RE: iptables
From: Trevor Benson (tbenson@gdxinc.com)
Date: 09/19/01
- Previous message: Prakash Purushotham: "Re: iptables"
- Maybe in reply to: Thomas Kirk: "iptables"
- Next in thread: Rob 'Feztaa' Park: "Re: iptables"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <378253B6F337D411BB0B009027C3F0438019BF@EMAILSERVER>
From: Trevor Benson <tbenson@gdxinc.com>
To: 'Thomas Kirk' <thomas@arkena.com>, focus-linux@securityfocus.com
Subject: RE: iptables
Date: Wed, 19 Sep 2001 11:03:06 -0700
Take your firewall rules that look like this:
iptables -N state_chk
iptables -A state_chk -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A state_chk -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A state_chk -j DROP
and change them to add this line, like this:
iptables -N state_chk
iptables -A state_chk -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A state_chk -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A state_chk -p tcp --dport 22 -j ACCEPT
iptables -A state_chk -j DROP
Your default INPUT policy is drop, and you have decided only to accept
related data into your WAN port. So if it's not initiated from the inside,
it won't get in (in theory). Thus you also added a drop for all packets
after that list of state checking. What needs to be done is to have the
port 22 set to accept the incoming connection, and prior to the actual
state_chk DROP rule. It could even be -I inserted into the INPUT chain in
the filter table, which would precede the statement checking though, and not
take advantage of the stateful inspection passing off to the last iptables
chain that prior packets used.
Trevor
-----Original Message-----
From: Thomas Kirk [mailto:thomas@arkena.com]
Sent: Tuesday, September 18, 2001 3:51 AM
To: focus-linux@securityfocus.com
Subject: iptables
Hey there listmembers,
First of all let me point out that I'm a newbie on iptables and
security in general. I'm writing to this list because I managed to
build a fw using linux 2.4.9 and iptables 1.2.2. The gateway has 5
interfaces, one on the outside WAN and four on the inside LAN. I'm
running dhcp on all the LAN interfaces supplying the different nets
with connection to the internet.
Setup:
                                         +------>192.168.10.x
                                         |
                                         |------>192.168.11.x
Internet->Gateway(running iptables etc)--|
                                         |------>192.168.12.x
                                         |
                                         +------>192.168.13.x
Since I'm not very good with iptables yet I've found a firewall script
that will set up the most basic rules for what to DENY and what to
ACCEPT. The script also sets up basic NAT'ing between the outside and
inside interfaces. I've put a copy of the rules last in the mail. Now
my question is: sometimes I need to connect from the inside and
the outside into my fw via ssh (Not root!). How is this done? Right
now I can't connect to the server from any of the sides?
iptables rules:
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp #(needed only if you plan on using FTP)
#Set the default policies - sets the default actions of the built-in chains.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#Blocks all new connections unless initiated from the "protected" network.
iptables -N state_chk
iptables -A state_chk -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A state_chk -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A state_chk -j DROP
#Jump to the state_chk chain from INPUT and FORWARD chains.
iptables -A INPUT -j state_chk
iptables -A FORWARD -j state_chk
#Masquerade connections - only needed on the firewall box if you have an internal network that you wish to route traffic to and from the Internet.
#Enable IP forwarding between the interfaces - remember to disable this if you're going to unload the Iptables rules.
echo "1" > /proc/sys/net/ipv4/ip_forward
#Load the NAT modules - needed only if you compiled as modules
modprobe iptable_nat
modprobe ip_nat_ftp #(needed only if you plan on using FTP)
#Enable IP masquerading - Use if your eth0 has a dynamic IP address. For static IP, it's recommended that you use source NAT instead.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#Enable source NAT - Use if your eth0 has a static IP address.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ip_address_of_eth0
Thanks in advance
--
Venlig hilsen/Kind regards
Thomas Kirk
ARKENA
thomas@arkena.com
http://www.arkena.com
"I'm an idiot.. At least this one [bug] took about 5 minutes to find.."
(Linus Torvalds in response to a bug report.)
> I'm an idiot.. At least this [bug] took about 5 minutes to find..
Disquieting ...
(Gonzalo Tornaria in response to Linus Torvalds's mailing about a kernel
bug.)
> I'm an idiot.. At least this [bug] took about 5 minutes to find..
We need to find some new terms to describe the rest of us mere mortals
then.
(Craig Schlenter in response to Linus Torvalds's mailing about a kernel
bug.)
> I'm an idiot.. At least this [bug] took about 5 minutes to find..
Surely, Linus is talking about the kind of idiocy that others aspire to :-).
(Bruce Perens in response to Linus Torvalds's mailing about a kernel bug.)
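The fix Trevor describes (the port-22 ACCEPT placed inside state_chk ahead of its unconditional DROP) comes down to rule order: iptables stops at the first matching rule, so an ACCEPT added after the DROP is never reached. The following is an added example, not code from either poster: it writes Thomas's filter table and the fixed version in iptables-restore format and checks the ordering with awk. The function names are this example's own, the negation uses the modern "! -i eth0" form rather than the 2001 "-i ! eth0" syntax, and the extra "-m state --state NEW" match on the port-22 rule is an addition here, not part of Trevor's line.

```shell
#!/bin/sh
# Added example for the focus-linux thread above (not the posters' code).
# Shows the ruleset before and after inserting the port-22 ACCEPT ahead of
# the state_chk DROP, and a check that the order is right.

# Thomas's original filter table: a NEW connection to port 22 arriving on
# eth0 matches nothing before the final rule, so it reaches the DROP.
gen_original_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:state_chk - [0:0]
-A state_chk -m state --state ESTABLISHED,RELATED -j ACCEPT
-A state_chk -m state --state NEW ! -i eth0 -j ACCEPT
-A state_chk -j DROP
-A INPUT -j state_chk
-A FORWARD -j state_chk
COMMIT
EOF
}

# Same table with Trevor's line inserted before the DROP. The added
# "-m state --state NEW" match (this example's addition) keeps the rule from
# accepting INVALID packets that merely carry destination port 22.
gen_fixed_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:state_chk - [0:0]
-A state_chk -m state --state ESTABLISHED,RELATED -j ACCEPT
-A state_chk -m state --state NEW ! -i eth0 -j ACCEPT
-A state_chk -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A state_chk -j DROP
-A INPUT -j state_chk
-A FORWARD -j state_chk
COMMIT
EOF
}

# Reads a ruleset on stdin. Exits 0 when, inside the state_chk chain, a
# port-22 ACCEPT appears before the unconditional "-j DROP"; exits 1 otherwise.
check_ssh_before_drop() {
  awk '
    /^-A state_chk / {
      n++
      if (!acc && $0 ~ /--dport 22/ && $0 ~ /-j ACCEPT/) acc = n
      if (!drop && $0 == "-A state_chk -j DROP") drop = n
    }
    END { exit !(acc && drop && acc < drop) }
  '
}

gen_original_rules | check_ssh_before_drop \
  || echo "original ruleset: no port-22 ACCEPT ahead of the state_chk DROP (ssh blocked)"
gen_fixed_rules | check_ssh_before_drop \
  && echo "fixed ruleset: port-22 ACCEPT precedes the state_chk DROP (ok)"
```

To load the fixed table on the gateway, run `gen_fixed_rules | iptables-restore` as root; `iptables -L state_chk -n --line-numbers` then shows the ACCEPT numbered below the DROP. Note that both INPUT and FORWARD jump to state_chk, so the new rule also matches forwarded traffic to port 22; if only the firewall itself should be reachable, match the rule more narrowly (for example on the destination address of the gateway).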