Hello!
I'd like to write quick & easy iptables.rules that only just work for now until I've got time to get into the "more advanced basics". I took a look at the "Simple stateful firewall" Howto and what I need now is to re-enable everything that does not work any more (Samba, ssh etc.).
- Is there some easy way to take a look at what's blocked while I try out all programs that use the network one after another so I can add "ACCEPT"-lines with the corresponding ports by copying the howto's ACCEPT - lines and replacing the ports?
- I can't figure out a "rule" to let everything inside the private network through... something like "-A -i wlan0 something 192.*" ...
So... I really have too much to figure out at once at the moment. Is there a way to do this stuff really fast without knowing the basics for now, or is it in general safe enough to just remove iptables again until I've got time to read through how it works in detail?
Last edited by whoops (2009-03-30 14:52:42)
Is there some easy way to take a look at what's blocked while I try out all programs that use the network one after another so I can add "ACCEPT"-lines with the corresponding ports by copying the howto's ACCEPT - lines and replacing the ports?
Add this chain to your config:
iptables -N LOG_REJECT
iptables -A LOG_REJECT -j LOG --log-prefix "[IPTABLES REJECT] : " --log-tcp-options --log-ip-options
iptables -A LOG_REJECT -j REJECT
Then add a rule to the INPUT chain to call this chain when nothing else matches (ie, AFTER every other rule):
iptables -A INPUT -j LOG_REJECT
You'll then be able to see everything that gets blocked by looking in /var/log/messages.
I can't figure out a "rule" to let everything inside the private network through... something like "-A -i wlan0 something 192.*"
iptables -A INPUT -i wlan0 -s 192.168.0.0/24 -j ACCEPT
This is assuming your local network is 192.168.0.x. Change the IP address to suit (ie, 192.168.100.0). If it's a bigger or smaller netmask, then you'll just need to adjust the /24 part to suit.
Last edited by fukawi2 (2009-03-29 22:22:01)
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
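The two things fukawi2 describes (reading the LOG_REJECT entries out of /var/log/messages, and picking the right /24 or /16 for the local-network ACCEPT rule) can both be checked with a small POSIX shell script. This is an added example, not code from the thread or from the Arch Howto; the log lines are constructed to match the format the iptables LOG target writes with the "[IPTABLES REJECT] : " prefix (addresses and MACs are made up), and the function names summarize_rejects, in_subnet and ip_to_int are my own.

```shell
#!/bin/sh
# Added example: summarise rejected ports from LOG_REJECT entries and test
# whether an address falls inside the subnet used for the local ACCEPT rule.

# Constructed sample of /var/log/messages lines (iptables LOG target format).
SAMPLE_LOG='Mar 30 14:50:01 host kernel: [IPTABLES REJECT] : IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.12 DST=192.168.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 30 14:50:02 host kernel: [IPTABLES REJECT] : IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.12 DST=192.168.0.5 LEN=60 PROTO=TCP SPT=40001 DPT=445 SYN URGP=0
Mar 30 14:50:03 host kernel: [IPTABLES REJECT] : IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.7 DST=192.168.0.5 LEN=52 PROTO=TCP SPT=51022 DPT=22 SYN URGP=0
Mar 30 14:50:04 host kernel: [IPTABLES REJECT] : IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.7 DST=192.168.0.255 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 30 14:50:05 host kernel: some unrelated message'

# summarize_rejects: read log lines on stdin and print "PROTO DPT count" for
# every rejected destination port, most frequent first.  Only lines that carry
# the LOG_REJECT prefix are counted, so other kernel messages are ignored.
summarize_rejects() {
    grep -F '[IPTABLES REJECT]' | awk '
    {
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (proto != "" && dpt != "") count[proto " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | sort -k3,3nr -k1,1 -k2,2n
}

# ip_to_int: dotted quad -> 32-bit integer (e.g. 192.168.0.5 -> 3232235525).
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NETWORK/PREFIX: exit 0 if ADDR lies inside the network.
# Mirrors what "-s 192.168.0.0/24" matches, so you can check the prefix
# length before putting it in the ACCEPT rule.
in_subnet() {
    net=${2%/*}; prefix=${2#*/}
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    fi
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Usage: show which ports were rejected while you tried each program.
printf '%s\n' "$SAMPLE_LOG" | summarize_rejects
```

Run it after exercising Samba, ssh and the rest; the summary tells you which DPT/PROTO pairs need an ACCEPT line. The in_subnet check is handy when you are unsure whether your machines are all in one /24 or whether the rule needs a wider prefix such as /16.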
Combining with what fukawi2 said, I think this would be a good start for you. Sorry that it isn't formatted very well.
#!/bin/sh

# set default policy on the INPUT chain to drop
iptables -P INPUT DROP
# set default policy on the FORWARD chain to drop
iptables -P FORWARD DROP

# logging chain: log the packet, then reject it
iptables -N LOG_REJECT
iptables -A LOG_REJECT -j LOG --log-prefix "[IPTABLES REJECT] : " --log-tcp-options --log-ip-options
iptables -A LOG_REJECT -j REJECT

# make sure new connections are SYN packets
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# drops all fragmented packets
iptables -A INPUT -f -j DROP
# drop packets for xmas attack
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
# drops packets for null attack
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

# accepts traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
# allows connections that originated with your machine
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# allows local network
iptables -A INPUT -i wlan0 -s 192.168.0.0/24 -j ACCEPT

# this allows ssh; you can allow any other service the same way.
# For a span of ports, portnumber:portnumber should work, like 5000:5009
iptables -A INPUT -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT

# any traffic that doesn't match a rule above is sent to the LOG_REJECT chain,
# which logs it with the [IPTABLES REJECT] prefix and then rejects it
iptables -A INPUT -j LOG_REJECT
Thanks, I guess that will buy me some time until I've got my base system figured out & running!