IPTables Help

Printable View

July 10th, 2002, 11:05 PM
dAggressor

IPTables Help

I have RedHat 7.2 installed with 2.4.18 Kernel build with iptables support. I am trying to setup a firewall using iptables (getting away from ipchains) but seem to have a few problems.

It appears that the default policy of DROP overrules any exceptions I put in. For example, if I set the default policy for both input and output to drop then enter the following iptables commands.

iptables -A INPUT -i eth0 -p tcp -d 192.168.1.253 --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.253 --sport 22 -j ACCEPT

I cannot ssh to the server (192.168.1.253)after entering these rules. sshd is running and the server is listening on port 22. Any ideas?

dAggressor
--Anxiously awaits some light shed on this for me
July 10th, 2002, 11:37 PM
chefer

http://www.antionline.com/showthread...light=IPTables

This tutorial posted by one of our members, Str34m3r, should help you out.

Regards.

<edit> The first link I posted was geared toward someone that is running NAT and needing IPTables. For info on a stand alone machine : http://www.antionline.com/showthread...hreadid=230338

</edit>
July 11th, 2002, 12:09 AM
orgcandman

I'm confused on a few points.
1) why are you dropping all outgoing connections? Even though you are setting up a firewall,
shouldn't your firewall allow outbound traffic and disallow inbound traffic unless it's
established?

2) where are you connecting to this machine from? if you're connecting from the outside world,
all 192.168.xxx.yyy/24 packets are dropped. End of story. You can't route reserved packets
around the internet

if you're trying to allow ssh and outgoing connections, here's a script I would use:

#!/bin/bash
#Org's happy IPTables mini-nat firewall
# ok, it sucks...but guess what? it works...and any customizations you want to make, go
# ahead. -- orgcandman <[email protected]>

EXTERN='eth0'
INTERN='eth1'

#sourcenet is 192.168.0.0 netmask 255.255.255.0
SOURCENET='192.168.0.0/24'

#first let's get ready to do IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

#k, now let's flush previous chains..
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -X
iptables -F -t nat

#k, now let's set policies...
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#now let's make some default input allows
#allow ssh
iptables -A INPUT -i $(EXTERN) -p tcp --dport 22 -j ACCEPT

#allow certain inbound ICMP packets
iptables -A INPUT -i $(EXTERN) -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i $(EXTERN) -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i $(EXTERN) -p icmp --icmp-type echo-reply -j ACCEPT

#create stateful chain/table
iptables -N STATEFUL > /dev/null
iptables -F STATEFUL
#keep forwarding packets alive
iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
#and add if it's not on the outside world
iptables -A STATEFUL -m state --state NEW -i ! $(EXTERN) -j ACCEPT

#always trust ourself
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#open NAT
/sbin/iptables -t nat -A POSTROUTING -s $(SOURCENET) -o $(EXTERN) -j MASQUERADE

#push everything else to stateful
iptables -A INPUT -j STATEFUL

Hope this helps you...
July 11th, 2002, 12:41 AM
dAggressor

Chefer, thanks for the links. Right now I am doing a standalone machine until I get a grip on these IPTables so the second one helped a lot.

orgcandman, I am not allowing all outgoing traffic because I want to control what is allowed out. Viruses, trojans, etc etc may make it in one way or another but that doesn't mean that they can go out. Allowing ssh was just the first step in my configuration. I will definately allow more outbound traffic but not all outbound. I was connecting to the firewall from the internal 192.168.xxx.xxx network. I know that isn't routable. I was merely testing my rule before moving on to the next. Thanks for your script as well.

dAggressor