Re: IPTABLES configuration [help]
From: Kasper Dupont <kasperd@daimi.au.dk>
Date: Sat, 06 Apr 2002 00:59:42 +0200
In reply to: Falcon: "IPTABLES configuration [help]"
Next in thread: D. Stussy: "Re: IPTABLES configuration [help]"
Falcon wrote:
>
> Okay I'm an iptables newbie, but it is essential that I get a script
> up very very soon to match to the following specifications.
>
> I'm running Redhat Linux 7.2 w/ iptables-1.2.3-1 on it.
>
> I have it booting at startup. Here is the location of all my files:
> /etc/rc.d/init.d/iptables
> /sbin/iptables-restore
> /sbin/iptables
> /sbin/iptables-save
> /etc/sysconfig/iptables
>
> I want to configure /etc/sysconfig/iptables w/ the specifications that
> I'm saying right below here.
>
> Drop all connections except for ones connecting to ports:
> -21
> -22
> -25
> -80
> -110
> -995
In or out? TCP or UDP?
>
> I also need to deny ALL access to this ip [on all ports]:
> -67.201.164.124
In or out?
Here is a modified version of mine, might be overkill for you.
A few notes about the purpose of the different parts.

INPUT: allow related and established packets and ping packets.
Delegate TCP and UDP to separate chains. DROP multicast
packets without logging to keep noise in the log down.

UDPINPUT: first a rule that makes traceroute work but still
doesn't allow any UDP packets through to the ports. Then a
few DHCP server packets get allowed, change these rules
for your needs or remove them. LOG and DROP the rest.

TCPINPUT: allow the specified ports through, LOG and REJECT
the rest.

OUTPUT: prevents apache from making any connections, to limit
damage if it ever got cracked. TCP gets delegated to a
separate chain, everything else gets accepted.

TCPOUTPUT: allow the specified ports through, LOG and REJECT
the rest. This doesn't have to open the same ports as
TCPINPUT, mine doesn't. Also notice the difference between
the last rules.

LOGDROP: just LOG and DROP packets, limit the amount of packets
getting logged.

LOGREJECT: similar to LOGDROP, but REJECT packets with the most
appropriate response I could come up with.

SLOWLOGREJECT: similar to LOGREJECT but limits the amount of
packets getting rejected to keep outgoing traffic down in case
of flooding. The rest gets dropped.

LOGACCEPT: can be used in case you want to log anything that
actually got accepted. Intentionally no limit here.
# Filter table; iptables-restore needs this header before the chain definitions.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
:LOGREJECT - [0:0]
:LOGACCEPT - [0:0]
:SLOWLOGREJECT - [0:0]
:UDPINPUT - [0:0]
:TCPINPUT - [0:0]
:TCPOUTPUT - [0:0]
# INPUT: loopback, anti-spoofing for 127/8, conntrack, then per-protocol chains,
# rate-limited ping, silent drop of the router's multicast, log and drop the rest.
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j LOGDROP
-A INPUT -d 127.0.0.0/8 -j LOGDROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j TCPINPUT
-A INPUT -p udp -j UDPINPUT
-A INPUT -m limit --limit 79/minute --limit-burst 4 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 192.168.100.1 -d 224.0.0.1 -j DROP
-A INPUT -j LOGDROP
# UDPINPUT: UDP between unprivileged ports gets a rate-limited port-unreachable so
# traceroute works; then DHCP server replies (adjust or remove); log and drop the rest.
-A UDPINPUT -p udp -m udp --sport 1024:65535 --dport 1024:65535 -j SLOWLOGREJECT
-A UDPINPUT -s 10.4.0.1 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A UDPINPUT -s 0.0.0.0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A UDPINPUT -s 194.239.10.172 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A UDPINPUT -j LOGDROP
# TCPINPUT: the allowed service ports; everything else gets a rate-limited reject.
-A TCPINPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A TCPINPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A TCPINPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A TCPINPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A TCPINPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A TCPINPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A TCPINPUT -j SLOWLOGREJECT
# OUTPUT: replies to existing connections first, then no new connections for the
# apache user, loopback, and outbound TCP delegated to its own chain.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner apache -j LOGDROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -j TCPOUTPUT
# TCPOUTPUT: outbound TCP ports this host may open; the rest is logged and rejected
# without the rate limit used in TCPINPUT.
-A TCPOUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A TCPOUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A TCPOUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A TCPOUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A TCPOUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A TCPOUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A TCPOUTPUT -j LOGREJECT
# Logging targets: LOG is non-terminating, so the DROP/REJECT/ACCEPT after it decides.
-A LOGDROP -m limit --limit 1/minute --limit-burst 42 -j LOG --log-prefix "iptables DROP: "
-A LOGDROP -j DROP
-A LOGREJECT -m limit --limit 1/minute --limit-burst 42 -j LOG --log-prefix "iptables REJECT: "
-A LOGREJECT -p tcp -j REJECT --reject-with tcp-reset
-A LOGREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A LOGREJECT -j REJECT --reject-with icmp-host-unreachable
-A SLOWLOGREJECT -m limit --limit 15/minute --limit-burst 10 -j LOGREJECT
-A SLOWLOGREJECT -j LOGDROP
-A LOGACCEPT -j LOG --log-prefix "iptables ACCEPT: "
-A LOGACCEPT -j ACCEPT
COMMIT
-- Kasper Dupont -- who spends too much time on Usenet. For sending spam use mailto:razor-report@daimi.au.dk
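The chain delegation above (INPUT hands TCP to TCPINPUT, misses fall into SLOWLOGREJECT, then LOGREJECT, where LOG is non-terminating and the REJECT that follows decides) is easiest to understand by tracing single packets through it. The following Python simulator is an added example, not code from the post: it parses a constructed, trimmed copy of Kasper's ruleset (fewer open ports, no DHCP or LOGACCEPT rules) and answers "which rule decides this packet's fate?" for a packet described as a dict. Two LOGDROP rules for the asker's 67.201.164.124 block are added at the top of INPUT and OUTPUT, which is my answer to Kasper's "In or out?" question (both). The model is simplified: `-m limit` is assumed to always match, and only the matches this ruleset uses are understood.

```python
"""Simulate which rule in an iptables-restore ruleset decides a packet's fate."""
import ipaddress, shlex

# Constructed input: a trimmed copy of the post's ruleset (fewer open ports, no
# DHCP or LOGACCEPT rules) plus two LOGDROP rules for the asker's 67.201.164.124
# block, placed first in INPUT and OUTPUT so no earlier rule can accept that host.
RULESET = """
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
:LOGREJECT - [0:0]
:SLOWLOGREJECT - [0:0]
:UDPINPUT - [0:0]
:TCPINPUT - [0:0]
-A INPUT -s 67.201.164.124 -j LOGDROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j TCPINPUT
-A INPUT -p udp -j UDPINPUT
-A INPUT -m limit --limit 79/minute --limit-burst 4 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j LOGDROP
-A UDPINPUT -p udp -m udp --sport 1024:65535 --dport 1024:65535 -j SLOWLOGREJECT
-A UDPINPUT -j LOGDROP
-A TCPINPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A TCPINPUT -j SLOWLOGREJECT
-A OUTPUT -d 67.201.164.124 -j LOGDROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner apache -j LOGDROP
-A LOGDROP -m limit --limit 1/minute --limit-burst 42 -j LOG --log-prefix "iptables DROP: "
-A LOGDROP -j DROP
-A LOGREJECT -m limit --limit 1/minute --limit-burst 42 -j LOG --log-prefix "iptables REJECT: "
-A LOGREJECT -p tcp -j REJECT --reject-with tcp-reset
-A LOGREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A SLOWLOGREJECT -m limit --limit 15/minute --limit-burst 10 -j LOGREJECT
-A SLOWLOGREJECT -j LOGDROP
COMMIT
"""

SKIP = {"-m", "--limit", "--limit-burst"}  # take a value, not modelled (-m limit always matches)

def parse(text):
    """Return {chain: (policy, [rule])}; a rule maps option -> value plus 'target'/'targs'."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = (policy, [])
        elif line.startswith("-A "):
            toks, rule, i = shlex.split(line), {}, 2
            while toks[i] != "-j":
                if toks[i] not in SKIP:
                    rule[toks[i]] = toks[i + 1]
                i += 2
            rule["target"], rule["targs"] = toks[i + 1], toks[i + 2:]
            chains[toks[1]][1].append(rule)
    return chains

def in_range(spec, port):
    lo, _, hi = spec.partition(":")  # "80" or "1024:65535"
    return int(lo) <= port <= int(hi or lo)

def matches(rule, pkt):
    """True when every filtering option of the rule matches the packet dict."""
    checks = {
        "-i": lambda v: pkt.get("iface_in") == v,
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v),
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v),
        "-p": lambda v: pkt["proto"] == v,
        "--sport": lambda v: in_range(v, pkt.get("sport", -1)),
        "--dport": lambda v: in_range(v, pkt.get("dport", -1)),
        "--state": lambda v: pkt.get("state", "NEW") in v.split(","),  # default: a new connection
        "--icmp-type": lambda v: str(pkt.get("icmp_type")) == v,
        "--uid-owner": lambda v: pkt.get("uid") == v,
    }
    return all(checks[opt](val) for opt, val in rule.items() if opt in checks)

def walk(chains, name, pkt, log):
    """First matching terminating target wins; LOG continues; a user chain falls through with None."""
    policy, rules = chains[name]
    for rule in rules:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target == "LOG":  # targs[1] is the --log-prefix value
            log.append(rule["targs"][1] + f"{pkt['proto']} {pkt['src']}->{pkt['dst']}:{pkt.get('dport', '-')}")
        elif target in ("ACCEPT", "DROP"):
            return target
        elif target == "REJECT":  # targs[1] is the --reject-with value
            return "REJECT " + rule["targs"][1]
        else:
            verdict = walk(chains, target, pkt, log)
            if verdict:
                return verdict
    return None if policy == "-" else policy

def fate(chains, chain, pkt):
    """Return (verdict, log lines) for a packet entering the given built-in chain."""
    log = []
    return walk(chains, chain, pkt, log), log
```

Calling `fate(parse(RULESET), "INPUT", {"iface_in": "eth0", "src": "1.2.3.4", "dst": "10.0.0.2", "proto": "tcp", "dport": 23})` returns `("REJECT tcp-reset", ["iptables REJECT: tcp 1.2.3.4->10.0.0.2:23"])`, which shows the full path TCPINPUT, SLOWLOGREJECT, LOGREJECT; the same packet from 67.201.164.124 is dropped by the first INPUT rule before any port is considered, and a UDP probe between unprivileged ports gets icmp-port-unreachable (the traceroute behaviour Kasper describes) rather than being silently dropped.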