Securing eth1 with IPTABLES

David Kreuter dkreuter-q4+D78v0SMv8u52rGdhAxQ at public.gmane.org
Tue Mar 23 14:12:30 UTC 2004


I lifted these commands pretty much straight out of the RH9 Linux Bible 
Chapter 16.
Entered by hand.
I'm trying to protect the linux machine which is on the 24.x.x.x network 
and exposed.
I do not want any uninvited packets to do damage to my linux host. My 
linux host is
acting as a router, replacing a windows machine that was providing the 
same function.
The router linux machine has two networks, 24.x.x.x. and 192.168.1.0.
The 192. net has 5 - 6 machines on it including the linux host.
Thanks.
David

Madison Kelly wrote:

> See my notes within the quoted message:
>
> David Kreuter wrote:
>
>> Madison et al thank you for your help. Here is the output as 
>> requested from
>> iptables-save:
>>
>> # Generated by iptables-save v1.2.7a on Mon Mar 22 19:46:40 2004
>> *filter
>> :INPUT ACCEPT [448733:27854874]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [447020:26108052]
>> -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
>
>  - Good, lets everything out (note that no more outbound rules will 
> match because no packet will pass this rule.)
>
>> -A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
>
>  - BAD! Here you say to let everything destined for your internal 
> subnet in. You may as well have no firewall at this point. No other 
> rules added after this will work because no inbound packets will go 
> past this rule (they all match and are ACCEPTed.)
>
>> -A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
>
>  - I can't think of a logical reason for this.
>
>> -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
>
>  - You repeated the first FORWARD rule
>
>> -A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
>
>  - Duplicate of the second rule...
>
>> -A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
>
>  - Again, unsure why this is here...
>
>> -A FORWARD -p tcp -j LOG --log-level 6
>
>  - This rule will never be matched because any packet would have 
> stopped traversing the FORWARD chain as soon as it hit one of the first 
> two all-encompassing rules.
>
>> -A FORWARD -p tcp -j LOG --log-prefix "Forward info" --log-level 6
>
>  - ditto. Put these BEFORE any rule would match.
>
>> COMMIT
>> # Completed on Mon Mar 22 19:46:40 2004
>> # Generated by iptables-save v1.2.7a on Mon Mar 22 19:46:40 2004
>> *nat
>> :PREROUTING ACCEPT [105414:5087474]
>> :POSTROUTING ACCEPT [6102:366228]
>> :OUTPUT ACCEPT [6288:377744]
>> -A POSTROUTING -o eth1 -j MASQUERADE
>> -A POSTROUTING -o eth1 -j MASQUERADE
>
>  - Why twice?
>
>> COMMIT
>> # Completed on Mon Mar 22 19:46:40 2004
>
>
> If you are writing this out via a shell script, can you post it? Also 
> recap what you want to do. I'll see if I can whip up a script for you 
> over lunch tomorrow at work.
>
> Madison
>
> -- 
> The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
>


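The ordering problem Madison points out (everything stops at the first two FORWARD rules, so the LOG and DROP rules never fire) can be checked mechanically. This is an added example, not code from the thread: a small Python simulator that walks the posted FORWARD rules for the two directions a two-homed router actually forwards (LAN to Internet, Internet to LAN) and reports which rules no packet can reach. It assumes placeholder addresses (24.0.0.1 for an outside host, 192.168.1.10 for a LAN host) and only handles the -s, -d and -p matches the dump uses.

```python
import ipaddress
import shlex
# Constructed sample: the FORWARD rules exactly as posted in the iptables-save dump above.
POSTED_FORWARD_RULES = """
-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
-A FORWARD -p tcp -j LOG --log-level 6
-A FORWARD -p tcp -j LOG --log-prefix "Forward info" --log-level 6
"""
# Constructed packets (src, dst, proto), placeholder addresses: LAN -> Internet, Internet -> LAN.
SAMPLE_PACKETS = [("192.168.1.10", "24.0.0.1", "tcp"), ("24.0.0.1", "192.168.1.10", "tcp")]
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # LOG is non-terminating: traversal continues
FIELD = {"-s": 0, "-d": 1, "-p": 2}         # which packet-tuple field each option matches

def parse_rule(line):
    """'-A CHAIN ...' -> ([(field, negated, value), ...], target)."""
    toks, crits, target, i = shlex.split(line), [], None, 0
    while i < len(toks):
        if toks[i] in FIELD:
            negated = toks[i + 1] == "!"            # old '-s ! net' syntax, as in the dump
            value = toks[i + 2] if negated else toks[i + 1]
            if toks[i] != "-p":                     # ip_network accepts dotted masks too
                value = ipaddress.ip_network(value, strict=False)
            crits.append((FIELD[toks[i]], negated, value))
            i += 3 if negated else 2
        elif toks[i] == "-j":
            target, i = toks[i + 1], i + 2
        else:
            i += 1                                  # '-A FORWARD', '--log-*' options, ...
    return crits, target

def matches(crits, pkt):
    # Every criterion must hold; a negated criterion holds when the field is NOT in the net.
    return all((pkt[f] == want if f == 2 else ipaddress.ip_address(pkt[f]) in want) != neg
               for f, neg, want in crits)

def unreachable_rules(rules_text, packets):
    # Indices of rules that no sample packet ever reaches: Madison's "will never be matched".
    rules = [parse_rule(line) for line in rules_text.strip().splitlines()]
    reached = set()
    for pkt in packets:
        for idx, (crits, target) in enumerate(rules):
            if matches(crits, pkt):
                reached.add(idx)
                if target in TERMINATING:           # first terminating match ends the walk
                    break
    return sorted(set(range(len(rules))) - reached)
```

Running `unreachable_rules(POSTED_FORWARD_RULES, SAMPLE_PACKETS)` flags rules 2 through 7 (the DROPs, the duplicates and both LOG rules) as dead; moving the LOG rules to the front makes every rule reachable, which is the reordering Madison suggests.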