[TriLUG] Firewall for my webserver (IPTABLES)
Jerry M. Howell II
jmhowell at jmhowell.com
Sun Jun 8 01:38:41 EDT 2003
Hello everyone,
I'm curently running adminning my wifes webserver at
gamma.hostbyk.com. We are running redhat 7.3 with a generic 2.4.20
kernel custom compiled with all the iptables/NAT goodies. I go to
enable the firewall and thats where I runn into problems. I can view
the webserver, about 75% of my clients can but there are some that go
through compuserve, earthlink and aol that can't seem to access
anything once I start the firewall. No email, ftp, can't ping it or
pull up a webpage. Thought it was probably ICMP so I allowed that
through but still nothing. Might someone have any sugestions? here is
the output from /usr/local/iptables-save wich is iptables-1.2.8 BTW.
# Generated by iptables-save v1.2.8 on Fri Jun 6 13:07:33 2003
*nat
:PREROUTING ACCEPT [1956549:98046633]
:POSTROUTING ACCEPT [205477:14316170]
:OUTPUT ACCEPT [205477:14316170]
COMMIT
# Completed on Fri Jun 6 13:07:33 2003
# Generated by iptables-save v1.2.8 on Fri Jun 6 13:07:33 2003
*mangle
:PREROUTING ACCEPT [11003984:1977948454]
:INPUT ACCEPT [10098177:1941715975]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10603720:6903438327]
:POSTROUTING ACCEPT [10603700:6903433659]
COMMIT
# Completed on Fri Jun 6 13:07:33 2003
# Generated by iptables-save v1.2.8 on Fri Jun 6 13:07:33 2003
*filter
:INPUT ACCEPT [8569034:1718459859]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10603700:6903436455]
:acctboth - [0:0]
:firewall - [0:0]
[5:582] -A INPUT -p udp -m udp --sport 53 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --sport 113 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
[4:552] -A INPUT -p icmp -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
[85:7204] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[158:22654] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
[40:1898] -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 1080 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 1080 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 2082 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 2087 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 2095 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 8000 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 8080 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
[0:0] -A INPUT -s 217.133.0.0/255.255.0.0 -j DROP
[0:0] -A INPUT -s 80.13.0.0/255.255.0.0 -j DROP
[0:0] -A INPUT -s 200.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -s 216.15.179.128/255.255.255.224 -j DROP
[0:0] -A INPUT -s 43.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -s 61.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -s 133.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -s 163.13.0.0/255.255.0.0 -j DROP
[0:0] -A INPUT -s 163.14.0.0/255.254.0.0 -j DROP
[0:0] -A INPUT -s 163.16.0.0/255.240.0.0 -j DROP
[0:0] -A INPUT -s 163.32.0.0/255.255.0.0 -j DROP
[0:0] -A INPUT -s 211.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -s 218.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -s 219.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -s 220.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -s 221.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -p icmp -j firewall
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j firewall
[21:1408] -A INPUT -p udp -j firewall
[0:0] -A OUTPUT -p icmp -m state --state INVALID -j DROP
[21:1408] -A firewall -j LOG --log-prefix "Firewall:" --log-level info
[21:1408] -A firewall -j DROP
COMMIT
# Completed on Fri Jun 6 13:07:33 2003
My firewall script can be found at http://www.jmhowell.com/fire.html if
you wanna look that over as well. Thnx for any advice that can be given.
Any time warner admins feal free to spill the beens as well if you know
of anything :)
--
Jerry M. Howell II
More information about the TriLUG
mailing list