  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 262

iptables advice

Hello... I'm a Linux newbie trying to learn. I'm trying to set up my firewall and I'd like some advice.

I want to limit my exposure as much as possible. The only connections I require are a successful ping to this system and an ssh session (rsync actually, but it seems to work on 22 with the rsync_rsh=ssh option set).

target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere           icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ssh
ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply

How's that look? Any holes? Redundancies? Thanks for the input!
0
 
s_mackAuthor Commented:
I don't get it... I still get UDP connections, and I'm seeing several requests for HTTP (I don't have a web server running, though).

I thought since all three chains are set to DROP by default that it would allow NOTHING except what I explicitly allow, in this case SSH and Ping.

Help please.
0
 
HartmanCommented:
Mack,

Here is what you need to have for the INPUT chain.

Chain INPUT (policy ACCEPT)
target     prot opt source      destination
ACCEPT     tcp  --  anywhere    hostname tcp dpt:ssh
DROP       tcp  --  anywhere    hostname tcp dpts:0:1024
DROP       udp  --  anywhere    hostname udp dpts:0:1024
DROP       tcp  --  anywhere    hostname tcp dpts:x11:6100

This allows you to use ssh and ping and the random non-privileged high ports needed for TCP sessions. The 3 DROP rules protect all low privileged ports, and the last one stops X forwarding.

So below are the commands ($ip = your system's IP):

# $OUT_IF is the external interface (eth0 in the script posted further down)
iptables -A INPUT -j ACCEPT -p tcp -d $ip --dport 22
iptables -A INPUT -j DROP -p tcp -i $OUT_IF -d $ip --dport :1024
iptables -A INPUT -j DROP -p udp -i $OUT_IF -d $ip --dport :1024
iptables -A INPUT -j DROP -p tcp -i $OUT_IF -d $ip --dport 6000:6100

Hope this helps
Hartman
0
 
HartmanCommented:
Oh, also don't forget that iptables loads into the kernel, and a system reboot will clear the tables. To stop this you must make a script that runs at boot to add the tables again.

If you want this, let me know; I have one that starts/stops/clears and gives the status of the tables.

Hartman
0
 
majorwooCommented:
hartman

I'm always interested to see people's inventions ;-) link us
0
 
HartmanCommented:
majorwoo,

It is just a simple shell script that only deals with 1 interface and IP address. You can add/remove what rules you want in the start section.

#!/bin/sh
#
# Simple iptables start/stop/status script for one interface and its IP address(es).
# Add or remove rules in the "start" section as needed.
#
OUT_IP="your IP"        # space-separated list of this host's IP addresses
OUT_IF=eth0             # external interface the DROP rules apply to

case "$1" in
start)
        # Clear all rules
        echo "Clearing all rules"
        iptables -F INPUT
        iptables -F FORWARD
        iptables -F OUTPUT
        for ip in $OUT_IP
                do
                # Services allowed in
                iptables -A INPUT -j ACCEPT -p tcp -d $ip --dport 22    # ssh
                iptables -A INPUT -j ACCEPT -p tcp -d $ip --dport 25    # smtp
                iptables -A INPUT -j ACCEPT -p tcp -d $ip --dport 53    # dns (tcp, for large answers)
                iptables -A INPUT -j ACCEPT -p udp -d $ip --dport 53    # dns
                iptables -A INPUT -j ACCEPT -p tcp -d $ip --dport 80    # http
                iptables -A INPUT -j ACCEPT -p udp -d $ip --dport 123   # ntp (udp; the original line said tcp)
                iptables -A INPUT -j ACCEPT -p tcp -d $ip --dport 443   # https (tcp; the original line said udp)
                # Everything else on the privileged ports is dropped, and
                # X11 (6000-6100) is blocked on the external interface
                iptables -A INPUT -j DROP -p tcp -i $OUT_IF -d $ip --dport :1024
                iptables -A INPUT -j DROP -p udp -i $OUT_IF -d $ip --dport :1024
                iptables -A INPUT -j DROP -p tcp -i $OUT_IF -d $ip --dport 6000:6100
                done
                echo "Done setting rules"
        ;;
stop)
        # Clearing all rules
        echo "Removing all Rules"
        iptables -F INPUT
        iptables -F FORWARD
        iptables -F OUTPUT
        ;;
status)
        iptables -L
        exit 0
        ;;
*)
        echo "Usage: $0 {start|stop|status}"
        exit 0
        ;;
esac
exit 0
0
 
majorwooCommented:
I keep saying I am going to convert mine to something more like that so I can shut it off when I want to, but usually when I want to test something I just turn on logging and wait for a hit ;-)

http://majorwoo.dynup.net:1024/pub/rc.firewall
0
 
s_mackAuthor Commented:
Back to my original request... why wouldn't I set the default policies to DROP and only allow port 22? Isn't that safer?

Of course, I must be missing something because I still get tons of people trying to connect on port 80. They aren't getting very far, but it's obvious they are seeing the port... I think...

Here's what I have now:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             sXX-XXX-XXX-XXX.bc.hsia.telus.net tcp dpt:ssh
ACCEPT     icmp --  anywhere           sXX-XXX-XXX-XXX.bc.hsia.telus.net icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  sXX-XXX-XXX-XXX.bc.hsia.telus.net  anywhere           tcp spt:ssh
ACCEPT     icmp --  sXX-XXX-XXX-XXX.bc.hsia.telus.net  anywhere           icmp echo-reply

The XX's are just to hide my IP.
0
 
majorwooCommented:
OK, first off:

NEVER use a hostname in your iptables script unless you have NO CHOICE. Using the hostname will result in a DNS lookup for every packet to hit your firewall.

Instead use your IP. If it is dynamic and your hostname is not, look into the hooks provided in dhcpd (/etc/dhclient-exit-hooks) or use /etc/ppp/ip=ip.local to rerun your script after using a command to get the IP in the script:

EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

The script he showed was just an example, but you are right. You just open the port you want. Just because people are trying to access your port 80 doesn't mean it's open; in fact, if your firewall logs say they are getting dropped, that is what you want. The important part is they are trying, not connecting. You may wish to disable ICMP, as a machine that does not respond to the internet is less likely to be probed again.

For example, the IP of my firewall is

majorwoo.dynup.net  (it's dynamic)

You can ping or do whatever you want, but only ssh and http (on port 1024 because my ISP blocks 80) are open. Everything else gets dropped (including ping), as if my machine was off.
0
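As an added example (not code from any poster in this thread), here is a start/stop/status script that does what s_mack asked about: default-DROP policies in every chain with only ssh and ping opened, using connection tracking so replies get out without a separate spt:ssh rule, plus logging of dropped packets so hits on port 80 can be verified rather than guessed. The interface name, address and log prefix are placeholders; run it with IPT=echo to preview the rules without loading them.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: the default-DROP,
# open-only-what-you-need policy s_mack asked about, with connection tracking
# so ssh replies and ping replies get out without a separate "spt:ssh" rule.
# Assumptions: EXT_IF/EXT_IP/log prefix are placeholders; IPT=echo only prints.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"        # assumed external interface
EXT_IP="${EXT_IP:-192.0.2.10}"  # placeholder public address (RFC 5737 range)

fw_flush() {
    # Drop every rule and fall back to ACCEPT so "stop" cannot lock you out.
    $IPT -F; $IPT -X
    $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT; $IPT -P OUTPUT ACCEPT
}

fw_start() {
    $IPT -F; $IPT -X
    # Deny by default in every chain; everything below is an explicit exception.
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP
    # Loopback: local daemons need it.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Packets of connections already accepted, in either direction. This also
    # covers the ICMP echo-reply, so no OUTPUT rule for it is needed.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The only two things the asker needs: new ssh sessions (rsync over ssh) and ping.
    $IPT -A INPUT -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 22 \
         -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -j ACCEPT
    # Log (rate limited) what the policy drops: the "people hitting port 80"
    # then show up in the kernel log as dropped, which is what you want to see.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
    # With OUTPUT DROP this host cannot open new outbound connections (updates,
    # DNS); add explicit OUTPUT rules for those if you need them.
}

fw_status() {
    # -n lists addresses numerically, avoiding the reverse DNS lookups that make
    # "iptables -L" slow and show hostnames in place of the IPs you typed.
    $IPT -L -n -v
}

case "${1:-}" in
    start)  fw_start ;;
    stop)   fw_flush ;;
    status) fw_status ;;
    "")     ;;   # no argument: only define the functions (e.g. when sourced)
    *)      echo "Usage: $0 {start|stop|status}" >&2; exit 1 ;;
esac
```

Because everything not explicitly accepted is dropped by policy, a port 80 probe never reaches a listener; the LOG rule is what lets you confirm that from the kernel log.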
 
s_mackAuthor Commented:
I did use the IP.. that is, I entered
iptables -A INPUT -p tcp --dport 22 -d 64.103.54.25 -j ACCEPT

and it automatically plugged the full hostname into the chains... is there something I can do about that?  (btw that IP I gave is fictional)

My IP is static.

Should I just leave the -d out and have an anywhere-to-anywhere rule?

As far as ICMP being open.. I NEED pings to get through. Well.. at least the software my clients are using does a ping to check that the server is alive. I suppose I could rewrite the client to do a quick ssh connect instead. Hmm... that would have been brighter, wouldn't it. Ok.. that's in version 2 :)

Thanks for the input.
0
 
majorwooCommented:
What automagically did that?

No, keep the -d; it's much more secure.

(Nope, that's fine; ICMP is your call.)
0
 
s_mackAuthor Commented:
I don't know what automatically did that :) I'm too new to Linux to be much more descriptive. This is RH 8.0. I uninstalled the lokkit package (didn't seem to Lock It very well) and was just using the iptables command as I stated above. When I entered the command, I simply used -d 64.103.54.25, but when I run iptables -L it shows the full hostname as the destination address.

Maybe there's an option to not resolve DNS?
0
 
s_mackAuthor Commented:
Does the -n option make a difference?  I read that this will speed up the time it takes for the chains to DISPLAY (says nothing of actual performance) but only if using an internal IP that can't resolve.

Apparently, according to http://www.coolview.nl/iptables/faq/netfilter-faq-3.html

iptables always does a reverse dns lookup for each -d and -s specified.

I think I'll throw the -n in there to force numeric since you seemed to think it would make a difference.
0
 
majorwooCommented:
The reverse lookup is only done when you do iptables -L; I'm sorry, I thought I said that in my last message. As long as you used IPs in your script you are OK.
0
 
s_mackAuthor Commented:
I've moved on :)  I'm going to assign points just to clear this up.  Thanks for the help.
0
