IPTABLES help & Remote Administration

  1. #1
    Junior Member, joined May 2002, 89 posts

    IPTABLES help & Remote Administration

    Hi
    ---------- IPTABLES ----------
    I'm looking to create a new firewall.
    I would like to block all incoming connections but still allow FTP (21) and HTTP to be accessed from the outside world.
    My Windows box (behind the Linux box) needs an internet connection and so far I have this forwarding script:

    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
    iptables --append FORWARD --in-interface eth0 -j ACCEPT
    My Windows box also needs some connections on certain ports forwarded to it, e.g. 207011 (random port), and needs to be able to view mail and surf the web.
    Also logging would be nice.
    ---------- Administration ----------
    I need some sort of SECURE way of remotely administering my Linux box over the network: a terminal-like interface and a graphical file browser/editor (that looks/feels like GNOME or KDE) but preferably not using X11 (unless you can super secure it with the firewall).

    Any scraps of help would be greatly appreciated (I'm such a Linux n00b).

  2. #2
    Senior Member, joined Apr 2002, 417 posts

    Re:IPTABLES help & Remote Administration

    Hey,

    Your firewall looks pretty complex for a newbie. (compliment)
    It's been a while since I've done any firewall stuff but you can get some basic info here

    http://www.linuxnewbie.org/nhf/intel...es_basics.html


    Or what you could even do is use gShield to set up everything for you. The config. is just one big questionnaire. Check out this link.
    http://www.linuxnewbie.org/nhf/intel...znetshare.html

    ----Administration----
    have you looked into VNC w/ SSH port forwarding?

  3. #3
    Senior Member, joined May 2001, 472 posts

    Re:IPTABLES help & Remote Administration

    Firewall - gShield. http://muse.linuxmafia.org

    Administration - SSH and X forwarding http://www.afn.org/~afn57538/xforward.htm

  4. #4
    Junior Member, joined May 2002, 89 posts

    Re:IPTABLES help & Remote Administration

    Hi
    Using some other person's script isn't what I want, I'm a n00b, not a leech.
    And I know it's complex, my dad's really, what's the word, over protective.
    And remember, all of your help will be put into a NHF so you don't get the same question over and over again.

    thanks for your help

  5. #5

    Re:IPTABLES help & Remote Administration

    I had no idea about iptables, firewalls and masquerading either, but I've read a number of FAQs, HOW-TOs and articles in the last two days... and now I have a pretty good understanding of this stuff (at least I think so).

    Those 3 links helped me the most to understand the concept:

    http://www.tldp.org/HOWTO/IP-Masquer...WTO/index.html

    http://www.tldp.org/HOWTO/Firewall-HOWTO.html

    http://www.linuxjournal.com/article.php?sid=4815

    If this isn't enough you can also try:

    http://netfilter.samba.org/documenta...ing-HOWTO.html

    http://netfilter.samba.org/documenta...NAT-HOWTO.html

    Read everything from top to bottom ... get some firewall scripts and try to understand what they do and why they are doing it.

  6. #6

    Re:IPTABLES help & Remote Administration

    [quote author=xin]
    Using some other person's script isn't what I want, I'm a n00b, not a leech.
    [/quote]

    What the heck's the difference? The idea is securing your box, not coming up with some cool new iptables script, which are pretty boring creatures at best.

    I would suggest you read this book: http://www.bookpool.com/.x/tjmc3cpea6/sm/0735710996 or at least the documentation from netfilter.

    Also, your script doesn't seem that overly complicated nor over-protective. In fact, right now, it's not protecting anything. What you have there are simply some rules to flush existing chains and initialize NAT. Half of the script flushes and deletes customized rule targets that, as far as I can tell, don't exist yet. I don't even see any filtering rules to flush. Is that all there is to your firewall? Right now it's not a firewall at all, but rather a router NATting its connection.

    Add this to your script:

    Code:
    # variables
    internal_interface="eth1"
    external_interface="eth0"
    
    # drop all incoming packets by default
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    
    # accept everything on the loopback interface (necessary to run X and
    # other local services)
    iptables -lo -j ACCEPT
    
    # accept connections to web and ftp servers running on this box
    iptables -A INPUT -i $external_interface -p tcp --destination-port 80 -j ACCEPT
    iptables -A INPUT -i $external_interface -p tcp --destination-port 20 -j ACCEPT
    iptables -A INPUT -i $external_interface -p tcp --destination-port 21 -j ACCEPT
    
    # accept all incoming responses to local client requests. This rule
    # does not allow incoming packets that have the SYN flag set in the header--
    # e.g., those packets wishing to establish a session with a local service.
    # SYN packets are dropped by the default DROP policy (except of course 
    # http and ftp, as compensated for above).
    iptables -A INPUT -i $external_interface -p tcp ! --syn -j ACCEPT
    
    # allow all outgoing client requests originating from this box
    iptables -A OUTPUT -o $external_interface -p tcp --source-port 1024:65535 -j ACCEPT 
    
    # local dns client ruleset. Allow traffic to and from udp port 53.
    iptables -A OUTPUT -o $external_interface -p udp --destination-port 53 -j ACCEPT
    iptables -A INPUT -i $external_interface -p udp --source-port 53 -j ACCEPT
    
    # forwarding rules -- similar to rule sets above. Allows outgoing client
    # requests from the LAN, but drops all packet from the WAN with the
    # SYN flag set in the header.
    iptables -A FORWARD -i $external_interface -o $internal_interface -p tcp ! --syn -j ACCEPT
    iptables -A FORWARD -i $internal_interface -o $external_interface -p tcp --destination-port 1024:65535 -j ACCEPT
    
    # LAN client dns ruleset
    iptables -A FORWARD -i $external_interface -o $internal_interface -p udp --source-port 53 -j ACCEPT
    iptables -A FORWARD -i $internal_interface -o $external_interface -p udp --destination-port 53 -j ACCEPT
    This script can be brought down some, and made leaner, but the above rules should give you a clear idea, I hope, on how to write rules for your box. A cleaner example of some of the rules above would be:

    Code:
    # all local tcp servers in one rule
    iptables -A INPUT -i $external_interface -p tcp -m multiport --destination-port 20,21,80 -j ACCEPT
    This would combine the three local server rules in the above script and allow you to more easily add services to this script at a later date. You can also write custom rule targets (which make larger scripts easier to manage), as well as write stateful netfilter rules, if you see fit to do so. However, their syntax is slightly different from the above, since custom targets need to be flushed and established, and packet states need to be matched.

    I'm not sure what effect NAT will have on how you write your forwarding rules. You may want to look into that further. The above will work on a box that is not NATting its connection.

    Can anyone add to the above script, or edit it where it might have gone astray or been obscure?

    Hope this helps

  7. #7
    Junior Member, joined May 2002, 89 posts

    Re:IPTABLES help & Remote Administration

    Hi
    Thanks for your help, that detail will get me moving on towards port forwarding. I know my current script does c*** all, that's why I'm making a new one. Duh (not to be rude or anything).
    Does anyone know if it is possible to load text from a file in bash? So if I, say, had a list of banned IPs in a file banned_ip.txt, it would read them all in and write the script for the IPs?

    Thanks

    p.s. (off topic) What things are crucial for Linux to run (the things that start up using that OK thingy) and how do I stop the things from running if I don't need/use them?
    Thanks again
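
An added example answering the bash question above (it is not code from the thread): the script reads banned_ip.txt line by line and turns each entry into a DROP rule, validating every line first so that a stray or planted line can never end up as an iptables argument. The file name banned_ip.txt comes from the post; the IPT dry-run wrapper and the function names are assumptions of this example.

```bash
#!/bin/bash
# Added example (not code from the thread): read banned_ip.txt and emit one
# iptables DROP rule per entry, which is the "load text from a file in bash"
# question from post #7. IPT defaults to "echo iptables" so the rules can be
# inspected before they touch a live firewall; run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Accept a dotted-quad address with an optional /prefix and nothing else, so a
# malformed or planted line in the file never becomes an iptables argument.
valid_ipv4() {
    local entry="$1" addr prefix octet
    local -a octets
    local re='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
    [[ $entry =~ $re ]] || return 1
    addr="${entry%%/*}"
    if [[ $entry == */* ]]; then
        prefix="${entry#*/}"
        (( 10#$prefix <= 32 )) || return 1
    fi
    IFS=. read -r -a octets <<< "$addr"
    for octet in "${octets[@]}"; do
        (( 10#$octet <= 255 )) || return 1   # 10# stops "08" being read as octal
    done
}

# Read the file one line at a time, drop blanks and "#" comments, validate,
# and add a DROP rule to INPUT (this box) and FORWARD (the LAN behind it).
ban_from_file() {
    local file="$1" line count=0
    while IFS= read -r line || [[ -n $line ]]; do
        line="${line%%#*}"             # strip trailing comments
        line="${line//[[:space:]]/}"   # and any whitespace
        [[ -z $line ]] && continue
        if ! valid_ipv4 "$line"; then
            echo "banned_ip: skipping invalid entry '$line'" >&2
            continue
        fi
        $IPT -A INPUT -s "$line" -j DROP
        $IPT -A FORWARD -s "$line" -j DROP
        count=$((count + 1))
    done < "$file"
    echo "banned_ip: added DROP rules for $count entries" >&2
}

# Usage: ban_from_file /etc/banned_ip.txt   (place the call after the flush and
# policy lines and before the ACCEPT rules, so banned hosts are dropped first)
```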

  8. #8

    Re:IPTABLES help & Remote Administration

    Right from the firewall how-to at http://www.tldp.org/HOWTO/Firewall-HOWTO.html


    A firewall isn't any good if the system it is built on is left wide open to attacks. A "bad guy" could gain access to the firewall through a non-firewall service and modify it for their own needs. You need to turn off any unneeded services.

    Look in your /etc/inetd.conf file. This file configures inetd, also known as the "super server". It controls a bunch of the server daemons and starts them as they are requested by a packet arriving at a "well known" port.

    You should turn off echo, discard, daytime, chargen, ftp, gopher, shell, login, exec, talk, ntalk, pop-2, pop-3, netstat, systat, tftp, bootp, finger, cfinger, time, swat and linuxconfig if you have one.

    To turn a service off, put # as the first character of the service line. When you're done, send a SIG-HUP to the process by typing "kill -HUP <pid>", where <pid> is the process number of inetd. This will make inetd re-read its configuration file (inetd.conf) and restart without taking your system down.

    Test this by telnetting to port 15 (netstat) on the firewall. If you get any output you have not turned these services off.

  9. #9
    Junior Member, joined May 2002, 89 posts

    Re:IPTABLES help & Remote Administration

    Hi
    So, I've got this:
    Code:
    #SET VARIABLES
    int_inf="eth0"
    ext_inf="eth1"
    
    
    #FLUSH/DELETE CURRENT CHAINS
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    
    
    #BLOCK EVERYTHING
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    
    
    # accept connections to web and ftp servers running on this box
    iptables -A INPUT -i $ext_inf -p tcp --destination-port 80 -j ACCEPT
    iptables -A INPUT -i $ext_inf -p tcp --destination-port 20 -j ACCEPT
    iptables -A INPUT -i $ext_inf -p tcp --destination-port 21 -j ACCEPT
    
    
    # allow all outgoing client requests originating from this box
    iptables -A OUTPUT -o $ext_inf -p tcp --source-port 1024:65535 -j ACCEPT
    
    
    #
    #  This line has an error, dunno why, It just works without it, and not with it
    #     iptables -lo -j ACCEPT 
    #
    
    
    #TURN ON FORWARDING
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    
    #FORWARD
    iptables --table nat --append POSTROUTING -o $ext_inf -j MASQUERADE
    iptables --append FORWARD --in-interface $int_inf -j ACCEPT
    The rest of the stuff tolsoy posted (thanks), I don't really get why it is necessary or how it works.

    Thanks for your help.

  10. #10

    Re:IPTABLES help & Remote Administration

    What don't you understand? Let me know and I'll see if I can help explain it better.

    The loopback line that doesn't work should be

    Code:
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    Sorry. Is the script working correctly at this point? Upon looking back at it, I think you should edit the client request line to make the source ports 1:65535 to allow for responses from your local servers. I may have goofed on that line.

    Also, where is udp support?
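
The stateful rewrite that post #6 mentions in passing, as an added example rather than a script from the thread: connection tracking replaces the "! --syn" and source-port rules (which also settles the UDP and 1:65535 questions above), and the two items from the first post that were still open, a forwarded port for the Windows box and logging, are included. Interface names follow xin's post #9; the LAN address 192.168.1.10, the port 27011 and the SSH allowance are assumed placeholders.

```bash
#!/bin/bash
# Added example, not a script from the thread: tolsoy's policy rewritten with
# connection tracking, plus UDP replies, a forwarded port for the Windows box
# and logging. Interfaces follow xin's post #9; the LAN address 192.168.1.10,
# the port 27011 and the SSH allowance are assumed placeholders.
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the rules, 0 = apply them as root
if (( DRY_RUN )); then IPT="echo iptables"; else IPT="iptables"; fi
ext_inf="eth1"
int_inf="eth0"
win_box="192.168.1.10"    # assumed LAN address of the Windows machine
fwd_port="27011"          # assumed port to hand through to it

build_firewall() {
    # Start clean, then drop by default in every chain.
    $IPT -F; $IPT -t nat -F; $IPT -X; $IPT -t nat -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP
    # Loopback, in the form that post #10 gives.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to anything this box or the LAN started. These replace the
    # "! --syn" and "--source-port 53" rules and cover UDP and ICMP errors too.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services this box offers plus SSH for remote administration. Load the
    # FTP helper (ip_conntrack_ftp, nf_conntrack_ftp on newer kernels) so the
    # FTP data connection is tracked as RELATED instead of needing port 20 open.
    $IPT -A INPUT -i "$ext_inf" -p tcp -m multiport --dports 21,22,80 -m state --state NEW -j ACCEPT
    # LAN clients may open new connections outward and are masqueraded.
    $IPT -A FORWARD -i "$int_inf" -o "$ext_inf" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$ext_inf" -j MASQUERADE
    # Port forward. nat/PREROUTING rewrites the destination before routing,
    # so the FORWARD rule must match the LAN address, not the public one.
    $IPT -t nat -A PREROUTING -i "$ext_inf" -p tcp --dport "$fwd_port" -j DNAT --to-destination "$win_box:$fwd_port"
    $IPT -A FORWARD -i "$ext_inf" -o "$int_inf" -p tcp -d "$win_box" --dport "$fwd_port" -m state --state NEW -j ACCEPT
    # Log what is about to hit the DROP policy, rate limited so a flood of
    # junk cannot fill the disk.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
    # Routing between the interfaces stays off until the rules are in place.
    (( DRY_RUN )) || echo 1 > /proc/sys/net/ipv4/ip_forward
}

build_firewall
```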
