[TriLUG] IPTables help
jeffj at ro.com
Mon Sep 16 15:38:15 EDT 2002
Tanner Lovelace wrote:
> Hi folks,
>
> I'm sure some of you out there are iptables experts. :-)
>
> Right now the trilug machines are using ipchains based firewall
> setups. We would really prefer to switch these to iptables,
> primarily because of the added benefits that come with
> connection tracking. Unfortunately, it doesn't seem to be
> a simple subject to figure out. It doesn't help that every
> single example you can find on the net assumes you're either
> acting as a router (forwarding) or doing NAT (neither of
> which we want to do). So, I'm coming to the list for help
> instead.
>
> So, here's what we want to do.
I've put down one way which I think will work. I made a couple scripts
that call iptables directly to do what I wanted, so I'm not sure it's
exactly what you were looking for.
> 1. We have an internal network on eth1 that is trusted. Everything
> on that network should be just accepted.
Leave the default policy to accept. We'll fix the problems with that
shortly.
> 2. Anything part of a connection that we originated should be
> accepted.
# make a chain called block
/sbin/iptables -N block
# allow data to come in from the internet
/sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow new connections from the trusted LAN
/sbin/iptables -A block -m state --state NEW -i eth1 -j ACCEPT
# disallow anything else
/sbin/iptables -A block -j DROP
> 3. Certain services (i.e. http, ftp, dns, mail, kerberos, ldap, etc..)
> should be accepted.
# make a chain called servers
/sbin/iptables -N servers
# allow data to come in to the FTP server (control channel, TCP only;
# FTP never uses UDP, and the port 20 / passive-mode data connections
# are matched as RELATED by ip_conntrack_ftp in the block chain below)
/sbin/iptables -A servers -p tcp --dport 21 -j ACCEPT
# allow data to come in to the HTTP server (TCP only)
/sbin/iptables -A servers -p tcp --dport 80 -j ACCEPT
# other servers . . .
> 4. Most everything else should be dropped (and optionally logged).
That is done at the end of the block chain, although I didn't add logging.
Now to link everything together:
# connect the custom chains to the predefined ones
/sbin/iptables -A INPUT -j servers
/sbin/iptables -A INPUT -j block
/sbin/iptables -A FORWARD -j block
You may need to load modules at the start if you're writing a script
like I did.
# load modules
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
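The four steps above put together into one host-only (no forwarding, no NAT) script, as an added example rather than Jeff's own; it assumes eth1 is the trusted interface, a constructed service list, and adds the rate-limited logging that step 4 asked for. Set IPT=echo to print the rules instead of applying them:

```shell
#!/bin/sh
# Added example, not the script from the thread. Set IPT=echo to review the
# rules without touching the kernel (the sanity check below does that).
IPT="${IPT:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth1}"                        # trusted internal interface (assumed)
TCP_SERVICES="${TCP_SERVICES:-21 22 25 53 80 88 389}"  # ftp ssh smtp dns http krb ldap (constructed list)
UDP_SERVICES="${UDP_SERVICES:-53 88}"                  # dns and kerberos also answer on udp

ipt() { $IPT "$@"; }

build_firewall() {
    # start from a clean filter table with drop-by-default policies
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # 1. loopback and the trusted LAN are accepted outright
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -j ACCEPT

    # 2. replies to connections we originated; conntrack does the work,
    #    and packets that fit no known connection are dropped early
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # 3. public services, new connections only; ftp is tcp-only and its
    #    data connections arrive as RELATED via ip_conntrack_ftp
    for p in $TCP_SERVICES; do
        ipt -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $UDP_SERVICES; do
        ipt -A INPUT -p udp --dport "$p" -j ACCEPT
    done

    # 4. everything else: log (rate-limited so a scan cannot fill the
    #    disk or syslog), then drop
    ipt -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: "
    ipt -A INPUT -j DROP
}

# number of ACCEPT rules the script would install; a cheap sanity check
rule_count() { (IPT=echo; build_firewall) | grep -c -- "-j ACCEPT"; }

if [ "${1:-}" = apply ]; then
    build_firewall
fi
```

Run it as `sh firewall.sh apply` to load the rules, or `IPT=echo sh firewall.sh apply` to review them first.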
--
Jeff Jackowski
http://ro.com/~jeffj/