need some help with iptables


Mark843
02-26-2003, 07:59 PM
Hey everyone! I am trying to get this damned iptables to work. I start to edit my script with my default policies (INPUT, OUTPUT, FORWARD) set to drop, but when I start to add anything else they auto change to accept. I am running RH 8.0 and a network behind this computer, so I would like to use forwarding/masquerading.

Also if I edit my scripts with vi (with the policies set to drop) then I can't use GNOME.
Any help or suggestions would be greatly appreciated.
Mark

mdwatts
02-27-2003, 07:28 AM
I'll move this over to the Web Serving/Security forum in hopes someone will be able to assist you.

It may help if you post examples of your IPTABLES script.

Mark843
02-27-2003, 02:42 PM
Here is what I have so far. Still need some help.
Also, how would I have to mod my startup script, or do I not have to do that?

#!/bin/bash
#iptables script

# enable forwarding (this line must be active, not commented out, or the FORWARD/MASQUERADE rules below never see a packet)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush old rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# POSTROUTING is a chain of the nat table, so it needs -t nat
iptables -t nat -F POSTROUTING

#DROP ALL
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT


#ACCEPT incoming from LAN
iptables -A INPUT -p ALL -i eth1 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
# lower-case -p selects the protocol; upper-case -P sets a chain policy
iptables -A INPUT -p ALL -i lo -s 192.168.1.1 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 192.168.1.255 -j ACCEPT

#DROP INPUT for SMB requests from internet
iptables -A INPUT -p tcp --dport 139 -i eth0 -j DROP
iptables -A INPUT -p udp --dport 139 -i eth0 -j DROP

#DROP SMB FORWARD requests
iptables -A FORWARD -p tcp --sport 139 -j DROP
iptables -A FORWARD -p udp --sport 139 -j DROP

#IP spoofing
iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i eth0 -j DROP
iptables -A FORWARD -p udp -s 192.168.1.0/24 -i eth0 -j DROP

#DROP elite ports
iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP

#only OUTPUT packets with local addresses
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.1 -j ACCEPT
#iptables -A OUTPUT -p ALL (I have a dynamic IP what do I put here?)

# enable Masquerade and forwarding
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
# the state rule has to come before the DROP, otherwise it is never reached
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s ! 192.168.1.0/24 -j DROP