* Single IP firewall help...
From: Chris Poupart @ 2002-09-12 15:43 UTC (permalink / raw)
To: netfilter
Hello,
I have been having a heck of a time getting an IPTables firewall working
(directly) on our future webserver.
Essentially, it should be easy, I want to accept SSH, HTTP and HTTPS and
deny everything else (incoming) and, at least for the moment, allow all
outgoing.
I am sure that this can be done in about 4 lines, and yet all that I
have tried has ended in me getting locked out (and having to go to the
console). So I am stuck, and I have to have this ready to go live by
Friday.
Assuming that the IP address was (we will give a nice private one)
192.168.0.10 does anyone have any ideas?
Thanks for any help that you guys can offer on this.
-- Chris Poupart
* Re: Single IP firewall help...
From: Steve Mickeler @ 2002-09-12 16:31 UTC (permalink / raw)
To: Chris Poupart; +Cc: netfilter
This should work for you.
$IPTABLES -A INPUT -d 192.168.0.10 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -d 192.168.0.10 -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -d 192.168.0.10 -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -d 192.168.0.10 -p tcp --syn -j REJECT
$IPTABLES -A INPUT -d 192.168.0.10 -p udp -j REJECT
> Hello,
>
> I have been having a heck of a time getting an IPTables firewall working
> (directly) on our future webserver.
>
> Essentially, it should be easy, I want to accept SSH, HTTP and HTTPS and
> deny everything else (incoming) and, at least for the moment, allow all
> outgoing.
>
> I am sure that this can be done in about 4 lines, and yet all that I
> have tried has ended in me getting locked out (and having to go to the
> console). So I am stuck, and I have to have this ready to go live by
> Friday.
>
> Assuming that the IP address was (we will give a nice private one)
> 192.168.0.10 does anyone have any ideas?
>
> Thanks for any help that you guys can offer on this.
>
> -- Chris Poupart
>
>
[-] Steve Mickeler [ steve@neptune.ca ]
[|] Today's root password is brought to you by /dev/random
[+] 1024D/9AA80CDF = 4103 9E35 2713 D432 924F 3C2E A7B9 A0FE 9AA8 0CDF
* RE: Single IP firewall help...
From: Brad Morgan @ 2002-09-12 18:24 UTC (permalink / raw)
To: Steve Mickeler, Chris Poupart; +Cc: netfilter
Don't forget to change the default policy on INPUT to be DROP.
* Re: Single IP firewall help...
From: Roy Sigurd Karlsbakk @ 2002-09-13 9:05 UTC (permalink / raw)
To: Brad Morgan, Steve Mickeler, Chris Poupart; +Cc: netfilter
ok.
I believe this should look like this.
                +--------+
        off.ip  |        |   priv.ip
INTERNET -------+ fw+web +--------- LAN
        eth1    |        |   eth0
                +--------+
given your internal IP is 192.168.0.0/16, I'd do it like this
iptables -A INPUT -i eth0 -s 192.168.144.0/16 -j ACCEPT
iptables -A INPUT -i eth1 -d ! 192.168.144.0/16 -p tcp -m multiport --dports \
22,80,443 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
(some -j DROP/REJECT lines here to filter out what you don't want to log)
iptables -A INPUT -j LOG
iptables -P INPUT DROP
then
iptables -A POSTROUTING -t nat -s 192.168.0.0/16 \
-d ! 192.168.0.0/16 -o eth1 -j MASQUERADE
perhaps add some logging in case someone tries to forward through it...
any comments?
roy
--
Roy Sigurd Karlsbakk, Datavaktmester
ProntoTV AS - http://www.pronto.tv/
Tel: +47 9801 3356
Computers are like air conditioners.
They stop working when you open Windows.
* Re: Single IP firewall help...
From: Maciej Soltysiak @ 2002-09-12 17:26 UTC (permalink / raw)
To: Chris Poupart; +Cc: netfilter
> Assuming that the IP address was (we will give a nice private one)
> 192.168.0.10 does anyone have any ideas?
Assuming the setup is this:
Internet -- Router/NAT -- Web Server
And assuming your (S/D)NAT is configured properly.
You do on your router:
iptables -P FORWARD DROP
iptables -A FORWARD -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED \
-j ACCEPT
iptables -A FORWARD -d 192.168.0.10 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.0.10 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 192.168.0.10 -p tcp --dport 22 -j ACCEPT
If you want to ping the machine.
iptables -A FORWARD -d 192.168.0.10 -p icmp --icmp-type 8/0 -j ACCEPT
That would be all.
Note: Instead of these simple -p tcp 80 -j ACCEPT rules, you may try:
-p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
or even:
-p tcp --dport 80 --syn -m state --state NEW -m length --length 40:68 \
-j ACCEPT
Which are more strict on the initiating packets.
If my assumptions are wrong please say so.
Regards,
Maciej Soltysiak
* Re: Single IP firewall help...
From: Chris Poupart @ 2002-09-12 17:34 UTC (permalink / raw)
To: netfilter
Maciej Soltysiak wrote:
>>Assuming that the IP address was (we will give a nice private one)
>>192.168.0.10 does anyone have any ideas?
>
> Assuming the setup is this:
>
> Internet -- Router/NAT -- Web Server
No, see THAT I have no problem with, and have a nice one set up for home
use. In this case, IPTables is running on the web server. Because I
don't need anything too fancy, I don't think that this will be a problem.
I will check out the rules offered by Steve Mickeler, they look like
what I have tried, but who knows? Maybe I just wasn't flushing my
tables properly or something.
Thanks!
-- Chris
* Re: Single IP firewall help...
From: Maciej Soltysiak @ 2002-09-12 19:06 UTC (permalink / raw)
To: Chris Poupart; +Cc: netfilter
> use. In this case, IPTables is running on the web server. Because I
Aaah, sorry.
Well, what he proposed seemed fine.
Personally I would anyway use the state module (that is what stateful
firewalls are for).
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -d <ip> --dport 80 --syn -j ACCEPT
iptables -A INPUT -p tcp -d <ip> --dport 443 --syn -j ACCEPT
iptables -A INPUT -p tcp -d <ip> --dport 22 --syn -j ACCEPT
The UDP rule is not that important, it will only tell port scanners that
the ports are open/filtered (which is not true, anyway, but it will seem
as if it is).
As you said, nothing fancy :)
Regards,
Maciej Soltysiak
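As an added example (not code posted by anyone in this thread), here is the stateful host ruleset Maciej describes, written in iptables-restore format so it loads atomically, with the default DROP policy on INPUT that Brad points out and a rollback timer that addresses the lockout Chris kept hitting: if the new rules cut off SSH, the saved rules come back on their own. It assumes the server address is passed as the first argument; the /tmp paths and the 120 second default grace period are placeholders, and only fw_apply/fw_commit need root, since fw_rules just prints text.

```shell
#!/bin/sh
# Added example, not code from the thread. Stateful host firewall for a
# single-IP web server: SSH, HTTP and HTTPS in, everything else dropped,
# all outgoing allowed. Assumptions: server address in $1; /tmp paths and
# the 120 s grace period are placeholders.

# Print the filter-table ruleset for the given host address.
# New TCP connections must be SYN packets in state NEW (Maciej's stricter
# initiating-packet rule); replies come back via ESTABLISHED,RELATED.
fw_rules() {
    host_ip="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -d $host_ip -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
-A INPUT -d $host_ip -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
-A INPUT -d $host_ip -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Save the running rules, load the new ruleset, and start a background
# timer that restores the saved rules after $2 seconds unless fw_commit
# has been run from a session opened *after* the load. Requires root.
fw_apply() {
    host_ip="$1"; grace="${2:-120}"
    rm -f /tmp/fw.committed
    iptables-save > /tmp/fw.rollback || return 1
    fw_rules "$host_ip" | iptables-restore || return 1
    ( sleep "$grace"
      [ -e /tmp/fw.committed ] || iptables-restore < /tmp/fw.rollback ) &
}

# Run from a fresh SSH login to prove the rules still let you in and
# cancel the pending rollback.
fw_commit() { touch /tmp/fw.committed; }

# Usage (as root):  fw_apply 192.168.0.10 120
# then, from a NEW SSH session:  fw_commit
```

The INVALID drop in front of the ESTABLISHED,RELATED accept discards packets conntrack cannot place in any connection, and the final LOG rule with a rate limit records what the DROP policy swallows without letting a scan flood the log. Because iptables-restore replaces the table in one step, there is no window where the chain is half built with an ACCEPT-everything or DROP-everything state, which is one of the ways a hand-typed sequence of -A commands can lock you out.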