Scenario: You have a Fedora Core 2 system that is to function as a Web proxy server. Client machines are on the 192.168.1/24 network. The Internet connection is via a router on the 172.20.5/24 network. Your proxy server has two network interfaces: eth0 is 192.168.1.100 and eth1 is 172.20.5.17. Both interfaces use a subnet mask of 255.255.255.0 (24 bits). Assume that the network routes and proxy services (squid and named) are correctly configured.
The solutions given here are just some of the many possible sets of iptables rules that will meet the stated requirements. If you are going to try these out on a remote machine (that is, one where you have to connect via a network), you run the risk of blocking your own connection that you are using to configure iptables and therefore not being able to correct the problem.
One way to prevent yourself from being locked out is to set up an at job that will disable the firewall in, say, 15 minutes so that if your connections do get blocked, you will have to wait only 15 minutes at most before being able to reconnect and fix the problem. The command to do this is:
echo "/sbin/service iptables stop" | at now + 15 minutes
The system will respond with a message similar to this:
job 11 at 2004-05-20 17:43
Now you can set up your iptables rules, remembering to save them frequently with this command because they will get cleared when the at job runs.
service iptables save
(Alternatively, you can edit the file /etc/sysconfig/iptables-config and set the IPTABLES_SAVE_ON_STOP variable to yes and remove the # from the start of the line where it is set). If you are happy with the firewall configuration and want to stop the at job from running, use the following command:
atrm job#
where job# is the job number you were given when you set up the at job (11 in the preceding example). You can list the jobs still queued with atq.
Make sure your rules will be applied each time the system boots.
After your proxy server has been running for a while, a new requirement is identified. Machines on the 192.168.1/24 network need to be able to make PPTP connections to an external VPN server with an IP address of 10.1.3.97. Update the iptables rules to satisfy this requirement. (Assume that IP forwarding is enabled on your proxy server.)
Deal with each firewall chain (INPUT, OUTPUT, and FORWARD) separately. For each chain, start by flushing the existing firewall rules set up by the system-config-securitylevel application, and set the default policy to DROP. Remember that a DROP policy on INPUT and OUTPUT also applies to the loopback interface: squid talks to named on 127.0.0.1, so both chains need an explicit rule for lo or name resolution in the proxy stops working.
# INPUT chain
iptables -F INPUT                  # Flush existing rules
iptables -P INPUT DROP             # Default policy set to DROP

# Accept everything on the loopback interface. Without this rule squid
# cannot reach named on 127.0.0.1 once the default policy is DROP.
iptables -A INPUT -i lo -j ACCEPT

# Accept packets on any interface that belong to, or are related to,
# established connections. Placing this rule first means most packets
# match here instead of traversing the whole chain.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept incoming SSH connections on eth0 from 192.168.1.155 and
# 192.168.1.201. SSH uses TCP only, so no UDP rule is needed.
# Use the state module (-m state) so that the rule matches only
# new connections (--state NEW).
iptables -A INPUT -p tcp -i eth0 -s 192.168.1.155 --dport ssh \
    -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s 192.168.1.201 --dport ssh \
    -m state --state NEW -j ACCEPT

# Accept incoming connections on port 3128 (squid, TCP only) from the
# 192.168.1/24 network
iptables -A INPUT -p tcp -i eth0 -s 192.168.1/24 --dport squid -j ACCEPT

# Accept incoming DNS queries on port 53 from the 192.168.1/24 network.
# DNS uses both UDP and TCP. Note that the service name used by DNS in
# /etc/services is "domain".
iptables -A INPUT -p tcp -i eth0 -s 192.168.1/24 --dport domain -j ACCEPT
iptables -A INPUT -p udp -i eth0 -s 192.168.1/24 --dport domain -j ACCEPT

# Allow ICMP packets
iptables -A INPUT -p icmp -j ACCEPT

# Log unauthorized attempts to use Telnet or FTP (both TCP). LOG is a
# non-terminating target: the packet continues down the chain and is then
# dropped by the default policy. The limit match stops a burst of
# connection attempts from flooding the log.
iptables -A INPUT -p tcp -i eth0 -s 192.168.1/24 --dport telnet \
    -m limit --limit 5/minute -j LOG --log-prefix "telnet attempt: "
iptables -A INPUT -p tcp -i eth0 -s 192.168.1/24 --dport ftp \
    -m limit --limit 5/minute -j LOG --log-prefix "ftp attempt: "

#
# OUTPUT chain
#
iptables -F OUTPUT
iptables -P OUTPUT DROP

# Allow everything on the loopback interface (see INPUT chain above)
iptables -A OUTPUT -o lo -j ACCEPT

# Allow outgoing packets on any interface that are part of established
# connections
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing packets on eth1 for HTTP, FTP, HTTPS and DNS. Using the
# multiport match extension reduces the number of rules to two (one for
# UDP, the other for TCP). Two details matter here: the OUTPUT chain
# matches on the outgoing interface, so the option is -o (iptables
# rejects -i in OUTPUT), and the list given to --dports must not contain
# spaces.
iptables -A OUTPUT -p udp -o eth1 -m multiport \
    --dports http,ftp,ftp-data,https,domain -j ACCEPT
iptables -A OUTPUT -p tcp -o eth1 -m multiport \
    --dports http,ftp,ftp-data,https,domain -j ACCEPT
# Note: ftp-data (port 20) only covers active-mode FTP. Squid fetches FTP
# URLs in passive mode, where the data connection goes to a high port
# chosen by the server; that connection is accepted by the
# ESTABLISHED,RELATED rule only if the ip_conntrack_ftp module is loaded.

# Allow proxy to send ICMP packets
iptables -A OUTPUT -p icmp -j ACCEPT

# FORWARD chain
# The proxy server should not forward any packets, so drop everything.
iptables -F FORWARD
iptables -P FORWARD DROP
Your customized iptables rules are saved to the file /etc/sysconfig/iptables by running the following command: service iptables save
Rules in /etc/sysconfig/iptables are applied when the system boots and the iptables service starts, so make sure the service is enabled for the run levels you boot into (chkconfig iptables on; chkconfig --list iptables shows the current setting). It is a good idea to make a backup of this configuration file before the next change.
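The lock-out guard from the start of this solution and the Exercise 1 rule set, combined into one script, as an added example that is not part of the original page. Instead of issuing the rules one by one (a script that dies halfway through a DROP-policy chain can lock you out), it writes the whole policy in iptables-restore format and loads it in one step; before loading it saves the running rules and queues an at job that restores them. Numeric ports are used so the file does not depend on /etc/services. The RULES_FILE, BACKUP_FILE and ROLLBACK_MIN settings and their default paths are placeholders chosen for this example; at prints its "job N at ..." line on stderr, which is why it is redirected before the job number is parsed out.

```shell
#!/bin/sh
# Added example (not from the original page): load the Exercise 1 policy
# atomically with iptables-restore, protected by an automatic rollback.
# Assumptions: interfaces and addresses as in the scenario; the at daemon
# is running; the file paths below are placeholders.

LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.1.0/24
ADMIN_HOSTS="192.168.1.155 192.168.1.201"             # hosts allowed to SSH in
RULES_FILE=${RULES_FILE:-/tmp/proxy-firewall.rules}   # placeholder path
BACKUP_FILE=${BACKUP_FILE:-/tmp/iptables-before.save} # placeholder path
ROLLBACK_MIN=${ROLLBACK_MIN:-15}                      # minutes until rollback

# Print the policy in iptables-restore format. Loopback and
# ESTABLISHED,RELATED come first, then the NEW connections we permit.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for h in $ADMIN_HOSTS; do
        echo "-A INPUT -i $LAN_IF -p tcp -s $h --dport 22 -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -i $LAN_IF -p tcp -s $LAN_NET --dport 3128 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp -s $LAN_NET --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p udp -s $LAN_NET --dport 53 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $LAN_IF -p tcp -s $LAN_NET -m multiport --dports 21,23 -m limit --limit 5/minute -j LOG --log-prefix "FW-REJECTED: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp -m multiport --dports 20,21,80,443,53 -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Extract the job number from at's "job N at <date>" message.
job_id() {
    sed -n 's/^job \([0-9][0-9]*\) at .*/\1/p'
}

# Save the running rules and queue their restoration. Prints the at job
# number so the job can be cancelled once the new policy is confirmed.
# at writes its confirmation on stderr, hence the 2>&1.
schedule_rollback() {
    iptables-save > "$BACKUP_FILE"
    echo "/sbin/iptables-restore < $BACKUP_FILE" |
        at now + "$ROLLBACK_MIN" minutes 2>&1 | job_id
}

apply_rules() {
    gen_rules > "$RULES_FILE"
    job=$(schedule_rollback)
    iptables-restore < "$RULES_FILE"   # whole table replaced in one step
    echo "rules loaded; rollback queued as at job $job (cancel with: $0 commit $job)"
}

# Cancel the rollback and make the loaded rules persistent.
commit_rules() {
    atrm "$1" && /sbin/service iptables save
}

case "${1:-}" in
    apply)  apply_rules ;;
    commit) commit_rules "$2" ;;
esac
```

Run it as root with `sh firewall.sh apply`, open a fresh SSH session from one of the admin hosts to prove the policy works, then `sh firewall.sh commit <job>`; if the new session fails, do nothing and the queued at job puts the previous rules back.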
PPTP connections use TCP port 1723 for the control channel and the GRE protocol (protocol number 47) for the tunnel itself. Add the following rules to the rules defined in Exercise 1. They assume that 192.168.1/24 addresses are routable to 10.1.3.97 through the router, since the exercise says nothing about NAT; if they are not, the proxy must also source-NAT this traffic in the nat table, and several PPTP clients sharing one NAT address additionally need the kernel's PPTP connection-tracking helper, because GRE carries no port numbers to tell the tunnels apart.
# FORWARD chain
#
# Additions for PPTP support. The interface, address and port matches
# ensure that the PPTP control connection on TCP port 1723 can only be
# opened from the 192.168.1/24 network towards the VPN server, and that
# only replies from the VPN server are forwarded back.
iptables -A FORWARD -p tcp -i eth0 -o eth1 -s 192.168.1/24 -d 10.1.3.97 \
    --dport 1723 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 -o eth0 -s 10.1.3.97 -d 192.168.1/24 \
    --sport 1723 -j ACCEPT
# Pass GRE traffic between the networks. GRE has no port numbers, so the
# only thing to restrict on is the address of the VPN server; the return
# direction needs its own rule because no state match is used here.
iptables -A FORWARD -p gre -i eth0 -o eth1 -s 192.168.1/24 -d 10.1.3.97 -j ACCEPT
iptables -A FORWARD -p gre -i eth1 -o eth0 -s 10.1.3.97 -d 192.168.1/24 -j ACCEPT
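The PPTP additions in iptables-restore format, as an added example that is not part of the original page. The point it shows is how to append to a running policy without flushing it (iptables-restore --noflush, with no chain-policy lines so the existing DROP policies are left alone) and what the optional source-NAT rule looks like for the case where 192.168.1/24 is not routable beyond the router. WAN_IP is the proxy's eth1 address from the scenario and is used only by that optional rule; the function names and the nat argument are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): PPTP forwarding rules in
# iptables-restore format, appended to the running policy. Assumptions:
# interfaces and addresses as in the scenario; SNAT only if the private
# network is not routable to the VPN server.

LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.1.0/24
VPN_SERVER=10.1.3.97
WAN_IP=172.20.5.17

# FORWARD rules: TCP 1723 (control channel) and GRE (protocol 47, the
# tunnel). Each rule names both interfaces and both addresses, so the
# proxy forwards PPTP only between the LAN and this one VPN server.
# No :FORWARD policy line, so the existing DROP policy is not touched.
gen_pptp_forward() {
    cat <<EOF
*filter
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -d $VPN_SERVER -p tcp --dport 1723 -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -s $VPN_SERVER -d $LAN_NET -p tcp --sport 1723 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -d $VPN_SERVER -p 47 -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -s $VPN_SERVER -d $LAN_NET -p 47 -j ACCEPT
COMMIT
EOF
}

# Optional: rewrite the LAN source addresses to the proxy's eth1 address.
# Only needed when 192.168.1/24 cannot be routed to the VPN server.
# More than one client behind this address requires the kernel's PPTP
# conntrack/NAT helper, since GRE has no ports to distinguish tunnels.
gen_pptp_nat() {
    cat <<EOF
*nat
-A POSTROUTING -o $WAN_IF -s $LAN_NET -d $VPN_SERVER -j SNAT --to-source $WAN_IP
COMMIT
EOF
}

# Load the additions on top of the rules already in the kernel.
# Usage: load_pptp        (routed private network)
#        load_pptp nat    (private network hidden behind WAN_IP)
load_pptp() {
    {
        gen_pptp_forward
        [ "${1:-}" = nat ] && gen_pptp_nat
    } | iptables-restore --noflush
}
```

After loading, run `service iptables save` so the additions survive a restart of the iptables service; the saved file will then contain the *nat section as well if you used the nat option.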