From: Anders Fugmann <afu@fugmann.dhs.org>
To: Mohamed Nassih <nassihmohamed@caramail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: iptables and permits ports
Date: Thu, 12 Sep 2002 09:02:38 +0200
Message-ID: <3D803C0E.4010306@fugmann.dhs.org>
In-Reply-To: 1031772226005316@caramail.com
Mohamed Nassih wrote:
> Hi,
>
> my firewall file is like below. It works without any
> problem. Today I tested connecting to an Oracle server via the
> internet from inside, to port 1521 (on the outside Oracle
> server), and it works.
>
> Can I please have an explanation of this?
Yes. You say that you connect from the "inside". I assume that
you hereby mean a machine located behind the firewall on the LAN, which
has to go through the firewall in order to connect to the internet.
If this is correct, then you can connect because you have no FORWARD
rules. The packet is masqueraded perfectly, and all replies to the
connection are routed without problem to the machine on the LAN.
You should read:
http://www.netfilter.org/documentation/tutorials/blueflux/,
and understand how packets traverse the chains.
The INPUT and OUTPUT chains are only for packets for the server itself and for
packets originating from the server itself.
>
>
> The firewall file :
>
> /sbin/modprobe ip_tables
> /sbin/modprobe iptable_nat
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_irc
> /sbin/modprobe iptable_filter
>
> if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
> then
>     for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
>     do
>         echo 1 > $filtre
>     done
> fi
>
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> iptables -F
> iptables -X
>
> iptables -t nat -A POSTROUTING -o eth0 -s 10.154.17.0/24 -j MASQUERADE
>
> iptables -A INPUT -i eth0 -s 199.243.181.226 -j DROP
>
> iptables -A INPUT -i eth1 -s ! 10.154.17.0/24 -j DROP
> iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
>
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A INPUT -i eth1 -p tcp --destination-port www -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --destination-port ftp -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --destination-port ftp-data -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --destination-port smtp -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --destination-port 110 -j ACCEPT
> iptables -A INPUT -i eth1 -d 198.235.216.131 -p udp --destination-port domain -j ACCEPT
> iptables -A INPUT -i eth1 -d 198.235.216.131 -p tcp --destination-port domain -j ACCEPT
> iptables -A INPUT -i eth1 -d 198.235.216.130 -p udp --destination-port domain -j ACCEPT
> iptables -A INPUT -i eth1 -d 198.235.216.130 -p tcp --destination-port domain -j ACCEPT
>
> iptables -A INPUT -i eth0 -p tcp --destination-port www -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --destination-port ftp -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --destination-port ftp-data -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --destination-port smtp -j ACCEPT
> #iptables -A INPUT -i eth0 -p tcp --destination-port 110 -j ACCEPT
>
> iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
>
> iptables -A INPUT -j DROP
>
> Thanks in advance.
I strongly advise you to start your script with these three commands:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
This sets the default policy on all filter chains, meaning that if no
rule matches the packet, the packet is dropped.
Beware: when you do this, no users on the LAN can access the internet,
and the firewall cannot communicate with any other machines, because you
only accept packets to the loopback interface.
Regards
Anders Fugmann
--
Author of FIAIF
FIAIF Is An Intelligent/Iptables Firewall
http://fiaif.fugmann.dhs.org
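The script below is an added example written for this archive page; it is not Anders's FIAIF code nor the script Mohamed posted. It puts his three-line advice into practice and then adds the rules that the "Beware" paragraph says are missing: with all policies at DROP, the LAN-to-Oracle connection from the question is governed by the FORWARD chain, so that chain (and OUTPUT, for the firewall's own traffic) needs explicit ACCEPT rules. The interface names, the LAN range and the two DNS server addresses are taken from the quoted script; the `ipt` wrapper, the `IPT` variable, the `build_firewall` function and the choice to let the firewall open any outbound connection are assumptions of this example.

```shell
#!/bin/sh
# Added example: default-DROP policies on INPUT, FORWARD and OUTPUT, plus the
# explicit rules that keep the LAN working. Not part of the original thread.

LAN_IF=eth1                 # interface towards the LAN (from the quoted script)
WAN_IF=eth0                 # interface towards the internet (from the quoted script)
LAN_NET=10.154.17.0/24      # LAN range that is masqueraded (from the quoted script)
DNS_SERVERS="198.235.216.131 198.235.216.130"   # DNS addresses from the quoted script

# Every rule goes through this wrapper. Run with IPT=echo to print the rules
# instead of applying them (assumed convention of this example).
ipt() {
    "${IPT:-iptables}" "$@"
}

build_firewall() {
    ipt -F
    ipt -X
    ipt -t nat -F

    # 1. Default policies: a packet that matches no rule is dropped.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # 2. Masquerade LAN traffic leaving on the WAN interface (as in the quoted script).
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # 3. FORWARD carries traffic that merely passes through the firewall, which
    #    is where the LAN-to-Oracle connection (tcp/1521) is decided. LAN hosts
    #    may open connections outwards; only replies to them are allowed back in.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. INPUT/OUTPUT concern the firewall itself: loopback, replies to its own
    #    connections, and (assumed here) permission to open outbound connections.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # 5. Services the firewall offers to the LAN only (a subset of the quoted script).
    for port in www smtp 110; do
        ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    for dns in $DNS_SERVERS; do
        ipt -A INPUT -i "$LAN_IF" -d "$dns" -p udp --dport domain -j ACCEPT
        ipt -A INPUT -i "$LAN_IF" -d "$dns" -p tcp --dport domain -j ACCEPT
    done

    # 6. Ident: reset instead of silently dropping, so remote mail servers do not wait.
    ipt -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
}

# Apply only when explicitly asked: "sh firewall.sh apply" (needs root);
# "IPT=echo sh firewall.sh apply" prints the rules for review first.
if [ "${1:-}" = apply ]; then
    build_firewall
fi
```

Compared with the posted script, the final `iptables -A INPUT -j DROP` is no longer needed, because the DROP policy catches everything the rules above do not accept. If LAN hosts should reach only specific outside services, replace the NEW part of the first FORWARD rule with per-port rules (for example `-p tcp --dport 1521`) and keep the ESTABLISHED,RELATED rule for the replies.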