IPTABLES explained: Part 3 (Creating a complex IPTables script)
Next we write the rules to deny all traffic coming towards our MAIN network on the WLAN interface:
#BLOCK WiFI FROM REACHING 192.168.1.0/24 or 192.168.0.0/24
echo "-> BLOCKING WiFi"
$IPT -A FORWARD -i eth1 -p all -s $any -d $good -j DROP
Then we allow DNS queries from our MAIN network. Keep in mind that the default policies are locked down completely, so every service has to be allowed explicitly.
#accept dns
echo "-> ALLOWING DNS"
$IPT -A INPUT -i eth0 -p udp -s $good -d 192.168.0.9/32 --dport 53 -j ACCEPT
Now we will allow traffic between all GOOD networks and traffic coming to the server on the MAIN interface.
#ACCEPT FROM LAN
echo "-> ALLOWING LAN"
$IPT -A lan -i eth0 -p all -s $good -d $good -j ACCEPT
$IPT -A lan -i eth0 -p all -s $good -d $good -j ACCEPT
$IPT -A lan -i tun1 -p all -s $good -d $good -j ACCEPT
$IPT -A lan -i tun0 -p all -s $good -d $good -j ACCEPT
$IPT -A INPUT -j lan
$IPT -A OUTPUT -j lan
$IPT -A FORWARD -j lan
Now we will accept OpenVPN connections on both interfaces and SSH on both. This will nail it down quite nicely.
#Accept OPENVPN. Duh.
echo "-> ACCEPTING OPENVPN"
$IPT -A vpn -i eth0 -p tcp -s $any --destination-port 9000 -j ACCEPT
$IPT -A vpn -i eth1 -p tcp -s $bad --destination-port 9000 -j ACCEPT
$IPT -A vpn -o eth1 -p tcp --source-port 9000 -j ACCEPT
$IPT -A vpn -o eth0 -p tcp --source-port 9000 -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp -s $bad --destination-port 22 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp -s $any --destination-port 22 -j ACCEPT
$IPT -A INPUT -j vpn
$IPT -A OUTPUT -j vpn
And last but not least we make the log chain. This lets us prefix each log entry with a string of our choosing, so the entries are easier to spot in the logs.
$IPT -A log -j LOG --log-level info --log-prefix "IPTABLES: "
$IPT -A log -j DROP
$IPT -A INPUT -j log
$IPT -A OUTPUT -j log
$IPT -A FORWARD -j log
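The fragments above assembled into one runnable file, as an added example that is not the post's own script. Everything the post does not show is an assumption here: the values of $good, $bad and $any (placeholder networks), the chain creation with -N, the DROP default policies the post says are in place, and the loopback and established-connection rules; the repeated eth0 LAN rule is included once. By default the script only prints the commands, and it applies them only when IPT is pointed at the real binary:

```shell
#!/bin/sh
# Added example, not the original post's script. Network values, chain
# creation, default policies and the state rules are assumptions.
#
# Dry run by default (prints the commands). Apply for real, as root, with:
#   IPT=/sbin/iptables sh firewall.sh
IPT="${IPT:-echo iptables}"

# Assumed layout: eth0 = MAIN (wired) side, eth1 = WLAN side, tun0/tun1 = OpenVPN.
good="192.168.0.0/24"   # MAIN network (assumed placeholder)
bad="192.168.2.0/24"    # WLAN network (assumed placeholder)
any="0.0.0.0/0"
dns="192.168.0.9/32"    # resolver address used in the post

build_rules() {
    # Start clean and lock everything down; every service is then allowed explicitly.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # User-defined chains the rules below jump to.
    $IPT -N lan
    $IPT -N vpn
    $IPT -N log

    # Loopback and replies to flows we already allowed (assumed, not in the post).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Block WiFi from reaching the MAIN network.
    $IPT -A FORWARD -i eth1 -p all -s "$any" -d "$good" -j DROP

    # DNS from MAIN to the internal resolver.
    $IPT -A INPUT -i eth0 -p udp -s "$good" -d "$dns" --dport 53 -j ACCEPT

    # lan chain: traffic between GOOD networks on the wired and tunnel interfaces.
    $IPT -A lan -i eth0 -p all -s "$good" -d "$good" -j ACCEPT
    $IPT -A lan -i tun1 -p all -s "$good" -d "$good" -j ACCEPT
    $IPT -A lan -i tun0 -p all -s "$good" -d "$good" -j ACCEPT
    $IPT -A INPUT -j lan
    $IPT -A OUTPUT -j lan
    $IPT -A FORWARD -j lan

    # vpn chain: OpenVPN on TCP/9000 from either side, SSH on both interfaces.
    $IPT -A vpn -i eth0 -p tcp -s "$any" --destination-port 9000 -j ACCEPT
    $IPT -A vpn -i eth1 -p tcp -s "$bad" --destination-port 9000 -j ACCEPT
    $IPT -A vpn -o eth1 -p tcp --source-port 9000 -j ACCEPT
    $IPT -A vpn -o eth0 -p tcp --source-port 9000 -j ACCEPT
    $IPT -A INPUT -i eth1 -p tcp -s "$bad" --destination-port 22 -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp -s "$any" --destination-port 22 -j ACCEPT
    $IPT -A INPUT -j vpn
    $IPT -A OUTPUT -j vpn

    # log chain: whatever reaches the end of a built-in chain is logged, then dropped.
    $IPT -A log -j LOG --log-level info --log-prefix "IPTABLES: "
    $IPT -A log -j DROP
    $IPT -A INPUT -j log
    $IPT -A OUTPUT -j log
    $IPT -A FORWARD -j log
}

build_rules
```

Run `sh firewall.sh` first to read the generated commands, then `IPT=/sbin/iptables sh firewall.sh` as root to load them; `iptables -L -v -n` afterwards lists the chains with packet counters, which is the quickest way to see which rule traffic is actually hitting.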
There you have it. Now you can save the file and run it. After that you can check with iptables -L and see if your tables are there. Also verify your traffic: is everything working? If it isn't, check the logs; they tell you from where it did not allow something.
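For that log check, an added helper (not from the post) that groups the "IPTABLES: " entries by interface, source, destination and port, so the most frequent drop shows up first. The log lines are constructed sample data in the format the kernel LOG target writes, and the field names it reads (IN, OUT, SRC, DST, PROTO, DPT) are the standard ones from that target:

```shell
#!/bin/sh
# Added example, not from the original post. Summarizes what the "log" chain
# dropped, based on the --log-prefix "IPTABLES: " set in the script.

# Constructed sample syslog lines (not captured from a real host).
SAMPLE_LOG='Mar 10 12:00:01 gw kernel: IPTABLES: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.15 DST=192.168.0.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 12:00:02 gw kernel: IPTABLES: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.15 DST=192.168.0.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 12:00:03 gw kernel: IPTABLES: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.0.20 DST=192.168.0.9 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=5353 DPT=5353 LEN=58
Mar 10 12:00:04 gw kernel: IPTABLES: IN= OUT=eth0 SRC=192.168.0.9 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=39000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 12:00:05 gw sshd[123]: Accepted publickey for flosse from 192.168.0.20 port 50000 ssh2'

# Read log text on stdin; print "<hits> in=<if>|out=<if> <src> -> <dst> <proto>/<dport>",
# most frequent first. Lines without the prefix (the sshd line above) are ignored.
summarize_drops() {
    grep 'IPTABLES: ' | awk '
    {
        ifin = ""; ifout = ""; src = "?"; dst = "?"; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue               # flags such as DF or SYN carry no value
            if (kv[1] == "IN") ifin = kv[2]
            else if (kv[1] == "OUT") ifout = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        # INPUT/FORWARD drops carry IN=, OUTPUT drops only OUT=.
        where = (ifin != "") ? "in=" ifin : "out=" ifout
        key = where " " src " -> " dst " " proto "/" dpt
        count[key]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On a real box run `summarize_drops < /var/log/messages` (or wherever the kernel log lands on your distribution). In the sample the two SYNs from the WLAN host to TCP/445 on the MAIN network come out on top, which is exactly the FORWARD drop the WiFi block rule is there for; the out=eth0 line shows an outbound connection the OUTPUT chain refused, a hint that a service on the box itself still needs an explicit allow rule.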
Any thoughts and comments are welcome. A special thanks goes to mobsec.com for letting me write about this venture. If you want to go after a big script and want to try dissecting it, here is a very good example!
//Flosse
If you are interested in the full series, pick another part, or just go to the category root:
- Category: /sbin/iptables
- IPTables explained: Part 1 (a tutorial to understanding and creating your own rules)
- IPTABLES explained: Part 2 (or a how-to for iptables about efficient rule design)
- IPTABLES explained: Part 3 (Creating a complex IPTables script)
Also if you want to go further with iptables HERE is a very good article about restricting iptables by time of the day!
Hello again,
Just finished reading this part. I like your easy writing style, it definitely makes iptables much clearer.
Can you give me some more information about your friend’s OpenVPN and wireless setup? I’ve got a similar situation in which I’d like to use this setup.
Thanks.
Dave.
Hey Dave, I sure can. You can mail me directly at flosse@2blocksaway.com. Cheers.