Thanks, it looks interesting enough. I'm sure I can look at how it sets up IPTables and compare it with what I already have.
Quote:
Yup. I use it all the time. I only use it for iptables and the linksys/sveasoft firmware though.
cheers
At first glance I was with cacosapo on this one. But after reviewing, your syntax seems correct. His is not.
Quote:
even putting dports or sports later in the command seems to work (where I have them), is there a reason to change them?
In defense of cacosapo the man pages are a bit misleading.
If you want to know if your rule works, after you load it try
"iptables --list -n --line-numbers -v" to test chain
I do agree, some "stateful" inspection may indeed be appropriate. (You didn't by any chance "grow up" on IPFWADM?)
You said this is a workstation. Are you sharing files on this box with others on the LAN?
If not, why open those ports to everyone on the LAN? Why not just open them up outbound to the (SAMBA) server and use "--state" to maintain the connection? I assume there will be M$ boxes there, and if they get infected with a virus or worm that searches for those open ports:
1) if they are closed and logged, you will have evidence of an infection or misconfiguration on your LAN (like my son's Win2k box that broadcasts to the LAN)
2) if they are open and these bastards write a virus that also spreads to *nix boxes through file sharing, etc., you're F***.
I think you get my point.
To say the least, you may also want to include the following as the last rules (you already set the default policies in the beginning):
# ---log all packets that hit the default policy ---- #
iptables -A INPUT -j LOG --log-level info --log-prefix "input_default_drop: "
iptables -A OUTPUT -j LOG --log-level info --log-prefix "output_default_drop: "
iptables -A FORWARD -j LOG --log-level info --log-prefix "forward_default_drop: "
Also, I find it useful when building a new firewall from scratch to log everything.
So, for example, your one rule would become two:
iptables -A INPUT -m multiport -p tcp -s 123.123.0.0/16 --dports 139,445,110 -j LOG --log-level info --log-prefix "MS-SMB-mail_in: "
iptables -A INPUT -m multiport -p tcp -s 123.123.0.0/16 --dports 139,445,110 -j ACCEPT
Once you see a rule is working and you no longer need it for debugging you can either comment out the log rule or delete it.
Hope this helped!
I don't think so.
Quote:
At first glance I was with cacosapo on this one. But after reviewing, your syntax seems correct. His is not.
- tags are parameters and -- are subparameters.
Although the iptables command processor can recognize misplaced subtags, it's advisable to keep them following the parameters. And this is more important for --source-port, --destination-port and --port, because those sub-tags can be used in several places (e.g. they are subtags of -m multiport, -p tcp, etc.)
In Irongeek's case, since he wrote subtags with commas, iptables command processor was able to detect that --dport is a -m multiport subtag and not a -p tcp subtag.
Sometimes that can be a mess.
Irongeek, I suggest also that you use service names instead of ports. The usage of service names makes the config more readable. iptables will look up the /etc/services file to resolve the name-to-port translation.
Thanks folks. I've never played with IPFWADM, it was a little before my time where Linux is concerned. The box in question also serves files to others so I needed the ports dealing with SMB open. I'll be continuing to play with iptables some more.
Yes cacosapo, I agree, but ...
Run the following,
what I get is:
Quote:
#!/bin/sh
#
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -X
iptables -t mangle -F
iptables -t nat -F
iptables -t mangle -X
iptables -t nat -X
# ------Set default policies for packets going through this firewall box-------- #
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#--------------------------------------------------------------------------------------
iptables -A INPUT -m multiport --dports 139,445,110 -p tcp -s 123.123.0.0/16 -j ACCEPT
iptables -A OUTPUT -m multiport --sports 139,445,110 -p tcp -s 123.123.0.0/16 -j ACCEPT
#--------------------------------------------------------------------------------------
# ---log all packets that hit the default policy ---- #
iptables -A INPUT -j LOG --log-level info --log-prefix "input_default_drop: "
iptables -A OUTPUT -j LOG --log-level info --log-prefix "output_default_drop: "
iptables -A FORWARD -j LOG --log-level info --log-prefix "forward_default_drop: "
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo tcp_syncookies
And listing the rules after running this gives only the default drops.
Quote:
iptables v1.2.11: multiport needs `-p tcp' or `-p udp'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: multiport needs `-p tcp' or `-p udp'
Try `iptables -h' or 'iptables --help' for more information.
tcp_syncookies
I only tried this on this version (default for updated Fedora 3), haven't tried it on newer versions. I also like using the "!" to make things simpler, but the multiport module had some problems with that in certain versions (1.3.0.rc1?)
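Pulling the thread's points together (put -p tcp before -m multiport, use -m state so only NEW connections need explicit rules, open SMB outbound to the file server rather than to the whole LAN, and log whatever hits the default DROP policy), here is an added example script. It is not code from any poster in this thread. It keeps the thread's 123.123.0.0/16 LAN and ports 139, 445 and 110; the file-server address 123.123.1.10 is an assumed placeholder. By default it only prints the generated rules so their ordering can be reviewed, and applies them only when run with --apply as root:

```shell
#!/bin/sh
# Added example, not from the thread. Generates an iptables ruleset for a
# workstation that shares files over SMB, then applies it only when asked.
# Assumptions: LAN and ports are the thread's values; SAMBA_SERVER is a
# constructed placeholder address.

LAN="123.123.0.0/16"
SAMBA_SERVER="123.123.1.10"   # placeholder: the one host we pull files from
SMB_PORTS="139,445"
MAIL_PORT="110"

# rule: print one iptables command line. Keeping generation separate from
# execution lets us inspect option ordering before anything touches the kernel.
rule() {
    printf 'iptables %s\n' "$1"
}

build_rules() {
    # Flush everything and start from deny-all policies
    rule "-F"
    rule "-X"
    rule "-P INPUT DROP"
    rule "-P OUTPUT DROP"
    rule "-P FORWARD DROP"

    # Loopback is always needed by local services
    rule "-A INPUT -i lo -j ACCEPT"
    rule "-A OUTPUT -o lo -j ACCEPT"

    # Stateful core: anything belonging to a connection we already accepted
    # gets through, so every other rule only has to cover NEW connections.
    rule "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    rule "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Inbound SMB from the LAN only. Note the order: the -p tcp match comes
    # before -m multiport, which is what iptables 1.2.x insisted on.
    # The LOG rule mirrors the ACCEPT so the rule can be watched while debugging.
    rule "-A INPUT -p tcp -s $LAN -m multiport --dports $SMB_PORTS -m state --state NEW -j LOG --log-level info --log-prefix \"smb_in: \""
    rule "-A INPUT -p tcp -s $LAN -m multiport --dports $SMB_PORTS -m state --state NEW -j ACCEPT"

    # Outbound SMB only to the file server, not to every host on the LAN,
    # so a worm on another workstation finds nothing to talk to.
    rule "-A OUTPUT -p tcp -d $SAMBA_SERVER -m multiport --dports $SMB_PORTS -m state --state NEW -j ACCEPT"

    # Outbound POP3 (port 110 in the thread), any destination
    rule "-A OUTPUT -p tcp -m multiport --dports $MAIL_PORT -m state --state NEW -j ACCEPT"

    # Last rules: log whatever is about to hit the default DROP policy
    rule "-A INPUT -j LOG --log-level info --log-prefix \"input_default_drop: \""
    rule "-A OUTPUT -j LOG --log-level info --log-prefix \"output_default_drop: \""
    rule "-A FORWARD -j LOG --log-level info --log-prefix \"forward_default_drop: \""
}

# check_order: return non-zero if any generated line has -m multiport
# before -p tcp (the mistake the thread's test script runs into).
check_order() {
    if build_rules | grep -q -e '-m multiport.*-p tcp'; then
        return 1
    fi
    return 0
}

# Default: print for review. "--apply" feeds the lines to sh (run as root).
case "${1:-}" in
    --apply) check_order && build_rules | sh ;;
    *)       build_rules ;;
esac
```

After applying, `iptables --list -n --line-numbers -v` (the check suggested earlier in the thread) shows the per-rule packet counters, so a zero count on the smb_in LOG rule while the input_default_drop prefix fills the syslog points straight at the rule that is not matching. Following cacosapo's suggestion, `--dports netbios-ssn,microsoft-ds` resolved through /etc/services would work in place of the numeric ports.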