iptables Default Policy of DROP

Protecting your Linux box

Postby Javed4u » Sat Sep 13, 2008 6:13 am

AOA

I am using Fedora 6 as my gateway, configured with NAT and iptables. I have two questions.
First of all, I want to secure my Linux box as much as possible by implementing a firewall script using iptables to change the default policy of every chain to DROP and then allow only the specific services that are required to run on my network, like HTTP and FTP.

Secondly, I have blocked some sites in Squid, but a user managed to open them by entering the IP address instead of the URL. Please help me resolve this issue using Squid.

Regards,

Asif

Postby mudasir » Sun Sep 14, 2008 7:15 am

AOA,

Please search this forum first, as firewall-related issues are there that will solve your problem.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com

Re: iptables Default Policy of DROP

Postby kbukhari » Thu Sep 18, 2008 4:51 pm

Javed4u wrote: AOA

I am using Fedora 6 as my gateway, configured with NAT and iptables. I have two questions.
First of all, I want to secure my Linux box as much as possible by implementing a firewall script using iptables to change the default policy of every chain to DROP and then allow only the specific services that are required to run on my network, like HTTP and FTP.

Secondly, I have blocked some sites in Squid, but a user managed to open them by entering the IP address instead of the URL. Please help me resolve this issue using Squid.

Regards,

Asif


Q1. Do you know how to play with iptables?
Q2. Block IP-based URLs in Squid using a regex.
--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com
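The regex approach kbukhari suggests, worked through as an added example (editor's code, not from any post in this thread). Squid's url_regex ACL is matched against the whole request URL, so one anchored pattern that only accepts a host made of digits, dots and 0x-hex pieces catches the dotted-quad form, but also the decimal, hex and octal spellings of an address that browsers accept and that a plain dotted-quad pattern misses. The scheme is optional because the CONNECT request Squid sees for https carries the destination as host:port. The sample URLs are constructed for this example; the ACL name ip_literal is an assumption.

```shell
#!/bin/sh
# Added example: a Squid url_regex ACL that denies destinations written as an
# IP literal, and a checker that runs the same pattern over sample URLs.

# Host made only of numeric pieces: 203.0.113.10, 3405803786 (decimal),
# 0xcb00710a (hex), 0313.0.0161.012 (octal) or mixtures of these.
# Optional scheme so a CONNECT "host:port" matches too; optional port;
# then either a path or end of string, so "1x.example.com" does not match.
IP_LITERAL_RE='^(https?://)?(0x[0-9a-f]+|[0-9]+)(\.(0x[0-9a-f]+|[0-9]+))*(:[0-9]+)?(/|$)'

# squid_acl_snippet: the squid.conf lines to add. The deny line must come
# before the http_access allow line for your LAN, since Squid stops at the
# first http_access line that matches.
squid_acl_snippet() {
    cat <<EOF
acl ip_literal url_regex -i $IP_LITERAL_RE
http_access deny ip_literal
EOF
}

# is_ip_literal URL -> exit status 0 if the ACL would match, 1 otherwise
is_ip_literal() {
    printf '%s\n' "$1" | grep -Eiq -- "$IP_LITERAL_RE"
}

# Constructed sample requests; the last three must not match.
for u in 'http://203.0.113.10/' '203.0.113.10:443' 'http://3405803786/' \
         'http://0xcb00710a/' 'http://0313.0.0161.012/' \
         'http://www.example.com/' 'http://example.com/203.0.113.10' \
         'http://1x.example.com/'; do
    if is_ip_literal "$u"; then echo "deny  $u"; else echo "allow $u"; fi
done
```

This only stops the URL-form bypass; it does not stop a user who reaches the site through some other proxy or directly if the gateway forwards port 80 without Squid in the path. A complementary check is a dst ACL listing the addresses the blocked names resolve to, which Squid compares against the resolved destination whatever form the URL took, with the caveat that those addresses change and the list needs upkeep.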

Postby Javed4u » Sat Sep 20, 2008 1:41 am

Ans 1: I am in the learning phase and increasing my knowledge of iptables and Linux day by day.

Ans 2: Thanks, but is there any better and more efficient way than that?

Re:

Postby LinuxFreaK » Mon Sep 22, 2008 10:07 am

Dear Javed4u,
Salam,

For reference you can look into this.

FYI, http://www.netfilter.org/documentation/index.html

Best Regards.
Farrukh Ahmed

Re: iptables Default Policy of DROP

Postby ghulam yaseen » Tue Jan 13, 2009 2:11 pm

Hello :)

You can remove all previous firewall rules and then implement these iptables rules:

>> iptables -I INPUT -p udp -i eth0 --dport 80 -j ACCEPT

>> iptables -I INPUT -p tcp -i eth0 --dport 21 -j ACCEPT

>> iptables -I INPUT -p tcp -s IP_addr --dport 80 -j ACCEPT

>> iptables -I INPUT -p tcp -s IP_addr --dport 22 -j ACCEPT

>> iptables -I INPUT -p tcp -s IP_addr --dport 21 -j ACCEPT

>> service iptables save

>> service iptables restart

>> iptables -A INPUT -j REJECT

Also, the web site access issue should be a Squid issue, not an iptables one.

Regards,
Ghulam Yaseen
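For the first question in the original post, here is a complete default-DROP ruleset for a two-interface NAT gateway, as an added example written for this page (editor's code, not from any post in the thread). It is emitted in iptables-restore format so the whole filter and nat tables load in one atomic step, rather than appending rules one at a time while the policy is already DROP. The interface names (eth0 towards the ISP, eth1 towards the LAN), the LAN prefix 192.168.1.0/24 and the choice of services (ssh and the Squid port from the LAN only; http, https, ftp and dns forwarded out) are assumptions; adjust them to your network.

```shell
#!/bin/sh
# Added example: default-DROP policy on every chain, then explicit ACCEPTs.
# gen_firewall_rules WAN_IF LAN_IF LAN_NET -> prints an iptables-restore ruleset.
gen_firewall_rules() {
    wan=$1; lan=$2; lan_net=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, and replies to connections we already track
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# management only from the LAN side: ssh and the Squid proxy port
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p tcp --dport 3128 -j ACCEPT
# rate-limited ping so the box stays diagnosable without being a flood target
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# LAN -> WAN: http, https and ftp control (all tcp) plus dns; replies via RELATED
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -p tcp -m multiport --dports 21,80,443 -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -p udp --dport 53 -j ACCEPT
# the gateway's own traffic (Squid fetches, package updates, dns)
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 21,80,443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# count_rules_matching RULESET PATTERN -> number of lines matching PATTERN (0 if none)
count_rules_matching() {
    printf '%s\n' "$1" | grep -c -- "$2" || true
}

# apply_firewall WAN_IF LAN_IF LAN_NET: load the ruleset atomically, with a
# 60 second automatic revert so a mistake made over ssh cannot lock you out.
# Call confirm_firewall within that minute to keep the new rules.
apply_firewall() {
    iptables-save > /root/iptables.before
    # FTP data channels only count as RELATED with the ftp helper loaded
    # (ip_conntrack_ftp on the 2.6.18-era kernel Fedora 6 ships, nf_conntrack_ftp later)
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_firewall_rules "$1" "$2" "$3" | iptables-restore
    ( sleep 60; iptables-restore < /root/iptables.before ) &
    echo $! > /root/iptables.revert.pid
}

confirm_firewall() {
    kill "$(cat /root/iptables.revert.pid)" && rm -f /root/iptables.revert.pid
    service iptables save   # Fedora: persist the live ruleset to /etc/sysconfig/iptables
}

case "${1:-show}" in
    apply)   apply_firewall "${2:-eth0}" "${3:-eth1}" "${4:-192.168.1.0/24}" ;;
    confirm) confirm_firewall ;;
    *)       gen_firewall_rules "${2:-eth0}" "${3:-eth1}" "${4:-192.168.1.0/24}" ;;
esac
```

Run it with no arguments to review the generated ruleset, then `sh firewall.sh apply` as root and `sh firewall.sh confirm` once you have verified you can still reach the box. Check the result with `iptables -L -n -v` and make sure every ACCEPT for http is on tcp; the udp port 80 rule in the post above would never see a browser's traffic.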

Postby lambda » Tue Jan 13, 2009 2:37 pm

iptables -I INPUT -p udp -i eth0 --dport 80 -j ACCEPT
yeah, that'll work great.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?

Postby mudasir » Tue Jan 13, 2009 4:47 pm

AOA,

Nice one Lambda bhai :D
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com

Postby x2oxen » Wed Jan 14, 2009 11:22 am

Did iptables release a new version with changed options??? :P
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com

regarding -i eth0

Postby ghulam yaseen » Wed Jan 14, 2009 2:07 pm

Sorry for writing -i eth0 with the iptables rule.


lambda wrote:
iptables -I INPUT -p udp -i eth0 --dport 80 -j ACCEPT
yeah, that'll work great.

Postby x2oxen » Sun Jan 18, 2009 10:48 pm

Apology accepted!
:P
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com

Re: regarding -i eth0

Postby LinuxFreaK » Wed Jan 21, 2009 10:39 am

Dear x2oxen,
Salam,

ghulam yaseen wrote:iptables -I INPUT -p udp -i eth0 --dport 80 -j ACCEPT


What is the problem in this rule ?

Best Regards.
Farrukh Ahmed

Postby lambda » Wed Jan 21, 2009 10:55 pm

http uses tcp.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?

Postby x2oxen » Fri Jan 23, 2009 12:31 am

Dear Farrukh Bhai,

Do I need to repeat what lambda just said?
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com

Postby LinuxFreaK » Fri Jan 23, 2009 1:27 pm

Dear x2oxen,
Salam,

x2oxen wrote:Do i need to repeat what just lambda said.


I was just talking about the rule. I did not read what he needs to achieve.

Best Regards.
Farrukh Ahmed
