February 19, 2009 at 9:26 pm #41485
I have planned to deploy zeroshell to seal off our internal lab environment.
Basically, I have 4 NICs, none of which is connected to the internet. I have them configured and traffic works fine as-is (although all ports open). I am trying to figure out the chains of FORWARD, INPUT and OUTPUT. By default, the policy is ACCEPT, thus everything is working. However, I want to have a policy of DENY, and only allow certain ports between segments.
ETH00 – 192.168.0.x
ETH01 – 192.168.10.x
ETH02 – 192.168.20.x
ETH03 – 192.168.30.x
I want traffic from any segment to 192.168.0.x (any IP) only on ports 8222 and 8333. That would be good to begin. What rules do I add to what chains for this, assuming a default of DENY on the chain?

February 22, 2009 at 2:38 pm #47647
It is a bad idea to make any of the default chains DENY.
You should first make rules that allow traffic (there are almost always fewer things you want to allow than deny) and after that add deny rules. Watch the sequence numbers.
INPUT chain deals with traffic whose destination is one of the firewall's IPs.
FORWARD chain deals with traffic whose destination IP is not one of the firewall's.
OUTPUT chain deals with traffic coming from the firewall.
This is a simple explanation; there are many other things to consider.
For your example:
Protocol Matching: choose the source or destination ports you want to allow.
For example, if you would allow HTTP, then you choose destination port 80, protocol TCP.
Hope this helps.

February 23, 2009 at 8:48 pm #47648
I left the INPUT and OUTPUT chains alone for now. Just want to get the FORWARD working. I created a rule to allow all RELATED traffic from each subnet to each other subnet. I then added a rule under FORWARD to allow tcp/8333 and tcp/8222 from ETH01 to ETH00. It seems to function ok. I am trying to figure out the logging part now so I can see if stuff is dropping/etc.
Thanks for the reply!
February 26, 2009 at 8:34 am #47649
vapor, you are on the right track. I will strongly disagree with others who say the default should not be DENY. It will be the LAST rule in the chain and thus should be DENY.
But, when you set your tables up you may want to do it like so:
# Flush all the previous rules
/sbin/iptables -F INPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F OUTPUT
# Disable all routing until rules are in place
# (iptables spells the deny policy DROP; -P only accepts ACCEPT or DROP as a built-in chain policy)
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
# Now, add the FORWARD rules
/sbin/iptables -A FORWARD … becomes rule 1
/sbin/iptables -A FORWARD … becomes rule 2
# NOTE: -A appends, so each rule you add goes to the END of the chain (use -I to insert at the top).
# The chain policy (DROP) is consulted only after every rule has been tried, so it is indeed the default verdict.
# Lastly, allow the INPUT and OUTPUT traffic
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
This is certainly not a complete or exhaustive description; you may want to look at:
HTH

March 6, 2009 at 1:13 am #47650
Thanks. What I did was add the rules that I wanted, set them to logging to make sure all the traffic I wanted was being hit by those rules, then set the default to deny. Works fine so far, I think. 🙂
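The whole thread turns on three things: rules are tried in order until one matches, the chain policy is only the fallback when nothing matched, and -A appends while -I inserts at the top. The following is an added example, not code from this thread or from Zeroshell: a small Python simulation of a FORWARD chain built the way the thread ends up (ESTABLISHED/RELATED accepted first, then tcp/8222 and tcp/8333 towards 192.168.0.0/24, then a non-terminating LOG rule, with the chain policy set to DROP). The packets, subnets and rule set are constructed to match the thread's layout; the class and function names are mine.

```python
"""Simulation of iptables first-match evaluation for a FORWARD chain (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    state: str = "NEW"          # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str                 # ACCEPT, DROP or LOG (LOG is non-terminating)
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dports: Tuple[int, ...] = ()
    states: Tuple[str, ...] = ()

    def matches(self, pkt: Packet) -> bool:
        # Every unset field is a wildcard, like an omitted iptables match option.
        if self.dst_net and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


class Chain:
    def __init__(self, name: str, policy: str = "DROP"):
        self.name = name
        self.policy = policy        # iptables -P: the verdict when no rule matches
        self.rules: List[Rule] = []
        self.log: List[str] = []    # what a LOG target would have written to the kernel log

    def append(self, rule: Rule) -> None:
        """iptables -A: the new rule goes to the END of the chain."""
        self.rules.append(rule)

    def insert(self, rule: Rule, position: int = 1) -> None:
        """iptables -I: the new rule goes to the given 1-based position (top by default)."""
        self.rules.insert(position - 1, rule)

    def evaluate(self, pkt: Packet) -> str:
        """First terminating match wins; the policy applies only if nothing matched."""
        for number, rule in enumerate(self.rules, start=1):
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":
                self.log.append(
                    f"{self.name} rule {number}: {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto} {pkt.state}"
                )
                continue            # LOG records the packet and evaluation carries on
            return rule.target
        return self.policy


def build_forward_chain() -> Chain:
    """The FORWARD chain described in the thread (constructed rule set)."""
    chain = Chain("FORWARD", policy="DROP")
    # 1. return traffic for connections already allowed through
    chain.append(Rule("ACCEPT", states=("ESTABLISHED", "RELATED")))
    # 2. new connections from any segment to ETH00's subnet on tcp/8222 and tcp/8333
    chain.append(Rule("ACCEPT", dst_net="192.168.0.0/24", proto="tcp", dports=(8222, 8333)))
    # 3. log everything that falls through before the DROP policy eats it
    chain.append(Rule("LOG"))
    return chain


def order_demo() -> Tuple[str, str]:
    """Same allow rule, appended after a catch-all DROP versus inserted before it."""
    pkt = Packet("192.168.10.5", "192.168.0.7", dport=8222)
    allow = Rule("ACCEPT", dst_net="192.168.0.0/24", proto="tcp", dports=(8222,))
    appended = Chain("FORWARD")
    appended.append(Rule("DROP"))   # catch-all deny as rule 1
    appended.append(allow)          # -A puts the allow after it: never reached
    inserted = Chain("FORWARD")
    inserted.append(Rule("DROP"))
    inserted.insert(allow)          # -I 1 puts the allow in front of the catch-all
    return appended.evaluate(pkt), inserted.evaluate(pkt)


if __name__ == "__main__":
    fw = build_forward_chain()
    for p in (Packet("192.168.10.5", "192.168.0.7", dport=8222),
              Packet("192.168.10.5", "192.168.0.7", dport=22),
              Packet("192.168.0.7", "192.168.10.5", dport=40000, state="ESTABLISHED")):
        print(p, "->", fw.evaluate(p))
    print("\n".join(fw.log))
    print("appended vs inserted:", order_demo())
```

The LOG rule sits last on purpose: placed before the allow rules it would record every packet, which is the noise vapor avoided by logging only on the rules of interest while tuning and then flipping the policy.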