[CentOS] IPTables help

Sat May 24 14:55:57 UTC 2008
Robert Spangler <mlists at zoominternet.net>

On Friday 23 May 2008 11:03, Fajar Priyanto wrote:

>  On Thursday 22 May 2008 22:30:29 Joseph L. Casale wrote:
>  > I have a dual homed server in an install for someone who is very cost
>  > sensitive. This server originally is being setup as an Asterisk server,
>  > but now the simplest thing for me to do is also set it up to provide
>  > internet access for the small shop as well.
>  >
>  > So it will have one external, WAN  facing nic that needs all incoming
>  > ports except UDP 5060 and 10000 -> 60000 blocked for all but two ips.
>  >
>  > The internal, LAN facing  NIC will need all ports except voip/dns/http
>  > blocked to it, and need to provide masquerading.
>  >
>  > I have limited experience with iptables and would love some guidelines.
>  > Any pointers would be greatly appreciated!
>
>  Hi JLC,
>  There are 2 ways to implement firewall: negative list and positive list.
> Looks like you want a very strict one that is positive list.
>
>  Assuming eth0 is WAN, and eth1 is LAN (assuming 192.168.0.0/24)(please
> mind the word wrap):
>  #Clear all rules and policies first:
>  iptables -P INPUT ACCEPT
>  iptables -P OUTPUT ACCEPT
>  iptables -P FORWARD ACCEPT
>  iptables -F
>  iptables -t nat -F

Since you believe that he wants a very strict firewall why are you setting the 
default policy's to ACCEPT?  Security 101, strict firewall drops everything 
from the start.  Then you open the access you require, not the other way 
around.

>  #Give access for localhost:
>  iptables -I INPUT -i lo -j ACCEPT
>  iptables -I OUTPUT -o lo -j ACCEPT
>
>  #To make life easier:
>  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>  #Allowing needed ports:
>  iptables -A INPUT -i eth0 -m multiport -p udp --dport 5060,10000:60000 -s
>  ipthatyouwantallow -j ACCEPT
>  iptables -A INPUT -i eth1 -m multiport -p udp --dport
>  53,80,5060,10000:60000 -j ACCEPT
>  iptables -A OUTPUT -m multiport -p udp --dport 53 -j ACCEPT
>  iptables -A FORWARD -m multiport -p udp --dport 53,5060,10000:60000 -s
>  ipthatyouallow -j ACCEPT
>  iptables -A FORWARD -m multiport -p tcp --dport 80 -j ACCEPT

First question you need to ask yourself is there any hosting services on this 
box that will require a connection form the WAN side.  If not then you should 
change your input statements to allow only the LAN.  You do not require the 
INPUT statements for packets that pass through the box as the FORWARD will 
handle all traffic passing through.

Second question is if you are using ESTABLISHED,RELATED why are you not using 
NEW in the above rules?

Third question is have you enables connection tracking?  If you are using 
ESTABLISHED,RELATED then the system needs a way to keep track of the 
connection.

If you want a 100% secure firewall then you will not allow any INPUT.  All 
modification would have to be done from the box using a keyboard.  If this is 
not an option then you can allow access from a trusted IP only and setup other 
security options.

>  #For masquerading:
>  iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.0.0/24 -j MASQUERADE

If the WAN port is connected directly to the Internet then you should MASQ all 
out going traffic and anything that is heading to 192.168.0.0/24 should be 
dropped.

>  #For logging (troubleshooting):
>  iptables -A INPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix
> '** INPUT DROP ** '
>  iptables -A FORWARD -m limit --limit 2/m --limit-burst 2 -j
>  LOG --log-prefix '** FORWARD DROP ** '
>  iptables -A OUTPUT -m limit --limit 2/m --limit-burst 2 -j
>  LOG --log-prefix '** OUTPUT DROP ** '

Logging any packets that make it this far is a good idea.

>  #Finally dropping all other traffic (positive list firewall):
>  iptables -P INPUT DROP
>  iptables -P OUTPUT DROP
>  iptables -P FORWARD DROP

This should be at the top for the firewall not the ACCEPT you have there 
now.

>  #Don't forget to save it:
>  service iptables save
>
>  I might make some mistakes up there, so the logging is very important. You

Just a few.  :)

For your reading enjoyment.

http://iptables.rlworkman.net/chunkyhtml/index.html


-- 

Regards
Robert

Smile... it increases your face value!
Linux User #296285
http://counter.li.org