Avatar of Nathan_London
Nathan_London asked on

IP Tables - Someone do it for me i cant do it!!! ;-)

...Well I cant quite get the tricky tables to work.

Problem i have is i only have one remote box to set up. If I get it wrong then Im going to block my own access.

I have all the inbound blocking working fine.

I have 2 problems;

1) Outbound traffic is all blocked and I cant get it working with any combination of outbound chains. Im obviously doing something wrong!

2) I just can not get logging to work! and once I do what web based log analyser would be best.


i need;
Inbound already works
outbound all
logging on for rejects

Do you want to see my current config?

Nathan


Linux Security

Avatar of undefined
Last Comment
Nathan_London

8/22/2022 - Mon
Alf666

Yes. Send it here.

Once again, I can't help but advertise the excellent fwbuilder (http://www.fwbuilder.org)
It allows you to build your iptables scripts with an interface quite like Checkpoint's Firewall One.

Easy and well documented.

ASKER
Nathan_London

Looks nice but I dont have x just shell and web access. Its a web server @ an ISP.

Here is
more /etc/sysconfig/iptables

I have hidden real ip addreses.



*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# ssh (22)
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 22 -j ACCEPT

# ssh (22)
-A INPUT -p tcp -m tcp -s JofficeIP -d server_adminIP --dport 22 -j ACCEPT

# ssh for support.  
-A INPUT -p tcp -m tcp -s 64.255.167.0/24 -d server_adminIP --dport 22 -j ACCEPT

# www
-A INPUT -p tcp -m tcp -d server_allinternetusersIP --dport 80 -j ACCEPT

# MYSQL
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 3306 -j ACCEPT

# Webmin for Joffice
-A INPUT -p tcp -m tcp -s JofficeIP -d server_adminIP --dport 100 -j ACCEPT

# irc
-A INPUT -p tcp -m tcp -d server_allinternetusersIP --dport 6667 -j ACCEPT

# ftp
-A INPUT -p tcp -m tcp -s JofficeIP -d server_adminIP --dport 20:21 -j ACCEPT

# ftp
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 20:21 -j ACCEPT

# ICMP from us
-A INPUT -p icmp -s officeIP -d server_adminIP -j ACCEPT

# ICMP from Joffice
-A INPUT -p icmp -s JofficeIP -d server_adminIP -j ACCEPT

# Webmin
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 100 -j ACCEPT

# ALL
-A OUTPUT -j ACCEPT

# SMTP
-A INPUT -p tcp -m tcp -d server_allinternetusersIP --dport 25 -j ACCEPT
-A INPUT -j DROP
COMMIT
ASKER CERTIFIED SOLUTION
Alf666

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
Nathan_London

thanks.

I have been using webmin to enter the tables how do i do it from shell and make sure the changes are applied.
Is there a config file just to edit.

N
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
Alf666

webmin is updating your /etc/sysconfig/iptables file.

Once done with webmin, you can edit it by hand.
ASKER
Nathan_London

Logging is now working :)

Please explain  here these go in the rules and what they are doing exactly.

-A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

N
Alf666

They go somewhere before the DROP rules.

Basically, it says that packets belonging to "existing sessions" are allowed to pass.
The state of a packet can be INVALID, NEW, ESTABLISHED, RELATED.
INVALID means it's not tied to any existing "session"
NEW means it's a packet for a new "session"
ESTABLISHED means an existing "session"
And finally, RELATED allows certain modules (like the conntrack_ftp) to allow dynamically certain packets to pass thu. These modules are used for protocols allocating ports dynamically.

State can also be SNAT or DNAT. Refer to your doc about these.

This is handled by the connection tracking module. It's called the "state" module (hence the "-m").

The state module is very usefull to keep track of the real connections. I always put "session" between quotes, because UDP, for example, has not session concept. But the state module emulates these.

Why do I have two of these ?

The INPUT one is mandatory for you. It means that you will accept returning packets from the hosts which you have allowed your firewall to talk to. That's probably why your host can not "talk" to anybody, even if you have authorized outbound traffic.

The OUTPUT one is the same, the other way. Once you'll start restricting access to outbound, you won't get packets back from your firewall, even on these ports you have allowed access to.

If you want to test this out, I recommend setting up the following first :

Create a shell script that clears up all rules.
Add it to a cron job that activates once every minute.
If it works, then activate it only every ten minutes (or more).
Then you can do your tests. It will be tricky not to be surprised by the cron job during your normal tests, but, if you "loose" the box, then it will revert back to a clean state by itself :-)

Beyond this, you'd better read a bit about it, or I'll end up rewritting an iptables manual :-))
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Alf666

Hi,

Do you need anymore info ?
ASKER
Nathan_London

Thats great thanks!

I have another question. I'll post it!