IP Tables - Someone do it for me I can't do it!!! ;-)

Nathan_London
Last Modified: 2010-04-22
...Well I can't quite get the tricky tables to work.

The problem I have is I only have one remote box to set up. If I get it wrong then I'm going to block my own access.

I have all the inbound blocking working fine.

I have 2 problems:

1) Outbound traffic is all blocked and I can't get it working with any combination of outbound chains. I'm obviously doing something wrong!

2) I just cannot get logging to work! And once I do, what web-based log analyser would be best?


I need:
Inbound already works
outbound all
logging on for rejects

Do you want to see my current config?

Nathan



Commented:
Yes. Send it here.

Once again, I can't help but advertise the excellent fwbuilder (http://www.fwbuilder.org)
It allows you to build your iptables scripts with an interface quite like Checkpoint's Firewall One.

Easy and well documented.

Author

Commented:
Looks nice but I don't have X, just shell and web access. It's a web server @ an ISP.

Here is
more /etc/sysconfig/iptables

I have hidden real IP addresses.



*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# ssh (22)
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 22 -j ACCEPT

# ssh (22)
-A INPUT -p tcp -m tcp -s JofficeIP -d server_adminIP --dport 22 -j ACCEPT

# ssh for support.  
-A INPUT -p tcp -m tcp -s 64.255.167.0/24 -d server_adminIP --dport 22 -j ACCEPT

# www
-A INPUT -p tcp -m tcp -d server_allinternetusersIP --dport 80 -j ACCEPT

# MYSQL
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 3306 -j ACCEPT

# Webmin for Joffice
-A INPUT -p tcp -m tcp -s JofficeIP -d server_adminIP --dport 100 -j ACCEPT

# irc
-A INPUT -p tcp -m tcp -d server_allinternetusersIP --dport 6667 -j ACCEPT

# ftp
-A INPUT -p tcp -m tcp -s JofficeIP -d server_adminIP --dport 20:21 -j ACCEPT

# ftp
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 20:21 -j ACCEPT

# ICMP from us
-A INPUT -p icmp -s officeIP -d server_adminIP -j ACCEPT

# ICMP from Joffice
-A INPUT -p icmp -s JofficeIP -d server_adminIP -j ACCEPT

# Webmin
-A INPUT -p tcp -m tcp -s officeIP -d server_adminIP --dport 100 -j ACCEPT

# ALL
-A OUTPUT -j ACCEPT

# SMTP
-A INPUT -p tcp -m tcp -d server_allinternetusersIP --dport 25 -j ACCEPT
-A INPUT -j DROP
COMMIT

Author

Commented:
Thanks.

I have been using Webmin to enter the tables. How do I do it from shell and make sure the changes are applied?
Is there a config file just to edit?

N

Commented:
Webmin is updating your /etc/sysconfig/iptables file.

Once done with webmin, you can edit it by hand.

Author

Commented:
Logging is now working :)

Please explain where these go in the rules and what they are doing exactly.

-A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

N

Commented:
They go somewhere before the DROP rules.

Basically, it says that packets belonging to "existing sessions" are allowed to pass.
The state of a packet can be INVALID, NEW, ESTABLISHED, RELATED.
INVALID means it's not tied to any existing "session"
NEW means it's a packet for a new "session"
ESTABLISHED means an existing "session"
And finally, RELATED allows certain modules (like the conntrack_ftp) to dynamically allow certain packets to pass through. These modules are used for protocols allocating ports dynamically.

State can also be SNAT or DNAT. Refer to your doc about these.

This is handled by the connection tracking module. It's called the "state" module (hence the "-m").

The state module is very useful to keep track of the real connections. I always put "session" between quotes, because UDP, for example, has no session concept. But the state module emulates these.

Why do I have two of these?

The INPUT one is mandatory for you. It means that you will accept returning packets from the hosts which you have allowed your firewall to talk to. That's probably why your host cannot "talk" to anybody, even if you have authorized outbound traffic.

The OUTPUT one is the same, the other way. Once you start restricting access to outbound, you won't get packets back from your firewall, even on these ports you have allowed access to.

If you want to test this out, I recommend setting up the following first:

Create a shell script that clears up all rules.
Add it to a cron job that activates once every minute.
If it works, then activate it only every ten minutes (or more).
Then you can do your tests. It will be tricky not to be surprised by the cron job during your normal tests, but, if you "lose" the box, then it will revert back to a clean state by itself :-)

Beyond this, you'd better read a bit about it, or I'll end up rewriting an iptables manual :-))
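
The placement advice in the comment above ("somewhere before the DROP rules") can be checked offline before a rules file is loaded on a remote box. This is an added example, not part of the original thread: the function name check_state_order, the 192.0.2.10 address and both rule sets are constructed for illustration, and the script only reads files and never touches the live firewall.

```shell
#!/bin/sh
# Added example: lint an iptables-save style file (e.g. /etc/sysconfig/iptables).
# iptables stops at the first matching rule, so an ESTABLISHED accept only
# helps when it sits above the chain's catch-all DROP/REJECT.

check_state_order() {   # $1 = rules file; returns 1 if any chain fails
    awk '
        $1 != "-A" { next }
        { chain = $2 }
        # Catch-all rule: exactly "-A CHAIN -j DROP" or "-A CHAIN -j REJECT".
        NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") {
            if (!(chain in closed) && !(chain in stateful)) {
                print chain ": no ESTABLISHED accept before catch-all " $4
                bad = 1
            }
            closed[chain] = 1
            next
        }
        # Stateful accept seen while the chain is still open.
        /--(ct)?state +[A-Z,]*ESTABLISHED/ && /-j ACCEPT/ {
            if (!(chain in closed)) stateful[chain] = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed samples (192.0.2.10 is a documentation address, not from the thread).
SAMPLES=$(mktemp -d)
BAD="$SAMPLES/bad.rules"; GOOD="$SAMPLES/good.rules"

cat > "$BAD" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -s 192.0.2.10 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF

# Same rules with the state match inserted above the final DROP.
sed 's/^-A INPUT -j DROP$/-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\
&/' "$BAD" > "$GOOD"

for f in "$BAD" "$GOOD"; do
    if check_state_order "$f"; then echo "$f: ok"; else echo "$f: FAIL"; fi
done
```

The OUTPUT chain in the sample passes because it has no catch-all DROP yet; once outbound restrictions are added, the same check flags a missing OUTPUT state rule.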

Commented:
Hi,

Do you need any more info?

Author

Commented:
That's great, thanks!

I have another question. I'll post it!