[ale] iptables...

leonard triton at madchat.org
Thu Aug 30 17:41:11 EDT 2001


Timothy Ball wrote:
> 
> I need to filter some ports on my laptop... I don't know iptables...
> (i'm not a networking guy). I've tried looking at the docs, but again
> I'm not a networking guy.

The best is to start by denying everything, then you open what you need.
See /var/log/messages for denied packets.

Here is my ip-up.local, internal LAN traffic is accepted (NFS, SAMBA),
spoofing is denied, the DNS issue is addressed. eth0 is the LAN ethernet
card. ppp0 is the internet connection (going thru eth1 for me...)


LAN="192.168.0.0/24"
EXTIP="`ifconfig ppp0|grep inet|awk '{print $2}'|awk -F":" '{print $2}'`" 
ipchains -F

ipchains -F input 
ipchains -P input REJECT
> rejects everything on input
ipchains -A input -i ppp0 -s $LAN -d 0.0.0.0/0 -l -j REJECT
> prevents spoofing
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT 
> internal virtual interface loop ok

ipchains -A input -i eth0 -s $LAN -d 0.0.0.0/0 -j ACCEPT 
> lan ok
ipchains -A input -i ppp0 -p tcp -s 0.0.0.0/0 -d $EXTIP/32 21 -j ACCEPT 
ipchains -A input -i ppp0 -p tcp -s 0.0.0.0/0 -d $EXTIP/32 22 -j ACCEPT 
> ssh/ftp

#ftp.        (proto 6 : tcp, 17=udp : /etc/protocols)
ipchains -A input -i ppp0 -p tcp -s 0.0.0.0/0 -d $EXTIP/32 20 -j ACCEPT 
> ftp data in, if you have a server running.
ipchains -A input -i ppp0 -p tcp -s 0.0.0.0/0 -d $EXTIP/32 1061 -j ACCEPT 
ipchains -A input -i ppp0 -p tcp -s 0.0.0.0/0 -d $EXTIP/32 2500:5000 -j ACCEPT 
> same again.
#masq
ipchains -A input -i ppp0 -p tcp -s 0.0.0.0/0 -d $EXTIP/32 61000: -j ACCEPT 
> all ports above 61000 ok, this is useful for radio broadcasts etc..


#dns2go
ipchains -A input -i ppp0 -p tcp -s 63.64.164.92 1227 -d $EXTIP/32 1500:4000 -j ACCEPT 
ipchains -A input -i ppp0 -p tcp -s 63.64.164.93 1227 -d $EXTIP/32 1500:4000 -j ACCEPT 
ipchains -A input -i ppp0 -p tcp -s 63.149.6.93 1227 -d $EXTIP/32 1500:4000 -j ACCEPT 
#squid
ipchains -A input -i ppp0 -p tcp -s 0.0.0.0/0 -d $EXTIP/32 2240:2700 -j ACCEPT 
#udp ns2.dns2go
ipchains -A input -i ppp0 -p udp -s 63.64.164.92 1227 -d $EXTIP/32 -j ACCEPT 
ipchains -A input -i ppp0 -p udp -s 63.64.164.93 1227 -d $EXTIP/32 -j ACCEPT 
ipchains -A input -i ppp0 -p udp -s 63.149.6.93 1227 -d $EXTIP/32 -j ACCEPT 
> all that you may not need


#udp masq
ipchains -A input -i ppp0 -p udp -s 0.0.0.0/0 -d $EXTIP/32 61000: -j ACCEPT 
#pings
ipchains -A input -i ppp0 -p icmp -s 0.0.0.0/0 -d $EXTIP/32 0:3 -j ACCEPT


ipchains -F output 
ipchains -P output REJECT
ipchains -A output -i ppp0 -s $LAN -d 0.0.0.0/0 -l -j REJECT 
ipchains -A output -i ppp0 -s 0.0.0.0/0 -d $LAN -l -j REJECT 
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT 

#ipchains -A output -i eth0 -s $LAN -d $LAN -j ACCEPT 
#ipchains -A output -i eth0 -s 0/0 -d 0/0 -j ACCEPT 
ipchains -A output -i eth0 -s 0.0.0.0/0 -d $LAN -j ACCEPT 
ipchains -A output -i ppp0 -s $EXTIP/32 -d 0.0.0.0/0 -j ACCEPT 


> Ip masquerading
ipchains -F forward 
ipchains -P forward DENY
ipchains -A forward -i ppp0 -s $LAN -d 0.0.0.0/0 -j MASQ 
ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT


depmod -a
insmod ip_masq_ftp
insmod ip_masq_irc
insmod ip_masq_raudio
#modprobe ip_masq_ftp
#modprobe ip_masq_raudio
#modprobe ip_masq_irc


> mindspring DNS
DNS1="207.69.188.185" 
DNS2="207.69.188.186" 

for dns in $DNS1 $DNS2 
do 
#following line redundant with the general forward and output rules
#ipchains -A forward -i ppp0 -p udp -s $LAN -d $dns 53 -j MASQ 
#ipchains -A forward -i ppp0 -p tcp -s $LAN -d $dns 53 -j MASQ 
#ipchains -A output -i ppp0 -p udp -s $EXTIP/32 -d $dns 53 -j ACCEPT 
#ipchains -A output -i ppp0 -p tcp -s $EXTIP/32 -d $dns 53 -j ACCEPT 
ipchains -A input -i ppp0 -p udp -s $dns 53 -d $EXTIP/32 -j ACCEPT 
ipchains -A input -i ppp0 -p tcp -s $dns 53 -d $EXTIP/32 -j ACCEPT 
#ipchains -A input -i eth0 -p udp -s $LAN -d 0/0 53 -j ACCEPT 
#ipchains -A input -i eth0 -p tcp -s $LAN -d 0/0 53 -j ACCEPT 
#ipchains -A output -i eth0 -p udp -s $dns 53 -d $LAN -j ACCEPT 
#ipchains -A output -i eth0 -p tcp -s $dns 53 -d $LAN -j ACCEPT 
done 


ipchains -N ppp-in
ipchains -A input -i ppp0 -j ppp-in
ipchains -A ppp-in -s 224.0.0.0/8 -j REJECT -l
> denied broadcasting addresses


ipchains -N ppp-out
ipchains -A output -i ppp0 -j ppp-out
#
#Minimum Delay           0x01 0x10       ftp, telnet
#Maximum Throughput      0x01 0x08       ftp-data
#Maximum Reliability     0x01 0x04       snmp
#Minimum Cost            0x01 0x02       nntp
#
ipchains -A ppp-out -p TCP -d 0.0.0.0/0 ftp-data -t 0x01 0x02
> minimum cost for ftp data coming out.


ipchains -A input -j DENY -l 
ipchains -A output -j DENY -l 
ipchains -A forward -j DENY -l
> logs all denied packets.


Hope it helps, feel free to contact me if you have any questions.

-- 

Alt: leonard at madloutre.org /\ GnuPG clef 1024D/9A3D4CA1
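Added example, not part of the original post: a small POSIX shell script that summarises the "Packet log:" lines which the `-l` rules above write to /var/log/messages, so the "see the log for denied packets" step is easier to act on. The log lines are constructed for the example; the 192.168.0.0/24 LAN range and the ppp0 interface follow the script above, and the field layout is the standard ipchains log format.

```shell
#!/bin/sh
# Summarise the "Packet log:" lines that ipchains rules with -l write to
# /var/log/messages. Sample lines below are constructed for this example;
# the LAN range and the ppp0 interface follow the firewall script above.

SAMPLE_LOG='Aug 30 17:41:11 laptop kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4321 198.51.100.9:23 L=60 S=0x00 I=1234 F=0x4000 T=50 SYN (#12)
Aug 30 17:41:12 laptop kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4322 198.51.100.9:23 L=60 S=0x00 I=1235 F=0x4000 T=50 SYN (#12)
Aug 30 17:41:15 laptop kernel: Packet log: input REJECT ppp0 PROTO=17 192.168.0.5:1024 198.51.100.9:111 L=48 S=0x00 I=77 F=0x0000 T=64 (#2)
Aug 30 17:42:01 laptop kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.9:137 198.51.100.9:137 L=78 S=0x00 I=40 F=0x0000 T=110 (#12)
Aug 30 17:42:05 laptop kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.8:5555 198.51.100.9:22 L=60 S=0x00 I=1300 F=0x4000 T=50 SYN (#12)'

# Reads log lines on stdin; prints "count chain target iface proto=N dport=P",
# most frequent first. Field layout after "Packet log:" is
#   chain target iface PROTO=n src:sport dst:dport L=.. S=.. I=.. F=.. T=..
ipchains_log_summary() {
    awk '
        /Packet log:/ {
            for (i = 1; i <= NF; i++) if ($i == "log:") break
            proto = $(i+4); sub(/^PROTO=/, "", proto)
            split($(i+6), dst, ":")
            key = $(i+1) " " $(i+2) " " $(i+3) " proto=" proto " dport=" dst[2]
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Counts logged packets that arrived on interface $2 (default ppp0) with a
# source inside the LAN prefix $1 (default 192.168.0., i.e. 192.168.0.0/24):
# these are hits on the anti-spoofing rule (-i ppp0 -s $LAN -l -j REJECT).
spoof_log_count() {
    awk -v pfx="${1:-192.168.0.}" -v ifc="${2:-ppp0}" '
        /Packet log:/ {
            for (i = 1; i <= NF; i++) if ($i == "log:") break
            if ($(i+3) == ifc && index($(i+5), pfx) == 1) n++
        }
        END { print n + 0 }
    '
}

printf '%s\n' "$SAMPLE_LOG" | ipchains_log_summary
printf 'spoofed-source packets on ppp0: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | spoof_log_count)"
```

On a real machine replace the sample with `grep 'Packet log:' /var/log/messages | ipchains_log_summary`.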
