[CentOS] iptables rules

Tue Mar 30 00:29:51 UTC 2010
Robert Spangler <mlists at zoominternet.net>

On Monday 29 March 2010 16:48, m.roth at 5-cent.us wrote:

>  I've got a server with several ip's on eth0. I want to block all traffic
>  *except* to port 80 on them, but not on any other IPs, so that
>  eth0 is www.xxx.yyy.zzz
>  eth0:1 is www.xxx.yyy.ggg
>  eth0:2 is www.xxx.yyy.hhh
>
>  I've tried
>  -A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.ggg --dport ! 80 -j DROP
>  -A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.hhh --dport ! 80 -j DROP

The problem is your firewall is no firewall.  It blocks nothing and allows 
everything.

>  *filter
>
>  :INPUT ACCEPT [0:0]
>  :FORWARD ACCEPT [0:0]
>  :OUTPUT ACCEPT [769:48207]
>  :RH-Firewall-1-INPUT - [0:0]

By setting all the default policies to ACCEPT you are blocking nothing.

>  -A INPUT -j RH-Firewall-1-INPUT
>  -A FORWARD -j RH-Firewall-1-INPUT
>  -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>  -A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -p tcp -m tcp ! --dport 80 -j DROP
>  -A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -p tcp -m tcp ! --dport 80 -j DROP
>  -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>  <...>
>  and I notice it puts the ! in front of the --dport, but has no complaints.
>
>  However, I can telnet to www.xxx.yyy.hhh 443. What's wrong with the rules?

See above.  Try these rules; I'm sure you will get better results.  And yes, I 
dropped the stupid RH-Firewall-1-INPUT BS that RH puts in there.
Let's make a stateful firewall while we are at it also.


#Set policies to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Setup OUTPUT Rules to allow everything outbound
# (-A appends in the order written; -I would insert each rule at the top,
#  leaving the DROP as the first rule and blocking everything)
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j ACCEPT
iptables -A OUTPUT -j DROP

# Setup INPUT Rules to only allow what we want
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP

Sure you can combine the output rules into one, but I like it this way in case 
I need to block something from exiting the system.

You can use this tutorial to better define your rules; for example, the icmp 
rule you have above can be fine-tuned to only allow what is needed.  
Just remember that the rules are read from top to bottom and the first 
matching rule is used.

http://www.zoominternet.net/~lazydog/iptables-tutorial.html


-- 

Regards
Robert

Linux User #296285
http://counter.li.org
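A fuller version of the same stateful approach, as an added example that is not from Robert's post or the original question: it keeps the default-deny policies and state rules, adds the loopback accept that the reply's list omits, and restricts only the aliased addresses to port 80 as the question asked. The addresses (TEST-NET-1 placeholders), SSH on the primary address, and the `apply`/`show` arguments are assumptions; `IPTABLES=echo` prints the rules instead of loading them.

```shell
#!/bin/sh
# Placeholder addresses; set PRIMARY_IP / WEB_ONLY_IPS for the real host.
IPTABLES="${IPTABLES:-iptables}"
PRIMARY_IP="${PRIMARY_IP:-192.0.2.10}"                  # eth0
WEB_ONLY_IPS="${WEB_ONLY_IPS:-192.0.2.11 192.0.2.12}"   # eth0:1, eth0:2

apply_rules() {
    # Default deny, then flush so re-running the script is idempotent.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT

    # Loopback must be allowed explicitly: a local connection to a port other
    # than 80 arrives on INPUT in state NEW and the rules below would drop it.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Stateful core. -A appends in the order written; -I would insert each
    # rule at the top and leave the final DROP as the first rule.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT

    # Aliased addresses: new TCP connections to port 80 only, then drop the
    # rest for that address before any broader rule can match it.
    for ip in $WEB_ONLY_IPS; do
        $IPTABLES -A INPUT -d "$ip" -p tcp --dport 80 -m state --state NEW -j ACCEPT
        $IPTABLES -A INPUT -d "$ip" -j DROP
    done

    # Primary address keeps its own services (SSH and HTTP assumed here).
    $IPTABLES -A INPUT -d "$PRIMARY_IP" -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT

    # Log a rate-limited sample of what falls through, then drop it.
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    $IPTABLES -A INPUT -j DROP
}

# Print the rules in final order so the top-to-bottom evaluation can be checked.
rules_as_text() {
    ( IPTABLES=echo; apply_rules )
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  rules_as_text ;;
esac
```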