
IPtables and multiple interfaces

I have this script, but I wonder whether it needs to be changed to accommodate the fact that the machine has eth0 as well as eth0:1, eth0:2, eth0:3 and eth0:4. Does it? If so, how?
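# Maintenance sub-commands.  "save" dumps the live ruleset to
# /etc/sysconfig/iptables, "restore" loads it back; both leave the
# script without touching the rules below.  The original printed
# "done" and exited 0 even when iptables-save/iptables-restore failed,
# and a failing save truncated the existing file; here a failure is
# reported on stderr with a non-zero exit, and the save goes through a
# temp file so a half-written ruleset never replaces the old one.
case "$1" in
  save)
    printf '%s' "Saving firewall to /etc/sysconfig/iptables ... "
    # mktemp creates the file mode 0600 in the same directory, so the
    # rename is atomic on the same filesystem.
    tmp=$(mktemp /etc/sysconfig/iptables.XXXXXX) || { echo "FAILED (mktemp)" >&2; exit 1; }
    if /sbin/iptables-save > "$tmp" && mv -f -- "$tmp" /etc/sysconfig/iptables; then
      echo "done"
      exit 0
    fi
    rm -f -- "$tmp"
    echo "FAILED" >&2
    exit 1
    ;;
  restore)
    printf '%s' "Restoring firewall from /etc/sysconfig/iptables ... "
    if /sbin/iptables-restore < /etc/sysconfig/iptables; then
      echo "done"
      exit 0
    fi
    echo "FAILED" >&2
    exit 1
    ;;
esac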
# Load the netfilter modules the rules below depend on: the table
# itself, connection tracking, and the FTP/IRC helpers.  These are the
# legacy ip_* module names from the original script; whether the
# running kernel still ships them under these names is not something
# the script checks (modprobe failures are not fatal here).
echo "Loading kernel modules ..."
/sbin/depmod -a
for mod in ip_tables ip_conntrack ip_nat_ftp ip_conntrack_ftp ip_conntrack_irc; do
  /sbin/modprobe "$mod"
done
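# Kernel hardening knobs.  The original guarded each one with
# [ "/sbin/sysctl -w" = "" ], which compares a literal string with the
# empty string and is therefore always false: the /proc/sys fallback
# branch could never execute.  The evident intent -- use sysctl when it
# is available, otherwise write /proc/sys directly -- is implemented by
# set_sysctl below.

# Map a sysctl key to its /proc/sys path (dots become slashes).
# Arguments: $1 - sysctl key, e.g. net.ipv4.tcp_syncookies
# Outputs:   the /proc/sys path on stdout
sysctl_proc_path() {
  printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# Set one sysctl, via /sbin/sysctl when it is executable, else via /proc.
# Arguments: $1 - sysctl key, $2 - value
# Returns:   the status of the write; non-zero if the knob was not set
set_sysctl() {
  if [ -x /sbin/sysctl ]; then
    /sbin/sysctl -w "$1=$2"
  else
    echo "$2" > "$(sysctl_proc_path "$1")"
  fi
}

set_sysctl net.ipv4.tcp_syncookies 1                # SYN cookies against SYN floods
set_sysctl net.ipv4.conf.all.rp_filter 1            # reverse-path check on the source address
set_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1   # ignore pings to broadcast addresses
set_sysctl net.ipv4.conf.all.accept_source_route 0  # refuse source-routed packets
set_sysctl net.ipv4.conf.all.secure_redirects 1     # ICMP redirects only from listed gateways
set_sysctl net.ipv4.conf.all.log_martians 1         # log packets with impossible addresses
# NOTE(review): accept_redirects / send_redirects are left at their
# kernel defaults here; decide explicitly whether this host should
# honour or emit ICMP redirects.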
# Put every table back into an open state: ACCEPT policies on the
# built-in chains, then flush all rules and delete every user-defined
# chain.  From here until the DROP policies are set further down the
# script the host does no filtering at all; "stop" deliberately exits
# in that state.
echo "Flushing Tables ..."
ipt=/sbin/iptables
for chain in INPUT FORWARD OUTPUT; do
  "$ipt" -P "$chain" ACCEPT
done
for chain in PREROUTING POSTROUTING OUTPUT; do
  "$ipt" -t nat -P "$chain" ACCEPT
done
for chain in PREROUTING OUTPUT; do
  "$ipt" -t mangle -P "$chain" ACCEPT
done
for table in filter nat mangle; do
  "$ipt" -t "$table" -F
done
for table in filter nat mangle; do
  "$ipt" -t "$table" -X
done
if [ "$1" = "stop" ]; then
  echo "Firewall completely flushed!  Now running with no firewall."
  exit 0
fi
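# Default-deny on every built-in chain, then build the custom chains
# that INPUT/OUTPUT dispatch to further down the script.  Nothing is
# accepted until those INPUT rules are added, so reloading remotely
# briefly interrupts existing sessions.
ipt=/sbin/iptables
"$ipt" -P INPUT DROP
"$ipt" -P OUTPUT DROP
"$ipt" -P FORWARD DROP

echo "Create and populate custom rule chains ..."
for chain in bad_packets bad_tcp_packets icmp_packets \
             udp_inbound udp_outbound tcp_inbound tcp_outbound; do
  "$ipt" -N "$chain"
done

# Append a LOG rule and a DROP rule that share one match expression.
# The LOG rule is rate-limited (3/minute, burst 3) in the same way as
# the catch-all LOG rules on INPUT and OUTPUT; the original logged
# these matches with no limit, so a stream of bad packets could fill
# the log.
# Arguments: $1 - chain, $2 - log prefix, $3.. - match expression
log_and_drop() {
  local chain=$1 prefix=$2
  shift 2
  "$ipt" -A "$chain" "$@" -m limit --limit 3/minute --limit-burst 3 \
      -j LOG --log-prefix "$prefix"
  "$ipt" -A "$chain" "$@" -j DROP
}

# bad_packets: drop what conntrack classifies as INVALID, then send
# TCP through the TCP sanity checks.
log_and_drop bad_packets "Invalid packet: " -p ALL -m state --state INVALID
"$ipt" -A bad_packets -p tcp -j bad_tcp_packets
"$ipt" -A bad_packets -p ALL -j RETURN

# bad_tcp_packets: a NEW connection must start with a bare SYN, and
# the flag combinations below never occur in legitimate traffic.
log_and_drop bad_tcp_packets "New not syn: " -p tcp ! --syn -m state --state NEW
for flags in "ALL NONE" "ALL ALL" "ALL FIN,URG,PSH" \
             "ALL SYN,RST,ACK,FIN,URG" "SYN,RST SYN,RST" "SYN,FIN SYN,FIN"; do
  # "mask compare" pairs for --tcp-flags, split on the single space.
  log_and_drop bad_tcp_packets "Stealth scan: " \
      -p tcp --tcp-flags "${flags%% *}" "${flags#* }"
done
"$ipt" -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets: no fragments; echo-request (8) and time-exceeded (11)
# are accepted from any source without a rate limit, as in the
# original -- adding "-m limit" to the type 8 rule would be cheap.
log_and_drop icmp_packets "ICMP Fragment: " --fragment -p ICMP
"$ipt" -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
"$ipt" -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
"$ipt" -A icmp_packets -p ICMP -j RETURN

# udp_inbound: drop NetBIOS noise without logging, allow mDNS (5353)
# from anywhere, and SNMP (161) only from 10.30.0.0/24.
"$ipt" -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
"$ipt" -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
"$ipt" -A udp_inbound -p UDP -s 0/0 --destination-port 5353 -j ACCEPT
"$ipt" -A udp_inbound -p udp -s 10.30.0.0/24 --destination-port 161 -j ACCEPT
"$ipt" -A udp_inbound -p UDP -j RETURN
"$ipt" -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound: HTTP/HTTPS from anywhere, SSH only from the two
# management networks.  Everything else falls through to RETURN.
"$ipt" -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
"$ipt" -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT
"$ipt" -A tcp_inbound -p TCP -s 10.30.0.0/24 --destination-port 22 -j ACCEPT
"$ipt" -A tcp_inbound -p TCP -s 10.9.0.0/24 --destination-port 22 -j ACCEPT
"$ipt" -A tcp_inbound -p TCP -j RETURN
"$ipt" -A tcp_outbound -p TCP -s 0/0 -j ACCEPT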
# Wire the custom chains into INPUT and OUTPUT.  The "-i eth0" / "-o
# eth0" matches also cover the eth0:1 .. eth0:4 alias addresses:
# aliases are additional IPs on the same interface, not interfaces of
# their own, so a per-alias policy has to match on the address
# (-s/-d) rather than on the interface name.
ipt=/sbin/iptables
echo "Process INPUT chain ..."
"$ipt" -A INPUT -p ALL -i lo -j ACCEPT
"$ipt" -A INPUT -p ALL -j bad_packets
"$ipt" -A INPUT -p ALL -d 224.0.0.1 -j DROP
"$ipt" -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# protocol:chain pairs; the chain name differs from the protocol for ICMP.
for dispatch in TCP:tcp_inbound UDP:udp_inbound ICMP:icmp_packets; do
  "$ipt" -A INPUT -p "${dispatch%%:*}" -i eth0 -j "${dispatch#*:}"
done
"$ipt" -A INPUT -m pkttype --pkt-type broadcast -j DROP
# Anything not accepted above is logged (rate-limited) and then hits
# the DROP policy.
"$ipt" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "INPUT packet died: "

echo "Process FORWARD chain ..."
# No FORWARD rules: the DROP policy set earlier refuses all forwarding.

echo "Process OUTPUT chain ..."
# Outbound traffic on eth0 is allowed unconditionally; only INVALID
# ICMP is dropped and the leftovers are logged before the DROP policy.
"$ipt" -A OUTPUT -m state -p icmp --state INVALID -j DROP
"$ipt" -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
"$ipt" -A OUTPUT -p ALL -o lo -j ACCEPT
"$ipt" -A OUTPUT -p ALL -o eth0 -j ACCEPT
"$ipt" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "OUTPUT packet died: "

echo "Load rules for nat table ..."
echo "Load rules for mangle table ..."

shukalo83Commented:
The straightforward answer is to avoid referring to subinterfaces in iptables rules. You can keep using eth0 in your script, but add further match criteria such as an IP address.

First, take your script and find every occurrence of eth0, considering all the traffic that will pass through it. You can leave eth0 as it is and it will work, but if you want tight security you need to add more criteria, i.e. -s <some source ip> -d <some other dest ip> and so on.

I see these in script:


# The five eth0-specific rules quoted from the question's script.  Each
# matches on the interface only; alias addresses (eth0:1 ...) live on
# that same interface, so these rules already apply to them.  Limiting
# a rule to a single alias means adding its address (-s/-d) to the
# match, not changing -i/-o.
/sbin/iptables -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p TCP -i eth0 -j tcp_inbound
/sbin/iptables -A INPUT -p UDP -i eth0 -j udp_inbound
/sbin/iptables -A INPUT -p ICMP -i eth0 -j icmp_packets
/sbin/iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT



These are all OK and will work as expected. As I said, if you want tighter security, you can add further criteria.

Beware if you use -j MASQUERADE from eth0 (I don't see that you do, but if you want it later, be careful).

arnoldCommented:
To shukalo83's point: if you want iptables to enforce per-IP rules, you need to test on the IP address itself (-d/--destination IP_address) in the INPUT chain, and in the OUTPUT chain as well if you want traffic to appear to originate from the IP to which the request was sent rather than from the primary IP on eth0.
This only has an effect on encrypted communication, where the response has to come from the same IP to which the request was sent.


ee-gdAuthor Commented:
Thanks to both of you - indeed I had to specify the individual IPs, and below is part of what I ended up using.


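# Emit the 'filter' table in iptables-restore format.
#
# The original echoed ":INPUT DROP [0:0]" (and FORWARD/OUTPUT) unquoted.
# "[0:0]" is a shell glob that matches a file named "0" or ":" in the
# current directory, in which case the echo would print that filename
# instead and silently corrupt the generated ruleset.  Every line is
# quoted here so the output no longer depends on the working directory.
# Public_IP_n and HQ_Public_IP_MGT are the author's placeholders.
#
# Outputs: the ruleset on stdout (pipe into iptables-restore)
emit_filter_rules() {
  echo '*filter'
  # ================ Table 'filter', automatic rules
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT DROP [0:0]'
  # accept established sessions
  echo "-A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT "
  echo "-A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT "
  echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT "
  # drop packets that do not match any valid state
  echo "-A OUTPUT   -m state --state INVALID  -j DROP "
  echo "-A INPUT    -m state --state INVALID  -j DROP "
  echo "-A FORWARD  -m state --state INVALID  -j DROP "
  # ================ Table 'filter', rule set Policy
  #
  # Rule  0 (lo)
  echo "-A INPUT -i lo   -j ACCEPT "
  echo "-A OUTPUT -o lo   -j ACCEPT "
  #
  # Rule  1 (global): new HTTP/HTTPS, inbound from anywhere, outbound
  # only to the listed public addresses.
  echo ":Cid6744X69184.0 - [0:0]"
  echo "-A OUTPUT -p tcp -m tcp  -m multiport  --dports 80,443  -m state --state NEW  -j Cid6744X69184.0 "
  echo "-A Cid6744X69184.0  -d Public_IP_1   -j ACCEPT "
  echo "-A Cid6744X69184.0  -d Public_IP_2   -j ACCEPT "
  echo "-A Cid6744X69184.0  -d Public_IP_3   -j ACCEPT "
  echo "-A Cid6744X69184.0  -d Public_IP_4   -j ACCEPT "
  echo "-A Cid6744X69184.0  -d Public_IP_5   -j ACCEPT "
  echo "-A INPUT -p tcp -m tcp  -m multiport  --dports 80,443  -m state --state NEW  -j ACCEPT "
  #
  # Rule  2 (global): any protocol and port from the management /24.
  # NOTE(review): this is broader than "management access"; confirm the
  # whole /24 should reach every service on this host.
  echo "-A INPUT  -s HQ_Public_IP_MGT/24   -m state --state NEW  -j ACCEPT "
  #
  # Rule  3 (global)
  echo "-A OUTPUT  -d HQ_Public_IP_MGT/24   -m state --state NEW  -j ACCEPT "
  #
  # Rule  4 (global): DNS/FTP/HTTP/SMTP/NTP between this host and the
  # listed public addresses.
  # NOTE(review): the "--sport 20" rule trusts the remote source port,
  # which the peer chooses freely; if the FTP conntrack helper is
  # loaded, active-mode data connections already arrive as RELATED and
  # this rule may be unnecessary.
  echo ":Cid9117X69184.0 - [0:0]"
  echo "-A INPUT -p tcp -m tcp  --sport 20  --dport 1024:65535  -m state --state NEW  -j Cid9117X69184.0 "
  echo "-A INPUT -p tcp -m tcp  -m multiport  --dports 53,21,80,25  -m state --state NEW  -j Cid9117X69184.0 "
  echo "-A INPUT -p udp -m udp  -m multiport  --dports 53,123  -m state --state NEW  -j Cid9117X69184.0 "
  echo "-A Cid9117X69184.0  -s Public_IP_1   -j ACCEPT "
  echo "-A Cid9117X69184.0  -s Public_IP_2   -j ACCEPT "
  echo "-A Cid9117X69184.0  -s Public_IP_3   -j ACCEPT "
  echo "-A Cid9117X69184.0  -s Public_IP_4   -j ACCEPT "
  echo "-A Cid9117X69184.0  -s Public_IP_5   -j ACCEPT "
  echo "-A OUTPUT -p tcp -m tcp  --sport 20  --dport 1024:65535  -m state --state NEW  -j ACCEPT "
  echo "-A OUTPUT -p tcp -m tcp  -m multiport  --dports 53,21,80,25  -m state --state NEW  -j ACCEPT "
  echo "-A OUTPUT -p udp -m udp  -m multiport  --dports 53,123  -m state --state NEW  -j ACCEPT "
  #
  # Rule  5 (global): reject ident (113) instead of dropping it, so
  # peers that probe it do not wait for a timeout.
  echo ":Cid9291X69184.0 - [0:0]"
  echo "-A OUTPUT -p tcp -m tcp  --dport 113  -j Cid9291X69184.0 "
  echo "-A Cid9291X69184.0  -d Public_IP_1   -j REJECT  "
  echo "-A Cid9291X69184.0  -d Public_IP_2   -j REJECT  "
  echo "-A Cid9291X69184.0  -d Public_IP_3   -j REJECT  "
  echo "-A Cid9291X69184.0  -d Public_IP_4   -j REJECT  "
  echo "-A Cid9291X69184.0  -d Public_IP_5   -j REJECT  "
  echo "-A INPUT -p tcp -m tcp  --dport 113  -j REJECT  "
  #
  # Rule  6 (global): explicit final drops (the chain policies are DROP
  # as well, so these mainly make the intent visible in the listing).
  echo "-A OUTPUT  -d Public_IP_1   -j DROP "
  echo "-A OUTPUT  -d Public_IP_2   -j DROP "
  echo "-A OUTPUT  -d Public_IP_3   -j DROP "
  echo "-A OUTPUT  -d Public_IP_4   -j DROP "
  echo "-A OUTPUT  -d Public_IP_5   -j DROP "
  echo "-A INPUT  -j DROP "
  #
  echo 'COMMIT'
}
emit_filter_rules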
