iptables newbie.
ken at flyingtoasters.net
Sun Jun 8 17:44:13 EDT 2003
My heavens! That was far more than I was expecting! Thanks for all the
stuff -- I've plugged it in, and it all works great, but now it's time for
fun: I'm gonna sit down and munch on it. As for the "one host" bit,
well... I've only got one host that stays up (don't know if I mentioned
that this was at home -- work's behind a Sonicwall, the crutch which has
made me ignorant of iptables -- bad!), so I don't really have a whole lot
of choice in the matter. Regardless, this is perfect -- thanks much!
-Ken
> ken at flyingtoasters.net wrote:
>>
>> I've got a couple of NICs, both physical and virtual. Basically, I'd like
>> to restrict eth0 (my cable modem) to only allow 80, 25, and 22 in-bound,
>> and everything else (lo, eth1, ppp0), I'd like wide open. Any
>> suggestions/pointers as to how to do that? Should NAT (which I have
>> implemented) cause me any grief?
>
> Sounds like you want something like this:
>
>
> # Flush all old rules on restart
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
> iptables --table nat --flush
>
> # Allow all state matches through
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Take care of NAT rules
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source your.legal.ip
>
> # Let the internal network out to play
> iptables -A FORWARD -i eth1 -m state --state NEW -d 0/0 -j ACCEPT
> iptables -A INPUT -i eth1 -m state --state NEW -d 0/0 -j ACCEPT
> iptables -A INPUT -i lo -m state --state NEW -d 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -m state --state NEW -s 0/0 -d 0/0 -j ACCEPT
>
> # Let in needed traffic patterns
> iptables -A INPUT -p tcp -i eth0 -d 0/0 --dport 22 -j LOG --log-prefix "INBOUND_SSH "
> iptables -A INPUT -p tcp -i eth0 -d 0/0 --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 -d 0/0 --dport 25 -j LOG --log-prefix "INBOUND_SMTP "
> iptables -A INPUT -p tcp -i eth0 -d 0/0 --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 -d 0/0 --dport 80 -j LOG --log-prefix "INBOUND_HTTP "
> iptables -A INPUT -p tcp -i eth0 -d 0/0 --dport 80 -j ACCEPT
>
> # Log all non-matched packets
> iptables -A INPUT -s 0/0 -j LOG --log-level info --log-prefix "DROP_INPUT "
> iptables -A FORWARD -s 0/0 -j LOG --log-level info --log-prefix "DROP_FORWARD "
> iptables -A INPUT -i eth0 -p tcp -d 0/0 -j REJECT --reject-with icmp-host-unreachable
> iptables -A FORWARD -i eth0 -p tcp -d 0/0 -j REJECT --reject-with icmp-host-unreachable
>
> # Log all non-matched packets
> iptables -A OUTPUT -s 0/0 -j LOG --log-level info --log-prefix "DROP_OUTPUT "
>
>
> # --------POLICY RULES--------
> #
> # Define default policy for all chains
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> Opening multiple ports to the same box (especially the firewall) is just
> asking to get whacked. The above should be functional though.
>
> HTH,
> C
>
>
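The ruleset quoted above, reworked as an added example (this is not code from the thread or from either poster): a script that builds the same policy (eth0 limited to 22/25/80 inbound, lo and eth1 open, SNAT out of eth0) with a dry-run mode so the generated rules can be reviewed before they touch the kernel, plus a small tally of the DROP_* lines the LOG rules write to syslog. The interface names, the placeholder public address, the per-service log prefixes, the rate limits and the sample log lines are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: the ruleset the reply describes
# (eth0 restricted to 22/25/80 inbound, lo/eth1 open, SNAT out of eth0) as a
# script with a dry-run mode, plus a tally of the DROP_* lines the LOG rules
# write to syslog. Interface names, the public address and the log prefixes
# are assumptions; adjust them for your host.

WAN=${WAN:-eth0}                      # cable-modem side
LAN=${LAN:-eth1}                      # internal network
PUBLIC_IP=${PUBLIC_IP:-192.0.2.10}    # placeholder (TEST-NET-1), not a real address
DRY_RUN=${DRY_RUN:-1}                 # 1 = print commands only, 0 = run iptables

# fw: one iptables invocation, printed instead of executed in dry-run mode
# (the printed form drops the quotes around log prefixes; it is for review only)
fw() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_ruleset() {
    # default DROP first, then flush, so no chain is ever open while loading
    for chain in INPUT OUTPUT FORWARD; do fw -P "$chain" DROP; fw -F "$chain"; done
    fw -t nat -F

    # connection tracking: replies to accepted traffic pass, bad state is dropped
    for chain in INPUT OUTPUT FORWARD; do
        fw -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
        fw -A "$chain" -m state --state INVALID -j DROP
    done

    # NAT the internal network out of the public interface
    fw -t nat -A POSTROUTING -o "$WAN" -j SNAT --to-source "$PUBLIC_IP"

    # loopback and the internal side are wide open; the box may talk out freely
    fw -A INPUT -i lo -j ACCEPT
    fw -A INPUT -i "$LAN" -m state --state NEW -j ACCEPT
    fw -A FORWARD -i "$LAN" -m state --state NEW -j ACCEPT
    fw -A OUTPUT -m state --state NEW -j ACCEPT

    # public side: only the three services, each logged under its own prefix
    for svc in 22:SSH 25:SMTP 80:HTTP; do
        port=${svc%%:*}; name=${svc#*:}
        fw -A INPUT -i "$WAN" -p tcp --dport "$port" -m state --state NEW \
            -m limit --limit 5/min -j LOG --log-prefix "INBOUND_${name} "
        fw -A INPUT -i "$WAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # whatever is left: rate-limited log entry, then the DROP policy applies
    for chain in INPUT FORWARD OUTPUT; do
        fw -A "$chain" -m limit --limit 10/min -j LOG --log-level info \
            --log-prefix "DROP_${chain} "
    done
}

# count_rules PATTERN: how many generated rules match PATTERN (dry-run output)
count_rules() {
    ( DRY_RUN=1; build_ruleset ) | grep -c -- "$1"
}

# summarize_drops: read syslog lines on stdin, print "prefix IN dpt count"
# for every DROP_* entry, so a glance shows which ports are being knocked on
summarize_drops() {
    awk '/DROP_/ {
        p = ""; i_if = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DROP_/)      p = $i
            else if ($i ~ /^IN=./)  i_if = substr($i, 4)
            else if ($i ~ /^DPT=/)  dpt = substr($i, 5)
        }
        n[p " " i_if " " dpt]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# sample_log: constructed syslog lines in the shape the LOG target produces
sample_log() {
    cat <<'EOF'
Jun  8 17:44:13 gw kernel: DROP_INPUT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=135 SYN
Jun  8 17:44:15 gw kernel: DROP_INPUT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4445 DPT=135 SYN
Jun  8 17:45:02 gw kernel: DROP_INPUT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=1027
Jun  8 17:45:30 gw kernel: INBOUND_SSH IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Jun  8 17:46:00 gw kernel: DROP_FORWARD IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=3333 DPT=445 SYN
EOF
}

# usage: sh fw.sh rules            (print the rules for review)
#        DRY_RUN=0 sh fw.sh rules  (apply them, as root)
#        sh fw.sh drops < /var/log/messages   (tally the DROP_* log lines)
case "${1:-}" in
    rules) build_ruleset ;;
    drops) summarize_drops ;;
esac
```

Two things differ from the quoted script on purpose: the default policies are set to DROP before the chains are flushed rather than after, so the box is never briefly wide open mid-reload, and every LOG rule carries `-m limit`, so a port sweep cannot fill the disk with kernel messages. The `summarize_drops` output groups by prefix, inbound interface and destination port, which is usually enough to tell background scanning from something aimed at a service you actually run.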
More information about the gnhlug-discuss mailing list