iptables newbie.

Chris Brenton cbrenton at chrisbrenton.org
Sun Jun 8 15:18:06 EDT 2003


ken at flyingtoasters.net wrote:
>
> I've got a couple of NICs, both physical and virtual.  Basically, I'd like
> to restrict eth0 (my cable modem) to only allow 80, 25, and 22 in-bound,
> and everything else (lo, eth1, ppp0), I'd like wide open.  Any
> suggestions/pointers as to how to do that?  Should NAT (which I have
> implemented) cause me any grief?

Sounds like you want something like this:


# Flush all old rules on restart
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables --table nat --flush

# Allow all state matches through (the state is spelled ESTABLISHED;
# iptables rejects the misspelled ESTABLISH)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Take care of NAT rules
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source your.legal.ip

# Let the internal network out to play
iptables -A FORWARD -i eth1 -m state --state NEW -d 0/0 -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -s 0/0 -d 0/0 -j ACCEPT

# Let in needed traffic patterns (log each accepted service under its own prefix)
iptables -A INPUT -p tcp -i eth0 -d 0/0 --dport 22 -j LOG --log-prefix " INBOUND_SSH "
iptables -A INPUT -p tcp -i eth0 -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -d 0/0 --dport 25 -j LOG --log-prefix " INBOUND_SMTP "
iptables -A INPUT -p tcp -i eth0 -d 0/0 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -d 0/0 --dport 80 -j LOG --log-prefix " INBOUND_HTTP "
iptables -A INPUT -p tcp -i eth0 -d 0/0 --dport 80 -j ACCEPT

# Log all non-matched packets, then reject TCP arriving on eth0 with an ICMP
# error; anything else falls through to the DROP policy set below
iptables -A INPUT -s 0/0 -j LOG --log-level info --log-prefix " DROP_INPUT "
iptables -A FORWARD -s 0/0 -j LOG --log-level info --log-prefix " DROP_FORWARD "
iptables -A INPUT -i eth0 -p tcp -d 0/0 -j REJECT --reject-with icmp-host-unreachable
iptables -A FORWARD -i eth0 -p tcp -d 0/0 -j REJECT --reject-with icmp-host-unreachable

# Log all non-matched outbound packets
iptables -A OUTPUT -s 0/0 -j LOG --log-level info --log-prefix " DROP_OUTPUT "


# --------POLICY RULES--------
#
# Define default policy for all chains
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Opening multiple ports to the same box (especially the firewall) is just 
asking to get whacked. The above should be functional though.

HTH,
C




More information about the gnhlug-discuss mailing list
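As an added example (not Chris's script and not part of the original thread), here is the same policy expressed in iptables-restore format. Loading it with iptables-restore applies the DROP policies and the rules in one atomic COMMIT, so there is no window between an "iptables -F" and the final "-P ... DROP" where the box is either wide open or has a DROP policy with no state rule yet. The state name is spelled ESTABLISHED,RELATED as iptables requires (newer iptables also accepts "-m conntrack --ctstate"), and each accepted port logs under its own prefix, keyed by port number rather than service name. gen_rules takes the WAN and LAN interface names, the SNAT address and the port list as parameters; the 203.0.113.5 in the usage line is an RFC 5737 documentation address standing in for "your.legal.ip". audit_rules reads the generated file back and fails if INPUT's policy is not DROP or if any ACCEPT that matches traffic arriving on the WAN interface is not a TCP rule for one of the listed ports. Both function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the ruleset in
# iptables-restore format so the DROP policies and the rules are loaded in
# one atomic COMMIT (no flush-then-policy window), audits the result, and
# shows how it would be loaded. Interface names, the SNAT address and the
# port list are parameters; 203.0.113.5 below is an RFC 5737 documentation
# address standing in for "your.legal.ip".

# gen_rules WAN_IF LAN_IF SNAT_ADDR PORT...  -> iptables-restore text on stdout
gen_rules() {
  wan=$1 lan=$2 snat=$3
  shift 3
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -j SNAT --to-source $snat
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -m state --state NEW -j ACCEPT
-A FORWARD -i $lan -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
EOF
  # One LOG + ACCEPT pair per allowed port, each with its own log prefix
  for p in "$@"; do
    printf '%s\n' "-A INPUT -i $wan -p tcp --dport $p -m state --state NEW -j LOG --log-prefix \"INBOUND_$p \""
    printf '%s\n' "-A INPUT -i $wan -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  # Log leftovers; reject TCP from the WAN side, everything else hits the DROP policy
  cat <<EOF
-A INPUT -j LOG --log-level info --log-prefix "DROP_INPUT "
-A FORWARD -j LOG --log-level info --log-prefix "DROP_FORWARD "
-A OUTPUT -j LOG --log-level info --log-prefix "DROP_OUTPUT "
-A INPUT -i $wan -p tcp -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -i $wan -p tcp -j REJECT --reject-with icmp-host-unreachable
COMMIT
EOF
}

# audit_rules WAN_IF PORT... < ruleset
# Exit 0 only if INPUT's policy is DROP and every INPUT ACCEPT that matches
# traffic arriving on WAN_IF is a TCP rule for one of the listed ports.
audit_rules() {
  wan=$1
  shift
  policy_ok=1 status=0
  while IFS= read -r line; do
    case $line in
      ":INPUT DROP"*) policy_ok=0 ;;
      "-A INPUT "*"-i $wan "*"-j ACCEPT"*)
        port=${line##*--dport }      # text after --dport (whole line if absent)
        port=${port%% *}             # first word of it
        ok=1
        case $line in
          *"-p tcp "*)
            for p in "$@"; do
              if [ "$p" = "$port" ]; then ok=0; fi
            done ;;
        esac
        if [ "$ok" -ne 0 ]; then
          echo "audit: unexpected ACCEPT on $wan: $line" >&2
          status=1
        fi ;;
    esac
  done
  [ "$policy_ok" -eq 0 ] && [ "$status" -eq 0 ]
}

# Usage (root is needed only for the iptables-restore step):
#   gen_rules eth0 eth1 203.0.113.5 22 25 80 > /etc/iptables.rules
#   audit_rules eth0 22 25 80 < /etc/iptables.rules && iptables-restore < /etc/iptables.rules
gen_rules eth0 eth1 203.0.113.5 22 25 80 | audit_rules eth0 22 25 80 \
  && echo "ruleset passes audit" >&2
```

Run the audit again after loading, against "iptables-save", and it will catch a port that was added to the WAN side by hand and forgotten; a ruleset that opens a fourth port on eth0 makes audit_rules return non-zero and name the offending rule on stderr.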