Need Some Help Fine Tuning Rules....

Hiiiii,

I have a LAN that has 3 Windows 2000 computers and 1 Red Hat 7.3 (2.4.20) machine running iptables 1.2.7a (firewall/router). I need some help fine tuning my rules. Right now the Windows machines on my LAN behind the firewall can access the net without any restrictions. I mean as soon as I add a program like MSN Messenger I don't have to add rules to my firewall machine, it just lets it pass right on through. So this means so can trojans if they get opened on the firewall, like for instance my younger brother downloading files using Kazaa ;). How do I change my rules around so I have to create a rule in my iptables script for each program? I am a little confused on the FORWARDING rules using iptables. "Could someone please give me a few example rules and something I should change and add for something like web page access and MSN Messenger so I get an idea how to do it." Here is what most of my rules look like right now!

##################

# Set to 1 to load the stateful (-m state --state NEW) variants of the rules below.
CONNECTION_TRACKING=${CONNECTION_TRACKING:-1}

# Current address of the Internet interface (eth0). This will also update my ipaddress.
IP_INET=`/sbin/ifconfig eth0 | grep inet | cut -d: -f2 | cut -d\  -f1`

# Remove any existing rules from all chains.
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Unlimited access on the loopback interface.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
     
# Set the default policy to drop.
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT ACCEPT

iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy OUTPUT ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT

iptables -t mangle --policy PREROUTING ACCEPT
iptables -t mangle --policy OUTPUT ACCEPT

 

# Allow stateful connections
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

 

# Allow Access for DNS UDP for my ISP DNS server.
if [ "$CONNECTION_TRACKING" = "1" ]; then
   iptables -A OUTPUT -o eth0 -p udp \
            -s $IP_INET --sport 1024:65535 \
            -d 209.53.4.130 --dport 53 \
            -m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p udp \
         -s $IP_INET     --sport 1024:65535 \
         -d 209.53.4.130 --dport 53 -j ACCEPT


if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o eth0 -p udp \
             -s $IP_INET --sport 1024:65535 \
             -d 209.53.4.150 --dport 53 \
             -m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p udp \
         -s $IP_INET --sport 1024:65535 \
         -d 209.53.4.150 --dport 53 -j ACCEPT
      
# Allow access for my ISP DHCP server.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o eth0 -p udp \
             -s $IP_INET --sport 1024:65535 \
             -d 209.53.4.129 --dport 67 \
             -m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p udp \
         -s $IP_INET      --sport 1024:65535 \
         -d 209.53.4.129  --dport 67 -j ACCEPT


# Allow access to remote webservers PORT 80.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o eth0 -p tcp \
             -s $IP_INET --sport 1024:65535 \
             --dport 80 -m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p tcp \
         -s $IP_INET --sport 1024:65535 \
         --dport 80 -j ACCEPT


# Allow outgoing HTTPS connections (port 443).
if [ "$CONNECTION_TRACKING" = "1" ]; then
     iptables -A OUTPUT -o eth0 -p tcp \
              -s $IP_INET --sport 1024:65535 \
              --dport 443 -m state --state NEW \
              -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p tcp \
         -s $IP_INET --sport 1024:65535 \
         --dport 443 -j ACCEPT
 

# Fragmented ICMP Messages.
iptables -A INPUT -i eth0 --fragment -p icmp -j LOG \
         --log-prefix "Fragmented ICMP: "
iptables -A INPUT -i eth0 --fragment -p icmp -j DROP

# Source Quench Control
iptables -A INPUT -i eth0 -p icmp \
         --icmp-type source-quench -d $IP_INET -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
         -s $IP_INET --icmp-type source-quench -j ACCEPT

# Parameter Problem Status.
iptables -A INPUT -i eth0 -p icmp \
         --icmp-type parameter-problem -d $IP_INET -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
         -s $IP_INET --icmp-type parameter-problem -j ACCEPT

# Destination Unreachable Error.
iptables -A INPUT -i eth0 -p icmp \
         --icmp-type destination-unreachable -d $IP_INET -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
         -s $IP_INET --icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
         -s $IP_INET --icmp-type destination-unreachable -j DROP

# Time Exceeded Status
iptables -A INPUT -i eth0 -p icmp \
         --icmp-type time-exceeded -d $IP_INET -j ACCEPT

# Allow Outgoing pings to remote hosts
if [ "$CONNECTION_TRACKING" = "1" ]; then
     iptables -A OUTPUT -o eth0 -p icmp \
              -s $IP_INET --icmp-type echo-request \
              -m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p icmp \
         -s $IP_INET --icmp-type echo-request -j ACCEPT

# Incoming ping from Remote Hosts.
if [ "$CONNECTION_TRACKING" = "1" ]; then
     iptables -A INPUT -i eth0 -p icmp \
              -s 209.53.1.231 --icmp-type echo-request -d $IP_INET \
              -m state --state NEW -j ACCEPT
fi

iptables -A INPUT -i eth0 -p icmp \
         -s 209.53.1.231 --icmp-type echo-request -d $IP_INET -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
         -s $IP_INET --icmp-type echo-reply -d 209.53.1.231 -j ACCEPT

# Forwarding is allowed only in the direction LAN (eth1) -> Internet (eth0).
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT

# Masquerade (NAT) everything leaving through eth0 behind the firewall's address.
iptables -t nat -A POSTROUTING -o eth0  -j MASQUERADE

# Enable packet forwarding in the kernel.
echo 1 > /proc/sys/net/ipv4/ip_forward

 

Thank You...
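The line in the script that lets every program through is the blanket FORWARD rule `iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT`: it accepts anything from the LAN, and the `ESTABLISHED,RELATED` rule in FORWARD then passes the replies. The script below is an added example, not the poster's script or anything from the netfilter project. It replaces that one rule with one rule per permitted service, using the same interfaces and addresses as the post (eth1 is the LAN, eth0 the Internet, 209.53.4.130/150 the ISP resolvers). The service ports are assumptions: TCP 80/443 for web access and TCP 1863 (MSNP) for MSN Messenger sign-in and chat; the function names and the `show`/`apply` arguments are this example's own.

```shell
#!/bin/sh
# Added example (not the original poster's script): per-service FORWARD
# rules for a LAN on eth1 (192.168.0.0/24) going out via eth0.
# Assumptions: ISP resolvers as in the post; web = TCP 80/443;
# MSN Messenger sign-in/chat = TCP 1863 (MSNP). Any other program is
# logged and dropped until a rule is added for it.
#
# Usage:  sh lan-forward.sh show    # dry run, print the rules
#         sh lan-forward.sh apply   # load them (as root)

IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
ISP_DNS=${ISP_DNS:-"209.53.4.130 209.53.4.150"}

# allow_tcp_out PORT   -- new TCP connections from the LAN to PORT on any host
allow_tcp_out() {
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp --dport "$1" -m state --state NEW -j ACCEPT
}

# allow_udp_out PORT HOST   -- new UDP flows from the LAN to PORT on one HOST
allow_udp_out() {
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p udp -d "$2" --dport "$1" -m state --state NEW -j ACCEPT
}

# lan_forward_rules  -- the FORWARD chain, one rule per permitted service.
# This replaces the blanket "-s 192.168.0.0/24 -j ACCEPT" rule.
lan_forward_rules() {
    # Replies and related packets for flows already permitted below.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets the connection tracker cannot classify are not real replies.
    "$IPT" -A FORWARD -m state --state INVALID -j DROP

    # DNS, only to the ISP's resolvers
    for dns in $ISP_DNS; do
        allow_udp_out 53 "$dns"
    done
    # Web page access
    allow_tcp_out 80
    allow_tcp_out 443
    # MSN Messenger sign-in and chat (MSNP)
    allow_tcp_out 1863

    # Everything else from the LAN: log it (rate limited) so the denied
    # program shows up in /var/log/messages, then drop it.
    "$IPT" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -m limit --limit 5/min \
        -j LOG --log-prefix "FORWARD denied: "
    "$IPT" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j DROP
}

case "${1:-}" in
    show)  IPT=echo; lan_forward_rules ;;
    apply) lan_forward_rules ;;
esac
```

Run `sh lan-forward.sh show` first to see the exact commands, then `apply` in place of the blanket rule (the rest of the posted script, including `--policy FORWARD DROP` and the MASQUERADE rule, stays as it is; the final DROP is redundant with that policy, but the LOG line before it is what tells you which new program is being blocked). Two caveats: MSN file transfers and voice use ports other than 1863 and need their own rules, and port filtering only stops programs that use their own ports; a trojan that talks to its controller over TCP 80 still looks like web browsing to this firewall.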
