Re: Problems with IPTABLES
From: Richard (ikke@nospam.no-ip.com) Date: 03/03/02
From: Richard <ikke@nospam.no-ip.com> Date: Sat, 2 Mar 2002 21:36:28 -0800
In article <3C810A6A.ABDCD998@hot.ee>, kirotarp@hot.ee says...
> Hi,
>
> I have a problem with my firewall settings (RH7.2/iptables)! When I enable
> rules, all computers on the local network can access the internet and send mail
> but can't log in to samba and can't ping the server IP and can't connect through
> local windows networking! When I clear all rules, then computers can
> see the server and log in to the samba domain, but can't see the internet anymore!
> :(
Try the following firewall script:
ipt=/sbin/iptables
extip=1.2.3.4
intip=192.168.100.1
extif=eth0
intif=eth1
# SYN-cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Enable IP-forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Enable IP-spoofing protection
for i in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $i
done
# Disable ICMP Redirect acceptance
for i in /proc/sys/net/ipv4/conf/*/accept_redirects
do
echo 0 > $i
done
# Disable source routed packets
for i in /proc/sys/net/ipv4/conf/*/accept_source_route
do
echo 0 > $i
done
# Protect against ICMP echo flooding
# (with this set to 1 the kernel answers no echo requests at all, so the
# server cannot be pinged even though the INPUT chain accepts ICMP below;
# set it to 0 if you want the server to answer ping)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Load modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# Default policies
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP
# Flush tables
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
# Drop invalid packets
$ipt -t mangle -A PREROUTING -m state --state INVALID -j DROP
# DO NAT
$ipt -t nat -A POSTROUTING -o $extif -j SNAT --to-source $extip
# Allow local traffic
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
# Allow replies
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#INPUT
$ipt -A INPUT -i $intif -p tcp --dport 53 -j ACCEPT # DNS
$ipt -A INPUT -i $intif -p udp --dport 53 -j ACCEPT # DNS
$ipt -A INPUT -i $intif -p tcp --dport 67 -j ACCEPT # DHCP
$ipt -A INPUT -i $intif -p udp --dport 67 -j ACCEPT # DHCP
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT # WWW
$ipt -A INPUT -p tcp --dport 443 -j ACCEPT # HTPS
$ipt -A INPUT -p tcp --dport 25 -j ACCEPT # SMTP
$ipt -A INPUT -i $intif -p tcp --dport 143 -j ACCEPT # IMAP
$ipt -A INPUT -i $intif -p udp --dport 143 -j ACCEPT # IMAP
$ipt -A INPUT -i $intif -p tcp --dport 137:139 -j ACCEPT # SMB
$ipt -A INPUT -i $intif -p udp --dport 137:139 -j ACCEPT # SMB
$ipt -A INPUT -p tcp --dport 22 -j ACCEPT # SSH
$ipt -A INPUT -i $intif -p tcp --dport 3128 -j ACCEPT # SQUID
$ipt -A INPUT -p icmp -j ACCEPT # PING
# -d takes an address, not an interface: reject anything arriving on an
# interface that is not addressed to that interface's own IP (broadcasts)
$ipt -A INPUT -i $intif -d ! $intip -j REJECT # These will reject
$ipt -A INPUT -i $extif -d ! $extip -j REJECT # broadcasts
#OUTPUT (the OUTPUT chain only has an outgoing interface, so -o, not -i)
$ipt -A OUTPUT -o $extif -p tcp --dport 53 -j ACCEPT # DNS
$ipt -A OUTPUT -o $extif -p udp --dport 53 -j ACCEPT # DNS
$ipt -A OUTPUT -o $extif -p tcp --dport 80 -j ACCEPT # HTTP
$ipt -A OUTPUT -o $extif -p tcp --dport 443 -j ACCEPT # HTTPS
$ipt -A OUTPUT -o $extif -p tcp --dport 25 -j ACCEPT # SMTP
$ipt -A OUTPUT -o $intif -p udp --dport 137:139 -j ACCEPT # SMB
$ipt -A OUTPUT -o $intif -p tcp --dport 137:139 -j ACCEPT # SMB
$ipt -A OUTPUT -p icmp -j ACCEPT
#FORWARD
# if your own machine isn't the mail server uncomment this line:
# $ipt -A FORWARD -p tcp --dport 25 -j ACCEPT
$ipt -A FORWARD -p tcp --dport 20:21 -j ACCEPT # Don't know the exact
# thing for ftp; I have an ftp-proxy, I can recommend that you do this also
$ipt -A FORWARD -p tcp --dport 137:139 -j DROP
$ipt -A FORWARD -p udp --dport 137:139 -j DROP
#Catch all... DENY and log
$ipt -A INPUT -j LOG
$ipt -A OUTPUT -j LOG
$ipt -A FORWARD -j LOG
This should do the trick, and if something is still not working, check
/var/log/messages for the things that the firewall is denying.
To use --dport you must first give -p (icmp, for example, doesn't have a
destination port).
> iptables -A INPUT -s 0/0 -p tcp -d 0/0 --dport 1024:65535 -j ACCEPT
The -d option is not needed if you want everybody. This rule isn't
necessary anymore because you accept related and established connections.
> iptables -A INPUT -i eth0 -p tcp -s $CLASS_A -j DROP
> iptables -A INPUT -i eth0 -p tcp -s $CLASS_B -j DROP
> iptables -A INPUT -i eth0 -p tcp -s $CLASS_C -j DROP
You should not get packets with these addresses.
> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
This rule is weird: why should your machine forward things on the
same network??
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
This rule will open all ports for your internal network to the internet,
and if you have windows you probably won't want this (in case of
viruses etc.).
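Richard's advice to read /var/log/messages is easier to act on if the LOG lines are grouped. The following is an added example for this thread (not code from Richard or the original poster): it reads the key=value lines netfilter's LOG target writes to syslog, infers the chain from the IN=/OUT= fields (the script above uses plain -j LOG with no --log-prefix, so the chain is not in the line), counts packets per chain/interface/protocol/port, and prints the ACCEPT rule that would match each flow so you can decide case by case whether to add it. The lines in SAMPLE_LOG are constructed for the example, not captured from a real box; they include a Windows client trying TCP 445 (the SMB-over-TCP port that the 137:139 rules do not cover) and a client trying to reach port 443 directly instead of through squid. The $ipt variable name is borrowed from the script above. Nothing it prints is applied automatically.

```python
"""Summarise what an iptables LOG catch-all is dropping and suggest rules."""
import re
import sys
from collections import Counter

# Constructed sample syslog text (not captured); the layout is the one the
# LOG target produces: "kernel: IN=... OUT=... SRC=... DST=... PROTO=... DPT=...".
SAMPLE_LOG = """\
Mar  3 21:40:01 gw kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:29:aa:bb:cc:08:00 SRC=192.168.100.23 DST=192.168.100.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1234 PROTO=UDP SPT=138 DPT=138 LEN=58
Mar  3 21:40:02 gw kernel: IN=eth1 OUT= MAC=00:0c:29:11:22:33:00:0c:29:aa:bb:cc:08:00 SRC=192.168.100.23 DST=192.168.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=1235 DF PROTO=TCP SPT=1035 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 21:40:02 gw kernel: IN=eth1 OUT= MAC=00:0c:29:11:22:33:00:0c:29:aa:bb:cc:08:00 SRC=192.168.100.23 DST=192.168.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=1236 DF PROTO=TCP SPT=1035 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 21:40:05 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.100.23 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2001 DF PROTO=TCP SPT=1040 DPT=443 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 21:40:07 gw kernel: IN= OUT=eth0 SRC=1.2.3.4 DST=198.51.100.53 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=48
Mar  3 21:40:09 gw kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cd:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=1.2.3.4 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=777 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Mar  3 21:40:10 gw sshd[812]: Accepted password for richard from 192.168.100.23 port 1041 ssh2
"""

# KEY=value tokens; flags without a value (DF, SYN) are skipped on purpose.
_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=value fields of a netfilter LOG line, or None for other syslog lines."""
    if "kernel:" not in line or " IN=" not in line:
        return None
    return dict(_FIELD.findall(line.split("kernel:", 1)[1]))


def chain_of(fields):
    """INPUT lines carry only IN=, OUTPUT lines only OUT=, FORWARD lines both."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    return "INPUT" if has_in else "OUTPUT" if has_out else "UNKNOWN"


def flow_key(fields):
    """(chain, in-iface, out-iface, proto, selector); selector is the dport or the ICMP type."""
    proto = fields.get("PROTO", "?")
    selector = fields.get("TYPE", "?") if proto == "ICMP" else fields.get("DPT", "?")
    return (chain_of(fields), fields.get("IN") or "-", fields.get("OUT") or "-", proto, selector)


def summarize(log_text):
    """Count logged (i.e. dropped) packets per flow key across a chunk of syslog text."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields:
            counts[flow_key(fields)] += 1
    return counts


def suggest_rule(key, ipt="$ipt"):
    """The ACCEPT rule that would match this flow; whether it belongs in the script is your call."""
    chain, iface_in, iface_out, proto, selector = key
    parts = [ipt, "-A", chain]
    if iface_in != "-":
        parts += ["-i", iface_in]
    if iface_out != "-":
        parts += ["-o", iface_out]
    parts += ["-p", proto.lower()]
    if proto == "ICMP":
        parts += ["--icmp-type", selector]
    elif proto in ("TCP", "UDP"):
        parts += ["--dport", selector]
    return " ".join(parts + ["-j", "ACCEPT"])


def report(log_text):
    """One line per flow, most frequent first: count, chain, interfaces, proto, port, suggested rule."""
    rows = []
    for key, n in summarize(log_text).most_common():
        rows.append("%4d  %-8s in=%-5s out=%-5s %-4s %-6s  %s"
                    % (n, key[0], key[1], key[2], key[3], key[4], suggest_rule(key)))
    return rows


if __name__ == "__main__":
    # With a file argument (e.g. /var/log/messages) it reads that; otherwise the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(text)))
```

The two 445 packets from the same client show up as one flow with a count of 2, and the FORWARD row for port 443 tells you that direct web traffic from the LAN is being dropped, which with this script is by design since the clients are meant to use squid on 3128. Treat each suggested rule as a question, not an answer: a port 445 rule belongs on the internal interface only, and a FORWARD rule for 443 is exactly the "open all ports" direction Richard warns about at the end.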