From: Ralf Spenneberg <lists@spenneberg.org>
To: alyn@emph.com
Cc: Netfilter <netfilter@lists.netfilter.org>
Subject: Re: Adding Telnet to a Working Setup
Date: 29 Aug 2003 09:11:54 +0200
Message-ID: <1062141113.1605.13.camel@kermit>
In-Reply-To: <023a01c36ca1$54a1f320$0500a8c0@emph05>

Hi,

On Wed, 2003-08-27 at 15:44, Alyn Ashworth wrote:
> I have a working iptables setup that uses the following script, and that I
> would like to change to allow telnet connexions from the local network
> (eth0) but not from ppp0.
Going where? To the firewall or the external network?
>  Can anyone suggest the best way to do this
> (politely and in words of one syllable, please!), and I would also welcome
> any other comments on my script....
> 
> #============================SCRIPT STARTS==================================
> # Load modules
> modprobe ip_tables
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> 
> # (1) Policies (default)
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> 
> # (2) User-defined chain for ACCEPTed TCP packets - called okay
> iptables -N okay
> #next line would allow new connections
> #iptables -A okay -p TCP --syn -j ACCEPT
> iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A okay -p TCP -j DROP
> 
> # (3) INPUT chain rules
> 
> # Rules for incoming packets from LAN
> iptables -A INPUT -p ALL -i eth0 -s 192.168.0.0/16 -j ACCEPT
The last rule allows telnet access to the firewall.

> iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 192.168.0.0/16 -j ACCEPT
You do not need the last rule. Replace the last two with:
iptables -A INPUT -i lo -j ACCEPT
You trust everything on loopback.

> 
> #Rules for incoming packets from the Internet
> 
> #Packets for established connexions
> iptables -A INPUT -p ALL -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> #TCP rules (not used at present as no services running over net)
> 
> #UDP rules
> iptables -A INPUT -p UDP -i ppp0 -s 0/0 --destination-port 53 -j ACCEPT
> iptables -A INPUT -p UDP -i ppp0 -s 0/0 --destination-port 2074 -j ACCEPT
> iptables -A INPUT -p UDP -i ppp0 -s 0/0 --destination-port 4000 -j ACCEPT
> 
> #ICMP rules
> iptables -A INPUT -p ICMP -i ppp0 -s 0/0 --icmp-type 8 -j ACCEPT
> iptables -A INPUT -p ICMP -i ppp0 -s 0/0 --icmp-type 11 -j ACCEPT
> 
> # (4) FORWARD chain rules
> # Accept packets we want to forward
> iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
The last two rules allow telnet access to the internet.

> # (5) OUTPUT chain rules
> # only output packets with local addresses (no spoofing)
> iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.88 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.0/24 -j ACCEPT
I do not know who 192.168.0.88 is. If it is the firewall, then this rule
allows the firewall to answer to telnet, dns, whatever requests. Anyway,
you probably should add
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
This allows the firewall to answer all valid (see above) requests.
But I would strongly recommend reading some documents on (especially
stateful) firewalling, to understand what's going on.

> # (6) POSTROUTING chain rules
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org
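As an added example (not from this thread), the INPUT/OUTPUT/FORWARD rules the reply points at, rendered by a dry-run script and narrowed so that only tcp/23 (telnet) from eth0 reaches the firewall while ppp0 falls through to the DROP policy. `IPT`, `apply_rules` and `telnet_policy_ok` are names chosen here; the rules are printed rather than applied unless `IPT=iptables` is set and the script runs as root.

```shell
#!/bin/sh
# Added example, not code from the thread. IPT defaults to a dry run that
# prints each rule; set IPT=iptables to apply them for real (root required).
IPT="${IPT:-echo iptables}"

apply_rules() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Everything on loopback is trusted; one rule replaces the two per-source rules.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections the firewall already accepted or initiated itself.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Telnet to the firewall only from the LAN interface. No rule exists for
    # ppp0, so port 23 from the Internet falls through to the DROP policy.
    $IPT -A INPUT -i eth0 -s 192.168.0.0/16 -p tcp --dport 23 -m state --state NEW -j ACCEPT

    # The rule from the reply; the target is selected with -j, not -m.
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN clients reach the Internet; replies return via the state rule.
    $IPT -A FORWARD -i eth0 -o ppp0 -s 192.168.0.0/16 -j ACCEPT
    $IPT -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
}

# Returns 0 only when the printed rule set admits telnet on eth0, has no
# telnet rule on ppp0, and contains no "-m ACCEPT" typo.
telnet_policy_ok() {
    rules="$( IPT='echo iptables'; apply_rules )"
    printf '%s\n' "$rules" | grep -q -- '-A INPUT -i eth0 .*--dport 23 .*-j ACCEPT' || return 1
    printf '%s\n' "$rules" | grep -q -- '-i ppp0 .*--dport 23' && return 1
    printf '%s\n' "$rules" | grep -q -- '-m ACCEPT' && return 1
    return 0
}

apply_rules
```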
