[lug] IP Tables

David L. Anselmi anselmi at anselmi.us
Sat Sep 22 10:48:33 MDT 2007


So this is an interesting example of software engineering.  Harlen 
doesn't know how to make iptables do what he wants.  Does he know how to 
specify requirements so Kevin can do it?

Kevin Fenzi wrote:
> On Fri, 21 Sep 2007 17:33:12 -0700 (PDT)
> horlenkarl at yahoo.com (karl horlen) wrote:
> 
>> would anybody mind sharing a rock solid iptables
>> script that does the following things.
[...]
>> Requirements:
>>
>> RedHat based system
>>
>> - denies all ports by default
>> - allows smtp port 25 to send to all outside

Port 25 probably doesn't send anything, just receives.  But there's no 
requirement for it to receive anything.

>> - allows http 80 from all outside
>> -allows ssh but only from a given ip address (i'll
>> change /fill in)
>> - logs other attempts that try to go to ssh but not on
>> the allowed ip address
>> - allows all inside generated requests to go out and
>> accept replies from all inside generated requests
>> (probably covers sendmail above?)

Yes, for sending.

>> - drops everything else
[...]
> iptables -A INPUT -i lo -j ACCEPT

This allows local connections, which wasn't specified.

> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 111.222.333.444 -j ACCEPT 
> iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j LOG
> iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

Harlan said "drop" but Kevin has used reject.  Same or not?

And then of course a new requirement emerges as soon as Kevin has 
answered, "turns on at boot".  Where I work they call that piece 
"integration".  Separate phase of the software life cycle.

> Fill in 111.222.333.444 with your ssh allowed ip.
>
> Not tested, YMMV.

Standard practice to ship beta software and let the customer figure it 
out. ;-)

No slight intended to Harlan or Kevin.  Just a "gee, I see this all the 
time at work" moment.

Dave
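Karl's requirement list, implemented with default-DROP chain policies so that "denies all ports by default" and "drops everything else" are literal rather than a trailing REJECT rule, and with the SSH log rule rate-limited. This is an added example, not Kevin's script; SSH_ALLOWED is a placeholder documentation address, and setting IPT=echo gives a dry run that only prints the commands it would execute.

```shell
#!/bin/sh
# Added example of the requested ruleset using a DROP policy instead of a final
# REJECT. The difference David asks about: DROP discards the packet silently,
# REJECT answers with an ICMP error (here icmp-host-prohibited) so the sender
# sees the refusal immediately.
: "${IPT:=iptables}"            # set IPT=echo for a dry run (prints, does not apply)
: "${SSH_ALLOWED:=192.0.2.10}"  # placeholder address (TEST-NET-1); replace with the real one

apply_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP       # deny all by default: the policy applies when no rule matches
    $IPT -P FORWARD DROP     # this host is not a router
    $IPT -P OUTPUT ACCEPT    # inside-generated requests (including outbound SMTP) go out
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to inside-generated requests, e.g. the reply half of sendmail's deliveries
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -m state --state NEW -p tcp --dport 22 -s "$SSH_ALLOWED" -j ACCEPT
    # SSH from any other address: log (rate-limited so a scan cannot fill the log),
    # then fall through to the DROP policy
    $IPT -A INPUT -m state --state NEW -p tcp --dport 22 \
        -m limit --limit 5/min -j LOG --log-prefix "ssh-denied: "
    # no trailing REJECT rule: everything unmatched is dropped by the INPUT policy
}

# number of INPUT rules the script would add, obtained from a dry run
rule_count() {
    ( IPT=echo; apply_rules ) | grep -c -- '-A INPUT'
}

# to apply for real, run as root:  . ./fw.sh && apply_rules
```

On a Red Hat system the "turns on at boot" requirement is the separate step `service iptables save`, which writes the running ruleset to /etc/sysconfig/iptables for the init script to reload.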


