Link to home
Get AccessLog in
Avatar of Nathan_London
Nathan_London

asked on

IP Tables - Someone do it for me i cant do it!!! ;-)

...Well I cant quite get the tricky tables to work.

Problem i have is i only have one remote box to set up. If I get it wrong then Im going to block my own access.

I have all the inbound blocking working fine.

I have 2 problems;

1) Outbound traffic is all blocked and I cant get it working with any combination of outbound chains. Im obviously doing something wrong!

2) I just can not get logging to work! and once I do what web based log analyser would be best.


i need;
Inbound already works
outbound all
logging on for rejects

Do you want to see my current config?

Nathan


Avatar of Alf666
Alf666

Yes. Send it here.

Once again, I can't help but advertise the excellent fwbuilder (http://www.fwbuilder.org)
It allows you to build your iptables scripts with an interface quite like Checkpoint's Firewall One.

Easy and well documented.

Avatar of Nathan_London

ASKER

Looks nice but I dont have x just shell and web access. Its a web server @ an ISP.

Here is
more /etc/sysconfig/iptables

I have hidden real ip addreses.



*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# ssh (22)
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 22 -j ACCEPT

# ssh (22)
-A INPUT -p tcp -m tcp -s JofficeIP -d server_adminIP --dport 22 -j ACCEPT

# ssh for support.  
-A INPUT -p tcp -m tcp -s 64.255.167.0/24 -d server_adminIP --dport 22 -j ACCEPT

# www
-A INPUT -p tcp -m tcp -d server_allinternetusersIP --dport 80 -j ACCEPT

# MYSQL
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 3306 -j ACCEPT

# Webmin for Joffice
-A INPUT -p tcp -m tcp -s JofficeIP -d server_adminIP --dport 100 -j ACCEPT

# irc
-A INPUT -p tcp -m tcp -d server_allinternetusersIP --dport 6667 -j ACCEPT

# ftp
-A INPUT -p tcp -m tcp -s JofficeIP -d server_adminIP --dport 20:21 -j ACCEPT

# ftp
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 20:21 -j ACCEPT

# ICMP from us
-A INPUT -p icmp -s officeIP -d server_adminIP -j ACCEPT

# ICMP from Joffice
-A INPUT -p icmp -s JofficeIP -d server_adminIP -j ACCEPT

# Webmin
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 100 -j ACCEPT

# ALL
-A OUTPUT -j ACCEPT

# SMTP
-A INPUT -p tcp -m tcp -d server_allinternetusersIP --dport 25 -j ACCEPT
-A INPUT -j DROP
COMMIT
ASKER CERTIFIED SOLUTION
Avatar of Alf666
Alf666

Link to home
membership
This content is only available to members.
To access this content, you must be a member of Experts Exchange.
Get Access
thanks.

I have been using webmin to enter the tables how do i do it from shell and make sure the changes are applied.
Is there a config file just to edit.

N
webmin is updating your /etc/sysconfig/iptables file.

Once done with webmin, you can edit it by hand.
Logging is now working :)

Please explain  here these go in the rules and what they are doing exactly.

-A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

N
They go somewhere before the DROP rules.

Basically, it says that packets belonging to "existing sessions" are allowed to pass.
The state of a packet can be INVALID, NEW, ESTABLISHED, RELATED.
INVALID means it's not tied to any existing "session"
NEW means it's a packet for a new "session"
ESTABLISHED means an existing "session"
And finally, RELATED allows certain modules (like the conntrack_ftp) to allow dynamically certain packets to pass thu. These modules are used for protocols allocating ports dynamically.

State can also be SNAT or DNAT. Refer to your doc about these.

This is handled by the connection tracking module. It's called the "state" module (hence the "-m").

The state module is very usefull to keep track of the real connections. I always put "session" between quotes, because UDP, for example, has not session concept. But the state module emulates these.

Why do I have two of these ?

The INPUT one is mandatory for you. It means that you will accept returning packets from the hosts which you have allowed your firewall to talk to. That's probably why your host can not "talk" to anybody, even if you have authorized outbound traffic.

The OUTPUT one is the same, the other way. Once you'll start restricting access to outbound, you won't get packets back from your firewall, even on these ports you have allowed access to.

If you want to test this out, I recommend setting up the following first :

Create a shell script that clears up all rules.
Add it to a cron job that activates once every minute.
If it works, then activate it only every ten minutes (or more).
Then you can do your tests. It will be tricky not to be surprised by the cron job during your normal tests, but, if you "loose" the box, then it will revert back to a clean state by itself :-)

Beyond this, you'd better read a bit about it, or I'll end up rewritting an iptables manual :-))
Hi,

Do you need anymore info ?
Thats great thanks!

I have another question. I'll post it!