I have a dual homed server in an install for someone who is very cost sensitive. This server originally is being set up as an Asterisk server, but now the simplest thing for me to do is also set it up to provide internet access for the small shop as well.

So it will have one external, WAN facing NIC that needs all incoming ports except UDP 5060 and 10000 -> 60000 blocked for all but two IPs.

The internal, LAN facing NIC will need all ports except voip/dns/http blocked to it, and need to provide masquerading.

I have limited experience with iptables and would love some guidelines. Any pointers would be greatly appreciated!

Thanks,
jlc
On Thu, May 22, 2008 at 8:30 AM, Joseph L. Casale <JCasale at activenetwerx.com> wrote:
> I have limited experience with iptables and would love some guidelines. Any
> pointers would be greatly appreciated!

This CentOS wiki may help:
http://wiki.centos.org/HowTos/Network/IPTables

Akemi
On Thursday 22 May 2008 22:30:29 Joseph L. Casale wrote:
> I have a dual homed server in an install for someone who is very cost
> sensitive. This server originally is being setup as an Asterisk server, but
> now the simplest thing for me to do is also set it up to provide internet
> access for the small shop as well.
>
> So it will have one external, WAN facing nic that needs all incoming ports
> except UDP 5060 and 10000 -> 60000 blocked for all but two ips.
>
> The internal, LAN facing NIC will need all ports except voip/dns/http
> blocked to it, and need to provide masquerading.
>
> I have limited experience with iptables and would love some guidelines. Any
> pointers would be greatly appreciated!

Hi JLC,
There are 2 ways to implement a firewall: negative list and positive list. Looks like you want a very strict one, that is, a positive list.

Assuming eth0 is WAN, and eth1 is LAN (assuming 192.168.0.0/24) (please mind the word wrap):

#Clear all rules and policies first:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -t nat -F

#Give access for localhost:
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT

#To make life easier:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allowing needed ports (multiport takes --dports; -p must come before -m multiport; HTTP is TCP, not UDP):
iptables -A INPUT -i eth0 -p udp -m multiport --dports 5060,10000:60000 -s ipthatyouwantallow -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m multiport --dports 53,5060,10000:60000 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -m multiport --dports 53,5060,10000:60000 -s ipthatyouallow -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT

#For masquerading (newer iptables releases write the negation as "! -d"):
iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.0.0/24 -j MASQUERADE

#For logging (troubleshooting):
iptables -A INPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** INPUT DROP ** '
iptables -A FORWARD -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** FORWARD DROP ** '
iptables -A OUTPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** OUTPUT DROP ** '

#Finally dropping all other traffic (positive list firewall):
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Don't forget to save it:
service iptables save

I might make some mistakes up there, so the logging is very important. You can just monitor the log file:
tail -f /var/log/messages
and look for any missed ports and open them.

If for some reason you want to clear the iptables, run these commands:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -t nat -F
service iptables save

Good luck,
--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org
22:03:54 up 2:37, 2.6.22-14-generic GNU/Linux
Let's use OpenOffice. http://www.openoffice.org
The real challenge of teaching is getting your students motivated to learn.
Fajar,
I really appreciate all the detailed help here! I have some questions.

> Hi JLC,
> There are 2 ways to implement firewall: negative list and positive list. Looks like you want a very strict one that is positive list.
>
> Assuming eth0 is WAN, and eth1 is LAN (assuming 192.168.0.0/24)(please mind the word wrap):
> #Clear all rules and policies first:
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -F
> iptables -t nat -F

I misunderstand this: if the default policy is to accept, then how does this work (I thought it was wise to make it DROP)? In terms of Cisco ACLs, how does iptables work? Does it simply continue processing until it sees something explicitly denying if the default policy is ACCEPT, versus DROP, where it will continue processing until it sees something explicitly allowing?

> #Finally dropping all other traffic (positive list firewall):
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP

So here you now restate the default policy? I thought you could only define this once?

> If for some reason you want to clear the iptables, run this command:
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -F

Does this -F not reset the above stated policy?

> iptables -t nat -F
> service iptables save

Thanks so much!
jlc
On Friday 23 May 2008 11:03, Fajar Priyanto wrote:
> On Thursday 22 May 2008 22:30:29 Joseph L. Casale wrote:
> > I have a dual homed server in an install for someone who is very cost
> > sensitive. This server originally is being setup as an Asterisk server,
> > but now the simplest thing for me to do is also set it up to provide
> > internet access for the small shop as well.
> >
> > So it will have one external, WAN facing nic that needs all incoming
> > ports except UDP 5060 and 10000 -> 60000 blocked for all but two ips.
> >
> > The internal, LAN facing NIC will need all ports except voip/dns/http
> > blocked to it, and need to provide masquerading.
> >
> > I have limited experience with iptables and would love some guidelines.
> > Any pointers would be greatly appreciated!
>
> Hi JLC,
> There are 2 ways to implement firewall: negative list and positive list.
> Looks like you want a very strict one that is positive list.
>
> Assuming eth0 is WAN, and eth1 is LAN (assuming 192.168.0.0/24)(please
> mind the word wrap):
> #Clear all rules and policies first:
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -F
> iptables -t nat -F

Since you believe that he wants a very strict firewall, why are you setting the default policies to ACCEPT? Security 101: a strict firewall drops everything from the start. Then you open the access you require, not the other way around.

> #Give access for localhost:
> iptables -I INPUT -i lo -j ACCEPT
> iptables -I OUTPUT -o lo -j ACCEPT
>
> #To make life easier:
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> #Allowing needed ports:
> iptables -A INPUT -i eth0 -m multiport -p udp --dport 5060,10000:60000 -s
> ipthatyouwantallow -j ACCEPT
> iptables -A INPUT -i eth1 -m multiport -p udp --dport
> 53,80,5060,10000:60000 -j ACCEPT
> iptables -A OUTPUT -m multiport -p udp --dport 53 -j ACCEPT
> iptables -A FORWARD -m multiport -p udp --dport 53,5060,10000:60000 -s
> ipthatyouallow -j ACCEPT
> iptables -A FORWARD -m multiport -p tcp --dport 80 -j ACCEPT

First question you need to ask yourself: are there any hosting services on this box that will require a connection from the WAN side? If not, then you should change your INPUT statements to allow only the LAN. You do not require the INPUT statements for packets that pass through the box, as the FORWARD chain will handle all traffic passing through.

Second question: if you are using ESTABLISHED,RELATED, why are you not using NEW in the above rules?

Third question: have you enabled connection tracking? If you are using ESTABLISHED,RELATED then the system needs a way to keep track of the connection.

If you want a 100% secure firewall then you will not allow any INPUT. All modification would have to be done from the box using a keyboard. If this is not an option then you can allow access from a trusted IP only and set up other security options.

> #For masquerading:
> iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.0.0/24 -j MASQUERADE

If the WAN port is connected directly to the Internet then you should MASQ all outgoing traffic, and anything that is heading to 192.168.0.0/24 should be dropped.

> #For logging (troubleshooting):
> iptables -A INPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix
> '** INPUT DROP ** '
> iptables -A FORWARD -m limit --limit 2/m --limit-burst 2 -j
> LOG --log-prefix '** FORWARD DROP ** '
> iptables -A OUTPUT -m limit --limit 2/m --limit-burst 2 -j
> LOG --log-prefix '** OUTPUT DROP ** '

Logging any packets that make it this far is a good idea.

> #Finally dropping all other traffic (positive list firewall):
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP

This should be at the top of the firewall, not the ACCEPT you have there now.

> #Don't forget to save it:
> service iptables save
>
> I might make some mistakes up there, so the logging is very important. You

Just a few. :)

For your reading enjoyment.
http://iptables.rlworkman.net/chunkyhtml/index.html

--
Regards
Robert

Smile... it increases your face value!
Linux User #296285 http://counter.li.org
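Pulling the thread's advice together (policies set to DROP before any rule is added, NEW-only accept rules, INPUT restricted to the LAN apart from SIP/RTP from the two trusted peers, logging before the drop), here is an added example, not code from any of the posters: a shell function that prints the whole rule set in iptables-restore format so it can be reviewed and then loaded in one step. It also answers the -F question in a comment. The interface names, the LAN prefix and the peer addresses 203.0.113.5/6 are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore rule set
# for the dual-homed Asterisk/NAT box, with Robert's points applied: DROP
# policies first, NEW-only accept rules, INPUT from the LAN only except SIP/RTP
# from the two trusted WAN peers. Interface names and peer IPs are assumptions.
emit() { printf '%s\n' "$*"; }

gen_rules() {
    wan=$1 lan=$2 lannet=$3 peers=$4   # e.g. eth0 eth1 192.168.0.0/24 "203.0.113.5 203.0.113.6"
    emit '*filter'
    # A policy is the chain default, used only when no rule matched; "iptables -F"
    # flushes the rules but leaves the policy alone, so set DROP before any rule goes in.
    emit ':INPUT DROP [0:0]'; emit ':FORWARD DROP [0:0]'; emit ':OUTPUT DROP [0:0]'
    emit -A INPUT -i lo -j ACCEPT
    emit -A OUTPUT -o lo -j ACCEPT
    for c in INPUT OUTPUT FORWARD; do   # conntrack: replies and related flows pass
        emit -A "$c" -m state --state ESTABLISHED,RELATED -j ACCEPT
        emit -A "$c" -m state --state INVALID -j DROP
    done
    for p in $peers; do                 # WAN: SIP + RTP range, trusted peers only
        emit -A INPUT -i "$wan" -s "$p" -p udp -m multiport --dports 5060,10000:60000 \
            -m state --state NEW -j ACCEPT
    done
    # LAN: DNS, HTTP and VoIP to the box itself (HTTP and DNS zone transfers are TCP)
    emit -A INPUT -i "$lan" -s "$lannet" -p udp -m multiport --dports 53,5060,10000:60000 -m state --state NEW -j ACCEPT
    emit -A INPUT -i "$lan" -s "$lannet" -p tcp -m multiport --dports 53,80 -m state --state NEW -j ACCEPT
    emit -A OUTPUT -m state --state NEW -j ACCEPT   # box-originated: DNS lookups, SIP registration, updates
    # Shop clients: NEW connections LAN -> WAN only; nothing addressed to LAN space leaves via WAN
    emit -A FORWARD -o "$wan" -d "$lannet" -j DROP
    emit -A FORWARD -i "$lan" -o "$wan" -s "$lannet" -m state --state NEW -j ACCEPT
    for c in INPUT FORWARD OUTPUT; do   # rate-limited log of what the DROP policy is about to eat
        emit -A "$c" -m limit --limit 2/minute --limit-burst 2 -j LOG --log-prefix "\"** $c DROP ** \""
    done
    emit COMMIT
    emit '*nat'
    emit ':PREROUTING ACCEPT [0:0]'; emit ':POSTROUTING ACCEPT [0:0]'; emit ':OUTPUT ACCEPT [0:0]'
    emit -A POSTROUTING -o "$wan" -s "$lannet" -j MASQUERADE   # MASQ everything the LAN sends out
    emit COMMIT
}
# Inspect the output first, then load it atomically and persist it (CentOS):
#   gen_rules eth0 eth1 192.168.0.0/24 "203.0.113.5 203.0.113.6" | iptables-restore && service iptables save
```

Loading through iptables-restore replaces the whole table in one transaction, so there is no window where the ACCEPT-then-DROP ordering from the original script leaves the box open, and a typo fails the load instead of half-applying.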