Page 12 of 29
Results 111 to 120 of 286

Thread: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

  1. #111
    Join Date
    May 2007
    Beans
    52
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    What do you do if you want to add in server stuff like ssh, smtp, pop3, www, ftp?

    I only want to be able to access the server via the local network for ssh and smtp/pop3; I don't want others to be able to access it via the net, only the web (www).

    If that makes any sense.

    This is how far I got:

    Code:
    #!/bin/bash
    
    # No spoofing
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
    echo 1 > $filtre
    done
    fi
    
    # No icmp
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    
    #load some modules you may need
    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe iptable_filter
    modprobe iptable_nat
    
    # Remove all rules and chains
    iptables -F
    iptables -X
    
    # first set the default behaviour => accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    
    # Create 2 chains, it allows to write a clean script
    iptables -N FIREWALL
    iptables -N TRUSTED
    
    # Allow ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow loopback traffic
    iptables -A FIREWALL -i lo -j ACCEPT
    # Send all packets to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED
    # DROP all other packets
    iptables -A FIREWALL -j DROP
    
    # Send all INPUT packets to the FIREWALL chain
    iptables -A INPUT -j FIREWALL
    # DROP all forward packets, we don't share internet connection in this example
    iptables -A FORWARD -j DROP
    
    # Allow https
    iptables -A TRUSTED -i eth0 -p udp -m udp --sport 443 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 443 -j ACCEPT
    
    #Allow Web Traffic
    iptables -A INPUT -i eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    #Allow www
    iptables -A TRUSTED -i eth0 -p udp -m udp --sport 80 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT
    
    # Allow FTP
    iptables -A TRUSTED -i eth0 -p udp -m udp --sport 21 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 21 -j ACCEPT
    
    #Allow smtp
    iptables -A TRUSTED -i eth0 -p udp -m udp --sport 110 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 110 -j ACCEPT
    
    #Allow pop3
    iptables -A TRUSTED -i eth0 -p udp -m udp --sport 25 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 25 -j ACCEPT
    
    #Allow SSH
    iptables -A TRUSTED -i eth0 -p udp -m udp --sport 22 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 22 -j ACCEPT
    This is not tested yet, as I don't really know what's going on.


    TT
    Last edited by tommytomato; June 24th, 2007 at 06:55 AM.

  2. #112
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Quote Originally Posted by tommytomato View Post
    What do you do if you want to add in server stuff like ssh, smtp, pop3, www, ftp?

    I only want to be able to access the server via the local network for ssh and smtp/pop3; I don't want others to be able to access it via the net, only the web (www).

    If that makes any sense.

    This is how far I got:
    Some of the ports you chose to open don't correspond to the comment you put on them; for instance the port for pop3 is 110.

    Code:
    #Allow Web Traffic
    iptables -A INPUT -i eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    These lines are useless: you don't filter output in your script, and the first firewall rule already allows the needed traffic on port 80 (iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT).

    Code:
    #Allow www
    iptables -A TRUSTED -i eth0 -p udp -m udp --sport 80 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT
    Also useless, for the same reasons.

    Code:
    # Allow FTP
    iptables -A TRUSTED -i eth0 -p udp -m udp --sport 21 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 21 -j ACCEPT
    #Allow smtp
    iptables -A TRUSTED -i eth0 -p udp -m udp --sport 110 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 110 -j ACCEPT
    
    #Allow pop3
    iptables -A TRUSTED -i eth0 -p udp -m udp --sport 25 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 25 -j ACCEPT
    Useless as well; the first firewall rule already allows all of that.

    To be sure, just open your /etc/services file; all the ports are listed with the name of the corresponding service, so look at this file to match the right port with the right protocol.
    Here you just seem to need to open your ssh port for what you want to do.
    Now for your local network matter, I don't know because you didn't give enough details: do you have 2 network cards, one on the internet and the other on the local network, or is it something else?
    Last edited by frodon; June 24th, 2007 at 10:51 AM.

  3. #113
    Join Date
    May 2007
    Beans
    52
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    No, I have one network card in the server.

    I use another PC on the network to access the server; I also have a router where I can open ports and point them to the server.

    Does that make sense? I'm really lost here.

    TT

  4. #114
    Join Date
    May 2007
    Beans
    52
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Oops, here is my latest try.
    Later I want to be able to allow access to 25 and 110 for my network only and not the outside; would the email server still send and receive mail?

    Code:
    /etc/init.d/firewall status
    Chain FIREWALL (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    ACCEPT     all  --  anywhere             anywhere            
    TRUSTED    all  --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            
    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    FIREWALL   all  --  anywhere             anywhere            
    DROP       all  --  a83-132-97-14.cpe.netcabo.pt  anywhere            
    DROP       all  --  81.199.85.110        anywhere            
    DROP       all  --  218.16.120.80        anywhere            
    DROP       all  --  mx4.url.com.tw       anywhere            
    DROP       all  --  218.0.153.219.broad.cq.cq.dynamic.163data.com.cn  anywhere            
    DROP       all  --  63-93-95-121.lsan.mdsg-pacwest.com  anywhere            
    DROP       all  --  002.011.dsl.syd.iprimus.net.au  anywhere            
    DROP       all  --  mail.ala-hawaii.org  anywhere            
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain TRUSTED (1 references)
    target     prot opt source               destination         
    ACCEPT     udp  --  anywhere             anywhere            udp spt:https 
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https 
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www 
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp 
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:smtp 
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:pop3 
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    But when I restart it I get this message:

    Code:
    /etc/init.d/firewall restart
    Removing all iptables rules: [End of flush]
    Iptables rules creation: iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument

    TT

  5. #115
    Join Date
    May 2007
    Beans
    52
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    I think I fixed that error,

    but when I turn on the firewall I can't access the server or the site I have hosted.

    When I turn off the firewall I can access the server and the sites I have hosted.

    TT
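    Putting frodon's corrections together as a complete server rule set, as an added example (this is not code from any post in the thread). It assumes a single NIC named eth0, a LAN of 192.168.1.0/24, web on 80 and 443 forwarded by the router, and ssh, smtp, pop3 and ftp wanted from the LAN only; every one of those is an assumption and can be overridden with environment variables. The two changes that matter compared with the script in #111: a listening service is matched on the destination port (--dport) of NEW connections, not --sport, and the INPUT policy is DROP, so the FIREWALL/TRUSTED detour is no longer needed. Limiting 25 to the LAN also answers the question in #114: the mail server can still send (OUTPUT stays ACCEPT), but nothing outside the LAN can deliver to it.

```shell
#!/bin/sh
# Added example (not from the thread): the server rule set tommytomato was
# after, written the way frodon's remarks point to.  ASSUMPTIONS: one NIC
# named eth0, LAN 192.168.1.0/24, web on 80/443 forwarded by the router,
# ssh/smtp/pop3/ftp reachable from the LAN only.  All are overridable.
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"
LAN="${LAN:-192.168.1.0/24}"
PUBLIC_TCP="${PUBLIC_TCP:-80 443}"           # open to the whole Internet
LAN_ONLY_TCP="${LAN_ONLY_TCP:-22 25 110 21}" # ssh smtp pop3 ftp, LAN only

flush_rules() {
    $IPT -F
    $IPT -X
}

# Default-deny on INPUT.  OUTPUT stays ACCEPT, so the box (and its MTA) can
# still open outbound connections and send mail.
set_policies() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# One ESTABLISHED,RELATED rule accepts every reply packet; per-service
# --sport rules add nothing on top of it (frodon's point above).
allow_base() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -m state --state INVALID -j DROP
}

# A listening service is matched on the DESTINATION port of NEW connections.
allow_public_tcp() {
    for port in $PUBLIC_TCP; do
        $IPT -A INPUT -i "$IFACE" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# Same match, restricted to the LAN source range.  With a single NIC behind a
# port-forwarding router, forwarded Internet traffic keeps its public source
# address, so it fails the -s test and falls through to the DROP policy.
allow_lan_tcp() {
    for port in $LAN_ONLY_TCP; do
        $IPT -A INPUT -i "$IFACE" -s "$LAN" -p tcp --dport "$port" \
             -m state --state NEW -j ACCEPT
    done
}

# Rate-limited log of what is about to be dropped, so "it works with the
# firewall off but not on" can be diagnosed from the kernel log.
log_rest() {
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP "
}

build_firewall() {
    flush_rules
    set_policies
    allow_base
    allow_public_tcp
    allow_lan_tcp
    log_rest
}

# Print the rules instead of loading them: run in a subshell with IPT=echo.
dry_run() {
    ( IPT="echo iptables"; build_firewall )
}

# Number of ACCEPT rules the set would install; a quick sanity check.
count_accept_rules() {
    dry_run | grep -c -- '-j ACCEPT'
}

case "${1:-}" in
    dry-run) dry_run ;;
    apply)   build_firewall ;;
    *)       ;;   # no argument: only define the functions
esac
```

    `sh fw.sh dry-run` prints the iptables commands without touching the kernel; `sudo sh fw.sh apply` loads them (do it from the console, or with a scheduled flush as a safety net, since the policy flips to DROP a moment before the ESTABLISHED rule is added). Check the result with `iptables -L -n -v`: a plain `iptables -L`, as in the listing in #114, hides the interface column, which is why the `-i lo` rule there shows up as a bare `anywhere anywhere` ACCEPT.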

  6. #116
    Join Date
    May 2007
    Beans
    25

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    I am new to Ubuntu and I am barely able to find my way around it. I had Firestarter installed on my computer, but after I tried to get it to start every time I log in, it stopped working. I mean that it completely stopped working; no matter what you did it refused to open a window. After struggling with several more complicated firewalls I decided to try and configure my iptables according to your script. I'm pretty sure that I put everything in right and I made sure to save everything. The only problem is that now I cannot connect to the internet. Neither my ethernet nor my wireless access will connect.

    Please post easy-to-follow directions on how I can get the internet again. If that is too much work, please tell me how I can undo all of the changes made to my iptables so that I can use my computer again.

    Thanks!

  7. #117
    Join Date
    May 2007
    Beans
    52
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    I don't know if this is right, but just undo or delete what you have done,

    or turn off iptables using the command

    /etc/init.d/iptables stop

    or /etc/init.d/firewall stop

    I'm sure others will help you out, as I'm not the best at iptables either.

    Oh yeah, you could post up your firewall script for others to look at.

    TT

  8. #118
    Join Date
    Jun 2007
    Beans
    15

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    You can try putting ppp0 instead of eth0 in your script and restarting the firewall. I was having the same problem and this trick saved me.

  9. #119
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    TyPhoon101 is right: check the name of your network interface. You can see it using the network tools you have available in your admin menu.
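    The interface check TyPhoon101 and frodon recommend, done from the shell rather than the admin menu, as an added example (not code from the thread). It assumes iproute2 (`ip`) and sysfs (/sys/class/net) are available and takes the path of the rule script as its argument; the interface names in the comments are illustrations, not anything read from the posts.

```shell
#!/bin/sh
# Added example, not from the thread: check that the interface a firewall
# script hard-codes (-i eth0 / -o eth0) is the one that actually carries the
# default route (ppp0 on a PPPoE box, wlan0 on wireless).  Assumes iproute2
# (`ip`) and sysfs are available; the rule script path is an argument.

# Interface name from one line of `ip -o route show default`, e.g.
# "default via 192.168.1.1 dev ppp0 proto static".  Prints nothing if absent.
iface_from_route_line() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Live lookup of the default-route interface ("" when `ip` is missing).
default_iface() {
    line=$(ip -o route show default 2>/dev/null | head -n 1)
    iface_from_route_line "$line"
}

# Interface names a rule script pins with -i/-o, read from stdin, one per line.
rule_ifaces() {
    grep -oE -- '-[io] +[A-Za-z0-9._@:-]+' | awk '{ print $2 }' | sort -u
}

# True when the running kernel knows an interface of that name.
iface_exists() {
    [ -n "$1" ] && [ -d "/sys/class/net/$1" ]
}

# Compare the script against the live system.  Returns 0 when every pinned
# interface exists and the default-route interface is among them; 1 otherwise,
# with a hint on stderr.  A mismatch produces exactly the symptom in the
# thread: rules bound to eth0 never see traffic arriving on ppp0, so the
# FIREWALL chain's final DROP eats everything.
check_rule_script() {
    script="$1"
    live=$(default_iface)
    status=0
    for name in $(rule_ifaces < "$script"); do
        if ! iface_exists "$name"; then
            echo "warning: $script pins $name but no such interface exists" >&2
            status=1
        fi
    done
    if [ -n "$live" ] && ! rule_ifaces < "$script" | grep -qx -- "$live"; then
        echo "warning: default route is via $live, which $script never names" >&2
        status=1
    fi
    return $status
}

if [ $# -ge 1 ]; then
    check_rule_script "$1"
fi
```

    `sh check-iface.sh /etc/init.d/firewall` exits 0 when the script and the live routing table agree, otherwise it names the interface to fix before the firewall is started again.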

  10. #120
    Join Date
    Mar 2007
    Location
    Dayton, OH
    Beans
    47
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Thanks! This answered all my questions about the use of iptables, great tutorial.

