[TriLUG] IPTables help (long)

Corey Mutter mutterc at nc.rr.com
Tue Sep 17 12:34:45 EDT 2002


> 
> Message: 3
> From: Tanner Lovelace <lovelace at wayfarer.org>
> To: trilug at trilug.org
> Date: 16 Sep 2002 14:33:47 -0400
> Subject: [TriLUG] IPTables help
> Reply-To: trilug at trilug.org
> 
> Hi folks,
> 
[snip]
> 
> This sounds like it should be easy.  Can anyone provide me
> with an easy, well commented, example that I can use with the
> standard redhat 7.3 iptables script?
> 
> Thanks in advance,
> Tanner Lovelace
> -- 
> Tanner Lovelace | lovelace at wayfarer.org | http://wtl.wayfarer.org/
> --*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
> GPG Fingerprint = A66C 8660 924F 5F8C 71DA  BDD0 CE09 4F8E DE76 39D4
> GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
> --*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
>           Si hoc legere scis, nimium eruditionis habes.
> 

This is rather long, but will get you the relevant parts of the
iptables script my firewall uses. I'll also throw in some
explication in bracketed comments. I don't know about the RedHat init
scripts' use of iptables... this machine is really bare-bones, and so
it just runs this script. It has a NATed subnet behind it, but I will 
leave all that stuff out...

[#!, echo, yadda yadda]
# Enable address spoofing protection, disable receiving source-routed
# packets and ICMP Redirects
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Flush all chains; delete all user-defined chains
iptables -F
iptables -X
# [this makes the script idempotent; all your rules will be replaced by it]

# Paranoid default: drop on all chains
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# [Note: This is all you will need for the forward chain as you ain't a router]

# Chain for allowing no new inbound connections (stateful firewall)
iptables -N nonew
# If already part of an existing connection, okay
iptables -A nonew -m state --state ESTABLISHED,RELATED -j RETURN
# New connections are okay on eth1 only
iptables -A nonew -m state --state NEW -i eth1 -j RETURN
# Anything else is a probe attempt, log
# Port 113 is not a probe, it's identd, reject silently.
iptables -A nonew -i eth0 -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# DHCP replies to other folks are not much of a concern
iptables -A nonew -i eth+ -d 255.255.255.255/32 -p udp --dport 68 --sport 67 -j RETURN
iptables -A nonew -m limit --limit 3 -j LOG --log-level debug --log-prefix "Probe: "
# Reject with "port unreachable", just like nobody was listening
# or RST for TCP connections, or drop for ICMP packets
iptables -A nonew -p tcp -j REJECT --reject-with tcp-reset
iptables -A nonew -p icmp -j DROP
iptables -A nonew -j REJECT
# [The reason to do this in a separate chain is for modularity
# You can then call this from several places (e.g. I need to call it
# from the FORWARD chain, for my wireless subnet, ...)
# Also, this way I can have a limit-match LOG target without affecting
# unrelated rules]

# Input chain (packets to the local box come here)
# Anything on loopback OK
iptables -A INPUT -i lo+ -j ACCEPT
# Anything on eth1 OK
iptables -A INPUT -i eth1 -j ACCEPT
# Allow SSH to this box from $company NAT address
iptables -A INPUT -i eth0 -s [IP address elided] -p tcp --dport 22 -j ACCEPT
# [These next rules are not in my script, but you will need them]
# [One for each allowed server, as many as you like]
iptables -A INPUT -i eth0 -p tcp --dport [insert port here] -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport [insert port here] -j ACCEPT
# [End of custom rules for TriLUG]
# No new connections from Internet
iptables -A INPUT -j nonew
# It passed the tests
iptables -A INPUT -j ACCEPT

# [Output checking is mostly about limiting bad addresses. You may not care.
# If you don't put output checking in, change default policy to ACCEPT]
# Output chain (packets from the local box come here)
# Loopback okay
iptables -A OUTPUT -o lo+ -j ACCEPT
# Local net on eth1 okay
iptables -A OUTPUT -o eth1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
# DHCP requests on eth0 okay
iptables -A OUTPUT -o eth0 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp --sport bootpc --dport bootps -j ACCEPT
# Non-localnet on eth0 okay
iptables -A OUTPUT -o eth0 -s ! 192.168.1.0/24 -d ! 192.168.1.0/24 -j ACCEPT
# Anything else bad, log and drop
iptables -A OUTPUT -m limit --limit 3 -j LOG --log-level crit --log-prefix "Bad output addr! "
iptables -A OUTPUT -j DROP

HTH
Corey
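The script above is one concrete ruleset; the following is an added example, not Corey's script or anything from the TriLUG archive, that turns the same layout (drop-by-default policies, a separate stateful `nonew` chain, explicit per-service ACCEPT rules placed before the jump to `nonew`) into a parameterised POSIX sh script. The interface names eth0/eth1, the LAN subnet 192.168.1.0/24 and the `proto:port` service list are assumptions; the `IPTABLES` variable defaults to `echo iptables`, so the script prints the rules it would load instead of needing root, and `check_order` verifies the one ordering mistake that is easy to make when copying the "insert port here" lines: a service ACCEPT that lands after `-j nonew` is never reached, so new connections to that service get rejected.

```shell
#!/bin/sh
# Added example (not from the original post): parameterised version of the
# stateful "nonew" firewall layout, with a dry-run mode for checking rules.

EXT_IF="${EXT_IF:-eth0}"                # Internet-facing interface (assumed)
INT_IF="${INT_IF:-eth1}"                # trusted LAN interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # LAN subnet (assumed)
IPTABLES="${IPTABLES:-echo iptables}"   # set IPTABLES=iptables to really load rules

# Every rule goes through here, so a dry run and a real run emit the same sequence.
rule() { $IPTABLES "$@"; }

# 'nonew' chain: established/related traffic and new LAN connections return to
# the caller; everything else is a probe, logged under a rate limit and rejected
# in a protocol-appropriate way (identd is rejected quietly without logging).
nonew_chain() {
    rule -N nonew
    rule -A nonew -m state --state ESTABLISHED,RELATED -j RETURN
    rule -A nonew -m state --state NEW -i "$INT_IF" -j RETURN
    rule -A nonew -i "$EXT_IF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    rule -A nonew -m limit --limit 3 -j LOG --log-level debug --log-prefix "Probe: "
    rule -A nonew -p tcp -j REJECT --reject-with tcp-reset
    rule -A nonew -p icmp -j DROP
    rule -A nonew -j REJECT
}

# Open listed services on the external interface. Arguments are proto:port
# (e.g. tcp:22 udp:53). Malformed entries are reported on stderr and skipped
# rather than silently producing a rule that iptables would reject half-way
# through loading the policy.
allow_services() {
    for svc in "$@"; do
        proto="${svc%%:*}"
        port="${svc#*:}"
        case "$proto" in
            tcp|udp) ;;
            *) echo "skipping '$svc': protocol must be tcp or udp" >&2; continue ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "skipping '$svc': port must be numeric" >&2; continue ;;
        esac
        rule -A INPUT -i "$EXT_IF" -p "$proto" --dport "$port" -j ACCEPT
    done
}

# INPUT chain in the same order as the original script: loopback and LAN first,
# then the explicit service holes, then the stateful check, then accept.
input_chain() {
    rule -A INPUT -i lo+ -j ACCEPT
    rule -A INPUT -i "$INT_IF" -j ACCEPT
    allow_services "$@"
    rule -A INPUT -j nonew
    rule -A INPUT -j ACCEPT
}

# Whole policy: flush (idempotent), paranoid defaults, then the two chains.
firewall() {
    rule -F
    rule -X
    rule -P INPUT DROP
    rule -P OUTPUT DROP
    rule -P FORWARD DROP
    nonew_chain
    input_chain "$@"
}

# Reads a dry-run rule listing on stdin; exits 0 only if no service ACCEPT
# appears after the jump to nonew (a rule placed there is never reached).
check_order() {
    awk '/-j nonew/ {seen=1} /--dport/ && /-j ACCEPT/ && seen {bad=1} END {exit bad}'
}

# Dry run: print the rules that would be loaded for ssh and dns.
firewall tcp:22 udp:53
```

To verify a change before loading it, run the script with the default dry-run `IPTABLES` and pipe the output through `check_order`; once it passes, run it again with `IPTABLES=iptables` as root.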
