Iptables question

Hello All

After wading through a lot of material pertaining to iptables, I have made a set of chains that should secure this server.

The server has a network card on eth0 that should have open ports for:
 http, https, pop3, smtp, pop3s, and mysql

The server has a network card on eth1 that should have open ports for a lot of other services.

The eth1 card is on the same subnet as eth0 but is considered to be "LAN ONLY". It is providing network speed up to 2 gigabit to our LAN.

I have had these chains in use on a test setup for a few days now and they seem to work, but there is a catch. The mail that gets routed through the server does not leave. Something is preventing outgoing traffic. It seems that the server cannot open ports on other machines.

I appreciate any help.



Thanks a lot.


cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]


#prevent DOS by ping
-A INPUT -m limit --limit 1/m --limit-burst 5 -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-net-prohibited
-A INPUT -p icmp -j ACCEPT

#prevent TCP spoofing by Sequence Number Prediction
-A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

#prevent giving ourselves away to NMAP & others

-A INPUT -p tcp --tcp-flags FIN,PSH,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#REJECT WAN on eth1
#NOTE: when a machine on the LAN starts, it will send broadcasts that are NOT on the subnet,
#so to prevent them from showing here, we use the MAC matching to know that it comes from us

-A INPUT -s ! 192.168.0.1/24 -i eth1 -m mac --mac-source ! 00:11:11:11:00:07 -j LOG --log-prefix "Incomming WAN on eth1!"
-A INPUT -s ! 192.168.0.1/24 -i eth1 -m mac --mac-source ! 00:11:11:11:00:07 -j DROP

#ALLOW on eth1:

-A INPUT -s 192.168.0.1/24 -i eth1 -p tcp -m multiport --destination-port 22,25,37,81,82,83,84,110,631,139,143,993,995,3493 -j ACCEPT
-A INPUT -s 192.168.0.1/24 -i eth1 -p tcp -m multiport --destination-port 4000,4001,4002,4003,4004,123 -j ACCEPT
-A INPUT -s 192.168.0.1/24 -i eth1 -p tcp --dport 32700: -j ACCEPT

#some UDP allowed on eth1 from local network

-A INPUT -s 192.168.0.1/24 -i eth1 -p udp --dport 123 -j ACCEPT

#And be sure to drop them on eth0. This should not be necessary but is just for redundancy
-A INPUT -i eth0 -p tcp -m multiport --destination-port 22,37,81,82,83,84,631,139,143,993,995,3493 -j REJECT
-A INPUT -i eth0 -p tcp -m multiport --destination-port 4000,4001,4002,4003,4004,123 -j REJECT
-A INPUT -i eth0 -p tcp --dport 32700: -j REJECT
-A INPUT -i eth0 -p udp --dport 123 -j REJECT

#Allowed services on eth0

-A INPUT -i eth0 -p tcp -m multiport --destination-port 25,80,110,443,445,995,3306 -j ACCEPT


COMMIT


Asked by x_terminat_or_3

XoF commented:
Hi,

> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]

First of all, you might want to spend a few thoughts on your default policy...


> -A INPUT -m limit --limit 1/m --limit-burst 5 -p icmp --icmp-type echo-request -j ACCEPT
> -A INPUT -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-net-prohibited
OK

> -A INPUT -p icmp -j ACCEPT

Unnecessary, default is "ACCEPT"

> -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
> -A INPUT -p tcp --tcp-flags FIN,PSH,URG FIN,PSH,URG -j DROP
> -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
OK

In general:
192.168.0.1/24 obviously makes no sense at all, as 192.168.0.1 is a host address, not a network! This will evaluate to 192.168.0.0/24. Is that what you want?

> -A INPUT -s ! 192.168.0.1/24 -i eth1 -m mac --mac-source ! 00:11:11:11:00:07 -j LOG --log-prefix "Incomming WAN on eth1!"
> -A INPUT -s ! 192.168.0.1/24 -i eth1 -m mac --mac-source ! 00:11:11:11:00:07 -j DROP
What do you want to achieve with that mac-target? I guess, 00:11:11:11:00:07 is your router's MAC-Address, right? But for all packets on eth1 there are two possibilities:
- "local" packet, so the IP-Address is within 192.168.0.0/24
- "remote" packet, so the MAC-Address is set to the router's one

Your rule won't match either...

 

> -A INPUT -s 192.168.0.1/24 -i eth1 -p tcp -m multiport --destination-port 22,25,37,81,82,83,84,110,631,139,143,993,995,3493 -j ACCEPT
> -A INPUT -s 192.168.0.1/24 -i eth1 -p tcp -m multiport --destination-port 4000,4001,4002,4003,4004,123 -j ACCEPT
> -A INPUT -s 192.168.0.1/24 -i eth1 -p tcp --dport 32700: -j ACCEPT
> -A INPUT -s 192.168.0.1/24 -i eth1 -p udp --dport 123 -j ACCEPT
these rules have no effect at all, as default is ACCEPT

> -A INPUT -i eth0 -p tcp -m multiport --destination-port 22,37,81,82,83,84,631,139,143,993,995,3493 -j REJECT
> -A INPUT -i eth0 -p tcp -m multiport --destination-port 4000,4001,4002,4003,4004,123 -j REJECT
Why not reject all and only allow needed services?

> -A INPUT -i eth0 -p tcp --dport 32700: -j REJECT
> -A INPUT -i eth0 -p udp --dport 123 -j REJECT
OK

> -A INPUT -i eth0 -p tcp -m multiport --destination-port 25,80,110,443,445,995,3306 -j ACCEPT
these rules have no effect at all, as default is ACCEPT



Could you explain your network setup a little more verbosely? As far as I understood, you have one box, two NICs, both on the same subnet. One is needed for LAN connectivity, and the other one? WAN? Bad idea...
Do you do forwarding/routing on that server?


cheers,

-XoF-
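As an added illustration of XoF's points (not code from the thread), this Python model evaluates the poster's "WAN on eth1" rule and a representative subset of the INPUT chain against constructed packets; the hosts and MACs are hypothetical, and reading 00:11:11:11:00:07 as the router's MAC follows XoF's assumption.

```python
import ipaddress

# iptables masks the host bits of "192.168.0.1/24" away; strict=False reproduces that.
LAN = ipaddress.ip_network("192.168.0.1/24", strict=False)
ROUTER_MAC = "00:11:11:11:00:07"  # read, as XoF does, as the router's MAC (assumption)


def lan_as_iptables_sees_it():
    return str(LAN)  # '192.168.0.0/24'


def wan_on_eth1_matches(pkt):
    """Model of: -A INPUT -s ! 192.168.0.1/24 -i eth1 -m mac --mac-source ! ROUTER_MAC"""
    return (pkt["iface"] == "eth1"
            and ipaddress.ip_address(pkt["src"]) not in LAN
            and pkt["mac"].lower() != ROUTER_MAC)


def input_verdict(pkt, policy="ACCEPT"):
    """First matching rule wins; a packet reaching the end gets the chain policy.
    Only a representative subset of the poster's INPUT rules is modelled."""
    src_local = ipaddress.ip_address(pkt["src"]) in LAN
    tcp = pkt["proto"] == "tcp"
    if wan_on_eth1_matches(pkt):
        return "DROP"
    if pkt["iface"] == "eth1" and src_local and tcp and pkt["dport"] in {22, 25, 631}:
        return "ACCEPT"  # no-op while the chain policy is ACCEPT
    if pkt["iface"] == "eth0" and tcp and pkt["dport"] in {22, 631}:
        return "REJECT"  # LAN-only ports rejected on eth0
    if pkt["iface"] == "eth0" and tcp and pkt["dport"] in {25, 80, 110, 443}:
        return "ACCEPT"  # also a no-op while the chain policy is ACCEPT
    return policy


def packet(iface, src, mac, dport, proto="tcp"):
    return {"iface": iface, "src": src, "mac": mac, "proto": proto, "dport": dport}


# Constructed packets; the hosts and MACs are hypothetical.
LAN_SSH = packet("eth1", "192.168.0.55", "00:aa:bb:cc:dd:ee", 22)
LAN_UNLISTED = packet("eth1", "192.168.0.55", "00:aa:bb:cc:dd:ee", 8080)
# An Internet host only reaches eth1 through the router, so the frame carries the router's MAC.
WAN_VIA_ROUTER = packet("eth1", "203.0.113.9", ROUTER_MAC, 22)
# The only thing the rule catches: a directly attached host using a non-LAN source address.
MISADDRESSED_LOCAL = packet("eth1", "203.0.113.9", "00:aa:bb:cc:dd:ee", 22)
```

Run the verdicts with policy="DROP" to see which of the poster's ACCEPT rules actually start doing work once the default policy is tightened.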

x_terminat_or_3 (Author) commented:
Hi XoF

Actually you should drop the chains I mentioned there because the situation has been changed.

I got some advice on a forum that it would be better if I have one "input" and one "output" NIC on that server.

The output being the internet

It means that the workstations from the local network will use the server as a router

So eth1 (LAN) will be on the subnet 255.255.0.0 (128.138.0.0/16)
eth0 will be on the subnet 255.255.255.0 (192.168.0.0/24)

I need help making those iptables rules.

Could you make an example of how to do this?

*filter
INPUT:REJECT
OUTPUT:REJECT
FORWARD:REJECT


It will have to do NAT as well. How?


Kind regards


Ramses aka x_terminat_or_3
XoF commented:
Please describe clearly:

- what's your LAN interface (I guess eth0, not eth1 as described)? IP address?
- what's your WAN interface (I guess eth1)? IP address?

- what's your internet router's IP-address?
- which ports do you need to be reachable from the outside?
- which ports do you need to be reachable from the inside?

- Are you really at the University of Colorado (the owner of the mentioned class B network)?

cheers,

-XoF-
x_terminat_or_3 (Author) commented:
Dear XoF

I might have a misunderstanding in regard to subnets, but the /16 subnet example IP range I gave I found in a book. No, I am not the owner of Colorado University, but since eth1 is a Local Area Network, I see no reason not to use it.

IP address of the internet router 192.168.0.1/255

LAN interface eth1 IP address not yet set. Was thinking of a /16 network
WAN interface eth0 IP address 192.168.0.10/255

Ports from the outside that need to connect to LAN: 80,110,25,443
Ports from the inside that need to connect to the internet: 80,25,110,443,others

Ports that are only open locally: 631,22, others

Thank you
XoF commented:
Hi,

You should avoid using officially registered networks for a private setup. That is what private networks exist for, e.g. 10.*.*.*/8, 172.*.*.*/16, 192.168.*.*/24.
You are definitely encouraged to use one of those, as these addresses are not being routed within the global network.

> Ip address of the internet router 192.168.0.1/255

well, that means that you have to do DNAT on the internet router for the services on your server to be reachable from the outer world.
That's not an iptables question, but depends on the type of router you use.

Additionally, in a setup like yours, there's no need for the server to be a router between two networks.
Either use 192.168.0.0 as your LAN and place your server within it, or (much better) put it into a separate network (DMZ) attached to your internet router via a third interface.

a)
internet ------ router ------- LAN
                                 |
                                 |---- server

b) (preferred)
internet ------ router ------- LAN
                       |
                       |
                   server


c) your setup: (IMHO no advantage over a) )

internet ------ router ------- server ------LAN


cheers,

-XoF-
x_terminat_or_3 (Author) commented:
IYHO

What would be the best in this situation?

Situation

internet-------router-----switch ---clients
                         |                |
                         |                |
                         \--------- server

The router is 10/100Base-T.

The switch is 10/100/1000, as are the clients and eth1 on the server.

I made this setup originally to allow gigabit speeds on the LAN.
Then I started the ipchains to secure the lot.
Basically I wanted to void all internet traffic on eth1 and void all inbound traffic on eth0 unless it is specified in the chains.

XoF commented:
Damn! Now I understand...
Line speed is your concern/problem. OK!

Comparing these two possible setups:

a)
internet-------router-----switch ---clients
                         |                |
                         |                |
                         \--------- server


and

b)
internet-------router-----switch ---clients
                                          |
                                          |
                                     server


Concerning security, a) IMHO has no advantage over b), so following the "KISS" principle (Keep it small & simple/stupid), I'd implement setup b).
In each case, replacing the router by an application level firewall would be a _very good_ idea.
As you use an RFC network (192.168.*.*) behind the router, you have to do DNAT on the router for the server's services to be available to the outside. So these DNAT rules already implement some sort of access control to the server: only ports which are DNATed on the router can be reached.

As you don't want to restrict services to certain clients within your LAN, you don't even need filter rules on your server; just make sure that only needed services are running on the server. Restricting access to closed ports makes no sense at all.
DOS and "TCP abuse" protection should be done on the router, not the server.

Really HTH,

-XoF-
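XoF's closing advice reduces host security to "only needed services are listening". As an added example (not from the thread), this Python check parses a constructed /proc/net/tcp excerpt and flags listening sockets reachable from the network that the thread never planned for; the expected port set is taken from the poster's own list, and the sample lines are made up.

```python
import ipaddress

# Ports the thread says the server must serve: 25, 80, 110, 443 via the router's DNAT,
# 22 and 631 LAN-only. Anything else listening on a non-loopback address is suspect.
EXPECTED_PORTS = {22, 25, 80, 110, 443, 631}
LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed /proc/net/tcp excerpt (not from the poster's box). Addresses are hex in host
# byte order (little-endian on x86); the columns after "st" are omitted since they are unused.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 00000000:0019 00000000:0000 0A
   2: 00000000:0050 00000000:0000 0A
   3: 00000000:006E 00000000:0000 0A
   4: 00000000:01BB 00000000:0000 0A
   5: 0100007F:0CEA 00000000:0000 0A
   6: 00000000:0277 00000000:0000 0A
   7: 00000000:2328 00000000:0000 0A
   8: 0A00000A:0016 0B00000A:C3D4 01
"""


def decode_addr(field):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306); byte order is reversed for little-endian hosts."""
    hexip, hexport = field.split(":")
    ip = ipaddress.IPv4Address(bytes.fromhex(hexip)[::-1])
    return str(ip), int(hexport, 16)


def parse_listeners(text):
    """Return (ip, port) for every socket in LISTEN state, skipping the header line."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[3] == LISTEN:
            listeners.append(decode_addr(fields[1]))
    return listeners


def unexpected_listeners(listeners, expected=EXPECTED_PORTS):
    """Listening sockets reachable from the network that are not in the planned port set.
    Loopback-only daemons (MySQL on 127.0.0.1 in the sample) cannot be reached via DNAT."""
    return sorted((ip, port) for ip, port in listeners
                  if not ipaddress.IPv4Address(ip).is_loopback and port not in expected)
```

On a live box, feed the contents of /proc/net/tcp to parse_listeners and treat every flagged entry as a service to stop or bind to loopback, rather than something to filter with iptables.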
x_terminat_or_3 (Author) commented:
Thanks, that really helps.