[ale] iptables firewall/nat

Dow Hurst dhurst at kennesaw.edu
Tue Oct 16 16:24:35 EDT 2001


Calvin,
I am sorry I don't have more time to help you out today; however, here
is an example of how to control both input and output chains and
guarantee that you initiate the connection.  Watch the line wrap!  Each
ipchain starts with $IPC, which is a variable set to /sbin/ipchains.

$IPC -A input  -i $EXTIF -p TCP -s $SMTP 25 -d $EXTIP  ! --syn -j ACCEPT
$IPC -A output -i $EXTIF -p TCP -d $SMTP 25 -s $EXTIP          -j ACCEPT

or

$IPC -A input  -i $EXTIF -p UDP -s $DNS 53 -j ACCEPT
$IPC -A output -i $EXTIF -p UDP -d $DNS 53 -j ACCEPT


Note, for example, that the $EXTIF is a variable which can be set at the
top of your script.  Note also the ! --syn which says the outside world
can't initiate the connection.  Note the output chain entry that pairs
the input chain entry controlling what your machine can output to the
Internet.  Play around with making the script more easily configured by
adding global variables at the top of the script.  Then add similar
entries as above for each service you want to enable.  Your default
chain policies should be to *deny* rather than accept.  I would
recommend you purchase Bob Toxen's book "Real World Linux Security" for
an extensive example of how to build a really nice ipchain script that
covers your needs without leaving holes open.  Check out
www.realworldlinuxsecurity.com for online info.
Dow

Calvin Harrigan wrote:
> 
> I did decide to stay with the ipchains as you suggested.  I got it set up to a
> point that I feel that it's fairly secure but I'm open to suggestions.  I've
> included my /etc/sysconfig/ipchains file.  Please comment, add/remove as you
> guys think might be useful/required.  Thanks.
> 
> :input ACCEPT
> :forward ACCEPT
> :output ACCEPT
> -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
> -A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
> -A input -s 207.217.126.81 53 -d 0/0 -p udp -j ACCEPT
> -A input -s 207.217.120.83 53 -d 0/0 -p udp -j ACCEPT
> -A input -s 0/0 -d 0/0 :1022 -p tcp -y -j REJECT
> -A input -s 0/0 -d 0/0 :1022 -p udp -j REJECT
> -A input -s 0/0 -d 0/0 6000:6010 -p tcp -j REJECT
> -A input -s 0/0 -d 0/0 6000:6010 -p udp -j REJECT
> -P forward DENY
> -A forward -i ppp0 -j MASQ
> 
> On Tuesday 16 October 2001 02:42 pm, you wrote:
> > Calvin,
> > Stick with Ipchains as there are stateful modules such as ipconntrack_ftp
> > for it that will give you everything in iptables without the confusion.
> > You need to give ipchains the MASQ option in your forwarding policy.
> > Dow
> >
> > Calvin Harrigan wrote:
> > > Did anything ever come of that discussion a few weeks ago about a basic
> > > firewalling system?  I would like to implement a firewall using iptables
> > > and also add NAT capabilities to it.  Any links, ideas, and so forth.  I
> > > will be implementing on RH 7.1.
> > > The default high security option during the install does a pretty good
> > > job, but it doesn't do NAT and it uses ipchains.  I'm not sure how to add
> > > nat to the ipchains implementation.  Thanks for the help.
> > >
> > > Calvin
> 
> --
> Signature?
> No thank you...

-- 
__________________________________________________________
Dow Hurst                   Office: 770-499-3428
Systems Support Specialist  Fax:    770-423-6744
1000 Chastain Rd.
Chemistry Department SC428  Email:dhurst at kennesaw.edu
Kennesaw State University         Dow.Hurst at mindspring.com
Kennesaw, GA 30144
*********************************
*Computational Chemistry is fun!*
*********************************

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
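The script layout described in the reply above (variables at the top, default-deny chain policies, one paired input/output rule per service) written out as a runnable sketch; this is an added example, not code from the thread. The interface name and all addresses are constructed placeholders, and dry_run prints the rules with IPC=echo so the structure can be checked without root or loading anything.

```shell
# Skeleton of the ipchains script described above: variables at the top,
# default-deny chain policies, one paired input/output rule per service.
# Set IPC=echo to print the rules instead of loading them (dry run, no root).
IPC="${IPC:-/sbin/ipchains}"
EXTIF="${EXTIF:-ppp0}"          # external interface (assumed)
EXTIP="${EXTIP:-192.0.2.10}"    # our external address (constructed placeholder)
SMTP="${SMTP:-192.0.2.25}"      # mail server we send through (constructed)
DNS="${DNS:-192.0.2.53}"        # resolver we query (constructed)

# Default policies deny; every permitted flow needs an explicit rule.
set_default_policies() {
    $IPC -P input   DENY
    $IPC -P output  DENY
    $IPC -P forward DENY
}

# TCP client to a chosen server: replies are accepted only without the SYN
# bit (! --syn), so the remote side can never be the one opening the connection.
tcp_client() {    # $1 = server address, $2 = server port
    $IPC -A input  -i "$EXTIF" -p TCP -s "$1" "$2" -d "$EXTIP" ! --syn -j ACCEPT
    $IPC -A output -i "$EXTIF" -p TCP -d "$1" "$2" -s "$EXTIP"         -j ACCEPT
}

# UDP client: no handshake, so only the address/port pairing limits it.
udp_client() {    # $1 = server address, $2 = server port
    $IPC -A input  -i "$EXTIF" -p UDP -s "$1" "$2" -d "$EXTIP" -j ACCEPT
    $IPC -A output -i "$EXTIF" -p UDP -d "$1" "$2" -s "$EXTIP" -j ACCEPT
}

build_ruleset() {
    $IPC -F                           # flush whatever is loaded now
    set_default_policies
    $IPC -A input  -i lo -j ACCEPT    # loopback stays open
    $IPC -A output -i lo -j ACCEPT
    tcp_client "$SMTP" 25             # add one such line per service
    udp_client "$DNS"  53
}

# Print the rules instead of loading them (subshell keeps IPC=echo local).
dry_run() {
    ( IPC=echo; build_ruleset )
}

# Number of -A rules the dry run would load; a quick sanity check.
count_rules() {
    dry_run | grep -c -- '-A '
}
```

Call build_ruleset as root to load the rules, or dry_run to review them first.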