Re: [gentoo-user] [OT] tips on my 1st try at iptables?
[digest-mode reply]

> Subject: Re: [gentoo-user] [OT] tips on my 1st try at iptables?
> From: A. Khattri [EMAIL PROTECTED]
> Date: Mon, 30 May 2005 23:06:36 -0400 (EDT)
> To: gentoo-user@lists.gentoo.org
>
> On Mon, 30 May 2005, Ow Mun Heng wrote:
> > Frankly, I've stopped trying to grok iptables but rather I use a frontend like shorewall. It's much simpler than doing it all by yourself.
>
> I prefer just plain iptables myself

Me too!

rgh.

-- 
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] [OT] tips on my 1st try at iptables?
On Tue, 31 May 2005, Ow Mun Heng wrote:
> > I prefer just plain iptables myself ;-)
>
> One man's meat is another's poison. That's the beauty of Open Source. You're free to decide.

Well, it's one less package to manage, and you don't need any startup scripts (/etc/init.d/iptables save saves the current rule set and automatically restores it on startup).
Re: [gentoo-user] [OT] tips on my 1st try at iptables?
At first I was a bit wary, but after I modified a sample iptables script to my liking, I found I got what I wanted.

#First we flush our current rules
iptables -F
iptables -t nat -F

#Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i eth1 -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
# eth1 and lo are already accepted above and these two exclude eth0, so on a
# two-interface box they never match; DNS/DHCP from the WAN is caught by the
# privileged-port DROP further down
iptables -A INPUT -p UDP --dport bootps ! -i eth0 -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i eth0 -j REJECT

#(Optional) Allow access to our ssh server from the WAN
# Additional: port 81 (alt http) and port 443 (https), port 21 (ftp)
#iptables -A INPUT -p TCP --dport ssh -i eth0 -j ACCEPT
# (the posted line had no port after --dport; ssh is assumed from the comment above)
iptables -A INPUT -p TCP --dport ssh -i eth0 -j ACCEPT
iptables -A INPUT -p TCP --dport 81 -i eth0 -j ACCEPT
iptables -A INPUT -p TCP --dport 443 -i eth0 -j ACCEPT
iptables -A INPUT -p TCP --dport 21 -i eth0 -j ACCEPT
#iptables -A INPUT -p TCP --dport 25 -i eth0 -j ACCEPT
#iptables -A INPUT -p TCP --dport 143 -i eth0 -j ACCEPT
#iptables -A INPUT -p TCP --dport 993 -i eth0 -j ACCEPT
#iptables -A INPUT -p TCP --dport 995 -i eth0 -j ACCEPT
#iptables -A INPUT -p TCP --dport 110 -i eth0 -j ACCEPT

#Drop TCP / UDP packets to privileged ports
# (the INPUT policy is left at ACCEPT, so ports above 1023 on eth0 stay reachable)
iptables -A INPUT -p TCP ! -i eth1 -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i eth1 -d 0/0 --dport 0:1023 -j DROP

#Finally we add the rules for NAT
iptables -I FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i eth1 -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#Actual port forwarding
iptables -t nat -A PREROUTING -p tcp --dport 3389 -i eth0 -j DNAT --to 192.168.0.250
iptables -t nat -A PREROUTING -p tcp --dport 6881 -i eth0 -j DNAT --to 192.168.0.250
iptables -t nat -A PREROUTING -p udp --dport 6881 -i eth0 -j DNAT --to 192.168.0.250

#This is so when we boot we don't have to run the rules by hand
/etc/init.d/iptables save

I've found it to work very well.

On 6/2/05, A. Khattri [EMAIL PROTECTED] wrote:
> On Tue, 31 May 2005, Ow Mun Heng wrote:
> > > I prefer just plain iptables myself ;-)
> >
> > One man's meat is another's poison. That's the beauty of Open Source. You're free to decide.
>
> Well, it's one less package to manage, and you don't need any startup scripts (/etc/init.d/iptables save saves the current rule set and automatically restores it on startup).

-- 
- Mark Shields
Re: [gentoo-user] [OT] tips on my 1st try at iptables?
On Mon, 2005-05-30 at 23:06 -0400, A. Khattri wrote:
> On Mon, 30 May 2005, Ow Mun Heng wrote:
> > Frankly, I've stopped trying to grok iptables but rather I use a frontend like shorewall. It's much simpler than doing it all by yourself.
>
> I prefer just plain iptables myself ;-)

One man's meat is another's poison. That's the beauty of Open Source. You're free to decide.

-- 
Ow Mun Heng
Gentoo/Linux on DELL D600 1.4Ghz 1.5GB RAM
98% Microsoft(tm) Free!!
Neuromancer 14:03:43 up 16:05, 8 users, load average: 1.23, 1.45, 1.27
Re: [gentoo-user] [OT] tips on my 1st try at iptables?
Travis Osterman wrote:
> I've spent the weekend attempting to mold an old p3 400MHz machine into a firewall/router so I can replace my current Linksys box. Basically, I read the howtos at netfilter.org and the gentoo-home-router-howto and put together the following script for loading my rules. This meets the functionality I need at this point in the project (ssh access from inside and outside, port forwarding, and masquerading), but I'm not well versed on security concerns so I'm hoping a few experienced users could point out redundancies and potential security issues. Thanks in advance for taking the time to help.
>
> #!/bin/bash
> IPT=/sbin/iptables
> WAN_IFACE=eth0
> LAN_IFACE=eth1
> LAN_ADDY=192.168.0.0/24
>
> # flush and reset rules
> $IPT -F
> $IPT -t nat -F
> $IPT -t mangle -F
> $IPT -X
> $IPT -t nat -X
> $IPT -t mangle -X
> $IPT -P INPUT ACCEPT
> $IPT -P FORWARD ACCEPT
> $IPT -P OUTPUT ACCEPT
> $IPT -t nat -P PREROUTING ACCEPT
> $IPT -t nat -P POSTROUTING ACCEPT
> $IPT -t nat -P OUTPUT ACCEPT
> $IPT -t mangle -P PREROUTING ACCEPT
> $IPT -t mangle -P OUTPUT ACCEPT
>
> # begin rules
> $IPT -I INPUT 1 -i $LAN_IFACE -j ACCEPT
> $IPT -I INPUT 1 -i lo -j ACCEPT
> # DHCP and DNS are answered with a REJECT unless they come from the LAN
> $IPT -A INPUT -p UDP --dport bootps ! -i $LAN_IFACE -j REJECT
> $IPT -A INPUT -p UDP --dport domain ! -i $LAN_IFACE -j REJECT
> $IPT -A INPUT -m state --state NEW ! -i $WAN_IFACE -j ACCEPT
> $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> # the only service reachable from the WAN: ssh on the router itself
> $IPT -A INPUT --protocol tcp --dport 22 -i $WAN_IFACE -j ACCEPT
> $IPT -P INPUT DROP
> # redundant: the DROP policy just set already covers anything left
> $IPT -A INPUT ! -i $LAN_IFACE -j DROP
> # port forwards: WAN 80 -> web host, WAN 1022 -> ssh on the web host
> $IPT -A PREROUTING -t nat -p tcp -i $WAN_IFACE --dport 80 \
>     -j DNAT --to 192.168.0.20
> $IPT -A PREROUTING -t nat -p tcp -i $WAN_IFACE --dport 1022 \
>     -j DNAT --to 192.168.0.20:22
> $IPT -I FORWARD -i $LAN_IFACE -d $LAN_ADDY -j DROP
> $IPT -A FORWARD -i $LAN_IFACE -s $LAN_ADDY -j ACCEPT
> $IPT -A FORWARD -i $WAN_IFACE -d $LAN_ADDY -j ACCEPT
> $IPT -P FORWARD DROP
> $IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
>
> # enable reverse-path filtering on every interface (the redirect is what
> # writes the value; a bare "echo 1 $f" only prints to the terminal)
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>     echo 1 > "$f"
> done
>
> /etc/init.d/iptables save
>
> --
> Travis Osterman

Personally I found it much easier to use Shorewall. This is a firewall which does all the low-level iptables config and gives you more high-level access. Personally, since switching I have not used iptables rules at all. Search Google and have a look; you may find it more flexible than a script.
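Travis asked for redundancies and exposure to be pointed out, and /etc/init.d/iptables save leaves the live rule set on disk in iptables-save format (/var/lib/iptables/rules-save), which is a convenient thing to lint. The following Python script is an added example for this thread, not code from any poster, from the gentoo-home-router-howto or from netfilter: it parses that format and reports three things discussed above: INPUT ACCEPT rules a new connection arriving on the WAN interface can hit, trailing DROP rules that a DROP chain policy already covers (his final `-A INPUT -i ! $LAN_IFACE -j DROP`), and DNAT port forwards that no FORWARD ACCEPT lets through while the FORWARD policy is DROP. The embedded dump is constructed from his script with two constructed additions (a port 80 ACCEPT with no interface match and a DNAT to 10.9.8.7) so that each check has something to report; the WAN interface name is a parameter, and all function names are this example's own.

```python
"""Lint an iptables-save dump for what Travis asked about: WAN-reachable services, tail DROPs
a DROP policy already covers, and DNATs that no FORWARD ACCEPT lets through. Added example
for this thread: a hypothetical helper, not Gentoo or netfilter code."""
import ipaddress
import shlex

# Constructed sample modeled on Travis's script as iptables-save prints it (eth0 WAN, eth1 LAN),
# plus two constructed additions so every check fires: a port 80 ACCEPT with no -i, DNAT to 10.9.8.7.
SAMPLE_SAVE = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.20
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.9.8.7
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth1 -j ACCEPT
-A INPUT ! -i eth0 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i eth1 -j DROP
-A FORWARD -i eth1 -s 192.168.0.0/24 -j ACCEPT
-A FORWARD -i eth0 -d 192.168.0.0/24 -j ACCEPT
COMMIT
"""

def parse_save(text):
    """-> {table: {"policy": {chain: policy}, "rules": [(chain, argv), ...]}}"""
    tables, table = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A "):
            argv = shlex.split(line)
            table["rules"].append((argv[1], argv[2:]))
    return tables

def opt(argv, name):
    """Value of option `name` and whether it was negated ("! -i eth0")."""
    for i, tok in enumerate(argv):
        if tok == name and i + 1 < len(argv):
            return argv[i + 1], i > 0 and argv[i - 1] == "!"
    return None, False

def matches_iface(argv, iface):
    val, negated = opt(argv, "-i")
    return val is None or (val == iface) != negated  # "! -i x" matches every interface but x

def wan_exposed(tables, wan):
    """INPUT ACCEPT rules that a new connection arriving on `wan` can hit."""
    hits = []
    for chain, argv in tables["filter"]["rules"]:
        if chain != "INPUT" or opt(argv, "-j")[0] != "ACCEPT" or not matches_iface(argv, wan):
            continue
        if "NEW" not in (opt(argv, "--state")[0] or "NEW"):
            continue  # e.g. --state RELATED,ESTABLISHED: reply traffic, not an exposed service
        val, neg = opt(argv, "-i")
        iface = "any interface" if val is None else ("! " if neg else "") + val
        hits.append(f"{opt(argv, '-p')[0] or 'any'}/{opt(argv, '--dport')[0] or 'any'} on {iface}")
    return hits

def redundant_tail_drops(tables):
    """Trailing -j DROP rules in chains whose policy is already DROP."""
    filt, hits = tables["filter"], []
    for chain, policy in filt["policy"].items():
        rules = [argv for c, argv in filt["rules"] if c == chain]
        while policy == "DROP" and rules and opt(rules[-1], "-j")[0] == "DROP":
            hits.append((chain, " ".join(rules.pop())))
    return hits

def forward_covers(fwd, host, in_if):
    """Does FORWARD rule `fwd` match traffic to `host` that arrived on `in_if`?"""
    dst, neg = opt(fwd, "-d")
    in_net = dst is None or (host in ipaddress.ip_network(dst, strict=False)) != neg
    return in_net and (in_if is None or matches_iface(fwd, in_if))

def dnat_without_forward(tables):
    """DNAT targets (IPv4 host form) that no FORWARD ACCEPT covers while FORWARD policy is DROP."""
    filt, hits = tables["filter"], []
    if filt["policy"].get("FORWARD") != "DROP":
        return hits
    accepts = [a for c, a in filt["rules"] if c == "FORWARD" and opt(a, "-j")[0] == "ACCEPT"]
    for chain, argv in tables.get("nat", {"rules": []})["rules"]:
        if chain == "PREROUTING" and opt(argv, "-j")[0] == "DNAT":
            host = ipaddress.ip_address(opt(argv, "--to-destination")[0].split(":")[0])
            if not any(forward_covers(f, host, opt(argv, "-i")[0]) for f in accepts):
                hits.append(f"{host} (dport {opt(argv, '--dport')[0]})")
    return hits

def lint(text, wan="eth0"):
    tables = parse_save(text)
    return {"wan_exposed": wan_exposed(tables, wan), "redundant_tail_drops": redundant_tail_drops(tables),
            "dnat_without_forward": dnat_without_forward(tables)}

if __name__ == "__main__":
    print(lint(SAMPLE_SAVE))
```

On a real box run it as `lint(open("/var/lib/iptables/rules-save").read(), wan="eth0")`. The DNAT check is first-order: it only looks for an ACCEPT that covers the target and ignores an earlier FORWARD DROP that might shadow it, and it understands IPv4 host targets, not DNAT address ranges. Note that the ESTABLISHED,RELATED rule is deliberately not reported: it lets replies back in and does not expose a service by itself.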
Re: [gentoo-user] [OT] tips on my 1st try at iptables?
On Sun, 2005-05-29 at 20:03 -0500, Travis Osterman wrote:
> I've spent the weekend attempting to mold an old p3 400MHz machine into a firewall/router so I can replace my current Linksys box. Basically, I read the howtos at netfilter.org and the gentoo-home-router-howto and put together the following script for loading my rules.

Frankly, I've stopped trying to grok iptables but rather I use a frontend like shorewall. It's much simpler than doing it all by yourself. Perhaps you can take a look; perhaps you will like it?

> This meets the functionality I need at this point in the project (ssh access from inside and outside, port forwarding, and masquerading), but I'm not well versed on security concerns so I'm hoping a few experienced users could point out redundancies and potential security issues. Thanks in advance for taking the time to help.
>
> [script snipped]
>
> --
> Travis Osterman

-- 
Ow Mun Heng
Gentoo/Linux on DELL D600 1.4Ghz 1.5GB RAM
98% Microsoft(tm) Free!!
Neuromancer 17:18:11 up 2 days, 9:03, 8 users, load average: 0.95, 0.78, 1.10
Re: [gentoo-user] [OT] tips on my 1st try at iptables?
I tend to agree. I also tried to get a setup similar to what you have or want up and running. I got about 3/4 of the way there and no further :( I haven't had a chance to set up my firewall since then, but shorewall is definitely going to be my choice when I get round to it :P Its interface is a lot easier to use and to understand, especially when it comes to forwarding and such.

Cheers
Rav

On 5/30/05, Ow Mun Heng [EMAIL PROTECTED] wrote:
> On Sun, 2005-05-29 at 20:03 -0500, Travis Osterman wrote:
> > I've spent the weekend attempting to mold an old p3 400MHz machine into a firewall/router so I can replace my current Linksys box. Basically, I read the howtos at netfilter.org and the gentoo-home-router-howto and put together the following script for loading my rules.
>
> Frankly, I've stopped trying to grok iptables but rather I use a frontend like shorewall. It's much simpler than doing it all by yourself. Perhaps you can take a look; perhaps you will like it?
>
> > This meets the functionality I need at this point in the project (ssh access from inside and outside, port forwarding, and masquerading), but I'm not well versed on security concerns so I'm hoping a few experienced users could point out redundancies and potential security issues. Thanks in advance for taking the time to help.
> >
> > [script snipped]
> >
> > --
> > Travis Osterman
>
> --
> Ow Mun Heng
> Gentoo/Linux on DELL D600 1.4Ghz 1.5GB RAM
> 98% Microsoft(tm) Free!!
> Neuromancer 17:18:11 up 2 days, 9:03, 8 users, load average: 0.95, 0.78, 1.10
Re: [gentoo-user] [OT] tips on my 1st try at iptables?
Here is my /var/lib/iptables/rules-save:

# Generated by iptables-save v1.2.11 on Sat May 21 16:58:29 2005
*nat
:PREROUTING ACCEPT [29:1670]
:POSTROUTING ACCEPT [431:26255]
:OUTPUT ACCEPT [0:0]
[30:1841] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat May 21 16:58:29 2005
# Generated by iptables-save v1.2.11 on Sat May 21 16:58:29 2005
*mangle
:PREROUTING ACCEPT [16422:18018799]
:INPUT ACCEPT [16422:18018799]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13453:2622146]
:POSTROUTING ACCEPT [13453:2622146]
COMMIT
# Completed on Sat May 21 16:58:29 2005
# Generated by iptables-save v1.2.11 on Sat May 21 16:58:29 2005
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13453:2622146]
[440:320869] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -p icmp -j ACCEPT
# no -i match on the next three: these ports are accepted from eth0 as well as the LAN
[3:180] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
COMMIT
# Completed on Sat May 21 16:58:29 2005

I followed the guide here and it works great. Simple to set up.
http://gentoo-wiki.com/HOWTO_setup_a_home-server
Re: [gentoo-user] [OT] tips on my 1st try at iptables?
> Frankly, I've stopped trying to grok iptables but rather I use a frontend like shorewall. It's much simpler than doing it all by yourself.

I installed ipcop briefly (just to have a look) and between my LAN network card not being supported and the additional features I wanted to put on the box (squid, local portage mirror, ntp server, etc). The project is actually coming along quite nicely so far, thanks for all the tips.

-- 
Travis
Re: [gentoo-user] [OT] tips on my 1st try at iptables?
On Mon, 30 May 2005, Ow Mun Heng wrote:
> Frankly, I've stopped trying to grok iptables but rather I use a frontend like shorewall. It's much simpler than doing it all by yourself.

I prefer just plain iptables myself ;-)