Is there a way, or a directory, where I can put the iptables rules? It is tedious to execute the commands every time I reboot.
jeremy

----- Original Message -----
From: Rafael 'Dido' Sevilla <[EMAIL PROTECTED]>
Date: Sun, 19 Oct 2003 15:57:05 +0800
To: Philippine Linux Users Group Mailing List <[EMAIL PROTECTED]>
Subject: Re: [plug] vulnerable server (Network Setting)

> On Sun, Oct 19, 2003 at 02:52:23PM +0800, smart penguin wrote:
> > Guys, thanks for the response. This is my present network setting:
> >
> > Server: (RH9, internal eth0 192.168.0.5, external eth0:
> > 203.204.202.11), the reason for having an external is because I have a
> > DSL connection.
> > Services: Samba, DNS, Squid, SSHd, Apache (for local, and
> > planning to implement outside web).
> >
>
> Much better. :)
>
> So let's get this straight. You're running your Linux box as a router,
> right? So definitely you'll want:
>
> iptables -t nat -A POSTROUTING -s 192.168.0.1 -j MASQUERADE
>
> and turn on IP forwarding in your sysctl.conf.
>
> > My ideal firewall would be:
> > (First, I need to know how to execute the command, and what files or
> > directory to put the command in)
>
> Read man iptables for more details. iptables-save can save your results
> in a file that may be used by the iptables initscript.
>
> > 1. to be able to connect the RH9 server to the internet safely without
> > the hassle of being paranoid.
>
> Start with this:
>
> iptables -t filter -A INPUT -p tcp --syn -j REJECT
> iptables -t filter -A INPUT -p udp -j REJECT
>
> This denies all incoming connections. The further rules we add below
> will relax this default policy as they get processed before these rules
> (they should appear at the bottom when you do iptables -t filter -L -n).
>
> You'll certainly want to allow DNS, so you have to add:
>
> iptables -t filter -I INPUT -p udp --sport 53 --dport 1024:65535 -j \
>   ACCEPT
> iptables -t filter -I INPUT -p udp --sport 1024:65535 --dport 53 -j \
>   ACCEPT
>
> > 2. to be able for all workstations to browse the internet through SQUID
> > without being DENIED by the firewall.
>
> iptables -t filter -I INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.5 \
>   --dport 3128 --syn -j ACCEPT
>
> assuming, of course, you use the default port 3128 for Squid.
>
> > 3. to be able to use mIRC, AudioGalaxy and Chikka from the
> > workstations, without jeopardizing the server and all the workstations
>
> This is a problem. I don't know what ports to open for AudioGalaxy and
> Chikka, but this ought to allow IRC through:
>
> iptables -t filter -I INPUT -p tcp -s 192.168.0.0/24 --dport 6661:6669 \
>   --syn -j ACCEPT
>
> > 4. to be able to connect to the RH9 server from the workstations using
> > SAMBA
>
> iptables -t filter -I INPUT -p udp -s 192.168.0.0/24 -d 192.168.0.5 \
>   --dport 137 -j ACCEPT
> iptables -t filter -I INPUT -p udp -s 192.168.0.0/24 -d 192.168.0.5 \
>   --dport 138 -j ACCEPT
> iptables -t filter -I INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.5 \
>   --dport 139 --syn -j ACCEPT
>
> > 5. to be able to have a working Apache locally with a secure server.
>
> iptables -t filter -I INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.5 \
>   --dport 80 --syn -j ACCEPT
> iptables -t filter -I INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.5 \
>   --dport 443 --syn -j ACCEPT
>
> > 6. and should I be able to buy a domain name and make Apache
> > available from outside, I would be confident that the RH9 server is AT
> > LEAST safe enough.
>
> When you're ready to do this, add:
>
> iptables -t filter -I INPUT -p tcp -s 0/0 -d 203.204.202.11 --dport 80 \
>   --syn -j ACCEPT
> iptables -t filter -I INPUT -p tcp -s 0/0 -d 203.204.202.11 --dport 443 \
>   --syn -j ACCEPT
>
> This will allow connections originating anywhere to connect to your
> 203.204.202.11 IP's http and https ports.
>
> But be forewarned that if you happen to run insecure content, e.g.
> broken or badly written CGI scripts, this won't help at all.
>
> > 7. to be able to connect through SSH from a PARTICULAR workstation
> > with the IP address 192.168.0.3
>
> iptables -t filter -I INPUT -p tcp -s 192.168.0.3 -d 192.168.0.5 \
>   --dport 22 --syn -j ACCEPT
>
> > For the above-mentioned requests, I would really appreciate the
> > help. Thank you all.
>
> No problem. :)
>
> So you can understand what all these rules mean, I suggest you look at
> the copious documentation for netfilter, some of which can be found here:
>
> http://www.netfilter.org/documentation/index.html
>
> Start with the networking concepts HOWTO there, then read the Andreasson
> tutorial.
>
> > jeremy
> >
> > P.S.
> >
> > I also need to know how I can reset the iptables/firewall
> > settings, in case I accidentally type the wrong thing or execute the
> > wrong command.
>
> iptables -t filter -F
>
> This will remove all iptables rules and leave your server open to all
> connections.
>
> iptables -t nat -F
>
> removes all NAT rules.
>
> --
> Philippine Linux Users' Group (PLUG) Mailing List
> [EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
> Official Website: http://plug.linux.org.ph
> Searchable Archives: http://marc.free.net.ph
> .
> To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
> .
> Are you a Linux newbie? To join the newbie list, go to
> http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
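The following is an added example, not code posted by anyone in the thread. It answers jeremy's persistence question with the mechanism Rafael points at (iptables-save / iptables-restore): the whole ruleset sketched in the reply is written as one iptables-restore file, which the RH9 iptables initscript loads at boot. Addresses are the ones from the thread (LAN 192.168.0.0/24, server 192.168.0.5, DSL side 203.204.202.11, ssh client 192.168.0.3); RULES_FILE, PUBLIC_WEB and the function names are this example's own assumptions. Two deliberate differences from the reply: the NAT rule masquerades the whole 192.168.0.0/24 (which the rest of the reply's rules assume) rather than the single host 192.168.0.1, and replies to the server's own DNS lookups are admitted with connection tracking (-m state) instead of accepting any UDP packet whose source port happens to be 53, since an attacker can choose that source port freely. Traffic the workstations send out to the Internet (item 3, IRC and friends) is forwarded rather than delivered to the server, and FORWARD is left at its default ACCEPT policy as in the thread, so it needs no INPUT rule.

```shell
#!/bin/sh
# Added example (not from the thread): Rafael's ruleset as an
# iptables-restore file, so it survives a reboot and can be reloaded
# with one command instead of being retyped.
# Addresses follow the thread; RULES_FILE and PUBLIC_WEB are assumptions.

LAN=192.168.0.0/24          # the workstations
SRV=192.168.0.5             # the RH9 box, internal address
EXT=203.204.202.11          # the RH9 box, DSL-side address
SSH_FROM=192.168.0.3        # the one workstation allowed to ssh in
RULES_FILE=${RULES_FILE:-/etc/sysconfig/iptables}   # read by RH9's iptables initscript
PUBLIC_WEB=${PUBLIC_WEB:-no}                        # set to yes once the domain is live

# Item 6 (web server reachable from the Internet), emitted only on request.
public_web_rules() {
    [ "$PUBLIC_WEB" = yes ] || return 0
    printf '%s\n' \
        "-A INPUT -p tcp -d $EXT --dport 80 --syn -j ACCEPT" \
        "-A INPUT -p tcp -d $EXT --dport 443 --syn -j ACCEPT"
}

# Print the complete ruleset in iptables-save format. Line order in the
# file is rule order in the chain, so the catch-all REJECTs come last.
# iptables-restore ignores blank lines and lines starting with '#'.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NAT for every workstation, not just 192.168.0.1
-A POSTROUTING -s $LAN -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (its own DNS lookups included),
# matched by connection tracking rather than by source port 53
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Queries from the LAN to the server's own DNS
-A INPUT -p udp -s $LAN -d $SRV --dport 53 -j ACCEPT
# Item 2: Squid
-A INPUT -p tcp -s $LAN -d $SRV --dport 3128 --syn -j ACCEPT
# Item 4: Samba
-A INPUT -p udp -s $LAN -d $SRV --dport 137:138 -j ACCEPT
-A INPUT -p tcp -s $LAN -d $SRV --dport 139 --syn -j ACCEPT
# Item 5: Apache for the LAN
-A INPUT -p tcp -s $LAN -d $SRV --dport 80 --syn -j ACCEPT
-A INPUT -p tcp -s $LAN -d $SRV --dport 443 --syn -j ACCEPT
# Item 7: ssh from one workstation only
-A INPUT -p tcp -s $SSH_FROM -d $SRV --dport 22 --syn -j ACCEPT
$(public_web_rules)
# Item 1: any other attempt to open a connection is rejected
# (--syn is TCP-only, so the UDP rule carries no --syn)
-A INPUT -p tcp --syn -j REJECT
-A INPUT -p udp -j REJECT
COMMIT
EOF
}

# Write the file, load it (iptables-restore replaces each table it lists,
# so reloading never stacks duplicate rules) and make it survive a reboot.
install_rules() {
    gen_rules > "$RULES_FILE"
    iptables-restore < "$RULES_FILE"
    chkconfig iptables on             # /etc/init.d/iptables loads $RULES_FILE at boot
    sysctl -w net.ipv4.ip_forward=1   # also put net.ipv4.ip_forward = 1 in /etc/sysctl.conf
}

# The reset from the P.S.: flush both tables, which leaves the box wide open.
reset_rules() {
    iptables -t filter -F
    iptables -t nat -F
}

case "${1:-print}" in
    print)   gen_rules ;;
    install) install_rules ;;
    reset)   reset_rules ;;
esac
```

Run it with no argument to review the generated file, and as root with `install` to load it and enable the initscript. If you would rather keep typing rules interactively, the RH9 initscript's `service iptables save` writes the currently loaded rules to the same /etc/sysconfig/iptables, which is the file the initscript restores at boot.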
