Solved

How to edit firewall rule for this?

Posted on 2008-06-17
335 Views
Last Modified: 2010-04-09
I shouldn't expose 25 and 5432 through the firewall.
I need to unblock ports 22 for ssh, 80 for http and 443 for https.
25 should be kept open for outgoing traffic only.

I want to edit iptables accordingly.
Please advise. I am using GNU/Linux.

Question by:jaisonshereen
10 Comments
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 21808046
Do you have any outgoing ports blocked? That is really a separate question.
For incoming calls, you have to decide which host is to receive the call - i.e. when the external interface is called on port 25 then that is forwarded and Network Address Translated (NAT'd) to a specific interface and host on that interface. If you want it to come in to the box running iptables, change the filter rule. Examples below
# --- NAT script (part of) ----

set -x

# We don't expect the gateway address to change, but check it anyway...
gateway=`cat /etc/dhcpc/dhcpcd-eth1.info|grep IPADDR|cut -d= -f2`
[ -z "$gateway" ] && gateway=210.49.215.145

# We don't expect the address of Andrew's computer to change,
# but check it anyway...
andrew=`/usr/bin/dig andrew.mshome.net| \
  /usr/bin/grep -A1 "ANSWER SECTION"| \
  /usr/bin/grep -i andrew.mshome.net| \
  /usr/bin/awk '{print $5}'`
[ -z "$andrew" ] && andrew=192.168.0.99

# nat table (Router function)
# === ===== ======= =========

# Mangle source addresses of all outgoing traffic
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $gateway

# Route some specific incoming calls to Andrew's pc
for i in \
  6112 \
  6500 \
  6969 \
  7777 \
  7778 \
  47624 \
  9000
do
  iptables -t nat -A PREROUTING -i eth1 -p tcp --dport $i -j DNAT --to $andrew
done


# --- Complete firewall script

# filter table (Firewall function)
# ====== ===== ========= =========

# A chain to log & drop a packet, except don't log FIN pkts
iptables -N logdrop
iptables -A logdrop -p tcp -m tcp --tcp-flags FIN FIN -j DROP
# Actually all logging is commented out because too much stuff gets logged
#iptables -A logdrop -j LOG --log-level debug
iptables -A logdrop -j DROP

# A chain to inspect incoming (to this box) packets from cable modem
iptables -N cable
# Allow bootps->bootpc udp
iptables -A cable -p udp --source-port 67 --destination-port 68 -j ACCEPT
# Allow icmp but not too many
iptables -A cable -p icmp -m limit --limit 5/second -j ACCEPT
# Allow DNS replies
iptables -A cable -p udp --source-port 53 -j ACCEPT
iptables -A cable -j logdrop

# Firewall rule - check incoming (to this box) packets from cable modem
iptables -A INPUT -i eth1 -j cable

set +x

0
 

Author Comment

by:jaisonshereen
ID: 21808177
Hi,

I am a newbie in Linux. Please explain in detail.

Do you have any outgoing ports blocked?

How to check this?

The question here is

I shouldn't expose 25 and 5432 through the firewall. ---------> means except for 25 and 5432, everything I can allow. Please provide the command for this.

I need to unblock ports 22 for ssh, 80 for http and 443 for https. ---> means unblock 22, 80 and 443, right?
Please provide the command.


25 should be kept open for outgoing traffic only. ---> means we already blocked 25 and we need to allow this for outgoing only, right? Please provide the command.
0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 21812050
I don't block any outgoing connections and have never looked up how to do that. Consult the iptables / netfilter man pages and kernel source documentation to find out how to do it and whether it's in effect just now.
To give you more explicit commands I need to know: do you want incoming port 25 (and the others) to the system running iptables? Or do you want it on some other system on a lan that the iptables system routes to?
0
 

Author Comment

by:jaisonshereen
ID: 21812673
do you want incoming port 25 (and the others) to the system running iptables?
Yes
Or do you want it on some other system on a lan that the iptables system routes to?
No

How to check whether any outgoing ports are blocked?
0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 21817676
I assume you are using eth0 for your connection. "ifconfig" will confirm this. A rule to open port 22:

iptables -A INPUT -i eth0 -p tcp --destination-port 22 -j ACCEPT

Put this rule first (or early on).
I do not know how 25 outgoing is blocked. Please post all the rules that you have and I'll have a try.
0
 

Author Comment

by:jaisonshereen
ID: 21817881
This is what iptables lists:

Can you tell me what each entry means:


[root@server monit-5.0-beta1]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
[root@server monit-5.0-beta1]#

0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 21821451
No. I don't find the output from "iptables -L" particularly helpful actually. What I wanted you to post was your rules files. Please do that.
0
 

Author Comment

by:jaisonshereen
ID: 21821479
[root@server sysconfig]# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.xx.0.xx -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@server sysconfig]#

0
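Two questions in this thread, whether anything outgoing is blocked and what the posted entries mean, can be answered by reading the rules file itself rather than `iptables -L`. The shell script below is an added example, not code from the thread: it parses a file in the iptables-save format posted above (a constructed copy of that file is embedded so the script runs offline), prints the OUTPUT chain's policy and rule count, and lists every inbound ACCEPT that names a destination port, warning when 25 or 5432 is among them. The file path defaults to the built-in copy; pass /etc/sysconfig/iptables as the argument to audit the live file.

```shell
#!/bin/sh
# Added example, not from the thread: audit an /etc/sysconfig/iptables style
# rules file (iptables-save format) for inbound exposure and outgoing limits.
# Usage: sh audit.sh [rules-file]   (default: built-in copy of the posted file)

# Constructed copy of the rules file posted in this thread, used for offline runs.
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Policy of built-in chain $1 in rules file $2 (the ":CHAIN POLICY [..]" header line).
chain_policy() {
    awk -v c=":$1" '$1 == c { print $2; exit }' "$2"
}

# Number of rules appended to chain $1 in rules file $2; 0 means only the policy applies.
rule_count() {
    awk -v c="$1" '$1 == "-A" && $2 == c { n++ } END { print n + 0 }' "$2"
}

# List "proto/port" for every ACCEPT rule with a --dport that sits on the INPUT
# path: rules in INPUT itself or in any chain INPUT jumps to (RH-Firewall-1-INPUT here).
# The file is read twice: pass 1 collects the chains INPUT jumps to, pass 2 scans them.
inbound_accept_ports() {
    awk '
        NR == FNR {
            if ($1 == "-A" && $2 == "INPUT") {
                for (i = 3; i <= NF; i++) if ($i == "-j") chain[$(i + 1)] = 1
            }
            next
        }
        $1 == "-A" && ($2 == "INPUT" || ($2 in chain)) && /-j ACCEPT/ {
            proto = "any"; port = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") print proto "/" port
        }
    ' "$1" "$1"
}

# Exit status 0 when port $1 (any protocol) is accepted inbound in rules file $2.
is_exposed() {
    inbound_accept_ports "$2" | grep -q "/$1\$"
}

audit() {
    f="$1"
    echo "OUTPUT policy: $(chain_policy OUTPUT "$f"), OUTPUT rules: $(rule_count OUTPUT "$f")"
    echo "Inbound ACCEPT rules that name a port:"
    inbound_accept_ports "$f" | sed 's/^/  /'
    for p in 25 5432; do
        is_exposed "$p" "$f" && echo "WARNING: port $p is accepted inbound"
    done
    return 0
}

if [ -n "$1" ]; then
    audit "$1"
else
    tmp=$(mktemp); sample_rules > "$tmp"; audit "$tmp"; rm -f "$tmp"
fi
```

Run against the posted file it reports an OUTPUT policy of ACCEPT with zero OUTPUT rules, so nothing outgoing is restricted (outbound 25 included), lists udp/5353, udp/631, tcp/631, tcp/25 and tcp/22 as accepted inbound, and warns on 25. Port 5432 does not appear because no rule accepts it and the final REJECT rule catches it.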
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 21827046
Thanks for that. I'm not familiar with the Red Hat configuration system - was hoping to see the actual iptables command lines (which is how I configure it).  But you might have trouble getting these.
Actually the -A lines look like they are the arguments to iptables. Maybe I can make sense of this after work (have to go now)
0
 
LVL 34

Accepted Solution

by: Duncan Roe (earned 500 total points)
ID: 21835825
I have a little more information for you. Some comes straight from the man page, acknowledged by xml-style <man></man>
There are 4 *tables* which are: filter, nat, mangle and raw. Mangle and raw are rather specialised and not used in a typical installation. Nat is used when routing packets to other systems. That leaves "filter". <man>It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).</man>
"iptables -L" will list all chains in a single table - by default it lists "filter". This is likely the only table you have anyway. According to your iptables -L output, your output chain is empty with a policy of ACCEPT. So there should be no restrictions on outgoing connections.

The FORWARD and INPUT chains also have policy ACCEPT. These chains send all packets to the RH-Firewall-1-INPUT chain, which is user-defined. You can see its definition in your post above: it's all the lines that start -A RH-Firewall-1-INPUT.
The first rule (with "-i" in it) applies only to loopback connections:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
"-i lo" identifies the "local" interface, 127.0.0.1. Calls to this interface are always accepted. That's fine, but gives rise to the following line in "iptables -L":

ACCEPT     all  --  anywhere             anywhere

which makes it look like the firewall is completely open. That's the reason I asked to see your rules.
The "icmp" line lets other systems ping you. You can (but haven't) limit ping responses to some number per second, in order to combat Denial of Service (DoS) attacks. You can see in my first post how to do that.

Protocols 50 and 51 are open. I don't know what these are. "iptables -L" lists them as esp and ah.

There's a 1:1 correspondence between lines in your rules file and the output from iptables -L from now on. I'm not sure what the deal is with the "state" lines but have run out of time again. You need to find out what is the file you are supposed to modify since it's not the file you posted.

Hope that's some help - post any more questions you may have.
0
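The accepted answer explains how INPUT and FORWARD hand everything to the RH-Firewall-1-INPUT chain; what the thread never gets to is the concrete rule set for the question as asked (inbound 22, 80 and 443 open; 25 and 5432 not exposed; 25 allowed outgoing). The script below is an added example, not the expert's or Red Hat's code. It issues plain iptables commands in the style of the first expert post, rebuilding the same chain layout as the posted file minus its `--dport 25 -j ACCEPT` line, and assumes eth0 is the external interface (confirm with ifconfig, as the expert says). Unless it is run as root with APPLY=1 it only prints the commands it would execute, which is also how the check below exercises it. On this Red Hat system the file shown above, /etc/sysconfig/iptables, is the one the iptables init script loads at boot, so rules applied with these commands also need to be saved there (for example with `service iptables save`) or they will not survive a restart.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the Red Hat style RH-Firewall-1-INPUT
# chain so that inbound 22/80/443 are accepted, inbound 25 and 5432 are rejected,
# and outbound 25 stays allowed. Dry run by default; APPLY=1 as root executes.

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    IPT=iptables
else
    IPT="echo iptables"          # dry run: print what would be executed
fi

# External interface (assumption: eth0; check with ifconfig)
WAN_IF="${WAN_IF:-eth0}"

build_firewall() {
    # Start from an empty filter table with the same permissive built-in
    # policies as the posted file (":INPUT ACCEPT" etc.)
    $IPT -F
    $IPT -X
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT

    # User-defined chain that INPUT and FORWARD hand every packet to
    $IPT -N RH-Firewall-1-INPUT
    $IPT -A INPUT -j RH-Firewall-1-INPUT
    $IPT -A FORWARD -j RH-Firewall-1-INPUT

    # Loopback, rate-limited ICMP (as in the first expert post), and replies
    # to connections this box opened itself
    $IPT -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    $IPT -A RH-Firewall-1-INPUT -p icmp -m limit --limit 5/second -j ACCEPT
    $IPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services exposed on the external interface: ssh, http, https
    for port in 22 80 443; do
        $IPT -A RH-Firewall-1-INPUT -i "$WAN_IF" -p tcp -m state --state NEW --dport "$port" -j ACCEPT
    done

    # The posted file's "--dport 25 -j ACCEPT" line is deliberately left out, so
    # inbound SMTP (25) and PostgreSQL (5432) fall through to this REJECT
    $IPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

    # Outbound mail. With OUTPUT policy ACCEPT this rule is redundant today, but it
    # keeps outgoing SMTP working if the OUTPUT policy is later tightened to DROP
    $IPT -A OUTPUT -p tcp --dport 25 -j ACCEPT
}

build_firewall
```

The order matters: the three service rules sit before the REJECT, as the expert advised for the port 22 rule ("put this rule first, or early on"), and the ESTABLISHED,RELATED rule precedes them so return traffic for outgoing connections, including outbound 25, is accepted regardless of port.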
