Koozali.org: home of the SME Server

firewall help ...

i-techzone

firewall help ...
« on: April 17, 2005, 10:22:08 AM »
Hi All,

I would like to know how to see manually all the iptables rules in server-gateway mode. I can't find the iptables files on the box.

Can anyone help me?

Thank you in advance.

Offline raem

Re: firewall help ...
« Reply #1 on: April 17, 2005, 10:30:06 AM »
i-techzone

> ...how to see manually all the iptables rules

man iptables
will show you
try
iptables -L
...

i-techzone

firewall help ...
« Reply #2 on: April 17, 2005, 10:44:19 AM »
Thanks raymitchell.

I already tried to use that one.

But I need the full code; iptables -L only shows a summary of the rules we put in.

For Red Hat 9.0 there is a file in /etc, but in SME I can't find it.

Offline raem

firewall help ...
« Reply #3 on: April 17, 2005, 11:14:56 AM »
i-techzone

Try these

/etc/e-smith/templates/etc/rc.d/init.d/masq

/etc/rc.d/init.d/masq

Also look at the documentation on contribs.org about creating custom templates
http://no.longer.valid/phpwiki/index.php/Customizing
...

i-techzone

firewall help ...
« Reply #4 on: April 17, 2005, 01:41:34 PM »
Thanks again raymitchell.

I just went through the link that you gave me.

But I still don't understand iptables.

Can you tell me, or give me an example of, a firewall for server-only mode that is similar to server-gateway, something like this:



#!/bin/sh
# Assumes a single NIC (eth0) on the 192.168.1.0/24 LAN and that this box is 192.168.1.2.

# FLUSH ANY EXISTING CHAINS AND SET DEFAULT POLICIES
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# ALLOW ALL PACKETS ON THE LOOPBACK INTERFACE
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# ALLOW REPLIES TO CONNECTIONS THIS SERVER OPENED ITSELF (DNS lookups, outbound SMTP, updates).
# The original list had no such rule, so the INPUT DROP policy discarded every reply packet.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ICMP: answer pings arriving on eth0 at a limited rate (replies to our own pings are covered above)
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# SAMBA/NETBIOS FROM THE LAN ONLY. The original wrote 192.168.1.2/255.255.255.0, which iptables
# silently widens to the whole /24; the network address says what is actually meant.
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT

# DROP ICMP TYPES THAT CAN ALTER ROUTING OR FINGERPRINT THE HOST.
# -I puts these at the top of INPUT so they are evaluated before any ACCEPT rule.
iptables -I INPUT -p icmp --icmp-type redirect -j DROP
iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP

# SQUID: transparently redirect LAN web traffic to the local proxy on 3128.
# The DNAT target is this box itself, so redirected packets are delivered locally through INPUT and
# never traverse FORWARD or POSTROUTING; the original SNAT/FORWARD rules for them were dead code,
# and 3128 must be opened in INPUT or the redirected connections hit the DROP policy.
# Add "! -d 192.168.1.2" if requests for this server's own port 80 should bypass the proxy.
iptables -t nat -A PREROUTING -i eth0 ! -s 192.168.1.2 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT

# OPEN PORTS TO THE FIREWALL
iptables -A INPUT -p udp --dport 53 -j ACCEPT     # DNS; clients query from random source ports, so no --sport 53
iptables -A INPUT -p tcp --dport 20 -j ACCEPT     # FTP data (the server opens active-mode data connections itself; unnecessary but harmless)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT     # FTP control
iptables -A INPUT -p tcp --dport 22 -j ACCEPT     # SSH
iptables -A INPUT -p tcp --dport 25 -j ACCEPT     # SMTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT     # HTTP
iptables -A INPUT -p tcp --dport 113 -j ACCEPT    # ident
iptables -A INPUT -p tcp --dport 443 -j ACCEPT    # HTTPS
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT  # Webmin's default port

# LOGGING (rate limited so a port scan cannot flood the log)
iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s -j LOG --log-prefix "tcp connection: "
iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s -j LOG --log-prefix "udp connection: "

# DROP ALL OTHER PACKETS (explicit; the INPUT policy above already drops whatever falls through)
iptables -A INPUT -i eth0 -p tcp -j DROP
iptables -A INPUT -i eth0 -p udp -j DROP

Can you help me, because I have no experience with firewalls?

Thanks in advance.

Offline raem

firewall help ...
« Reply #5 on: April 17, 2005, 09:34:10 PM »
i-techzone

> ...give me an examples of the firewall for server-mode

As I understand it, in server only mode the firewall is disabled.
Server only mode implies that you have another firewall between the server and the Internet. That could be another sme server configured as server-gateway or a standalone firewall/router.

You seem to have some misunderstandings. Have you read the manuals, in particular
http://mirror.contribs.org/smeserver/contribs/bobk/SME_Manual/chpt-05.09.html
& other info under the Documentation link at contribs.org.
...

i-techzone

firewall help ...
« Reply #6 on: April 17, 2005, 10:22:45 PM »
Thanks again.

I already read about that, but my situation is (sorry for not telling you in advance):

For your information, I use a Linksys as my internet gateway. Then I set the Linksys DMZ IP address to my SME server. The point here: when I run a security scan against my ADSL IP address it shows the following.

INFO:
Linksys: 192.168.1.1 (DMZ IP: 192.168.1.2)
SME Server: 192.168.1.2

Condition 1: SME server-only
If SME is live, all the ports show as open.
If SME is down (shut down), all the ports are stealth.

Condition 2: SME server-gateway
If SME is live, all ports are stealth but one or two are open.

Before this I tried port forwarding (in the router) for the services my SME uses; all the ports that were enabled were stealth, but I had limited access, and the main thing is I did not feel secure (like dropping packets and ICMP, etc.). The other reason is I don't know which ones to open and forward.

The problem with SME server-gateway is that I get a slow network because I only use one network card.

I'm thinking of changing my Linksys router to Linux software like monowall or smoothwall, but I have limited hardware. The best choice is to make a firewall for this server-only box based on server-gateway. This is because I don't know which services I should accept or deny.

Could anyone give me an idea?

Thanks in advance.

Offline raem

firewall help ...
« Reply #7 on: April 17, 2005, 10:47:00 PM »
i-techzone

> the problem for sme-gateway is i got slow network
> because i only use 1 network card.

SME is designed to have 2 NICs in server-gateway mode, one for the local network, one for the connection to the modem.

> i'm thinking to change my linksys router to software linux like monowall or smoothwall....
> ...i don't know what service show i accept or deny.

If you don't understand all that then make life easy for yourself.
I strongly suggest you use the SME server as it is primarily designed to be used, in server-gateway mode with a bridged modem (i.e. all traffic is passed directly to the server).
Your firewall is the sme box and all configuration is done there automatically by the initial Configuration process & later in the GUI server manager panel, by selecting what features/services you want to run.
The required ports are opened & closed as required, you don't have to configure those directly, you can see the iptables rules change as you select different functionality.
It is very secure when setup that way as it has been designed to be secure.
If you must fiddle (and in many situations you don't need to fiddle) then you still have other contribs & the command line to do further customisation of the firewall using iptables rules.

Forget routers & DMZs & smoothwall/monowall boxes. Just get a bridged modem, a second NIC & set sme to server-gateway mode and Configure it as required, using the provided configuration tools (screens).
Perhaps your Linksys router can be set for bridged mode.
...

Offline raem

firewall help ...
« Reply #8 on: April 17, 2005, 11:23:45 PM »
To set your server in Stealth mode do

grep masq /home/e-smith/configuration
masq=service|Logging|none|Stealth|no|pptp|yes|status|enabled

/sbin/e-smith/config setprop masq Stealth yes
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
                                   
grep masq /home/e-smith/configuration
masq=service|Logging|none|Stealth|yes|pptp|yes|status|enabled

To read more about iptables rules see:
http://www.linuxguruz.com/iptables/howto/
but please learn how to use your sme server first as you probably don't need to play with the iptables rules
...

Offline raem

firewall help ...
« Reply #9 on: April 17, 2005, 11:34:39 PM »
Another thought to help you determine which rules do what etc.

For test purposes (unless you really want to keep it this way), configure your SME for Private Server & Gateway mode, then examine the iptables rules (see the earlier post for where to find these).

Everything external will be blocked using this configuration, as far as the outside world is concerned your server does not exist & will "reject" everything.

You can see the (firewall) iptables rules that do this and use some of them if you want to customise your normal Server & Gateway mode settings (after reconfiguration to that mode).
...
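Reply #8 switches the box between answering probes and silently dropping them, and Reply #9 suggests reading the rule set to learn what is open. Below is an added example, not from this thread and not SME Server's own masq script: a POSIX sh/awk audit of an iptables-save dump that lists which destination ports the filter-table INPUT chain accepts on the external interface, and whether everything else is rejected with an error (a scanner reports "closed") or dropped without a reply (a scanner reports "stealth"). The dump in SAMPLE_RULES is constructed sample data; the chain layout, the choice of eth1 as the external interface and the port list are assumptions, not the real output of an SME server.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump the way a port scanner would see it.
# SAMPLE_RULES is CONSTRUCTED data; the chain layout, eth1 as the external
# interface and the port list are assumptions, not real SME Server masq output.
# On a live box replace it with "$(iptables-save)".
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -i eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# list_open_ports DUMP IFACE
# Prints proto/port for every filter-table INPUT rule that ACCEPTs a destination port on IFACE.
list_open_ports() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        /^\*/ { table = $1; next }
        table == "*filter" && $1 == "-A" && $2 == "INPUT" {
            acc = 0; ifm = ""; proto = ""; port = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") ifm = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j" && $(i + 1) == "ACCEPT") acc = 1
            }
            if (acc && ifm == iface && port != "") print proto "/" port
        }'
}

# final_disposition DUMP IFACE
# Prints "reject" when the first catch-all INPUT rule on IFACE answers probes with an
# error (a scanner shows the port as closed) and "stealth" when unmatched packets are
# dropped without a reply. Rules with a protocol, port, source or state match are not
# catch-alls; LOG rules do not terminate traversal, so they are skipped.
final_disposition() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        /^\*/ { table = $1; next }
        table == "*filter" && /^:INPUT / { policy = $2 }
        table == "*filter" && $1 == "-A" && $2 == "INPUT" {
            ifm = ""; target = ""; specific = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") ifm = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "-p" || $i == "--dport" || $i == "-s" || $i == "--state") specific = 1
            }
            if (!specific && (ifm == iface || ifm == "") && target != "LOG" && first == "")
                first = target
        }
        END {
            if (first == "") first = policy
            verdict = (first == "REJECT") ? "reject" : "stealth"
            print verdict
        }'
}

# Report for the external interface: what an outside scan can reach, and how the rest is answered.
echo "Ports accepted on eth1:"
list_open_ports "$SAMPLE_RULES" eth1
echo "Everything else: $(final_disposition "$SAMPLE_RULES" eth1)"
```

With the constructed dump the report lists tcp/22, tcp/25, tcp/443 and udp/53 on eth1 and "reject" for the rest; delete the REJECT line and the verdict becomes "stealth" because the chain falls through to the DROP policy. The check is a heuristic over one table and one chain, so compare its output with a real external scan before trusting it.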

i-techzone

firewall help ...
« Reply #10 on: April 18, 2005, 04:21:52 PM »
Thanks a lot.

It works for me, but I still make some comparisons to match the iptables.

thanks again ..

Offline raem

firewall help ...
« Reply #11 on: April 19, 2005, 12:14:43 AM »
i-techzone

> It works for me but....

What did you do that "works for me"? I'm interested to know what you have done now.
...

Offline jackl

firewall help ...
« Reply #12 on: April 19, 2005, 02:29:41 AM »
Ray,
Sorry for butting in, but thanks for the tip on stealth mode. I've been meaning to look up how to do that on SME for ages and never got round to it. The thought of messing around with iptables was putting me off.
Thanks again

Regards
Jack
......

i-techzone

firewall help ...
« Reply #13 on: April 25, 2005, 03:57:27 AM »
ray,

Erk, I think I'm not sure what I'm talking about. lol.

I'm still making a few arrangements. I need to bring up my second HDD first (just posted a new topic), then I will configure all the firewall settings.

The other thing to implement is running squid on port 80 and httpd on another port.

That's it. My standalone will be perfect, lol, and I will sleep very well this weekend.