
Thread: Iptables:Simple firewall questions

  1. #11
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Yup. I use it all the time. I only use it for iptables and the linksys/sveasoft firmware though.
    Thanks, it looks interesting enough. I'm sure I can look at how it sets up IPTables and compare it with what I already have.

    cheers
    Connection refused, try again later.

  2. #12
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    even putting dports or sports later in the command seems to work (where I have them), is there a reason to change them?
    At first glance I was with cacosapo on this one. But after reviewing, your syntax seems correct. His is not.

    In defense of cacosapo the man pages are a bit misleading.

    If you want to know if your rule works, after you load it try

    "iptables --list -n --line-numbers -v" to test the chain.

    I do agree, some "stateful" inspection may indeed be appropriate. (You didn't by any chance "grow up" on IPFWADM?)

    You said this is a workstation. Are you sharing files on this box with others on the LAN?
    If not, why open those ports to everyone on the LAN? Why not just open them up outbound to the (SAMBA) server and use "--state" to maintain the connection? I assume there will be M$ boxes there, and if they get infected with a virus or worm that searches for those open ports:
    1) if they are closed and logged, you will have evidence of an infection or misconfiguration on your LAN (like my son's Win2k box that broadcasts to the LAN)
    2) if they are open and these bastards write a virus that also spreads to *nix boxes through file sharing, etc., you're F***.

    I think you get my point.

    To say the least, you may also want to include the following as the last rules (you already set the default policies in the beginning):

    # ---log all packets that hit the default policy ---- #
    iptables -A INPUT -j LOG --log-level info --log-prefix "input_default_drop: "
    iptables -A OUTPUT -j LOG --log-level info --log-prefix "output_default_drop: "
    iptables -A FORWARD -j LOG --log-level info --log-prefix "forward_default_drop: "

    Also, I find it useful when building a new firewall from scratch to log everything.
    So, for example, your one rule would become two:
    iptables -A INPUT -m multiport -p tcp -s 123.123.0.0/16 --dports 139,445,110 -j LOG --log-level info --log-prefix "MS-SMB-mail_in: "
    iptables -A INPUT -m multiport -p tcp -s 123.123.0.0/16 --dports 139,445,110 -j ACCEPT

    Once you see a rule is working and you no longer need it for debugging you can either comment out the log rule or delete it.

    Hope this helped!
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  3. #13
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    At first glance I was with cacosapo on this one. But after reviewing, your syntax seems correct. His is not.
    I don't think so.
    - tags are parameters and -- are subparameters.
    Although the iptables command processor can recognize misplaced subtags, it's advisable to keep them following the parameters. And this is more important for --source-port, --destination-port and --port, because those sub-tags can be used in several places (e.g. they are subtags of -m multiport, -p tcp, etc.)
    In Irongeek's case, since he wrote subtags with commas, iptables command processor was able to detect that --dport is a -m multiport subtag and not a -p tcp subtag.
    Sometimes that can be a mess.
    Irongeek, I also suggest that you use service names instead of ports. The usage of service names makes the config more readable. iptables will look up the /etc/services file to resolve the name-to-port translation.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  4. #14
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Thanks folks. I've never played with IPFWADM, it was a little before my time where Linux is concerned. The box in question also serves files to others so I needed the ports dealing with SMB open. I'll be continuing to play with iptables some more.

  5. #15
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    Yes cacosapo I agree, but ...
    run the following,

    #!/bin/sh
    #
    iptables -F
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -X
    iptables -t mangle -F
    iptables -t nat -F
    iptables -t mangle -X
    iptables -t nat -X
    # ------Set default policies for packets going through this firewall box-------- #
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    #--------------------------------------------------------------------------------------
    iptables -A INPUT -m multiport --dports 139,445,110 -p tcp -s 123.123.0.0/16 -j ACCEPT
    iptables -A OUTPUT -m multiport --sports 139,445,110 -p tcp -s 123.123.0.0/16 -j ACCEPT
    #--------------------------------------------------------------------------------------
    # ---log all packets that hit the default policy ---- #
    iptables -A INPUT -j LOG --log-level info --log-prefix "input_default_drop: "
    iptables -A OUTPUT -j LOG --log-level info --log-prefix "output_default_drop: "
    iptables -A FORWARD -j LOG --log-level info --log-prefix "forward_default_drop: "
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    echo tcp_syncookies
    what I get is:
    iptables v1.2.11: multiport needs `-p tcp' or `-p udp'
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.2.11: multiport needs `-p tcp' or `-p udp'
    Try `iptables -h' or 'iptables --help' for more information.
    tcp_syncookies
    And listing the rules after running this gives only the default drops.
    I only tried this on this version (default for updated Fedora 3), haven't tried it on newer versions. I also like using "!" to make things simpler, but the multiport module had some problems with that in certain versions (1.3.0.rc1?)
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
