Solved

IP Tables - Someone do it for me, I can't do it!!! ;-)

Posted on 2004-03-30
Last Modified: 2010-04-22
...Well, I can't quite get the tricky tables to work.

Problem I have is I only have one remote box to set up. If I get it wrong then I'm going to block my own access.

I have all the inbound blocking working fine.

I have 2 problems:

1) Outbound traffic is all blocked and I can't get it working with any combination of outbound chains. I'm obviously doing something wrong!

2) I just can not get logging to work! And once I do, what web based log analyser would be best?


I need:
Inbound already works
Outbound all
Logging on for rejects

Do you want to see my current config?

Nathan


Question by:Nathan_London
9 Comments
 
LVL 9

Expert Comment

by:Alf666
ID: 10715654
Yes. Send it here.

Once again, I can't help but advertise the excellent fwbuilder (http://www.fwbuilder.org)
It allows you to build your iptables scripts with an interface quite like Checkpoint's Firewall One.

Easy and well documented.

 

Author Comment

by:Nathan_London
ID: 10717205
Looks nice but I don't have X, just shell and web access. It's a web server at an ISP.

Here is more /etc/sysconfig/iptables:

I have hidden real IP addresses.



*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# ssh (22)
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 22 -j ACCEPT

# ssh (22)
-A INPUT -p tcp -m tcp -s JofficeIP -d server_adminIP --dport 22 -j ACCEPT

# ssh for support.  
-A INPUT -p tcp -m tcp -s 64.255.167.0/24 -d server_adminIP --dport 22 -j ACCEPT

# www
-A INPUT -p tcp -m tcp -d server_allinternetusersIP --dport 80 -j ACCEPT

# MYSQL
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 3306 -j ACCEPT

# Webmin for Joffice
-A INPUT -p tcp -m tcp -s JofficeIP -d server_adminIP --dport 100 -j ACCEPT

# irc
-A INPUT -p tcp -m tcp -d server_allinternetusersIP --dport 6667 -j ACCEPT

# ftp
-A INPUT -p tcp -m tcp -s JofficeIP -d server_adminIP --dport 20:21 -j ACCEPT

# ftp
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 20:21 -j ACCEPT

# ICMP from us
-A INPUT -p icmp -s officeIP -d server_adminIP -j ACCEPT

# ICMP from Joffice
-A INPUT -p icmp -s JofficeIP -d server_adminIP -j ACCEPT

# Webmin
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 100 -j ACCEPT

# ALL
-A OUTPUT -j ACCEPT

# SMTP
-A INPUT -p tcp -m tcp -d server_allinternetusersIP --dport 25 -j ACCEPT
-A INPUT -j DROP
COMMIT
 
LVL 9

Accepted Solution

by:
Alf666 earned 250 total points
ID: 10717949
You can use fwbuilder locally, build your rules file and upload it afterwards.

But about your actual rules. They look good. The packets can get out. The replies just can't get back in!

I don't know your iptables format, so I don't know if you have specific logging options, but the following additions should work:

At the beginning:

-A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

This one is needed if you restrict the OUTPUT rules afterwards:

-A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

Just before your drop rule:

-A INPUT -j LOG  --log-level info --log-prefix "DENY "

This should work.

I'd just like to emphasize that without proper anti spoofing rules, your security is not that good. But that's a bit too much to put in here.

 

Author Comment

by:Nathan_London
ID: 10723913
Thanks.

I have been using webmin to enter the tables. How do I do it from the shell and make sure the changes are applied?
Is there a config file just to edit?

N

 
LVL 9

Expert Comment

by:Alf666
ID: 10724046
webmin is updating your /etc/sysconfig/iptables file.

Once done with webmin, you can edit it by hand.
 

Author Comment

by:Nathan_London
ID: 10730446
Logging is now working :)

Please explain where these go in the rules and what they are doing exactly.

-A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

N
 
LVL 9

Expert Comment

by:Alf666
ID: 10730609
They go somewhere before the DROP rules.

Basically, it says that packets belonging to "existing sessions" are allowed to pass.
The state of a packet can be INVALID, NEW, ESTABLISHED, RELATED.
INVALID means it's not tied to any existing "session"
NEW means it's a packet for a new "session"
ESTABLISHED means an existing "session"
And finally, RELATED allows certain modules (like conntrack_ftp) to dynamically allow certain packets to pass through. These modules are used for protocols allocating ports dynamically.

State can also be SNAT or DNAT. Refer to your doc about these.

This is handled by the connection tracking module. It's called the "state" module (hence the "-m").

The state module is very useful to keep track of the real connections. I always put "session" between quotes, because UDP, for example, has no session concept. But the state module emulates these.

Why do I have two of these?

The INPUT one is mandatory for you. It means that you will accept returning packets from the hosts which you have allowed your firewall to talk to. That's probably why your host can not "talk" to anybody, even if you have authorized outbound traffic.

The OUTPUT one is the same, the other way. Once you start restricting outbound access, you won't get packets back from your firewall, even on those ports you have allowed access to.

If you want to test this out, I recommend setting up the following first:

Create a shell script that clears up all rules.
Add it to a cron job that activates once every minute.
If it works, then activate it only every ten minutes (or more).
Then you can do your tests. It will be tricky not to be surprised by the cron job during your normal tests, but, if you "lose" the box, then it will revert back to a clean state by itself :-)

Beyond this, you'd better read a bit about it, or I'll end up rewriting an iptables manual :-))
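As an added example (not code from the thread or from either participant), here is the approach above put into one script: the corrected ruleset skeleton with the state and LOG rules in the right place, a check of that ordering run before anything is loaded, and the cron "undo" job as a safety net. The fw-undo script and cron paths, the apply argument and the placeholder addresses (officeIP, server_adminIP) are assumptions; /etc/sysconfig/iptables is the file named in the thread.

```shell
# Added example, not code from the thread: fixed ruleset skeleton, an order check run before
# loading, and the cron "undo" job described above. Paths, script names and the placeholder
# addresses (officeIP, server_adminIP) are assumptions.
# State ACCEPT rules first, LOG immediately before the catch-all DROP. The other
# per-port INPUT rules from the post go where marked. Comment lines are legal here.
corrected_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 22 -j ACCEPT
# ... remaining INPUT ACCEPT rules from the post (www, smtp, mysql, webmin, ftp, icmp) ...
-A OUTPUT -j ACCEPT
-A INPUT -j LOG --log-level info --log-prefix "DENY "
-A INPUT -j DROP
COMMIT
EOF
}

# Returns 0 only if stdin has an INPUT state ACCEPT and an INPUT LOG rule, both placed
# before the final INPUT DROP; after the DROP they would never be reached.
rule_order_ok() {
    awk '/-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT/ && !s { s = NR }
         /-A INPUT -j LOG/  && !l { l = NR }
         /-A INPUT -j DROP/ && !d { d = NR }
         END { exit !(s && l && d && s < d && l < d) }'
}

# Safety net: a script that resets the firewall to accept everything, run by cron every
# N minutes (1 while testing, 10 later). Remove /etc/cron.d/fw-undo once the rules are proven.
install_failsafe() {
    cat > /usr/local/sbin/fw-undo <<'EOF'
#!/bin/sh
for c in INPUT OUTPUT FORWARD; do iptables -P "$c" ACCEPT; done
iptables -F; iptables -X
EOF
    chmod 0700 /usr/local/sbin/fw-undo
    echo "*/${1:-10} * * * * root /usr/local/sbin/fw-undo" > /etc/cron.d/fw-undo
}

# Write the file webmin also edits, then load it, but only if the order check passes (root).
apply_rules() {
    corrected_rules | rule_order_ok || { echo 'bad rule order, not applying' >&2; return 1; }
    corrected_rules > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
}
case "${1:-}" in apply) install_failsafe 1 && apply_rules ;; esac   # usage: sh fw.sh apply
```

Run with no argument it only defines the functions, so rule_order_ok can be pointed at any iptables-save style file (for example the one in the post above, which fails the check because it has no state and no LOG rule) before it is loaded.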
 
LVL 9

Expert Comment

by:Alf666
ID: 10744875
Hi,

Do you need any more info?
 

Author Comment

by:Nathan_London
ID: 10760530
That's great, thanks!

I have another question. I'll post it!
