ba747heavy Apprentice
Joined: 11 Aug 2003 Posts: 216 Location: New Mexico, USA
Posted: Wed Aug 20, 2003 3:03 am Post subject: iptables question
I tried searching this forum for 'iptables', and I gave up after I read the 4th page of results (of 30 or so...).
Anyway, my first question is: Where can I find a good tutorial for this iptables thing? I have tried linuxdoc.org and I could only find something on ipchains.
And my second question is, how would you accomplish the following goals of my firewall?
1) I run a mail server (IMAP and POP) on my box. I want to allow all related traffic.
2) Allow all FTP and HTTP traffic.
3) I run aMSN, and I want to open any ports (if any) that the MSN protocol uses.
4) Block the rest of the traffic.
I would assume some very simple rules would accomplish this. Am I missing some things in my proposed 'openings'?
_________________
Fred Clausen
"leet [speak] is a cry for help from a shallow mind" - Doomwookie Jan 05
Decibels Veteran
Joined: 16 Aug 2002 Posts: 1630 Location: U.S.A.
ba747heavy Apprentice
Joined: 11 Aug 2003 Posts: 216 Location: New Mexico, USA
Posted: Wed Aug 20, 2003 3:11 am Post subject:
Thanks!
To Veteran
Joined: 12 Apr 2003 Posts: 1145 Location: Coimbra, Portugal
Posted: Wed Aug 20, 2003 9:17 am Post subject:
Try also www.netfilter.org, the user docs part; the howtos are great. Rusty has done great work.
Tó
_________________
------------------------------------------------
Linux Gandalf 3.2.35-grsec
Gentoo Base System version 2.2
------------------------------------------------
ba747heavy Apprentice
Joined: 11 Aug 2003 Posts: 216 Location: New Mexico, USA
Posted: Wed Aug 20, 2003 2:14 pm Post subject:
Thanks! I will check this out.
ba747heavy Apprentice
Joined: 11 Aug 2003 Posts: 216 Location: New Mexico, USA
Posted: Wed Aug 20, 2003 5:52 pm Post subject:
Using the example script that I found in a link in post #2, I find that some sites are now refusing to load up. For instance, forums.gentoo.org is refusing to load up in Opera unless I cycle the firewall off and then back on. Several other sites are that way as well. Here is the relevant part of my firewall script (I made some changes).
Code:
# Default policies: anything inbound or forwarded that no rule accepts is dropped.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Custom chain used for forwarded traffic.
iptables -N myfilter
iptables -A myfilter -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A myfilter -m state --state NEW -i ! $CABLEE -j ACCEPT
iptables -A myfilter -m state --state INVALID -j LOG --log-prefix "INVALID:" --log-level warning
iptables -A myfilter -p tcp -j REJECT --reject-with tcp-reset
iptables -A myfilter -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Outbound ssh, http, https and smtp; only the replies to them are let back in.
iptables -A INPUT -i $CABLEE -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $CABLEE -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $CABLEE -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $CABLEE -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $CABLEE -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $CABLEE -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $CABLEE -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $CABLEE -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
# Incoming pings: log at most one per minute, accept at most two per second.
iptables -A INPUT -p icmp -i $CABLEE --icmp-type echo-request -m limit --limit 1/minute -j LOG --log-prefix "PING:" --log-level notice
iptables -A INPUT -p icmp -i $CABLEE --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
# Forwarding and masquerading for the LAN, only when $FRWD is set.
if [ "$FRWD" -eq 1 ]
then
iptables -A FORWARD -j myfilter
fi
if [ "$FRWD" -eq 1 ]
then
{
iptables -A FORWARD -i $CABLEE -o $LANE -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i $LANE -o $CABLEE -j ACCEPT
iptables -A FORWARD -j LOG
iptables -t nat -A POSTROUTING -o $CABLEE -j MASQUERADE
}
fi
iptables -A INPUT -i $CABLEE -p tcp --dport 137:139 -j ACCEPT
Thanks gentlemen!
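As an added example (not code from the thread), here is one way to express the four goals from the first post as a stateful rule set; it also covers the gap in the script above, whose INPUT chain admits only TCP replies from source ports 22, 80, 443 and 25, so UDP replies such as DNS answers fall through to the DROP policy. Assumptions: the Internet-facing interface is passed as the first argument, "mail server" means SMTP plus POP3/IMAP and their TLS ports, and ftp/http are used as a client from this box.

```shell
#!/bin/sh
# Added example, not code from the thread. gen_rules prints the iptables
# commands instead of running them, so they can be reviewed first
# (as root: gen_rules eth0 | sh). First argument: external interface.
gen_rules() {
    wan="${1:-eth0}"
    ipt() { printf 'iptables %s\n' "$*"; }

    # Default deny for traffic to and through this box; outbound stays open.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, then connection tracking: replies to anything this box
    # started (DNS answers, web pages, ftp data) are admitted here, for TCP
    # and UDP alike, so no per-port --sport rules are needed for clients.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # Goal 1: mail server. Inbound SMTP delivery, POP3 and IMAP, plus the
    # TLS ports 993/995 (assumed). Each is opened for NEW connections only.
    for port in 25 110 143 993 995; do
        ipt -A INPUT -i "$wan" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Goal 2: ftp and http as a client are covered by OUTPUT ACCEPT plus the
    # ESTABLISHED,RELATED rule above. Active-mode ftp data connections count
    # as RELATED only when the ftp conntrack helper module is loaded
    # (ip_conntrack_ftp on kernels of that era, nf_conntrack_ftp on current ones).
    # Goal 3: aMSN is likewise a client; chat needs no inbound opening.
    # Goal 4: everything else reaches the INPUT policy and is dropped. Log it
    # first, rate-limited, so the log shows which packets the policy refused.
    ipt -A INPUT -i "$wan" -m limit --limit 5/minute -j LOG --log-prefix "DROP:" --log-level notice
}
```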
vert Apprentice
Joined: 07 May 2002 Posts: 214 Location: Delft, The Netherlands
Posted: Thu Aug 21, 2003 1:30 pm Post subject:
Take a look at your logs (kernel or iptables log) and see if you can find packets that belong to those sites that are dropped, and what rule causes it.
Also, I recently started using fwbuilder (www.fwbuilder.org). This tool allows you to create a firewall by drag-and-drop in an object-oriented GUI. There's an ebuild for it.
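Following vert's advice, an added example (not vert's or the poster's code) that groups iptables LOG lines by log prefix and flow, so the rule that logged each packet, and how often, is visible at a glance. Assumptions: syslog-style kernel lines and prefixes without a trailing space as in the script above ("INVALID:", "PING:"), plus a "DROP:" prefix from a catch-all LOG rule; the sample lines are constructed with documentation addresses.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads kernel log lines on stdin and
# prints "count prefix proto src:spt -> dst:dpt", most frequent flow first.
# Assumes prefixes without a trailing space, so the field reads "PREFIX:IN=eth0".
summarize_fw_log() {
    awk '
    /IN=/ {
        prefix = "(none)"; src = dst = proto = spt = dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /IN=/ && prefix == "(none)") {
                # text before IN= is the --log-prefix of the rule that fired
                split($i, part, "IN=")
                if (part[1] != "") { prefix = part[1] }
            }
            else if ($i ~ /^SRC=/)   { src   = substr($i, 5) }
            else if ($i ~ /^DST=/)   { dst   = substr($i, 5) }
            else if ($i ~ /^PROTO=/) { proto = substr($i, 7) }
            else if ($i ~ /^SPT=/)   { spt   = substr($i, 5) }
            else if ($i ~ /^DPT=/)   { dpt   = substr($i, 5) }
        }
        # ICMP lines carry no SPT/DPT, so those stay "-"
        count[prefix " " proto " " src ":" spt " -> " dst ":" dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample (RFC 5737 addresses): two dropped DNS answers, one
# logged ping, one stray RST caught by the INVALID rule.
SAMPLE_LOG='Aug 21 10:02:11 gandalf kernel: DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.53 DST=198.51.100.7 LEN=120 TTL=57 ID=4711 PROTO=UDP SPT=53 DPT=32771 LEN=100
Aug 21 10:02:12 gandalf kernel: DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.53 DST=198.51.100.7 LEN=120 TTL=57 ID=4712 PROTO=UDP SPT=53 DPT=32771 LEN=100
Aug 21 10:02:40 gandalf kernel: PING:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=84 TTL=52 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 21 10:03:02 gandalf kernel: INVALID:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.44 DST=198.51.100.7 LEN=40 TTL=49 ID=0 DF PROTO=TCP SPT=80 DPT=1037 WINDOW=0 RES=0x00 ACK RST URGP=0'

# Real use: summarize_fw_log < /var/log/messages. With the sample instead:
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
```

A flow that shows up repeatedly under a DROP-style prefix, like the UDP source port 53 replies in the sample, points straight at the rule (or missing rule) responsible.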
ba747heavy Apprentice
Joined: 11 Aug 2003 Posts: 216 Location: New Mexico, USA
Posted: Thu Aug 21, 2003 10:07 pm Post subject:
Thanks, I will do that!