[nzlug] iptables problems...

Steve Holdoway steve at greengecko.co.nz
Mon Feb 18 16:52:58 NZDT 2008


I'm trying to set up a basic firewall - as a start, I'm just trying to have ssh traffic and nothing else running. However, this just doesn't work. What am I doing wrong?

It's going to act as a gateway - ssh tunnelling in, eventually restricting outgoing traffic to a few targets so it *should* make sense to default drop all output. The problem may be in the forwarding??

Script... ( eth0 *is* internet facing, and nothing upstream is interfering )

# Default policy drop everything
$IPTables -P INPUT DROP
$IPTables -P FORWARD DROP
$IPTables -P OUTPUT DROP

# Initialise the firewalling
# 1. Flush tables
$IPTables -F INPUT
$IPTables -F OUTPUT
$IPTables -F FORWARD

# 2. Set up input stuff. 
# Loopback's good.
$IPTables -A INPUT -i lo -j ACCEPT
$IPTables -A OUTPUT -s 127.0.0.0/24 -j ACCEPT

$IPTables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# No non-routable IP address sources
$IPTables -A INPUT -p tcp -i eth0 -s 192.168.0.0/16 -j DROP
$IPTables -A INPUT -p tcp -i eth0 -s 172.16.0.0/12 -j DROP
$IPTables -A INPUT -p tcp -i eth0 -s 10.0.0.0/8 -j DROP

# Allowed services - just ssh atm.
$IPTables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# 3. Set up output stuff.
$IPTables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# iptables --list -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       tcp  --  eth0   *       192.168.0.0/16       0.0.0.0/0           
    0     0 DROP       tcp  --  eth0   *       172.16.0.0/12        0.0.0.0/0           
    0     0 DROP       tcp  --  eth0   *       10.0.0.0/8           0.0.0.0/0           
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW,ESTABLISHED 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       127.0.0.0/24         0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 state ESTABLISHED 


Any suggestions would be gratefully received.