iptables Default Policy of DROP

Protecting your Linux box
Javed4u
Cadet
Posts: 12
Joined: Sun Feb 24, 2008 12:24 am

iptables Default Policy of DROP

Post by Javed4u »

AOA

I am using Fedora 6 as my gateway, configured with NAT and iptables. I have two questions.
First of all, I want to secure my Linux box as much as possible by implementing a firewall script using iptables to change the default policy of every chain to DROP and then allow only the specific services that are required to run on my network, like http and ftp.

Secondly, I have blocked some sites in Squid, but a user managed to open them by entering the IP address instead of the URL. Please help me to resolve this issue using Squid.

Regards,

Asif
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai
Contact:

Post by mudasir »

AOA,

Please first search this forum, as firewall-related issues are there that will solve your problem.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
kbukhari
Major General
Posts: 1222
Joined: Sat Dec 31, 2005 12:29 am
Location: Lahore
Contact:

Re: iptables Default Policy of DROP

Post by kbukhari »

Javed4u wrote:
AOA

I am using Fedora 6 as my gateway, configured with NAT and iptables. I have two questions.
First of all, I want to secure my Linux box as much as possible by implementing a firewall script using iptables to change the default policy of every chain to DROP and then allow only the specific services that are required to run on my network, like http and ftp.

Secondly, I have blocked some sites in Squid, but a user managed to open them by entering the IP address instead of the URL. Please help me to resolve this issue using Squid.

Regards,

Asif
Q1. Do you know how to play with iptables?
Q2. Block IP-based URLs in Squid using a regex.
--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com
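As an added example (not kbukhari's configuration and not from this thread), this is what the regex approach looks like in practice: a Squid url_regex ACL that denies requests whose host is written as a dotted-decimal address, and a local check of the same regex with grep -E so the pattern can be tested against sample URLs before it is put into squid.conf. The ACL name ip_url and the sample URLs are constructed for the example.

```shell
#!/bin/sh
# Added example: deny "http://1.2.3.4/..." style URLs in Squid with a regex,
# and verify the regex locally. Not part of the original thread.

# Squid's url_regex ACL compiles POSIX extended regexes, the same dialect
# grep -E uses, so the pattern below can be tested with grep before use.
# It matches an http(s) URL whose host is four dotted decimal groups,
# with an optional :port, followed by a path or the end of the URL.
IP_URL_RE='^https?://[0-9]{1,3}(\.[0-9]{1,3}){3}(:[0-9]+)?(/|$)'

# Print the squid.conf lines. "ip_url" is an assumed ACL name.
# The deny line must appear before the http_access allow rules for the
# LAN, because Squid stops at the first http_access rule that matches.
squid_ip_url_acl() {
  cat <<EOF
acl ip_url url_regex -i $IP_URL_RE
http_access deny ip_url
EOF
}

# Exit 0 if the URL names its host by dotted-decimal address, 1 otherwise.
is_ip_url() {
  printf '%s\n' "$1" | grep -Eq "$IP_URL_RE"
}

# Constructed sample of request URLs a proxy might see (not real traffic).
for u in 'http://10.0.0.5/index.html' 'http://198.51.100.7:8080/' \
         'http://www.example.com/' 'http://123.example.com/'; do
  if is_ip_url "$u"; then echo "deny  $u"; else echo "allow $u"; fi
done

echo
echo "# lines for squid.conf:"
squid_ip_url_acl
```

The regex only recognises dotted-decimal hosts; a host written as a name that merely starts with digits (123.example.com in the sample) is still allowed, which is the intended behaviour. Squid must be reconfigured (squid -k reconfigure) after the lines are added.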
Javed4u
Cadet
Posts: 12
Joined: Sun Feb 24, 2008 12:24 am

Post by Javed4u »

Ans 1: I am in the learning phase and increasing my knowledge of iptables and Linux day by day.

Ans 2: Thanks, but is there any better and more efficient way than that?
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi
Contact:

Re:

Post by LinuxFreaK »

Dear Javed4u,
Salam,

For reference you can look into this.

FYI, http://www.netfilter.org/documentation/index.html

Best Regards.
Farrukh Ahmed
ghulam yaseen
Naik
Posts: 68
Joined: Thu Aug 07, 2008 6:09 pm
Location: karachi

Re: iptables Default Policy of DROP

Post by ghulam yaseen »

Hello :)

You can remove all previous firewall rules and then implement these iptables rules:

>> iptables -I INPUT -p udp -i eth0 --dport 80 -j ACCEPT

>> iptables -I INPUT -p tcp -i eth0 --dport 21 -j ACCEPT

>> iptables -I INPUT -p tcp -s IP_addr --dport 80 -j ACCEPT

>> iptables -I INPUT -p tcp -s IP_addr --dport 22 -j ACCEPT

>> iptables -I INPUT -p tcp -s IP_addr --dport 21 -j ACCEPT

>> service iptables save

>> service iptables restart

>> iptables -A INPUT -j REJECT

Also, for the website access issue, this should be a Squid issue, not an iptables one.

Regards,
Ghulam Yaseen
Javed4u wrote:
AOA

I am using Fedora 6 as my gateway, configured with NAT and iptables. I have two questions.
First of all, I want to secure my Linux box as much as possible by implementing a firewall script using iptables to change the default policy of every chain to DROP and then allow only the specific services that are required to run on my network, like http and ftp.

Secondly, I have blocked some sites in Squid, but a user managed to open them by entering the IP address instead of the URL. Please help me to resolve this issue using Squid.

Regards,

Asif
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

iptables -I INPUT -p udp -i eth0 --dport 80 -j ACCEPT
yeah, that'll work great.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai
Contact:

Post by mudasir »

AOA,

Nice one Lambda bhai :D
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Post by x2oxen »

Did iptables release a new version with changed options??? :P
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
ghulam yaseen
Naik
Posts: 68
Joined: Thu Aug 07, 2008 6:09 pm
Location: karachi

regarding -i eth0

Post by ghulam yaseen »

Sorry for writing -i eth0 with the iptables rule.

lambda wrote:
iptables -I INPUT -p udp -i eth0 --dport 80 -j ACCEPT
yeah, that'll work great.
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Post by x2oxen »

Apology accepted!
:P
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi
Contact:

Re: regarding -i eth0

Post by LinuxFreaK »

Dear x2oxen,
Salam,
ghulam yaseen wrote:
iptables -I INPUT -p udp -i eth0 --dport 80 -j ACCEPT
What is the problem with this rule?

Best Regards.
Farrukh Ahmed
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

HTTP uses TCP.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Post by x2oxen »

Dear Farrukh Bhai,

Do I need to repeat what lambda just said?
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi
Contact:

Post by LinuxFreaK »

Dear x2oxen,
Salam,
x2oxen wrote:
Do I need to repeat what lambda just said?
I was just talking about the rule. I did not read what he needs to achieve.

Best Regards.
Farrukh Ahmed