s_mack
asked on
iptables advice
Hello... I'm a Linux newbie trying to learn. I'm trying to set up my firewall and I'd like some advice.
I want to limit my exposure as much as possible. The only connections I require are a successful ping to this system and an ssh session (rsync actually, but it seems to work on 22 with the rsync_rsh=ssh option set).
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-reply
How's that look? Any holes? Redundancies? Thanks for the input!
Oh, also don't forget that iptables is loaded into the kernel and a system reboot will clear the tables. To stop this you must make a script that runs at boot to add the tables again.
If you want this let me know I have one that starts/stops/clears/and gives status of the tables.
Hartman
hartman
I'm always interested to see people's inventions ;-) link us
majorwoo,
It is just a simple shell script that only deals with one interface and IP address. You can add/remove what rules you want in the start section.
#!/bin/sh
#
# Simple firewall script for one interface and one IP address.
# Usage: $0 {start|stop|status}
#
OUT_IP="your IP"
OUT_IF=eth0
case $1 in
    start)
        # Clear all rules
        echo "Clearing all rules"
        iptables -F INPUT
        iptables -F FORWARD
        iptables -F OUTPUT
        for ip in $OUT_IP
        do
            # Services accepted on this address
            iptables -A INPUT -j ACCEPT -p tcp -d $ip --dport 22
            iptables -A INPUT -j ACCEPT -p tcp -d $ip --dport 25
            iptables -A INPUT -j ACCEPT -p tcp -d $ip --dport 53
            iptables -A INPUT -j ACCEPT -p udp -d $ip --dport 53
            iptables -A INPUT -j ACCEPT -p tcp -d $ip --dport 80
            iptables -A INPUT -j ACCEPT -p tcp -d $ip --dport 123
            iptables -A INPUT -j ACCEPT -p udp -d $ip --dport 443
            # Drop everything else on the external interface:
            # privileged ports (0-1024) and the X11 range
            iptables -A INPUT -j DROP -p tcp -i $OUT_IF -d $ip --dport :1024
            iptables -A INPUT -j DROP -p udp -i $OUT_IF -d $ip --dport :1024
            iptables -A INPUT -j DROP -p tcp -i $OUT_IF -d $ip --dport 6000:6100
        done
        echo "Done setting rules"
        ;;
    stop)
        # Clearing all rules
        echo "Removing all Rules"
        iptables -F INPUT
        iptables -F FORWARD
        iptables -F OUTPUT
        ;;
    status)
        iptables -L
        exit 0
        ;;
    *)
        echo "Usage: $0 {start|stop|status}"
        exit 0
        ;;
esac
exit 0
I keep saying I am going to convert mine to something more like that so I can shut it off when I want to, but usually when I want to test something I just turn on logging and wait for a hit ;-)
http://majorwoo.dynup.net:1024/pub/rc.firewall
ASKER
back to my original request... why wouldn't I set the default policies to DROP and only allow port 22? Isn't that safer?
Of course, I must be missing something because I still get tons of people trying to connect on port 80. They aren't getting very far, but it's obvious they are seeing the port... I think...
Here's what I have now:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere sXX-XXX-XXX-XXX.bc.hsia.telus.net tcp dpt:ssh
ACCEPT icmp -- anywhere sXX-XXX-XXX-XXX.bc.hsia.telus.net icmp echo-request
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- sXX-XXX-XXX-XXX.bc.hsia.telus.net anywhere tcp spt:ssh
ACCEPT icmp -- sXX-XXX-XXX-XXX.bc.hsia.telus.net anywhere icmp echo-reply
The XX's are just to hide my IP.
ok first off
NEVER use a hostname in your iptables script unless you have NO CHOICE. Using the hostname will result in a DNS lookup for every packet to hit your firewall.
Instead use your IP. If it is dynamic and your hostname is not, look into the hooks provided in dhcpd (/etc/dhclient-exit-hooks) or use /etc/ppp/ip=ip.local to rerun your script after using a command to get the IP in the script:
EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
The script he showed was just an example, but you are right. You just open the port you want. Just because people are trying to access your port 80 doesn't mean it's open; in fact, if your firewall logs say they are getting dropped, that is what you want. The important part is they are trying, not connecting. You may wish to disable ICMP, as a machine that does not respond to the internet is less likely to be probed again.
For example, the IP of my firewall is majorwoo.dynup.net (it's dynamic).
You can ping or do whatever you want, but only ssh and http (on port 1024 because my ISP blocks 80) are open. Everything else gets dropped (including ping) as if my machine was off.
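A stateful version of the ssh-plus-ping policy the thread is converging on, added here as an example and not the poster's rules, Hartman's script or majorwoo's rc.firewall. EXTIF, EXTIP (a placeholder address) and SSH_SRC are assumed names; setting IPT=echo prints the rules instead of applying them, so the policy can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the poster's script: minimal stateful iptables policy for
# a host that answers only ssh (rsync over ssh) and ping, all three chains
# defaulting to DROP. Assumed: EXTIF, EXTIP (placeholder address), SSH_SRC.
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-/sbin/iptables}"
EXTIF="${EXTIF:-eth0}"          # assumed external interface
EXTIP="${EXTIP:-192.0.2.10}"    # assumed static address (documentation range)
SSH_SRC="${SSH_SRC:-0.0.0.0/0}" # narrow this to the rsync client's address

fw_start() {
    # Policies first, then flush: no moment of full ACCEPT during a reload.
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP
    $IPT -F INPUT; $IPT -F FORWARD; $IPT -F OUTPUT
    # Local processes talk to each other over loopback.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # One stateful rule per direction replaces the spt:ssh and echo-reply
    # OUTPUT rules: conntrack marks ssh and ping replies ESTABLISHED.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New inbound ssh addressed to our IP (an address, never a hostname).
    $IPT -A INPUT -i "$EXTIF" -p tcp -s "$SSH_SRC" -d "$EXTIP" --dport 22 \
        -m state --state NEW -j ACCEPT
    # Inbound ping, rate limited so a flood cannot tie up the host.
    $IPT -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -d "$EXTIP" \
        -m limit --limit 10/second -j ACCEPT
    # Everything else falls to the DROP policy; log a sample first so probes
    # (like the port-80 attempts in the thread) are visible in syslog.
    $IPT -A INPUT -i "$EXTIF" -m limit --limit 5/minute \
        -j LOG --log-prefix "FW-DROP: "
}

fw_stop() {
    # Flushing alone would leave the DROP policies and lock the box out of
    # everything, so reset the policies to ACCEPT as well.
    $IPT -F INPUT; $IPT -F FORWARD; $IPT -F OUTPUT
    $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT; $IPT -P OUTPUT ACCEPT
}

case "${1:-}" in
    start)  fw_start ;;
    stop)   fw_stop ;;
    status) $IPT -L -n -v ;;   # -n: numeric output, no reverse DNS per rule
    "")     ;;                 # no argument: only define the functions
    *)      echo "Usage: $0 {start|stop|status}" >&2 ;;
esac
```

With policy DROP on OUTPUT, only replies to accepted connections leave the host, so outbound DNS or package updates from this box need their own rules if ever wanted.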
ASKER
I did use IP.. that is, I entered
iptables -A INPUT -p tcp --dport 22 -d 64.103.54.25 -j ACCEPT
and it automatically plugged the full hostname into the chains... is there something I can do about that? (btw that IP I gave is fictional)
My IP is static.
should I just leave the -d out and have an anywhere to anywhere rule?
As far as ICMP being open.. I NEED pings to get through. Well.. at least the software my clients are using does a ping to check that the server is alive. I suppose I could rewrite the client to do a quick ssh connect instead. Hmm... that would have been brighter, wouldn't it. Ok.. that's in version 2 :)
Thanks for the input.
what automagically did that?
No, keep the -d, it's much more secure.
(nope, that's fine icmp is your call)
ASKER
I don't know what automatically did that :) I'm too new to Linux to be much more descriptive. This is RH 8.0. I uninstalled the lokkit package (didn't seem to Lock It very well) and was just using the iptables command as I stated above. When I entered the command, I simply used -d 64.103.54.25 but when I run iptables -L it shows the full hostname as the destination address.
Maybe there's an option to not resolve DNS?
ASKER
Does the -n option make a difference? I read that this will speed up the time it takes for the chains to DISPLAY (says nothing of actual performance) but only if using an internal IP that can't resolve.
Apparently, according to http://www.coolview.nl/iptables/faq/netfilter-faq-3.html
iptables always does a reverse dns lookup for each -d and -s specified.
I think I'll throw the -n in there to force numeric since you seemed to think it would make a difference.
The reverse lookup is only done when you do iptables -L; I'm sorry, I thought I said that in my last message. As long as you used IPs in your script you are ok.
ASKER
I've moved on :) I'm going to assign points just to clear this up. Thanks for the help.
ASKER
I thought since all three chains are set to DROP by default that it would allow NOTHING except what I explicitly allow, in this case SSH and ping.
help please