Linux Iptables firewall

8 posts in this topic

Dear All,

I am really interested in learning the Linux iptables firewall. When I do my configurations I always use iptables firewall rules to get a certain level of protection for my servers. But I need to start again from the beginning and add some extra protection to my mail, proxy and web servers rather than simply adding a few rules to protect them. This means I need to learn more, from beginning to end, with the help of a good tutorial.

So guys, please send any good tutorial PDFs or URLs related to iptables.




I did this study myself because my Linux box was hooked directly to the Big Bad Net for a while before I got a router.

Twas very educational, and perhaps headache inducing at times. A little googling (or the sites people have already given you) will show some boilerplate rules that should be on most every firewall. For example, many local nets may use 192.168.0 as their subnet, so if you see traffic coming from the outside *claiming* to be from that subnet, you drop it. You pick default policies (Accept, Reject, Drop..) for your main chains, like INPUT, OUTPUT, and FORWARD, then you make exceptions to suit your taste.

Then you can move on to dealing with fragments, if you like, or filtering by MAC address, and so on.

Kernel rebuilds may be required for more advanced stuff.

The nice part is that I can now safely forward anything I want from the router, and watch the attack attempts from the outside, or let particular IPs in to particular ports. And the logging possibilities of iptables are WAY better than the pathetic router log.

Some day I'll play with some forwarding and/or masquerading to a VM running Apache.

I also understand there are friendly GUI frontends to iptables, but I haven't played with them.



On a related note, I'm having some trouble setting up my firewall. Essentially I'm trying to set up source NAT'ing from my host-only VMware network and allow just DNS and HTTP out. I got it to work when I just set up the source NAT, but when I put in the drop rules it appears to be blocking the responses. When I tcpdump on my VMware interface I see the DNS request but not the response. On eth1 I see the request and the response. I'm not really sure what is going on, so if any of you can help it would be appreciated.

echo 1 > /proc/sys/net/ipv4/ip_forward
ifconfig eth1:0 netmask

/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X

iptables -t nat -A POSTROUTING -o eth1 -s -j SNAT --to-source
iptables -P FORWARD DROP
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT


Old post I know, but in case you never figured this out, I was just down a similar trail.

Do you have ip_forward turned on?

Don't you also need a FORWARD rule for replies coming back from DNS/HTTP?

Don't you also want TCP for HTTP?

Do you have a default gateway of the host for the guest?

In my case, I didn't use any POSTROUTING, and all of the above could be BS, but perhaps some things to think about.

I want to feed traffic for a particular port through to the guest, and I also seemed to see some oddities with VM interfaces not seeing everything, but eth0 WAS, so there might be some subtleties there I just don't follow. I was using bridged networking though -- which I could find a good writeup on when you'd want to use what, though. I understand what NAT does, but picking the practical choice between NAT and BRIDGED seems confusing.

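Working from the questions in the reply above (is ip_forward on, is there a FORWARD rule for the replies, is TCP allowed too), here is a corrected version of the ruleset from the earlier post: the VM subnet is SNATed out of eth1, only new DNS and HTTP connections may leave, and reply packets are let back through FORWARD by connection state. This is an added example, not the poster's script or any reply's code; the subnet, host-only interface name and SNAT address are placeholders I assumed, and the ifconfig alias line from the original is left out.

```shell
#!/bin/sh
# Added example, not the original poster's script: host-only VM subnet SNATed
# out of eth1, with only DNS and HTTP allowed out and replies let back in.
set -eu

VM_NET="192.168.56.0/24"   # ASSUMED: the VMware host-only subnet
VM_IF="vmnet1"             # ASSUMED: the host-only interface name
WAN_IF="eth1"              # from the original post
WAN_IP="203.0.113.10"      # ASSUMED placeholder for the SNAT --to-source address

# DRY_RUN=1 (the default) prints each command instead of running it, so the
# ruleset can be reviewed on a box without root or iptables; DRY_RUN=0 applies it.
IPT() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "iptables $*"; else /sbin/iptables "$@"; fi
}

fw_apply() {
  # reset to permissive policies, then flush the filter and nat tables
  IPT -P INPUT ACCEPT; IPT -P OUTPUT ACCEPT; IPT -P FORWARD ACCEPT
  IPT -F; IPT -X; IPT -t nat -F; IPT -t nat -X

  # source NAT for the VM subnet leaving via the WAN interface
  IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$VM_NET" -j SNAT --to-source "$WAN_IP"

  # default deny for anything forwarded between interfaces
  IPT -P FORWARD DROP

  # the rule the original script lacked: replies to connections the VMs opened
  # also traverse FORWARD, so without this the DNS/HTTP answers are dropped
  IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # new outbound connections from the VM subnet only: DNS over UDP and TCP, HTTP
  for rule in "udp 53" "tcp 53" "tcp 80"; do
    set -- $rule
    IPT -A FORWARD -i "$VM_IF" -s "$VM_NET" -p "$1" --dport "$2" \
        -m conntrack --ctstate NEW -j ACCEPT
  done

  # rate-limited log of what still hits the DROP policy, for troubleshooting
  IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# self-check helper: how many emitted rules accept return traffic (expect 1)
count_state_rules() { ( DRY_RUN=1; fw_apply ) | grep -c 'ESTABLISHED,RELATED'; }

# routing between interfaces must be on, or FORWARD never sees a packet
[ "${DRY_RUN:-1}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
fw_apply
```

Run it once as-is to read the commands it would issue, then with `DRY_RUN=0` as root to apply them; a `tcpdump` on the host-only interface should then show the DNS responses the original setup was missing.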
