Psychoman n00b

Joined: 20 Jul 2005 Posts: 23
Posted: Sun Aug 07, 2005 8:51 pm Post subject: Iptables as firewall [Solved]
I have a very simple network:
internet <-> eth0
Without a firewall I'm able to access the internet.
Everything OK till there.
After that I compiled a new kernel to support iptables as described in http://gentoo-wiki.com/HOWTO_Iptables_for_newbies
I emerged iptables and I'm stuck with the configuration of it.
Right now, all I need are:
sshd (port 22)
postfix (port 25)
apache (ports 80, 443)
The last iptables rules I used were those:
Code:
# default policies: INPUT DROP is in force as soon as this first line runs
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP
# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# replies to connections this host opened (OUTPUT only; there is no matching INPUT rule)
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# services offered on eth0
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
As I'm configuring the server from a remote location
I put those commands in an executable file (chmod 700).
When I run this file I get disconnected from ssh
and there is no way I can get back in (from the remote location)
without restarting the server.
The first thing that bothers me is the fact that
my ssh connection is blocked even when iptables hasn't started yet.
I just don't get it.
I would also like someone to help me with my basic iptables rules.
I would like to block everything on the server
and open the ports that are needed for the services to run.
What's wrong with my rules?
Last edited by Psychoman on Sat Apr 05, 2008 5:05 pm; edited 1 time in total
tutaepaki Apprentice

Joined: 11 Nov 2003 Posts: 279 Location: New Zealand
Posted: Mon Aug 08, 2005 12:03 am
You need to repeat your "OUTPUT RELATED,ESTABLISHED" rule for INPUT too (or just change it to INPUT, seeing as you're allowing all OUTPUT traffic anyway). This is to allow the replies to traffic initiated from your machine.
Setting the INPUT policy to DROP will drop all connections not specifically allowed in your rules. What is probably happening is that, because the policy rule is first, you are losing your tty before the script is finished. You could try either putting the policies at the end, or running the script with "nohup <script> &".
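The reply's advice turned into a loader script, as an added example that is not code from this thread or from either poster. It emits the rule set in lockout-safe order (policies opened and tables flushed first, loopback and stateful rules next, service ports, DROP policies last), keeps OUTPUT at ACCEPT as the reply suggests, refuses to run if a DROP policy would come before the ACCEPT rules, and arms a detached rollback timer so that a mistake undoes itself. The interface name, the port list, the 90-second window, the helper names (fw_rules, fw_open, fw_run, fw_order_ok, fw_apply), the FW_* environment variables and the use of nohup and mktemp are all this example's assumptions; the INVALID drop and the explicit --state NEW on the port rules go beyond the posted set.

```sh
#!/bin/sh
# Lockout-safe loader for the rule set discussed above. Added example, not
# code from the thread. Assumptions: public interface eth0, services on TCP
# 22/25/80/443, iptables in PATH, run as root. With FW_DRY_RUN=1 it only
# prints the commands, so the order can be reviewed without root.

IFACE="${FW_IFACE:-eth0}"
TCP_PORTS="${FW_TCP_PORTS:-22 25 80 443}"
ROLLBACK_SECS="${FW_ROLLBACK_SECS:-90}"

# The rule set, one command per line, in lockout-safe order:
#   1. open policies and flush, so a half-applied script can never strand us;
#   2. loopback and the stateful INPUT rule, so the current ssh session survives;
#   3. service ports;
#   4. DROP policies last.
# OUTPUT stays ACCEPT, so no OUTPUT state rule is needed.
fw_rules() {
    echo "iptables --policy INPUT ACCEPT"
    echo "iptables --policy OUTPUT ACCEPT"
    echo "iptables --policy FORWARD ACCEPT"
    echo "iptables --flush"
    echo "iptables --delete-chain"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $IFACE -m state --state INVALID -j DROP"
    for port in $TCP_PORTS; do
        echo "iptables -A INPUT -p tcp -i $IFACE --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables --policy INPUT DROP"
    echo "iptables --policy FORWARD DROP"
}

# Commands that reopen the firewall completely (used by the rollback timer).
fw_open() {
    echo "iptables --policy INPUT ACCEPT"
    echo "iptables --policy FORWARD ACCEPT"
    echo "iptables --flush"
}

# Run the commands printed by the function named in $1, stopping at the
# first failure; in dry-run mode just print them. Because the DROP policies
# come last, a failure part-way leaves the policies at ACCEPT.
fw_run() {
    "$1" | while IFS= read -r cmd; do
        if [ "${FW_DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

# Check: the first DROP policy must come after the last ACCEPT rule.
fw_order_ok() {
    first_drop=$(fw_rules | grep -n -- '--policy INPUT DROP' | head -n 1 | cut -d: -f1)
    last_accept=$(fw_rules | grep -n -- '-j ACCEPT' | tail -n 1 | cut -d: -f1)
    [ -n "$first_drop" ] && [ -n "$last_accept" ] && [ "$first_drop" -gt "$last_accept" ]
}

# Apply with a safety net: a detached timer (nohup, so it outlives the ssh
# session) reopens the firewall after ROLLBACK_SECS unless it is killed.
# Open a second ssh session, confirm it works, then kill the timer; if you
# were locked out, just wait for it to fire.
fw_apply() {
    fw_order_ok || { echo "refusing: DROP policy before ACCEPT rules" >&2; return 1; }
    undo=$(mktemp) || return 1
    fw_open > "$undo"
    nohup sh -c "sleep $ROLLBACK_SECS; sh $undo; rm -f $undo" >/dev/null 2>&1 &
    timer=$!
    fw_run fw_rules || return 1
    echo "rules loaded; rollback timer pid $timer fires in ${ROLLBACK_SECS}s"
    echo "once a new ssh login works, run: kill $timer && rm -f $undo"
}

case "${1:-}" in
    apply) fw_apply ;;
    show)  FW_DRY_RUN=1 fw_run fw_rules ;;
    *)     ;;   # sourced or called without a verb: only define the functions
esac
```

Run `sh fw.sh show` to review the commands and `sh fw.sh apply` as root to load them, then log in from a second terminal before killing the timer it prints. Put the final rule set into the distribution's own init mechanism afterwards; this script only solves the problem of applying new rules over ssh without locking yourself out.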
Psychoman n00b

Joined: 20 Jul 2005 Posts: 23
Posted: Mon Aug 08, 2005 7:26 pm
I re-emerged iptables.
Then I put in the new rules.
Your rule fixed it.
Thanks a lot.
My new iptables are:
Code:
# loopback (present in the first version, dropped here; needed once both policies are DROP)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# services offered on eth0
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
# outbound mail from postfix; note: no rule yet for outbound DNS (port 53),
# which postfix needs for MX lookups once OUTPUT is DROP
iptables -A OUTPUT -p tcp -o eth0 --dport 25 -j ACCEPT
# replies in both directions
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# policies last, so the rules above are in place before anything is dropped
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
I haven't done the configuration of the rest of the system,
but it seems ok.
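A check worth running on the final set before calling it done, added here and not part of the post: a small lint over an iptables-save dump that looks for the omissions a DROP-by-default ruleset most often ships with. The dump below is constructed to match the rules posted above as iptables-save would print them (eth0 assumed, counters zeroed), and FIXED_DUMP is the same dump with loopback and outbound DNS added; the helper names (has, fw_lint, finding), the FW_* variables and the wording of the findings are this example's own. Against the posted set it reports three things: INPUT and OUTPUT both drop by default but nothing accepts loopback, and with OUTPUT at DROP no rule allows DNS, which postfix needs for MX lookups.

```sh
#!/bin/sh
# Lint an iptables-save dump for the omissions discussed in this thread.
# Added example, not code from the forum posts.
# Usage: iptables-save | sh fwlint.sh lint

# Constructed dump: the final rule set posted above, as iptables-save would
# print it (eth0 assumed, counters zeroed).
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# The same dump with loopback and outbound DNS added (constructed).
FIXED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT'

# has REGEX: true if some line of the dump held in FW_DUMP matches
has() { printf '%s\n' "$FW_DUMP" | grep -Eq -- "$1"; }

# fw_lint < dump: prints one finding per line; exit status 0 only if clean.
# Each check only fires when the chain's policy is DROP, since with an
# ACCEPT policy the missing rule does no harm.
fw_lint() {
    FW_DUMP=$(cat)
    FW_FINDINGS=0
    finding() { echo "$1"; FW_FINDINGS=$((FW_FINDINGS + 1)); }
    if has '^:INPUT DROP'; then
        has '^-A INPUT -i lo .*-j ACCEPT' ||
            finding "INPUT: policy DROP but loopback (-i lo) is not accepted"
        has '^-A INPUT .*--state [A-Z,]*ESTABLISHED.*-j ACCEPT' ||
            finding "INPUT: no ESTABLISHED,RELATED rule; replies to outbound connections are dropped"
        has '^-A INPUT .*--dport 22 .*-j ACCEPT' ||
            finding "INPUT: ssh (tcp/22) is not accepted; remote lockout"
    fi
    if has '^:OUTPUT DROP'; then
        has '^-A OUTPUT -o lo .*-j ACCEPT' ||
            finding "OUTPUT: policy DROP but loopback (-o lo) is not accepted"
        has '^-A OUTPUT .*--dport 53 .*-j ACCEPT' ||
            finding "OUTPUT: policy DROP but no rule for DNS (53); postfix MX lookups will fail"
    fi
    [ "$FW_FINDINGS" -eq 0 ]
}

case "${1:-}" in
    lint) fw_lint ;;   # lint whatever is on stdin
    *)    ;;           # sourced or called without a verb: only define the functions
esac
```

Run it as `iptables-save | sh fwlint.sh lint` on the live box; a non-zero exit with the findings printed is the signal to go back to the rule file. The checks are deliberately simple line matches, so a rule written as `-m conntrack --ctstate` rather than `-m state --state` is not recognised by the ESTABLISHED check and would need its own pattern.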