
> 
> oh and the script you sent will save whatever rules you provide if you
> provide the following argument: save. ie:
> 
> /etc/rc.d/init.d/iptables save
> 
> 
> note this script is different from the iptables mentioned above.
> It makes sense to name them the same, trust that for now.  You can
> locate the other iptables by typing
> 
> [root@localhost ]# which iptables
> 
> 
> enjoy.
> 
> good luck
> 
> 
> Mojo
Thanks mojo, I'm going to go away now and get a bit more knowledgeable before 
I ask the next question.
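
Mojo's checklist above comes down to two things you can read straight off `iptables -L`: whether any built-in chain still has policy ACCEPT, and, once INPUT is DROP, whether there is a rule matching ESTABLISHED so the box's own connections still get their replies. The script below is an added example, not from anyone in this thread; it audits a pasted listing for exactly those two conditions. The three listings inside it are constructed (the first reproduces the wide-open output shown above), the function names are mine, and the only assumption about the input is that it is the column layout of `iptables -L -n`, so it runs without root.

```shell
#!/bin/sh
# Added example (not from this thread): audit the text of `iptables -L -n`
# for two common mistakes Mojo's advice is meant to prevent:
#   1. a built-in chain whose default policy is still ACCEPT;
#   2. a chain set to DROP/REJECT with no rule matching ESTABLISHED, which
#      discards the replies to connections this host opens itself.
# Usage: iptables -L -n | sh audit.sh audit      (exit 1 = something to fix)
#        sh audit.sh demo                          (runs the samples below)

# audit_listing: reads a listing on stdin, prints one finding per line,
# returns 0 when the listing is clean and 1 when anything was found.
audit_listing() {
    findings=$(awk '
        # "Chain INPUT (policy DROP)" opens a built-in chain
        /^Chain [A-Z]+ \(policy / {
            chain = $2
            policy = $4; sub(/\)$/, "", policy)
            order[++n] = chain; pol[chain] = policy; est[chain] = 0
            next
        }
        # user-defined chains carry no policy; ignore their rules
        /^Chain / { chain = ""; next }
        chain != "" && /ESTABLISHED/ { est[chain]++ }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                if (pol[c] == "ACCEPT")
                    print c ": default policy ACCEPT, anything no rule matches is let through"
                else if (est[c] == 0)
                    print c ": policy " pol[c] " with no ESTABLISHED rule, replies to outbound connections are dropped"
            }
        }')
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# finding_count LISTING: number of findings for a listing held in a string
finding_count() {
    printf '%s\n' "$1" | audit_listing | grep -c '' || true
}

# Constructed sample listings, not captured from a live system. The first
# is the wide-open state shown in the thread; the second has INPUT locked
# down but FORWARD and OUTPUT left as they were; the third is clean.
WIDE_OPEN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

HALF_DONE='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

CLEAN='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED'

case "${1:-}" in
    audit) audit_listing ;;
    demo)  for l in "$WIDE_OPEN" "$HALF_DONE" "$CLEAN"; do
               printf '%s\n' "$l" | audit_listing && echo "(clean)"
               echo ---
           done ;;
esac
```

The ESTABLISHED check is a heuristic on the listing text, so pipe in `iptables -L -n` rather than plain `-L`: `-n` keeps the columns stable and avoids reverse-DNS lookups while listing.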


===
From: John SMith <Jsmith@hotlink.com>
Newsgroups: comp.os.linux.security
Subject: Re: iptables newbie
Date: Mon, 24 Feb 2003 01:28:47 GMT

example config file:

#!/bin/bash
iptables -F
iptables -X
iptables -Z
iptables -F -t nat

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

IFACEPUB="eth2"
IFACEPRIV="eth0"
IFACEDMZ="eth1"
IPADDRPUB="172.1.5.254"
IPADDRPRIV="10.1.7.254"
IPADDRDMZ="192.168.1.254"
WEBPRIV="10.1.7.80"
MAILRELAY="192.168.1.25"
PUBBCAST="172.1.5.255"
PRIVBCAST="10.1.7.255"
DMZBCAST="192.168.1.255"

CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"

DNS="172.1.5.53"
NTP="129.6.15.28"

/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    /bin/echo "0" > ${interface}
done

/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

# Anything on loopback
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -N syn-flood
iptables -A INPUT -i $IFACEPUB -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

## Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i $IFACEPUB -p tcp ! --syn -m state --state NEW -j DROP

iptables -A INPUT -i $IFACEPUB -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i $IFACEPUB -f -j DROP

# Drop nonrouted packets
iptables -A INPUT  -i $IFACEPUB -s $IPADDRPUB -j DROP
iptables -A INPUT  -i $IFACEPUB -s $CLASS_A -j DROP
iptables -A INPUT  -i $IFACEPUB -s $CLASS_B -j DROP
iptables -A INPUT  -i $IFACEPUB -s $CLASS_C -j DROP
iptables -A INPUT -i $IFACEPUB -s $CLASS_D_MULTICAST -j DROP
iptables -A INPUT -i $IFACEPUB -s $CLASS_E_RESERVED_NET -j DROP
iptables -A INPUT  -i $IFACEPRIV -s $IPADDRPRIV -j DROP
#iptables -A INPUT  -i $IFACEPRIV -s $CLASS_B -j DROP
#iptables -A INPUT  -i $IFACEPRIV -s $CLASS_C -j DROP
iptables -A INPUT -i $IFACEPRIV -s $CLASS_D_MULTICAST -j DROP
iptables -A INPUT -i $IFACEPRIV -s $CLASS_E_RESERVED_NET -j DROP

# Drop traffic with loopback address that comes to either physical interface
iptables -A INPUT  -i $IFACEPUB -d 127.0.0.1 -j DROP
iptables -A INPUT  -i $IFACEPRIV -d 127.0.0.1 -j DROP

# Drop any broadcast traffic to either physical interface
iptables -A INPUT -i $IFACEPRIV -d $PRIVBCAST -j DROP
iptables -A INPUT -i $IFACEPUB -d $PUBBCAST -j DROP
iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP

########################### SSH Filters ###########################
# SSH - To this machine on either interface
iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

#################### MAIL and WEB HOSTING FILTERS ####################

######## Allow incoming HTTPS traffic to OWA server ########
iptables -A FORWARD -i $IFACEPUB -o $IFACEPRIV -p tcp -d $WEBPRIV --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IFACEPRIV -o $IFACEPUB -p tcp -s $WEBPRIV --sport 443 -m state --state ESTABLISHED -j ACCEPT

######## Allow incoming POP traffic to Exchange server ########
iptables -A FORWARD -i $IFACEPUB -o $IFACEPRIV -p tcp -d $WEBPRIV --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IFACEPRIV -o $IFACEPUB -p tcp -s $WEBPRIV --sport 110 -m state --state ESTABLISHED -j ACCEPT

######### Allow incoming and OUTGOING MAIL to Relay mailserver  #########
iptables -A FORWARD -i $IFACEPUB -o $IFACEDMZ -p tcp -d $MAILRELAY --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IFACEDMZ -o $IFACEPUB -p tcp -s $MAILRELAY --sport 25 -m state --state ESTABLISHED -j ACCEPT

iptables -A FORWARD -i $IFACEDMZ -o $IFACEPUB -p tcp -s $MAILRELAY --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IFACEPUB -o $IFACEDMZ -p tcp -d $MAILRELAY --sport 25 -m state --state ESTABLISHED -j ACCEPT

iptables -A FORWARD -i $IFACEDMZ -o $IFACEPUB -p udp -s $MAILRELAY -d $DNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IFACEPUB -o $IFACEDMZ -p udp -s $DNS -d $MAILRELAY --sport 53 -m state --state ESTABLISHED -j ACCEPT

###### allow mail relay to send mail to and from internal exchange #######
iptables -A FORWARD -i $IFACEDMZ -o $IFACEPRIV -p tcp -s $MAILRELAY -d $WEBPRIV --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IFACEPRIV -o $IFACEDMZ -p tcp -s $WEBPRIV -d $MAILRELAY --sport 25 -m state --state ESTABLISHED -j ACCEPT

iptables -A FORWARD -i $IFACEPRIV -o $IFACEDMZ -p tcp -s $WEBPRIV -d $MAILRELAY --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IFACEDMZ -o $IFACEPRIV -p tcp -s $MAILRELAY -d $WEBPRIV --sport 25 -m state --state ESTABLISHED -j ACCEPT

iptables -A FORWARD -i $IFACEPRIV -o $IFACEPUB -p udp -s $WEBPRIV -d $DNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IFACEPUB -o $IFACEPRIV -p udp -s $DNS -d $WEBPRIV --sport 53 -m state --state ESTABLISHED -j ACCEPT

############### OUTGOING rules For INTERNAL CLIENTS ###############
iptables -A FORWARD -i $IFACEPRIV -o $IFACEPUB -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IFACEPUB -o $IFACEPRIV -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

iptables -A FORWARD -i $IFACEPRIV -o $IFACEPUB -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IFACEPUB -o $IFACEPRIV -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

iptables -A FORWARD -i $IFACEPRIV -o $IFACEPUB -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IFACEPUB -o $IFACEPRIV -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

############## FTP ###############
iptables -A FORWARD -i $IFACEPRIV -o $IFACEPUB -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IFACEPUB -o $IFACEPRIV -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IFACEPRIV -o $IFACEPUB -p tcp --dport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IFACEPUB -o $IFACEPRIV -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT

########################### VPN Protocols ###########################
# IPSEC - IKE
iptables -A OUTPUT -p udp --dport 500 --sport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT

# ESP encryption and authentication
iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT

# PPTP control channel (1723/tcp) and GRE (protocol 47) on the public interface
iptables -A INPUT -i $IFACEPUB -p tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACEPUB -p tcp --sport 1723 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $IFACEPUB -p 47 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACEPUB -p 47 -m state --state ESTABLISHED -j ACCEPT

# VPN (ppp+) clients reach OWA and POP on the internal server
iptables -A FORWARD -p tcp -i ppp+ -o $IFACEPRIV -d $WEBPRIV --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -i $IFACEPRIV -o ppp+ -s $WEBPRIV --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -i ppp+ -o $IFACEPRIV -d $WEBPRIV --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -i $IFACEPRIV -o ppp+ -s $WEBPRIV --sport 110 -m state --state ESTABLISHED -j ACCEPT

############################## DNS and NTP from the FIREWALL ##############################
iptables -A OUTPUT -p udp -o eth0 -d $DNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -i eth0 -s $DNS --sport 53 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p udp -o eth0 -d $NTP --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -i eth0 -s $NTP --sport 123 -m state --state ESTABLISHED -j ACCEPT

# Setup Dynamic NAT
iptables -t nat --append POSTROUTING -o $IFACEPUB -j SNAT --to-source $IPADDRPUB
# Inbound HTTPS on the public interface goes to the OWA server, inbound SMTP to the DMZ relay
iptables -t nat -A PREROUTING -p tcp --dport 443 -i $IFACEPUB -j DNAT --to $WEBPRIV:443
iptables -t nat -A PREROUTING -p tcp --dport 25 -i $IFACEPUB -j DNAT --to $MAILRELAY:25

-mjm

WX wrote:
> Please excuse my total ignorance here.
> I wish to block attempts by outsiders from connecting to my computer, from 
> what I understand the nat table is responsible for this function but I 
> don't understand the syntax.
> Below are the default settings I have; will this block outsiders?
> 
> 
> 
> #!/bin/sh
> #
> # Startup script to implement /etc/sysconfig/iptables pre-defined rules.
> #
> # chkconfig: 2345 03 92
> #
> # description: Automates a packet filtering firewall with iptables.
> #
> # by bero@redhat.com, based on the ipchains script:
> # Script Author:        Joshua Jensen <joshua@redhat.com>
> #   -- hacked up by gafton with help from notting
> # modified by Anton Altaparmakov <aia21@cam.ac.uk>:
> # modified by Nils Philippsen <nils@redhat.de>
> #
> # config: /etc/sysconfig/iptables
> 
> # Source 'em up
> . /etc/init.d/functions
> 
> IPTABLES_CONFIG=/etc/sysconfig/iptables
> 
> if [ ! -x /sbin/iptables ]; then
>         exit 0
> fi
> 
> KERNELMAJ=`uname -r | sed                   -e 's,\..*,,'`
> KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`
> 
> if [ "$KERNELMAJ" -lt 2 ] ; then
>         exit 0
> fi
> if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
>         exit 0
> fi
> 
> 
> 
> if  /sbin/lsmod 2>/dev/null |grep -q ipchains ; then
>         # Don't do both
>         exit 0
> fi
> 
> iftable() {
>         if fgrep -qsx $1 /proc/net/ip_tables_names; then
>                 iptables -t "$@"
>         fi
> }
> 
> start() {
>         # don't do squat if we don't have the config file
>         if [ -f $IPTABLES_CONFIG ]; then
>             # We do _not_ need to flush/clear anything when using iptables-restore
>             gprintf "Applying iptables firewall rules: \n"
>             grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /sbin/iptables-restore -c && \
>                     success "Applying iptables firewall rules" || \
>                     failure "Applying iptables firewall rules"
>             echo
>             touch /var/lock/subsys/iptables
>         fi
> }
> 
> stop() {
>         chains=`cat /proc/net/ip_tables_names 2>/dev/null`
>         for i in $chains; do iptables -t $i -F; done && \
>                 success "Flushing all chains:" || \
>                 failure "Flushing all chains:"
>         for i in $chains; do iptables -t $i -X; done && \
>                 success "Removing user defined chains:" || \
>                 failure "Removing user defined chains:"
>         gprintf "Resetting built-in chains to the default ACCEPT policy:"
>         iftable filter -P INPUT ACCEPT && \
>            iftable filter -P OUTPUT ACCEPT && \
>            iftable filter -P FORWARD ACCEPT && \
>            iftable nat -P PREROUTING ACCEPT && \
>            iftable nat -P POSTROUTING ACCEPT && \
>            iftable nat -P OUTPUT ACCEPT && \
>            iftable mangle -P PREROUTING ACCEPT && \
>            iftable mangle -P OUTPUT ACCEPT && \
>            success "Resetting built-in chains to the default ACCEPT policy" || \
>            failure "Resetting built-in chains to the default ACCEPT policy"
>         echo
>         rm -f /var/lock/subsys/iptables
> }
> 
> case "$1" in
>   start)
>         start
>         ;;
> 
>   stop)
>         stop
>         ;;
> 
>   restart|reload)
>         # "restart" is really just "start" as this isn't a daemon,
>         #  and "start" clears any pre-defined rules anyway.
>         #  This is really only here to make those who expect it happy
>         start
>         ;;
> 
>   condrestart)
>         [ -e /var/lock/subsys/iptables ] && start
>         ;;
> 
>   status)
>         tables=`cat /proc/net/ip_tables_names 2>/dev/null`
>         for table in $tables; do
>                 gprintf "Table: %s\n" "$table"
>                 iptables -t $table --list
>         done
>         ;;
> 
>   panic)
>         gprintf "Changing target policies to DROP: "
>         iftable filter -P INPUT DROP && \
>             iftable filter -P FORWARD DROP && \
>             iftable filter -P OUTPUT DROP && \
>             iftable nat -P PREROUTING DROP && \
>             iftable nat -P POSTROUTING DROP && \
>             iftable nat -P OUTPUT DROP && \
>             iftable mangle -P PREROUTING DROP && \
>             iftable mangle -P OUTPUT DROP && \
>             success "Changing target policies to DROP" || \
>             failure "Changing target policies to DROP"
>         echo
>         iftable filter -F INPUT && \
>                 iftable filter -F FORWARD && \
>                 iftable filter -F OUTPUT && \
>                 iftable nat -F PREROUTING && \
>                 iftable nat -F POSTROUTING && \
>                 iftable nat -F OUTPUT && \
>                 iftable mangle -F PREROUTING && \
>                 iftable mangle -F OUTPUT && \
>                 success "Flushing all chains:" || \
>                 failure "Flushing all chains:"
>         iftable filter -X INPUT && \
>                 iftable filter -X FORWARD && \
>                 iftable filter -X OUTPUT && \
>                 iftable nat -X PREROUTING && \
>                 iftable nat -X POSTROUTING && \
>                 iftable nat -X OUTPUT && \
>                 iftable mangle -X PREROUTING && \
>                 iftable mangle -X OUTPUT && \
>                 success "Removing user defined chains:" || \
>                 failure "Removing user defined chains:"
>         ;;
> 
>   save)
>         gprintf "Saving current rules to %s: " "$IPTABLES_CONFIG"
>         touch $IPTABLES_CONFIG
>         chmod 600 $IPTABLES_CONFIG
>         /sbin/iptables-save -c > $IPTABLES_CONFIG  2>/dev/null && \
>           success "Saving current rules to %s" "$IPTABLES_CONFIG" || \
>           failure "Saving current rules to %s" "$IPTABLES_CONFIG"
>         echo
>         ;;
> 
>   *)
>         gprintf "Usage: %s {start|stop|restart|condrestart|status|panic|save}\n" "$0"
>         exit 1
> esac
> 
> exit 0
> 
> 

===
From: WX <WX@yarhoo.com>
Subject: Re: iptables newbie
Newsgroups: comp.os.linux.security
Date: Mon, 24 Feb 2003 13:42:03 +1100

John SMith wrote:

> WX,
> Read the tutorial at www.netfilter.org
> It will teach you everything you need to know - step by step.

Thanks John, I've downloaded a few and will print them out.


===

From: Mike Martin <mike@overlord.no-ip.com>
Subject: Clear up an IPTABLES question...
Newsgroups: comp.os.linux.security
Date: Mon, 24 Feb 2003 19:32:02 GMT

Note: This is only sort of a security question - but you guys are the
experts at IPTABLES. If offended please jump quickly to the next
message. Thanks!

A real quick question about how packets are routed.

What I've understood so far:
Packets from a network adapter go through the PREROUTING tables
Packets from PREROUTING, not for the local machine, go to the FORWARD
     table, otherwise they go to the INPUT table.
Packets from the local machine heading for somewhere else go through the
     OUTPUT table.
Packets from the FORWARD and OUTPUT tables go to the POSTROUTING table.
Packets from POSTROUTING go to the appropriate adaptor.

What I don't know:
Packets from the local machine destined for the local machine... what
     tables do they traverse?

Thanks for your help!

Mike dot Martin at Cogeco dot CA

From: "ynotssor" <"ynotssor">
Newsgroups: comp.os.linux.security
References: <Squ6a.19175$q26.528581@read1.cgocable.net>
Subject: Re: Clear up an IPTABLES question...
Date: Mon, 24 Feb 2003 13:17:39 -0800

"Mike Martin" <mike@overlord.no-ip.com> wrote in message
news:Squ6a.19175$q26.528581@read1.cgocable.net 

[...]
> What I don't know:
> Packets from the local machine destined for the local machine... what
>      tables do they traverse?

It depends on what rules (if any) you've established for the loopback interface.

===

From: Kasper Dupont <kasperd@daimi.au.dk>
Newsgroups: comp.os.linux.security
Subject: Re: Clear up an IPTABLES question...
Date: Mon, 24 Feb 2003 22:55:37 +0100

Mike Martin wrote:

> Note: This is only sort of a security question - but you guys are the
> experts at IPTABLES. If offended please jump quickly to the next
> message. Thanks!
> 
> A real quick question about how packets are routed.
> 
> What I've understood so far:
> Packets from a network adapter go through the PREROUTING tables
> Packets from PREROUTING, not for the local machine, go to the FORWARD
>      table, otherwise they go to the INPUT table.
> Packets from the local machine heading for somewhere else go through the
>      OUTPUT table.
> Packets from the FORWARD and OUTPUT tables go to the POSTROUTING table.
> Packets from POSTROUTING go to the appropriate adaptor.
> 
> What I don't know:
> Packets from the local machine destined for the local machine... what
>      tables do they traverse?

AFAIK they are handled just like any other packet. The only exception is
at the point of going to the "adaptor": the interface chosen is lo, which
immediately returns the packets as received. So it will be through OUTPUT
and POSTROUTING to lo, and then from lo through PREROUTING and INPUT.

===

From: np_bernstein@hotmail.com (niku)
Newsgroups: comp.os.linux.security
Subject: iptables & nfs slowdowns
Date: 24 Feb 2003 17:20:44 -0800

I've been meaning to run a few iptables rules that I cobbled together
by you all. I wanted it to try to provide some modicum of security even
though I know it needs a lot more -- thing is I felt guilty because of
the mostly unread copy of "Building Internet Firewalls" sitting on my
bookshelf. Now, however, it's causing me some headaches because it's
taking an exceedingly large amount of time mounting exported NFS
filesystems, and it's also taking a long time to start up. By long, I
mean: 
----------------------------
[nick@da2 nfs]$ time sudo mount -o soft 192.168.210.253:/u/ test/

real    4m59.990s
user    0m0.006s
sys     0m0.002s
----------------------------

compared to :

real    0m0.011s
user    0m0.002s
sys     0m0.008s

when I comment out the line: 
"iptables -A INPUT -p udp -s! ${localnet}/24 --dport 111 -j DROP"
----------------------------

I was hoping that some of you might have an educated guess as to what
is causing these problems, and be able to give me some advice.  

Anyway, here are the rules in question: 

localnet="192.168.210.0"

#################################################################

function start(){

#-----  PORTMAP ------------------------------------------------#

iptables -A INPUT -p tcp -s! ${localnet}/24 --dport 111 -j DROP
iptables -A INPUT -p udp -s! ${localnet}/24 --dport 111 -j DROP

#-----  named ------------------------------------------------#

iptables -A INPUT -p tcp -s! ${localnet}/24 --dport 53 -j DROP
iptables -A INPUT -p udp -s! ${localnet}/24 --dport 53 -j DROP
iptables -A INPUT -p tcp -s! ${localnet}/24 --dport 953 -j DROP
iptables -A INPUT -p udp -s! ${localnet}/24 --dport 953 -j DROP

#-----  Telnet  ------------------------------------------------#

iptables -A INPUT -p tcp -s! ${localnet}/24 --dport 23 -j DROP

#-----  compaq -------------------------------------------------#

iptables -A INPUT -p tcp -s! ${localnet}/24 --dport 2301 -j DROP

#-----  LPD -------------------------------------------------#

iptables -A INPUT -p tcp -s! ${localnet}/24 --dport 515 -j DROP

#-----  LPD -------------------------------------------------#

iptables -A INPUT -p tcp -s! ${localnet}/24 --dport 8888 -j DROP
echo "Starting iptable rules"
}
.... snip ....

case "$1" in
start)
        start
        ;;
.... snip .....


Also, if any of you have any advice as to how I could improve this
ruleset, I'd appreciate it as well. That would just be a bonus,
however; I'll probably post this part of the question again in a few
weeks when I've gotten more of my research out of the way.


TIA,
Nick

PS: 
I am rtfm ... just figured 2x my chances of finding the answer. :)

===

From: kyi <kyi@kyi.sytes.net>
Newsgroups: comp.os.linux.security
Subject: Re: iptables & nfs slowdowns
Date: Tue, 25 Feb 2003 14:46:34 +0000

niku wrote:

> I've been meaning to run a few iptables rules that I cobbled together
> by you all. I wanted it to try to provide some modicum of security even
> though I know it needs a lot more -- thing is I felt guilty because of
> the mostly unread copy of "Building Internet Firewalls" sitting on my
> bookshelf. Now, however, it's causing me some headaches because it's
> taking an exceedingly large amount of time mounting exported NFS
> filesystems, and it's also taking a long time to start up. By long, I
> mean:
> ----------------------------
> [nick@da2 nfs]$ time sudo mount -o soft 192.168.210.253:/u/ test/
Try adding 'nolock' to the mount options, like:

time sudo mount -o soft,nolock 192.168.210.253:/u/ test/

I had the same problem and that fixed it for me.
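
The `nolock` workaround kyi gives and the five-minute hang Nick measured point at the same rule. A working assumption, added here rather than stated by either poster: an NFS mount that uses locking starts lockd/rpc.statd, and those talk to the local portmapper over 127.0.0.1:111, an address outside 192.168.210.0/24 and therefore caught by `-s! ${localnet}/24 --dport 111 -j DROP`, so every local RPC call waits for a timeout; `nolock` avoids lockd, which is why it also clears the symptom. The script below is an added example (not Nick's script) with the same LAN-only filters reordered: loopback accepted first, tracked replies accepted, and REJECT instead of DROP so a misdirected client fails fast instead of hanging. By default it only prints the commands it would run; `APPLY=1` executes them.

```shell
#!/bin/sh
# Added example, not Nick's script. Same LAN-only filters, reordered so that
# loopback and tracked replies are accepted before anything is refused.
# Assumption: these rules run on the NFS client and the LAN is
# 192.168.210.0/24, as in the post.

IPT=${IPT:-/sbin/iptables}
APPLY=${APPLY:-0}              # APPLY=1 executes; default prints the rules
localnet="192.168.210.0/24"

# rule ARGS...: run iptables with ARGS, or print the command in dry-run mode
rule() {
    if [ "$APPLY" = 1 ]; then "$IPT" "$@"; else printf 'iptables %s\n' "$*"; fi
}

start() {
    # 1. Loopback first. Local RPC (lockd/rpc.statd registering with the
    #    portmapper) travels 127.0.0.1 -> 127.0.0.1:111, an address that is
    #    not in the LAN range, so a "! -s LAN --dport 111 -j DROP" placed
    #    above this line swallows it and every call waits for a timeout.
    rule -A INPUT -i lo -j ACCEPT
    # 2. Replies to connections this host opened. The NFS server answers
    #    the mount's portmap query from its port 111 to our ephemeral port.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Portmapper and the other LAN-only services. REJECT gives a client
    #    outside the LAN an immediate error instead of a multi-minute hang.
    #    ("! -s" is the current spelling of the "-s !" used in the post.)
    for port in 111 53 953; do
        rule -A INPUT -p tcp ! -s "$localnet" --dport "$port" -j REJECT
        rule -A INPUT -p udp ! -s "$localnet" --dport "$port" -j REJECT
    done
    for port in 23 2301 515 8888; do
        rule -A INPUT -p tcp ! -s "$localnet" --dport "$port" -j REJECT
    done
    echo "Starting iptable rules" >&2
}

# loopback_first: succeeds if the first rule emitted is the loopback ACCEPT
loopback_first() {
    [ "$(start 2>/dev/null | sed -n 1p)" = "iptables -A INPUT -i lo -j ACCEPT" ]
}

case "${1:-}" in
    start) start ;;
    check) loopback_first && echo "loopback is accepted before any filter" ;;
esac
```

Run `sh rules.sh start` to review the generated commands, then `APPLY=1 sh rules.sh start` as root to load them; `sh rules.sh check` confirms the ordering that matters here.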

===

From: "Aaron " <aaron@philngood.com>
Subject: iptables-save and variables
Date: Mon, 24 Feb 2003 21:12:38 -0600

I'm running redhat 8.0 fresh install haven't gotten the system on the
network or anything like that.  I'm trying to figure this whole
iptables-save and restore out.  I have been looking at a lot of
documentation and always networks and ipaddress are set to variables,
something like "$inside_lan"  "dmz"  things of this nature.  Well, I want
to do this but I'm wondering how to do this without creating a script and
loading it whenever the computer starts.  To further complicate the issue,
I was using webmin to try to do this..and I really didn't see anyplace
that I could place any variables.  Webmin, by default also seems to save
the firewall to file  /etc/sysconfig/iptables in the iptables-save format 
(which I can't read at all.. I don't get where all those numbers are
coming from)  

I guess my question is this.  Can I create variables and use webmin and
not save the rules to file?  If I have to save them to a file..so be it,
can I still use webmin....and finally..lets say I create a file....put in
variables and load it all up...firewall working great.  Then I do an
iptables-save, where does it get saved to?  And if there is no script, how
does it get restored when iptables-restore gets run by the init script when
the system boots?

Thanks and sorry for the disarray of the question.

===

From: Tarald Holm <tarald.holm@online.no>
Newsgroups: comp.os.linux.security
Subject: iptables and bind
Date: Fri, 28 Feb 2003 14:26:07 +0100

I've been playing with my firewall/router linux box, trying to wrap my 
head around iptables.

I have made a simple little setup, where policy is DROP, and I've opened 
for the traffic I wish to allow in and out. So far so good.

However, I can no longer run named on my box.. everything works when I 
use my ISP's nameservers, but not when I try to use bind locally. (This 
all worked before, when I used a predefined iptables script, which used 
masquerading, which I am trying to avoid now)

I have opened for DNS traffic, as shown below.

# Allow DNS Requests in
$IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT

# Allow DNS out
$IPTABLES -A OUTPUT -p tcp --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 53 -j ACCEPT

My logs display:

kernel: martian source x.x.211.111 from x.x.211.105, on dev eth0
where x.x.211.105 is the IP of my router-box, and x.x.211.111 is 
_supposed_ to be the netmask.

I wonder if I have made a horrible mistake somewhere.

===

From: "Cedric Blancher" <blancher@cartel-securite.fr>
Newsgroups: comp.os.linux.security
Subject: Re: iptables and bind
Date: Fri, 28 Feb 2003 14:37:53 +0100

Tarald Holm wrote:
> I have opened for DNS traffic, as shown below. 
> # Allow DNS Requests in
> $IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
> $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT

This part is OK.

> # Allow DNS out
> $IPTABLES -A OUTPUT -p tcp --sport 53 -j ACCEPT
> $IPTABLES -A OUTPUT -p udp --sport 53 -j ACCEPT

Have you configured BIND so that it uses port 53 as its source port, with the
query-source statement in named.conf?

	query-source port 53

Otherwise, the source port will be unprivileged (>1023).

> My logs display:
> kernel: martian source x.x.211.111 from x.x.211.105, on dev eth0
> where x.x.211.105 is the IP of my router-box, and x.x.211.111 is 
> _supposed_ to be the netmask.

Is x.x.211.105 eth0's IP?

Martian source/destination indicates that a packet was received on an
interface on which it shouldn't have been, according to the routing table.
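
The rule pair in the post accepts anything that arrives with source port 53 and only lets packets with source port 53 out, which is why BIND stops working unless it is pinned with `query-source port 53`. A fixed source port also makes the resolver's outgoing queries predictable, which is exactly what someone trying to slip a forged answer in ahead of the real one wants. The script below is an added example, not Tarald's or Cedric's configuration: it expresses the same intent with connection tracking, so BIND can keep an ephemeral source port and nothing gets in merely by sending from port 53. It assumes eth0 faces the ISP and eth1 the LAN (both interface names are mine); by default it prints the rules, `APPLY=1` executes them.

```shell
#!/bin/sh
# Added example, not Tarald's or Cedric's configuration. DNS rules for a
# router running its own BIND, using connection tracking so BIND may keep
# random ephemeral source ports instead of being pinned to port 53.
# Assumptions: eth0 faces the ISP, eth1 the LAN, BIND answers LAN clients only.

IPT=${IPT:-/sbin/iptables}
APPLY=${APPLY:-0}              # APPLY=1 executes; default prints the rules

# rule ARGS...: run iptables with ARGS, or print the command in dry-run mode
rule() {
    if [ "$APPLY" = 1 ]; then "$IPT" "$@"; else printf 'iptables %s\n' "$*"; fi
}

dns_rules() {
    for proto in udp tcp; do
        # Queries BIND sends out: any source port, destination port 53.
        # No --sport restriction here, so query-source is not needed.
        rule -A OUTPUT -o eth0 -p "$proto" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
        # LAN clients asking the local resolver, and its replies to them.
        rule -A INPUT  -i eth1 -p "$proto" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
        rule -A OUTPUT -o eth1 -p "$proto" --sport 53 -m state --state ESTABLISHED -j ACCEPT
    done
    # Answers from upstream come back on a tracked flow as ESTABLISHED.
    # There is deliberately no "--sport 53 -j ACCEPT" on INPUT: that would
    # admit any packet from the outside simply for having source port 53.
    rule -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# sport53_inbound: succeeds if any INPUT rule accepts on source port 53
# alone, the pattern from the post
sport53_inbound() {
    dns_rules | grep -q -- '-A INPUT .*--sport 53'
}

case "${1:-}" in
    start) dns_rules ;;
    check) sport53_inbound && echo "WARNING: inbound source-port-53 accept" ;;
esac
```

The tracked-reply rule on eth0 is the only thing that lets upstream answers in, so the box no longer depends on which source port named picked; `sh dns.sh check` is the one-line audit for the original pattern.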

===

From: Tarald Holm <tarald.holm@online.no>
Newsgroups: comp.os.linux.security
Subject: Re: iptables and bind
Date: Fri, 28 Feb 2003 14:57:39 +0100

Cedric Blancher wrote:

 >> # Allow DNS out
 >> $IPTABLES -A OUTPUT -p tcp --sport 53 -j ACCEPT
 >> $IPTABLES -A OUTPUT -p udp --sport 53 -j ACCEPT
 >
 > Have you configured BIND so that it uses port 53 as its source port,
 > with the query-source statement in named.conf?
 >
 > query-source port 53
 >
 > Otherwise, the source port will be unprivileged (>1023).
 >

I must confess I have not. I will try specifying to allow unprivileged 
ports out (Something I should have done, but not thought of... newbie, 
see ;))


 >> My logs display: kernel: martian source x.x.211.111 from
 >> x.x.211.105, on dev eth0 where x.x.211.105 is the IP of my
 >> router-box, and x.x.211.111 is _supposed_ to be the netmask.
 >
 >
 > Is x.x.211.105 eth0 IP ?
 >
 > Martian source/destination indicates that a packet was received on an
 >  interface on which it shouldn't have, according to routing table.

Yes, this is the IP of eth0. The .111 IP is the _broadcast_ IP, not the
netmask; I made a mistake in my original post. I seem to have two 
separate problems here, because the same martian errors appear in my 
logs when reverting to my earlier setup. (The masq setup where DNS works)

===

From: "Cedric Blancher" <blancher@cartel-securite.fr>
Newsgroups: comp.os.linux.security
Subject: Re: iptables and bind
Date: Fri, 28 Feb 2003 15:11:24 +0100

Tarald Holm wrote:
> I must confess I have not. I will try specifying to allow unprivileged
> ports out (Something I should have done, but not thought of... newbie,
> see ;))

;)

>  > Martian source/destination indicates that a packet was received on an
>  >  interface on which it shouldn't have, according to routing table.
> Yes, this is the IP of eth0. The .111 IP is the _broadcast_ IP, not the
> netmask; I made a mistake in my original post. I seem to have two
> separate problems here, because the same martian errors appear in my
> logs when reverting to my earlier setup. (The masq setup where DNS
> works)

Well, sure you'll get this message again, for it is not related to
Netfilter but to your IP stack.

	Cf. /proc/sys/net/ipv4/conf/all/rp_filter
	     /proc/sys/net/ipv4/conf/all/log_martians

Consider reading the Linux Advanced Routing and Traffic Control HOWTO. There's
a chapter that describes the network-related sysctl settings.

Your message must be followed by a "ll header" log which can help you
track down the error (check if source MAC is OK).

-- 
 M:  So don't be worried. CEGETEL est en train de revoir en 
     globalit
