Hi
---------- IPTABLES ----------Im looking to create a new firewall.
I would like to block all incoming connections but still alow, FTP (21), HTTP, to be accessed from the outside world.
My windows box (behind the linux box) needs an internet connection and sofar I have this forwarding script:
My windows box also needs some connections on certian ports forwarded to It e.g. 207011 (random port), and needs to beable to view mail and surf the web.Code:echo 1 > /proc/sys/net/ipv4/ip_forward iptables --flush iptables --table nat --flush iptables --delete-chain iptables --flush --delete-chain iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQERADE iptables --append FORWARD --in-interface eth0 -j ACCEPT
Also logging would be nice
---------- Administration ----------I need some sort of SECURE way of remotely administrating my linux box over the network. a Terminal like interface and a Grapical file browser/editor (that looks/feels like gnome or KDE) but preferably not using X11 (unless you can super secure it with the firewall)
Any scraps of help would be greatly appreciated (im such a linux n00b)
Hey,
Your firewal looks pretty complex for a newbie. (compliment)
It's been a while since Ive done any firewall stuff but you can get some basic info here
http://www.linuxnewbie.org/nhf/intel...es_basics.html
Or what you could even do is use gShield to set up everything for you. The config. is just one big questionaire. Check out this link.
http://www.linuxnewbie.org/nhf/intel...znetshare.html
----Administration----
have you looked into VNC w/ SSH port forwarding?
Firewall - gShield. http://muse.linuxmafia.org
Administration - SSH and X forwarding http://www.afn.org/~afn57538/xforward.htm
Hi
Using some other persons script isnt what I want, im a n00b, not a leetch.
And I know its complex, my dad's realy, whats the word, over protective.
And remember, all of your help will be put into a NHF so you dont get the same question over and over again
thanks for your help
I had no idea about iptables, firewall and masquerading either but I've read numbers of FAQs, HOW-TOs and articles in the last two days...and now I have a pretty good understanding of this stuff (at least I think so)
Those 3 links helped me the most to understand the concept:
http://www.tldp.org/HOWTO/IP-Masquer...WTO/index.html
http://www.tldp.org/HOWTO/Firewall-HOWTO.html
http://www.linuxjournal.com/article.php?sid=4815
If this isn't enough you can also try:
http://netfilter.samba.org/documenta...ing-HOWTO.html
http://netfilter.samba.org/documenta...NAT-HOWTO.html
Read everything from top to bottom ... get some firewall scripts and try to understand what they do and why they are doing it.
[quote author=xin link=board=5;threadid=3828;start=0#38675 date=1024552609]
Using some other persons script isnt what I want, im a n00b, not a leetch.
[/quote]
What the heck's the difference. The idea is securing your box, not coming up with some cool new iptables script, which are pretty boring creatures at best.
I would you suggest you read this book: http://www.bookpool.com/.x/tjmc3cpea6/sm/0735710996 or at least the documentation from netfilter
Also, you script dosent seem that overly complicated nor over-protective. In fact, right now, its not protecting anything. What you have there are simply some rules to flush existing chains and initialize NAT. Half of the script flushes and deletes customized rule targets that, as far as I can tell, don't exist yet. I don't even see any filtering rules to flush. Is that all there is to your firewall? Right now its not a firewall at all, but rather a router NATTING its connection.
Add this to your script:
This script can be brought down some, and made leaner, but the above rules should give you a clear idea, I hope, on how to write rules for your box. A cleaner example of some of the rules above would be:Code:# variables internal_interface="eth1" external_interface="eth0" # drop all incoming packets by default iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP # accept everthing on the loopback interface (necessary to run X and # other local services) iptables -lo -j ACCEPT # accept connections to web and ftp servers running on this box iptables -A INPUT -i $external_interface -p tcp --destination-port 80 -j ACCEPT iptables -A INPUT -i $external_interface -p tcp --destination-port 20 -j ACCEPT iptables -A INPUT -i $external_interface -p tcp --destination-port 21 -j ACCEPT # accept all incoming responces to local client requests. This rule # does not allow incoming packets that have the SYN flag set in the header-- # e.g., those packets wishing to establish a session with a local service. # SYN packets are dropped by the default DROP policy (except of course # http and ftp, as compensated for above). iptables -A INPUT -i $external_interface -p tcp ! --syn -j ACCEPT # allow all outgoing client requests origination from this box iptables -A OUTPUT -o $external_interface -p tcp --source-port 1024:65535 -j ACCEPT # local dns client ruleset. Allow traffic to and from udp port 53. iptables -A OUTPUT -o $external_interface -p udp --destination-port 53 -j ACCEPT iptables -A INPUT -i $external_interface -p udp --source-port 53 -j ACCEPT # forwarding rules -- similar to rule sets above. Allows outgoing client # requests from the LAN, but drops all packet from the WAN with the # SYN flag set in the header. iptables -A FORWARD -i $external_interface -o $internal_interface -p tcp ! --syn -j ACCEPT iptables -A FORWARD -i $internal_interface -o $external_interface -p tcp --destination-port 1024:65535 -j ACCEPT # LAN client dns ruleset iptables -A FORWARD -i $external_interface -o $internal_interface -p udp --source-port 53 -j ACCEPT iptables -A FORWARD -i $internal_interface -o $external_interface -p udp --destination-port 53 -j ACCEPT
This would combined the three local server rules in the above script and allow you to more easily add services to this script at a later date. You can also write custom rule targets (which make larger scripts easier to manage), as well as write stateful netfilter rules, if you see fit to doing so. However, their syntax is slightly different from the above, since custom targets need to be flushed and established, and packet states need to be matched.Code:# all local tcp servers in one rule iptables -A INPUT -i $external_interface -p tcp -m multiport --destination-port 20,21,80 -j ACCEPT
I'n not sure what effect NAT will have on how you write your forwarding rules. You may want to look into that further. The above will work on a box that is not NATTING its connection.
Can anyone add to the above script, or edit it where it might have gone astray or been obscure?
Hope this helps
Hi
Thanks for your help, that detail will get me moving on towards port forwarding, I know my current script does c*** all, thats why Im making a new one Duh(not to be rude or anything).
Does anyone know if it is possible to load text from a file in baSh? so If i say had a list of banned IP's in a file banned_ip.txt, it would read them all in, and write the script for the IP's?
Thanks
p.s. (off topic), What things are crucial for linux to run (the things that start up using that OK thingy) and how do I stop the things from running if I dont need/use them?
Thanks again
Right from the firewall how-to at http://www.tldp.org/HOWTO/Firewall-HOWTO.html
A firewall isn't any good if the system it is build on is left wide open to attacks. A "bad guy" could gain access to the through a non firewall service and modify it for their own needs. You need to turning off any unneeded services.
Look in your /etc/inetd.conf file. This file configures inetd also known as the "super server". It controls a bunch of the server daemons and starts them as they are requested by a packet arriving at a "well known" port.
You should turn off echo, discard, daytime, chargen, ftp, gopher, shell, login, exec, talk, ntalk, pop-2, pop-3, netstat, systat, tftp, bootp, finger, cfinger, time, swat and linuxconfig if you have one.
To turn a service off, put # as the first character of the service line. When your done, send a SIG-HUP to the process by typing "kill -HUP <pid>", where <pid> is the process number of inetd. This will make inetd re-read its configuration file (inetd.conf) and restart without taking your system down.
Test this by telneting to port 15 (netstat) on firewall. If you get any output you have not turned these services off.
Hi
So, ive got this:
The rest of the stuff tolsoy posted (thanks) I dont really get why it is necessary and how it works.Code:#SET VARIBLES int_inf="eth0" ext_inf="eth1" #FLUSH/DELETE CURRENT CHAINS iptables --flush iptables --table nat --flush iptables --delete-chain iptables --flush --delete-chain #BLOCK EVERYTHING iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP # accept connections to web and ftp servers running on this box iptables -A INPUT -i $ext_inf -p tcp --destination-port 80 -j ACCEPT iptables -A INPUT -i $ext_inf -p tcp --destination-port 20 -j ACCEPT iptables -A INPUT -i $ext_inf -p tcp --destination-port 21 -j ACCEPT # allow all outgoing client requests origination from this box iptables -A OUTPUT -o $ext_inf -p tcp --source-port 1024:65535 -j ACCEPT # # This line has an error, dunno why, It just works without it, and not with it # iptables -lo -j ACCEPT # #TURN ON FORWARDING echo 1 > /proc/sys/net/ipv4/ip_forward #FORWARD iptables --table nat --append POSTROUTING -o $ext_inf -j MASQERADE iptables --append FORWARD --in-interface $int_inf -j ACCEPT
Thanks for your help.
What don't you understand? Let me know and I'll see if I can help explain it better.
The loopback line that dosen't work should be
Sorry. Is the script working correctly at this point? Upon looking back at it, I think you should edit the client request line to make the source ports 1:65535 to allow for responses from yuor local servers. I may have goofed on that line.Code:iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT
Also, where is udp support?
Posting Permissions
Reply With Quote
Bookmarks