[TriLUG] Firewall for my webserver (IPTABLES)

Kevin Flanagan kevin at flanagannc.net
Sun Jun 8 09:58:41 EDT 2003


On Sun, 2003-06-08 at 01:38, Jerry M. Howell II wrote:

Quick, take that system off of the network!

You just gave the entire internet the keys to the kingdom.  Take it off
of the internet until you get a handle on firewalls; once you do, be
sure that the rules aren't the same as the ones that you just posted.

I'd never discuss my firewall rules in any detail with folks that I
don't know.



Just my $.02


> Hello everyone,
> 
>    I'm currently adminning my wife's webserver at
>    gamma.hostbyk.com. We are running redhat 7.3 with a generic 2.4.20
>    kernel custom compiled with all the iptables/NAT goodies. I go to
>    enable the firewall and that's where I run into problems. I can view
>    the webserver, about 75% of my clients can, but there are some that go
>    through compuserve, earthlink and aol that can't seem to access
>    anything once I start the firewall. No email, ftp, can't ping it or
>    pull up a webpage. Thought it was probably ICMP so I allowed that
>    through but still nothing. Might someone have any suggestions? Here is
>    the output from /usr/local/iptables-save, which is iptables-1.2.8 BTW.
> 
> # Generated by iptables-save v1.2.8 on Fri Jun  6 13:07:33 2003
> *nat
> :PREROUTING ACCEPT [1956549:98046633]
> :POSTROUTING ACCEPT [205477:14316170]
> :OUTPUT ACCEPT [205477:14316170]
> COMMIT
> # Completed on Fri Jun  6 13:07:33 2003
> # Generated by iptables-save v1.2.8 on Fri Jun  6 13:07:33 2003
> *mangle
> :PREROUTING ACCEPT [11003984:1977948454]
> :INPUT ACCEPT [10098177:1941715975]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [10603720:6903438327]
> :POSTROUTING ACCEPT [10603700:6903433659]
> COMMIT
> # Completed on Fri Jun  6 13:07:33 2003
> # Generated by iptables-save v1.2.8 on Fri Jun  6 13:07:33 2003
> *filter
> :INPUT ACCEPT [8569034:1718459859]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [10603700:6903436455]
> :acctboth - [0:0]
> :firewall - [0:0]
> [5:582] -A INPUT -p udp -m udp --sport 53 -j ACCEPT 
> [0:0] -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT 
> [0:0] -A INPUT -p tcp -m tcp --sport 113 -j ACCEPT 
> [0:0] -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT 
> [4:552] -A INPUT -p icmp -j ACCEPT 
> [0:0] -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT 
> [85:7204] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
> [158:22654] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
> [0:0] -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT 
> [40:1898] -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT 
> [0:0] -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
> [0:0] -A INPUT -p tcp -m tcp --dport 1080 -j ACCEPT 
> [0:0] -A INPUT -p udp -m udp --dport 1080 -j ACCEPT 
> [0:0] -A INPUT -p tcp -m tcp --dport 2082 -j ACCEPT 
> [0:0] -A INPUT -p tcp -m tcp --dport 2087 -j ACCEPT 
> [0:0] -A INPUT -p tcp -m tcp --dport 2095 -j ACCEPT 
> [0:0] -A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT 
> [0:0] -A INPUT -p udp -m udp --dport 8000 -j ACCEPT 
> [0:0] -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT 
> [0:0] -A INPUT -p udp -m udp --dport 8080 -j ACCEPT 
> [0:0] -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT 
> [0:0] -A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT 
> [0:0] -A INPUT -s 217.133.0.0/255.255.0.0 -j DROP 
> [0:0] -A INPUT -s 80.13.0.0/255.255.0.0 -j DROP 
> [0:0] -A INPUT -s 200.0.0.0/255.0.0.0 -j DROP 
> [0:0] -A INPUT -s 216.15.179.128/255.255.255.224 -j DROP 
> [0:0] -A INPUT -s 43.0.0.0/255.0.0.0 -j DROP 
> [0:0] -A INPUT -s 61.0.0.0/255.0.0.0 -j DROP 
> [0:0] -A INPUT -s 133.0.0.0/255.0.0.0 -j DROP 
> [0:0] -A INPUT -s 163.13.0.0/255.255.0.0 -j DROP 
> [0:0] -A INPUT -s 163.14.0.0/255.254.0.0 -j DROP 
> [0:0] -A INPUT -s 163.16.0.0/255.240.0.0 -j DROP 
> [0:0] -A INPUT -s 163.32.0.0/255.255.0.0 -j DROP 
> [0:0] -A INPUT -s 211.0.0.0/255.0.0.0 -j DROP 
> [0:0] -A INPUT -s 218.0.0.0/255.0.0.0 -j DROP 
> [0:0] -A INPUT -s 219.0.0.0/255.0.0.0 -j DROP 
> [0:0] -A INPUT -s 220.0.0.0/255.0.0.0 -j DROP 
> [0:0] -A INPUT -s 221.0.0.0/255.0.0.0 -j DROP 
> [0:0] -A INPUT -p icmp -j firewall 
> [0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j firewall 
> [21:1408] -A INPUT -p udp -j firewall 
> [0:0] -A OUTPUT -p icmp -m state --state INVALID -j DROP 
> [21:1408] -A firewall -j LOG --log-prefix "Firewall:" --log-level info 
> [21:1408] -A firewall -j DROP 
> COMMIT
> # Completed on Fri Jun  6 13:07:33 2003
> 
> My firewall script can be found at http://www.jmhowell.com/fire.html if
> you wanna look that over as well. Thanks for any advice that can be given.
> Any time warner admins feel free to spill the beans as well if you know
> of anything :)
-- 
+--------------------------------------------------------+ 
   When all men think alike, no one thinks very much.
	Walter Lippmann
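The reply above does not spell out what in the quoted ruleset hands over the keys; the audit below does. It is an added example written for this page, not code from either poster: a small parser for iptables-save output that flags filter-table chains with an ACCEPT default policy and ACCEPT rules that match only on `--sport` (the `--sport 53` and `--sport 113` lines in the dump), since a remote peer chooses its own source port and such a rule therefore admits traffic to every local port. The SAMPLE text is a constructed subset of the quoted dump.

```python
"""Audit an iptables-save dump for ACCEPT rules keyed only on source port.

Hypothetical helper for this thread, not from the original post. It reads
the *filter table and reports rules a reviewer should question.
"""
import re
import shlex

# Constructed sample: a subset of the filter table quoted in the thread.
SAMPLE = """\
*filter
:INPUT ACCEPT [8569034:1718459859]
:FORWARD ACCEPT [0:0]
:firewall - [0:0]
[5:582] -A INPUT -p udp -m udp --sport 53 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --sport 113 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[21:1408] -A INPUT -p udp -j firewall
[21:1408] -A firewall -j DROP
COMMIT
"""

# Matches that narrow a rule to a specific peer, local port or flow state.
NARROWING = {"--dport", "--destination-port", "-s", "--source", "--state"}

def filter_table(dump):
    """Yield the stripped lines of the *filter table only."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter":
            yield line

def accept_policy_chains(dump):
    """Built-in chains whose default policy is ACCEPT (":NAME ACCEPT [...]")."""
    return [ln.split()[0][1:] for ln in filter_table(dump)
            if ln.startswith(":") and ln.split()[1] == "ACCEPT"]

def source_port_accepts(dump):
    """Return (chain, rule) for ACCEPT rules that match on --sport alone."""
    hits = []
    for ln in filter_table(dump):
        toks = shlex.split(re.sub(r"^\[\d+:\d+\]\s*", "", ln))  # drop counters
        if toks[:1] != ["-A"] or "-j" not in toks:
            continue
        if toks[toks.index("-j") + 1] != "ACCEPT":
            continue
        if ("--sport" in toks or "--source-port" in toks) and not NARROWING & set(toks):
            hits.append((toks[1], " ".join(toks[2:])))
    return hits
```

Run it against a real dump by replacing SAMPLE with the file contents; the usual remedy for a `--sport`-only rule is to admit replies with `-m state --state ESTABLISHED,RELATED` instead of by port number.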
