Posted on 2008-03-26 13:05:11-07 by lshw
iptables script (noob)
Hello, I have not been using iptables for very long. In the past I've made rules based on ACCEPT; now I'd like to use DENY, also attempting to use the state function. I would like suggestions and useful help. (I've tried in some IRC channels and they are generally abusive, which I really don't have time for.)

Here are the script requirements:
- Web server offers http & https to internet
- Mail server uses SMTP, POP3, imap, imapssl
- Database server uses port 1433 TCP which is open to a remote lan, closed to all others.
- All servers need DNS.
- Maintenance of the firewalls is done on SSH.
- "Everything else" is DENY.

Here's what I've come up with so far: http://docs.google.com/Doc?docid=dhs4mgx8_82hdfq69vk&hl=en (Tried pasting the script here but was rejected.)
Direct Responses: 7465
Posted on 2008-03-26 14:32:08-07 by lshw in response to 7464
Re: iptables script (noob)
Here's the script after stripping out the offensive formatting
(insert dashes, dollar signs, colons)

# Syntax restored: the dashes, dollar signs and colons the forum stripped are back.
iptables -t filter -F
iptables -t filter -X

# Default policy: DROP
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP

# variables (values are the placeholders from the post; fill in real ones)
remote="iprange_for_db_users"   # remote LAN allowed to reach the database
www="eth0"                      # internet-facing interface
web="web_server_ip"
mail="mail_server_ip"
bbdd="database_server_ip"
ssh="ip_para_ssh_access"        # host allowed to SSH to the firewall
cf="firewall_ip"
all="0.0.0.0/0"                 # any external address

# Permit localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Start filtering: accept replies to connections already allowed, in every chain.
# (The original had this only on FORWARD; with the OUTPUT DROP policy the
# firewall could then not even answer its own SSH sessions.)
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# open web server http & https
# A connection from the internet to a server arrives on $www with the server as
# destination. "-s $server -o $www", as originally written, matches the
# opposite direction: the server opening connections out to the internet.
iptables -A FORWARD -m state --state NEW -p tcp -i $www -d $web --dport 80  -j ACCEPT
iptables -A FORWARD -m state --state NEW -p tcp -i $www -d $web --dport 443 -j ACCEPT

# open mail server smtp, pop3, imap, imapssl
iptables -A FORWARD -m state --state NEW -p tcp -i $www -d $mail --dport 25  -j ACCEPT
iptables -A FORWARD -m state --state NEW -p tcp -i $www -d $mail --dport 110 -j ACCEPT
iptables -A FORWARD -m state --state NEW -p tcp -i $www -d $mail --dport 143 -j ACCEPT
iptables -A FORWARD -m state --state NEW -p tcp -i $www -d $mail --dport 993 -j ACCEPT
# (the 993/udp rule is gone: IMAPS is TCP only)
# the mail server must also be able to deliver outbound mail
iptables -A FORWARD -m state --state NEW -p tcp -s $mail -o $www --dport 25 -j ACCEPT

# open database for users on the remote lan
# "-o" takes an interface name, not an address range: match the remote LAN as source.
iptables -A FORWARD -m state --state NEW -p tcp -i $www -s $remote -d $bbdd --dport 1433 -j ACCEPT

# open all servers for DNS (outbound queries; note to myself: change to range of ip's?)
iptables -A FORWARD -m state --state NEW -p tcp -s $web  -o $www --dport 53 -j ACCEPT
iptables -A FORWARD -m state --state NEW -p udp -s $web  -o $www --dport 53 -j ACCEPT
iptables -A FORWARD -m state --state NEW -p tcp -s $mail -o $www --dport 53 -j ACCEPT
iptables -A FORWARD -m state --state NEW -p udp -s $mail -o $www --dport 53 -j ACCEPT
iptables -A FORWARD -m state --state NEW -p tcp -s $bbdd -o $www --dport 53 -j ACCEPT
iptables -A FORWARD -m state --state NEW -p udp -s $bbdd -o $www --dport 53 -j ACCEPT

# open firewall to SSH
# The firewall itself is the destination, so this is an INPUT rule, not FORWARD.
iptables -A INPUT -m state --state NEW -p tcp -i $www -s $ssh -d $cf --dport 22 -j ACCEPT
# (the 22/udp rule is gone: SSH is TCP only)

# Close all other ports
# Already done by the DROP policy; kept only to be explicit. "-s any" is not
# valid iptables syntax, and a port range is written low:high.
iptables -A INPUT -i $www -s $all -p tcp --dport 1:1024 -j DROP
iptables -A INPUT -i $www -s $all -p udp --dport 1:1024 -j DROP
# Close webmin (likewise redundant under the DROP policy)
iptables -A INPUT -s $all -p tcp --dport 10000 -j DROP
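The same requirements as a complete script, added here as an example and not taken from the post: it writes the DROP-default, stateful ruleset in iptables-restore format so the whole set is loaded atomically (no window where the policy is DROP but the accept rules are not yet in place), and it schedules a timed rollback so a bad rule applied over SSH does not lock the administrator out. All addresses are assumed placeholders from the RFC 5737 test ranges, "eth0" stands for the post's internet-facing $www, and the function names (gen_rules, apply_rules, confirm_rules, count_new_rules) are this example's own.

```shell
#!/bin/sh
# Added example: stateful DROP-default ruleset for the post's three servers,
# generated as an iptables-restore file.  Addresses and interface are assumed.

WAN_IF="eth0"                # the post's $www: internet-facing interface
WEB="192.0.2.10"             # the post's $web   (placeholder)
MAIL="192.0.2.11"            # the post's $mail  (placeholder)
DB="192.0.2.12"              # the post's $bbdd  (placeholder)
DB_USERS="198.51.100.0/24"   # the post's $remote: LAN allowed to reach 1433/tcp
SSH_ADMIN="203.0.113.5"      # the post's $ssh: only host allowed to SSH to the firewall
ROLLBACK="/tmp/iptables.rollback"
ROLLBACK_SECS=60

# NEW connections from the internet to server $1 on TCP ports $2 (comma list).
fwd_in() {
    echo "-A FORWARD -i $WAN_IF -d $1 -p tcp -m multiport --dports $2 -m state --state NEW -j ACCEPT"
}
# NEW connections from server $1 out to the internet, protocol $2, port $3.
fwd_out() {
    echo "-A FORWARD -s $1 -o $WAN_IF -p $2 --dport $3 -m state --state NEW -j ACCEPT"
}

# Print the whole filter table in iptables-restore syntax.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $WAN_IF -s $SSH_ADMIN -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
EOF
    # Services published to the internet: traffic enters on WAN_IF, server is the destination.
    fwd_in "$WEB"  80,443
    fwd_in "$MAIL" 25,110,143,993
    # Database: only the remote LAN, only 1433/tcp (an address range is matched with -s, never -o).
    echo "-A FORWARD -i $WAN_IF -s $DB_USERS -d $DB -p tcp --dport 1433 -m state --state NEW -j ACCEPT"
    # Outbound: every server may resolve DNS; the mail server must also deliver mail.
    for srv in "$WEB" "$MAIL" "$DB"; do
        fwd_out "$srv" udp 53
        fwd_out "$srv" tcp 53
    done
    fwd_out "$MAIL" tcp 25
    # Rate-limited log of what the DROP policy is about to discard, for debugging the rules.
    echo "-A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FWD-DROP: \""
    echo "COMMIT"
}

# Number of rules that admit NEW connections; a quick sanity check on the ruleset.
count_new_rules() {
    gen_rules | grep -c -e '--state NEW'
}

# Save the live rules, load the new set atomically, and arm a rollback timer.
# If the SSH session survives, run confirm_rules before the timer fires.
apply_rules() {
    iptables-save > "$ROLLBACK" || return 1
    gen_rules | iptables-restore || return 1
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$ROLLBACK" ) &
    echo $! > "$ROLLBACK.pid"
    echo "loaded; run '$0 confirm' within $ROLLBACK_SECS s or the previous rules come back"
}
# Cancel the pending rollback.
confirm_rules() {
    kill "$(cat "$ROLLBACK.pid")" 2>/dev/null && rm -f "$ROLLBACK.pid"
}

case "${1:-}" in
    show)    gen_rules ;;
    apply)   apply_rules ;;
    confirm) confirm_rules ;;
esac
```

Run it as `sh fw.sh show` to review the ruleset, `sh fw.sh apply` to load it, and `sh fw.sh confirm` once the SSH session is confirmed to still work. Three caveats a reviewer would raise: the OUTPUT DROP policy also stops the firewall host itself from opening new connections (DNS, package updates), which needs explicit OUTPUT rules if that is wanted; the FORWARD rules assume the servers have routable addresses, and with private addresses DNAT rules in the nat table would be needed, which the post does not cover; and on current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`, kept here to match the post.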