Results 1 to 7 of 7

Thread: help required ip tables

  1. #1
    Senior Member
    Join Date
    May 2004
    Posts
    274

    help required ip tables

    Hi all,
    i have a ssh server and i want to use iptables to restrict other users over network to access only ssh service for that i have written some rules using iptables at the same time i want to block outbound access (all type) except access to squid (3128) but after that my browser is unable to connect to the squid. I m posting my rules so that someone can help me
    Thanks

    #!/bin/sh

    iptables -F

    iptables -A INPUT -p icmp -m state --state NEW -j ACCEPT

    #Outbound Allow
    iptables -A OUTPUT -p tcp -d XXX.XXX.XXX.XXX --dport 3128 --tcp-flags SYN,FIN,ACK SYN -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 1:65535 -j REJECT

    #SSH Input Allow
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    iptables -A INPUT -p tcp --dport ! 22 -j DROP

    iptables -A INPUT -p tcp --dport ! 3128 --tcp-flags SYN,FIN,ACK SYN -j DROP

    /etc/init.d/iptables restart
    I m using red hat 9.
    Excuse me, is there an airport nearby large enough for a private jet to land?

  2. #2
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    I’m sobber, so I’m not sure I can help . ..but I try, although I am not going too far into this.

    iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    allows input into the box on the normal ssh port ( do you need this from internet facing devices ? If not you may want to restrict it to only one, say eth1 if that is facing your LAN ) Also unsure why you use the "state" here, but ....

    iptables -A INPUT -p tcp --dport ! 22 -j DROP

    drops everything not destined for ssh port ... so everything else gets dropped ... will never reach the line below. Connections to port 3128 will be dropped before they reach the rule.


    iptables -A INPUT -p tcp --dport ! 3128 --tcp-flags SYN,FIN,ACK SYN -j DROP

    You might also include you default rules of DENY all, but maybe your waiting until you get it working ?

    Are the ssh and squid servers on the same box ???

    I’m not sure exactly what you are trying to achieve here.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  3. #3
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  4. #4
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Yes, your description is not terribly clear. You want to block outbound access...from where? From the SSH server? From the network? It doesn't appear that this server has multiple NICs, so I don't see a lot of benefit from using Squid...unless you are bouncing traffic through this server and out onto the 'Net with Squid (Barnicles! That'd be a configuration nightmare).

    Maybe a simple network map could help us. The cloud, the Linux server (or *BSD or whatever), and your workstation.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  5. #5
    Senior Member
    Join Date
    May 2004
    Posts
    274
    hi, thanks for the reply
    actually i have installed squid on machine one which is connected to the internet having two nics and SSH server is installed on another machine. I want to black all type of inbound traffic on ssh server except ssh.At the same time the SSH server outbound should be the internal interface(trusted) of the squid so that ssh server can only access HTTP proxy for internet. This is the scenario in my case.

    Thanks
    Excuse me, is there an airport nearby large enough for a private jet to land?

  6. #6
    have you checked your default policies?
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT

    but id prefer to disallow everthing then start allowing only the things i need

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 3128 --tcp-flags SYN,FIN,ACK SYN -j ACCEPT

  7. #7
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    As I see it, you have one box that is being used as a gateway which you want to ssh into; that box is connected directly to another running squid. The Squid box is the only box connected directly to the internet. Is that correct? Using this assumption:
    ( BTW, its late, just got back from the airport, and I’m getting drunk )
    No way am I going into setting up ssh and squid here ... or why you are doing it this way.

    I slapped together something that may be what you are looking for, but it is intended only as a starting point!

    1) This is the start of the firewall for the ssh/gateway box, NOT a complete firewall

    2) It does not take into consideration https, ICMP requests/replies, FTP requests, etc.

    3) You MUST also have a properly configured firewall protecting the squid box.

    4) this is a script file to be run after iptables has started. There is no need to restart iptables after running this script. ( you had in your original “/etc/init.d/iptables restart” ) why ?

    5) guess you already know, but just in case, the file must be executable and have the proper permissions.


    This is hard enough, but I get the feeling that English is a second language for you.
    Go through the following carefully, know what it is doing before you try to use it. If not, go back to the iptables( Netfilter ) site, read through the documentation available.
    There are also a few things thrown in here not related that may be worth investigating.

    Good Luck, hope it puts you on the right track. And if I made a mistake, anybody, please correct me.

    #!/bin/sh
    #
    echo Configuring IpTables firewall
    #
    # LOCALHOSTIP="127.0.0.1/32"
    # INTERNET Interface="eth0"
    # LAN Interface="eth1"
    iptables="/sbin/iptables"
    /sbin/depmod -a
    # – below you would load any helpers needed that were built as modules and not into the kernel
    # examples:
    /sbin/modprobe ipt_LOG
    echo ipt_LOG
    /sbin/modprobe iptable_filter
    echo iptable_filter
    /sbin/modprobe ipt_state
    echo ipt_state
    # ------ [ Flush and set default policies ] ------------------ #
    iptables -F
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    # ------Set default policies for packets going through this firewall box-------- #
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    # set http requests to your gatway box to be sent to your squid box at port 3128
    # change it to dport 3128 if you want to configure each client machine to use the proxy
    # and not do it transparently
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to XXX.XXX.XXX.XXX:3128
    # - oh, change XXX.XXX.XXX.XXX to the IP of your squid box

    # -------- Bulk of INPUT table -------- #
    # Allow ssh to the firewall box from the Internal network
    iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

    # -------- Bulk of OUTPUT table -------- #
    # you said nothing about what should go here — you will need to fill in
    # this is output of the ssh server, NOT things forwarded to the squid box
    # -- BLANK --

    # -------- Bulk of FORWARD table -------- #
    # – here is the tricky part – in built-in PREROUTING table you DNATed the port, but
    # - you must now allow it in the forward table, whcih it will hit, to continue on its journey
    iptables -A FORWARD -i eth1 -p tcp --dport 3128 -j ACCEPT
    # - now allow connections to traverse the firewall
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ---log all packets that hit the default policy ---- #
    iptables -A INPUT -j LOG --log-level info --log-prefix "input_default_drop: "
    iptables -A OUTPUT -j LOG --log-level info --log-prefix "output_default_drop: "
    iptables -A FORWARD -j LOG --log-level info --log-prefix "forward_default_drop: "
    # ---------------------- Activate the forwarding----------------- #
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    echo tcp_syncookies
    echo Firewall loaded
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •