Solved

iptables advice

Posted on 2003-03-13
Last Modified: 2010-04-22
Hello... I'm a Linux newbie trying to learn. I'm trying to set up my firewall and I'd like some advice.

I want to limit my exposure as much as possible. The only connections I require are a successful ping to this system and an ssh session (rsync actually, but it seems to work on 22 with the rsync_rsh=ssh option set).

target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere           icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ssh
ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply

How's that look?  Any holes? Redundancies?  Thanks for the input!
Question by:s_mack
Author Comment

by:s_mack
ID: 8133046
I don't get it... I still get UDP connections, as well as seeing several requests for HTTP (I don't have a web server running though).

I thought since all three chains are set to DROP by default that it would allow NOTHING except what I explicitly allow, in this case SSH and ping.

Help please.

Accepted Solution

by:
Hartman earned 60 total points
ID: 8144398
Mack,

Here is what you need to have for the INPUT chain.

Chain INPUT (policy ACCEPT)
target     prot opt source      destination
ACCEPT     tcp  --  anywhere    hostname tcp dpt:ssh
DROP       tcp  --  anywhere    hostname tcp dpts:0:1024
DROP       udp  --  anywhere    hostname udp dpts:0:1024
DROP       tcp  --  anywhere    hostname tcp dpts:x11:6100

This allows you to use ssh and ping and random non-privileged high ports needed for TCP sessions. The 3 DROP rules protect all low privileged ports and the last stops x-forwarding.

So below are the commands ($ip = your system's IP):

# $ip = your system's IP address, $OUT_IF = your external interface (e.g. eth0)
iptables -A INPUT -j ACCEPT -p tcp -d $ip --dport 22
iptables -A INPUT -j DROP -p tcp -i $OUT_IF -d $ip --dport :1024
iptables -A INPUT -j DROP -p udp -i $OUT_IF -d $ip --dport :1024
iptables -A INPUT -j DROP -p tcp -i $OUT_IF -d $ip --dport 6000:6100

Hope this helps
Hartman

Expert Comment

by:Hartman
ID: 8144424
Oh, also don't forget that iptables is loaded into the kernel and a system reboot will clear the tables. To stop this you must make a script that runs at boot to add the tables again.

If you want this let me know I have one that starts/stops/clears/and gives status of the tables.

Hartman

Expert Comment

by:majorwoo
ID: 8146381
Hartman,

I'm always interested to see people's inventions ;-) link us

Expert Comment

by:Hartman
ID: 8147915
majorwoo,

It is just a simple shell script that only deals with 1 interface and IP address. You can add/remove what rules you want in the start section.

#!/bin/sh
#
# Simple iptables start/stop/status script for one interface and one IP.
# Edit the rules in the start) section to suit your host.
#
OUT_IP="your IP"      # the host's external address(es), numeric, space-separated
OUT_IF=eth0           # the external interface

case "$1" in
start)
        # Clear all rules
        echo "Clearing all rules"
        iptables -F INPUT
        iptables -F FORWARD
        iptables -F OUTPUT
        for ip in $OUT_IP
                do
                # Services accepted on this address
                iptables -A INPUT -j ACCEPT -p tcp -d "$ip" --dport 22
                iptables -A INPUT -j ACCEPT -p tcp -d "$ip" --dport 25
                iptables -A INPUT -j ACCEPT -p tcp -d "$ip" --dport 53
                iptables -A INPUT -j ACCEPT -p udp -d "$ip" --dport 53
                iptables -A INPUT -j ACCEPT -p tcp -d "$ip" --dport 80
                iptables -A INPUT -j ACCEPT -p tcp -d "$ip" --dport 123
                iptables -A INPUT -j ACCEPT -p udp -d "$ip" --dport 443
                # Everything else aimed at the low (privileged) ports is dropped,
                # as is X11 (6000-6100) coming in from the external interface
                iptables -A INPUT -j DROP -p tcp -i "$OUT_IF" -d "$ip" --dport :1024
                iptables -A INPUT -j DROP -p udp -i "$OUT_IF" -d "$ip" --dport :1024
                iptables -A INPUT -j DROP -p tcp -i "$OUT_IF" -d "$ip" --dport 6000:6100
                done
                echo "Done setting rules"
        ;;
stop)
        # Clearing all rules
        echo "Removing all Rules"
        iptables -F INPUT
        iptables -F FORWARD
        iptables -F OUTPUT
        ;;
status)
        iptables -L
        exit 0
        ;;
*)
        echo "Usage: $0 {start|stop|status}"
        exit 1
        ;;
esac
exit 0

Expert Comment

by:majorwoo
ID: 8147933
I keep saying I am going to convert mine to something more like that so I can shut it off when I want to, but usually when I want to test something I just turn on logging and wait for a hit ;-)

http://majorwoo.dynup.net:1024/pub/rc.firewall
Author Comment

by:s_mack
ID: 8148673
Back to my original request... why wouldn't I set the default policies to DROP and only allow port 22?  Isn't that safer?

Of course, I must be missing something because I still get tons of people trying to connect on port 80. They aren't getting very far, but it's obvious they are seeing the port... I think...

Here's what I have now:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             sXX-XXX-XXX-XXX.bc.hsia.telus.net tcp dpt:ssh
ACCEPT     icmp --  anywhere           sXX-XXX-XXX-XXX.bc.hsia.telus.net icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  sXX-XXX-XXX-XXX.bc.hsia.telus.net  anywhere           tcp spt:ssh
ACCEPT     icmp --  sXX-XXX-XXX-XXX.bc.hsia.telus.net  anywhere           icmp echo-reply

The XX's are just to hide my IP.

Expert Comment

by:majorwoo
ID: 8148710
OK, first off:

NEVER use a hostname in your iptables script unless you have NO CHOICE.  Using the hostname will result in a DNS lookup for every packet to hit your firewall.

Instead use your IP; if it is dynamic and your hostname is not, look into the hooks provided in dhcpd (/etc/dhclient-exit-hooks) or use /etc/ppp/ip=ip.local to rerun your script after using a command to get the IP in the script:

EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

The script he showed was just an example, but you are right.  You just open the port you want.  Just because people are trying to access your port 80 doesn't mean it's open; in fact, if your firewall logs say they are getting dropped, that is what you want.  The important part is they are trying, they are not connecting.  You may wish to disable ICMP, as a machine that does not respond to the internet is less likely to be probed again.

For example, the IP of my firewall is

majorwoo.dynup.net  (it's dynamic)

You can ping or do whatever you want, but only ssh and http (on port 1024 because my ISP blocks 80) are open.  Everything else gets dropped (including ping), as if my machine was off.
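As an added example (not a script from this thread or its posters), here is a start/stop/status script in the shape of Hartman's that does what the question asked for: every chain defaults to DROP and only inbound ssh and echo-request are accepted. It goes beyond the thread by using connection tracking (-m state) for reply traffic instead of hand-written spt:ssh and echo-reply rules, and by logging dropped packets, which is how to verify that the port-80 attempts majorwoo describes are in fact dropped; the address 192.0.2.10 used below is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not a script from this thread. Default-DROP firewall for the
# stated requirement: inbound ssh (rsync over ssh) and ping only. IPTABLES may be
# overridden (IPTABLES=echo) to print the rules instead of loading them.
IPTABLES="${IPTABLES:-iptables}"

# fw_start IP : flush, set every built-in chain to DROP, then allow only what is needed.
fw_start() {
    ip="$1"    # this host's own address, given numerically (constructed example: 192.0.2.10)
    for chain in INPUT FORWARD OUTPUT; do
        $IPTABLES -F "$chain"
        $IPTABLES -P "$chain" DROP
    done
    # A DROP policy also blocks local programs talking over the loopback interface.
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    # Connection tracking accepts replies to connections the kernel already knows about.
    # This replaces the hand-written "spt:ssh" and "echo-reply" OUTPUT rules and also
    # covers ICMP errors (RELATED) that a purely port-based ruleset would silently drop.
    $IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The only new inbound traffic allowed: ssh and echo-request to our own address.
    $IPTABLES -A INPUT -p tcp  -d "$ip" --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p icmp -d "$ip" --icmp-type echo-request -j ACCEPT
    # Log what the policy is about to drop, rate-limited so a scan cannot fill the disk.
    # These "FW-DROP" lines are how to confirm that probes to port 80 are being dropped.
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

# fw_stop : remove all rules and fall back to an open policy.
fw_stop() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPTABLES -F "$chain"
        $IPTABLES -P "$chain" ACCEPT
    done
}

# fw_status : list rules numerically (-n avoids the reverse DNS lookups discussed above).
fw_status() {
    $IPTABLES -L -n -v
}

case "${1:-}" in
    start)  fw_start "${2:?usage: $0 start IP}" ;;
    stop)   fw_stop ;;
    status) fw_status ;;
    "")     ;;   # run without arguments: only define the functions
    *)      echo "Usage: $0 {start IP|stop|status}" >&2; exit 1 ;;
esac
```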
Author Comment

by:s_mack
ID: 8149397
I did use the IP.  That is, I entered
iptables -A INPUT -p tcp --dport 22 -d 64.103.54.25 -j ACCEPT

and it automatically plugged the full hostname into the chains... is there something I can do about that?  (BTW, that IP I gave is fictional.)

My IP is static.

Should I just leave the -d out and have an anywhere-to-anywhere rule?

As far as ICMP being open... I NEED pings to get through. Well... at least the software my clients are using does a ping to check that the server is alive.  I suppose I could rewrite the client to do a quick ssh connect instead.  Hmm... that would have been brighter, wouldn't it.  OK... that's in version 2 :)

Thanks for the input.

Expert Comment

by:majorwoo
ID: 8149439
What automagically did that?

No, keep the -d; it's much more secure.

(Nope, that's fine, ICMP is your call.)
Author Comment

by:s_mack
ID: 8149680
I don't know what automatically did that :)  I'm too new to Linux to be much more descriptive.  This is RH 8.0. I uninstalled the lokkit package (didn't seem to Lock It very well) and was just using the iptables command as I stated above.   When I entered the command, I simply used -d 64.103.54.25, but when I run iptables -L it shows the full hostname as the destination address.

Maybe there's an option to not resolve DNS?
Author Comment

by:s_mack
ID: 8149699
Does the -n option make a difference?  I read that this will speed up the time it takes for the chains to DISPLAY (it says nothing of actual performance), but only if using an internal IP that can't resolve.

Apparently, according to http://www.coolview.nl/iptables/faq/netfilter-faq-3.html

iptables always does a reverse DNS lookup for each -d and -s specified.

I think I'll throw the -n in there to force numeric, since you seemed to think it would make a difference.

Expert Comment

by:majorwoo
ID: 8151763
The reverse lookup is only done when you do iptables -L; I'm sorry, I thought I said that in my last message.  As long as you used IPs in your script you are OK.
Author Comment

by:s_mack
ID: 10882808
I've moved on :)  I'm going to assign points just to clear this up.  Thanks for the help.