[TriLUG] anyone out there good with iptables?........

Brian Henning brian at strutmasters.com
Tue Aug 10 14:22:36 EDT 2004


*to the Meow Mix tune*
webmin webmin webmin webmin webmin webmin webmin webmin...

Not at all required, but I've found that webmin's iptables ("Linux Firewall"
applet under Networking) interface is very clean and intuitive.

One basic rule of thumb is that on your input chain, the last rule should always
be an across-the-board drop:
iptables -A INPUT_CHAIN_NAME -j DROP

Then all you have to do is put your specific allows in front of that rule.

If you choose to use Webmin, I recommend against also using any boot-time
scripts; the two may not get along nicely.  Instead of scripting, rely on
iptables' ability to save its current configuration.  The only use for a
script in the webmin case would be for safekeeping in case iptables' saved
configuration somehow gets trashed.

Hope this is helpful...
Cheers,
~Brian

----- Original Message ----- 
From: "dsandif" <dsandif at email.unc.edu>
To: <trilug at trilug.org>
Sent: Tuesday, August 10, 2004 2:11 PM
Subject: [TriLUG] anyone out there good with iptables?........


> Hi folks,
>
> I am slowly but steadily pushing my way through this file server setup.
> Next phase: Iptables! I am no linux guru here and in the past two weeks,
> I have been searching the net and purchased books in an effort to better
> understand linux firewalling. Well the right side of my brain just threw
> in the towel and my left side is fighting for dear life in an attempt to
> absorb this stuff. So if ANY of you out there feel confident enough
> about iptables to fill me in, here's what I'm trying to do:
>
> 1). I want to setup this file server so that only local LAN traffic
> (anyone on this local LAN of the 154.3.77.x network) can see or access the
> server.
>
> 2). I want the users to use SSH only to get into the server to their
> home directories and be able to see their files in a windows file &
> folder format. No other inbound traffic should be allowed.
>
> 3). I want to take this file server off the main network\internet and
> restrict it to the local LAN (this may be more of a network properties
> configuration issue and not an iptables issue, not sure) save for update
> & upgrade purposes.
>
> 4). No telnet, no ftp, and I'm guessing I will need to use Samba to
> satisfy client access needs. I did an nmap scan of my system to see what
> was open port-wise and got this ( currently the server is unplugged from
> the network):
>
>
> Linux Mamasan 2.4.21-15.0.3.EL #1 Tue Jun 29 18:17:52 EDT 2004 i686 i686
> i386 GNU/Linux
>
> [root at Mamasan root]#  nmap -sS -O Mamasan
>
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Interesting ports on Mamasan (127.0.0.1):
> (The 1596 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 22/tcp     open        ssh
> 139/tcp    open        netbios-ssn
> 445/tcp    open        microsoft-ds
> 631/tcp    open        ipp
> 6000/tcp   open        X11
> Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
> Uptime 4.285 days (since Thu Aug  5 09:56:11 2004)
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
>
> This is my current iptables configuration:
>
> [root at Mamasan root]# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere           icmp any
> ACCEPT     ipv6-crypt--  anywhere             anywhere
> ACCEPT     ipv6-auth--  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere           state
> RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere           state NEW
> tcp dpt:ssh
> REJECT     all  --  anywhere             anywhere           reject-with
> icmp-host-prohibited
>
> I have looked at several web sites like this one below, but I'm not sure
> I want to entrust the security of my machines to such scripts. I could
> use some input on this. Thxs.
>
> D-
>
> http://deepquest.code511.com/iptables/
>
> -- 
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
>
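Putting Brian's "allows first, catch-all DROP last" advice together with the requirements in the quoted question, here is an added example (not code from either post or from the Red Hat default ruleset shown above): a POSIX shell script that prints the INPUT ruleset for review and only applies it when asked. It assumes the LAN is 154.3.77.0/24 on interface eth0 (the question only says "154.3.77.x"), and an iptables with the 2.4-era `state` match.

```shell
#!/bin/sh
# Added example (not from either post). Builds the INPUT ruleset for the file
# server in the thread: only the local LAN may reach SSH and Samba, everything
# else falls through to a final catch-all DROP, as Brian suggests.
# ASSUMPTIONS: LAN is 154.3.77.0/24 and faces interface eth0 (the question only
# says "154.3.77.x"); iptables with the 2.4-era "state" match.
LAN_NET="154.3.77.0/24"
LAN_IF="eth0"

# Print the ruleset, one iptables command per line, so it can be reviewed
# before anything is applied. Order matters: allows first, DROP last.
firewall_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 137:138 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 139 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 445 -m state --state NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
iptables -A INPUT -j DROP
EOF
}

# Sanity check: the last INPUT rule is the unconditional DROP and no ACCEPT
# follows it (an ACCEPT placed after the DROP would never be reached).
rule_order_ok() {
    firewall_rules | awk '
        /-j DROP$/             { seen_drop = 1; next }
        seen_drop && /ACCEPT$/ { bad = 1 }
        END { if (bad || !seen_drop) exit 1 }'
}

# Apply for real (needs root; run from the console, not over SSH, because the
# flush briefly leaves no allow rules). Without --apply, only print the rules.
apply_rules() { rule_order_ok && firewall_rules | sh -e; }

case "${1:-}" in
    --apply) apply_rules ;;
    *)       firewall_rules ;;
esac
```

The 631/tcp and 6000/tcp listeners from the nmap output get no allow rule and so hit the DROP; the LOG line in front of it records what was dropped so a blocked client shows up in the kernel log.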