Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

iptables allow from IP is allowing anyone

Posted on 2014-11-18
8
Medium Priority
?
257 Views
Last Modified: 2014-11-20
I'm confused about (centos) iptables.

I have rules which are supposed to only allow my network into a remote host for certain ports yet I've found that I can access those ports from other networks.

For example, I have ssh blocked to only my own network yet I can reach the ssh port from other networks.

Drop       If source is x.x.73.0/24             
Drop       If source is x.x.74.0/24             
Accept       If state of connection is RELATED,ESTABLISHED             
Accept       If protocol is ICMP             
Accept       If input interface is lo             
Accept       If protocol is TCP and destination port is 80 and state of connection is NEW             
Accept       If protocol is TCP and destination port is 443 and state of connection is NEW             
Accept       If protocol is TCP and source is 1.2.3.4/32 and destination port is 22 and state of connection is NEW             

The Drop section works just fine but the Accept section allows any IP to connect.
What am I missing here???
0
Comment
Question by:projects
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 3

Expert Comment

by:Richard Obenchain
ID: 40451615
I'm not familiar with CentOs, but I'd assume your default is set to ACCEPT and, thus, if it doesn't match a rule it's being accepted.  You want to set it to DROP as default, thus, only allowing things through that are actively accepted.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40452287
"cat /etc/sysconfig/iptables" and post it.

so that we can take a look at it.  it's probably a simple error.
0
 
LVL 23

Expert Comment

by:savone
ID: 40452441
You need to add a catch all drop at the bottom of the list.  IPTables works in order, so it reads from the first rule down.  If the traffic matches any of the rules it takes the action (ACCEPT, DROP, REJECT, etc..) associated with that rule.  If it doesn't match any of the rules it allows the  traffic.  

You can fix this my adding a catch all DROP at the end of the list.  

iptables -A INPUT -j DROP
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 

Author Comment

by:projects
ID: 40452460
# DO NOT CHANGE WITHOUT ASKING CUSTOMER!!

# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*nat
:PREROUTING ACCEPT [334216:25598960]
:POSTROUTING ACCEPT [319279:20338388]
:OUTPUT ACCEPT [319279:20338388]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*mangle
:PREROUTING ACCEPT [27015165:19172637819]
:INPUT ACCEPT [27014858:19172613225]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21624194:7365342073]
:POSTROUTING ACCEPT [21624194:7365342073]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1174:209854]
#
-A INPUT -s 14.63.212.77/32 -j DROP
-A INPUT -s 14.63.170.53/32 -j DROP
-A INPUT -s 107.23.208.48/32 -j DROP
-A INPUT -s 107.23.240.102/32 -j DROP
-A INPUT -s 112.78.8.80/32 -j DROP
-A INPUT -s 112.78.197.217/32 -j DROP
-A INPUT -s 146.0.73.0/24 -j DROP
-A INPUT -s 146.0.74.0/24 -j DROP
#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 1004 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 33 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 500 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -s 23.21.230.0/24 -j REJECT --reject-with icmp-port-unreachable
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jan 15 20:57:58 2014

Open in new window


The public IP was changed to 1.2.3.4 and the ports were changed also but I'll get the point once you see what is wrong. The public IP would be a remote network which is allowed to connect to various ports so it's firewall is allowed.

The port 500 item will have a very long list of allowed IPs and would likely be better with it's own section but I don't know how. The reason being that a script will be updating this port continuously to allow only certain IPs soon.
0
 
LVL 29

Accepted Solution

by:
Jan Springer earned 2000 total points
ID: 40452472
Remove the comments (#) from lines 43 and 45.
0
 

Author Comment

by:projects
ID: 40453981
That's all that was wrong? I do need to make sure that icmp is allowed because we ping this server all the time.
Also, you see my rule #42?

Could someone tell me how to make a section just for that, so that a bash script can parse the file, adding and removing allowed IPs for that service only, automatically.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40455046
What you're saying with those last lines are "if you aren't allowed, send an icmp prohibit message."

Your IP will still be pingable.

I can help with a script.  Is this something to be run on command?
0
 

Author Comment

by:projects
ID: 40455112
An admin had edited my rules and I don't know enough about iptables to have noticed this.
Thank you!!!

You already earned this solution so maybe a new question would be more fair.
http://www.experts-exchange.com/Database/MySQL/Q_28566400.html
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question