*nix Thread, iptables firewall rules in Technical
  1. #1

    Jackd (Join Date: Jan 2007; Location: Durham, UK)

    iptables firewall rules

    I've got my squid box exposed to the internet so it's acting as the gateway for the network; it's got all ports open to the outside world. What firewall rules should I be using to give me decent protection? Currently I've got one to drop all traffic that isn't established or related, but that isn't a good level of protection, is it?

    Thanks
    Jack

  2. #2

    plexer (Join Date: Dec 2005; Location: Norfolk)
    I would unplug your network from the internet until you have some protection.

  3. #3

    powdarrmonkey (Join Date: Feb 2008; Location: Alcester, Warwickshire)
    Quote Originally Posted by Jackd
    I've got my squid box exposed to the internet so it's acting as the gateway for the network; it's got all ports open to the outside world. What firewall rules should I be using to give me decent protection? Currently I've got one to drop all traffic that isn't established or related, but that isn't a good level of protection, is it?
    Depending how you've done it, it's fine. (why, what else do you think it should do?) You should be dropping in the default for the incoming chain and have an exception in for established or related.

    If it's the gateway though, rather than just a filtering server, presumably you already have it set up to do NAT and forwarding?

  4. #4

    Jackd (Join Date: Jan 2007; Location: Durham, UK)
    Code:
    -A INPUT -m state -i eth0 ! --state ESTABLISHED,RELATED -j DROP
    That's the blocking rule I've got, and yes, I've got some masquerading rules too for it, but is that OK or do I need other rules for it to be better?

    Jack

  5. #5

    powdarrmonkey (Join Date: Feb 2008; Location: Alcester, Warwickshire)
    Reverse that rule and make the chain default to drop, and add a rule to allow established and related connections. Something like this (substituting $EDEV for your external interface, $IDEV for your internal interface, and $RANGE for your IP range, e.g. 192.168.0.0/24):

    Code:
    iptables --flush #flush out existing rules
    iptables -A INPUT -i lo -j ACCEPT #allow loopback traffic (local services break without this once the policy is DROP)
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #allow replies to connections this box started
    iptables -A INPUT -p tcp --dport 22 -s $RANGE -j ACCEPT #example: allow incoming SSH from the internal range only
    iptables -A INPUT -p tcp --dport 80 -s $RANGE -j ACCEPT #example: allow incoming HTTP from the internal range only
    iptables -P INPUT DROP #finally, drop all other packets
    
    iptables -A FORWARD -i $IDEV -o $EDEV -j ACCEPT       #forwarding from internal to external
    iptables -A FORWARD -i $EDEV -o $IDEV -m state --state ESTABLISHED,RELATED -j ACCEPT #replies coming back in to internal hosts
    iptables -t nat --flush     #flush NAT rules
    iptables -t nat -A POSTROUTING -o $EDEV -j MASQUERADE    #enable NAT masquerading on the external interface
    echo 1 > /proc/sys/net/ipv4/ip_forward   #enable packet forwarding
    iptables -P FORWARD DROP   #finally, drop other forward traffic
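As an added example (not from the thread or any of its posters), a Python check that reads `iptables-save` output and flags the points raised above: a chain whose policy is not DROP (it fails open if the rules are flushed), a missing ESTABLISHED,RELATED accept, and a port accepted from any source. Both dumps are constructed, not captured from a real gateway, and 3128 is assumed to be the squid port.

```python
import re
# Constructed samples in the shape of `iptables-save` filter-table output (not
# captured from a real box): Jack's single rule with ACCEPT policies, then the
# default-deny layout plus squid's port (assumed 3128) left open to any source.
SAMPLE_FAIL_OPEN = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state -i eth0 ! --state ESTABLISHED,RELATED -j DROP
COMMIT
"""

SAMPLE_DEFAULT_DENY = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT
"""

def parse_filter_table(dump):  # returns ({chain: policy}, [rule lines]) for *filter only
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. "*filter" or "*nat"
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):   # chain policy, e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):  # an appended rule
            rules.append(line)
    return policies, rules

def audit(dump):  # returns findings; an empty list means the default-deny layout is in place
    policies, rules = parse_filter_table(dump)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'missing')}, not DROP (fails open if rules are flushed)")
    if not any(r.startswith("-A INPUT") and "--state ESTABLISHED,RELATED" in r
               and "-j ACCEPT" in r and "!" not in r for r in rules):
        findings.append("no INPUT rule accepting ESTABLISHED,RELATED (replies to outbound connections are dropped)")
    for r in rules:  # an ACCEPT on a port with neither -s nor -i is reachable from the outside world
        port = re.search(r"--dport (\d+)", r)
        if r.startswith("-A INPUT") and port and "-j ACCEPT" in r and "-s " not in r and "-i " not in r:
            findings.append(f"INPUT accepts port {port.group(1)} from any source on any interface; add -s $RANGE or -i $IDEV")
    return findings
```

Run it against `iptables-save` output from the gateway; the only finding left on the second sample is the proxy port, which a squid box typically wants limited to the internal range.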
