# linux newbie needs a sanity critique for an IPTABLE setup

## dlm1065

DETAILS

I am trying to do a proper setup of IPTABLES for a multihomed computer. The computer that is doing this will also be doing web, mail, print serving, and other misc roles. All roles will be minimal load levels.

| Interface | Address |
|-----------|---------|
| A) eth0 | 192.168.0.1 |
| B) eth1 | 192.168.1.1 |
| C) eth2 | dynamic (ISP assigned) |

C is the internet interface. Anything not initially originated from interface(s) A/B should be blocked. A & B are both segments that need to be allowed to the internet and at this point to one another. Right now I need full access between the 2 segments but in the future I will need to restrict that to allow only certain things to be allowable.

Solution Candidate

Looking at the docs on setting up a home server this is what I think will let me do my goal. Can someone that is more familiar with IPTABLES tell me if I did this correctly or if this has major holes in it?

```
iptables -F
iptables -t nat -F

#lock down services
# These three are inserted at position 1, so everything arriving on eth0,
# eth1 and lo is accepted before any later INPUT rule is consulted.
iptables -I INPUT 1 -i eth0 -j ACCEPT
iptables -I INPUT 1 -i eth1 -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
# Reject DHCP (bootps) and DNS (domain) requests not arriving on a LAN interface.
# "! -i" is the current negation syntax; "-i !" is the deprecated form.
iptables -A INPUT -p UDP --dport bootps ! -i eth0 -j REJECT
iptables -A INPUT -p UDP --dport bootps ! -i eth1 -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i eth0 -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i eth1 -j REJECT

#Allow access to the ssh server from the WAN
iptables -A INPUT -p TCP --dport ssh -i eth2 -j ACCEPT

#Drop TCP/UDP packets to privileged ports
iptables -A INPUT -p TCP ! -i eth0 -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p TCP ! -i eth1 -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i eth0 -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i eth1 -d 0/0 --dport 0:1023 -j DROP

#add the NAT rules
# Drop packets arriving on a LAN interface that are addressed back to that same subnet.
iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.255.0 -j DROP
iptables -I FORWARD -i eth1 -d 192.168.1.0/255.255.255.0 -j DROP
# Forward whatever the two LAN segments originate, and whatever arrives from
# the WAN addressed to either LAN subnet.
iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i eth2 -d 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i eth2 -d 192.168.1.0/255.255.255.0 -j ACCEPT
# Source-NAT everything leaving on the ISP interface.
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

#tell the kernel ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
# Turn on reverse-path filtering for every interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > "$f" ; done

#so on reboot routing in place
/etc/init.d/iptables save
rc-update add iptables default
```

----------

## speed_bump

What's the default policy for the chain? In general, your best bet from a security perspective is to deny everything by default and write rules that specifically allow the things you need. It's more difficult, but there's less chance of overlooking something.

----------

## mcdermottpa

As suggested above you should disallow all access first and then explicitly state what will be allowed. Here's what I have in my iptables script:

```
# All packets that are not explicitly accepted should be dropped.
/bin/echo -e '   [Dropping] All packets not explicitly accepted'
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
```

The netfilter/iptables project has lots of valuable documentation.

http://www.netfilter.org/

----------

## dlm1065

Ok, the fact that I thought that this was doing what you both are suggesting means I know even less than I thought I did, & I knew I didn't know much. *sigh* I followed the Home Router How-To in the Gentoo docs.

Thank you both, I appreciate the script and the doc reference, but it makes me curious. Are there any other good places for a Linux beginner to start understanding better how to lock things down?

----------

## charliecompany

I know it doesn't teach you as much but you could try using a gui to create your firewall rules. I have heard shorewall is good and I personally use fwbuilder. That has worked really well for me.

----------

## mcdermottpa

Well, if you want some bedside reading, I found that this Linux Security HOWTO does a good job of outlining security considerations and providing some practical solutions: http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Security-HOWTO.html but it really does take a lot of work to develop an in-depth understanding of Linux security. Most of us have a long way to go, so welcome to the club.

----------

## GenKreton

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Best guide on iptables I found.

I too was just learning iptables and found that, unless under special circumstances, denying all forward and input is safe. Allow all output and then all input on related connections.

This setup has a few issues but will keep you safe from virtually everything.

My lax rules are as follows (I have a strict set I use normally that denies output but it is a HUGE hassle):

```
## Variables
# Locations
IPT='/sbin/iptables'

## Flush rules
$IPT -F
$IPT -X
$IPT -Z

## Standard policy
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

## Filter
# Localhost
$IPT -A INPUT -i lo -j ACCEPT

# SSH
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT

...
```

There are more rules but you get the idea and probably won't need them.

*EDIT: lots of stupidity was happening here in my post...

----------
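The thread's advice (speed_bump and mcdermottpa: default-deny policies; GenKreton: accept ESTABLISHED,RELATED and then only what you need) applied to the topology from the first post, as an added example that is none of the posters' own scripts. It emits an iptables-restore file instead of calling iptables directly so the rules can be read before they are loaded; interface names and subnets come from the question, the /24 masks and TCP port 22 for the WAN-side ssh rule are assumed from it.

```shell
#!/bin/sh
# Added example: default-deny ruleset for eth0/eth1 = LAN segments, eth2 = ISP.
# Values below are taken from the question in this thread (masks assumed /24).
LAN0=eth0; LAN0_NET=192.168.0.0/24
LAN1=eth1; LAN1_NET=192.168.1.0/24
WAN=eth2

# Print the ruleset in iptables-restore format (load with: gen_ruleset | iptables-restore).
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, plus replies to connections this host started; drop malformed state.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# LAN hosts may reach the router's own services (DNS, DHCP, web, mail, print).
-A INPUT -i $LAN0 -s $LAN0_NET -j ACCEPT
-A INPUT -i $LAN1 -s $LAN1_NET -j ACCEPT
# The only service reachable from the ISP side, as in the question.
-A INPUT -i $WAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Forwarding: replies flow back; new flows may only originate on a LAN interface,
# so nothing from $WAN can open a connection inward (no "-i $WAN" rule here).
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Full access between the two segments for now; to restrict it later, add
# specific ACCEPTs above these two lines and append "-o $WAN" to them.
-A FORWARD -i $LAN0 -s $LAN0_NET -j ACCEPT
-A FORWARD -i $LAN1 -s $LAN1_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Review helper: does the generated file contain this rule text verbatim?
has_rule() { gen_ruleset | grep -qF -- "$1"; }

# Self-check before loading: no rule may accept traffic entering on the WAN in FORWARD.
if gen_ruleset | grep -q -- "-A FORWARD -i $WAN"; then
    echo "refusing: WAN-originated forwarding rule found" >&2; exit 1
fi
```

IP forwarding still has to be switched on separately (as the first post does with /proc/sys/net/ipv4/ip_forward); the file above only sets the filter and nat tables.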

