* client on local network
From: IT Clown @ 2004-03-28 8:31 UTC
To: netfilter
Hi,
I have set up a local network user's iptables as follows to
access web pages:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --sport 80,8080 -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m multiport --dport 80,8080 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
COMMIT
I would like to know whether the way I set it up is correct, or
whether there is a better way. The client can browse.
What I don't really understand is the sport and the dport.
When I say: -A INPUT -i eth0 -p tcp -m multiport --sport 80,8080 -j ACCEPT,
does that mean any external IP, and port 80,8080 from external?
-A OUTPUT -o eth0 -p tcp -m multiport --dport 80,8080 -j ACCEPT:
the OUTPUT and dport, is that the argument for the
network client to go out onto port 80,8080?
The rules I have here I did with trial and error.
Regards
__________________________________________________________________________
http://www.webmail.co.za/dialup Webmail ISP - Cool Connection, Cool Price
* Re: client on local network
From: Antony Stone @ 2004-03-28 8:48 UTC
To: netfilter
On Sunday 28 March 2004 9:31 am, IT Clown wrote:
> Hi
>
> i have setup a local network users iptables as follow to
> access webpages:
>
> :INPUT DROP [0:0]
>
> -A INPUT -i eth0 -p tcp -m multiport --sport 80,8080 -j ACCEPT
Let's just look at the above two rules I have extracted from your ruleset.
The first says "default policy is to drop all incoming packets" (good idea).
The second says "accept all TCP packets coming in through eth0 from any
address to any service providing the source port is 80 or 8080" (not such a
good idea).
This will allow anything to connect to anything it can find (or run a port
scan etc) so long as the remote system uses source port 80 or 8080.
> I would like to know the way i set it up is it correct or is there a better
> way.The client can browse.
I really would recommend you do what was suggested to you on Friday by David
Cannings:
> There are three things I would suggest. The first is reading two
> tutorials on http://www.netfilter.org/documentation/index.html -
> specifically the "packet filtering HOWTO" and the "NAT HOWTO".
>
> The second is Oskar's excellent iptables tutorial, at
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html.
>
> The third is taking a while to work out what ports the services you
> mention work on. A basic feel for how TCP/IP connections work would help
> too. The knowledge that in most cases a client chooses a port >1024 and
> connects to the service port should suffice. People on the list could
> easily list the ports you need to allow or deny but you'll learn a
> tremendous amount by spending 10 minutes working it out.
Regards,
Antony.
--
The first fifty percent of an engineering project takes ninety percent of the
time, and the remaining fifty percent takes another ninety percent of the
time.
Please reply to the list;
please don't CC me.
* Re: client on local network
From: IT Clown @ 2004-03-28 10:49 UTC
To: netfilter
Hi,
I have just finished reading the netfilter HOWTO and I'm just
over halfway through Oskar Andreasson's tutorial. Here are my
rules again; do these look correct?
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i eth0 -s 192.168.0.1 -p tcp -d 192.168.0.11 -m multiport --sport 80,8080 -j ACCEPT
-A INPUT -i eth0 -s 192.168.0.1 -p tcp -d 192.168.0.11 --sport 53 -j ACCEPT
-A OUTPUT -o eth0 -d 192.168.0.1 -p tcp -s 192.168.0.11 -m multiport --dport 80,8080 -j ACCEPT
-A OUTPUT -o eth0 -d 192.168.0.1 -p udp -s 192.168.0.11 --dport 53 -j ACCEPT
COMMIT
192.168.0.1 is my firewall and proxy.
Regards
On Sun, 28 Mar 2004 09:48:45 +0100
Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> On Sunday 28 March 2004 9:31 am, IT Clown wrote:
>
> > Hi
> >
> > i have setup a local network users iptables as follow to
> > access webpages:
> >
> > :INPUT DROP [0:0]
> >
> > -A INPUT -i eth0 -p tcp -m multiport --sport 80,8080 -j ACCEPT
>
> Let's just look at the above two rules I have extracted from your ruleset.
>
> The first says "default policy is to drop all incoming packets" (good idea).
>
> The second says "accept all TCP packets coming in through eth0 from any
> address to any service providing the source port is 80 or 8080" (not such a
> good idea).
>
> This will allow anything to connect to anything it can find (or run a port
> scan etc) so long as the remote system uses source port 80 or 8080.
>
> > I would like to know the way i set it up is it correct or is there a better
> > way.The client can browse.
>
> I really would recommend you do what was suggested to you on Friday by David
> Cannings:
>
> > There are three things I would suggest. The first is reading two
> > tutorials on http://www.netfilter.org/documentation/index.html -
> > specifically the "packet filtering HOWTO" and the "NAT HOWTO".
> >
> > The second is Oskar's excellent iptables tutorial, at
> > http://iptables-tutorial.frozentux.net/iptables-tutorial.html.
> >
> > The third is taking a while to work out what ports the services you
> > mention work on. A basic feel for how TCP/IP connections work would help
> > too. The knowledge that in most cases a client chooses a port >1024 and
> > connects to the service port should suffice. People on the list could
> > easily list the ports you need to allow or deny but you'll learn a
> > tremendous amount by spending 10 minutes working it out.
>
> Regards,
>
> Antony.
>
> --
> The first fifty percent of an engineering project takes ninety percent of the
> time, and the remaining fifty percent takes another ninety percent of the
> time.
>
> Please reply to the list;
> please don't CC me.
* Re: client on local network
From: Antony Stone @ 2004-03-28 11:02 UTC
To: netfilter
On Sunday 28 March 2004 11:49 am, IT Clown wrote:
> Hi
>
> I have just finished reading netfilter howto and im just
> over halfway with Oskar Andreasson's tutorial.Here is my
> rule again does this look correct?
You should be using the "-m state --state ESTABLISHED,RELATED" match in your
INPUT chain to allow in replies to packets which went out, but not to allow
new connections from outside (especially to any service on the firewall).
See Chapter 4 of Oskar's tutorial.
Regards,
Antony.
--
Anyone that's normal doesn't really achieve much.
- Mark Blair, Australian rocket engineer
Please reply to the list;
please don't CC me.
* Re: client on local network
From: Antony Stone @ 2004-03-28 11:13 UTC
To: netfilter
On Sunday 28 March 2004 12:02 pm, Antony Stone wrote:
> On Sunday 28 March 2004 11:49 am, IT Clown wrote:
> > Hi
> >
> > I have just finished reading netfilter howto and im just
> > over halfway with Oskar Andreasson's tutorial.Here is my
> > rule again does this look correct?
>
> You should be using the "-m state --state ESTABLISHED,RELATED" match in
> your INPUT chain to allow in replies to packets which went out, but not to
> allow new connections from outside (especially to any service on the
> firewall).
>
> See Chapter 4 of Oskar's tutorial.
Here is an example, to allow browsing *from* the local machine, but no access
from anywhere else *to* the local machine.
# Set default DROP policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow out the packets we want
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
# Allow the replies back in again
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Done.
Regards,
Antony.
--
Perfection in design is achieved not when there is nothing left to add, but
rather when there is nothing left to take away.
- Antoine de Saint-Exupery
Please reply to the list;
please don't CC me.
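The difference Antony draws between the original ruleset's source-port ACCEPT and the ESTABLISHED,RELATED match in his example, modelled in Python as an added illustration (not code from the list posts): a simplified 5-tuple conntrack table, the two INPUT variants, and constructed packets for a browsing reply and for an unsolicited connection attempt that merely uses source port 80. The address 203.0.113.5 and the port numbers 40001 and 22 are constructed for the example.

```python
"""Compare the two INPUT policies from the thread on constructed packets.
Added example, not from the list posts. The conntrack model is a bare
5-tuple table: real netfilter also checks TCP flags and RELATED traffic."""
from typing import Dict, NamedTuple, Set, Tuple

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

Flow = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport

def output_chain(pkt: Packet, conntrack: Set[Flow]) -> str:
    """Antony's OUTPUT rules: tcp/53, udp/53 and tcp/80 may go out.
    Every accepted flow is recorded so its replies can be recognised."""
    ok = (pkt.proto == "tcp" and pkt.dport in (53, 80)) or \
         (pkt.proto == "udp" and pkt.dport == 53)
    if ok:
        conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    return "ACCEPT" if ok else "DROP"

def input_sport_rule(pkt: Packet, conntrack: Set[Flow]) -> str:
    """Original post: -A INPUT -i eth0 -p tcp -m multiport --sport 80,8080
    -j ACCEPT under :INPUT DROP. Connection state is never consulted."""
    return "ACCEPT" if pkt.proto == "tcp" and pkt.sport in (80, 8080) else "DROP"

def input_stateful_rule(pkt: Packet, conntrack: Set[Flow]) -> str:
    """Antony's fix: -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT.
    A packet is ESTABLISHED only if it reverses a flow this host opened."""
    reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return "ACCEPT" if reverse in conntrack else "DROP"

def demo() -> Dict[str, Tuple[str, str]]:
    """Verdicts (sport rule, stateful rule) for two constructed packets."""
    client, proxy = "192.168.0.11", "192.168.0.1"   # hosts named in the thread
    stranger = "203.0.113.5"                         # constructed outside host
    conntrack: Set[Flow] = set()
    output_chain(Packet("tcp", client, 40001, proxy, 80), conntrack)  # browse
    reply = Packet("tcp", proxy, 80, client, 40001)   # proxy answers the client
    probe = Packet("tcp", stranger, 80, client, 22)   # new inbound, sport 80
    return {
        "browsing_reply": (input_sport_rule(reply, conntrack),
                           input_stateful_rule(reply, conntrack)),
        "unsolicited_sport80": (input_sport_rule(probe, conntrack),
                                input_stateful_rule(probe, conntrack)),
    }

if __name__ == "__main__":
    print(demo())  # the stateful rule drops the probe, the sport rule lets it in
```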
* Re: client on local network
From: IT Clown @ 2004-03-28 11:36 UTC
To: netfilter
Hi,
Thanks for the help; now I understand the iptables -A
INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT. I
never looked at it that way, that it sends the data back to the
OUTPUT rules that made a connection. Thanks.
Regards
On Sun, 28 Mar 2004 12:13:26 +0100
Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> On Sunday 28 March 2004 12:02 pm, Antony Stone wrote:
>
> > On Sunday 28 March 2004 11:49 am, IT Clown wrote:
> > > Hi
> > >
> > > I have just finished reading netfilter howto and im just
> > > over halfway with Oskar Andreasson's tutorial.Here is my
> > > rule again does this look correct?
> >
> > You should be using the "-m state --state ESTABLISHED,RELATED" match in
> > your INPUT chain to allow in replies to packets which went out, but not to
> > allow new connections from outside (especially to any service on the
> > firewall).
> >
> > See Chapter 4 of Oskar's tutorial.
>
> Here is an example, to allow browsing *from* the local machine, but no access
> from anywhere else *to* the local machine.
>
> # Set default DROP policies
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # Allow out the packets we want
> iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
>
> # Allow the replies back in again
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Done.
>
> Regards,
>
> Antony.
>
> --
> Perfection in design is achieved not when there is nothing left to add, but
> rather when there is nothing left to take away.
>
> - Antoine de Saint-Exupery
>
> Please reply to the list;
> please don't CC me.