February 7th, 2005, 08:18 AM
#1
Help required: iptables
Hi all,
I have an SSH server and I want to use iptables to restrict other users on the network to accessing only the SSH service. For that I have written some rules using iptables. At the same time I want to block outbound access (of all types) except access to Squid (3128), but after that my browser is unable to connect to Squid. I'm posting my rules so that someone can help me.
Thanks
#!/bin/sh
iptables -F
iptables -A INPUT -p icmp -m state --state NEW -j ACCEPT
#Outbound Allow
iptables -A OUTPUT -p tcp -d XXX.XXX.XXX.XXX --dport 3128 --tcp-flags SYN,FIN,ACK SYN -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 1:65535 -j REJECT
#SSH Input Allow
iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ! 22 -j DROP
iptables -A INPUT -p tcp --dport ! 3128 --tcp-flags SYN,FIN,ACK SYN -j DROP
/etc/init.d/iptables restart
I'm using Red Hat 9.
Excuse me, is there an airport nearby large enough for a private jet to land?
-
February 7th, 2005, 06:04 PM
#2
I'm sober, so I'm not sure I can help... but I'll try, although I am not going too far into this.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
allows input into the box on the normal SSH port (do you need this from Internet-facing devices? If not, you may want to restrict it to only one interface, say eth1 if that is facing your LAN). Also unsure why you use "state" here, but....
iptables -A INPUT -p tcp --dport ! 22 -j DROP
drops everything not destined for the SSH port... so everything else gets dropped and will never reach the line below. Connections to port 3128 will be dropped before they reach the rule.
iptables -A INPUT -p tcp --dport ! 3128 --tcp-flags SYN,FIN,ACK SYN -j DROP
You might also include your default rules of DENY all, but maybe you're waiting until you get it working?
Are the SSH and Squid servers on the same box?
I’m not sure exactly what you are trying to achieve here.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
February 8th, 2005, 02:51 AM
#3
-
February 8th, 2005, 03:00 AM
#4
Yes, your description is not terribly clear. You want to block outbound access...from where? From the SSH server? From the network? It doesn't appear that this server has multiple NICs, so I don't see a lot of benefit from using Squid...unless you are bouncing traffic through this server and out onto the 'Net with Squid (Barnicles! That'd be a configuration nightmare).
Maybe a simple network map could help us. The cloud, the Linux server (or *BSD or whatever), and your workstation.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
February 8th, 2005, 05:18 AM
#5
Hi, thanks for the reply.
Actually I have installed Squid on machine one, which is connected to the Internet and has two NICs, and the SSH server is installed on another machine. I want to block all types of inbound traffic on the SSH server except SSH. At the same time the SSH server's outbound traffic should go only to the internal (trusted) interface of the Squid box, so that the SSH server can only access the HTTP proxy for the Internet. This is the scenario in my case.
Thanks
-
February 8th, 2005, 05:20 AM
#6
Have you checked your default policies?
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
but I'd prefer to disallow everything, then start allowing only the things I need:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 3128 --tcp-flags SYN,FIN,ACK SYN -j ACCEPT
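The following is an added example (not code posted in this thread) of a complete filter-table script for the stand-alone SSH box described in post #5: inbound only SSH, outbound only to the Squid proxy, default DROP in every chain as post #6 suggests, and a LOG line for whatever falls through. It also shows why the browser in post #1 could not reach Squid: that OUTPUT rule used --tcp-flags SYN,FIN,ACK SYN, which matches only the first SYN of a connection, so the handshake ACK and every data packet fell through to the REJECT rule, and the INPUT rule "--dport ! 22 -j DROP" dropped Squid's SYN-ACK, which comes back to an ephemeral port rather than to port 22. The cure is a stateful ESTABLISHED,RELATED rule in each chain ahead of the per-port rules. SQUID_IP and LAN_IF are placeholder values to be replaced; the script only prints the commands unless APPLY=1 is set, so it can be reviewed without root.

```shell
#!/bin/sh
# Host firewall for a stand-alone SSH box: inbound SSH only, outbound only to
# the Squid proxy. Added example, not code from this thread.
# Assumed/placeholder values: SQUID_IP (trusted internal address of the Squid
# box) and LAN_IF (the SSH box's single NIC). Replace them for real use.
SQUID_IP="${SQUID_IP:-192.168.1.1}"
SQUID_PORT="${SQUID_PORT:-3128}"
LAN_IF="${LAN_IF:-eth0}"

# Dry run by default: print the commands instead of loading them.
# APPLY=1 switches to the real binary (needs root).
if [ "${APPLY:-0}" = "1" ]; then
    IPT="/sbin/iptables"
else
    IPT="echo iptables"
fi

# Small wrapper so every rule goes through the same dry-run switch.
ipt() { $IPT "$@"; }

ssh_box_firewall() {
    # Start from a clean filter table.
    ipt -F
    ipt -X

    # Default deny in every chain, so nothing below relies on ACCEPT defaults
    # and no catch-all REJECT rule is needed at the end.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Loopback traffic is needed by local services.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Stateful rules first: replies and continuation packets of any accepted
    # connection pass in both directions. Without these, the client's handshake
    # ACK and data packets (not SYN-only) and the server's SYN-ACK (addressed to
    # an ephemeral port, not 22) are dropped, which is the failure in post #1.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound: only new SSH connections, only on the LAN interface.
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Outbound: only new connections to the proxy; everything else (DNS, direct
    # HTTP, SMTP, ...) is dropped. Add rules here if the box needs more.
    ipt -A OUTPUT -o "$LAN_IF" -p tcp -d "$SQUID_IP" --dport "$SQUID_PORT" \
        -m state --state NEW -j ACCEPT

    # Log what reaches the end of the chain before the DROP policy eats it.
    ipt -A INPUT -j LOG --log-level info --log-prefix "input_drop: "
    ipt -A OUTPUT -j LOG --log-level info --log-prefix "output_drop: "
}

ssh_box_firewall
```

Run it as "sh firewall.sh" to review the generated rules, and as root with "APPLY=1 sh firewall.sh" to load them. Because the policies are DROP, the ordering matters: the ESTABLISHED,RELATED rules sit ahead of the port-specific NEW rules, and the LOG rules sit last so that only packets that are about to be dropped get logged.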
-
February 8th, 2005, 09:41 AM
#7
As I see it, you have one box that is being used as a gateway which you want to ssh into; that box is connected directly to another running squid. The Squid box is the only box connected directly to the internet. Is that correct? Using this assumption:
(BTW, it's late, I just got back from the airport, and I'm getting drunk)
No way am I going into setting up ssh and squid here ... or why you are doing it this way.
I slapped together something that may be what you are looking for, but it is intended only as a starting point!
1) This is the start of the firewall for the ssh/gateway box, NOT a complete firewall
2) It does not take into consideration https, ICMP requests/replies, FTP requests, etc.
3) You MUST also have a properly configured firewall protecting the squid box.
4) This is a script file to be run after iptables has started. There is no need to restart iptables after running this script (you had "/etc/init.d/iptables restart" in your original); why?
5) I guess you already know, but just in case, the file must be executable and have the proper permissions.
This is hard enough, but I get the feeling that English is a second language for you.
Go through the following carefully and know what it is doing before you try to use it. If not, go back to the iptables (Netfilter) site and read through the documentation available.
There are also a few things thrown in here not related that may be worth investigating.
Good Luck, hope it puts you on the right track. And if I made a mistake, anybody, please correct me.
#!/bin/sh
#
echo Configuring IpTables firewall
#
# LOCALHOSTIP="127.0.0.1/32"
# INTERNET Interface="eth0"
# LAN Interface="eth1"
iptables="/sbin/iptables"
/sbin/depmod -a
# – below you would load any helpers needed that were built as modules and not into the kernel
# examples:
/sbin/modprobe ipt_LOG
echo ipt_LOG
/sbin/modprobe iptable_filter
echo iptable_filter
/sbin/modprobe ipt_state
echo ipt_state
# ------ [ Flush and set default policies ] ------------------ #
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -X
iptables -t nat -F
iptables -t nat -X
# ------Set default policies for packets going through this firewall box-------- #
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# set http requests to your gateway box to be sent to your squid box at port 3128
# change it to dport 3128 if you want to configure each client machine to use the proxy
# and not do it transparently
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to XXX.XXX.XXX.XXX:3128
# - oh, change XXX.XXX.XXX.XXX to the IP of your squid box
# -------- Bulk of INPUT table -------- #
# Allow ssh to the firewall box from the Internal network
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
# -------- Bulk of OUTPUT table -------- #
# you said nothing about what should go here — you will need to fill in
# this is output of the ssh server, NOT things forwarded to the squid box
# -- BLANK --
# -------- Bulk of FORWARD table -------- #
# – here is the tricky part – in built-in PREROUTING table you DNATed the port, but
# - you must now allow it in the forward table, which it will hit, to continue on its journey
iptables -A FORWARD -i eth1 -p tcp --dport 3128 -j ACCEPT
# - now allow connections to traverse the firewall
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ---log all packets that hit the default policy ---- #
iptables -A INPUT -j LOG --log-level info --log-prefix "input_default_drop: "
iptables -A OUTPUT -j LOG --log-level info --log-prefix "output_default_drop: "
iptables -A FORWARD -j LOG --log-level info --log-prefix "forward_default_drop: "
# ---------------------- Activate the forwarding----------------- #
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo tcp_syncookies
echo Firewall loaded