[CentOS] IPTables help

Fri May 23 15:03:58 UTC 2008
Fajar Priyanto <fajarpri at cbn.net.id>

On Thursday 22 May 2008 22:30:29 Joseph L. Casale wrote:
> I have a dual homed server in an install for someone who is very cost
> sensitive. This server originally is being set up as an Asterisk server, but
> now the simplest thing for me to do is also set it up to provide internet
> access for the small shop as well.
>
> So it will have one external, WAN facing NIC that needs all incoming ports
> except UDP 5060 and 10000 -> 60000 blocked for all but two IPs.
>
> The internal, LAN facing NIC will need all ports except voip/dns/http
> blocked to it, and need to provide masquerading.
>
> I have limited experience with iptables and would love some guidelines. Any
> pointers would be greatly appreciated!

Hi JLC,
There are 2 ways to implement a firewall: negative list and positive list. Looks 
like you want a very strict one, that is, a positive list.

Assuming eth0 is WAN, and eth1 is LAN (assuming 192.168.0.0/24) (please mind 
the word wrap):
#Clear all rules and policies first:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -t nat -F

#Give access for localhost:
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT

#To make life easier:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allowing needed ports:
iptables -A INPUT -i eth0 -m multiport -p udp --dport 5060,10000:60000 -s ipthatyouwantallow -j ACCEPT
iptables -A INPUT -i eth1 -m multiport -p udp --dport 53,80,5060,10000:60000 -j ACCEPT
iptables -A OUTPUT -m multiport -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -m multiport -p udp --dport 53,5060,10000:60000 -s ipthatyouallow -j ACCEPT
iptables -A FORWARD -m multiport -p tcp --dport 80 -j ACCEPT

#For masquerading:
iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.0.0/24 -j MASQUERADE

#For logging (troubleshooting):
iptables -A INPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** INPUT DROP ** '
iptables -A FORWARD -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** FORWARD DROP ** '
iptables -A OUTPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** OUTPUT DROP ** '

#Finally dropping all other traffic (positive list firewall):
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Don't forget to save it:
service iptables save

I might have made some mistakes up there, so the logging is very important. You can 
just monitor the log file: tail -f /var/log/messages and look for any missed 
ports and open them.

If for some reason you want to clear the iptables, run this command:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -t nat -F
service iptables save

Good luck,
-- 
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial 
http://linux2.arinet.org
22:03:54 up 2:37, 2.6.22-14-generic GNU/Linux 
Let's use OpenOffice. http://www.openoffice.org
The real challenge of teaching is getting your students motivated to learn.
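
The log review suggested in the reply above, as an added example that is not part of the original message: a shell function that tallies the '** ... DROP ** ' LOG lines by chain, interface, protocol and destination port, so traffic the positive list still blocks stands out. The host name, addresses and log lines are constructed sample data; the KEY=value layout is the kernel's netfilter LOG format.

```shell
#!/bin/sh
# Added example: summarise packets logged by the three LOG rules in the ruleset.

summarize_drops() {
    awk '
    / \*\* (INPUT|FORWARD|OUTPUT) DROP \*\* / {
        split("", kv)                      # reset the per-line KEY=value map
        chain = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "**" && $(i + 2) == "DROP") chain = $(i + 1)
            eq = index($i, "=")
            if (eq > 1) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        proto = tolower(kv["PROTO"])
        # ICMP has no ports; report its type instead of DPT
        what = (proto == "icmp") ? ("type" kv["TYPE"]) : kv["DPT"]
        in_if = (kv["IN"] == "") ? "-" : kv["IN"]
        out_if = (kv["OUT"] == "") ? "-" : kv["OUT"]
        seen[chain " in=" in_if " out=" out_if " " proto "/" what]++
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample of /var/log/messages (not taken from a real host).
sample_log() {
    cat <<'EOF'
May 23 22:10:01 pbx kernel: ** INPUT DROP ** IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.23 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=40122 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 23 22:10:04 pbx kernel: ** INPUT DROP ** IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.23 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=40122 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 23 22:10:09 pbx crond[1234]: (root) CMD (run-parts /etc/cron.hourly)
May 23 22:11:15 pbx kernel: ** FORWARD DROP ** IN=eth1 OUT=eth0 SRC=192.168.0.40 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=901 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
May 23 22:12:30 pbx kernel: ** OUTPUT DROP ** IN= OUT=eth0 SRC=198.51.100.2 DST=203.0.113.5 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
May 23 22:13:02 pbx kernel: ** INPUT DROP ** IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.23 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
EOF
}

# Live use would be: summarize_drops < /var/log/messages
sample_log | summarize_drops
```

Because the LOG rules are limited to 2/m with a burst of 2, each count is a floor rather than a total; a line appearing at all is the signal that a rule may be missing.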