krunk Guru
Joined: 27 Jul 2003 Posts: 316
Posted: Thu Apr 08, 2004 9:02 pm Post subject: HOWTO: Iptables for newbies. PART I: Getting Started
Linux Iptables for Newbies
Part I: Getting up and running
Part II: Hardening Your Firewall
I found the iptables documentation available to be severely un-newbie friendly. Most assumed a more than working knowledge of ipchains and pretty much picked up from there. Usually my approach to a new endeavor is that I want the option of getting up and going quickly, with minimal explanation. Afterwards I go back to read over more advanced options. This howto is designed with that in mind. It'll get you connected to the internet quickly through your linux router so you know your set-up is basically functional, and then it will incrementally add rules and policies so that you'll know which specific command was the cause of any problems that may arise.
Also, this document will focus mainly on using a pppoe connection to the internet and the 2.6.x kernel, because that is what I have. However, the only adaptation that would need to be made is to replace 'ppp0' with 'eth0' (or whatever your output NIC is......this will become clear later).
Assumptions
1. All your hardware is in good working order. This means test each device and ensure that it is functional. Make sure that internet connections are possible without iptables enabled, etc, etc. There's nothing like cussing at a new software program for hours only to discover you have a bad network card or that your modem isn't configured properly.
2. You can read a man page. In fact I assume that while you walk through this Howto, the iptables man page is open right next to it for reference to what each command means.
3. You have a basic understanding of networking and gentoo admin. tools......and I mean really basic, such as how to use ifconfig, rc-update, /etc/conf.d/net, etc. If you don't, refer to
The Gentoo Handbook
or
Linux Help's Networking Basics 101
Kernel Config:
As for the kernel all you must do is enable iptable support.
First.
Code: |
Device Drivers--->Networking Support--->Networking Options---->Network Packet Filtering (replace Ipchains)--->Netfilter Configuration
|
I enabled all the options as modules (in case I want to test other options later) and added ip_tables to my modules.autoload. This loads several modules as dependencies. Later you may want the ip_conntrack for logging. ***Don't forget to "modprobe ip_tables" before running scripts***
Necessary Utilities:
Next you must emerge the userland tools for configuring iptables:
Interface configuration:
In my set up, I have three NIC's, one is connected to the WAN through pppoe, the other two to my internal network. In order for them all to play nicely with iptables and masquerading (NAT'ing), they must be set to different subnets. For example, the two NIC's connected to my internal computers, i.e., the internal NIC's, are assigned 192.168.1.78 and 192.168.2.78 respectively. It should be noted here that it is perfectly acceptable to connect these internal NIC's to any network capable device, such as a switch or hub. For pppoe connections we make sure the NIC connected to the outside world, i.e. the external NIC, is not assigned any ip....its entries in /etc/conf.d/net should be left blank. We must also assign proper netmasks and broadcast values to these interfaces. Your conf.d should look like this for the server:
Server
Code: |
# For pppoe connections you do not want to set values for eth0, simply add \
# net.ppp0 to your default runlevel
#iface_eth0="192.168.0.78 broadcast 192.168.0.255 netmask 255.255.0.0"
iface_eth1="192.168.1.78 broadcast 192.168.1.255 netmask 255.255.255.0"
iface_eth2="192.168.2.78 broadcast 192.168.2.255 netmask 255.255.255.0"
|
Notice that no gateways have been set.
On the client side, the conf.d should be:
Client One
Code: |
iface_eth0="192.168.1.77 broadcast 192.168.1.255 netmask 255.255.255.0"
gateway="eth0/192.168.1.78"
|
Client Two
Code: |
iface_eth0="192.168.2.77 broadcast 192.168.2.255 netmask 255.255.255.0"
gateway="eth0/192.168.2.78"
|
The gateways for the clients are set to the internal ip's of the NIC on the server as should be expected.
Now add all the interfaces to the default run level and restart connections:
Server
Code: |
rc-update add net.eth1 default; rc-update add net.eth2 default; rc-update add net.ppp0 default; \
/etc/init.d/net.eth1 start; /etc/init.d/net.eth2 start; /etc/init.d/net.ppp0 start;
|
Clients
Code: |
/etc/init.d/net.eth0 restart
|
Now verify that you are connected to the internet on the server machine (the clients will not be.....yet) and that all the interfaces can ping each other.
Server
Code: |
ping www.google.com;
ping 192.168.1.78
ping 192.168.2.78
ping 192.168.1.77
ping 192.168.2.77
|
Next ensure that your clients have appropriate DNS's set in your /etc/resolv.conf.
Now to the fun part.....iptables and NAT'ing. We first are going to simply forward addresses with an absolute minimum of rules to ensure that you can get out of the network. *WARNING* If you're paranoid, this isn't the most secure thing to do....after all, you're opening yourself up to the world with very little protection. But I'm assuming you're setting up a SOHO and that you've taken your risperdal with a double helping of olanzapine this morning so that you can handle the tension:
Code: |
#!/bin/bash
IPTABLES='/sbin/iptables'
# Set interface values
EXTIF='ppp0'
INTIF1='eth1'
INTIF2='eth2'
# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
# forward LAN traffic from $INTIF2 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
#echo -e " - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
#echo -e " - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
|
**note** This script was written by someone on another forum....I've since lost the address to the thread or forum..., but thanks goes to him.
Now check any one of your clients and see if you can connect either to the internet or by ssh'ing to your server. If everything has checked out up to this point....you really should be good to go. If not, check for syntax errors or if you can ping the interfaces. Make sure the ip's and masks for client and server are set correctly.....you get the idea.
If it does work, save the configurations:
Code: |
/etc/init.d/iptables save
|
And then back up your working configuration so that if you bork something later you can quickly revert:
Code: |
cp /var/lib/iptables/rules-save /var/lib/iptables/rules.working
|
Now check up your iptables start-up script before adding iptables to your default runlevel:
Code: |
/etc/init.d/iptables start; /etc/init.d/iptables stop; /etc/init.d/iptables start
|
The reason we start, then stop, then start again is because we haven't yet started the iptables script...so we must set the initialized status before stopping. Stopping essentially erases all settings and puts you back to zero. Restarting will show you whether your network will still work after rebooting. Assuming success, we add iptables to our default runlevel:
Code: |
rc-update add iptables default
|
Part II will cover expansion of rule sets and policies to further harden your router. If you can't wait though, you should be pretty well set to start on some of the other tutorials out there like:
Russel's iptables howto (the coder of iptables and ipchains)
Or any of the documentation on the Netfilters Home page
This is the first howto I've written, so I welcome any PMs with constructive criticism.
PART II is ready. _________________ G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone ]
Dual G5
iPod 3rd generation
Last edited by krunk on Mon Apr 26, 2004 5:33 am; edited 9 times in total
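The interface settings in the howto are easy to get wrong by hand, so here is an added example (my own code, not part of the howto) that checks an /etc/conf.d/net style file before the interfaces are started: each address must be a valid dotted quad, a netmask must be given, the broadcast must match ip/netmask, and no two NICs may share a subnet, which the howto requires for masquerading. The sample file it builds at the end is constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the howto: sanity-check the iface_* lines of an
# /etc/conf.d/net style file before bringing the interfaces up. It reports a
# malformed address, a missing netmask, a broadcast that does not match
# ip/netmask, and two NICs on the same subnet (the howto needs the internal
# NICs on different subnets for masquerading to work).

# Dotted quad -> 32-bit integer on stdout; returns 1 if it is not valid IPv4.
ip2int() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Check one net file; prints one line per problem, returns 1 if any was found.
check_net() {
    file=$1 rc=0 seen=""
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        iface=${line%%=*}; iface=${iface#iface_}
        val=${line#*=}; val=${val#\"}; val=${val%\"}
        if [ "$val" = up ]; then continue; fi   # iface_eth0="up": nothing to check
        set -- $val                             # ip [broadcast B] [netmask M]
        ip=$1; bcast=""; mask=""; shift
        while [ $# -ge 2 ]; do
            case $1 in broadcast) bcast=$2 ;; netmask) mask=$2 ;; esac
            shift 2
        done
        n_ip=$(ip2int "$ip") || { echo "$iface: bad address '$ip'"; rc=1; continue; }
        [ -n "$mask" ] || { echo "$iface: no netmask given"; rc=1; continue; }
        n_mask=$(ip2int "$mask") || { echo "$iface: bad netmask '$mask'"; rc=1; continue; }
        net=$(( n_ip & n_mask ))
        want=$(( net | (4294967295 & ~n_mask) ))   # directed broadcast for ip/mask
        if [ -n "$bcast" ]; then
            n_b=$(ip2int "$bcast") || { echo "$iface: bad broadcast '$bcast'"; rc=1; continue; }
            [ "$n_b" -eq "$want" ] || { echo "$iface: broadcast $bcast does not match $ip/$mask"; rc=1; }
        fi
        for s in $seen; do
            if [ "${s%%=*}" = "$net" ]; then echo "$iface: same subnet as ${s#*=}"; rc=1; fi
        done
        seen="$seen $net=$iface"
    done <<EOF
$(grep -E '^iface_[a-z0-9]+="' "$file")
EOF
    return $rc
}

# Demo on a constructed file (not a real /etc/conf.d/net): eth1 carries the
# extra octet spotted later in this thread, eth3 sits on eth2's subnet with
# the wrong broadcast.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#iface_eth0="192.168.0.78 broadcast 192.168.0.255 netmask 255.255.0.0"
iface_eth1="192.168.1.0.78 broadcast 192.168.1.255 netmask 255.255.255.0"
iface_eth2="192.168.2.78 broadcast 192.168.2.255 netmask 255.255.255.0"
iface_eth3="192.168.2.79 broadcast 192.168.1.255 netmask 255.255.255.0"
EOF
check_net "$demo" || echo "fix the lines above before starting the interfaces"
rm -f "$demo"
```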
Krigare Tux's lil' helper
Joined: 12 Nov 2003 Posts: 92 Location: ::1
Posted: Thu Apr 08, 2004 9:36 pm Post subject:
Excellent! It's rare to see information about this topic explained in such an easy way as you just did. Good work m8! _________________ Together we are strong.
Floog Tux's lil' helper
Joined: 29 Nov 2002 Posts: 116
Posted: Fri Apr 09, 2004 4:57 am Post subject:
Indeed, a hearty thank you to Mr. Krunk.
I just built my first permanent gentoo install from Stage 1. I'm coming from a Slackware background and have basic understanding of iptables. Using gentoo, I wasn't clear on whether iptables was installed in the base installation. And I couldn't figure out where to place my firewall rules -- right into the /etc/init.d/iptables or the /etc/conf.d/iptables.
Your quick-doc. was enough to point me to the right places to install my script and get the firewall installed and started. It took me a lot longer to figure out the basics of getting a two-nic. setup running under Gentoo than it did to install my firewall.
Thank you again for your very helpful post.
Floog
jjasghar Guru
Joined: 07 Mar 2004 Posts: 342 Location: $HOME=/usa/tx/austin
Posted: Fri Apr 09, 2004 7:20 pm Post subject:
THANK YOU THANK YOU THANK YOU SOOOOO MUCH
i needed this thread like a fish needs water _________________ #include <LinuxUser #324070>
main()
{
printf("and i'm sorry my spellign sucs.");
}
icywolf n00b
Joined: 19 Jul 2003 Posts: 52
Posted: Sat Apr 10, 2004 12:06 am Post subject:
thank you!
Blue Fox Apprentice
Joined: 09 Apr 2004 Posts: 216
Posted: Sat Apr 10, 2004 12:35 am Post subject:
Very nice
Congratulations
I think that it would be interesting if you put references to software like fwbuilder, guarddog and jayfirewall _________________ "Never argue with an idiot cuz he brings you down to his level and beats you with experience"
krunk Guru
Joined: 27 Jul 2003 Posts: 316
Posted: Sat Apr 10, 2004 1:50 am Post subject:
Blue Fox wrote: | Very nice
Congratulations
I think that it would be interesting if you put references to software like fwbuilder, guarddog and jayfirewall |
I wouldn't mind at all. I'm not familiar with that software though. I did everything by hand. I did use Bastille for hardening the file system permissions.
I would probably include such software after the next section, which I'll put up right after I iron out some of the wrinkles in my firewall script. At the moment it's just too restrictive for an "everyday" desktop.
I'm learning as I do this, so I don't know a lot about alternatives to doing it by hand (mostly because I haven't looked; I do everything by hand the first time). Any nice software you know of, post a link and I'll add it to a section after the Howto. _________________ G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone ]
Dual G5
iPod 3rd generation
krunk Guru
Joined: 27 Jul 2003 Posts: 316
Posted: Sat Apr 10, 2004 8:21 am Post subject:
Part II is ready. _________________ G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone ]
Dual G5
iPod 3rd generation
davidsb Tux's lil' helper
Joined: 08 Dec 2002 Posts: 146 Location: Lisbon, Portugal
Posted: Sat Apr 10, 2004 4:06 pm Post subject:
Nice tutorial
This will help ppl getting into iptables.
Good work
ett_gramse_nap Apprentice
Joined: 01 Oct 2003 Posts: 252 Location: Göteborg, Sweden
Posted: Tue Apr 13, 2004 12:18 pm Post subject:
Thank you! I think I'll throw Shorewall out the window and try to build my 'own' firewall tonight... _________________ Don't bother!
Braempje l33t
Joined: 31 Jan 2003 Posts: 748
Posted: Tue Apr 13, 2004 12:43 pm Post subject:
Great tutorial, you do use very special ips however: 192.168.1.0.78 seems to have a 1 too much? I didn't know these ips were allowed in ipv6 either
(I just don't like it when great tutorials contain small confusing mistakes, don't take this personally!) _________________ Dictionary of the Flemish Sign Language - Woordenboek Vlaamse Gebarentaal
krunk Guru
Joined: 27 Jul 2003 Posts: 316
Posted: Tue Apr 13, 2004 2:02 pm Post subject:
Braempje wrote: | Great tutorial, you do use very special ips however: 192.168.1.0.78 seems to have a 1 too much? I didn't know these ips were allowed in ipv6 either
(I just don't like it when great tutorials contain small confusing mistakes, don't take this personally!) |
Actually, there were several mistakes in that paragraph...so thank you for bringing my attention to them. _________________ G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone ]
Dual G5
iPod 3rd generation
req n00b
Joined: 04 Nov 2003 Posts: 16 Location: Sweden
Posted: Sun Apr 18, 2004 4:26 pm Post subject: [ iptables ] - Saved does not work! [SOLVED]
Hello, great tutorial. Just one problem for me!
[ Oops, solved this five seconds after I posted it! In the /etc/init.d/iptables script the echo "1" /proc ... was pointing to the wrong file, so I just edited it a little ]
I've followed this step by step, used exactly your script for setting up iptables initially, and then saved the rules. But when I
Code: | rc-update add iptables default |
and reboot (or /etc/init.d/iptables stop .... les start ) it does not forward any more! Then if I run the script again, it works. Now, I could add the script to the default runlevel, but I just know it's possible to get this to work the correct way, right? =).
The rules look exactly the same if I run the script or the /etc/init.d/iptables start.
Thanks again,
Richard
krunk Guru
Joined: 27 Jul 2003 Posts: 316
Posted: Sun Apr 18, 2004 5:01 pm Post subject: Re: [ iptables ] - Saved does not work! [SOLVED]
req wrote: | Hello, great tutorial. Just one problem for me!
[ Oops, solved this five seconds after I posted it! In the /etc/init.d/iptables script the echo "1" /proc ... was pointing to the wrong file, so I just edited it a little ]
I've followed this step by step, used exactly your script for setting up iptables initially, and then saved the rules. But when I
Code: | rc-update add iptables default |
and reboot (or /etc/init.d/iptables stop .... les start ) it does not forward any more! Then if I run the script again, it works. Now, I could add the script to the default runlevel, but I just know it's possible to get this to work the correct way, right? =).
The rules look exactly the same if I run the script or the /etc/init.d/iptables start.
Thanks again,
Richard |
The iptables init script doesn't work for me either. I have to manually run the script after starting. The first problem is that the iptables init script starts before the rp-pppoe script...which is bad (you can assign rules to an ip that doesn't exist). I haven't had time to see if I should file a bug or not. _________________ G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone ]
Dual G5
iPod 3rd generation
ed0n l33t
Joined: 23 Apr 2003 Posts: 638 Location: Prishtine/Kosove
Posted: Sun Apr 18, 2004 8:12 pm Post subject:
/me is bookmarking this page so if I need (which I will) iptables sometime I can read something about it, and also in the gentoo security howto iptables is described well.
zpon n00b
Joined: 16 Apr 2004 Posts: 51 Location: Denmark
Posted: Sat Apr 24, 2004 2:02 pm Post subject:
i have a problem, i don't know where to put in the long code!
Code: |
#!/bin/bash
IPTABLES='/sbin/iptables'
# Set interface values
EXTIF='ppp0'
INTIF1='eth1'
INTIF2='eth2'
# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
# forward LAN traffic from $INTIF2 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
#echo -e " - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
#echo -e " - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
|
_________________ //Rock on!
krunk Guru
Joined: 27 Jul 2003 Posts: 316
Posted: Sat Apr 24, 2004 2:21 pm Post subject:
What is the problem? _________________ G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone ]
Dual G5
iPod 3rd generation
zpon n00b
Joined: 16 Apr 2004 Posts: 51 Location: Denmark
Posted: Sat Apr 24, 2004 2:27 pm Post subject:
well, I don't know if this is right, but can I just copy 'n' paste the script into my shell?? when I type iptables and a command I get an error:
FATAL: Module ip_tables not found.
iptables v1.2.9: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
sorry about my english, hope you are able to read it... _________________ //Rock on!
krunk Guru
Joined: 27 Jul 2003 Posts: 316
Posted: Sat Apr 24, 2004 3:43 pm Post subject:
zpon wrote: | well, I don't know if this is right, but can I just copy 'n' paste the script into my shell?? when I type iptables and a command I get an error:
FATAL: Module ip_tables not found.
iptables v1.2.9: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
sorry about my english, hope you are able to read it... |
From the howto:
Code: | I enabled all the options as modules (in case I want to test other options later) and added ip_tables to my modules.autoload. This loads several modules as dependencies. Later you may want the ip_conntrack for logging.
|
I should have also added:
if they are not loaded.
lmk
_________________ G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone ]
Dual G5
iPod 3rd generation
mog Apprentice
Joined: 05 Jul 2003 Posts: 253 Location: Auckland [NZ]
Posted: Sun Apr 25, 2004 2:59 am Post subject:
hi ... at first ... great stuff ... nice tutorial
it works fine for me, but I also have to rerun the ip forwarding activation every time I restart iptables. I have found an if statement in the init.d script for iptables that does the activation, but it checks a variable which is never yes in my case.
does anyone know what file one has to alter in order to get this statement to work without commenting out the if _________________ To thine own self be true.
mog Apprentice
Joined: 05 Jul 2003 Posts: 253 Location: Auckland [NZ]
Posted: Sun Apr 25, 2004 4:08 am Post subject:
doh ... I should have looked first ... the ENABLE_FORWARDING_IPv4 variable is in /etc/conf.d/iptables ... just set it to yes and forwarding will work just fine after starting/restarting iptables without prior running of the above script ... _________________ To thine own self be true.
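The failures reported in this thread (rules not forwarding after the init script runs, iptables starting before rp-pppoe has created ppp0, the "Module ip_tables not found" error, and the ENABLE_FORWARDING_IPv4 setting just mentioned) can all be caught before the firewall script is run. This is an added example of mine, not code from the thread; the second argument (a root prefix, normally empty, so the checks can be run against a constructed tree) and the exact ENABLE_FORWARDING_IPv4="yes" form it looks for are my assumptions.

```sh
#!/bin/sh
# Added example, not part of the howto: pre-flight checks for the failures
# reported in this thread, to run before the firewall script. It reads
# /proc/modules, /proc/sys/net/ipv4/ip_forward, /proc/net/dev and
# /etc/conf.d/iptables under an optional root prefix (assumed; normally "").
fw_preflight() {
    extif=${1:-ppp0}
    root=${2:-}        # empty means the real system root
    rc=0
    # 1. "FATAL: Module ip_tables not found": is ip_tables loaded at all?
    #    /proc/net/ip_tables_names appears once ip_tables has registered,
    #    whether it was built in or loaded with modprobe.
    if ! grep -q '^ip_tables ' "$root/proc/modules" 2>/dev/null &&
       [ ! -e "$root/proc/net/ip_tables_names" ]; then
        echo "ip_tables is not loaded: modprobe ip_tables first"; rc=1
    fi
    # 2. Forwarding: the iptables init script only switches it on when
    #    ENABLE_FORWARDING_IPv4 is yes in /etc/conf.d/iptables (mog's finding).
    fwd=$(cat "$root/proc/sys/net/ipv4/ip_forward" 2>/dev/null || echo unset)
    if [ "$fwd" != 1 ]; then
        echo "ip_forward is '$fwd': clients cannot reach the internet"; rc=1
    fi
    if ! grep -Eq '^ENABLE_FORWARDING_IPv4="?yes"?' "$root/etc/conf.d/iptables" 2>/dev/null; then
        echo "ENABLE_FORWARDING_IPv4 is not yes in /etc/conf.d/iptables"; rc=1
    fi
    # 3. The interface the rules name must exist before they are loaded
    #    (iptables starting ahead of rp-pppoe means there is no ppp0 yet).
    if ! grep -q "^ *$extif:" "$root/proc/net/dev" 2>/dev/null; then
        echo "$extif does not exist yet: start net.$extif before iptables"; rc=1
    fi
    return $rc
}

# Constructed /proc and /etc tree (not a real system) so the checks can be
# exercised offline; $1 is the ip_forward value to plant. Prints the directory.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/sys/net/ipv4" "$d/proc/net" "$d/etc/conf.d"
    echo 'ip_tables 16384 3 iptable_filter,iptable_nat, Live 0x00000000' > "$d/proc/modules"
    echo "$1" > "$d/proc/sys/net/ipv4/ip_forward"
    printf 'Inter-|   Receive\n face |bytes\n  eth1: 0 0\n  ppp0: 0 0\n' > "$d/proc/net/dev"
    echo 'ENABLE_FORWARDING_IPv4="yes"' > "$d/etc/conf.d/iptables"
    echo "$d"
}

# Demo: a healthy tree passes, the same tree with ip_forward=0 is reported.
good=$(make_demo_tree 1); bad=$(make_demo_tree 0)
fw_preflight ppp0 "$good" && echo "demo tree: ok"
fw_preflight ppp0 "$bad" || echo "demo tree with ip_forward=0: problems found"
rm -rf "$good" "$bad"
```

Run it with no second argument on the router itself (`fw_preflight ppp0`) to check the live system.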
acidburn Tux's lil' helper
Joined: 09 Apr 2004 Posts: 148 Location: Albuquerque
Posted: Sun Apr 25, 2004 2:25 pm Post subject:
SWEET!! Thanks for the gouge. It was easy to understand and makes things easier _________________ "In Nomeni Patri Et Fili Spiritus Sancti."
sobers_2002 Veteran
Joined: 16 Mar 2004 Posts: 1128
Posted: Sun Apr 25, 2004 2:48 pm Post subject:
hi everyone
i am having a doubt here.......i am using ncftpd.....in which I dunno how to specify the passive ports........so since I am running an ftp server also I'll need to open them up. Another thing, how do I stop ip tunneling?????? _________________ Pdict - dockable dictionary client for linux
FREE97WIN: Use this code on Dreamhost and you get $97 off !!
krunk Guru
Joined: 27 Jul 2003 Posts: 316
Posted: Sun Apr 25, 2004 3:22 pm Post subject:
sobers_2002 wrote: | hi everyone
i am having a doubt here.......i am using ncftpd.....in which I dunno how to specify the passive ports........so since I am running an ftp server also I'll need to open them up. Another thing, how do I stop ip tunneling?????? |
This howto is a great example of what opensource documentation should be:
FrozenTux
You can probably find something there.
The iptables mailing list is extremely active as well:
netfilter@lists.netfilter.org _________________ G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone ]
Dual G5
iPod 3rd generation
weyhan Apprentice
Joined: 27 May 2003 Posts: 245
Posted: Mon Apr 26, 2004 3:22 am Post subject:
Quote: | Interface configuration:
In my set up, I have three NIC's, one is connected to the WAN through pppoe, the other two to my internal network. In order for them all to play nicely with iptables and masquerading (NAT'ing), they must be set to different subnets. For example, the two NIC's connected to my internal computers, e.g., the internal NIC's, are assigned: 192.168.1.78 and 192.168.2.78 respectively. It should be noted here that it is perfectly acceptable to connect these internal NIC's to any network capable device, such as a switch or hub. For pppoe conections we make sure the NIC connected to the outside world, e.g. the external NIC is not assigned any ip....it's entries in /etc/conf.d/net should be left blank. We must also assign proper netmasks and broadcast values to these interfaces. Your conf.d should look like this for the server:
Server Code: |
# For pppoe connections you do not want to set values for eth0, simply add \
# net.ppp0 to your default runlevel
#iface_eth0="192.168.0.78 broadcast 192.168.0.255 netmask 255.255.0.0"
iface_eth1="192.168.1.78 broadcast 192.168.1.255 netmask 255.255.255.0"
iface_eth2="192.168.2.78 broadcast 192.168.2.255 netmask 255.255.255.0"
|
|
Just to point out that leaving external NIC setting blank will cause "/etc/init.d/net.eth0 start" to fail when you do:
Quote: |
Now add all the interfaces to the default run level and restart connections:
Server
Code: |
rc-update add net.eth0 default; rc-update add net.eth1 default; rc-update add net.eth2 default; rc-update add net.ppp0 default; \
/etc/init.d/net.eth0 start; /etc/init.d/net.eth1 start; /etc/init.d/net.eth2 start; /etc/init.d/net.ppp0 start;
|
|
Instead your example net file should be:
Code: | # For pppoe connections you do not want to set values for eth0, simply add \
# net.ppp0 to your default runlevel
iface_eth0="up"
iface_eth1="192.168.1.78 broadcast 192.168.1.255 netmask 255.255.255.0"
iface_eth2="192.168.2.78 broadcast 192.168.2.255 netmask 255.255.255.0"
|
Not sure why it worked for you in the first place. _________________ Han.