Networking Forums



iptables - will this work?

 
 
Rage
Guest
Posts: n/a

 
      08-25-2005, 10:40 AM
I am at the end of setting up my first server, I am setting up the
iptables firewall and am concerned that I have missed something, the
only services that I think I want access to from outside are ssh and http.
The network is as follows:

---| |----------------|
---HUB---+eth1 SERVER eth0+---CABLE_MODEM---INTERNET
---| |----------------|

The script to set up the firewall I have come up with is:


#!/bin/bash
# delete old configuration, if any
#Flush all the rules in filter and nat tables
echo IPTABLES SCRIPT RUNNING.....
echo ...Flush tables...
iptables --flush
iptables --table nat --flush

# delete all chains that are not in default filter and nat table
iptables --delete-chain
iptables --table nat --delete-chain

echo ...Enable MASQUERADE...
# Set up IP FORWARDing and Masquerading (NAT)
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT


echo ...Set INPUT/OUTPUT policy...
#router : default = DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

echo ...Allow all outgoing and only RELATED and ESTABLISHED incoming...
#allow remote login from anywhere:
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

echo ...Open SSH and HTTP ports...
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

echo ...ALLOW ALL CONNECTIONS FROM LAN.
#allow all connections from LAN:
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

echo ...ALLOW ALL LOOPBACK
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT



This appears to work sandboxed inside my current network but will it
protect me when it is set up as above?

Thanks for any help you can give.

Rage

--
FREE FPS DEATHMATCH:
http://www.nexuiz.com
PLAY IT FREE!
 
 
 
 
 
Llanzlan Klazmon
Guest
Posts: n/a

 
      08-25-2005, 10:59 PM
Rage <(E-Mail Removed)> wrote in news:dek769$204$(E-Mail Removed):

> I am at the end of setting up my first server, I am setting up the
> iptables firewall and am concerned that I have missed something, the
> only services that I think i want access to from outside are ssh and
> http. The network is as follows:
>
> ---| |----------------|
> ---HUB---+eth1 SERVER eth0+---CABLE_MODEM---INTERNET
> ---| |----------------|
>
> The script to set up the firewall i have come up with is:
>
>
> #!/bin/bash
> # delete old configuration, if any
> #Flush all the rules in filter and nat tables
> echo IPTABLES SCRIPT RUNNING.....
> echo ...Flush tables...
> iptables --flush
> iptables --table nat --flush
>
> # delete all chains that are not in default filter and nat table
> iptables --delete-chain
> iptables --table nat --delete-chain
>
> echo ...Enable MASQUERADE...
> # Set up IP FORWARDing and Masquerading (NAT)
> iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
> iptables --append FORWARD --in-interface eth1 -j ACCEPT
>
>
> echo ...Set INPUT/OUTPUT policy...
> #router : default = DROP
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
>
> echo ...Allow all outgoing and only RELATED and ESTABLISHED incoming...
> #allow remote login from anywhere:
> iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED,NEW -j
> ACCEPT
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j
> ACCEPT
>
> echo ...Open SSH and HTTP ports...
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>
> echo ...ALLOW ALL CONNECTIONS FROM LAN.
> #allow all connections from LAN:
> iptables -A INPUT -i eth1 -j ACCEPT
> iptables -A OUTPUT -o eth1 -j ACCEPT
>
> echo ...ALLOW ALL LOOPBACK
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
>
>
> This appears to work sandboxed inside my current network but will it
> protect me when it is set up as above?
>
> Thanks for any help you can give.
>
> Rage
>


You seem to be missing a FORWARD chain. INPUT is for packets destined to
the firewall itself. OUTPUT is for packets sourced from the firewall. The
FORWARD chain is for packets passing through the firewall - i.e. where the
firewall is acting as a router/gateway.

Klazmon.
 
 
Rage
Guest
Posts: n/a

 
      08-26-2005, 07:06 AM
Llanzlan Klazmon wrote:
> Rage <(E-Mail Removed)> wrote in news:dek769$204$(E-Mail Removed):
>
>
>>I am at the end of setting up my first server, I am setting up the
>>iptables firewall and am concerned that I have missed something, the
>>only services that I think i want access to from outside are ssh and
>>http. The network is as follows:
>>
>>---| |----------------|
>>---HUB---+eth1 SERVER eth0+---CABLE_MODEM---INTERNET
>>---| |----------------|
>>
>>The script to set up the firewall i have come up with is:
>>
>>
>>#!/bin/bash
>># delete old configuration, if any
>>#Flush all the rules in filter and nat tables
>>echo IPTABLES SCRIPT RUNNING.....
>>echo ...Flush tables...
>>iptables --flush
>>iptables --table nat --flush
>>
>># delete all chains that are not in default filter and nat table
>>iptables --delete-chain
>>iptables --table nat --delete-chain
>>
>>echo ...Enable MASQUERADE...
>># Set up IP FORWARDing and Masquerading (NAT)
>>iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
>>iptables --append FORWARD --in-interface eth1 -j ACCEPT
>>
>>
>>echo ...Set INPUT/OUTPUT policy...
>>#router : default = DROP
>>iptables -P INPUT DROP
>>iptables -P OUTPUT DROP
>>
>>echo ...Allow all outgoing and only RELATED and ESTABLISHED incoming...
>>#allow remote login from anywhere:
>>iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED,NEW -j
>>ACCEPT
>>iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j
>>ACCEPT
>>
>>echo ...Open SSH and HTTP ports...
>>iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>>iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>>
>>echo ...ALLOW ALL CONNECTIONS FROM LAN.
>>#allow all connections from LAN:
>>iptables -A INPUT -i eth1 -j ACCEPT
>>iptables -A OUTPUT -o eth1 -j ACCEPT
>>
>>echo ...ALLOW ALL LOOPBACK
>>iptables -A INPUT -i lo -j ACCEPT
>>iptables -A OUTPUT -o lo -j ACCEPT
>>
>>
>>
>>This appears to work sandboxed inside my current network but will it
>>protect me when it is set up as above?
>>
>>Thanks for any help you can give.
>>
>>Rage
>>

>
>
> You seem to be missing a FORWARD chain. INPUT is for packets destined to
> the firewall itself. OUTPUT is for packets sourced from the Firewall. The
> FORWARD chain is for packets passing through the Firewall - i.e. where the
> Firewall is acting as a router/gateway.
>
> Klazmon.


Ah, thanks, this should be better if I get what you are saying:

iptables -P FORWARD DROP
echo ...FORWARD chain accepts only incoming ESTABLISHED AND RELATED...
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

However should Masquerading not protect me from that kind of thing?
Thanks Klazmon,
Rage.

 
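Klazmon's point about which chain a packet traverses, and the follow-up question of whether masquerading already covers this, can both be checked against a small model of the filter table. The block below is an added example, not code from either poster: it parses the filter rules from the first post (and then the FORWARD rules from the follow-up), classifies a handful of constructed packets as INPUT, OUTPUT or FORWARD the way the routing decision would, and applies first-match evaluation with the chain policy as the fallback. The nat table is deliberately ignored because MASQUERADE only rewrites source addresses in POSTROUTING and never accepts or drops anything; replies from the internet reach LAN hosts through the ESTABLISHED,RELATED rule, not through NAT. Conntrack state is supplied with each constructed packet rather than computed, the scenario packets are made up for the illustration, and eth0/eth1 are the interface names used in the thread.

```python
"""Toy model of iptables filter-table traversal (not the kernel, not code
from the thread): just enough of the rule syntax used in these posts to show
which chain a packet hits and whether it is accepted under each ruleset."""
import shlex

# Filter-table rules from the first post. The nat/flush lines are left out
# (the parser would skip them anyway). Kernel default policy is ACCEPT for
# every chain whose policy is not set, including FORWARD here.
ORIGINAL = """
iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
"""

# The FORWARD rules added in the follow-up post.
FOLLOWUP = """
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
"""


def parse_rules(script):
    """Return (policies, chains). Only the filter table decides accept/drop;
    -t nat rules (MASQUERADE) rewrite addresses and are skipped."""
    policies = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"}
    chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
    for line in script.splitlines():
        toks = shlex.split(line)
        if len(toks) < 3 or toks[0] != "iptables" or "-t" in toks or "--table" in toks:
            continue
        if toks[1] in ("-P", "--policy"):
            policies[toks[2]] = toks[3]
            continue
        if toks[1] not in ("-A", "--append"):
            continue  # --flush, --delete-chain, ...
        rule, i = {"target": None}, 3
        while i + 1 < len(toks):
            opt, arg = toks[i], toks[i + 1]
            if opt in ("-i", "--in-interface"):
                rule["in"] = arg
            elif opt in ("-o", "--out-interface"):
                rule["out"] = arg
            elif opt in ("-p", "--protocol"):
                rule["proto"] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "--state":
                rule["state"] = set(arg.split(","))
            elif opt in ("-j", "--jump"):
                rule["target"] = arg
            else:
                i += 1  # e.g. "-m state": a module load, no value to record
                continue
            i += 2
        chains[toks[2]].append(rule)
    return policies, chains


def chain_for(pkt):
    """Routing picks the chain: in-interface only -> INPUT (to this host),
    out-interface only -> OUTPUT (from this host), both -> FORWARD (through it)."""
    if pkt.get("in") and pkt.get("out"):
        return "FORWARD"
    return "INPUT" if pkt.get("in") else "OUTPUT"


def matches(rule, pkt):
    for key in ("in", "out", "proto", "dport"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    return "state" not in rule or pkt["state"] in rule["state"]


def verdict(ruleset, pkt):
    """First matching rule wins; otherwise the chain policy applies."""
    policies, chains = ruleset
    chain = chain_for(pkt)
    for rule in chains[chain]:
        if matches(rule, pkt):
            return chain, rule["target"]
    return chain, policies[chain]


# Constructed scenarios; conntrack state is given, not computed.
SCENARIOS = {
    # to the firewall itself -> INPUT
    "ssh to server":        {"in": "eth0", "proto": "tcp", "dport": 22, "state": "NEW"},
    "smtp to server":       {"in": "eth0", "proto": "tcp", "dport": 25, "state": "NEW"},
    # through the firewall -> FORWARD. The last one is a packet arriving on
    # eth0 already addressed to a LAN host (e.g. from a neighbour on the cable
    # segment); MASQUERADE never sees it as a reply, so only FORWARD can stop it.
    "lan host to internet": {"in": "eth1", "out": "eth0", "proto": "tcp", "dport": 443, "state": "NEW"},
    "reply to lan host":    {"in": "eth0", "out": "eth1", "proto": "tcp", "dport": 40000, "state": "ESTABLISHED"},
    "wan to lan host":      {"in": "eth0", "out": "eth1", "proto": "tcp", "dport": 445, "state": "NEW"},
    # from the firewall itself -> OUTPUT
    "server to internet":   {"out": "eth0", "proto": "tcp", "dport": 80, "state": "NEW"},
}


def audit(script):
    """Map each scenario to (chain, verdict) under the given rule script."""
    ruleset = parse_rules(script)
    return {name: verdict(ruleset, pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for label, script in (("first post", ORIGINAL), ("with follow-up", ORIGINAL + FOLLOWUP)):
        print(f"--- {label}")
        for name, (chain, result) in audit(script).items():
            print(f"{name:22s} {chain:8s} {result}")
```

Run as a script, the first-post ruleset forwards the "wan to lan host" packet, because nothing in the script ever set a FORWARD policy and the kernel default is ACCEPT, while the follow-up ruleset drops it. The INPUT results for ssh and smtp are identical under both rulesets, and testing from inside the LAN only exercises INPUT on eth1 and outbound FORWARD, both accepted either way, so that kind of test cannot show the gap.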
 
 
 
 
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
PREROUTING Does not work -- IPTABLES stevehunter_1@hotmail.com Linux Networking 5 07-24-2008 03:02 PM
iptables --sport doesn't seem to work with REDIRECT jorge.hodge@gmail.com Linux Networking 0 10-09-2007 10:26 PM
my router power light wont work! after firmware upgrade! restore dont work! Chriz Mac Broadband Hardware 1 01-23-2005 02:42 AM
Looking for iptables applications code (iptables.c) to run some rules to forward packets tvnaidu@yahoo.com Linux Networking 2 01-17-2005 05:01 PM
Help with understanding how IPTables work Justin Linux Networking 2 12-15-2004 01:02 PM



1 2 3 4 5 6 7 8 9 10 11