Ip Filtering, in Debian Linux
Dpaladin
post Jan 5 2005, 06:13 PM
Post #1
I'm running an FTP server on my linux machine, but it's probably insecure as hell. One of the things I'd like to do is set up an IP filter (I believe this is the correct term; it blocks a remote ip address on all ports). How would I go about doing that?
Robert83
post Jan 6 2005, 04:16 AM
Post #2
Hi,

well I would begin with something like this

cd /home
vi iptables

CODE
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


making the default rule DROP every packet that hits us

CODE
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

so we allow localhost to send packets to the firewall
we allow eth0, which is the internal LAN, to send packets to the firewall
but we only allow packets that are related or established to be sent to us from the internet

CODE
iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT


we allow localhost to get out
we allow all packets to leave the firewall freely (it might be a good idea to later do some additional port filtering, please check www.grc.com and run SHIELDSUP! [tm] and check what ports are vulnerable to the most dangerous attacks and you can block those ports, for example a virus hits you and it uses some well known port to spread, and if you block that port, you would do a great help to the rest of us by not allowing it to spread further from your location)

the forward rules are for the stuff that goes through the firewall machine ... you should definitely read up on an iptables howto ... for example there are really good documentations on tldp, just www.google.com tldp iptables howto

CODE
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT


we allow the internal LAN to go freely through the firewall to eth1 (internet)
we only allow packets that we requested in some way to come back to us from the internet, see the NEW missing ?

for example then if you want to allow a certain ip address to access FTP services on !!!THIS!!! computer you would do the following

CODE
iptables -A INPUT -i eth1 -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy -p tcp --dport 21 -j ACCEPT


replacing xxx.xxx.xxx.xxx with the remote host
and
replacing yyy.yyy.yyy.yyy with your public IP address

maybe you could also do it like this

CODE
iptables -A INPUT -i eth1 -s xxx.xxx.xxx.xxx -p tcp --dport 21 -j ACCEPT


finally to put these rules into action you could do this

CODE
# /etc/init.d/iptables and /etc/sysconfig/iptables are the Red Hat-style locations; adjust the paths for your distribution
/etc/init.d/iptables stop
source /home/iptables
iptables-save > /etc/sysconfig/iptables
/etc/init.d/iptables start


if this works, then later, when you need to modify this, you can create a bash script to do the above 4 lines like this

CODE
cd /home
vi change_iptables


then put this into that change_iptables file
CODE
#!/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin

# flush the running rules, load the new set, save it, and start the service again
/etc/init.d/iptables stop &&
source /home/iptables &&
iptables-save > /etc/sysconfig/iptables
/etc/init.d/iptables start

then do a
CODE
chmod 755 /home/change_iptables


and if you change something in /home/iptables and want to quickly apply it
just type

CODE
/home/change_iptables


or

CODE
cd /home
./change_iptables



Sincerely
Robert B


--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz
2048MB DDR 400Mhz
DFI Lanparty UT4 NF4 ULTRA-D
GeForce 7800GT
250GB+250GB
Pioneer DVD-RW
17inch Samsung Syncmaster 757NF
WinXP Pro (SP2)/ CentOS 4.3
--------------------
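An added example (not from this thread or its posters) in Python: it parses an iptables-save dump shaped like the INPUT side of the ruleset above (a constructed sample; eth1 is assumed to be the internet side and 203.0.113.7 a made-up remote FTP client) and reports whether the default policy is DROP and which rules let new connections in from the internet-facing or an unbound interface.

```python
import re

# Constructed iptables-save dump of the INPUT side of the ruleset in the reply above
# (eth0 = LAN, eth1 = internet, 203.0.113.7 = a made-up remote FTP client).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -s 203.0.113.7/32 -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
"""

def parse_filter_table(dump):
    """Return (policies, rules): chain default policies and one option dict per -A rule."""
    policies, rules = {}, []
    for line in dump.splitlines():
        m = re.match(r"^:(\w+) (\w+)", line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        if not line.startswith("-A "):
            continue
        toks = line.split()
        rule, i = {"chain": toks[1]}, 2
        while i < len(toks):  # "-i eth1" style option with a value, or a bare flag
            has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            rule[toks[i].lstrip("-")] = toks[i + 1] if has_val else True
            i += 2 if has_val else 1
        rules.append(rule)
    return policies, rules

def audit_input(dump, internet_if):
    """Findings: non-DROP INPUT policy, and rules accepting NEW connections from the internet side."""
    policies, rules = parse_filter_table(dump)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is not DROP")
    for r in rules:
        if r["chain"] != "INPUT" or r.get("j") != "ACCEPT":
            continue
        if "state" in r and "NEW" not in r["state"]:
            continue  # matches return traffic only, as the ESTABLISHED rule intends
        iface = r.get("i")
        if iface is not None and iface != internet_if:
            continue  # bound to the LAN (or loopback) interface, not the internet
        findings.append("accepts NEW on %s: src %s dport %s"
                        % (iface or "any interface", r.get("s", "any"), r.get("dport", "any")))
    return findings
```

The loopback rule is reported because it matches on source address alone rather than on `-i lo`, so the check treats it as not bound to any interface.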