iptables Default Policy of DROP

Protecting your Linux box
Javed4u
Cadet
Posts: 12
Joined: Sun Feb 24, 2008 12:24 am

iptables Default Policy of DROP

Postby Javed4u » Sat Sep 13, 2008 6:13 am

AOA

I am using Fedora 6 as my gateway, configured with NAT and iptables. I have two questions.
First of all, I want to secure my Linux box as much as possible by implementing a firewall script using iptables to change the default policy of every chain to DROP and then allow only the specific services that are required to run on my network, like http and ftp.

Secondly, I have blocked some sites in squid, but a user managed to open one by entering its IP address instead of the URL. Please help me resolve this issue using squid.

Regards,

Asif

mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai
Contact:

Postby mudasir » Sun Sep 14, 2008 7:15 am

AOA,

Please first search this forum, as firewall-related issues are there that will solve your problem.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com

kbukhari
Major General
Posts: 1222
Joined: Sat Dec 31, 2005 12:29 am
Location: Lahore
Contact:

Re: iptables Default Policy of DROP

Postby kbukhari » Thu Sep 18, 2008 4:51 pm

Javed4u wrote:AOA

I am using Fedora 6 as my gateway, configured with NAT and iptables. I have two questions.
First of all, I want to secure my Linux box as much as possible by implementing a firewall script using iptables to change the default policy of every chain to DROP and then allow only the specific services that are required to run on my network, like http and ftp.

Secondly, I have blocked some sites in squid, but a user managed to open one by entering its IP address instead of the URL. Please help me resolve this issue using squid.

Regards,

Asif


Q1. Do you know how to play with iptables?
Q2. Block IP-based URLs in squid using a regex.
--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com
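The regex idea above, written out as a squid.conf fragment. This is an added example, not configuration from the thread. It assumes squid already answers on port 3128, that the blocked site is the placeholder name blocked.example resolving to the placeholder address 192.0.2.10, and that the LAN is 192.168.1.0/24; substitute the real names and addresses.

```squid
# Added example (not from the original thread). Assumed placeholders:
# blocked.example -> 192.0.2.10, LAN = 192.168.1.0/24, proxy port 3128.

# (1) The name-based rule that was already in place. On its own it does NOT
#     match a request for http://192.0.2.10/, which is how the user got through.
acl blocked_site dstdomain .blocked.example

# (2) Match on the destination ADDRESS instead of the name. Squid resolves the
#     hostname in the request URL at request time and compares the resulting
#     address, so both http://blocked.example/ and http://192.0.2.10/ hit this.
#     Keep the list in a file (one address or CIDR per line) so it can grow.
acl blocked_ip dst "/etc/squid/blocked_ips.txt"

# (3) kbukhari's approach: deny any request whose host part is a bare IPv4
#     literal. url_regex works on the raw request URL and needs no DNS lookup,
#     so it cannot be fooled by reverse-DNS results. Catches ftp:// as well.
acl ip_literal url_regex -i ^(https?|ftp)://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?(/|$)

acl lan src 192.168.1.0/24

# Order matters: squid stops at the first http_access line that matches.
http_access deny blocked_site
http_access deny blocked_ip
http_access deny ip_literal
http_access allow lan
http_access deny all
```

Rule (3) is the blunt instrument: it also blocks legitimate intranet addresses typed as IPs, so add a `dst` or `url_regex` allow line above it for any such hosts. Rule (2) only helps while the list is current; a site that moves to a new address or sits behind several addresses needs the file updated. Reload with `squid -k reconfigure` after editing. None of this matters unless the LAN is actually forced through the proxy: a gateway that still forwards port 80 from the LAN directly lets users bypass every ACL by unsetting the proxy in their browser.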

Javed4u
Cadet
Posts: 12
Joined: Sun Feb 24, 2008 12:24 am

Postby Javed4u » Sat Sep 20, 2008 1:41 am

Ans 1: I am in the learning phase and increasing my knowledge of iptables and Linux day by day.

Ans 2: Thanks, but is there any better and more efficient way than that?

LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi
Contact:

Re:

Postby LinuxFreaK » Mon Sep 22, 2008 10:07 am

Dear Javed4u,
Salam,

For Reference you can look into this.

FYI, http://www.netfilter.org/documentation/index.html

Best Regards.
Farrukh Ahmed

ghulam yaseen
Naik
Posts: 68
Joined: Thu Aug 07, 2008 6:09 pm
Location: karachi

Re: iptables Default Policy of DROP

Postby ghulam yaseen » Tue Jan 13, 2009 2:11 pm

Hello :);

You can remove all previous firewall rules and then implement these iptables rules:

>> iptables -I INPUT -p udp -i eth0 --dport 80 -j ACCEPT

>> iptables -I INPUT -p tcp -i eth0 --dport 21 -j ACCEPT

>> iptables -I INPUT -p tcp -s IP_addr --dport 80 -j ACCEPT

>> iptables -I INPUT -p tcp -s IP_addr --dport 22 -j ACCEPT

>> iptables -I INPUT -p tcp -s IP_addr --dport 21 -j ACCEPT

>> service iptables save

>> service iptables restart

>> iptables -A INPUT -j REJECT

Also, for the web site access issue, this should be a squid issue, not iptables.

Regards,
Ghulam Yaseen
Javed4u wrote:AOA

I am using Fedora 6 as my gateway, configured with NAT and iptables. I have two questions.
First of all, I want to secure my Linux box as much as possible by implementing a firewall script using iptables to change the default policy of every chain to DROP and then allow only the specific services that are required to run on my network, like http and ftp.

Secondly, I have blocked some sites in squid, but a user managed to open one by entering its IP address instead of the URL. Please help me resolve this issue using squid.

Regards,

Asif
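A complete default-DROP ruleset for a two-interface NAT gateway, as an added example that is not part of the thread and not a correction of anyone's post. It is a shell function that prints the ruleset in iptables-restore format so the whole policy is loaded atomically; setting `iptables -P INPUT DROP` interactively before the allow rules are in place cuts off an SSH session, and a catch-all rule appended after `service iptables save` has run is not in the saved file. The interface names (eth0 facing the Internet, eth1 facing the LAN), the LAN subnet 192.168.1.0/24 and the squid port 3128 are assumptions passed in as parameters; HTTP is TCP, so the web rules use `-p tcp`.

```shell
#!/bin/sh
# Added example (not from the original thread). Prints a default-DROP ruleset
# for a NAT gateway in iptables-restore format.
# Assumed placeholders: $1 = WAN interface, $2 = LAN interface, $3 = LAN subnet.
#   Preview: gen_rules eth0 eth1 192.168.1.0/24
#   Apply:   gen_rules eth0 eth1 192.168.1.0/24 | iptables-restore
#   Persist: service iptables save   (writes /etc/sysconfig/iptables on Fedora)
gen_rules() {
    wan="${1:-eth0}"
    lan="${2:-eth1}"
    lannet="${3:-192.168.1.0/24}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: local services (squid, the resolver) talk to themselves over lo.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Stateful core: replies to connections this box or the LAN already opened.
# Without these, a DROP policy on INPUT/FORWARD also drops every reply packet.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no known connection (scans, stray ACKs) are dropped
# early so they never reach the service rules below.
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# Services the gateway itself offers, reachable only from the LAN side:
# ssh, the squid proxy, and DNS forwarding. Nothing is opened on ${wan}.
-A INPUT -i ${lan} -s ${lannet} -p tcp --dport 22 -j ACCEPT
-A INPUT -i ${lan} -s ${lannet} -p tcp --dport 3128 -j ACCEPT
-A INPUT -i ${lan} -s ${lannet} -p udp --dport 53 -j ACCEPT
# What the gateway may start itself: DNS, and the web/ftp fetches squid makes.
-A OUTPUT -o ${wan} -p udp --dport 53 -j ACCEPT
-A OUTPUT -o ${wan} -p tcp -m multiport --dports 21,80,443 -j ACCEPT
# Routed LAN traffic: only ftp and DNS pass directly. Port 80 is NOT forwarded;
# it is redirected to squid below, so the proxy ACLs cannot be bypassed.
-A FORWARD -i ${lan} -o ${wan} -s ${lannet} -p tcp --dport 21 -j ACCEPT
-A FORWARD -i ${lan} -o ${wan} -s ${lannet} -p udp --dport 53 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Transparent proxying: LAN web requests land on squid whether the browser has
# a proxy configured or not, so typing an IP instead of a name still hits the ACLs.
-A PREROUTING -i ${lan} -s ${lannet} -p tcp --dport 80 -j REDIRECT --to-ports 3128
# Hide the LAN behind the gateway's WAN address.
-A POSTROUTING -o ${wan} -s ${lannet} -j MASQUERADE
COMMIT
EOF
}
```

Two things the ruleset depends on: the FTP connection-tracking helper module must be loaded for the RELATED match to admit FTP data connections, and squid must be told its port is an intercepting one (`http_port 3128 transparent` on squid 2.x, `http_port 3128 intercept` on 3.1 and later). HTTPS cannot be redirected this way; either forward port 443 from the LAN explicitly or have browsers use the proxy for it. Test from a LAN host before `service iptables save`, and keep a console session open the first time the script is loaded.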

lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Postby lambda » Tue Jan 13, 2009 2:37 pm

iptables -I INPUT -p udp -i eth0 --dport 80 -j ACCEPT
yeah, that'll work great.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?

mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai
Contact:

Postby mudasir » Tue Jan 13, 2009 4:47 pm

AOA,

Nice one Lambda bhai :D
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com

x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Postby x2oxen » Wed Jan 14, 2009 11:22 am

Has iptables released a new version with changed options??? :P
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com

ghulam yaseen
Naik
Posts: 68
Joined: Thu Aug 07, 2008 6:09 pm
Location: karachi

regarding -i eth0

Postby ghulam yaseen » Wed Jan 14, 2009 2:07 pm

Sorry for writing -i eth0 with the iptables rule.


lambda wrote:
iptables -I INPUT -p udp -i eth0 --dport 80 -j ACCEPT
yeah, that'll work great.

x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Postby x2oxen » Sun Jan 18, 2009 10:48 pm

Apology accepted!
:P
Muhammad Usman

+92-321-6640501

Chemonics International

http://usmanpk.com

LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi
Contact:

Re: regarding -i eth0

Postby LinuxFreaK » Wed Jan 21, 2009 10:39 am

Dear x2oxen,
Salam,

ghulam yaseen wrote:iptables -I INPUT -p udp -i eth0 --dport 80 -j ACCEPT


What is the problem in this rule ?

Best Regards.
Farrukh Ahmed

lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Postby lambda » Wed Jan 21, 2009 10:55 pm

http uses tcp.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?

x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Postby x2oxen » Fri Jan 23, 2009 12:31 am

Dear Farrukh Bhai,

Do I need to repeat what lambda just said?
Muhammad Usman

+92-321-6640501

Chemonics International

http://usmanpk.com

LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi
Contact:

Postby LinuxFreaK » Fri Jan 23, 2009 1:27 pm

Dear x2oxen,
Salam,

x2oxen wrote:Do i need to repeat what just lambda said.


I was just talking about the rule. I did not read what he needed to achieve.

Best Regards.
Farrukh Ahmed
