
#1 2009-03-29 13:42:02

whoops
Member
Registered: 2009-03-19
Posts: 891

[SOLVED] Easy iptables setup to begin with...

Hello!


I'd like to write quick & easy iptables.rules that only just work for now until I've got time to get into the "more advanced basics". I took a look at the "Simple stateful firewall" Howto and what I need now is to re-enable everything that does not work any more (Samba, ssh etc.).

- Is there some easy way to take a look at what's blocked while I try out all programs that use the network one after another, so I can add "ACCEPT" lines with the corresponding ports by copying the howto's ACCEPT lines and replacing the ports?
- I can't figure out a "rule" to let everything inside the private network through... something like "-A -i wlan0 something 192.*" ...


So... I really have too much to figure out at once at the moment. Is there a way to do this stuff really fast without knowing the basics for now, or is it in general safe enough to just remove iptables again until I've got time to read through how it works in detail?

Last edited by whoops (2009-03-30 14:52:42)


#2 2009-03-29 22:21:06

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: [SOLVED] Easy iptables setup to begin with...

whoops wrote:

Is there some easy way to take a look at what's blocked while I try out all programs that use the network one after another, so I can add "ACCEPT" lines with the corresponding ports by copying the howto's ACCEPT lines and replacing the ports?

Add this chain to your config:

iptables -N LOG_REJECT
iptables -A LOG_REJECT -j LOG --log-prefix "[IPTABLES REJECT] : " --log-tcp-options --log-ip-options
iptables -A LOG_REJECT -j REJECT

Then add a rule to the INPUT chain to call this chain when nothing else matches (ie, AFTER every other rule):

iptables -A INPUT -j LOG_REJECT

You'll then be able to see everything that gets blocked by looking in /var/log/messages.

whoops wrote:

I can't figure out a "rule" to let everything inside the private network through... something like "-A -i wlan0 something 192.*"

iptables -A INPUT -i wlan0 -s 192.168.0.0/24 -j ACCEPT

This is assuming your local network is 192.168.0.x. Change the IP address to suit (i.e., 192.168.100.0). If it's a bigger or smaller netmask, then you'll just need to adjust the /24 part to suit.

Last edited by fukawi2 (2009-03-29 22:22:01)


#3 2009-03-30 05:54:19

Sjoden
Member
From: WA
Registered: 2007-08-16
Posts: 380

Re: [SOLVED] Easy iptables setup to begin with...

Combining with what fukawi2 said, I think this would be a good start for you. Sorry that it isn't formatted very well.

iptables -P INPUT DROP
# set default policy on the INPUT chain to drop

iptables -P FORWARD DROP
# set default policy on the FORWARD chain to drop

iptables -N LOG_REJECT
iptables -A LOG_REJECT -j LOG --log-prefix "[IPTABLES REJECT] : " --log-tcp-options --log-ip-options
iptables -A LOG_REJECT -j REJECT

iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# make sure new connections are SYN packets

iptables -A INPUT -f -j DROP
# drops all fragmented packets

iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
# drop packets for xmas attack

iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# drops packets for null attack

iptables -A INPUT -i lo -j ACCEPT
# accepts traffic on the loopback interface

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# allows connections that originated with your machine 

iptables -A INPUT -i wlan0 -s 192.168.0.0/24 -j ACCEPT
# allows local network

iptables -A INPUT -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT
# this allows ssh, you can allow any other service the same way, for a span of ports, portnumber:portnumber should work, like 5000:5009

iptables -A INPUT -j LOG_REJECT
# any traffic that doesn't match a rule above is sent to the LOG_REJECT chain which is set to drop all packets sent to it and to add [IPTABLES REJECT] in the log file.
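Both replies above rely on reading the LOG_REJECT lines out of /var/log/messages and then writing an ACCEPT rule per service. The script below is an added example (not code from either poster): it counts the rejected lines by protocol, destination port, interface and source, and turns one such summary line into an ACCEPT rule of the shape used in the thread. It assumes the "[IPTABLES REJECT] : " prefix and the standard netfilter LOG field layout (IN= SRC= PROTO= DPT= ...); the log lines at the bottom are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises the kernel log lines written by
# the LOG_REJECT chain (prefix "[IPTABLES REJECT] : ") and builds ACCEPT rules.
# Assumes the standard netfilter LOG token layout (KEY=VALUE, space separated).

# Read log lines on stdin; print "count proto dport iface src", most frequent first.
summarize_rejects() {
    grep -F '[IPTABLES REJECT]' | awk '
    {
        iface = "-"; proto = "-"; dpt = "-"; src = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue            # not a KEY=VALUE token (e.g. "DF", "SYN")
            if (kv[1] == "IN")         iface = (kv[2] == "" ? "-" : kv[2])
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT")   dpt = kv[2]
            else if (kv[1] == "SRC")   src = kv[2]
        }
        count[proto " " dpt " " iface " " src]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Turn one summary line (count proto dport iface src) into an INPUT ACCEPT rule
# in the thread's style. ICMP has no DPT, so no --dport is emitted for it.
# Deciding whether that service should actually be reachable is still up to you.
suggest_accept() {
    proto=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$3" = "-" ]; then
        printf 'iptables -A INPUT -i %s -p %s -j ACCEPT\n' "$4" "$proto"
    else
        printf 'iptables -A INPUT -i %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
            "$4" "$proto" "$3"
    fi
}

# Constructed sample of /var/log/messages lines: two Samba (445) and one NetBIOS
# (137) attempts from a LAN host on wlan0, plus one ssh attempt from eth0.
SAMPLE_LOG='Mar 30 10:00:01 arch kernel: [IPTABLES REJECT] : IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.20 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 30 10:00:03 arch kernel: [IPTABLES REJECT] : IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.20 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 30 10:00:05 arch kernel: [IPTABLES REJECT] : IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.20 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 30 10:00:09 arch kernel: [IPTABLES REJECT] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Demo: on a real box replace the sample with `grep REJECT /var/log/messages`.
printf '%s\n' "$SAMPLE_LOG" | summarize_rejects
```

Run the summary first, then feed only the lines you recognise as your own LAN services (here the two 445 hits) to suggest_accept, and insert the resulting rules before the final `-j LOG_REJECT` line.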


#4 2009-03-30 14:52:25

whoops
Member
Registered: 2009-03-19
Posts: 891

Re: [SOLVED] Easy iptables setup to begin with...

Thanks, I guess that will buy me some time until I've got my base system figured out & running!

