iptables allow from IP is allowing anyone
I'm confused about (CentOS) iptables.
I have rules which are supposed to only allow my network into a remote host for certain ports yet I've found that I can access those ports from other networks.
For example, I have ssh blocked to only my own network yet I can reach the ssh port from other networks.
Drop If source is x.x.73.0/24
Drop If source is x.x.74.0/24
Accept If state of connection is RELATED,ESTABLISHED
Accept If protocol is ICMP
Accept If input interface is lo
Accept If protocol is TCP and destination port is 80 and state of connection is NEW
Accept If protocol is TCP and destination port is 443 and state of connection is NEW
Accept If protocol is TCP and source is 1.2.3.4/32 and destination port is 22 and state of connection is NEW
The Drop section works just fine but the Accept section allows any IP to connect.
What am I missing here???
I'm not familiar with CentOS, but I'd assume your default is set to ACCEPT and, thus, if it doesn't match a rule it's being accepted. You want to set it to DROP as default, thus only allowing things through that are actively accepted.
"cat /etc/sysconfig/iptables" and post it
so that we can take a look at it. It's probably a simple error.
You need to add a catch all drop at the bottom of the list. IPTables works in order, so it reads from the first rule down. If the traffic matches any of the rules it takes the action (ACCEPT, DROP, REJECT, etc..) associated with that rule. If it doesn't match any of the rules it allows the traffic.
You can fix this by adding a catch-all DROP at the end of the list.
iptables -A INPUT -j DROP
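The two fixes suggested above (a DROP policy and an explicit catch-all at the end of INPUT) put together, as an added example that is not code from this thread. It emits a corrected *filter section in iptables-restore format, which on CentOS is what /etc/sysconfig/iptables contains, and includes a small check that refuses a ruleset whose INPUT chain can still fall through to ACCEPT. Addresses are the thread's placeholders; MGMT_NET is an assumed name for the network allowed to reach SSH; FORWARD is also set to DROP because the asker's counters show no forwarded traffic (keep ACCEPT if the host routes). The nat and mangle sections of the asker's dump need no change and are omitted.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits a corrected *filter section
# for iptables-restore (CentOS keeps it in /etc/sysconfig/iptables) and checks
# that the INPUT chain cannot fall through to ACCEPT. MGMT_NET is an assumed
# name for the network allowed to reach SSH; addresses are placeholders.

MGMT_NET="${MGMT_NET:-1.2.3.4/32}"

build_filter_rules() {
    cat <<EOF
*filter
# Default policy DROP: a packet that matches no rule is dropped, not accepted.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Explicit blocks first. Rules are tried top to bottom and the first match
# decides, so these sit above the ESTABLISHED rule to stop existing flows too.
-A INPUT -s 146.0.73.0/24 -j DROP
-A INPUT -s 146.0.74.0/24 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ICMP stays open so the host remains pingable.
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s ${MGMT_NET} -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Catch-all last. Redundant with policy DROP, but it keeps the host closed if
# someone later resets the policy to ACCEPT, as the commented-out REJECT lines
# in the asker's dump show can happen.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Returns 0 when the INPUT chain of an iptables-save style file is closed:
# the chain policy is DROP, or the last INPUT rule is an unconditional
# DROP/REJECT. Returns 1 for a ruleset like the asker's, where unmatched
# traffic falls through to the ACCEPT policy.
input_chain_is_closed() {
    file="$1"
    if grep -q '^:INPUT DROP' "$file"; then
        return 0
    fi
    last=$(grep '^-A INPUT ' "$file" | tail -n 1)
    case "$last" in
        "-A INPUT -j DROP"|"-A INPUT -j REJECT"*) return 0 ;;
    esac
    return 1
}

# Usage (as root, after reviewing the output):
#   build_filter_rules > /tmp/filter.rules
#   input_chain_is_closed /tmp/filter.rules && iptables-restore < /tmp/filter.rules
#   iptables -L INPUT -n -v --line-numbers   # confirm the order before saving
```

The check is deliberately strict: a rule such as `-A INPUT -s 1.2.3.4 -j DROP` at the bottom does not count as a catch-all, because it still lets every other source fall through to the policy. Remember that `iptables-restore` only changes the running rules; on CentOS 6 run `service iptables save` (or write the file to /etc/sysconfig/iptables yourself) so the fix survives a reboot.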
ASKER
# DO NOT CHANGE WITHOUT ASKING CUSTOMER!!
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*nat
:PREROUTING ACCEPT [334216:25598960]
:POSTROUTING ACCEPT [319279:20338388]
:OUTPUT ACCEPT [319279:20338388]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*mangle
:PREROUTING ACCEPT [27015165:19172637819]
:INPUT ACCEPT [27014858:19172613225]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21624194:7365342073]
:POSTROUTING ACCEPT [21624194:7365342073]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1174:209854]
#
-A INPUT -s 14.63.212.77/32 -j DROP
-A INPUT -s 14.63.170.53/32 -j DROP
-A INPUT -s 107.23.208.48/32 -j DROP
-A INPUT -s 107.23.240.102/32 -j DROP
-A INPUT -s 112.78.8.80/32 -j DROP
-A INPUT -s 112.78.197.217/32 -j DROP
-A INPUT -s 146.0.73.0/24 -j DROP
-A INPUT -s 146.0.74.0/24 -j DROP
#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 1004 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 33 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 500 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -s 23.21.230.0/24 -j REJECT --reject-with icmp-port-unreachable
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
The public IP was changed to 1.2.3.4 and the ports were changed also but I'll get the point once you see what is wrong. The public IP would be a remote network which is allowed to connect to various ports so its firewall is allowed.
The port 500 item will have a very long list of allowed IPs and would likely be better with its own section but I don't know how. The reason being that a script will be updating this port continuously to allow only certain IPs soon.
ASKER
That's all that was wrong? I do need to make sure that icmp is allowed because we ping this server all the time.
Also, you see my rule #42?
Could someone tell me how to make a section just for that, so that a bash script can parse the file, adding and removing allowed IPs for that service only, automatically.
What you're saying with those last lines is "if you aren't allowed, send an icmp prohibit message."
Your IP will still be pingable.
I can help with a script. Is this something to be run on command?
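One way to give the port 500 allowlist its own section, as an added example that is not code from this thread or its participants: put the allowed sources in a user-defined chain and have INPUT jump to it, so the updater script rebuilds only that chain and never has to parse the rest of the ruleset. The chain name PORT500_ALLOW, the allowlist file format (one IPv4 address or CIDR per line, `#` starts a comment), the path /etc/port500-allow.txt and the IPTABLES variable are all assumptions of this example. It prints the commands rather than running them, so it can be reviewed first (or dry-run with IPTABLES=echo).

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps the port 500 allowlist in its
# own user-defined chain so a script can rebuild that chain alone, without
# parsing or rewriting the rest of INPUT. Assumed names: chain PORT500_ALLOW,
# allowlist file with one IPv4 address or CIDR per line ('#' starts a comment),
# and IPTABLES (set to "echo" to dry-run on a box without iptables).

CHAIN="${CHAIN:-PORT500_ALLOW}"
PORT="${PORT:-500}"
IPTABLES="${IPTABLES:-iptables}"

# Accepts dotted-quad IPv4 with an optional /1-32 prefix. /0 is refused on
# purpose: one bad line must not turn the allowlist into allow-everything.
valid_cidr() {
    printf '%s' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/(3[0-2]|[12][0-9]|[1-9]))?$'
}

# Lines for the saved ruleset (/etc/sysconfig/iptables on CentOS). The chain
# declaration goes with the other ":CHAIN" lines; the jump replaces the
# "-s 1.2.3.4/32 ... --dport 500" rule so it keeps that rule's position,
# above any catch-all. Only NEW connections are diverted into the chain.
render_saved_file_lines() {
    echo ":$CHAIN - [0:0]"
    echo "-A INPUT -p tcp -m state --state NEW -m tcp --dport $PORT -j $CHAIN"
}

# Prints the iptables commands that rebuild the chain from an allowlist file.
# Nothing is executed here; review the output or pipe it to sh.
render_port_rules() {
    list="$1"
    n=0
    echo "$IPTABLES -N $CHAIN 2>/dev/null || true"   # create if missing
    echo "$IPTABLES -F $CHAIN"                        # then empty it
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                               # strip comments
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        if [ -z "$entry" ]; then
            continue
        fi
        if valid_cidr "$entry"; then
            echo "$IPTABLES -A $CHAIN -s $entry -j ACCEPT"
            n=$((n + 1))
        else
            echo "# skipped invalid entry: $entry"
        fi
    done < "$list"
    # Terminal DROP: without it a non-listed source would RETURN to INPUT and
    # be judged by whatever follows the jump there.
    echo "$IPTABLES -A $CHAIN -j DROP"
    echo "# $n entries loaded into $CHAIN"
}

# Usage: render_port_rules /etc/port500-allow.txt | sh   (path is assumed)
```

Flushing the chain briefly refuses new connections to port 500, but existing sessions are unaffected because the RELATED,ESTABLISHED rule sits earlier in INPUT and never reaches the jump. Run the script from cron or from whatever maintains the list, and either run it again at boot or `service iptables save` after each update so the chain contents persist. If the list grows large and changes often, ipset is the better fit where the package is available: `ipset create port500 hash:net` plus a single rule `-m set --match-set port500 src -j ACCEPT` lets entries be added and removed atomically with no flush at all.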
ASKER
An admin had edited my rules and I don't know enough about iptables to have noticed this.
Thank you!!!
You already earned this solution so maybe a new question would be more fair.
https://www.experts-exchange.com/questions/28566400/php-and-iptables-safely.html