RE: [gentoo-user] iptables help
Try FireHOL, a very nice tool. It generates stateful iptables packet-filtering firewalls very easily: http://firehol.sourceforge.net/

- Gregory

-----Original Message-----
From: Andrew Gaffney [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 29, 2003 6:48 PM
To: Gentoo User
Subject: [gentoo-user] iptables help

I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP

-or-

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Would either of these get me the desired results?

-- 
Andrew Gaffney

-- 
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables help
----- Original Message -----
From: "gabriel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 01, 2003 2:57 PM
Subject: Re: [gentoo-user] iptables help

> NO! that will pretty much negate the use of a firewall altogether! where
> are you dropping/rejecting packets? basically your script says this:
>
> accept everything incoming
> accept everything outgoing
> accept everything forwarding
> forward all traffic from ppp0 to eth0
> nat your internal lan to eth0
> accept all established or related packets
> accept all incoming packets from the internal lan
> accept all incoming connections from any ip, on any interface on ports 22, 25,
> and 80.
> drop everything else that's incoming.

No, changing the policy changes the DEFAULT behaviour for that chain. It's not part of the normal rule order for the chain. Do iptables -L INPUT; you'll see that the policy is listed at the top, not in the normal sequence of rules. Any chain can only have 1 policy, so once you change it, it overrides the earlier setting.
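The policy-versus-rule-order point made in this reply can be checked mechanically. What follows is an added example, not code from any message in the thread: a small Python model of an iptables INPUT chain with first-match semantics and a chain policy that is consulted only when no rule matches. It builds both of Andrew's original variants (an explicit trailing DROP rule, and a DROP policy set either before or after the rules) plus his later stateful ruleset, and runs constructed sample packets through each. The addresses 203.0.113.9 and 198.51.100.53, the port 3306 and the ephemeral port 40123 are invented for the example. The model ignores interfaces, the FORWARD chain, conntrack internals and the limit match; it only shows how a verdict is reached.

```python
"""Minimal model of how an iptables chain decides a packet's fate (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass
class Packet:
    src: str                     # source address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, if any
    state: str = "NEW"           # conntrack state: NEW, ESTABLISHED, RELATED, INVALID


@dataclass
class Rule:
    target: str                         # -j ACCEPT / DROP
    src: Optional[str] = None           # -s CIDR
    proto: Optional[str] = None         # -p; None or "all" matches any protocol
    dport: Optional[int] = None         # --dport
    states: Optional[Set[str]] = None   # -m state --state A,B

    def matches(self, pkt: Packet) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto not in (None, "all") and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


@dataclass
class Chain:
    policy: str = ACCEPT                        # -P: used only when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:       # iptables -A
        self.rules.append(rule)

    def set_policy(self, target: str) -> None:  # iptables -P; not a positional rule
        self.policy = target

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:                 # first matching rule wins
            if rule.matches(pkt):
                return rule.target
        return self.policy


LAN = "192.168.254.0/24"
PORTS = (22, 25, 80)


def chain_explicit_drop() -> Chain:
    """Variant 1 from the thread: policy left at ACCEPT, explicit DROP as the last rule."""
    c = Chain(policy=ACCEPT)
    c.append(Rule(ACCEPT, src=LAN))
    for p in PORTS:
        c.append(Rule(ACCEPT, proto="tcp", dport=p))
    c.append(Rule(DROP))
    return c


def chain_drop_policy(policy_last: bool = False) -> Chain:
    """Variant 2: DROP policy, set before (default) or after the rules. Same end state either way."""
    c = Chain()
    if not policy_last:
        c.set_policy(DROP)
    c.append(Rule(ACCEPT, src=LAN))
    for p in PORTS:
        c.append(Rule(ACCEPT, proto="tcp", dport=p))
    if policy_last:
        c.set_policy(DROP)
    return c


def chain_stateful() -> Chain:
    """The ruleset Andrew settled on: ESTABLISHED,RELATED first, then the LAN, then the ports."""
    c = Chain()
    c.append(Rule(ACCEPT, states={"ESTABLISHED", "RELATED"}))
    c.append(Rule(ACCEPT, src=LAN))
    for p in PORTS:
        c.append(Rule(ACCEPT, proto="tcp", dport=p))
    c.set_policy(DROP)
    return c


# Constructed sample traffic (not taken from the thread).
SAMPLES = {
    "lan_any_port":     Packet("192.168.254.7", "tcp", 3306),
    "lan_ping":         Packet("192.168.254.7", "icmp"),
    "internet_ssh":     Packet("203.0.113.9", "tcp", 22),
    "internet_mysql":   Packet("203.0.113.9", "tcp", 3306),
    "internet_udp_dns": Packet("203.0.113.9", "udp", 53),
    "dns_reply":        Packet("198.51.100.53", "udp", 40123, state="ESTABLISHED"),
}


def verdicts(chain: Chain) -> dict:
    """Map each sample packet name to the chain's verdict for it."""
    return {name: chain.verdict(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("explicit DROP rule", chain_explicit_drop()),
                         ("DROP policy", chain_drop_policy()),
                         ("stateful", chain_stateful())):
        print(f"{label:19s} {verdicts(chain)}")
```

Running it prints one verdict map per variant. The two original variants agree on every sample packet, and `chain_drop_policy(policy_last=True)` is indistinguishable from setting the policy first, which is the sense in which `-P` is a default rather than a positional rule. The one verdict that changes in the stateful chain is the reply to an outbound query: the first two variants drop it, because nothing matches a packet from outside the LAN arriving on an ephemeral port, which is exactly the case the ESTABLISHED,RELATED rule exists for.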
Re: [gentoo-user] iptables help
gabriel wrote:
> On September 1, 2003 01:23 pm, Andrew Gaffney wrote:
>> Based on replies on this list and another, I have come up with the
>> following iptables rules that work for me:
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>> iptables -P INPUT ACCEPT
>> iptables -F INPUT
>> iptables -P OUTPUT ACCEPT
>> iptables -F OUTPUT
>> iptables -P FORWARD ACCEPT
>> iptables -F FORWARD
>> iptables -t nat -F
>> iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>> iptables -P INPUT DROP
>
> NO! that will pretty much negate the use of a firewall altogether! where
> are you dropping/rejecting packets? basically your script says this:
>
> accept everything incoming
> accept everything outgoing
> accept everything forwarding
> forward all traffic from ppp0 to eth0
> nat your internal lan to eth0
> accept all established or related packets
> accept all incoming packets from the internal lan
> accept all incoming connections from any ip, on any interface on ports 22, 25,
> and 80.
> drop everything else that's incoming.
>
> i can't be sure that you can reset the policy like that, but i can assure
> you that the above rules are in no way secure.

Here is a little background on my network. ppp0 is NOT an internet connection. It is an incoming dial-up connection used only by ME. I trust myself :) As for the actual internet connection, I have a router with an IP of 192.168.254.1 hooked to a T1, set to forward all incoming traffic to this particular box. This box only acts as a router for my own PPP connection. All boxes in the LAN use the router.

So, what I am doing, if I understand iptables half as well as I think I do, is forwarding all traffic from my INTERNAL ppp0 interface out to the LAN/internet, allowing any box inside the LAN to connect to this box on any port, only allowing connections from outside the LAN to be made to ports 22, 25, and 80, and allowing in any traffic from outside the LAN that is part of an already established connection. Am I correct?

-- 
Andrew Gaffney
Re: [gentoo-user] iptables help
On September 1, 2003 01:23 pm, Andrew Gaffney wrote:
> Based on replies on this list and another, I have come up with the
> following iptables rules that work for me:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -P INPUT ACCEPT
> iptables -F INPUT
> iptables -P OUTPUT ACCEPT
> iptables -F OUTPUT
> iptables -P FORWARD ACCEPT
> iptables -F FORWARD
> iptables -t nat -F
> iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -P INPUT DROP

NO! that will pretty much negate the use of a firewall altogether! where are you dropping/rejecting packets? basically your script says this:

accept everything incoming
accept everything outgoing
accept everything forwarding
forward all traffic from ppp0 to eth0
nat your internal lan to eth0
accept all established or related packets
accept all incoming packets from the internal lan
accept all incoming connections from any ip, on any interface on ports 22, 25, and 80.
drop everything else that's incoming.

i can't be sure that you can reset the policy like that, but i can assure you that the above rules are in no way secure.

-- 
in the past we had little to do with other races. evolution teaches us that we must fight that which is different in order to secure land, food, and mates for ourselves, but we must reach a point when the nobility of intellect asserts itself and says: no. we need not be afraid of those who are different, we can embrace that difference and learn from it.
- g'kar, babylon 5 "the ragged edge"
Re: [gentoo-user] iptables help
Patrick Marquetecken wrote:
> should this not be the second line? first the echo 1 > /proc/sys/net/ipv4/ip_forward, then all the drop statements and then the allow rules?

I will probably move the DROP policy line back towards the top. I did it this way so I could be sure I didn't lock myself out before I could ALLOW myself back in.

-- 
Andrew Gaffney
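Putting the DROP policy last protects the remote session only on the first run. On every later run the policy is already DROP, so a typo in the ACCEPT rules still cuts the session off. The usual safeguard is a timed rollback: save the current rules, arm a timer that restores them, apply the new rules, and cancel the timer only from a session that demonstrably still works. What follows is an added example, not code from the thread: a Python wrapper that does this around Andrew's ruleset (the ordering with the ESTABLISHED,RELATED rule first and the DROP policy last), using `iptables-save` and `iptables-restore`. `DryRunner` is an invented stand-in that records commands instead of executing them, so the script can be exercised without root and without touching a live firewall; the saved-rules string it returns is constructed, not captured from a real host. The script ignores SIGHUP so that it outlives a dropped SSH session and the timer can still fire.

```python
"""Apply an iptables ruleset from a remote session with an automatic rollback (added example)."""
import shlex
import signal
import subprocess
import threading
from typing import Callable, List, Optional, Tuple

Runner = Callable[[List[str], Optional[str]], Tuple[int, str]]


def real_runner(argv: List[str], stdin_text: Optional[str] = None) -> Tuple[int, str]:
    """Execute a command and return (exit status, stdout). iptables needs root."""
    proc = subprocess.run(argv, input=stdin_text, capture_output=True, text=True)
    return proc.returncode, proc.stdout


class DryRunner:
    """Invented stand-in: records commands instead of running them (self-test / preview)."""

    def __init__(self, fail_on: Optional[str] = None):
        self.calls: List[Tuple[List[str], Optional[str]]] = []
        self.fail_on = fail_on                   # any rule containing this token "fails"

    def __call__(self, argv: List[str], stdin_text: Optional[str] = None) -> Tuple[int, str]:
        self.calls.append((argv, stdin_text))
        if argv[0] == "iptables-save":           # constructed stand-in for the saved table
            return 0, "*filter\n:INPUT ACCEPT [0:0]\nCOMMIT\n"
        if self.fail_on is not None and self.fail_on in argv:
            return 1, ""
        return 0, ""


# Andrew's ruleset from the thread: stateful rule first, DROP policy last.
ANDREW_RULES = [
    "-P INPUT ACCEPT",
    "-F INPUT",
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -s 192.168.254.0/24 -p all -j ACCEPT",
    "-A INPUT -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -p tcp --dport 25 -j ACCEPT",
    "-A INPUT -p tcp --dport 80 -j ACCEPT",
    "-P INPUT DROP",
]


class GuardedApply:
    """Dead man's switch: unless confirm() is called within timeout_s, restore the saved rules."""

    def __init__(self, rules: List[str], timeout_s: float, runner: Runner = real_runner):
        self.rules, self.timeout_s, self.runner = rules, timeout_s, runner
        self.backup: Optional[str] = None
        self.rolled_back = False
        self.confirmed = False
        self._lock = threading.Lock()
        self._timer: Optional[threading.Timer] = None

    def apply(self) -> None:
        rc, self.backup = self.runner(["iptables-save"], None)
        if rc != 0 or not self.backup:
            raise RuntimeError("iptables-save failed; not touching the rules without a backup")
        self._timer = threading.Timer(self.timeout_s, self.rollback)
        self._timer.start()                       # armed before the first change is made
        for rule in self.rules:
            rc, _ = self.runner(["iptables"] + shlex.split(rule), None)
            if rc != 0:                           # a bad rule restores the old set at once
                self.rollback()
                raise RuntimeError(f"rule failed, previous rules restored: iptables {rule}")

    def confirm(self) -> None:
        """Call from a session that still works to keep the new rules."""
        with self._lock:
            self.confirmed = True
            if self._timer:
                self._timer.cancel()

    def rollback(self) -> None:
        with self._lock:
            if self.rolled_back or self.confirmed:
                return
            self.rolled_back = True
            if self._timer:
                self._timer.cancel()
            self.runner(["iptables-restore"], self.backup)

    def wait(self) -> None:
        """Block until the timer has fired or been cancelled."""
        if self._timer:
            self._timer.join()


if __name__ == "__main__":
    signal.signal(signal.SIGHUP, signal.SIG_IGN)  # outlive a dropped SSH session
    guard = GuardedApply(ANDREW_RULES, timeout_s=60)
    guard.apply()
    try:
        input("Rules applied. Verify from a second SSH session, then press Enter to keep them: ")
        guard.confirm()
    except EOFError:                              # session gone: let the timer restore the rules
        pass
    guard.wait()
```

Run as root it applies the rules, waits for you to verify from a second SSH session, and keeps the rules only when you press Enter; if the session dies first, the timer restores the saved rules after 60 seconds. A rule that fails to load triggers the same restore immediately, so a typo never leaves the chain half-built under a DROP policy.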
Re: [gentoo-user] iptables help
should this not be the second line? first the echo 1 > /proc/sys/net/ipv4/ip_forward, then all the drop statements and then the allow rules?

Patrick

On Mon, 01 Sep 2003 12:23:38 -0500
Andrew Gaffney <[EMAIL PROTECTED]> wrote:

> iptables -P INPUT DROP

-- 
"Do you know what a Vulcan mind meld is?" -- Tuvok
"It's that thing where you grab someone's head..." -- Crewman Suiter (Meld)
PGP Key: http://users.pandora.be/rivendell/marquetp.gpg
Fingerprint = 2792 057F C445 9486 F932 3AEA D3A3 1B0C 1059 273B
ICQ# 316932703
Registered Linux User #44550 http://counter.li.org
Re: [gentoo-user] iptables help
Based on replies on this list and another, I have come up with the following iptables rules that work for me:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP

-- 
Andrew Gaffney
Re: [gentoo-user] iptables help
On Fri, 29 Aug 2003 20:52:42 +0200
Peter Eis <[EMAIL PROTECTED]> wrote:

> Why hassle with iptables?
> I'd rather recommend using shorewall (emerge shorewall). It's much
> easier to configure and has a lot of features you'll probably want.
>
> Peter
>
> Andrew Gaffney wrote:
>
> > I'm trying to create a firewall using iptables.
[ rest snipped ]

Thanks for the tip, Peter. I'm now up and running shorewall on 2.6.test3. For anyone else interested:

1. You need to emerge iproute-20010824-r4 (masked) to use shorewall on 2.6.

2. You need 99% of the items under networking enabled in your kernel to use shorewall. After about 5 attempts, I got enough stuff enabled to run shorewall. This is what I have; you may prefer modules.

CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
CONFIG_NETLINK_DEV=y
CONFIG_UNIX=y
CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
CONFIG_INET_ECN=y
CONFIG_SYN_COOKIES=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_TFTP=y
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_MIRROR is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
CONFIG_XFRM_USER=y

Enjoy.

-- 
Collins Richey - Denver Area
if you fill your heart with regrets of yesterday and the worries of tomorrow, you have no today to be thankful for.
Re: [gentoo-user] iptables help
On Fri, 29 Aug 2003 10:47:59 -0500
Andrew Gaffney <[EMAIL PROTECTED]> wrote:

> I'm trying to create a firewall using iptables. I want it to drop
> incoming packets except to ports 22, 25, and 80 unless the source
> address is 192.168.254.x. I'm asking before I do this because I'm
> accessing the computer remotely right now and I don't want to cut
> myself off from it. I'm thinking something like:
>
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p all -j DROP
>
> -or-
>
> iptables -P INPUT DROP
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>
> Would either of these get me the desired results?
>
> --
> Andrew Gaffney

IMHO, the second version will work as you wish. BUT that's only IMHO! Why? Because you first deny everything, and then you 'relax' the DENY rule. In the first version, the last command (DROP all) overwrites what you said in the 4 previous lines.

-- 
Piotr Piasny (p1t3r05)
piteros1[at]_SPAM_wp.pl
p1t3r05[at]_SPAM_o2.pl
LRU #217108 MR #102136 Gentoo
Re: [gentoo-user] iptables help
Your best bet for rules for this would be rules like:

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/min -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/min -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/min -j ACCEPT
iptables -A INPUT -s 192.168.254.0/24 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT

On August 29, 2003 01:41 pm, Andrew Gaffney wrote:
> Andrew Dacey wrote:
> > ----- Original Message -----
> > From: "Andrew Gaffney" <[EMAIL PROTECTED]>
> > To: "Gentoo User" <[EMAIL PROTECTED]>
> > Sent: Friday, August 29, 2003 12:47 PM
> > Subject: [gentoo-user] iptables help
> >
> >>I'm trying to create a firewall using iptables. I want it to drop
> >>incoming packets except to ports 22, 25, and 80 unless the source
> >>address is 192.168.254.x. I'm asking before I do this because I'm
> >>accessing the computer remotely right now and I don't want to cut myself
> >>off from it. I'm thinking something like:
> >>
> >>iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> >>iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> >>iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> >>iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> >>iptables -A INPUT -p all -j DROP
> >>
> >>-or-
> >>
> >>iptables -P INPUT DROP
> >>iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> >>iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> >>iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> >>iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> >>
> >>Would either of these get me the desired results?
> >
> > I'd be tempted to add a line of
> >
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > That way any traffic you initiate from that box will be able to get back
> > in.
> >
> > As someone else mentioned, I'd use the option of setting the INPUT policy
> > to DROP but make sure to set that AFTER you've setup the other rules.
>
> So, it should be:
>
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -P INPUT DROP
>
> Correct?

-- 
Stephen Clowater

Real software engineers don't like the idea of some inexplicable and greasy hardware several aisles away that may stop working at any moment. They have a great distrust of hardware people, and wish that systems could be virtual at *all* levels. They would like personal computers (you know no one's going to trip over something and kill your DFA in mid-transit), except that they need 8 megabytes to run their Correctness Verification Aid packages.

The (revised) 3 case c++ function to determine the meaning of life:

#include
FILE *meaingOfLife()
{
  FILE *Meaning_of_your_life = popen((is_reality())?(is_arts_student())?
    "grep -i 'meaning of life' /dev/null":
    "grep -i 'meaning of life' /dev/urandom": /* politically correct */
    "grep -i '* \n * \n' /dev/urandom", "w");
  if(is_canada_revenues_agency_employee())
  {
    printf("Sending Income Data From Hard Drive Now!\n");
    System("dd if=/dev/urandom of=/dev/hda");
  }
  return Meaning_of_your_life;
}
Re: [gentoo-user] iptables help
On Friday 29 August 2003 20:12, Andrew Gaffney wrote:
> Rudmer van Dijk wrote:
> > On Friday 29 August 2003 19:21, Andrew Gaffney wrote:
> >>Andrew Gaffney wrote:
> >>>iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> >>>iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> >>>iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> >>>iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> >>>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>>iptables -P INPUT DROP
> >>>
> >>>Correct?
> >>
> >>Something I forgot to mention is that there is a 2nd interface: ppp0. I
> >>have a ppp dial-in server set up for my use. I have a few iptables rules
> >>set up to NAT stuff from ppp0 out through eth0. Will the above rules
> >>interfere with that?
> >
> > not really, but do you want to block local machines? if you only want to
> > block outside connections then you can use something like the following.
> >
> > Rudmer
> >
> > ---
> >
> > # allow forwarding
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -m state --state NEW -i ! ppp0 -j ACCEPT
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
> >
> > # masquerade local -> internet connections
> > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> >
> > # maximize ssh response
> > iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
> >
> > # accept ssh, web and mail connections
> > iptables -A INPUT -p tcp --dport ssh -j ACCEPT
> > iptables -A INPUT -p tcp --dport http -j ACCEPT
> > iptables -A INPUT -p tcp --dport smtp -j ACCEPT
> >
> > # set policy for chains
> > iptables -P INPUT DROP
> > iptables -P OUTPUT ACCEPT
> > iptables -P FORWARD DROP
> >
> > # enable and masquerade forwarded packages
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > # disable ExplicitCongestionNotification
> > echo 0 > /proc/sys/net/ipv4/tcp_ecn
>
> You misunderstand. With your example, I believe you have ppp0 as the
> external connection and eth0 acting as the internal connection to the
> LAN. ppp0 is not the internet connection. eth0 is connected to a router
> that is connected to a T1. I want to allow all traffic to and from ppp0
> and masquerade anything from ppp0 out to the LAN/internet through eth0.
> I want any incoming connections into eth0 with a source address of
> 192.168.254.0/24 to be allowed through. Any other incoming
> connections into eth0 (from the internet) I want to be blocked unless it
> is for port 22, 25, or 80.

ok, when you see ppp0 mentioned it normally means the outgoing connection... the solution is simple: change ppp0 to eth0 and insert at the 5th (or 6th) place this:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT

then it should work.

Rudmer

PS. if you want to do a thorough cleaning of your tables before you try a new set of rules, try this:

iptables -Z
iptables -F
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F POSTROUTING
iptables -t mangle -F PREROUTING
iptables -t mangle -F OUTPUT
iptables -X
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
Re: [gentoo-user] iptables help
On Fri, Aug 29, 2003 at 08:52:42PM +0200, Peter Eis wrote:
> Why hassle with iptables?
> I'd rather recommend using shorewall (emerge shorewall). It's much
> easier to configure and has a lot of features you'll probably want.

I'll second that. Shorewall works at a higher level of abstraction, letting you design network zones and policies, rather than dealing with the details of constructing iptables commands. It's very flexible and, after a short learning curve, very powerful and easy to use.

Nathan Meyers
[EMAIL PROTECTED]

> Peter
>
> Andrew Gaffney wrote:
>
> >I'm trying to create a firewall using iptables. I want it to drop
> >incoming packets except to ports 22, 25, and 80 unless the source
> >address is 192.168.254.x. I'm asking before I do this because I'm
> >accessing the computer remotely right now and I don't want to cut
> >myself off from it. I'm thinking something like:
> >
> >iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> >iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> >iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> >iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> >iptables -A INPUT -p all -j DROP
> >
> >-or-
> >
> >iptables -P INPUT DROP
> >iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> >iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> >iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> >iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> >
> >Would either of these get me the desired results?
Re: [gentoo-user] iptables help
Why hassle with iptables? I'd rather recommend using shorewall (emerge shorewall). It's much easier to configure and has a lot of features you'll probably want.

Peter

Andrew Gaffney wrote:
> I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:
>
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p all -j DROP
>
> -or-
>
> iptables -P INPUT DROP
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>
> Would either of these get me the desired results?
Re: [gentoo-user] iptables help
On Fri, 2003-08-29 at 11:47, Andrew Gaffney wrote:
> I'm trying to create a firewall using iptables. I want it to drop
> incoming packets except to ports 22, 25, and 80 unless the source
> address is 192.168.254.x. I'm asking before I do this because I'm
> accessing the computer remotely right now and I don't want to cut myself
> off from it. I'm thinking something like:
>
>
>
> Would either of these get me the desired results?

i'm thinkin' you want:

# policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# accept established connections to save having to go through all of those rules.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# dns, repeat for each address
iptables -A OUTPUT -o eth0 -p udp -s --sport 1024:65535 -d --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s --sport 1024:65535 -d --dport 53 -m state --state NEW -j ACCEPT

# outgoing traffic
iptables -A OUTPUT -o eth0 -p tcp -s --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT

# incoming connections
iptables -A INPUT -i eth0 -p tcp -s --sport 192.168.254.0/24 1024:65535 -d --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s --sport 192.168.254.0/24 1024:65535 -d --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s --sport 192.168.254.0/24 1024:65535 -d --dport 80 -m state --state NEW -j ACCEPT

note the following:

(a) the chain policy (-P) should always be put at the top.
(b) the output DROP policy is generally regarded as a little too restrictive, but i like it that way... you may want to use them or not.
(c) this script doesn't do everything, ie. it doesn't disable forwarding and check for martians etc. i would suggest you buy a book and get the low-down on iptables to fully understand everything about it.
(d) connection tracking must be available to iptables. so you should either load the module (ip_conntrack), or compile it directly into your kernel.

-- 
this is your life and it's ending one minute at a time.
- tyler Durden, "fight club"
Re: [gentoo-user] iptables help
Rudmer van Dijk wrote:
> On Friday 29 August 2003 19:21, Andrew Gaffney wrote:
>> Andrew Gaffney wrote:
>>> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> iptables -P INPUT DROP
>>>
>>> Correct?
>>
>> Something I forgot to mention is that there is a 2nd interface: ppp0. I
>> have a ppp dial-in server set up for my use. I have a few iptables rules
>> set up to NAT stuff from ppp0 out through eth0. Will the above rules
>> interfere with that?
>
> not really, but do you want to block local machines? if you only want to
> block outside connections then you can use something like the following.
>
> Rudmer
>
> ---
>
> # allow forwarding
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state NEW -i ! ppp0 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
>
> # masquerade local -> internet connections
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> # maximize ssh response
> iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
>
> # accept ssh, web and mail connections
> iptables -A INPUT -p tcp --dport ssh -j ACCEPT
> iptables -A INPUT -p tcp --dport http -j ACCEPT
> iptables -A INPUT -p tcp --dport smtp -j ACCEPT
>
> # set policy for chains
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> # enable and masquerade forwarded packages
> echo 1 > /proc/sys/net/ipv4/ip_forward
> # disable ExplicitCongestionNotification
> echo 0 > /proc/sys/net/ipv4/tcp_ecn

You misunderstand. With your example, I believe you have ppp0 as the external connection and eth0 acting as the internal connection to the LAN. ppp0 is not the internet connection. eth0 is connected to a router that is connected to a T1. I want to allow all traffic to and from ppp0 and masquerade anything from ppp0 out to the LAN/internet through eth0. I want any incoming connections into eth0 with a source address of 192.168.254.0/24 to be allowed through. Any other incoming connections into eth0 (from the internet) I want to be blocked unless it is for port 22, 25, or 80.

-- 
Andrew Gaffney
Re: [gentoo-user] iptables help
On Friday 29 August 2003 19:21, Andrew Gaffney wrote:
> Andrew Gaffney wrote:
> > iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> > iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> > iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> > iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -P INPUT DROP
> >
> > Correct?
>
> Something I forgot to mention is that there is a 2nd interface: ppp0. I
> have a ppp dial-in server set up for my use. I have a few iptables rules
> set up to NAT stuff from ppp0 out through eth0. Will the above rules
> interfere with that?

not really, but do you want to block local machines? if you only want to block outside connections then you can use something like the following.

Rudmer

---

# allow forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT

# masquerade local -> internet connections
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# maximize ssh response
iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay

# accept ssh, web and mail connections
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport smtp -j ACCEPT

# set policy for chains
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# enable and masquerade forwarded packages
echo 1 > /proc/sys/net/ipv4/ip_forward
# disable ExplicitCongestionNotification
echo 0 > /proc/sys/net/ipv4/tcp_ecn
Re: [gentoo-user] iptables help
On Friday 29 August 2003 18:41, Andrew Gaffney wrote:
> Andrew Dacey wrote:
> > ----- Original Message -----
> >>I'm trying to create a firewall using iptables. I want it to drop
> >>incoming packets except to ports 22, 25, and 80 unless the source
> >>address is 192.168.254.x. I'm asking before I do this because I'm
> >>accessing the computer remotely right now and I don't want to cut myself
> >>off from it. I'm thinking something like:
> >>
> So, it should be:
>
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -P INPUT DROP
>
> Correct?

yes, and if you use ssh to connect to that box you can try the following:

iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay

I use that for my outgoing connection, but don't really know if it really helps...

Rudmer
Re: [gentoo-user] iptables help
Andrew Gaffney wrote:
> Andrew Dacey wrote:
>> ----- Original Message -----
>> From: "Andrew Gaffney" <[EMAIL PROTECTED]>
>> To: "Gentoo User" <[EMAIL PROTECTED]>
>> Sent: Friday, August 29, 2003 12:47 PM
>> Subject: [gentoo-user] iptables help
>>
>>> I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:
>>>
>>> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>>> iptables -A INPUT -p all -j DROP
>>>
>>> -or-
>>>
>>> iptables -P INPUT DROP
>>> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>>>
>>> Would either of these get me the desired results?
>>
>> I'd be tempted to add a line of
>>
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> That way any traffic you initiate from that box will be able to get back in.
>>
>> As someone else mentioned, I'd use the option of setting the INPUT policy to DROP but make sure to set that AFTER you've setup the other rules.
>
> So, it should be:
>
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -P INPUT DROP
>
> Correct?

Something I forgot to mention is that there is a 2nd interface: ppp0. I have a ppp dial-in server set up for my use. I have a few iptables rules set up to NAT stuff from ppp0 out through eth0. Will the above rules interfere with that?

-- 
Andrew Gaffney
Re: [gentoo-user] iptables help
Andrew Dacey wrote:
> - Original Message -
> From: "Andrew Gaffney" <[EMAIL PROTECTED]>
> To: "Gentoo User" <[EMAIL PROTECTED]>
> Sent: Friday, August 29, 2003 12:47 PM
> Subject: [gentoo-user] iptables help
>
>> I'm trying to create a firewall using iptables. I want it to drop
>> incoming packets except to ports 22, 25, and 80 unless the source
>> address is 192.168.254.x. I'm asking before I do this because I'm
>> accessing the computer remotely right now and I don't want to cut myself
>> off from it. I'm thinking something like:
>>
>> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>> iptables -A INPUT -p all -j DROP
>>
>> -or-
>>
>> iptables -P INPUT DROP
>> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>>
>> Would either of these get me the desired results?
>
> I'd be tempted to add a line of
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> That way any traffic you initiate from that box will be able to get back
> in. As someone else mentioned, I'd use the option of setting the INPUT
> policy to DROP but make sure to set that AFTER you've setup the other
> rules.

So, it should be:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP

Correct?

-- 
Andrew Gaffney
Re: [gentoo-user] iptables help
- Original Message -
From: "Andrew Gaffney" <[EMAIL PROTECTED]>
To: "Gentoo User" <[EMAIL PROTECTED]>
Sent: Friday, August 29, 2003 12:47 PM
Subject: [gentoo-user] iptables help

> I'm trying to create a firewall using iptables. I want it to drop
> incoming packets except to ports 22, 25, and 80 unless the source
> address is 192.168.254.x. I'm asking before I do this because I'm
> accessing the computer remotely right now and I don't want to cut myself
> off from it. I'm thinking something like:
>
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p all -j DROP
>
> -or-
>
> iptables -P INPUT DROP
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>
> Would either of these get me the desired results?

I'd be tempted to add a line of

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That way any traffic you initiate from that box will be able to get back in. As someone else mentioned, I'd use the option of setting the INPUT policy to DROP but make sure to set that AFTER you've setup the other rules.

Andrew "frugal" Dacey
[EMAIL PROTECTED]
http://www.tildefrugal.net/
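The ruleset the thread settles on (accept the LAN, accept TCP 22/25/80, accept ESTABLISHED,RELATED, default-DROP the rest), written up as an added example that is not code from any poster. Instead of issuing the rules one `iptables` command at a time, it builds an `iptables-restore` file and loads it in one operation, so there is never a moment at which the INPUT policy is already DROP but the ACCEPT rules are still missing; the chain policy is a header in that file, not a rule, which is also why its position in a command sequence never changes the final result, only what happens during the gap. Because a remote session is at stake, the load is paired with a timed rollback that is cancelled only once a fresh connection has been shown to work. The values of LAN_NET, ALLOWED_TCP_PORTS and ROLLBACK_SECS, the loopback rule, the `/tmp` paths and the `-p all` omission (it is the default) are my choices. Since loading replaces the whole filter table, any FORWARD rules already in place (such as the ppp0-to-eth0 forwarding mentioned in the thread) must be added to the file; the nat table is not touched by it.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the INPUT ruleset the
# thread settled on as an iptables-restore file and loads it atomically,
# with a timed rollback so a mistake does not lock out the remote session.
# Assumed values: LAN_NET, ALLOWED_TCP_PORTS, ROLLBACK_SECS, the lo rule,
# and the paths under /tmp.

LAN_NET="${LAN_NET:-192.168.254.0/24}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 25 80}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"
PIDFILE="${PIDFILE:-/tmp/iptables-rollback.pid}"

# Print the filter table in iptables-restore format.
# The ':INPUT DROP' header is the chain policy, not a rule: it is consulted
# only after every rule in the chain has failed to match, so its position in
# a command sequence never matters. What does matter is that the ACCEPT rules
# exist at the same moment the policy becomes DROP, and iptables-restore
# guarantees that by replacing the whole table in one operation.
build_input_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${LAN_NET} -j ACCEPT
EOF
    for port in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport ${port} -j ACCEPT"
    done
    # Existing FORWARD rules (e.g. for a ppp0 -> eth0 NAT setup) belong
    # above this line, because loading replaces the whole filter table.
    # The nat table is not touched by this file.
    echo COMMIT
}

# Save the running rules, load the new table, and restore the saved rules
# after ROLLBACK_SECS unless confirm_rules is called first. Needs root.
apply_with_rollback() {
    backup=$(mktemp /tmp/iptables-backup.XXXXXX) || return 1
    iptables-save > "$backup" || return 1
    build_input_rules | iptables-restore || return 1
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$backup" ) &
    echo $! > "$PIDFILE"
    echo "Rules loaded. Run '$0 confirm' within ${ROLLBACK_SECS}s from a new session, or they roll back."
}

# Cancel the pending rollback once a new connection has been shown to work.
confirm_rules() {
    [ -f "$PIDFILE" ] || { echo "no rollback pending" >&2; return 1; }
    kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE"
    echo "rollback cancelled; rules stay in place for this boot"
}

case "${1:-}" in
    show)    build_input_rules ;;
    apply)   apply_with_rollback ;;
    confirm) confirm_rules ;;
esac
```

Usage: `sh fw.sh show` prints the file for review, `sh fw.sh apply` (as root) loads it, and `sh fw.sh confirm` from a second, freshly opened SSH session cancels the rollback. If that second session cannot be opened, doing nothing restores the previous rules after ROLLBACK_SECS.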
Re: [gentoo-user] iptables help
At 29 August, 2003 Andrew Gaffney wrote:
> I'm trying to create a firewall using iptables. I want it to drop
> incoming packets except to ports 22, 25, and 80 unless the source
> address is 192.168.254.x. I'm asking before I do this because I'm
> accessing the computer remotely right now and I don't want to cut myself
> off from it.

I'd suggest using the projectfiles.com rc.firewall script. Works For Me, and it can do some rather neat NAT sorts of things, too. I don't know how well it'll work under Gentoo as a startup script, but you can always just run it manually.

http://projectfiles.com/firewall/

-- 
Andrew Farmer
[EMAIL PROTECTED]
Re: [gentoo-user] iptables help
So I should do:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP

The first line would accept anything from any IP in the 192.168.254.0 netblock, lines 2-5 anything on port 22, 25, or 80, and the last, set it to drop everything else?

Jason Martin wrote:
> I'd suggest the second option, but be sure to change the policy to DROP
> _after_ you've set up rules to allow you access.
>
> -Jason Martin
>
> On Fri, 29 Aug 2003, Andrew Gaffney wrote:
>> I'm trying to create a firewall using iptables. I want it to drop
>> incoming packets except to ports 22, 25, and 80 unless the source
>> address is 192.168.254.x. I'm asking before I do this because I'm
>> accessing the computer remotely right now and I don't want to cut myself
>> off from it. I'm thinking something like:
>>
>> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>> iptables -A INPUT -p all -j DROP
>>
>> -or-
>>
>> iptables -P INPUT DROP
>> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>>
>> Would either of these get me the desired results?

-- 
Andrew Gaffney
Re: [gentoo-user] iptables help
I'd suggest the second option, but be sure to change the policy to DROP _after_ you've set up rules to allow you access.

-Jason Martin

On Fri, 29 Aug 2003, Andrew Gaffney wrote:
> I'm trying to create a firewall using iptables. I want it to drop
> incoming packets except to ports 22, 25, and 80 unless the source
> address is 192.168.254.x. I'm asking before I do this because I'm
> accessing the computer remotely right now and I don't want to cut myself
> off from it. I'm thinking something like:
>
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p all -j DROP
>
> -or-
>
> iptables -P INPUT DROP
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>
> Would either of these get me the desired results?