Chris Leonard
asked on
Help with IPTables
Hi, I have an iptables firewall which was here before I started the job; it's set up very strangely and not by the book.
I have a new IP range which is 10.11.0.0 which I need to have access to the iptables network and override all block rules
At the moment I see things like this in the logs:
Aug 30 18:34:23 fw-gs iptables GSFWD denied: IN=tun1 OUT=eth0 MAC= SRC=10.11.0.201 DST=10.1.60.50 LEN=60 TOS=00 PREC=0x00 TTL=60 ID=26312 DF PROTO=TCP SPT=47658 DPT=10050 SEQ=4127790723 ACK=0 WINDOW=29200 SYN URGP=0
Aug 30 18:34:25 fw-gs iptables BLADES denied: IN=tun1 OUT=eth0 MAC= SRC=10.11.0.201 DST=10.1.60.50 LEN=60 TOS=00 PREC=0x00 TTL=60 ID=26313 DF PROTO=TCP SPT=47658 DPT=10050 SEQ=4127790723 ACK=0 WINDOW=29200 SYN URGP=0
Aug 30 18:34:25 fw-gs iptables GSFWD denied: IN=tun1 OUT=eth0 MAC= SRC=10.11.0.201 DST=10.1.60.50 LEN=60 TOS=00 PREC=0x00 TTL=60 ID=26313 DF PROTO=TCP SPT=47658 DPT=10050 SEQ=4127
I need a way to override and allow access to everything from 10.11.0.0
I have tried the command iptables -A INPUT -s 10.11.0.0/16 -j ACCEPT
but I still see things like
Aug 30 18:37:33 fw-gs iptables GSFWD denied: IN=tun1 OUT=eth0 MAC= SRC=10.11.0.201 DST=10.1.60.50 LEN=60 TOS=00 PREC=0x00 TTL=60 ID=6274 DF PROTO=TCP SPT=48066 DPT=10050 SEQ=488128362 ACK=0 WINDOW=29200 SYN URGP=0
Many Thanks
Chris
ASKER
Hi, how do I do this? I don't think this one is a script file...
I have to do all from command line.
ASKER
I just need to know how to allow a whole subnet over all of my chains?
You're loading all your iptables rules manually each time the system is rebooted?
ASKER
No, but I can't find the .rules file?
I have tried this iptables -I INPUT 1 -s 10.11.0.0/16 -j ACCEPT
It did nothing, all the other chains are denying that subnet.
You need to find where the iptables rules are being loaded, and then insert the override as the very first rule.
Once rules have been inserted into INPUT, the override can not be done.
An example from a Debian/Ubuntu system, which should work on most variants of Linux.
Look in /etc/init.d for a boot script called iptables. The one below loads script files from /etc/iptables one at a time in numerical sequence. This allows multiple chains hanging off INPUT, and eliminates tampering with INPUT.
/etc/init.d/iptables
#!/bin/bash
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    networking pdnsd ntpdate dnsclient
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start iptables packet filtering
# Description:       Start iptables packet filtering and load the rules
#                    from the rules files in /etc/iptables
### END INIT INFO

# init.d script for iptables on a Debian 2.6 system
#
# IF THERE IS AN EXISTING IPTABLES SCRIPT IN /etc/init.d THAT
# YOU WANT TO KEEP, COPY IT SOMEWHERE SAFE BEFORE PROCEEDING.
#
# 1. Remove any existing script
#        rm /etc/init.d/iptables
# 2. Remove any existing links in the rc.d directories
#        update-rc.d -f iptables remove
# 3. Copy this file to /etc/init.d as iptables
#        cp this-file-name /etc/init.d/iptables
# 4. Create links to run this script just after networking
#    is started or stopped
#        update-rc.d iptables start 41 S . stop 36 0 1 6 .
# 5. Create the directory /etc/iptables. This is where
#    the iptables script files are located.
# 6. Create shell script files in /etc/iptables. These
#    files are named script00.sh, script01.sh, ... (two-digit
#    numbers, which is what the loop below looks for). They
#    are run in ascending order, beginning with script00.sh,
#    until there is no next file.
# 7. If your iptables commands are unchanging, install them
#    in the scriptNN.sh file. If your iptables commands are,
#    say, perl scripts, use the scriptNN.sh file to kick off
#    perl.

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
iptloc="/sbin/iptables"
scrloc="/etc/iptables"
declare -i scrno1=0
declare -i scrno2=0
declare -i sfail=0

# ==================================================
# ipusage()
# Display instructions for use
#
ipusage () {
    echo "$0 options:"
    echo " start|restart|reload|force-reload"
    echo " Clear all tables"
    echo " Set table filter default policy ACCEPT"
    echo " Run scripts in $scrloc"
    echo " stop|clear|halt"
    echo " Clear all tables"
    echo " Set table filter default policy ACCEPT"
}

# ==================================================
# ipclear()
#
# - Clear all tables
# - Set table filter default policy ACCEPT
#
ipclear () {
    echo "Stopping iptables packet filtering"
    # Clear all tables
    echo " Clear all tables"
    $iptloc -F
    # Set table filter default policy ACCEPT
    echo " Set table filter default policy ACCEPT"
    $iptloc -t filter -P INPUT ACCEPT
    $iptloc -t filter -P OUTPUT ACCEPT
    $iptloc -t filter -P FORWARD ACCEPT
    echo " Done"
}

# ==================================================
# ipstart()
#
# - Clear all tables
# - Set table filter default policy ACCEPT
# - Run the script files in /etc/iptables in order
#
ipstart() {
    echo "Starting iptables packet filtering"
    # Clear all tables
    echo " Clear all tables"
    $iptloc -F
    # Set table filter default policy ACCEPT
    echo " Set table filter default policy ACCEPT"
    $iptloc -t filter -P INPUT ACCEPT
    $iptloc -t filter -P OUTPUT ACCEPT
    $iptloc -t filter -P FORWARD ACCEPT
    # Test for existence of the script directory
    if [ ! -e $scrloc ]
    then
        echo " Warning - Script directory $scrloc missing"
        exit 1
    fi
    # Scan for script files and run them in order
    until [ ! -e $scrloc/script$scrno2$scrno1.sh ]
    do
        # Check that the script is executable
        if [ ! -x $scrloc/script$scrno2$scrno1.sh ]
        then
            # If not, report it and remember the error
            echo " Warning - $scrloc/script$scrno2$scrno1.sh is not executable"
            sfail=1
        else
            # Run the script file
            echo -n " Run $scrloc/script$scrno2$scrno1.sh ... "
            $scrloc/script$scrno2$scrno1.sh
            if [ $? -eq 0 ]
            then
                # End the line showing success
                echo "ok"
            else
                # End the line showing failure, and remember it
                echo "FAILED"
                sfail=1
            fi
        fi
        scrno1=scrno1+1
        if [ $scrno1 -eq 10 ]
        then
            scrno1=0
            scrno2=scrno2+1
        fi
    done
    echo " Done"
}

# ==================================================
# Dispatcher
# Parse the command line and dispatch handler routines
#
case "$1" in
    start|restart|reload|force-reload)
        ipstart
        exit $sfail
        ;;
    stop|halt|clear)
        ipclear
        exit 0
        ;;
    usage)
        ipusage
        exit 0
        ;;
    *)
        echo "$0: Unknown command <$*>"
        ipusage
        exit 1
        ;;
esac
exit 0
Then insert your override commands in the script00.sh file:
#!/bin/bash
# /etc/iptables/script00.sh
#
# This script is executed first when /etc/init.d/iptables is
# called during the startup process.
#
# The iptables rules in this file prevent network lockout
# by the system administrators. This is necessary in case
# a rule added later were to lock out the administrators.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
iptloc="/sbin/iptables"
declare -i sfail=0
# Delete all rules in any pre-existing chain
# $iptloc -F FailSafe
# Suppress error messages
$iptloc -F FailSafe > /dev/null 2> /dev/null
# Flush any pre-existing chain
# $iptloc -X FailSafe
# Suppress error messages
$iptloc -X FailSafe > /dev/null 2> /dev/null
# Declare a new iptables chain for these rules
$iptloc -t filter -N FailSafe
sfail=sfail+$?
# ================================
# Port 22, ssh, the secure remote shell port
# 192.168.0, for access from within a 192.168.0 LAN
$iptloc -t filter -A FailSafe -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
sfail=sfail+$?
# Tarpit ssh connections coming from anywhere else
$iptloc -t filter -A FailSafe -p tcp --dport 22 -j DROP
sfail=sfail+$?
# ================================
# Port 110, the POP3 mail client remote access port
# 192.168.0, for access from with a 192.168.0 LAN
$iptloc -t filter -A FailSafe -s 192.168.0.0/24 -p tcp --dport 110 -j ACCEPT
sfail=sfail+$?
# Tarpit POP3 connections coming from anywhere else
$iptloc -t filter -A FailSafe -p tcp --dport 110 -j DROP
sfail=sfail+$?
# ================================
# Return to the calling chain
$iptloc -t filter -A FailSafe -j RETURN
sfail=sfail+$?
# Now insert a call to this chain at the top of INPUT
$iptloc -I INPUT 1 -j FailSafe
sfail=sfail+$?
exit $sfail
This results in a neat and manageable set of iptables rules in several different files, only one of which need be edited at any given time:
root@www:/etc/iptables# iptables -L -n|more
Chain INPUT (policy ACCEPT)
target prot opt source destination
FailSafe all -- 0.0.0.0/0 0.0.0.0/0
CountryLockouts tcp -- 0.0.0.0/0 0.0.0.0/0
PortDenies tcp -- 0.0.0.0/0 0.0.0.0/0
HostingLockouts tcp -- 0.0.0.0/0 0.0.0.0/0
Cyveillance tcp -- 0.0.0.0/0 0.0.0.0/0
Websense tcp -- 0.0.0.0/0 0.0.0.0/0
Verisign tcp -- 0.0.0.0/0 0.0.0.0/0
PicScout tcp -- 0.0.0.0/0 0.0.0.0/0
MSAzure tcp -- 0.0.0.0/0 0.0.0.0/0
MailLockouts tcp -- 0.0.0.0/0 0.0.0.0/0
WebLockouts tcp -- 0.0.0.0/0 0.0.0.0/0
ProblemIPs tcp -- 0.0.0.0/0 0.0.0.0/0
REJECT tcp -- 82.81.32.0/20 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 192.185.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT tcp -- 162.144.0.0/16 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ASKER
Mine looks like this:
default=/etc/default/iptables
if test -f $default; then
    . $default
fi

have_a_cow_man () {
    for i in $@; do
        if ! command -v "$i" >/dev/null 2>&1; then
            echo "Aborting iptables initd: no $i executable."
            exit 0
        fi
    done
}

iptables="/sbin/${iptables_command-iptables}"
iptables_save="${iptables}-save"
iptables_restore="${iptables}-restore"
have_a_cow_man "$iptables_save" "$iptables_restore"

libdir=/var/lib/iptables
autosave="${libdir}/autosave"
initd="$0"

initd_clear () {
    rm -f "$autosave"
    echo -n "Clearing iptables ruleset: default ACCEPT policy"
    $iptables_save | sed "/-/d;/^#/d;s/DROP/ACCEPT/" | $iptables_restore
    echo "."
}

initd_halt () {
    rm -f $autosave
    echo -n "Clearing iptables ruleset: default DROP policy"
    $iptables_save | sed "/-/d;/^#/d;s/ACCEPT/DROP/" | $iptables_restore
    echo "."
}

initd_load () {
    ruleset="$libdir/$@"
    if ! test -f "$ruleset"; then
        echo "Aborting iptables load: unknown ruleset, \"$@\"."
        # Only the two built-in names (active, inactive) are accepted
        # silently; any other unknown name shows the usage text.
        if ! test "${ruleset#${libdir}/}" = active -o "${ruleset#${libdir}/}" = inactive; then
            usage
        fi
        exit 0
    fi
    if test "${ruleset#${libdir}/}" = inactive; then
        initd_autosave
    fi
    rm -f "$autosave"
    echo -n "Loading iptables ruleset: load \"$@\""
    $iptables_restore < "$ruleset"
    echo "."
}

initd_counters () {
    if test "${enable_save_counters:-false}" = true; then
        echo -n " with counters"
        $iptables_save -c > "$ruleset"
    else
        $iptables_save | sed '/^:/s@\[[0-9]\{1,\}:[0-9]\{1,\}\]@[0:0]@g' > "$ruleset"
    fi
}

initd_save () {
    rm -f $autosave
    ruleset="${libdir}/$@"
    echo -n "Saving iptables ruleset: save \"$@\""
    initd_counters
    echo "."
}

initd_autosave () {
    if test -f $autosave -a ${enable_autosave-false} = true; then
        ruleset="${libdir}/active"
        echo -n "Autosaving iptables ruleset: save \"active\""
        initd_counters
        echo "."
    fi
}

usage () {
    current="$(ls -m /var/lib/iptables \
        | sed 's/ \{0,1\}autosave,\{0,1\} \{0,1\}//')"
    cat << END
$initd options:
  start|restart|reload|force-reload
    load the "active" ruleset
  save <ruleset>
    save the current ruleset
  load <ruleset>
    load a ruleset
  stop
    load the "inactive" ruleset
  clear
    remove all rules and user-defined chains, set default policy to ACCEPT
  halt
    remove all rules and user-defined chains, set default policy to DROP

Saved rulesets:
  $current

Please read: $default
END
}

case "$1" in
    start|restart|reload|force-reload)
        initd_load active
        if test ${enable_autosave-false} = true; then
            touch $autosave
        fi
        ;;
    stop)
        initd_load inactive
        ;;
    clear)
        initd_clear
        ;;
    halt)
        initd_halt
        ;;
    save)
        shift
        initd_save "$@"
        ;;
    load)
        shift
        initd_load "$@"
        ;;
    save_active) # legacy option
        initd_save active
        ;;
    save_inactive) # legacy option
        initd_save inactive
        ;;
    *)
        if test "$@"; then
            echo "Aborting iptables initd: unknown command(s): \"$@\"."
        fi
        usage
        ;;
esac
exit 0
ASKER
I have added it to the top; it still does not work.
Chain INPUT (policy DROP 32M packets, 2704M bytes)
pkts bytes target prot opt in out source destination
4 240 ACCEPT all -- * * 10.11.0.0/16 0.0.0.0/0
1773 122K ACCEPT all -- * * 10.10.20.219 0.0.0.0/0 /* Allow ssh from Mark S VM */
0 0 REJECT all -- * * 92.60.120.206 0.0.0.0/0 /* Reject David Hodgkinson IP */ reject-with icmp-port-unreachable
0 0 DROP all -- * * 10.10.10.238 0.0.0.0/0 /* Drop an IP from the old wifi network that has somehow resurrected */
21 1064 ACCEPT tcp -- * * 10.0.0.0/8 10.0.0.0/8 multiport dports 135,137:139 /* Allow netbios, AD, and DCOM internally */
5583K 527M ACCEPT udp -- * * 10.0.0.0/8 10.0.0.0/8 multiport dports 135,137:139 /* Allow netbios, AD, and DCOM internally */
47 6021 ACCEPT all -- * * 10.1.60.100 10.0.0.0/8 /* Allow traffic from DC to internal network */
4 463 ACCEPT all -- * * 10.1.60.101 10.0.0.0/8 /* Allow traffic from DC to internal network */
2793 218K ACCEPT udp -- * * 10.1.60.103 10.1.63.255 udp dpt:137 /* Allow 137 UDP for DFS to broadcast */
2059 471K ACCEPT udp -- * * 10.1.60.103 10.1.63.255 udp dpt:138 /* Allow 138 UDP for DFS to broadcast */
0 0 REJECT all -- * * 82.165.39.191 0.0.0.0/0 /* Block Drav from drav.net */ reject-with icmp-port-unreachable
0 0 REJECT all -- * * 217.37.187.185 0.0.0.0/0 /* Block Drav BT Infinity */ reject-with icmp-port-unreachable
0 0 REJECT all -- * * 82.13.52.73 0.0.0.0/0 /* Block Drav from Virginmedia */ reject-with icmp-port-unreachable
0 0 REJECT all -- * * 192.168.253.0/30 0.0.0.0/0 /* Block Drav's VPN address */ reject-with icmp-port-unreachable
32G 17T ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* allow established */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 state RELATED,ESTABLISHED /* Allow ping */
27M 2270M ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW,RELATED,ESTABLISHED
30M 2618M DENYALL all -- * * 0.0.0.0/0 0.0.0.0/0 /* Deny host chain */
45310 1816K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* Allow loopback */
2912K 151M ACCEPT all -- * * 10.1.63.254 224.0.0.0/24 /* Allow RIP from fw-gs */
56504 3393K OFFICEIN all -- * * 10.5.0.0/23 0.0.0.0/0 /* Watford Office Chain (from blades) */
22 3117 OFFICEIN all -- * * 10.8.0.0/24 0.0.0.0/0 /* Watford Office Chain (from blade dev segement) */
3441K 299M OFFICEIN all -- tun1 * 0.0.0.0/0 0.0.0.0/0 /* Watford Office Chain (from fw-gs tun interface) */
1243 69408 OFFICEIN all -- * * 31.221.16.130 0.0.0.0/0 /* Watford Office Chain (from office external address) */
689K 227M LOCALSSH all -- eth0 * 0.0.0.0/0 10.1.63.254 /* Local SSH Chain */
797K 35M REMOTESSH tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* Remote Access to SSH */
1 40 VPN all -- * * 192.168.248.0/21 0.0.0.0/0 /* Access from VPN */
457 27420 ACCEPT tcp -- eth0 * 10.1.50.225 0.0.0.0/0 tcp dpt:873 /* Allow Rsync from th-backup2 */
5226K 467M ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 ULOG copy_range 0 nlgroup 1 prefix `iptables INPUT denied: ' queue_threshold 1
ASKER
Hi
Thanks for all the advice, and I will be sure to do that, but for now it's kind of urgent that I allow this subnet.
Can anyone help me do this, please?
ASKER
Wow, if this is how much help you get on one of the most used products in Linux, I don't think I'll be renewing my subscription here.
ASKER CERTIFIED SOLUTION
Look at lines 7-13
You might want to add -i tun1 to the input rule since it seems
Your other issue is that you might be looking in the wrong place.
Look at what it is you have. The path is that a packet from 10.11. entering on tun1 is trying to leave over eth0 to get to 10.1.60.
Merely adding the entry to INPUT is not enough; you also need to add a rule to FORWARD with
Run
iptables -t nat -L --line-numbers
iptables -t filter -L --line-numbers
Note the deny log notes the chain that drops the packet.
GSFWD, BLADES?
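The diagnosis above (both IN= and OUT= are set in the log line, so the packet is being routed through the firewall, and the log prefix names the rule set that dropped it) can be checked mechanically. The POSIX shell script below is an added example, not code from the thread or from any answer in it: it parses iptables "denied" log lines in the format quoted in the question, reports the builtin chain the packet was traversing and the prefix that logged it, and prints the narrowest ACCEPT that would permit just that flow at position 1 of the right chain. The first two sample lines are the ones quoted in the question; the third (a locally delivered packet) is constructed to show the INPUT case, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: triage iptables "denied" log lines.
#   log_field KEY LINE  -> value of KEY=... in LINE (empty if absent)
#   log_path LINE       -> INPUT | OUTPUT | FORWARD, inferred from IN=/OUT=
#   log_prefix LINE     -> the word between "iptables " and " denied:" in the
#                          --log-prefix, i.e. which rule set logged the drop
#   suggest_rule LINE   -> a narrow, reviewable ACCEPT for exactly that flow
# Function names and output format are this example's own, not a tool's.

# Two of the log lines quoted in the question.
SAMPLE_GSFWD='Aug 30 18:34:23 fw-gs iptables GSFWD denied: IN=tun1 OUT=eth0 MAC= SRC=10.11.0.201 DST=10.1.60.50 LEN=60 TOS=00 PREC=0x00 TTL=60 ID=26312 DF PROTO=TCP SPT=47658 DPT=10050 SEQ=4127790723 ACK=0 WINDOW=29200 SYN URGP=0'
SAMPLE_BLADES='Aug 30 18:34:25 fw-gs iptables BLADES denied: IN=tun1 OUT=eth0 MAC= SRC=10.11.0.201 DST=10.1.60.50 LEN=60 TOS=00 PREC=0x00 TTL=60 ID=26313 DF PROTO=TCP SPT=47658 DPT=10050 SEQ=4127790723 ACK=0 WINDOW=29200 SYN URGP=0'
# Constructed line: same source, but addressed to the firewall itself
# (OUT= is empty), so it is judged in INPUT rather than FORWARD.
SAMPLE_LOCAL='Aug 30 18:40:00 fw-gs iptables INPUT denied: IN=tun1 OUT= MAC= SRC=10.11.0.201 DST=10.1.63.254 LEN=60 TOS=00 PREC=0x00 TTL=60 ID=7 DF PROTO=TCP SPT=50000 DPT=22 SEQ=1 ACK=0 WINDOW=29200 SYN URGP=0'

log_field() {
    # Split the line on spaces, keep the token that starts with "KEY=",
    # and strip the key. "MAC=" with nothing after it yields an empty value.
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

log_path() {
    in_if=$(log_field IN "$1")
    out_if=$(log_field OUT "$1")
    if [ -n "$in_if" ] && [ -n "$out_if" ]; then
        echo FORWARD      # arrived on one interface, leaving on another
    elif [ -n "$in_if" ]; then
        echo INPUT        # arrived here and is addressed to this host
    elif [ -n "$out_if" ]; then
        echo OUTPUT       # generated locally
    else
        echo UNKNOWN
    fi
}

log_prefix() {
    printf '%s\n' "$1" | sed -n 's/.*iptables \([^ ]*\) denied:.*/\1/p'
}

suggest_rule() {
    chain=$(log_path "$1")
    in_if=$(log_field IN "$1")
    src=$(log_field SRC "$1")
    dst=$(log_field DST "$1")
    proto=$(log_field PROTO "$1" | tr 'A-Z' 'a-z')
    dpt=$(log_field DPT "$1")
    # Position 1 so it precedes the jumps into the user-defined deny chains;
    # scoped to the ingress interface, source, destination and port seen.
    printf 'iptables -I %s 1 -i %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$chain" "$in_if" "$src" "$dst" "$proto" "$dpt"
}

for line in "$SAMPLE_GSFWD" "$SAMPLE_BLADES" "$SAMPLE_LOCAL"; do
    printf '%-7s logged by %-6s -> %s\n' \
        "$(log_path "$line")" "$(log_prefix "$line")" "$(suggest_rule "$line")"
done
```

For the two lines from the question the script reports FORWARD, which is why neither `-A INPUT` nor `-I INPUT 1` changed anything: the packets are never judged by INPUT at all. The prefix (GSFWD, BLADES) tells you which user-defined chain to inspect with `iptables -t filter -L FORWARD -n -v --line-numbers`, and any override has to sit before the jump into that chain. The suggested rule is deliberately per-flow; widening it to `-s 10.11.0.0/16` is a judgment call, because a blanket ACCEPT at position 1 bypasses every deny chain that follows it for that whole range.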
SOLUTION
Edit the iptables script that loads at startup and add your override rule at the beginning of the script file. The command you cited above adds the override at the end of the INPUT chain, after all other restrictions have been processed.