Thread: IPTables Help

  1. #1
    Join Date
    Jul 2001

    Question IPTables Help

    I have RedHat 7.2 installed with 2.4.18 Kernel build with iptables support. I am trying to setup a firewall using iptables (getting away from ipchains) but seem to have a few problems.

    It appears that the default policy of DROP overrules any exceptions I put in. For example, I set the default policy for both INPUT and OUTPUT to DROP and then enter the following iptables commands:

    iptables -A INPUT -i eth0 -p tcp -d --dport 22 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp -s --sport 22 -j ACCEPT

    I cannot ssh to the server ( entering these rules. sshd is running and the server is listening on port 22. Any ideas?

    --Anxiously awaits some light shed on this for me

    It's a long life, until you die

  2. #2
    Senior Member
    Join Date
    Apr 2002

    This tutorial posted by one of our members, Str34m3r, should help you out.


    <edit> The first link I posted was geared toward someone that is running NAT and needing IPTables. For info on a stand alone machine : http://www.antionline.com/showthread...hreadid=230338

    "I believe that you can reach the point where there is no longer any difference between developing the habit of pretending to believe and developing the habit of believing."

  3. #3
    Junior Member
    Join Date
    Nov 2001
    I'm confused on a few points.
    1) why are you dropping all outgoing connections? Even though you are setting up a firewall,
    shouldn't your firewall allow outbound traffic and disallow inbound traffic unless it's

    2) where are you connecting to this machine from? if you're connecting from the outside world,
    all 192.168.xxx.yyy/24 packets are dropped. End of story. You can't route reserved packets
    around the internet

    if you're trying to allow ssh and outgoing connections, here's a script I would use:

    #Org's happy IPTables mini-nat firewall
    # ok, it sucks...but guess what? it works...and any customizations you want to make, go
    # ahead. -- orgcandman <orgcandman@users.sourceforge.net>

    #set these two for your own box (the values below are placeholders):
    #EXTERN is the outside interface, SOURCENET is the inside network/netmask
    EXTERN=eth0
    SOURCENET=192.168.0.0/24

    #first let's get ready to do IP forwarding
    echo "1" > /proc/sys/net/ipv4/ip_forward

    #k, now let's flush previous chains..
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -t mangle -F
    iptables -X
    iptables -t nat -F

    #k, now let's set policies...
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    #now let's make some default input allows
    #(shell variables are written ${EXTERN}; $(EXTERN) would try to run a command named EXTERN)
    #allow ssh
    iptables -A INPUT -i ${EXTERN} -p tcp --dport 22 -j ACCEPT

    #allow certain inbound ICMP packets
    iptables -A INPUT -i ${EXTERN} -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A INPUT -i ${EXTERN} -p icmp --icmp-type time-exceeded -j ACCEPT
    iptables -A INPUT -i ${EXTERN} -p icmp --icmp-type echo-reply -j ACCEPT

    #create stateful chain/table (-N complains on stderr if the chain already exists)
    iptables -N STATEFUL 2> /dev/null
    iptables -F STATEFUL
    #keep forwarding packets alive
    iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
    #and accept new connections only if they did not come in on the outside interface
    iptables -A STATEFUL -m state --state NEW ! -i ${EXTERN} -j ACCEPT

    #always trust ourself
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    #open NAT (masquerade the inside network on the outside interface)
    /sbin/iptables -t nat -A POSTROUTING -s ${SOURCENET} -o ${EXTERN} -j MASQUERADE

    #push everything else to stateful
    iptables -A INPUT -j STATEFUL
    Hope this helps you...
    "I don't care what you learned in C++ class today, you never let your friends touch your private parts."

  4. #4
    Join Date
    Jul 2001
    Chefer, thanks for the links. Right now I am doing a standalone machine until I get a grip on these IPTables so the second one helped a lot.

    orgcandman, I am not allowing all outgoing traffic because I want to control what is allowed out. Viruses, trojans, etc. may make it in one way or another, but that doesn't mean that they can go out. Allowing ssh was just the first step in my configuration. I will definitely allow more outbound traffic, but not all outbound. I was connecting to the firewall from the internal 192.168.xxx.xxx network. I know that isn't routable. I was merely testing my rule before moving on to the next. Thanks for your script as well.


    It's a long life, until you die
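A stand-alone ruleset of the kind the original poster describes in #4 (DROP by default on both INPUT and OUTPUT, ssh in, only chosen traffic out), as an added example that is not from any post in this thread. It assumes eth0 as the external interface and 192.168.1.0/24 as the admin network (placeholders), and the IPTABLES variable lets you preview the commands with IPTABLES=echo before running them as root.

```shell
#!/bin/sh
# Added example (not from the thread): a stand-alone host ruleset with DROP
# as the default policy on both INPUT and OUTPUT. Inbound ssh is allowed;
# everything else passes only as a reply to a connection this host already
# tracks, so outbound traffic stays under explicit control.
# Assumptions (placeholders): external interface eth0, admin network
# 192.168.1.0/24. Set IPTABLES=echo to print the commands instead of applying.
IPTABLES="${IPTABLES:-iptables}"

apply_standalone_rules() {
    ext="$1"        # external interface, e.g. eth0
    adminnet="$2"   # network allowed to open ssh sessions, e.g. 192.168.1.0/24

    # Start clean: flush rules and delete user-defined chains.
    "$IPTABLES" -F
    "$IPTABLES" -X

    # DROP by default in both directions; FORWARD is unused on a stand-alone host.
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P OUTPUT DROP
    "$IPTABLES" -P FORWARD DROP

    # Loopback is always trusted.
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

    # Replies to tracked connections pass both ways. This is what lets sshd
    # answer without a separate --sport 22 rule, and it has to be present
    # before the OUTPUT DROP policy is relied on.
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New inbound ssh, only from the admin network.
    "$IPTABLES" -A INPUT -i "$ext" -p tcp -s "$adminnet" --dport 22 \
        -m state --state NEW -j ACCEPT

    # Outbound: only what is explicitly allowed (DNS and HTTP here). Anything
    # else a local program tries to open is logged, then dropped by the policy.
    "$IPTABLES" -A OUTPUT -o "$ext" -p udp --dport 53 -m state --state NEW -j ACCEPT
    "$IPTABLES" -A OUTPUT -o "$ext" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    "$IPTABLES" -A OUTPUT -j LOG --log-prefix "OUTPUT-DROP: "
}

# Uncomment to apply on a real host (needs root); with IPTABLES=echo set,
# the call only prints the rules it would load.
# apply_standalone_rules eth0 192.168.1.0/24
```

Because the ESTABLISHED,RELATED rules are added right after the policies, an existing ssh session survives a reload after at most a retransmit or two.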
