
Solved

How to edit firewall rule for this ?

Posted on 2008-06-17
Last Modified: 2010-04-09
I shouldn't expose 25 and 5432 through the firewall.
I need to unblock ports 22 for ssh, 80 for http and 443 for https.
25 should be kept open for outgoing traffic only.

I want to edit iptables accordingly.
Please advise. I am using GNU/Linux.

Question by:jaisonshereen
10 Comments
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 21808046
Do you have any outgoing ports blocked? That is really a separate question.
For incoming calls, you have to decide which host is to receive the call - i.e. when the external interface is called on port 25 then that is forwarded and Network Address Translated (NAT'd) to a specific interface and host on that interface. If you want it to come in to the box running iptables, change the filter rule. Examples below:
# --- NAT script (part of) ----
 
set -x
 
# We don't expect the gateway address to change, but check it anyway...
gateway=`cat /etc/dhcpc/dhcpcd-eth1.info|grep IPADDR|cut -d= -f2`
[ -z "$gateway" ] && gateway=210.49.215.145
 
# We don't expect the address of Andrew's computer to change,
# but check it anyway...
andrew=`/usr/bin/dig andrew.mshome.net| \
  /usr/bin/grep -A1 "ANSWER SECTION"| \
  /usr/bin/grep -i andrew.mshome.net| \
  /usr/bin/awk '{print $5}'`
[ -z "$andrew" ] && andrew=192.168.0.99
 
# nat table (Router function)
# === ===== ======= =========
 
# Mangle source addresses of all outgoing traffic
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $gateway
 
# Route some specific incoming calls to Andrew's pc
for i in \
  6112 \
  6500 \
  6969 \
  7777 \
  7778 \
  47624 \
  9000
do
  iptables -t nat -A PREROUTING -i eth1 -p tcp --dport $i -j DNAT --to $andrew
done
 
 
# --- Complete firewall script
 
# filter table (Firewall function)
# ====== ===== ========= =========
 
# A chain to log & drop a packet, except don't log FIN pkts
iptables -N logdrop
iptables -A logdrop -p tcp -m tcp --tcp-flags FIN FIN -j DROP
# Actually all logging is commented out because too much stuff gets logged
#iptables -A logdrop -j LOG --log-level debug
iptables -A logdrop -j DROP
 
# A chain to inspect incoming (to this box) packets from cable modem
iptables -N cable
# Allow bootps->bootpc udp
iptables -A cable -p udp --source-port 67 --destination-port 68 -j ACCEPT
# Allow icmp but not too many
iptables -A cable -p icmp -m limit --limit 5/second -j ACCEPT
# Allow DNS replies
iptables -A cable -p udp --source-port 53 -j ACCEPT
iptables -A cable -j logdrop
 
# Firewall rule - check incoming (to this box) packets from cable modem
iptables -A INPUT -i eth1 -j cable
set +x

 

Author Comment

by:jaisonshereen
ID: 21808177
Hi,

I am a newbie in Linux. Please explain in detail.

Do you have any outgoing ports blocked?

How to check this?

The question here is

I shouldn't expose 25 and 5432 through the firewall. ---------> means except for 25 and 5432, everything I can allow. Please provide the command for this.

I need to unblock ports 22 for ssh, 80 for http and 443 for https. ---> means unblock 22, 80 and 443, right?
Please provide the command.

25 should be kept open for outgoing traffic only. ---> means we already blocked 25 and we need to allow this for outgoing only, right? Please provide the command.
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 21812050
I don't block any outgoing connections and have never looked up how to do that. Consult the iptables / netfilter man pages and kernel source documentation to find out how to do it and whether it's in effect just now.
To give you more explicit commands I need to know: do you want incoming port 25 (and the others) to the system running iptables? Or do you want it on some other system on a lan that the iptables system routes to?

Author Comment

by:jaisonshereen
ID: 21812673
do you want incoming port 25 (and the others) to the system running iptables?
Yes
Or do you want it on some other system on a lan that the iptables system routes to?
No

How to check any outgoing ports are blocked?
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 21817676
I assume you are using eth0 for your connection. "ifconfig" will confirm this. A rule to open port 22:

iptables -A INPUT -i eth0 -p tcp --destination-port 22 -j ACCEPT

Put this rule first (or early on).
I do not know how 25 outgoing is blocked. Please post all the rules that you have and I'll have a try.
 

Author Comment

by:jaisonshereen
ID: 21817881
This is what iptables lists:

Can you tell me what each entry means:


[root@server monit-5.0-beta1]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
[root@server monit-5.0-beta1]#

 
LVL 35

Expert Comment

by:Duncan Roe
ID: 21821451
No. I don't find the output from "iptables -L" particularly helpful actually. What I wanted you to post was your rules files. Please do that.
 

Author Comment

by:jaisonshereen
ID: 21821479
[root@server sysconfig]# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.xx.0.xx -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@server sysconfig]#

 
LVL 35

Expert Comment

by:Duncan Roe
ID: 21827046
Thanks for that. I'm not familiar with the Red Hat configuration system - was hoping to see the actual iptables command lines (which is how I configure it).  But you might have trouble getting these.
Actually the -A lines look like they are the arguments to iptables. Maybe I can make sense of this after work (have to go now)
 
LVL 35

Accepted Solution

by:Duncan Roe (earned 2000 total points)
ID: 21835825
I have a little more information for you. Some comes straight from the man page, acknowledged by xml-style <man></man>
There are 4 *tables* which are: filter, nat, mangle and raw. Mangle and raw are rather specialised and not used in a typical installation. Nat is used when routing packets to other systems. That leaves "filter". <man>It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).</man>
"iptables -L" will list all chains in a single table - by default it lists "filter". This is likely the only table you have anyway. According to your iptables -L output, your output chain is empty with a policy of ACCEPT. So there should be no restrictions on outgoing connections.

The FORWARD and INPUT chains also have policy ACCEPT. These chains send all packets to the RH-Firewall-1-INPUT chain, which is user-defined. You can see its definition in your post above: it's all the lines that start -A RH-Firewall-1-INPUT.
The first rule (with "-i" in it) applies only to loopback connections:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
"-i lo" identifies the "local" interface, 127.0.0.1. Calls to this interface are always accepted. That's fine, but gives rise to the following line in "iptables -L":

ACCEPT     all  --  anywhere             anywhere

which makes it look like the firewall is completely open. That's the reason I asked to see your rules.
The "icmp" line lets other systems ping you. You can limit ping responses (but haven't) to some number per second, in order to combat Denial of Service (DoS) attacks. You can see in my first post how to do that.

Protocols 50 and 51 are open. I don't know what these are. "iptables -L" lists them as esp and ah.

There's a 1:1 correspondence between lines in your rules file and the output from iptables -L from now on. I'm not sure what the deal is with the "state" lines but have run out of time again. You need to find out which file you are supposed to modify, since it's not the file you posted.

Hope that's some help - post any more questions you may have
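Putting the thread's pieces together: an added example (not from the thread, and not Duncan's scripts) of a replacement /etc/sysconfig/iptables that meets the asker's stated policy, generated by a shell function with a pre-load check. It assumes the same Red Hat layout (the RH-Firewall-1-INPUT chain) as the posted file; dropping the ipp/mdns/esp/ah rules is an assumption, add them back if that server uses them.

```shell
#!/bin/sh
# Added example, not from the thread: a replacement /etc/sysconfig/iptables
# for the asker's requirements, plus a check to run before loading it.
# Assumption: same Red Hat layout (RH-Firewall-1-INPUT chain) as the posted
# file; the ipp/mdns/esp/ah rules are dropped here, add them back if needed.

# Print the ruleset in iptables-save format. Compared with the posted file:
# the "--dport 25 -j ACCEPT" line is gone (inbound SMTP now hits the final
# REJECT, as 5432 always did), 80 and 443 are added next to 22, ping is
# rate-limited as in Duncan's script, and OUTPUT keeps policy ACCEPT so
# outgoing 25 still works (replies come back via ESTABLISHED,RELATED).
ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -m limit --limit 5/second -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Return 0 only if the ruleset meets the stated policy: no ACCEPT for inbound
# 25 or 5432, an ACCEPT for each of 22/80/443, and an unrestricted OUTPUT chain.
check_ruleset() {
    rules=$(ruleset)
    for p in 25 5432; do
        printf '%s\n' "$rules" | grep -q -- "--dport $p .*-j ACCEPT" && return 1
    done
    for p in 22 80 443; do
        printf '%s\n' "$rules" | grep -q -- "--dport $p .*-j ACCEPT" || return 1
    done
    printf '%s\n' "$rules" | grep -q '^:OUTPUT ACCEPT' || return 1
    printf '%s\n' "$rules" | grep -q '^-A OUTPUT' && return 1
    return 0
}

# Usage on the server (as root):
#   check_ruleset && ruleset > /etc/sysconfig/iptables && service iptables restart
```

After loading, "iptables -L -n" should show the RH-Firewall-1-INPUT chain with ACCEPT lines for dpt:22, 80 and 443 only, and no dpt:25 line.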
