July 10th, 2002, 11:05 PM
I have RedHat 7.2 installed with 2.4.18 Kernel build with iptables support. I am trying to setup a firewall using iptables (getting away from ipchains) but seem to have a few problems.
It appears that the default policy of DROP overrules any exceptions I put in. For example, if I set the default policy for both input and output to drop then enter the following iptables commands.
iptables -A INPUT -i eth0 -p tcp -d 192.168.1.253 --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.253 --sport 22 -j ACCEPT
I cannot ssh to the server (192.168.1.253)after entering these rules. sshd is running and the server is listening on port 22. Any ideas?
--Anxiously awaits some light shed on this for me
It\'s a long life, until you die
July 10th, 2002, 11:37 PM
This tutorial posted by one of our members, Str34m3r, should help you out.
<edit> The first link I posted was geared toward someone that is running NAT and needing IPTables. For info on a stand alone machine : http://www.antionline.com/showthread...hreadid=230338
\"I believe that you can reach the point where there is no longer any difference between developing the habit of pretending to believe and developing the habit of believing.\"
July 11th, 2002, 12:09 AM
I'm confused on a few points.
1) why are you dropping all outgoing connections? Even though you are setting up a firewall,
shouldn't your firewall allow outbound traffic and disallow inbound traffic unless it's
2) where are you connecting to this machine from? if you're connecting from the outside world,
all 192.168.xxx.yyy/24 packets are dropped. End of story. You can't route reserved packets
around the internet
if you're trying to allow ssh and outgoing connections, here's a script I would use:
#Org's happy IPTables mini-nat firewall
# ok, it sucks...but guess what? it works...and any customizations you want to make, go
# ahead. -- orgcandman <firstname.lastname@example.org>
#sourcenet is 192.168.0.0 netmask 255.255.255.0
#first let's get ready to do IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
#k, now let's flush previous chains..
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
#k, now let's set policies...
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#now let's make some default input allows
iptables -A INPUT -i $(EXTERN) -p tcp --dport 22 -j ACCEPT
#allow certain inbound ICMP packets
iptables -A INPUT -i $(EXTERN) -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i $(EXTERN) -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i $(EXTERN) -p icmp --icmp-type echo-reply -j ACCEPT
#create stateful chain/table
iptables -N STATEFUL > /dev/null
iptables -F STATEFUL
#keep forwarding packets alive
iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
#and add if it's not on the outside world
iptables -A STATEFUL -m state --state NEW -i ! $(EXTERN) -j ACCEPT
#always trust ourself
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s $(SOURCENET) -o $(EXTERN) -j MASQUERADE
#push everything else to stateful
iptables -A INPUT -j STATEFUL
Hope this helps you...
\"I don\'t care what you learned in C++ class today, you never let your friends touch your private parts.\"
July 11th, 2002, 12:41 AM
Chefer, thanks for the links. Right now I am doing a standalone machine until I get a grip on these IPTables so the second one helped a lot.
orgcandman, I am not allowing all outgoing traffic because I want to control what is allowed out. Viruses, trojans, etc etc may make it in one way or another but that doesn't mean that they can go out. Allowing ssh was just the first step in my configuration. I will definately allow more outbound traffic but not all outbound. I was connecting to the firewall from the internal 192.168.xxx.xxx network. I know that isn't routable. I was merely testing my rule before moving on to the next. Thanks for your script as well.
It\'s a long life, until you die