Solved

IP Tables - Someone do it for me, I can't do it!!! ;-)

Posted on 2004-03-30
9
231 Views
Last Modified: 2010-04-22
...Well I can't quite get the tricky tables to work.

The problem I have is that I only have one remote box to set up. If I get it wrong then I'm going to block my own access.

I have all the inbound blocking working fine.

I have 2 problems;

1) Outbound traffic is all blocked and I can't get it working with any combination of outbound chains. I'm obviously doing something wrong!

2) I just cannot get logging to work! And once I do, what web-based log analyser would be best?


I need:
Inbound already works
outbound all
logging on for rejects

Do you want to see my current config?

Nathan


0
Comment
Question by:Nathan_London
9 Comments
 
LVL 9

Expert Comment

by:Alf666
ID: 10715654
Yes. Send it here.

Once again, I can't help but advertise the excellent fwbuilder (http://www.fwbuilder.org)
It allows you to build your iptables scripts with an interface quite like Checkpoint's Firewall One.

Easy and well documented.

0
 

Author Comment

by:Nathan_London
ID: 10717205
Looks nice but I don't have X, just shell and web access. It's a web server at an ISP.

Here is
more /etc/sysconfig/iptables

I have hidden the real IP addresses.



*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# ssh (22)
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 22 -j ACCEPT

# ssh (22)
-A INPUT -p tcp -m tcp -s JofficeIP -d server_adminIP --dport 22 -j ACCEPT

# ssh for support.  
-A INPUT -p tcp -m tcp -s 64.255.167.0/24 -d server_adminIP --dport 22 -j ACCEPT

# www
-A INPUT -p tcp -m tcp -d server_allinternetusersIP --dport 80 -j ACCEPT

# MYSQL
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 3306 -j ACCEPT

# Webmin for Joffice
-A INPUT -p tcp -m tcp -s JofficeIP -d server_adminIP --dport 100 -j ACCEPT

# irc
-A INPUT -p tcp -m tcp -d server_allinternetusersIP --dport 6667 -j ACCEPT

# ftp
-A INPUT -p tcp -m tcp -s JofficeIP -d server_adminIP --dport 20:21 -j ACCEPT

# ftp
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 20:21 -j ACCEPT

# ICMP from us
-A INPUT -p icmp -s officeIP -d server_adminIP -j ACCEPT

# ICMP from Joffice
-A INPUT -p icmp -s JofficeIP -d server_adminIP -j ACCEPT

# Webmin
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 100 -j ACCEPT

# ALL
-A OUTPUT -j ACCEPT

# SMTP
-A INPUT -p tcp -m tcp -d server_allinternetusersIP --dport 25 -j ACCEPT
-A INPUT -j DROP
COMMIT
0
 
LVL 9

Accepted Solution

by:
Alf666 earned 250 total points
ID: 10717949
You can use fwbuilder locally, build your rules file and upload it afterwards.

But about your actual rules. They look good. The packets can get out. The replies just can't get back in !

I don't know your iptables format, so I don't know if you have specific logging options, but the following additions should work :

At the beginning :

-A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

This one is needed if you restrict the OUTPUT rules afterwards :

-A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

Just before your drop rule :

-A INPUT -j LOG  --log-level info --log-prefix "DENY "

This should work.

I'd just like to emphasize that without proper anti spoofing rules, your security is not that good. But that's a bit too much to put in here.

0
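The ordering the accepted answer relies on (state rule early, LOG immediately before the catch-all DROP) can be checked offline before a ruleset is loaded on a remote box. This is an added example, not part of the original thread; the function names and the sample addresses (documentation ranges) are assumptions.

```shell
#!/bin/sh
# Added example: verify first-match ordering of the INPUT chain in an
# iptables-save style file. Prints one line per problem; non-zero on any.
check_input_order() {
    awk '
    $1 == "-A" && $2 == "INPUT" {
        n++
        if (!est && /--state [A-Z,]*ESTABLISHED/ && /-j ACCEPT/) est = n
        if (!lg && /-j LOG/) lg = n
        # Catch-all drop: no match criteria between chain name and target.
        if (!drop && /^-A INPUT +-j DROP *$/) drop = n
    }
    END {
        if (!drop) { print "no catch-all DROP at the end of INPUT"; bad = 1 }
        if (!est || (drop && est > drop)) { print "no ESTABLISHED,RELATED accept before DROP: replies to outbound traffic are dropped"; bad = 1 }
        if (!lg || (drop && lg > drop)) { print "no LOG rule before DROP: rejected packets are never logged"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample in the layout of the file posted in the question
# (192.0.2.10 and 198.51.100.7 are documentation addresses, not real hosts).
sample_rules() {   # $1 = "before" or "after"
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    if [ "$1" = after ]; then
        echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    fi
    echo '-A INPUT -p tcp -m tcp -s 198.51.100.7 -d 192.0.2.10 --dport 22 -j ACCEPT'
    echo '-A INPUT -p tcp -m tcp -d 192.0.2.10 --dport 80 -j ACCEPT'
    echo '-A OUTPUT -j ACCEPT'
    if [ "$1" = after ]; then
        echo '-A INPUT -j LOG --log-level info --log-prefix "DENY "'
    fi
    echo '-A INPUT -j DROP'
    echo 'COMMIT'
}

tmp=$(mktemp)
for v in before after; do
    sample_rules "$v" > "$tmp"
    echo "== $v =="
    if check_input_order "$tmp"; then echo "ordering OK"; fi
done
rm -f "$tmp"
```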
 

Author Comment

by:Nathan_London
ID: 10723913
Thanks.

I have been using webmin to enter the tables. How do I do it from the shell and make sure the changes are applied?
Is there a config file just to edit?

N
0
 
LVL 9

Expert Comment

by:Alf666
ID: 10724046
webmin is updating your /etc/sysconfig/iptables file.

Once done with webmin, you can edit it by hand.
0
 

Author Comment

by:Nathan_London
ID: 10730446
Logging is now working :)

Please explain where these go in the rules and what they are doing exactly.

-A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

N
0
 
LVL 9

Expert Comment

by:Alf666
ID: 10730609
They go somewhere before the DROP rules.

Basically, it says that packets belonging to "existing sessions" are allowed to pass.
The state of a packet can be INVALID, NEW, ESTABLISHED, RELATED.
INVALID means it's not tied to any existing "session"
NEW means it's a packet for a new "session"
ESTABLISHED means an existing "session"
And finally, RELATED allows certain modules (like the conntrack_ftp) to dynamically allow certain packets to pass through. These modules are used for protocols allocating ports dynamically.

State can also be SNAT or DNAT. Refer to your doc about these.

This is handled by the connection tracking module. It's called the "state" module (hence the "-m").

The state module is very useful to keep track of the real connections. I always put "session" between quotes, because UDP, for example, has no session concept. But the state module emulates these.

Why do I have two of these ?

The INPUT one is mandatory for you. It means that you will accept returning packets from the hosts which you have allowed your firewall to talk to. That's probably why your host can not "talk" to anybody, even if you have authorized outbound traffic.

The OUTPUT one is the same, the other way. Once you start restricting access to outbound, you won't get packets back from your firewall, even on these ports you have allowed access to.

If you want to test this out, I recommend setting up the following first :

Create a shell script that clears up all rules.
Add it to a cron job that activates once every minute.
If it works, then activate it only every ten minutes (or more).
Then you can do your tests. It will be tricky not to be surprised by the cron job during your normal tests, but, if you "lose" the box, then it will revert back to a clean state by itself :-)

Beyond this, you'd better read a bit about it, or I'll end up rewriting an iptables manual :-))
0
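The cron safety net described in the comment above, as an added example that is not part of the original thread. The script path `/root/fw-rescue.sh`, the `--apply` switch and the `IPT` override are assumptions; note that after it fires the box is unfiltered until the real ruleset is reloaded, so the cron entry belongs only in the test window.

```shell
#!/bin/sh
# Added example (hypothetical path /root/fw-rescue.sh): safety net for remote
# firewall testing. Opens the filter table so a bad ruleset cannot lock you out.
# Crontab entry while testing (every 10 minutes); remove it when finished:
#   */10 * * * * /root/fw-rescue.sh --apply
IPT=${IPT:-iptables}

rescue_flush() {
    # Policies first: flushing a chain whose policy is DROP would drop everything.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -P "$chain" ACCEPT || return 1
    done
    $IPT -F || return 1     # delete all rules in the filter table
    $IPT -X || return 1     # delete user-defined chains
}

if [ "${1:-}" = "--apply" ]; then
    rescue_flush && logger -t fw-rescue "filter table reset to ACCEPT"
else
    # Dry run: print the commands instead of executing them.
    IPT="echo iptables" rescue_flush
fi
```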
 
LVL 9

Expert Comment

by:Alf666
ID: 10744875
Hi,

Do you need any more info ?
0
 

Author Comment

by:Nathan_London
ID: 10760530
That's great, thanks!

I have another question. I'll post it!
0
