Weblog entry #1 for onez_sumlang

About IPTABLES...
Posted by onez_sumlang on Mon 19 May 2008 at 15:34
# To configure the set of iptables rules:
#
# /etc/rc.d/init.d/iptables stop
# source /etc/sysconfig/iptables-precursor
#
# To save the current set of iptables rules for use at next reboot:
#
# iptables-save > /etc/sysconfig/iptables
#
# To dynamically restart iptables after modifying /etc/sysconfig/iptables:
#
# /etc/rc.d/init.d/iptables restart
#
# To examine the current set of rules in effect:
#
# /etc/rc.d/init.d/iptables status
#
# To let hosts on the internal network send IP packets to the outside world,
# enable IP forwarding:
#
# echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Prevent SYN floods from consuming memory resources:
#
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#
# Configure default policies (-P): the rule applied to a packet when no more
# specific rule below matches it. Defaults are to DROP anything sent to the
# firewall itself or to the internal network, and to permit anything going out.
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Flush (-F) all specific rules
#
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
# Forward all packets from eth1 (internal network) to eth0 (the internet).
#
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
#
# Forward packets that are part of existing and related connections from eth0 to eth1.
#
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Permit packets in to firewall itself that are part of existing and related connections.
#
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all inputs to firewall from the internal network and local interfaces
#
iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
# SNAT (Source NAT) maps the private source addresses of hosts on the
# internal LAN to one of my public static IP addresses. The nat table sees
# only the first packet of each connection (for TCP, the SYN from the
# internal client x.y.z.c going out through eth0); conntrack applies the
# same mapping to the rest of that connection.
#
iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source x.y.
#
# Alternative to SNAT: MASQUERADE, which uses whatever address eth0 currently
# has (for a dynamically assigned public address):
#
# iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
# Deny any packet coming in on the public internet interface eth0
# which has a spoofed source address from our local networks:
#
iptables -A INPUT -i eth0 -s x.y.z.s/32 -j DROP
iptables -A INPUT -i eth0 -s x.y.z.c/32 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
# Accept all tcp SYN packets for protocols SMTP, HTTP, HTTPS, and SSH:
# (SMTP connections are further audited by our SMTP server)
#
iptables -A INPUT -p tcp -s 0/0 -d x.y.z.m/32 --destination-port 25 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 80 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 443 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT
#
# Corresponding FORWARD rules for the same services on hosts behind the
# firewall (x.y.z.m, x.y.z.w), disabled here:
#
# iptables -A FORWARD -p tcp -s 0/0 -d x.y.z.m/32 --destination-port 25 --syn -j ACCEPT
# iptables -A FORWARD -p tcp -s 0/0 -d x.y.z.w/32 --destination-port 80 --syn -j ACCEPT
# iptables -A FORWARD -p tcp -s 0/0 -d x.y.z.w/32 --destination-port 443 --syn -j ACCEPT
# iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT
#
# Sometimes I run older versions of SSH on port 2200:
#
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 2200 --syn -j ACCEPT
#
# For imapd via stunnel (instead of xinetd-based imapd):
#
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 993 --syn -j ACCEPT
#
# For xinetd-based IMAP server (see /etc/xinetd.conf for who can use it):
#
#iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 143 --syn -j ACCEPT
#
# For DHCP server (DHCP runs over UDP; the TCP rule is harmless but unused):
#
iptables -A INPUT -i eth1 -p tcp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --sport 68 --dport 67 -j ACCEPT
#
# For LDAP clients:
#
#iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 389 --syn -j ACCEPT
#dga- worry about LDAP later (after I decode LDAP documentation (-;)
#
# DNS queries:
#
# Permit responses from our ISP's DNS server. When a client running on our
# host makes a DNS query, the outgoing query is allowed since we permit all
# outgoing packets. The reply is a UDP datagram back to the high-numbered
# client port from which the query was made. So we only need to permit UDP
# packets from our ISP's DNS servers back to high-numbered ports:
#
#iptables -A INPUT -p udp -s <ISP DNS server IP>/32 --source-port 53 -d 0/0 --destination-port 1024:65535 -j ACCEPT
#
# But since we trust our ISP's DNS server not to have been hacked, and we may
# not be sure what our client port range is, we loosen this to:
#
iptables -A INPUT -p udp -s <ISP DNS server IP>/32 --source-port 53 -d 0/0 -j ACCEPT
#
# Note that the ESTABLISHED,RELATED rule on eth0 above already lets conntrack
# pass the reply to any query this host sent, so on a conntrack-capable kernel
# this stateless rule is not needed, and it trusts a source address that
# anyone on the path can forge.
# Running a caching DNS server
#
# Replies to the cache's own recursive queries come back from port 53 of
# arbitrary servers to a high-numbered port on x.y.z.d. Caveat: this also
# admits any UDP datagram to any port above 1023 on x.y.z.d as long as the
# sender sets source port 53 (the classic source-port-53 bypass); the
# ESTABLISHED,RELATED rule above covers genuine replies without that hole.
#
iptables -A INPUT -p udp -s 0/0 --source-port 53 -d x.y.z.d/32 --destination-port 1024:65535 -j ACCEPT
# Running a DNS server (tinydns)
#
# When we run a DNS server, we have to accept UDP from anywhere to port 53
#
iptables -A INPUT -p udp -s 0/0 -d 0/0 --destination-port 53 -j ACCEPT
#
# Allow DNS zone transfers via TCP from ISP Master DNS server:
#
# iptables -A INPUT -p tcp -s <ISP Master DNS server IP>/32 -d 0/0 --destination-port 53 --syn -j ACCEPT
#
# For some other custom server running here listening on port <port number>:
#
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port <port number> --syn -j ACCEPT
#
# For FTP server, restricted to specific local hosts (and see /etc/xinetd.conf):
# (for public file transfers we use scp, sftp, and related SSH file transfer tools)
#
iptables -A INPUT -p tcp -s x.y.z.s/32 -d 0/0 --destination-port 20 --syn -j ACCEPT
iptables -A INPUT -p tcp -s x.y.z.s/32 -d 0/0 --destination-port 21 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 127.0.0.0/8 -d 0/0 --destination-port 20 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 127.0.0.0/8 -d 0/0 --destination-port 21 --syn -j ACCEPT
#
# For Samba (smbd and nmbd), restricted to specific local client hosts (x.y.z.c):
#
iptables -A INPUT -p tcp -s x.y.z.c/32 -d x.y.z.s/32 --destination-port 139 --syn -j ACCEPT
iptables -A INPUT -p udp -s x.y.z.c/32 -d x.y.z.s/32 --destination-port 137 -j ACCEPT
#
# Drop everything else. DROP rather than REJECT, so the sender gets no
# 'ICMP port unreachable' response.
#
iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
Source: oceanpark.com firewall rules (using iptables)
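A rule file that has been through a web page arrives damaged in predictable ways: the listing above has en dashes where `--` belongs, one rule split across two lines after its `-j`, and a `-syn` with a single dash. Sourcing such a file fails part way through and leaves the host with whatever subset of rules loaded before the first error, so it pays to check and repair it mechanically first. The following is an added example, not part of the original post or of the oceanpark.com rules; the function names, the finding categories and the sample rule file are my own constructions, and it assumes a POSIX sh with grep, sed -E and awk.

```sh
#!/bin/sh
# Added example, not from the original post or the oceanpark.com rules: lint
# and repair an iptables rule script that has been through a web page before
# it is sourced.  Function names are mine; the sample file is constructed.

# UTF-8 punctuation substituted for "--" and quotes, as octal for printf(1):
# U+2013 en dash, U+2014 em dash, U+2018/2019 and U+201C/201D quotes.
TYPOGRAPHIC_BYTES='\342\200\223 \342\200\224 \342\200\230 \342\200\231 \342\200\234 \342\200\235'

# Long options that need two dashes: iptables parses "-syn" as "-s yn", a
# bogus source address, and rejects the rule instead of matching SYN packets.
LONG_OPTIONS='syn|state|sport|dport|source-port|destination-port|to-source|to-destination'

# lint_iptables_rules FILE: prints one "category:lineno:text" record per
# finding; returns 0 if FILE is clean, 1 otherwise.  LC_ALL=C makes grep see
# raw bytes, so the result does not depend on the caller's locale.
lint_iptables_rules() {
    lint_file=$1; lint_found=0
    for lint_oct in $TYPOGRAPHIC_BYTES; do
        lint_seq=$(printf "$lint_oct")
        lint_hits=$(LC_ALL=C grep -n -F -e "$lint_seq" "$lint_file") || continue
        printf '%s\n' "$lint_hits" | sed 's/^/typographic-char:/'
        lint_found=1
    done
    # Any other byte outside printable ASCII, e.g. U+00A0 no-break space: in
    # the C locale every byte >= 0x80 fails both [:print:] and [:space:].
    lint_hits=$(LC_ALL=C grep -n -e '[^[:print:][:space:]]' "$lint_file") || lint_hits=
    for lint_oct in $TYPOGRAPHIC_BYTES; do        # drop lines reported above
        [ -n "$lint_hits" ] || break
        lint_seq=$(printf "$lint_oct")
        lint_hits=$(printf '%s\n' "$lint_hits" | LC_ALL=C grep -v -F -e "$lint_seq") || lint_hits=
    done
    if [ -n "$lint_hits" ]; then
        printf '%s\n' "$lint_hits" | sed 's/^/non-ascii:/'
        lint_found=1
    fi
    lint_hits=$(LC_ALL=C grep -n -E -e " -($LONG_OPTIONS)([[:space:]]|\$)" "$lint_file") || lint_hits=
    if [ -n "$lint_hits" ]; then
        printf '%s\n' "$lint_hits" | sed 's/^/single-dash-option:/'
        lint_found=1
    fi
    # A rule the page wrapped: the line ends in "-j" and the target follows.
    lint_hits=$(LC_ALL=C grep -n -E -e '-j[[:space:]]*$' "$lint_file") || lint_hits=
    if [ -n "$lint_hits" ]; then
        printf '%s\n' "$lint_hits" | sed 's/^/wrapped-rule:/'
        lint_found=1
    fi
    return $lint_found
}

# lint_finding_count FILE: number of findings, on stdout.
lint_finding_count() {
    lint_iptables_rules "$1" | wc -l | tr -d ' '
}

# normalize_iptables_rules IN OUT: mechanically undo what the lint reports
# (dashes -> "--", curly quotes -> ' or ", NBSP -> space, a "-j" line joined
# with the next, long options given their second dash).  Encoding repair only.
normalize_iptables_rules() {
    norm_en=$(printf '\342\200\223') norm_em=$(printf '\342\200\224')
    norm_lq=$(printf '\342\200\230') norm_rq=$(printf '\342\200\231')
    norm_ldq=$(printf '\342\200\234') norm_rdq=$(printf '\342\200\235')
    norm_nbsp=$(printf '\302\240')
    LC_ALL=C sed -e "s/$norm_en/--/g" -e "s/$norm_em/--/g" \
        -e "s/$norm_lq/'/g" -e "s/$norm_rq/'/g" \
        -e "s/$norm_ldq/\"/g" -e "s/$norm_rdq/\"/g" \
        -e "s/$norm_nbsp/ /g" "$1" |
    LC_ALL=C sed -E -e "s/ -($LONG_OPTIONS)([[:space:]])/ --\1\2/g" \
        -e "s/ -($LONG_OPTIONS)\$/ --\1/" |
    awk '{ line = line $0
           if (line ~ /-j[ \t]*$/) { line = line " "; next }
           print line; line = "" }
         END { if (line != "") print line }' > "$2"
}

# make_sample_rules FILE: constructed input, not real data, with the kinds of
# damage seen in the listing above (\342\200\223 = en dash, \302\240 = NBSP).
make_sample_rules() {
    {
        printf '# constructed sample: rules copied back out of a web page\n'
        printf 'iptables -P INPUT DROP\n'
        printf 'iptables -A INPUT -i eth0 -m state \342\200\223state ESTABLISHED,RELATED -j ACCEPT\n'
        printf 'iptables -A INPUT -p tcp \342\200\223destination-port 22 \342\200\223syn -j ACCEPT\n'
        printf 'iptables -A INPUT -p udp -s 0/0 --source-port 53 -d 0/0 --destination-port 1024:65535 -j\n'
        printf 'ACCEPT\n'
        printf '#iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 389 -syn -j ACCEPT\n'
        printf 'iptables -A INPUT -i eth1 -j ACCEPT\302\240\n'
        printf 'iptables -A INPUT -p tcp --dport 443 --syn -j ACCEPT\n'
    } > "$1"
}

# Stand-alone demo: lint the sample, repair it, lint the repaired copy.
demo_in=$(mktemp) && demo_out=$(mktemp)
make_sample_rules "$demo_in"
lint_iptables_rules "$demo_in" || echo "$(lint_finding_count "$demo_in") finding(s); repairing"
normalize_iptables_rules "$demo_in" "$demo_out"
lint_iptables_rules "$demo_out" && echo "repaired copy is clean"
rm -f "$demo_in" "$demo_out"
```

Run `lint_iptables_rules rules.sh` before `source rules.sh`, and only source a file it passes. The normalizer undoes the encoding damage and nothing more: the output still has to be read, since it cannot recover anything the page itself lost, such as the truncated `--to-source x.y.` address in the SNAT rule above.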


Comments on this Entry

Posted by Anonymous (217.216.xx.xx) on Mon 19 May 2008 at 17:37
Hi, which charset are you using? Your config file is full of weird symbols, apparently.