FedoraForum.org > Security and Privacy

#1
29th October 2011, 08:35 PM
hermouche
iptables rules!

Hi everyone,

Please check the following and tell me what I should take off, and
what I should add in order to be as safe as possible.
I'm sure that there is some redundancy, but I need your expertise. THANKS

We are in an institution where students are trying to hack the server.

Quote:
[root@serveur ~]# iptables -L OUTPUT -n --line-numbers
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:21 state NEW
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:1024:65535 state NEW
7 ACCEPT all -- 192.168.0.0/24 0.0.0.0/0
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

[root@serveur ~]# iptables -L INPUT -n --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21 dpts:1024:65535 state RELATED,ESTABLISHED
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 ACCEPT all -- 192.168.0.0/24 0.0.0.0/0
7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

[root@serveur ~]# iptables -L FORWARD -n --line-numbers
Chain FORWARD (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

[root@serveur ~]# iptables -L POSTROUTING -t nat -n --line-numbers
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 192.168.0.0/24 0.0.0.0/0

[root@serveur ~]# iptables -L PREROUTING -t nat -n --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
[root@serveur ~]#

Another thing which is very embarrassing is that many students are using torrents for downloading things which have nothing to do with their lectures. How to fix that? (We are using squid, but some web proxies are just passing through; HTTPS is also another problem since we can't stop it, it is needed for logging, as an example.)


Thanks a lot

red
#2
29th October 2011, 10:27 PM
beaker_
Re: iptables rules!

It all depends on what you want to do.

An OUTPUT chain default policy of DROP is a pita when forwarding (NAT or route), as RELATED,ESTABLISHED won't always catch it.

Quote:
We are in an institutions where Student's are trying to hack the server
Logging options, cron script, email/page details, go for a short walk and then kill the little bastard. Simple. Even sheep understand.
#3
30th October 2011, 04:00 PM
hermouche
Re: iptables rules!

Quote:
Originally Posted by beaker_ View Post
It all depends on what you want to do.

An OUTPUT chain default policy of DROP is a pita when forwarding (NAT or route), as RELATED,ESTABLISHED won't always catch it.

Logging options, cron script, email/page details, go for a short walk and then kill the little bastard. Simple. Even sheep understand.
OK, thanks for the reply,

Basically I would like to let DNS, HTTP, HTTPS and SSH pass.

Quote:
[root@serveur ~]# iptables -L INPUT --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere dpts:1024:65535


[root@serveur ~]# iptables -L OUTPUT --line-numbers
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere

[root@serveur ~]# iptables -L POSTROUTING -t nat --line-numbers
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 192.168.0.0/24 anywhere

[root@serveur ~]# iptables -L PREROUTING -t nat --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
[root@serveur ~]#
I would like to DROP the INPUT chain (actually it is dropped), but which commands should I put inside in order to let HTTP, DNS, HTTPS and SSH pass through?

Thanks again beaker for the reply & HELP

red
#4
30th October 2011, 05:41 PM
beaker_
Re: iptables rules!

This is how I prefer to lay it out and then I load them through system-config-firewall. But that's just my needs.

[ @ sysconfig]# ls iptables-* -l
-rw-------. 1 root root 65 Jul 3 13:16 iptables-1_policies
-rw-------. 1 root root 2699 Jul 6 11:07 iptables-2_antispoofing
-rw-------. 1 root root 9952 Oct 5 11:27 iptables-3_filter
-rw-------. 1 root root 4014 Jul 16 13:34 iptables-4_nat
-rw-------. 1 root root 1740 May 21 11:54 iptables-config

Well it depends on what "let through" means. If you only want to forward then for all intents and purposes, it's all in the nat table. Yes, you still lock down In and Out. So for ex.,

nat
Code:
#-A PREROUTING -i eth2 -s ! 192.168.32.12/24 -p tcp --dport 58030 -j DNAT --to 10.212.76.5:80 -m comment --comment "UNASSIGNED"

-A POSTROUTING -s 192.168.32.12/24 -o eth1 -j MASQUERADE

But squid, dnsmasq... would seem logical. You'll have to forgive me because I don't know how comfortable you are with iptables, so I just copied and edited some rules as examples. Just some ideas. Yeah, you'd edit the sport, dports, and subnets as needed. For ex., dropping 0.0.0.0 will break dhcpd. Assuming you ran it from here, i.e.,

filter
Example of logging
Code:
###
# * eth0 *
# * Public NIC
###
-A INPUT -i eth0 -s 0.0.0.0/8 -j LOG --log-prefix "eth0 Spoofed source IP"
-A INPUT -i eth0 -s 0.0.0.0/8 -j DROP

filter
examples from a home pc
Code:
# *** Unlimited on the loopback interface
#
# * lo *
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Previously initiated and accepted exchanges bypass rule checking
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# ICMP requests
-A INPUT -p ICMP --icmp-type echo-request -j ACCEPT
-A INPUT -p ICMP --icmp-type echo-reply -j ACCEPT
-A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
-A OUTPUT -p ICMP --icmp-type echo-reply -j ACCEPT

#
# Dropping Known Attacks
#
#... Make sure NEW incoming tcp connections are SYN packets
#... Packets with incoming fragments
#... Incoming malformed XMAS packets
#... Incoming malformed NULL packets
#

# killing squid.  need to identify alternate methods.
# -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# -A INPUT -f -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# ==================================================================================
# ****
# ****                       WAN POLICY (eth0)
# ****
# **** - Squid relaying remotes for everyone @ here
# **** - OpenVPN Access Server.  LAN not permitted to connect
# **** - OpenVPN. Remote Connections.  LAN not permitted to connect
# ***
# ===================================================================================

# HTTP
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

# OpenVPN
-A INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 1196 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 58000 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 58001 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 58002 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 58003 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 58004 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 58005 -j ACCEPT

# OpenVPN AS
-A INPUT -i eth0 ! -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 ! -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 943 -j ACCEPT
-A INPUT -i eth0 ! -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 946 -j ACCEPT
-A INPUT -i eth0 ! -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 947 -j ACCEPT

-A INPUT -i eth0 ! -s 192.168.167.201/24 -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT

# Drop the rest
# =======================================
-A INPUT -i eth0 -j REJECT
-A OUTPUT -o eth0 -j REJECT

# =======================================================================================
# ****
# ****                          LAN POLICY (eth1)
# ****
# **** - Samba as remote file server.  Accessible only to Remote and LAN
# **** - SSH from LAN
# **** - GDM & XRDP available for remote desktop
# ****
# ****
# ****
# =========================================================================================

# Samba
# Accessible only to vpn and bound to eth1.
-A INPUT -i eth1 -s 192.168.167.201,10.221.30.0/24,10.208.16.0/24 -m tcp -p tcp --dport 135 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201,10.221.30.0/24,10.208.16.0/24 -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201,10.221.30.0/24,10.208.16.0/24 -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201,10.221.30.0/24,10.208.16.0/24 -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201,10.221.30.0/24,10.208.16.0/24 -m udp -p udp --dport 138 -j ACCEPT

# SSH
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# GDM
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m udp -p udp --dport 177 -j ACCEPT

# XRDP
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 3389 -j ACCEPT

# VSFTP
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

# NTOP Web Access
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 3001 -j ACCEPT

# Vpn Management Ports
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 58101 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 58102 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 58103 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 58104 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 58105 -j ACCEPT

# BackupPC
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT

# WebCal
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 8008 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT

# Drop the rest
# =======================================
-A INPUT -i eth1 -j REJECT
-A OUTPUT -o eth1 -j REJECT
#5
30th October 2011, 08:12 PM
hermouche
Re: iptables rules!

Quote:
Originally Posted by beaker_ View Post
This is how I prefer to lay it out and then I load them through system-config-firewall. But that's just my needs.
[...]
OOPS, I'm sorry, but you are going very fast.

I'm not an expert, sorry.

We don't have any web server or any application to protect.

Basically, we have a LAN (about 100 students) and a gateway (PC) with two NICs:
eth0 ---> connected to a modem/router ----> then to the WEB
eth1 ---> is our LAN

We want to be able to go to the web both from the LAN and from the gateway (WAN).

We have squid in place and it is actually working.
#6
30th October 2011, 11:55 PM
beaker_
Re: iptables rules!

It's all trial and error so you'll have to slug at it but here's a starting point. Attached is a pic loading it through system-config-firewall (custom rules, filter table). I put in some notes and structure. But, like I said, it's trial and error.

Assuming:
- no NAT between network on eth0 and network on eth1. Done at modem/router.
- modem/router knows the route back to eth1
- dns and squid runs on modem/router
- squid handling ssl and non-ssl (447 & 80)
- I tossed out some networks/24. I hope it's clear
[Attached thumbnail: Untitled.jpe (137.6 KB). Attached file: iptables-3_filter.txt (3.4 KB).]
#7
31st October 2011, 10:07 AM
hermouche
Re: iptables rules!

Quote:
Originally Posted by beaker_ View Post
It's all trial and error so you'll have to slug at it but here's a starting point. Attached is a pic loading it through system-config-firewall (custom rules, filter table). I put in some notes and structure. But, like I said, it's trial and error.

Assuming:
- no NAT between network on eth0 and network on eth1. Done at modem/router.
- modem/router knows the route back to eth1
- dns and squid runs on modem/router
- squid handling ssl and non-ssl (447 & 80)
- I tossed out some networks/24. I hope it's clear
Thank you very much beaker for your perseverance.

If you don't mind, PLEASE look at the following and just tell me what I should write inside the INPUT chain, without touching the following OUTPUT, FORWARD, PREROUTING and POSTROUTING chains.

The objective is to reach the outside world ("web") both from the LAN (eth1) and from the gateway (eth0).

Quote:
[root@serveur ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination

JUST HERE PLEASE

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.0.0/24 anywhere

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
[root@serveur ~]#

Thanks a lot

red
#8
3rd November 2011, 05:26 AM
hermouche
Re: iptables rules!

Do we have to allow local connections with the following:

Quote:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Because if I erase them, I don't reach the web either from the LAN or from the firewall!!
Is it normal? Moreover, the following is the result when we allow local connections (just an extract):


Quote:
[root@serveur sysconfig]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
So while allowing the local connection, the result, as we can see, NEGATES the DROP policy for both OUTPUT and INPUT, which means, as far as I know, that I am telling it to accept everything from anywhere (it's as if I said the policy is ACCEPT for both OUTPUT and INPUT!!!).

So what's the point of DROPping "INPUT and OUTPUT", since just after it says accept from anywhere to anywhere!!!!

So I'm really confused here ....

red
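As an added illustration (not code from this thread or from either poster), the following Python model of first-match chain evaluation speaks to post #7 (what to put in INPUT for the eth0/eth1 gateway with squid on 3128) and post #8 (why `-i lo ACCEPT` shows up as "ACCEPT all -- anywhere anywhere" yet does not negate the DROP policy). The candidate INPUT rules, the interface names and all packet addresses are assumptions constructed for the example; the one real point it encodes is that the PREROUTING REDIRECT makes port-80 traffic locally destined, so INPUT has to accept dport 3128.

```python
import ipaddress

# Candidate INPUT chain (an assumption, not the thread's rules) for the gateway:
# eth0 = WAN, eth1 = LAN 192.168.0.0/24, squid on 3128. The PREROUTING REDIRECT
# makes redirected port-80 traffic locally destined, so INPUT must accept 3128.
INPUT_POLICY = "DROP"
INPUT_RULES = [  # a criterion absent from a rule means "match anything", as in iptables
    {"iface": "lo", "target": "ACCEPT"},
    {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"iface": "eth1", "proto": "tcp", "src": "192.168.0.0/24", "dport": 3128, "target": "ACCEPT"},
    {"iface": "eth1", "proto": "udp", "src": "192.168.0.0/24", "dport": 53, "target": "ACCEPT"},
    {"iface": "eth1", "proto": "tcp", "src": "192.168.0.0/24", "dport": 22, "target": "ACCEPT"},
    {"iface": "eth1", "proto": "icmp", "src": "192.168.0.0/24", "target": "ACCEPT"},
]
# The tail of the first post's INPUT chain, "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0":
# a rule with no criteria matches every packet, so the DROP policy never applies.
ACCEPT_ALL = [{"target": "ACCEPT"}]

def rule_matches(rule, pkt):
    """Every criterion present in the rule must hold for the packet."""
    for key, want in rule.items():
        if key == "target":
            continue
        have = pkt.get(key)
        if key == "src":
            if have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif key == "state":
            if have not in want:
                return False
        elif have != want:
            return False
    return True

def verdict(rules, policy, pkt):
    """First matching rule decides; the chain policy applies only if none match."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy

def render(rules, policy, verbose=False):
    """Mimic `iptables -L INPUT` vs `iptables -L INPUT -v`: without -v the in/out
    interface columns are not printed, so `-A INPUT -i lo -j ACCEPT` shows as
    'ACCEPT all -- anywhere anywhere' although it only matches loopback."""
    lines = ["Chain INPUT (policy %s)" % policy]
    for r in rules:
        cols = [r["target"], r.get("proto", "all"), "--"]
        if verbose:
            cols += [r.get("iface", "any"), "any"]
        cols += [r.get("src", "anywhere"), "anywhere"]
        if "state" in r:
            cols.append("state " + ",".join(sorted(r["state"])))
        if "dport" in r:
            cols.append("%s dpt:%d" % (r["proto"], r["dport"]))
        lines.append(" ".join(cols))
    return "\n".join(lines)

# Constructed sample packets, not captured traffic.
SAMPLES = {
    "lan_web_via_squid":  {"iface": "eth1", "proto": "tcp", "src": "192.168.0.42", "dport": 3128, "state": "NEW"},
    "lan_ssh":            {"iface": "eth1", "proto": "tcp", "src": "192.168.0.42", "dport": 22, "state": "NEW"},
    "wan_ssh":            {"iface": "eth0", "proto": "tcp", "src": "203.0.113.7", "dport": 22, "state": "NEW"},
    "wan_spoofed_lan":    {"iface": "eth0", "proto": "tcp", "src": "192.168.0.42", "dport": 3128, "state": "NEW"},
    "dns_reply_from_wan": {"iface": "eth0", "proto": "udp", "src": "198.51.100.1", "dport": 40123, "state": "ESTABLISHED"},
    "loopback_dns":       {"iface": "lo", "proto": "udp", "src": "127.0.0.1", "dport": 53, "state": "NEW"},
}

def evaluate(rules=INPUT_RULES, policy=INPUT_POLICY):
    """Verdict for every sample packet under the given chain."""
    return {name: verdict(rules, policy, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, v in evaluate().items():
        print("%-20s %s" % (name, v))
    print(render(INPUT_RULES, INPUT_POLICY, verbose=True))
```

Running it shows the spoofed packet on eth0 dropped while the same addresses on eth1 are accepted, which is why the interface column hidden by plain `iptables -L` matters.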