RedHat AS 4 firewall iptables question.

Discussion in 'Installation/Configuration' started by fbifido, Nov 7, 2007.

  1. fbifido

    fbifido New Member

    Hi,
    I am new to Linux firewalls, so I don't know how to ask my questions, so I will try my best to let you see what's in my head.

    Look at the picture I attached.

    eth1: static 65.183.x.x
    eth0: static 192.168.0.1

    workstations: static 192.168.0.x

    I was trying to protect my server with a firewall, and did it using iptables.

    Can someone look at my iptables below and help me out?

    My requests:
    1. I need to block all ports that can be accessed from eth1 (outside the firewall).
    2. The same for eth0.
    I want to be able to open a port at any time for eth1 or eth0 or both.
    I also want to forward a port or two to any workstation of my choice.

    3. I need all the common ports like 25, 22, 21, 53, 80, 110, 143, 443, 995 to be set up, but not running for eth1. The only port that will be running on eth1 is 80, so that I can access my webmail when I am away from the office.
    I want to be able to enable a port or disable a port as I need them.

    4. If I disable, say, port 22 on eth1, meaning no one can SSH into my system from the internet, I want to be able to enable it on eth0, so that any or one workstation can still SSH out to the internet or within the LAN.

    5. Question: if my mail server POP3s my mail from the internet, do I need to enable port 25 on eth1? What if I relay all the outgoing mail to my POP3 provider?

    6. This is what I know about INPUT: if you set a rule for INPUT, then it only applies to any traffic coming from the internet (eth1), and if you set a rule for OUTPUT it only applies to packets coming from the workstations (eth0).
    Where does FORWARD fall in this now? Is it when INPUT is done processing the packets from the internet, then it passes them on to FORWARD?

    7. I am not too sure about my iptables file below; I was reading, and the parts that made sense I just copied and pasted.

    8. I have more questions, but........


    The info in this iptables script is patched together from reading these forums.

    #!/bin/bash
    #
    # This script file will make a firewall that will be in memory.

    IPTABLES="/sbin/iptables"

    # Remove any existing rules from all chains
    $IPTABLES --flush
    $IPTABLES --delete-chain

    # Allow packet forwarding
    echo "1" > /proc/sys/net/ipv4/ip_forward

    # Allow unlimited traffic on the loopback interface
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Set the default policy to DROP
    $IPTABLES --policy INPUT DROP
    $IPTABLES --policy OUTPUT DROP
    $IPTABLES --policy FORWARD DROP

    # Rules to allow ALTEROO to come into our system.
    $IPTABLES -A INPUT -s 224.0.0.251 -d 192.168.0.1 -p udp -m udp --dport 5353 -j ACCEPT

    # Enable all pipes to communicate with the firewall.
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    $IPTABLES -A OUTPUT -m state --state INVALID -j DROP

    # Allow DNS zone transfers
    $IPTABLES -A INPUT -i eth1 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i eth1 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o eth1 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o eth1 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT

    # BAD GUYS, Block source IP Address.
    $IPTABLES -A INPUT -s 192.168.0.39 -j DROP
    $IPTABLES -A INPUT -s 192.168.0.57 -j DROP

    # Block Port number
    $IPTABLES -A INPUT -i eth1 -p tcp --dport 25 -j REJECT
    $IPTABLES -A INPUT -i eth1 -p tcp --dport 22 -j REJECT
    $IPTABLES -A INPUT -i eth1 -p tcp --dport 8080 -j REJECT
    $IPTABLES -A INPUT -i eth1 -p tcp --dport 3128 -j REJECT

    # Open ports for Server
    $IPTABLES -A INPUT -s 0/0 -p tcp --dport 22 -j ACCEPT # SSH
    $IPTABLES -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT # HTTP
    $IPTABLES -A INPUT -s 0/0 -p tcp --dport 443 -j ACCEPT # HTTPs

    $IPTABLES -A INPUT -s 192.168.0.0/24 -p tcp --dport 110 -j ACCEPT # POP3
    $IPTABLES -A INPUT -s 192.168.0.0/24 -p tcp --dport 995 -j ACCEPT # POP3s
    $IPTABLES -A INPUT -s 192.168.0.0/24 -p tcp --dport 25 -j ACCEPT # SMTP


    # Allow ICMP (ping) and masquerade LAN traffic leaving for the internet
    $IPTABLES -A INPUT -p icmp -j ACCEPT # ICMP/Ping
    $IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -d ! 192.168.0.0/24 -j MASQUERADE

    # Global Rejects must come Last
    $IPTABLES -A INPUT -j REJECT
    $IPTABLES -A FORWARD -j REJECT
     


  2. technick

    technick New Member

    First off, the rules you have posted are a mess. In one line you close a port and further down you reopen the port. IPTables is incredibly powerful and simple at the same time once you are in the correct frame of mind.

    The best thing I see in your existing rules is your default policy value to drop all traffic by default.

    Follow me for a second with my line of thinking. Since your default policy is to drop all traffic (INPUT,OUTPUT,FORWARD), why do you specify again to drop certain ports? Here is an example of what I am talking about.

    # Block Port number
    $IPTABLES -A INPUT -i eth1 -p tcp --dport 22 -j REJECT

    (Ok, here we are blocking port 22 on eth1 specifically)

    # Open ports for Server
    $IPTABLES -A INPUT -s 0/0 -p tcp --dport 22 -j ACCEPT # SSH

    (This is telling iptables that its ok to talk to any network on port 22)

    Personally I would have done this.

    iptables -A INPUT -i eth0 -j ACCEPT

    You should really look into the program “Firewall Builder”.

    Found here.

    http://www.fwbuilder.org/
     
  3. fbifido

    fbifido New Member

    I redid my iptables script.

    Please have a look:

    #!/bin/bash
    #
    # This script file will make a firewall that will be in memory.
    # eth1 points to the internet.
    # eth0 points to my network.

    IPTABLES="/sbin/iptables"

    # Remove any existing rules from all chains
    $IPTABLES --flush
    $IPTABLES --delete-chain

    # Allow packet forwarding
    echo "1" > /proc/sys/net/ipv4/ip_forward

    # Set the default policy to DROP
    $IPTABLES --policy INPUT DROP
    $IPTABLES --policy OUTPUT DROP
    $IPTABLES --policy FORWARD DROP

    # Allow unlimited traffic on the loopback interface
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    $IPTABLES -A INPUT -p icmp -s 0/0 --icmp-type 8 -j ACCEPT # ICMP echo request (ping)
    $IPTABLES -A INPUT -p icmp -s 0/0 --icmp-type 11 -j ACCEPT # ICMP time exceeded (traceroute replies)

    $IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -d ! 192.168.0.0/24 -j MASQUERADE

    # Rules to allow ALTEROO to come into our system.
    $IPTABLES -A INPUT -s 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT

    # Enable all pipes to communicate with the firewall.
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    $IPTABLES -A OUTPUT -m state --state INVALID -j DROP

    # Allow DNS zone transfers
    $IPTABLES -A INPUT -i eth1 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i eth1 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o eth1 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o eth1 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT

    # BAD GUYS, Block source IP Address.
    $IPTABLES -A INPUT -s 192.168.0.39 -j DROP
    $IPTABLES -A INPUT -s 192.168.0.57 -j DROP

    # Open ports for outside of server users (webmail)
    $IPTABLES -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT # HTTP
    $IPTABLES -A INPUT -s 0/0 -p tcp --dport 443 -j ACCEPT # HTTPs

    $IPTABLES -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT # POP3
    $IPTABLES -A INPUT -i eth0 -p tcp --dport 995 -j ACCEPT # POP3s
    $IPTABLES -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT # SMTP
    $IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT # SSH
    $IPTABLES -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT # FTP
    $IPTABLES -A INPUT -i eth0 -p tcp --dport 631 -j ACCEPT # ipp printers
    $IPTABLES -A INPUT -i eth0 -p tcp --dport 9100 -j ACCEPT # hp printers

    # ---[ Application allowed on my network ]---

    # MSN Messenger
    $IPTABLES -A INPUT -i eth0 -p tcp --dport 6891:6892 -j ACCEPT # MSN file send
    $IPTABLES -A INPUT -i eth0 -p tcp --dport 1863 -j ACCEPT # messaging
    $IPTABLES -A INPUT -i eth0 -p tcp --dport 5190 -j ACCEPT # video
    $IPTABLES -A INPUT -i eth0 -p tcp --dport 6901 -j ACCEPT # voice

    # Yahoo Messenger
    $IPTABLES -A INPUT -i eth0 -p tcp --dport 5000:5001 -j ACCEPT # voice chat
    $IPTABLES -A INPUT -i eth0 -p tcp --dport 5050 -j ACCEPT # messaging
    $IPTABLES -A INPUT -i eth0 -p tcp --dport 5100 -j ACCEPT # webcam/video

    # BitTorrent
    $IPTABLES -A INPUT -s 192.168.0.21 -p tcp --dport 6881:6999 -j ACCEPT
    $IPTABLES -A INPUT -s 192.168.0.21 -p udp --dport 6881:6999 -j ACCEPT


    # Global Rejects must come Last
    $IPTABLES -A INPUT -j REJECT
    $IPTABLES -A FORWARD -j REJECT
    $IPTABLES -A OUTPUT -j REJECT
     
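The following is an added example (not the poster's script or any reply in this thread) that covers requests 1, 2 and 4 from the first post and the FORWARD question: a default-DROP, stateful two-interface firewall with per-interface port enabling, a port forward to a workstation, and the FORWARD/NAT rules that let LAN hosts reach the internet (the posted script only accepts ESTABLISHED traffic on FORWARD, so new LAN connections never leave). Interface names eth1/eth0, the 192.168.0.0/24 LAN and the 192.168.0.21 target are taken from the thread; the helper names and the 8022 example port are assumptions. `DRY_RUN=1` prints the commands instead of applying them, so the rule set can be reviewed offline.

```shell
#!/bin/sh
# Added example, not the poster's script. Two-interface stateful firewall for the
# layout in this thread: eth1 = internet, eth0 = LAN 192.168.0.0/24 (assumed names).
# DRY_RUN=1 prints each iptables command instead of running it, for offline review.
WAN=eth1
LAN=eth0
LAN_NET=192.168.0.0/24
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# open_port IFACE PORT: accept NEW TCP connections to the firewall on one interface only.
# Leave the call out to keep the port closed there; the DROP policy does the rest.
open_port() { ipt -A INPUT -i "$1" -p tcp --dport "$2" -m state --state NEW -j ACCEPT; }

# forward_port WANPORT HOST HOSTPORT: DNAT a port on eth1 to a workstation,
# then let the rewritten packet through FORWARD (DNAT alone is not enough).
forward_port() {
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$1" -j DNAT --to-destination "$2:$3"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$2" --dport "$3" -m state --state NEW -j ACCEPT
}

base_rules() {
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Replies for already-accepted connections, in all three chains. FORWARD needs this
    # for both directions: replies to LAN clients arrive on eth1, not eth0.
    for chain in INPUT FORWARD OUTPUT; do
        ipt -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
        ipt -A "$chain" -m state --state INVALID -j DROP
    done
    # The firewall may open connections itself; LAN hosts may open connections out via NAT.
    ipt -A OUTPUT -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}
main() {
    base_rules
    open_port "$WAN" 80     # webmail reachable from the internet
    open_port "$LAN" 22     # ssh only from workstations; nothing opens 22 on eth1
    open_port "$LAN" 25     # LAN clients relay mail through this server
    forward_port 8022 192.168.0.21 22   # example: one workstation's ssh exposed on eth1:8022
    ipt -A INPUT -j REJECT
    ipt -A FORWARD -j REJECT
}
case "${1:-}" in dry-run) DRY_RUN=1; main ;; apply) main ;; esac
```

Run `sh fw.sh dry-run` to print the rules for review, and `sh fw.sh apply` as root to load them.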
