Help an IPTABLES neophyte please

Waldher, Travis R Travis.R.Waldher at boeing.com
Fri May 9 14:39:11 UTC 2008


> -----Original Message-----
> From: Rick Stevens [mailto:ricks at nerd.com]
> Sent: Thursday, May 08, 2008 10:08 AM
> To: Getting started with Red Hat Linux
> Subject: Re: Help an IPTABLES neophyte please
> 
> Waldher, Travis R wrote:
> > I've got a machine acting as a portal between a public network and a
> > private network.  Right now, all you can do is ssh in to the box from
> > the public side, and then do as you please on the private side.  You
> > cannot ssh or form any other connection that wasn't initiated by a
> > client on the public side of the machine.  Think of it as a roach motel.
> >
> > Well, I need to be able to pull information from an LDAP server that is
> > on the public network.
> >
> > How do I set up my firewall so that it will first allow outbound traffic
> > on port 389 (any others?) and second forward any requests it receives
> > from other machines on the private network on.
> 
> Hey, Travis!  Long time, no speak!
> 
> If this were a normal machine (one not acting as a router), the way you
> worded the above sounds like the only incoming connections allowed are
> for ssh (TCP port 22), so you probably have a rule such as:
> 
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> 
> in your ruleset.  Assuming that the OUTPUT chain has a default policy
> of "ACCEPT", you should also have rules such as:
> 
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> before the final "-j REJECT" (or "-j DROP") in the input chain.  That
> should allow ANY TCP traffic as long as it was INITIATED from the
> local machine.
> 
> If the machine is a router, then we'd probably have to get into
> specifying the different NICs in the rules (by use of the "-i"
> parameter).
> 
> Could you post your current ruleset so we can get a grip on what you
> have set up?  It may be a really simple fix or a simpler ruleset may
> work.
> 
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer                       rps2 at nerd.com -
> - Hosting Consulting, Inc.                                           -
> -                                                                    -
> -   NEWS FLASH! Intelligence of mankind decreasing!  Details at...   -
> -     uh, when, uh, the little hand is, uh, on the...  Aw, NUTS!     -
> ----------------------------------------------------------------------

Dang, change jobs?  Nerd.com now? LOL

Here's the script I use to set the firewall.  IPs have been modified to
protect the innocent.

#Clean out the IP Tables
iptables -F
iptables -X

#setup default filter policy (default deny on every chain)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#Allow incoming ssh only (the OUTPUT side is ESTABLISHED only, so it carries replies, never new connections)
iptables -A INPUT -p tcp -s 0/0 -d 162.254.180.165 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 162.254.180.165 -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow pings (ICMP type 8 = echo request, type 0 = echo reply)
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d 162.254.180.165 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d 162.254.180.165 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s 162.254.180.165 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -s 162.254.180.165 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#Allow FTP
#iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

#Drop all other traffic on the public interface (these match eth0 only, so the eth1/eth2 rules below are still reached)
iptables -A INPUT -i eth0 -j DROP
iptables -A OUTPUT -o eth0 -j DROP

#Allow the private network to be chatty
iptables -A INPUT -i eth1 -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth2 -s 192.168.2.0/255.255.255.128 -j ACCEPT
iptables -A OUTPUT -o eth2 -s 192.168.2.0/255.255.255.128 -j ACCEPT

#Allow certain pings
#iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

Basically I first tell it to drop all traffic, default deny.  Then I
start opening things back up.  This machine is not acting like a router
right now.  I do need to forward LDAP traffic to the outside now.

I want this machine to be wide open on the private network, but very
closed off on the public side.  Allowing inbound SSH only, no outbound.
Allowing outbound LDAP requests, but no inbound.

Thanks,
Travis
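As an added example, not Travis's script and not part of Rick's reply, here is a shell fragment covering both halves of the question: LDAP lookups from the gateway itself, and LDAP requests from the two private subnets forwarded and NATed out through eth0. It reuses the interface names and addresses from the thread; the LDAP server address is an assumed placeholder (192.0.2.10, a documentation address) and must be replaced, and the choice of SNAT rather than MASQUERADE is the example's own. By default it only prints the rules (IPT and SYSCTL default to "echo ..."); run it as root with IPT=/sbin/iptables SYSCTL=/sbin/sysctl to apply them.

```shell
#!/bin/sh
# Added example, not Travis's script or Rick's reply: rules for the two
# things asked for, (1) LDAP lookups from the gateway itself and
# (2) LDAP requests forwarded from the private subnets, NATed out eth0.
# Dry-run by default: IPT and SYSCTL default to "echo ...", so the rules
# are printed.  Run as root with IPT=/sbin/iptables SYSCTL=/sbin/sysctl
# to apply them.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

PUBLIC_IF=eth0
PUBLIC_IP=162.254.180.165                 # gateway's public address, from the thread
PRIVATE_NETS="eth1:192.168.1.0/24 eth2:192.168.2.0/25"   # private side, from the thread
LDAP_SERVER="${LDAP_SERVER:-192.0.2.10}"  # ASSUMED placeholder (TEST-NET-1); set to the real server
LDAP_PORTS="389"                          # add 636 here if the clients use LDAP over TLS (ldaps)

# (1) The gateway's own queries.  In the script above these must be
# appended BEFORE the "-i eth0 -j DROP" / "-o eth0 -j DROP" lines.
# Only the OUTPUT side may open a NEW connection; the INPUT side accepts
# nothing but replies to it, so nothing inbound on 389 is ever accepted.
local_ldap_rules() {
    for port in $LDAP_PORTS; do
        $IPT -A OUTPUT -o "$PUBLIC_IF" -p tcp -s "$PUBLIC_IP" -d "$LDAP_SERVER" \
            --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -A INPUT -i "$PUBLIC_IF" -p tcp -s "$LDAP_SERVER" --sport "$port" \
            -d "$PUBLIC_IP" -m state --state ESTABLISHED -j ACCEPT
    done
}

# (2) Private clients reaching the same server through the gateway.
# FORWARD's default policy is already DROP, so only these flows pass, and
# the replies are rewritten by SNAT back to the private address.
forwarded_ldap_rules() {
    for entry in $PRIVATE_NETS; do
        iface=${entry%%:*}
        net=${entry#*:}
        for port in $LDAP_PORTS; do
            # private client -> LDAP server; only the client may open the connection
            $IPT -A FORWARD -i "$iface" -o "$PUBLIC_IF" -p tcp -s "$net" \
                -d "$LDAP_SERVER" --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
            # server -> client: replies only, never a new connection inward
            $IPT -A FORWARD -i "$PUBLIC_IF" -o "$iface" -p tcp -s "$LDAP_SERVER" \
                --sport "$port" -d "$net" -m state --state ESTABLISHED -j ACCEPT
            # private source addresses are not routable on the public side,
            # so rewrite them to the gateway's public address on the way out
            $IPT -t nat -A POSTROUTING -o "$PUBLIC_IF" -p tcp -s "$net" \
                -d "$LDAP_SERVER" --dport "$port" -j SNAT --to-source "$PUBLIC_IP"
        done
    done
}

# The FORWARD chain is never consulted unless the kernel routes between
# interfaces, which is off by default.
enable_forwarding() {
    $SYSCTL -w net.ipv4.ip_forward=1
}

enable_forwarding
local_ldap_rules
forwarded_ldap_rules
```

The return-path rules in both INPUT and FORWARD accept ESTABLISHED only, which is the point Rick made: the machine (and, through it, the private subnets) can reach port 389 on the public side, but nothing on the public side can open a connection inward, so the "roach motel" property is preserved. The SNAT rule is pinned to the LDAP server and port so the gateway does not quietly become a general NAT router for the private networks.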