help to build iptables rules for an oscar cluster

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I'm new on this list and noob in iptables rules. So I'm searching a
little bit help. I'm trying to build a simple firewall for our cluster
(Oscar/CentOS 5.5). I just want a ssh access in input for the head node.
All the others things in input must be blocked (at the moment) for the
head node. The nodes must have a total free access to the head node.

On the head node I have in /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24392:5034163]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
#
#
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
--name SSH --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60
--hitcount 4 --rttl --name SSH --rsource -j LOG --log-prefix
"SSH_brute_force "
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60
--hitcount 4 --rttl --name SSH --rsource -j DROP
#
#
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
#
# begin: allowed networks
-A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.100.0/255.255.255.0 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.200.0/255.255.255.0 -j ACCEPT
-A RH-Firewall-1-INPUT -s 139.11.215.0/255.255.128.0 -j ACCEPT
-A RH-Firewall-1-INPUT -s 139.11.0.0/255.255.0.0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j
ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT




An iptables -L gives me:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
state NEW recent: SET name: SSH side: source
LOG        tcp  --  anywhere             anywhere            tcp dpt:ssh
recent: UPDATE seconds: 60 hit_count: 4 TTL-Match name: SSH side: source
LOG level warning prefix `SSH_brute_force '
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh
recent: UPDATE seconds: 60 hit_count: 4 TTL-Match name: SSH side: source

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.0.0/24       anywhere
ACCEPT     all  --  192.168.100.0/24     anywhere
ACCEPT     all  --  192.168.200.0/24     anywhere
ACCEPT     all  --  139.11.128.0/17      anywhere
ACCEPT     all  --  139.11.0.0/16        anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            state NEW
tcp dpt:http
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW
tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with
icmp-host-prohibited
LOG        all  --  anywhere             anywhere            LOG level
warning
DROP       all  --  anywhere             anywhere




Thx in advance,
Best regards,
GiGGz

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux