RE: iptables help needed

From: Poole, John J (john.j.poole@usago.ksc.nasa.gov)
Date: 02/17/03

    From: "Poole, John J" <john.j.poole@usago.ksc.nasa.gov>
    To: "'security-discuss@linuxsecurity.com'" <security-discuss@linuxsecurity.com>
    Date: Mon, 17 Feb 2003 12:44:45 -0500

    JR,
      I know very little about iptables either; I use the script supplied at
    this Web site. There are also discussion groups there.
    John
    http://monmotha.mplug.org/firewall/index.php

    -----Original Message-----
    From: JR [mailto:traken@spscompanies.com]
    Sent: Monday, February 17, 2003 12:39 PM
    To: security-discuss@linuxsecurity.com
    Subject: iptables help needed

            Ok, I'm pretty new to iptables, but this is where I'm at: Redhat 8,
    kernel 2.4.20 w/pom-20030107 mods added, dhcpd server. The dhcpd seems fine, I can
    get to the main box fine from a 192.168.. pc but I cannot get past the main
    box, ping, telnet, ftp, nothing. The main box can do all those...
       I have gotten kinda crazy with opening things up to try and get this to
    work, seems like I must be close:

    /sbin/iptables -vL | more
    Chain INPUT (policy ACCEPT 3 packets, 156 bytes)
     pkts bytes target prot opt in out source destination
        0 0 ACCEPT all -- lo any anywhere anywhere
        0 0 ACCEPT tcp -- eth1 any anywhere anywhere tcp dpt:ssh
        0 0 ACCEPT tcp -- eth1 any anywhere anywhere state RELATED,ESTABLISHED
        0 0 ACCEPT all -- eth1 any anywhere anywhere state NEW
        0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:telnet
        0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:1065
        0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:1063
        0 0 ACCEPT udp -- eth1 any anywhere anywhere
        0 0 ACCEPT udp -- eth0 any anywhere anywhere
        0 0 ACCEPT all -- eth1 any anywhere anywhere
        0 0 ACCEPT all -- eth1 any anywhere anywhere
       60 4464 ACCEPT all -- eth0 any anywhere anywhere

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target prot opt in out source destination
        0 0 all -- any any anywhere anywhere
        0 0 ACCEPT all -- eth1 any anywhere anywhere
        0 0 ACCEPT all -- eth0 any anywhere anywhere

    Chain OUTPUT (policy ACCEPT 3 packets, 348 bytes)
     pkts bytes target prot opt in out source destination
        0 0 ACCEPT all -- any lo anywhere anywhere
       32 6672 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
        0 0 ACCEPT all -- any any modem anywhere
        0 0 ACCEPT all -- any any anywhere
        0 0 ACCEPT all -- any eth0 anywhere anywhere
        0 0 ACCEPT all -- any eth1 anywhere anywhere

    This is the file I run to get this:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -F
    /sbin/iptables -X
    /sbin/iptables -Z
    /sbin/iptables -t filter -A FORWARD
    echo \* Setting loopback rules
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A OUTPUT -o lo -j ACCEPT
    echo \* setting NAT rules
    /sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/25 -d -0/0 -j
    MASQU$
    echo \* setting external rules
    /sbin/iptables -t filter -A INPUT -i eth1 -m tcp -p tcp --dport 22 -j ACCEPT
    #allow ftp etc
    /sbin/iptables -t filter -A INPUT -i eth1 -p tcp -m state --state
    ESTABLISHED,\$
    #Drop all new connects?
    /sbin/iptables -t filter -A INPUT -i eth1 -m state --state NEW -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -m tcp --dport 1065 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -m tcp --dport 1063 -j ACCEPT
    /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
    #/sbin/iptables -A OUTPUT -p ALL -s 192.168.1.7 -j ACCEPT
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -A INPUT -p UDP -i eth1 -j ACCEPT
    /sbin/iptables -A FORWARD -p ALL -i eth1 -j ACCEPT
    /sbin/iptables -A INPUT -p UDP -i eth0 -j ACCEPT
    /sbin/iptables -A FORWARD -p ALL -i eth0 -j ACCEPT
    /sbin/iptables -A INPUT -i eth1 -j ACCEPT
    $
    /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -j ACCEPT
    $
    /sbin/iptables -A OUTPUT -o eth1 -j ACCEPT

    I'm not afraid to read; if someone can steer me in the right direction I
    would very much appreciate it, pretty lost right now...
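Added here as an editorial example, not code from either message or from the MonMotha script: a minimal stateful NAT-gateway ruleset of the kind JR is after, written with default-DROP policies so that only the listed traffic passes. It assumes eth1 is the outside interface (as the MASQUERADE rule in JR's script suggests), eth0 is the LAN side, and the LAN is 192.168.1.0/24 (JR's script uses /25, which only covers 192.168.1.0-127); all three can be overridden through the environment. Without the "apply" argument it only prints the iptables commands it would run, which is what count_wan_new_input() inspects.

```sh
#!/bin/sh
# Editorial example (not the poster's script). Layout assumptions:
# LAN_IF = eth0 (inside), WAN_IF = eth1 (outside), LAN_NET = 192.168.1.0/24.
# Run "sh gateway.sh apply" as root to load; with no argument it prints rules.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"

# run(): print the rule in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

gateway_rules() {
    run -F; run -X; run -Z
    run -t nat -F
    # default deny on every chain; everything below is an explicit allow
    run -P INPUT DROP; run -P FORWARD DROP; run -P OUTPUT DROP
    # loopback
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    # return traffic for connections the box itself or a LAN host started
    run -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # management (ssh) and DHCP service only from the LAN side, never from WAN
    run -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    # LAN hosts may open new connections out through the WAN interface
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # hide the LAN behind the WAN address
    run -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # forwarding must also be switched on in the kernel
    if [ "$DRY_RUN" != "1" ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
}

# count_wan_new_input(): number of rules accepting NEW connections arriving on
# the WAN interface; a quick self-check, expected to print 0
count_wan_new_input() {
    gateway_rules | grep -c -- "-A INPUT -i $WAN_IF .*--state NEW" || true
}

if [ "${1:-}" = "apply" ]; then DRY_RUN=0; gateway_rules; fi
```

Review the printed rules with DRY_RUN=1 before applying them from a console session, since a default-DROP INPUT policy with a wrong LAN_IF locks out remote ssh.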

    ------------------------------------------------------------------------
         To unsubscribe email security-discuss-request@linuxsecurity.com
             with "unsubscribe" in the subject of the message.