Securing eth1 with IPTABLES

Madison Kelly linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Tue Mar 23 17:55:38 UTC 2004


Eh, I won't be one to comment on other docs, what do I know? I can point 
you to my talk though which has a sample firewall and some info on 
setting up firewalls and how they work. Others have pointed out bugs so 
it isn't perfect but I think it is good enough to help you get a 
firewall doing what you want. Here's the PDF and SXW copies:

http://thelinuxexperience.com/whitepapers/TLE-WhitePaper_Netfilter-v1.1.pdf
http://thelinuxexperience.com/whitepapers/TLE-WhitePaper_Netfilter-v1.1.sxw

Hope that helps.

Madison

David Kreuter wrote:
> I lifted these commands pretty much straight out of the RH9 Linux Bible 
> Chapter 16.
> Entered by hand.
> I'm trying to protect the linux machine which is on the 24.x.x.x network 
> and exposed.
> I do not want any uninvited packets to do damage to my linux host. My 
> linux host is
> acting as a router, replacing a windows machine that was providing the 
> same function.
> The router linux machine has two networks, 24.x.x.x. and 192.168.1.0.
> The 192. net has 5 - 6 machines on it including the linux host.
> Thanks.
> David
> 
> Madison Kelly wrote:
> 
>> See my notes within the quoted message:
>>
>> David Kreuter wrote:
>>
>>> Madison et al thank you for your help. Here is the output as 
>>> requested from
>>> iptables-save:
>>>
>>> # Generated by iptables-save v1.2.7a on Mon Mar 22 19:46:40 2004
>>> *filter
>>> :INPUT ACCEPT [448733:27854874]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [447020:26108052]
>>> -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
>>
>>
>>  - Good, lets everything out (note that no more outbound rules will 
>> match because no packet will pass this rule.)
>>
>>> -A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
>>
>>
>>  - BAD! Here you say to let everything destined for your internal 
>> subnet in. You may as well have no firewall at this point. No other 
>> rules added after this will work because no inbound packets will go 
>> past this rule (they all match and are ACCEPTed.)
>>
>>> -A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
>>
>>
>>  - I can't think of a logical reason for this.
>>
>>> -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
>>
>>
>>  - You repeated the first FORWARD rule
>>
>>> -A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
>>
>>
>>  - Duplicate of the second rule...
>>
>>> -A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
>>
>>
>>  - Again, unsure why this is here...
>>
>>> -A FORWARD -p tcp -j LOG --log-level 6
>>
>>
>>  - This rule will never be matched because any packet would have 
>> stopped traversing the FORWARD chain as soon as it hit one of the first 
>> two all-encompassing rules.
>>
>>> -A FORWARD -p tcp -j LOG --log-prefix "Forward info" --log-level 6
>>
>>
>>  - ditto. Put these BEFORE any rule would match.
>>
>>> COMMIT
>>> # Completed on Mon Mar 22 19:46:40 2004
>>> # Generated by iptables-save v1.2.7a on Mon Mar 22 19:46:40 2004
>>> *nat
>>> :PREROUTING ACCEPT [105414:5087474]
>>> :POSTROUTING ACCEPT [6102:366228]
>>> :OUTPUT ACCEPT [6288:377744]
>>> -A POSTROUTING -o eth1 -j MASQUERADE
>>> -A POSTROUTING -o eth1 -j MASQUERADE
>>
>>
>>  - Why twice?
>>
>>> COMMIT
>>> # Completed on Mon Mar 22 19:46:40 2004
>>
>>
>>
>> If you are writing this out via a shell script, can you post it? Also 
>> recap what you want to do. I'll see if I can whip up a script for you 
>> over lunch tomorrow at work.
>>
>> Madison


--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
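The point Madison makes about the posted ruleset is that iptables chains are first-match: once a packet hits an ACCEPT or DROP it stops traversing the chain, while LOG is non-terminating and only fires if it is reached. The script below is an added example, not part of the thread and not Madison's promised script. It parses the FORWARD rules exactly as they appear in the quoted iptables-save output, plus an assumed reordered version (LOG first, then ESTABLISHED/RELATED replies, then traffic from the 192.168.1.0/24 LAN, then DROP), and walks a few constructed packets through both to show which rules are ever reached. The packet addresses and the `pkt`, `parse_rules` and `traverse` helpers are constructed for this example; only a small subset of iptables match syntax is understood.

```python
import ipaddress
import shlex

# FORWARD chain exactly as posted in the thread's iptables-save output
POSTED_FORWARD = """\
-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
-A FORWARD -p tcp -j LOG --log-level 6
-A FORWARD -p tcp -j LOG --log-prefix "Forward info" --log-level 6
"""

# Reordered chain: an assumed correction written for this example, not the
# thread's script.  LOG first (it never stops traversal), then accept replies
# to connections the LAN opened, then accept traffic from the LAN, then drop
# whatever is left so the internal subnet is not reachable from outside.
FIXED_FORWARD = """\
-A FORWARD -p tcp -j LOG --log-prefix "Forward info" --log-level 6
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -j DROP
"""


def parse_rules(text):
    """Parse '-A FORWARD ...' lines into match dicts (small subset of iptables syntax)."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        rule = {"src": None, "dst": None, "proto": None, "states": None,
                "target": None, "prefix": ""}
        i = 0
        while i < len(toks):
            t = toks[i]
            if t == "-A":
                i += 2                                  # chain name, not needed here
            elif t in ("-s", "-d"):
                negate = toks[i + 1] == "!"             # '-s ! net' form used in the post
                i += 2 if negate else 1
                # ip_network accepts the dotted-netmask form iptables-save emits
                rule["src" if t == "-s" else "dst"] = (negate, ipaddress.ip_network(toks[i]))
                i += 1
            elif t == "-p":
                rule["proto"] = toks[i + 1]; i += 2
            elif t == "-m":
                i += 2                                  # match extension name (state)
            elif t == "--state":
                rule["states"] = set(toks[i + 1].split(",")); i += 2
            elif t == "-j":
                rule["target"] = toks[i + 1]; i += 2
            elif t == "--log-prefix":
                rule["prefix"] = toks[i + 1]; i += 2
            elif t == "--log-level":
                i += 2                                  # level does not affect matching
            else:
                raise ValueError("unsupported token %r" % t)
        rules.append(rule)
    return rules


def matches(rule, pkt):
    """Return True if every criterion on the rule matches the packet."""
    for key in ("src", "dst"):
        if rule[key] is not None:
            negate, net = rule[key]
            if (ipaddress.ip_address(pkt[key]) in net) == negate:
                return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    return True


def traverse(rules, pkt, policy="ACCEPT"):
    """Walk the chain first-match style.

    Returns (verdict, log prefixes emitted, 1-based indices of rules reached).
    ACCEPT/DROP end traversal; LOG records and continues; the chain policy
    applies if nothing terminates.
    """
    logged, reached = [], []
    for idx, rule in enumerate(rules, 1):
        reached.append(idx)
        if not matches(rule, pkt):
            continue
        if rule["target"] == "LOG":
            logged.append(rule["prefix"])
        else:
            return rule["target"], logged, reached
    return policy, logged, reached


def pkt(src, dst, proto="tcp", state="NEW"):
    return {"src": src, "dst": dst, "proto": proto, "state": state}


# Constructed sample packets (addresses are made up for the example)
INBOUND_NEW = pkt("24.0.0.1", "192.168.1.5")                       # uninvited, from outside
INBOUND_REPLY = pkt("24.0.0.1", "192.168.1.5", state="ESTABLISHED")  # reply to a LAN connection
OUTBOUND_NEW = pkt("192.168.1.5", "24.0.0.1")                      # LAN host going out


def main():
    for name, text in (("posted", POSTED_FORWARD), ("fixed", FIXED_FORWARD)):
        rules = parse_rules(text)
        for label, p in (("inbound NEW", INBOUND_NEW), ("inbound reply", INBOUND_REPLY),
                         ("outbound NEW", OUTBOUND_NEW)):
            verdict, logged, reached = traverse(rules, p)
            print("%-6s %-14s verdict=%-6s logged=%s reached rules %s"
                  % (name, label, verdict, logged, reached))


if __name__ == "__main__":
    main()
```

With the posted chain, the uninvited inbound packet is ACCEPTed by rule 2 and rules 3 to 5 are never reached, so nothing is ever logged; with the reordered chain the same packet is logged and then dropped, while replies and LAN-originated traffic still pass. Run it against a real box only after adapting the subnet and the chain policy; the simulator knows nothing about the nat table, so the duplicated MASQUERADE rule in the post is not covered here.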




