[CentOS] IPTables help
Robert Spangler
mlists at zoominternet.net
Sat May 24 14:55:57 UTC 2008
On Friday 23 May 2008 11:03, Fajar Priyanto wrote:
> On Thursday 22 May 2008 22:30:29 Joseph L. Casale wrote:
> > I have a dual homed server in an install for someone who is very cost
> > sensitive. This server originally is being setup as an Asterisk server,
> > but now the simplest thing for me to do is also set it up to provide
> > internet access for the small shop as well.
> >
> > So it will have one external, WAN facing nic that needs all incoming
> > ports except UDP 5060 and 10000 -> 60000 blocked for all but two ips.
> >
> > The internal, LAN facing NIC will need all ports except voip/dns/http
> > blocked to it, and need to provide masquerading.
> >
> > I have limited experience with iptables and would love some guidelines.
> > Any pointers would be greatly appreciated!
>
> Hi JLC,
> There are 2 ways to implement firewall: negative list and positive list.
> Looks like you want a very strict one that is positive list.
>
> Assuming eth0 is WAN, and eth1 is LAN (assuming 192.168.0.0/24)(please
> mind the word wrap):
> #Clear all rules and policies first:
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -F
> iptables -t nat -F
Since you believe that he wants a very strict firewall, why are you setting the
default policies to ACCEPT? Security 101: a strict firewall drops everything
from the start. Then you open the access you require, not the other way
around.
> #Give access for localhost:
> iptables -I INPUT -i lo -j ACCEPT
> iptables -I OUTPUT -o lo -j ACCEPT
>
> #To make life easier:
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> #Allowing needed ports:
> iptables -A INPUT -i eth0 -p udp -m multiport --dports 5060,10000:60000 -s ipthatyouwantallow -j ACCEPT
> iptables -A INPUT -i eth1 -p udp -m multiport --dports 53,80,5060,10000:60000 -j ACCEPT
> iptables -A OUTPUT -p udp -m multiport --dports 53 -j ACCEPT
> iptables -A FORWARD -p udp -m multiport --dports 53,5060,10000:60000 -s ipthatyouallow -j ACCEPT
> iptables -A FORWARD -p tcp -m multiport --dports 80 -j ACCEPT
First question you need to ask yourself: are there any services hosted on this
box that will require a connection from the WAN side? If not, then you should
change your INPUT statements to allow only the LAN. You do not require the
INPUT statements for packets that pass through the box, as the FORWARD chain will
handle all traffic passing through.
Second question: if you are using ESTABLISHED,RELATED, why are you not using
NEW in the above rules?
Third question: have you enabled connection tracking? If you are using
ESTABLISHED,RELATED, then the system needs a way to keep track of the
connection.
If you want a 100% secure firewall, then you will not allow any INPUT. All
modification would have to be done from the box using a keyboard. If this is
not an option, then you can allow access from a trusted IP only and set up other
security options.
> #For masquerading:
> iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.0.0/24 -j MASQUERADE
If the WAN port is connected directly to the Internet, then you should MASQ all
outgoing traffic, and anything that is heading to 192.168.0.0/24 should be
dropped.
> #For logging (troubleshooting):
> iptables -A INPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** INPUT DROP ** '
> iptables -A FORWARD -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** FORWARD DROP ** '
> iptables -A OUTPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** OUTPUT DROP ** '
Logging any packets that make it this far is a good idea.
> #Finally dropping all other traffic (positive list firewall):
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
This should be at the top of the firewall, not the ACCEPT you have there
now.
> #Don't forget to save it:
> service iptables save
>
> I might make some mistakes up there, so the logging is very important. You
Just a few. :)
For your reading enjoyment.
http://iptables.rlworkman.net/chunkyhtml/index.html
--
Regards
Robert
Smile... it increases your face value!
Linux User #296285
http://counter.li.org
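As an added example that is not part of this thread or anyone's reply in it, the same positive-list firewall assembled in the order Robert argues for (DROP policies first, NEW plus ESTABLISHED,RELATED, FORWARD handling pass-through traffic, MASQ on the WAN side). It assumes eth0 is the WAN, eth1 is the LAN on 192.168.0.0/24, and two constructed trusted SIP peers on documentation addresses; `build_rules` only prints the rule set so it can be checked before `apply_rules` runs it as root.

```sh
#!/bin/sh
# Positive-list firewall for the dual-homed Asterisk box in this thread,
# ordered the way Robert describes: DROP policies first, then only the
# access required. Assumptions (constructed, not from the thread):
# eth0 = WAN, eth1 = LAN 192.168.0.0/24, two trusted SIP peers using
# documentation addresses.
WAN=eth0; LAN=eth1; LAN_NET=192.168.0.0/24
TRUSTED="203.0.113.10 203.0.113.20"
SIP_PORTS="5060,10000:60000"
# Print the rule set instead of running it, so it can be reviewed first.
build_rules() {
    # Security 101: drop everything from the start, then open what is needed.
    for chain in INPUT FORWARD OUTPUT; do echo "iptables -P $chain DROP"; done
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Connection tracking: replies to accepted connections, in every chain.
    for chain in INPUT FORWARD OUTPUT; do
        echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    # Anti-spoofing: LAN addresses never arrive on, or get forwarded out of, the WAN.
    echo "iptables -A INPUT -i $WAN -s $LAN_NET -j DROP"
    echo "iptables -A FORWARD -o $WAN -d $LAN_NET -j DROP"
    # WAN side: only NEW SIP/RTP from the two trusted peers reaches Asterisk;
    # -p udp must precede -m multiport, and multiport's option is --dports.
    for ip in $TRUSTED; do
        echo "iptables -A INPUT -i $WAN -s $ip -p udp -m multiport --dports $SIP_PORTS -m state --state NEW -j ACCEPT"
        echo "iptables -A OUTPUT -o $WAN -d $ip -p udp -m multiport --dports $SIP_PORTS -m state --state NEW -j ACCEPT"
    done
    # LAN side: NEW voip/dns/http to the box itself (http is TCP, not UDP).
    echo "iptables -A INPUT -i $LAN -s $LAN_NET -p udp -m multiport --dports 53,$SIP_PORTS -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -i $LAN -s $LAN_NET -p tcp -m multiport --dports 53,80 -m state --state NEW -j ACCEPT"
    # Forwarding is only LAN -> WAN, and only for dns/http/voip.
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p udp -m multiport --dports 53,$SIP_PORTS -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp -m multiport --dports 53,80 -m state --state NEW -j ACCEPT"
    # The box's own DNS lookups.
    echo "iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT"
    # Masquerade everything leaving the WAN interface.
    echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
    # Log (rate limited) whatever falls through to the DROP policies.
    for chain in INPUT FORWARD OUTPUT; do
        echo "iptables -A $chain -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** $chain DROP ** '"
    done
}
# Run as root from the console: enables forwarding, applies, then saves.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 && build_rules | sh -e && service iptables save
}
```

Because the DROP policies are set before the rules are loaded, apply it from the keyboard as Robert suggests, not over a remote session.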