Monday, June 02, 2008

iptables on the go

I usually use a shell script that loads the rules into iptables on the Linux box, but if I'm in a hurry and have to close down access to a newly acquired server hosted somewhere, I make a copy of the default rules (the ones created during the install), edit them to make them easier on the eyes, and then close down whatever I don't want open, or limit access to the IPs/networks I want.

This buys me time until I can properly lock things down on the server.

Default rules:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Custom rules:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT

#############################################
## Loopback
#############################################
-A RH-Firewall-1-INPUT -i lo -j ACCEPT

#############################################
## Ping requests
#############################################
-A RH-Firewall-1-INPUT -i eth0 -p icmp --icmp-type 8 -j ACCEPT

#############################################
## Established connections are maintained
#############################################
-A RH-Firewall-1-INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#############################################
## SSH
#############################################
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.0/255.255.255.0 -d 192.168.12.11 -m tcp -p tcp --dport 22 --syn -j ACCEPT

#############################################
## HTTP/ HTTPS
#############################################
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -d 192.168.12.11 -m tcp -p tcp --dport http --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -d 192.168.12.11 -m tcp -p tcp --dport https --syn -j ACCEPT

#############################################
## NTPD server
#############################################
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.12 -d 192.168.12.11 -p tcp --dport ntp --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.12 -d 192.168.12.11 -p udp --dport ntp -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.13 -d 192.168.12.11 -p tcp --dport ntp --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.13 -d 192.168.12.11 -p udp --dport ntp -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.14 -d 192.168.12.11 -p tcp --dport ntp --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.14 -d 192.168.12.11 -p udp --dport ntp -j ACCEPT


#########################
## BEGIN Samba - WinBox01
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.13 -d 192.168.12.11 -p tcp --dport netbios-ns --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.13 -d 192.168.12.11 -p udp --dport netbios-ns -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.13 -d 192.168.12.11 -p tcp --dport netbios-dgm --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.13 -d 192.168.12.11 -p udp --dport netbios-dgm -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.13 -d 192.168.12.11 -p tcp --dport netbios-ssn --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.13 -d 192.168.12.11 -p udp --dport netbios-ssn -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.13 -d 192.168.12.11 -p tcp --dport microsoft-ds --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.13 -d 192.168.12.11 -p udp --dport microsoft-ds -j ACCEPT
## END Samba - WinBox01
#######################

#########################
## BEGIN Samba - WinBox02
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.14 -d 192.168.12.11 -p tcp --dport netbios-ns --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.14 -d 192.168.12.11 -p udp --dport netbios-ns -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.14 -d 192.168.12.11 -p tcp --dport netbios-dgm --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.14 -d 192.168.12.11 -p udp --dport netbios-dgm -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.14 -d 192.168.12.11 -p tcp --dport netbios-ssn --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.14 -d 192.168.12.11 -p udp --dport netbios-ssn -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.14 -d 192.168.12.11 -p tcp --dport microsoft-ds --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.14 -d 192.168.12.11 -p udp --dport microsoft-ds -j ACCEPT
## END Samba - WinBox02
########################

#############################################
## Close down
#############################################
-A RH-Firewall-1-INPUT -i eth0 -d 192.168.12.11 -j REJECT --reject-with icmp-host-prohibited
COMMIT
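An added example, not part of the original post: a small Python audit of a ruleset in this iptables-save format. It reports which ports are accepted from which sources, and checks how the user chain ends. On an excerpt of the custom rules above it points out that the final REJECT is scoped to eth0 and 192.168.12.11, so traffic arriving on any other interface or address returns to INPUT, whose policy is still ACCEPT. The sample ruleset is a constructed excerpt of the rules above.

```python
"""Audit an iptables-save ruleset: which ports are open, to which sources,
and whether the user chain really closes everything else. Added example."""
import shlex
from collections import defaultdict
# Constructed sample: an excerpt of the post's custom rules.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.0/255.255.255.0 -d 192.168.12.11 -m tcp -p tcp --dport 22 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -d 192.168.12.11 -m tcp -p tcp --dport http --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -i eth0 -s 192.168.12.12 -d 192.168.12.11 -p udp --dport ntp -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -d 192.168.12.11 -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_rules(text):
    """Return (chain -> policy, list of rule dicts keyed by option name)."""
    policies, rules = {}, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith(":"):                      # chain declaration, '-' = user chain
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):                   # append-rule line
            toks = [t for t in shlex.split(line) if t != "--syn"]  # --syn is a bare flag
            rule, i = {"chain": toks[1]}, 2
            while i < len(toks):                      # every remaining option takes one value
                rule[toks[i].lstrip("-")], i = toks[i + 1], i + 2
            rules.append(rule)
    return policies, rules

def audit(text):
    """Map (proto, dport) -> allowed sources and list weak spots."""
    policies, rules = parse_rules(text)
    exposed, findings = defaultdict(list), []
    for r in rules:
        if r.get("j") == "ACCEPT" and "dport" in r:
            src = r.get("s", "0.0.0.0/0")             # no -s means any source
            exposed[(r["p"], r["dport"])].append(src)
            if src == "0.0.0.0/0":
                findings.append("%s/%s is open to any source" % (r["p"], r["dport"]))
    for chain in [c for c, p in policies.items() if p == "-"]:  # how does each user chain end?
        last = [r for r in rules if r["chain"] == chain][-1]
        if last.get("j") not in ("REJECT", "DROP"):
            findings.append("%s has no catch-all REJECT/DROP" % chain)
        elif set(last) & {"i", "s", "d"}:             # scoped catch-all: the rest falls through
            findings.append("%s catch-all is scoped; rest hits INPUT policy %s" % (chain, policies["INPUT"]))
    return dict(exposed), findings
```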
