[TriLUG] anyone out there good with iptables?........
dsandif
dsandif at email.unc.edu
Tue Aug 10 14:11:01 EDT 2004
Hi folks,
I am slowly but steadily pushing my way through this file server setup.
Next phase: iptables! I am no Linux guru here and in the past two weeks,
I have been searching the net and purchased books in an effort to better
understand Linux firewalling. Well, the right side of my brain just threw
in the towel and my left side is fighting for dear life in an attempt to
absorb this stuff. So if ANY of you out there feels confident enough
about iptables to fill me in, here's what I'm trying to do:
1). I want to set up this file server so that only local LAN traffic
(anyone on this local LAN, the 154.3.77.x network) can see or access the
server.
2). I want the users to use SSH only to get into the server to their
home directories and be able to see their files in a Windows file &
folder format. No other inbound traffic should be allowed.
3). I want to take this file server off the main network/internet and
restrict it to the local LAN (this may be more of a network properties
configuration issue and not an iptables issue, not sure) save for update
& upgrade purposes.
4). No telnet, no ftp, and I'm guessing I will need to use Samba to
satisfy client access needs. I did an nmap scan of my system to see what
was open port-wise and got this (currently the server is unplugged from
the network):
Linux Mamasan 2.4.21-15.0.3.EL #1 Tue Jun 29 18:17:52 EDT 2004 i686 i686 i386 GNU/Linux
[root at Mamasan root]# nmap -sS -O Mamasan
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on Mamasan (127.0.0.1):
(The 1596 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
6000/tcp open X11
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 4.285 days (since Thu Aug 5 09:56:11 2004)
Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
This is my current iptables configuration:
[root at Mamasan root]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I have looked at several web sites like this one below, but I'm not sure
I want to entrust the security of my machines to such scripts. I could
use some input on this. Thxs.
D-
http://deepquest.code511.com/iptables/
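Added example, not part of the original post or any reply to it: a small default-deny ruleset that does what items 1, 2 and 4 ask for, written in the same style as the RH-Firewall-1-INPUT chain shown above (state match for established traffic, `icmp-host-prohibited` reject at the end). Everything beyond the post is an assumption: the LAN is taken to be 154.3.77.0/24 (the post only says "154.3.77.x"), Samba is given TCP 139/445 from the nmap output plus the NetBIOS name/datagram ports UDP 137/138 that Windows browsing uses, and the `state`, `multiport` and `limit` matches are assumed to be available on this 2.4 kernel. The `IPT` variable lets the rules be previewed with `echo` before anything is applied.

```shell
#!/bin/sh
# Added example (not from the post): a default-deny host firewall for the
# file server described above. Assumptions that go beyond the post:
#   - the LAN is 154.3.77.0/24 (the post says "154.3.77.x")
#   - Samba needs TCP 139/445 (seen in the nmap output) plus the NetBIOS
#     name and datagram services on UDP 137/138 for Windows browsing
#   - the box has the iptables state, multiport and limit matches

LAN_NET="${LAN_NET:-154.3.77.0/24}"
IPT="${IPT:-iptables}"   # set IPT=echo to preview the rules without touching the kernel

apply_rules() {
    # Flush first so the script can be re-run without duplicating rules.
    "$IPT" -F INPUT
    "$IPT" -F FORWARD

    # Default-deny inbound and forwarded traffic; a file server does not route.
    # Outbound stays open so updates (item 3 in the post) keep working.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # Loopback, and replies to connections the server itself opened.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Let LAN hosts ping the server; nobody else gets an answer.
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -s "$LAN_NET" -j ACCEPT

    # Item 2: SSH, LAN only.
    "$IPT" -A INPUT -p tcp -s "$LAN_NET" --dport 22 \
        -m state --state NEW -j ACCEPT

    # Item 4: Samba, LAN only. 631/tcp (ipp) and 6000/tcp (X11) from the
    # scan are deliberately absent, so they are no longer reachable remotely.
    "$IPT" -A INPUT -p tcp -s "$LAN_NET" -m multiport --dports 139,445 \
        -m state --state NEW -j ACCEPT
    "$IPT" -A INPUT -p udp -s "$LAN_NET" -m multiport --dports 137,138 -j ACCEPT

    # Anything else: a rate-limited log line, then the same polite reject
    # the Red Hat default chain uses.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-REJECT: "
    "$IPT" -A INPUT -j REJECT --reject-with icmp-host-prohibited
}

case "${1:-}" in
    apply)   apply_rules ;;                 # run as root to install the rules
    preview) IPT=echo apply_rules ;;        # print the rules instead of applying them
    *)       echo "usage: $0 apply|preview" >&2 ;;
esac
```

`preview` prints exactly the commands `apply` would run, which is the easiest way to review a ruleset before trusting it on a box you reach over SSH. On Red Hat systems the running rules can be saved with `service iptables save`, which writes them to /etc/sysconfig/iptables so they survive a reboot (a Red Hat mechanism, not something the post mentions). Filtering 631 and 6000 is only a stopgap: stopping cupsd and starting X with `-nolisten tcp` removes those listeners so there is nothing to filter.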