Solved

IPTABLES - Restrict ssh access

Posted on 2013-10-23
Last Modified: 2013-10-25
I'm trying to restrict logging on to a Linux system via ssh using IPTABLES.

On the following CentOS site:

http://wiki.centos.org/HowTos/Network/SecuringSSH

I read that using the command below should do it:

iptables -A INPUT -p tcp -s x.x.x.x --dport 22 -j ACCEPT

That is, the above rule says: allow SSH logins from IP address x.x.x.x (and presumably, from no other).

However, I am able to log in from a different IP no problem.

Here are my iptables settings (from /etc/sysconfig/iptables):

______________________________________________________________________________
# Generated by iptables-save v1.4.7 on Wed Oct 23 11:22:21 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [31:2596]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i em1 -j ACCEPT
-A INPUT -p tcp -s 69.17.129.174 -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

[numerous rules which drop packets from specific IPs are removed - no point in listing these here]

-A INPUT -j LOG
-A FORWARD -j LOG
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Oct 23 11:22:21 2013
_____________________________________________________________________________________

If I do a listing (iptables -L), I see the following:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  vps-1001071-386.stwadmin.net  anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  mail.maglin.com      anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

etc.

So this line from /etc/sysconfig/iptables

-A INPUT -p tcp -s 69.17.129.174 -m state --state NEW -m tcp --dport 22 -j ACCEPT

is supposed to allow access for SSH from only one IP (my assumption), and corresponds to this in the listing (iptables -L):

ACCEPT     tcp  --  mail.maglin.com      anywhere            state NEW tcp dpt:ssh

However, as I said, I can log in from a different IP no problem.

Thanks!
Question by:MaglinFurniture
10 Comments
 
Expert Comment

by:Duncan Roe
"(and presumably, from no other)"
Not true. In the absence of a specific rule, the policy for the chain applies. This is ACCEPT, according to your posted output. You can change the chain policy to DROP - see (the output from entering in a command window) man iptables. In particular:
-P, --policy chain target
Set the policy for the chain to the given target.  See the section TARGETS for the legal targets.  Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.
Author Comment

by:MaglinFurniture
@duncan_roe

I'm not sure I'd want to set the policy to DROP.

The machine is a web server machine.

There are two basic things I want:

Allow web access
Prevent access via ssh except for certain IPs (possibly more than one -- say 3)

To address your specific reply:

From the CentOS link above, my understanding is that

iptables -A INPUT -p tcp -s x.x.x.x --dport 22 -j ACCEPT

is a specific rule. I did try this rule, but it had no effect, or, the same effect.

Are you saying that if my default policy for INPUT was DROP instead of ACCEPT, then applying this rule:

iptables -A INPUT -p tcp -s 69.17.129.174 --dport 22 -j ACCEPT

or even:

-A INPUT -p tcp -s 69.17.129.174 -m state --state NEW -m tcp --dport 22 -j ACCEPT

I would achieve my goal for ssh?


IF SO, if the default policy is ACCEPT, what would the rule have to be to allow access from a specific IP address?
Expert Comment

by:Duncan Roe
If you want to let a few specified ssh addresses in and no others, stay with policy ACCEPT.

All you need do is

iptables -A INPUT -p tcp -s 69.17.129.174 --dport 22 -j ACCEPT
(other ips if any)
iptables -A INPUT -p tcp --dport 22 -j DROP

This will drop all other addresses attempting to use ssh.
Author Comment

by:MaglinFurniture
@duncan_roe

Hi

I tried this. It did not work.

Here is the current iptables -L:


Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  mail.maglin.com      anywhere            state NEW tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
LOG        all  --  anywhere             anywhere            LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED


Here is /etc/sysconfig/iptables:
_________________________________________________________________________________
# Generated by iptables-save v1.4.7 on Thu Oct 24 11:21:00 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [463:137552]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i em1 -j ACCEPT
-A INPUT -s 69.17.129.174/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j LOG
-A FORWARD -j LOG
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Oct 24 11:21:00 2013
______________________________________________________________________________

Would the state information in this line

-A INPUT -s 69.17.129.174/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

cause the problem?

If not, what is wrong?

Thanks!
Author Comment

by:MaglinFurniture
@duncan_roe

I am working on another server, on which I have installed CentOS 6.4, and have just finished configuring IPTABLES.

Bizarre, but adding the DROP line for SSH works fine on this machine!

Here is my current /etc/sysconfig/iptables (on the live machine):


# Generated by iptables-save v1.4.7 on Thu Oct 24 16:52:23 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [32:3688]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i em1 -j ACCEPT
-A INPUT -s 69.17.129.174/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j LOG
-A FORWARD -j LOG
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Oct 24 16:52:23 2013


and iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  mail.maglin.com      anywhere            state NEW tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
LOG        all  --  anywhere             anywhere            LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data state ESTABLISHED


On the machine I just set up (or am setting up), here is /etc/sysconfig/iptables



# Generated by iptables-save v1.4.7 on Thu Oct 24 17:06:23 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [142:24957]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.86.66.167/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Oct 24 17:06:23 2013



and iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  10.86.66.167         anywhere            state NEW tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


============================================

The machine I am setting up should have more recent versions of software on it -- I do a yum update when I install the OS.

Is it possible there is a 'bug' in the previous installation (for the live machine)?

In any case, I can't see what is causing the problem at this point.
Expert Comment

by:Duncan Roe
As an aside, could you please use this command for displaying your configuration in future:
{ set -x;for i in filter nat mangle raw;do iptables -t $i -n -v --line-numbers -L;done;set +x; } 2>&1|tee report.txt


and post report.txt. That's the format I'm most used to looking at.
On your system that lets in unwanted connections, it has to be a rule that precedes the new DROP rule that's letting them in. You might well see which rule it is from the output of the suggested command, in the packet count. Otherwise, what is interface em1?
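The packet-count approach suggested above, worked through as an added example (this is not code from the thread or from the expert): take one snapshot of `iptables -t filter -n -v --line-numbers -L` before a test ssh attempt from a non-allowed address and one after, and diff the per-rule packet counters. Both snapshots below are constructed in the shape that command prints, using the rule order from the live machine's posted /etc/sysconfig/iptables; the counter values and the source address of the test connection are invented.

```python
"""Added example (not from the thread): find which rule counted a test
connection by diffing two `iptables -t filter -n -v --line-numbers -L`
snapshots taken before and after the connection attempt."""
import re

# Two constructed snapshots in the shape that command prints for the INPUT and
# FORWARD chains of the live machine in the thread.  Counters are invented; the
# rule order is the one from the posted /etc/sysconfig/iptables.
BEFORE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     8852  612K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2       12   840 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3      102  7040 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4      391 23456 ACCEPT     all  --  em1    *       0.0.0.0/0            0.0.0.0/0
5        3   180 ACCEPT     tcp  --  *      *       69.17.129.174        0.0.0.0/0           state NEW tcp dpt:22
6        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
7        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
8        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:21 state ESTABLISHED
9        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20 state RELATED,ESTABLISHED
10       0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
11       0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
2        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

# After one ssh attempt from an address that is not 69.17.129.174: the SYN was
# counted by rule 4 (-i em1 ACCEPT) and the rest of the session by rule 1.
AFTER = BEFORE.replace("1     8852  612K", "1     8871  614K") \
              .replace("4      391 23456", "4      392 23512")


def _count(tok):
    """-v prints large counters with K/M/G suffixes (e.g. 612K)."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)


def parse_listing(text):
    """Return {chain: [rule dicts in chain order]} from the listing text."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        f = line.split(None, 10)          # 10 fixed columns + free-form matches
        if current is None or len(f) < 10 or not f[0].isdigit():
            continue                      # blank line or the column header
        current.append({
            "num": int(f[0]), "pkts": _count(f[1]), "bytes": _count(f[2]),
            "target": f[3], "prot": f[4], "in": f[6], "out": f[7],
            "src": f[8], "dst": f[9], "extra": f[10].strip() if len(f) > 10 else "",
        })
    return chains


def describe(r):
    """Short human-readable form of a rule's match conditions."""
    parts = [r["target"], r["prot"]]
    if r["in"] != "*":
        parts.append("in=" + r["in"])
    if r["src"] != "0.0.0.0/0":
        parts.append("src=" + r["src"])
    if r["extra"]:
        parts.append(r["extra"])
    return " ".join(parts)


def counter_deltas(before, after):
    """(chain, num, target, packets added, description) for every rule whose
    packet counter grew between the two snapshots, in chain order."""
    hits = []
    for chain, rules in after.items():
        prev = {r["num"]: r for r in before.get(chain, [])}
        for r in rules:
            old = prev.get(r["num"])
            if old is None or old["target"] != r["target"]:
                continue                  # chain edited in between; numbers shifted
            delta = r["pkts"] - old["pkts"]
            if delta > 0:
                hits.append((chain, r["num"], r["target"], delta, describe(r)))
    return hits


def accepting_rule(hits, chain="INPUT"):
    """The rule that admitted the NEW connection: the first terminating hit in
    the chain, ignoring RELATED/ESTABLISHED rules, which only ever count
    follow-up packets of a connection an earlier decision already allowed."""
    for c, num, target, _delta, desc in hits:
        if c != chain or target not in ("ACCEPT", "DROP", "REJECT"):
            continue
        if "ESTABLISHED" in desc:
            continue
        return num, desc
    return None


if __name__ == "__main__":
    hits = counter_deltas(parse_listing(BEFORE), parse_listing(AFTER))
    for chain, num, target, delta, desc in hits:
        print("%s rule %d (+%d packets): %s" % (chain, num, delta, desc))
    print("connection admitted by rule:", accepting_rule(hits))
```

The RELATED,ESTABLISHED rule at the top of the chain will always show an increase after a successful login, so it has to be skipped when looking for the rule that admitted the connection; what remains is the interface-only ACCEPT on em1, which sits ahead of the port-22 DROP.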
Author Comment

by:MaglinFurniture
@duncan_roe

See attached: report.txt

em1 is the NIC on the machine that connects it to the Internet.

Not sure the command is providing all the info, but please take a look.

Thanks!
Attachment: report.txt
Accepted Solution

by: Duncan Roe (earned 500 total points)
The em1 rule is accepting everything from the Internet. Move it after the ssh DROP rule at least.
Really the rules are a bit of a mess. Rule 11 can never be reached because of rule 10, for instance. Table filter chain FORWARD rules are superfluous because you have no rules in table nat. The OUTPUT rules in table filter are likewise superfluous because the chain has policy ACCEPT already.

I think it would pay you to take some time to understand report.txt. It's telling you a lot.
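Why the em1 rule wins, shown as an added example (not code from the thread): a small first-match simulator over the INPUT rules from the live machine's posted /etc/sysconfig/iptables. It walks the chain the way netfilter does, top to bottom, stopping at the first terminating target, and then re-runs the same packet after applying the accepted answer's fix of moving the `-i em1` ACCEPT below the port-22 DROP. It also reports the unreachable rule 11 behind the REJECT-all at rule 10. The source address 198.51.100.7 for the unwanted connection is constructed; 69.17.129.174 and the interface name em1 are the thread's own values.

```python
"""Added example (not from the thread): first-match evaluation of the posted
INPUT chain, before and after moving the em1 rule below the ssh DROP."""
import ipaddress
import shlex

# INPUT rules exactly as posted for the live machine (iptables-save format).
LIVE_INPUT_RULES = [
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p icmp -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -i em1 -j ACCEPT",
    "-A INPUT -s 69.17.129.174/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 22 -j DROP",
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
    "-A INPUT -j LOG",
]
TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # LOG is not: the walk continues


def port_range(spec):
    """'22' -> (22, 22); '1024:65535' -> (1024, 65535)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_rule(line):
    """Parse one iptables-save line into match conditions plus target.  Only the
    matches used in the thread are understood; every option here takes exactly
    one argument, so the tokens pair up.  '-m' module selectors and
    '--reject-with' carry no condition of their own and are skipped."""
    toks = shlex.split(line)
    rule = {"raw": line}
    for opt, arg in zip(toks[::2], toks[1::2]):
        if opt in ("-A", "-m", "--reject-with"):
            continue
        elif opt == "-j":
            rule["target"] = arg
        elif opt == "-i":
            rule["in"] = arg
        elif opt == "-p":
            rule["proto"] = arg
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif opt in ("--sport", "--dport"):
            rule[opt[2:]] = port_range(arg)
        elif opt == "--state":
            rule["state"] = set(arg.split(","))
        else:
            raise ValueError("unsupported option %s in %r" % (opt, line))
    return rule


def matches(rule, pkt):
    """A rule matches when every condition it carries agrees with the packet."""
    if "in" in rule and rule["in"] != pkt["in"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    for key in ("sport", "dport"):
        if key in rule and not rule[key][0] <= pkt[key] <= rule[key][1]:
            return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return True


def evaluate(rules, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching terminating rule decides.
    Returns (verdict, 1-based rule number) or (policy, None) if nothing matched."""
    for num, raw in enumerate(rules, 1):
        rule = parse_rule(raw)
        if matches(rule, pkt) and rule["target"] in TERMINATING:
            return rule["target"], num
    return policy, None


def shadowed_rules(rules):
    """Numbers of rules that can never be reached because an earlier rule has no
    match conditions at all and a terminating target (REJECT-all before LOG)."""
    for num, raw in enumerate(rules, 1):
        rule = parse_rule(raw)
        if rule["target"] in TERMINATING and set(rule) == {"raw", "target"}:
            return list(range(num + 1, len(rules) + 1))
    return []


def move_after(rules, needle, anchor):
    """Re-insert the first rule containing `needle` right after the first rule
    containing `anchor`: the accepted answer's fix for the em1 rule."""
    moving = next(r for r in rules if needle in r)
    rest = [r for r in rules if r != moving]
    i = next(i for i, r in enumerate(rest) if anchor in r)
    return rest[:i + 1] + [moving] + rest[i + 1:]


# Constructed packets: a NEW ssh connection arriving on the Internet-facing em1
# interface from an address that is not the allowed one, the same from the
# allowed address, and an ordinary web request.
STRANGER_SSH = {"in": "em1", "proto": "tcp", "src": "198.51.100.7",
                "sport": 40000, "dport": 22, "state": "NEW"}
ALLOWED_SSH = dict(STRANGER_SSH, src="69.17.129.174")
WEB = dict(STRANGER_SSH, dport=80)

if __name__ == "__main__":
    print("stranger ssh, as posted:", evaluate(LIVE_INPUT_RULES, STRANGER_SSH))
    fixed = move_after(LIVE_INPUT_RULES, "-i em1", "--dport 22 -j DROP")
    print("stranger ssh, after fix:", evaluate(fixed, STRANGER_SSH))
    print("allowed ssh, after fix:  ", evaluate(fixed, ALLOWED_SSH))
    print("web, after fix:          ", evaluate(fixed, WEB))
    print("unreachable rules as posted:", shadowed_rules(LIVE_INPUT_RULES))
```

As posted, the stranger's SYN is accepted at rule 4 (`-i em1`) before the port-22 DROP at rule 6 is ever consulted. After the move, the DROP is reached first and the allowed address still gets in through its own rule. The simulation also makes the "at least" in the answer concrete: the relocated em1 rule still accepts every other port from the Internet, so the http rule and the REJECT below it never decide anything for traffic on em1.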
Author Closing Comment

by:MaglinFurniture
@duncan_roe

I've made adjustments per your reply and it looks to be working fine now.

If you have any recommendations on information resources for learning more, so that I will understand report.txt much better, I would appreciate it.

Thanks very much for your assistance with this.
Expert Comment

by:Duncan Roe
All I can suggest is that you [re-]read the iptables man page. That will tell you what output to expect, given the options passed to the iptables command.