From: Ralf Spenneberg <lists@spenneberg.org>
To: alyn@emph.com
Cc: Netfilter <netfilter@lists.netfilter.org>
Subject: Re: Adding Telnet to a Working Setup
Date: 29 Aug 2003 09:11:54 +0200
Message-ID: <1062141113.1605.13.camel@kermit>
In-Reply-To: <023a01c36ca1$54a1f320$0500a8c0@emph05>
Hi,
On Wed, 2003-08-27 at 15:44, Alyn Ashworth wrote:
> I have a working iptables setup that uses the following script, and that I
> would like to change to allow telnet connexions from the local network
> (eth0) but not from ppp0.
Going where? To the firewall or the external network?
> Can anyone suggest the best way to do this
> (politely and in words of one syllable, please!), and I would also welcome
> any other comments on my script....
>
> #============================SCRIPT STARTS==================================
> # Load modules
> modprobe ip_tables
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
>
> # (1) Policies (default)
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # (2) User-defined chain for ACCEPTed TCP packets - called okay
> iptables -N okay
> #next line would allow new connections
> #iptables -A okay -p TCP --syn -j ACCEPT
> iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A okay -p TCP -j DROP
>
> # (3) INPUT chain rules
>
> # Rules for incoming packets from LAN
> iptables -A INPUT -p ALL -i eth0 -s 192.168.0.0/16 -j ACCEPT
The last rule allows telnet access to the firewall.
> iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 192.168.0.0/16 -j ACCEPT
You do not need the last rule. Replace the last two with:
iptables -A INPUT -i lo -j ACCEPT
You trust everything on loopback.
>
> #Rules for incoming packets from the Internet
>
> #Packets for established connexions
> iptables -A INPUT -p ALL -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> #TCP rules (not used at present as no services running over net)
>
> #UDP rules
> iptables -A INPUT -p UDP -i ppp0 -s 0/0 --destination-port 53 -j ACCEPT
> iptables -A INPUT -p UDP -i ppp0 -s 0/0 --destination-port 2074 -j ACCEPT
> iptables -A INPUT -p UDP -i ppp0 -s 0/0 --destination-port 4000 -j ACCEPT
>
> #ICMP rules
> iptables -A INPUT -p ICMP -i ppp0 -s 0/0 --icmp-type 8 -j ACCEPT
> iptables -A INPUT -p ICMP -i ppp0 -s 0/0 --icmp-type 11 -j ACCEPT
>
> # (4) FORWARD chain rules
> # Accept packets we want to forward
> iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
The last two rules allow telnet access to the internet.
> # (5) OUTPUT chain rules
> # only output packets with local addresses (no spoofing)
> iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.88 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.0/24 -j ACCEPT
I do not know who 192.168.0.88 is. If it is the firewall, then this rule
allows the firewall to answer telnet, DNS, whatever requests. Anyway,
you probably should add
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
This allows the firewall to answer all valid (see above) requests.
But I would strongly recommend reading some documents on (especially
stateful) firewalling, to understand what's going on.
> # (6) POSTROUTING chain rules
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
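What the posted script looks like once the points raised in the reply are applied, as an added example that is not part of the thread: the same rules in iptables-restore format with a single loopback rule, a stateful rule in OUTPUT carrying a proper `-j ACCEPT` target, and an explicit telnet pair so the intent "from eth0 but not from ppp0" (read here, as an assumption, as telnet to the firewall itself) is visible in the ruleset. A small lint over the text catches the three mistakes this thread circles around before anything is loaded: a rule without a `-j` target (`-m ACCEPT` in place of `-j ACCEPT` is the classic slip, and iptables refuses to load it), an ACCEPT of tcp/23 arriving on ppp0, and an OUTPUT chain with no ESTABLISHED,RELATED accept. Interface names and addresses are the ones from the original post.

```shell
#!/bin/sh
# Added example, not from the thread: the posted script rewritten in
# iptables-restore format with the changes discussed in the reply, plus a
# textual lint run over it before loading. eth0, ppp0, 192.168.0.0/16 and
# 192.168.0.0/24 are taken from the original post; the two telnet rules
# assume "telnet from eth0 but not from ppp0" means telnet to the firewall.

# Print the complete ruleset on stdout.
# Apply with:  build_ruleset | iptables-restore
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: one rule, everything on lo is trusted
-A INPUT -i lo -j ACCEPT
# telnet to the firewall: LAN side yes, dial-up side no. The LAN catch-all
# below would admit it anyway; the explicit pair documents the intent.
-A INPUT -i eth0 -s 192.168.0.0/16 -p tcp --dport 23 -j ACCEPT
-A INPUT -i ppp0 -p tcp --dport 23 -j DROP
# everything else from the LAN
-A INPUT -i eth0 -s 192.168.0.0/16 -j ACCEPT
# from the Internet: replies to existing connections, then the few services
-A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT
-A INPUT -i ppp0 -p udp --dport 2074 -j ACCEPT
-A INPUT -i ppp0 -p udp --dport 4000 -j ACCEPT
-A INPUT -i ppp0 -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -i ppp0 -p icmp --icmp-type 11 -j ACCEPT
# forwarding: LAN out, replies back
-A FORWARD -i eth0 -s 192.168.0.0/16 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# output: the stateful rule lets the firewall answer accepted requests;
# 192.168.0.88 is already covered by the /24. Packets the firewall itself
# originates on ppp0 (source = its dial-up address) are still dropped by
# the policy, exactly as in the original script.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
EOF
}

# Read a ruleset on stdin and check three things by pattern:
#   1. every -A rule carries a -j target ("-m ACCEPT" is a typo iptables rejects),
#   2. no rule ACCEPTs tcp/23 arriving on ppp0,
#   3. OUTPUT has the ESTABLISHED,RELATED accept.
# Returns 0 when all pass, 1 otherwise. This is a text check on the file you
# are about to load, not an evaluation of iptables semantics.
lint_rules() {
    lint_input=$(grep '^-A ' || true)
    if printf '%s\n' "$lint_input" | grep -v -- ' -j ' | grep -q .; then
        echo "lint: rule without -j target" >&2
        return 1
    fi
    if printf '%s\n' "$lint_input" | grep -- '-i ppp0' | grep -- '--dport 23' | grep -q -- '-j ACCEPT'; then
        echo "lint: telnet accepted on ppp0" >&2
        return 1
    fi
    if ! printf '%s\n' "$lint_input" | grep -q -- '^-A OUTPUT .*--state ESTABLISHED,RELATED -j ACCEPT'; then
        echo "lint: OUTPUT chain has no stateful accept" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: print the ruleset only if it passes the lint.
if build_ruleset | lint_rules; then
    build_ruleset
else
    echo "ruleset failed lint, nothing printed" >&2
    exit 1
fi
```

Run the file to get the ruleset on stdout, then load it with `iptables-restore` (redirect to a file first if you want to keep it). The lint is deliberately dumb string matching: it will not tell you that a broad `-i ppp0 -p tcp -j ACCEPT` also admits port 23, so keep the per-port rules narrow as the original script does, and let the kernel's own parser have the final word by loading the file on a test box before the firewall.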
Thread overview (3+ messages):
2003-08-27 13:44 Adding Telnet to a Working Setup  Alyn Ashworth
2003-08-29  7:11 ` Ralf Spenneberg [this message]
2003-08-29  8:33 ` cc