Mailinglist Archive: opensuse-security (359 mails)

RE: [suse-security] Newbie Question re. Firewall2 vs. IPTABLES
  • From: "Knut Erik Hauslo" <KNUTH@xxxxxxxxxxxx>
  • Date: Wed, 23 Jul 2003 14:38:16 +0200
  • Message-id: <84ECB0B9D002A54EA3E926AAA94E580801907A@xxxxxxxxxxxxxx>
With this ruleset (see original message below), you only allow incoming
HTTP requests.

Let me see if I got this correct (reduced to a minimum for readability):
*** BEGIN ***
# eth0 internal interface
# eth1 external interface

iptables -N allowed_out

iptables -A allowed_out -i eth0 -p tcp --dport 80 -m state ! --state INVALID -j ACCEPT
# Active FTP Rules following
iptables -A allowed_out -i eth0 -p tcp --dport 21 -m state ! --state INVALID -j ACCEPT
iptables -A allowed_out -i eth0 -p tcp --dport 20 -m state ! --state INVALID -j ACCEPT

iptables -N allowed_in
# Allow incoming Highports FTP - only when active FTP is being used
iptables -A allowed_in -i eth1 -p tcp --sport 20 --dport 1024: -j ACCEPT

iptables -N block
# Block all other (target names are case-sensitive: DROP, not drop)
iptables -A block -i eth1 -m state --state NEW,INVALID -j DROP
*** END ***

This sample above would allow HTTP in both directions, and FTP outbound
(from eth0)?


Cheers
Knut Erik

-----Original Message-----
From: keith@xxxxxxxxxxxxxxxxxxxxxxxx
[mailto:keith@xxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, July 22, 2003 6:33 PM
To: Knut Erik Hauslo; suse-security@xxxxxxxx
Subject: RE: [suse-security] Newbie Question re. Firewall2 vs. IPTABLES

<SNIP>

#------------------------------------------------------#
# create a new chain for apache connections
#------------------------------------------------------#

iptables -N open_port_80

# LOG all NEW, ESTABLISHED, RELATED
# remote connections coming in on ppp0 to apache port 80
iptables -A open_port_80 -i ppp0 -p tcp --dport 80 \
-m state ! --state INVALID \
-j LOG --log-prefix 'Remote Port 80 connects '

# ACCEPT all NEW, ESTABLISHED, RELATED
# remote connections coming in on ppp0 to apache port 80
iptables -A open_port_80 -i ppp0 -p tcp --dport 80 \
-m state ! --state INVALID \
-j ACCEPT

# LOG all local connections to apache port 80
iptables -A open_port_80 -i ! ppp0 -p tcp --dport 80 \
-j LOG --log-prefix 'Local Port 80 connects '

# ACCEPT all local connections to apache port 80
iptables -A open_port_80 -i ! ppp0 -p tcp --dport 80 -j ACCEPT

#------------------------------------------------------#
# create new chain that blocks all other
# new connection attempts coming in from ppp0
#------------------------------------------------------#

iptables -N block

# LOG all other new connection attempts (& invalid packets) coming from ppp0
iptables -A block -i ppp0 -m state --state NEW,INVALID \
-j LOG --log-prefix 'DROPPED NEW CONNS ON PPP0 '

# DROP all new connection attempts (& invalid packets) coming from ppp0
# and not for apache web server
iptables -A block -i ppp0 -m state --state NEW,INVALID -j DROP

<SNIP>
