Firewall: iptables rules for ssh, web, e-mail and DNS

From: Tomás García Ferrari (tgf_at_bigital.com)
Date: 12/02/03

  • Next message: Michael Hamam: "samba/ldap issues"
    To: RedHat List <redhat-list@redhat.com>
    Date: Tue, 02 Dec 2003 10:17:21 -0300
    
    

    Hello:

    I'm trying to configure iptables (on RH 9) with a restrictive set of rules,
    to leave open only ssh, http, pop3 / imap, smtp and DNS ports and close all
    the rest.

    I was reading tons of different articles and options all over the web, but
    none of them gave me a pretty basic and simple way of configuring this
    (it's that 'black magic' thing, isn't it?)

    Which script do you normally use? Where can I find this information?

    Thanks!
    Tomás

    PS: this is the clearest script I found... but my DNS is not responding if I
    use it! :(

    +--- starts here

    #!/bin/bash
    #
    # This is a sample firewall for ip_tables, the tool for doing firewalling
    # and masquerading under the 2.3.x/2.4.x series of kernels.
    #
    # Be warned, this is a very restrictive set of firewall rules (and they
    # should be, for proper security). Anything that you do not _specifically_
    # allow is logged and dropped into /dev/null, so if you're wondering why
    # something isn't working, check /var/log/messages.
    #
    # This is about as close as you get to a 'secure' firewall. It's nasty,
    # it's harsh, and it will make your machine nearly invisible to the rest
    # of the internet world. Have fun.
    #
    # To run this script you must 'chmod 700 iptables-script' and then execute
    # it. To stop it from running, run 'iptables -F'

    #Point this to your copy of ip_tables (Red Hat 9 installs it as
    #/sbin/iptables; the script as posted pointed at /usr/local/bin/iptables)
    IPT="/sbin/iptables"

    #Load the module.
    modprobe ip_tables

    #Flush old rules, delete the firewall chain if it exists
    #(the -X fails harmlessly on the first run, before the chain exists)
    $IPT -F
    $IPT -F -t nat
    $IPT -X firewall 2>/dev/null

    #Setup Masquerading. Change the IP to your internal network and uncomment
    #this in order to enable it.
    #$IPT -A POSTROUTING -t nat -s 192.168.1.0/24 -j MASQUERADE
    #$IPT -P FORWARD ACCEPT
    #echo 1 > /proc/sys/net/ipv4/ip_forward

    #Set up the firewall chain: log, then drop
    $IPT -N firewall
    $IPT -A firewall -j LOG --log-level info --log-prefix "Firewall:"
    $IPT -A firewall -j DROP

    #Accept ourselves
    $IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
    #If you're using IP Masquerading, change this IP to whatever your internal
    #IP address is and uncomment it
    #$IPT -A INPUT -s 192.168.1.1/32 -d 0/0 -j ACCEPT

    #Accept DNS, 'cause it's warm and friendly
    #(this only accepts replies coming *from* port 53/udp, i.e. answers to
    # this host's own lookups; nothing below lets queries *in* to a DNS
    # server running on this machine)
    $IPT -A INPUT -p udp --source-port 53 -j ACCEPT
    #Accept ident/auth (113) in both directions; mail servers often probe it
    $IPT -A INPUT -p tcp --source-port 113 -j ACCEPT
    $IPT -A INPUT -p tcp --destination-port 113 -j ACCEPT

    #Allow ftp to send data back and forth (active-mode data connections
    #from port 20). This rule must be a single command; it was wrapped onto
    #two lines in the copy above, which makes bash run "-j ACCEPT" on its own.
    $IPT -A INPUT -p tcp ! --syn --source-port 20 --destination-port 1024:65535 \
        -j ACCEPT

    #Accept SSH. Duh.
    $IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT

    #Send everything else to the firewall.
    #Only TCP SYNs (new connections) go there; non-SYN TCP falls through to
    #the INPUT chain's default policy, which this script never changes from
    #ACCEPT. New inbound TCP is therefore allowed only to ports 22 and 113.
    $IPT -A INPUT -p icmp -j firewall
    $IPT -A INPUT -p tcp --syn -j firewall
    $IPT -A INPUT -p udp -j firewall

    +--- ends here

    +-- --+
        Tomás García Ferrari
        Bigital
        http://bigital.com/
    +-- --+

    -- 
    redhat-list mailing list
    unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    https://www.redhat.com/mailman/listinfo/redhat-list
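The script quoted in the post opens new inbound TCP only to port 22 (and 113), and the only DNS it admits is UDP replies from source port 53; it never opens 53, 80, 25, 110 or 143 as destination ports, so a DNS server (or any of the other listed services) on that host is unreachable. The following is an added example, not the script from the post or any Red Hat-supplied file, of the rule set the question actually asks for: default-deny INPUT, connection tracking so that replies to the host's own queries come back, and new connections accepted only to ssh, http, smtp, pop3, imap and DNS (both UDP and TCP, since large answers and zone transfers use TCP). It assumes a 2.4-era kernel with ip_conntrack and the state match (Red Hat 9 ships both), iptables at /sbin/iptables, and a host with a single public interface. The port lists, chain name LOGDROP and the apply/show/stop subcommands are this example's own choices.

```bash
#!/bin/bash
# Added example: restrictive iptables policy for a host serving ssh, web,
# mail and DNS. Assumptions: 2.4 kernel with ip_conntrack, iptables in
# /sbin. Usage:  ./fw.sh apply   (as root)
#                ./fw.sh show    (print the rules without touching the kernel)
#                ./fw.sh stop    (open the firewall again)

IPT=${IPT:-/sbin/iptables}

# Services that may receive NEW inbound connections (numeric ports, so no
# /etc/services lookup is needed).  22 ssh, 80 http, 25 smtp, 110 pop3,
# 143 imap, 53 dns (TCP for large answers and zone transfers).
TCP_PORTS="22 80 25 110 143 53"
# UDP services: DNS only.
UDP_PORTS="53"

# Prints one rule per line; substituted for $IPT by "show" and by the tests.
echo_rule() { printf '%s\n' "$*"; }

apply_rules() {
    # Start from a clean slate; -X on a missing chain fails harmlessly.
    $IPT -F
    $IPT -F -t nat
    $IPT -X LOGDROP 2>/dev/null || true

    # Default-deny inbound and forwarded traffic; the host may talk out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Log (rate-limited so a port scan cannot fill /var/log/messages), then drop.
    $IPT -N LOGDROP
    $IPT -A LOGDROP -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-level info --log-prefix "Firewall: "
    $IPT -A LOGDROP -j DROP

    # Loopback is trusted (matched by interface, not by address).
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened (its own DNS lookups, outbound
    # smtp, apt/up2date, ...) and related packets (ICMP errors, ftp-data)
    # are admitted by connection tracking, not by guessing source ports.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets claiming to belong to a connection conntrack has never seen.
    $IPT -A INPUT -m state --state INVALID -j LOGDROP

    # New inbound connections only to the published services.
    for p in $TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $UDP_PORTS; do
        $IPT -A INPUT -p udp --dport "$p" -j ACCEPT
    done

    # Answer pings; every other unsolicited ICMP type is dropped below.
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Everything else is logged and dropped.
    $IPT -A INPUT -j LOGDROP
}

stop_rules() {
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -F
    $IPT -X LOGDROP 2>/dev/null || true
}

case "$1" in
    apply)
        modprobe ip_conntrack 2>/dev/null || true
        apply_rules
        ;;
    show)
        IPT=echo_rule
        apply_rules
        ;;
    stop)
        stop_rules
        ;;
esac
```

Run "apply" from the console, or at least keep a second shell open: the INPUT policy becomes DROP before the ESTABLISHED rule is added, so an ssh session survives only if the whole script completes. Adding a service means adding its port to TCP_PORTS or UDP_PORTS; nothing else in the rule set is service-specific, which is what makes it easy to audit with "iptables -L -n -v".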
    
