Ok Yes. I am lazy. (IPTABLES)

Fraggle
Apprentice
Posts: 187
Joined: Thu Mar 13, 2003 6:06 pm
Location: Washington, DC

Ok Yes. I am lazy. (IPTABLES)

Post by Fraggle » Wed Aug 20, 2003 8:05 pm

Here is what I want to do.

I get the idea of iptables. I understand the concepts. Here is what I am asking for.

Show me your tables for the following:

Allow all on the 10.1.1.x (eth1) network
Allow NAT/IP Forwarding (in other words, allow established connections)
Allow nothing incoming on the eth0 network, but show me how to allow a port, such as port 25.

I just need some help getting started. I have gone through all the HOWTOs, and like I said, I get the idea. I just don't know where to start!

Thanks for the help, I REALLY appreciate it.
AlterEgo
Veteran
Posts: 1619
Joined: Thu Apr 25, 2002 2:51 pm

Post by AlterEgo » Wed Aug 20, 2003 8:07 pm

Emerge firestarter.
Set it up in 1 minute, and enjoy :)
If you want to learn, have a look at the script it creates.
Fraggle
Apprentice
Posts: 187
Joined: Thu Mar 13, 2003 6:06 pm
Location: Washington, DC

Post by Fraggle » Wed Aug 20, 2003 8:09 pm

AlterEgo wrote: Emerge firestarter.
Set it up in 1 minute, and enjoy :)
If you want to learn, have a look at the script it creates.
Yup, I like firestarter, but this is a server machine, with no X. So I can't do that. It is for my company that I am starting. I don't need or want X on it.
Liathus
Apprentice
Posts: 163
Joined: Fri Mar 21, 2003 3:19 am
Location: Fargo, ND

Post by Liathus » Wed Aug 20, 2003 8:29 pm

Here is my firewall... of course there is more here than you wanted (port forwards and such), but you can always comment them out.

Code:

#!/bin/sh
# Flush the old rules first so re-running this script does not stack duplicates
iptables -F
iptables -t nat -F

iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP


########## Port forwarding rules #############

#forward direct connect to laptop
iptables -t nat -A PREROUTING -p tcp --dport 9176:9186 -i eth0 -d 24.116.189.179 -j DNAT --to 90.0.254.117
iptables -t nat -A PREROUTING -p udp --dport 9176:9186 -i eth0 -d 24.116.189.179 -j DNAT --to 90.0.254.117

#Bittorrent for laptop
iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i eth0 -d 24.116.189.179 -j DNAT --to 90.0.254.117

########## Input Rules #############
#deny all incoming packets with fake (private/reserved) source addresses on eth0
iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
iptables -A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -i eth0 -j DROP

iptables -A INPUT -i lo -j ACCEPT

#uncomment to allow eth1
#iptables -A INPUT -i eth1 -j ACCEPT

#REJECT Auth (ident) instead of dropping it, so remote mail/irc servers don't wait for a timeout
iptables -A INPUT -p tcp --dport 113 -j REJECT
iptables -A FORWARD -p tcp --dport 113 -j REJECT

#Allow Pings
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#Allow FTP (tcp-only service; the udp rule matches nothing the service uses)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p udp --dport 21 -j ACCEPT

#Allow SSH from anywhere (no source restriction or logging is applied here)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 22 -j ACCEPT

#Allow SMTP
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p udp --dport 25 -j ACCEPT

#Allow Web
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p udp --dport 80 -j ACCEPT

#Allow Pop3
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p udp --dport 110 -j ACCEPT


## Stateful part
#Allow replies to connections that we started internally
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT



### Rules for internal lan

## turn on routing
echo 1 >/proc/sys/net/ipv4/ip_forward
## raise the connection tracking table size (2.4 kernel path; 2.6 moved it to
## /proc/sys/net/ipv4/netfilter/ip_conntrack_max, later /proc/sys/net/netfilter/nf_conntrack_max)
echo "8129" >/proc/sys/net/ipv4/ip_conntrack_max

# Let the internal network out so the internet works
iptables -A FORWARD -i eth1 -j ACCEPT

#dwr direct connect
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 9176:9186 -d 90.0.254.117 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 9176:9186 -d 90.0.254.117 -j ACCEPT

#bit torrent
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 6881:6889 -d 90.0.254.117 -j ACCEPT

#only replies to connections the lan opened get forwarded back in
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

## turn on NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#Log Everything Else
#iptables -A INPUT -j LOG --log-level warning --log-prefix "Unauthorized Network Access"
BitJam
Advocate
Posts: 2513
Joined: Tue Aug 12, 2003 4:15 pm
Location: Silver City, NM

Post by BitJam » Wed Aug 20, 2003 8:39 pm

I use the GPL'ed rc.firewall script from: http://projectfiles.com/firewall/

It is the easiest, safest solution for what you want to do.

Your configuration would involve editing two (extremely well commented) lines in the script:

Code:

#PERMIT="80/tcp 25/tcp 20-22/tcp 873/tcp"
PERMIT="$YOUR-PORT-HERE/tcp"

INTERNAL_INTERFACES="eth1"
BradB
Apprentice
Posts: 190
Joined: Tue Jun 18, 2002 2:54 am
Location: Christchurch NZ

Post by BradB » Wed Aug 20, 2003 9:18 pm

firehol.sourceforge.net is good

Brad
Microsoft - bringing the pain right into your home since 1982
Fraggle
Apprentice
Posts: 187
Joined: Thu Mar 13, 2003 6:06 pm
Location: Washington, DC

Post by Fraggle » Thu Aug 21, 2003 1:39 am

BradB wrote: firehol.sourceforge.net is good

Brad
firehol is the answer, how great is this!
splooge
l33t
Posts: 636
Joined: Fri Aug 30, 2002 5:45 pm

Re: Ok Yes. I am lazy. (IPTABLES)

Post by splooge » Thu Aug 21, 2003 2:38 am

Fraggle wrote: Show me your tables for the following:

Allow all on the 10.1.1.x (eth1) network

Allow NAT/IP Forwarding (in other words, allow established connections)
Allow nothing incoming on the eth0 network, but show me how to allow a port, such as port 25.

I just need some help getting started. I have gone through all the HOWTOs, and like I said, I get the idea. I just don't know where to start!

Thanks for the help, I REALLY appreciate it.
To actually answer your question:

echo 1 > /proc/sys/net/ipv4/ip_forward # turn on ip forwarding
iptables -P INPUT DROP # sets the default policy to drop everything..except:
iptables -A INPUT -s 10.1.1.0/24 -j ACCEPT # accept everything from your 10.1.1.x network
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # accept replies to connections the box itself started (DNS, emerge, ...)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # get your inside workstations out
iptables -A INPUT -p tcp --dport 25 -j ACCEPT # allow incoming connections on tcp port 25 (-p 25 would match IP protocol number 25, not a port)
http://get.a.clue.de
MOS-FET
Apprentice
Posts: 291
Joined: Tue May 20, 2003 11:33 pm
Location: Cologne, Germany
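The same minimal ruleset carried through as a complete script; this is an added example, not code from any poster in the thread. It covers the three requests from the first post (everything from 10.1.1.0/24 on eth1, NAT with stateful forwarding, nothing new inbound on eth0 except tcp/25), adds the flush, anti-spoofing and rate-limited logging steps the one-liners leave out, and only prints the rules unless run as root with the argument `apply`. Interface names and the LAN range are assumed from the first post; `apply_rules` and `enable_forwarding` are names chosen here.

```shell
#!/bin/sh
# Added example, not from any poster in this thread. Assumes eth1 is the
# 10.1.1.0/24 LAN and eth0 faces the internet, as in the first post.
LAN_IF=eth1
LAN_NET=10.1.1.0/24
WAN_IF=eth0
IPT="${IPT:-iptables}"   # set IPT="echo iptables" to print instead of apply

apply_rules() {
    # Start clean so re-running the script never stacks duplicate rules.
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    # 1. Allow everything from the LAN. Match the interface as well as the
    #    address, so a packet with a 10.1.1.x source arriving on eth0 is dropped.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # 2. NAT and forwarding: the LAN may open connections outward; only
    #    replies to those connections are forwarded back in.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # Replies to connections the firewall box itself opened (DNS, emerge, ...)
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Nothing new inbound on eth0 except SMTP. Log the rest, rate-limited
    #    so a port scan cannot flood the log, then fall through to the DROP policy.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 25 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

enable_forwarding() { echo 1 > /proc/sys/net/ipv4/ip_forward; }

# "sh fw.sh apply" (as root) installs the rules; any other invocation prints them.
case "${1:-print}" in
    apply) enable_forwarding && apply_rules ;;
    *)     ( IPT="echo iptables"; apply_rules ) ;;
esac
```

Check the result with `iptables -L -v -n` and `iptables -t nat -L -n` after applying, and remember that `-m state` needs the conntrack module loaded.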

Post by MOS-FET » Thu Aug 21, 2003 6:32 pm

I've emerged firehol, and it works great! I can start and stop the firewall with no problems, there's just one thing: I've done an rc-update add iptables default after running firehol, but whenever I reboot, I don't have ANY internet access. I first have to stop iptables and run firehol start again - then it works. I've seen that /var/lib/iptables/rules-save contains my current IP address - which is of course a different one when I reboot, so I guess that's what's causing the trouble. How can I correctly start firehol/iptables at boot time with the settings I've given in firehol.conf?

tom
© 2001–2026 Gentoo Foundation, Inc.
