Solved

Help with IPTables

Posted on 2016-08-30
15
24 Views
Last Modified: 2016-09-19
Hi, I have an iptables firewall which was here before I started the job; it's set up very strangely and not by the book.

I have a new IP range, 10.11.0.0, which I need to have access to the iptables network and override all block rules.

At the moment I see things like this in the logs:

Aug 30 18:34:23 fw-gs iptables GSFWD denied:  IN=tun1 OUT=eth0 MAC= SRC=10.11.0.201 DST=10.1.60.50 LEN=60 TOS=00 PREC=0x00 TTL=60 ID=26312 DF PROTO=TCP SPT=47658 DPT=10050 SEQ=4127790723 ACK=0 WINDOW=29200 SYN URGP=0
Aug 30 18:34:25 fw-gs iptables BLADES denied:  IN=tun1 OUT=eth0 MAC= SRC=10.11.0.201 DST=10.1.60.50 LEN=60 TOS=00 PREC=0x00 TTL=60 ID=26313 DF PROTO=TCP SPT=47658 DPT=10050 SEQ=4127790723 ACK=0 WINDOW=29200 SYN URGP=0
Aug 30 18:34:25 fw-gs iptables GSFWD denied:  IN=tun1 OUT=eth0 MAC= SRC=10.11.0.201 DST=10.1.60.50 LEN=60 TOS=00 PREC=0x00 TTL=60 ID=26313 DF PROTO=TCP SPT=47658 DPT=10050 SEQ=4127

I need a way to override and allow access to everything from 10.11.0.0

I have tried the command iptables -A INPUT -s 10.11.0.0/16 -j ACCEPT

but still see things like

Aug 30 18:37:33 fw-gs iptables GSFWD denied:  IN=tun1 OUT=eth0 MAC= SRC=10.11.0.201 DST=10.1.60.50 LEN=60 TOS=00 PREC=0x00 TTL=60 ID=6274 DF PROTO=TCP SPT=48066 DPT=10050 SEQ=488128362 ACK=0 WINDOW=29200 SYN URGP=0


Many Thanks

Chris
Question by:Chris Leonard
15 Comments
 
LVL 23

Expert Comment

by:Dr. Klahn
ID: 41776769
Assuming that your iptables rules are loaded at boot time from a script file ...

Edit the iptables script that loads at startup and add your override rule at the beginning of the script file.  The command you cited above adds the override at the end of the INPUT chain, after all other restrictions have been processed.
0
 

Author Comment

by:Chris Leonard
ID: 41776771
Hi, how do I do this? I don't think this one is a script file...

I have to do all from command line.
0
 

Author Comment

by:Chris Leonard
ID: 41776796
I just need to know how to allow a whole subnet over all of my chains?
0
 
LVL 23

Expert Comment

by:Dr. Klahn
ID: 41776812
You're loading all your iptables rules manually each time the system is rebooted?
0
 

Author Comment

by:Chris Leonard
ID: 41776818
No, but I can't find the .rules file?

I have tried this iptables -I INPUT 1 -s 10.11.0.0/16 -j ACCEPT

It did nothing, all the other chains are denying that subnet.
0
 
LVL 23

Expert Comment

by:Dr. Klahn
ID: 41776852
You need to find where the iptables rules are being loaded, and then insert the override as the very first rule.

Once rules have been inserted into INPUT, the override cannot be done.

An example from a Debian / Ubuntu system, which should work on most variants of Linux.

Look in /etc/init.d for a boot script called iptables.  The one below loads script files from /etc/iptables one at a time in numerical sequence.  This allows multiple chains hanging off INPUT, and eliminates tampering with INPUT.

/etc/init.d/iptables

#!/bin/bash
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    networking pdnsd ntpdate dnsclient
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description:  Start iptables packet filtering
# Description:
#       Start iptables packet filtering and load the rules
#       from the rules files in /etc/iptables
### END INIT INFO

# init.d script for iptables on a Debian 2.6 system
#
# IF THERE IS AN EXISTING IPTABLES SCRIPT IN /etc/init.d THAT
# YOU WANT TO KEEP, COPY IT SOMEWHERE SAFE BEFORE PROCEEDING.
#
# 1.  Remove any existing script
#     rm /etc/init.d/iptables
# 2.  Remove any existing links in the rc.d directories
#     update-rc.d -f iptables remove
# 3.  Copy this file to /etc/init.d as iptables
#     cp this-file-name /etc/init.d/iptables
# 4.  Create links to run this script just after networking
#     is started or stopped
#     update-rc.d iptables start 41 S . stop 36 0 1 6 .
# 5.  Create the directory /etc/iptables.  This is where
#     the iptables script files are located.
# 6.  Create shell script files in /etc/iptables.  These
#     files are named script00.sh, script01.sh, ... (two-digit
#     suffix, see ipstart below).  They are run in ascending
#     order, beginning with script00.sh, until there is no
#     next file.
# 7.  If your iptables commands are unchanging, install them
#     in the scriptNN.sh file.  If your iptables commands are,
#     say, perl scripts, use the scriptNN.sh file to kick off
#     perl.


PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
iptloc="/sbin/iptables"
scrloc="/etc/iptables"
declare -i scrno1=0
declare -i scrno2=0
declare -i sfail=0

# ==================================================
# ipusage()
# Display instructions for use
#

ipusage () {
  echo "$0 options:"
  echo "  start|restart|reload|force-reload"
  echo "    Clear all tables"
  echo "    Set table filter default policy ACCEPT"
  echo "    Run scripts in $scrloc"
  echo "  stop|clear|halt"
  echo "    Clear all tables"
  echo "    Set table filter default policy ACCEPT"
}

# ==================================================
# ipclear()
#
# - Clear all tables
# - Set table filter default policy ACCEPT
#

ipclear () {
  echo "Stopping iptables packet filtering"
# Clear all tables
  echo "  Clear all tables"
  $iptloc -F
# Set table filter default policy ACCEPT
  echo "  Set table filter default policy ACCEPT"
  $iptloc -t filter -P INPUT ACCEPT
  $iptloc -t filter -P OUTPUT ACCEPT
  $iptloc -t filter -P FORWARD ACCEPT
  echo "  Done"
}

# ==================================================
# ipstart()
#
# - Clear all tables
# - Set table filter default policy ACCEPT

ipstart() {
  echo "Starting iptables packet filtering"
# Clear all tables
  echo "  Clear all tables"
  $iptloc -F
# Set table filter default policy ACCEPT
  echo "  Set table filter default policy ACCEPT"
  $iptloc -t filter -P INPUT ACCEPT
  $iptloc -t filter -P OUTPUT ACCEPT
  $iptloc -t filter -P FORWARD ACCEPT
# Test for existence of the script directory
  if [ ! -e $scrloc ]
  then
    echo "  Warning - Script directory $scrloc missing"
    exit 1
  fi
# Scan for script files and run them in order
  until [ ! -e $scrloc/script$scrno2$scrno1.sh ]
  do
    # Check that the script is executable
    if [ ! -x $scrloc/script$scrno2$scrno1.sh ]
    then
      # If not, report it and remember the error
      echo "  Warning - $scrloc/script$scrno2$scrno1.sh is not executable"
      sfail=1
    else
      # Run the script file
      echo -n "  Run $scrloc/script$scrno2$scrno1.sh ... "
      $scrloc/script$scrno2$scrno1.sh
      if [ $? -eq 0 ]
      then
        # End the line showing success
        echo "ok"
      else
        # End the line showing failure, and remember it
        echo "FAILED"
        sfail=1
      fi
    fi
    scrno1=scrno1+1
    if [ $scrno1 -eq 10 ]
    then
      scrno1=0
      scrno2=scrno2+1
    fi
  done
  echo "  Done"
}

# ==================================================
# Dispatcher
# Parse the command line and dispatch handler routines
#

case "$1" in
  start|restart|reload|force-reload)
    ipstart
    exit $sfail
  ;;
  stop|halt|clear)
    ipclear
    exit 0
  ;;
  usage)
    ipusage
    exit 0
  ;;
  *)
    echo "$0: Unknown command <$*>"
    ipusage
    exit 1
  ;;
esac
exit 0



Then insert your override commands in the script00.sh file:

#!/bin/bash
# /etc/iptables/script00.sh
#
# This script is executed first when /etc/init.d/iptables is
# called during the startup process.
#
# The iptables rules in this file prevent network lockout
# by the system administrators.  This is necessary in case
# a rule added later were to lock out the administrators.

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
iptloc="/sbin/iptables"
declare -i sfail=0

# Flush all rules from any pre-existing copy of the chain
# ($iptloc -F FailSafe); error messages are suppressed because
# the chain does not exist yet on the first run
$iptloc -F FailSafe > /dev/null 2> /dev/null

# Delete the (now empty) pre-existing chain itself
# ($iptloc -X FailSafe); error messages suppressed as above
$iptloc -X FailSafe > /dev/null 2> /dev/null

# Declare a new iptables chain for these rules
$iptloc -t filter -N FailSafe
sfail=sfail+$?


# ================================
# Port 22, ssh, the secure remote shell port

# 192.168.0, for access from within a 192.168.0 LAN
$iptloc -t filter -A FailSafe -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
sfail=sfail+$?

# Drop ssh connections coming from anywhere else
$iptloc -t filter -A FailSafe -p tcp --dport 22 -j DROP
sfail=sfail+$?


# ================================
# Port 110, the POP3 mail client remote access port

# 192.168.0, for access from within a 192.168.0 LAN
$iptloc -t filter -A FailSafe -s 192.168.0.0/24 -p tcp --dport 110 -j ACCEPT
sfail=sfail+$?

# Drop POP3 connections coming from anywhere else
$iptloc -t filter -A FailSafe -p tcp --dport 110 -j DROP
sfail=sfail+$?


# ================================
# Return to the calling chain
$iptloc -t filter -A FailSafe -j RETURN
sfail=sfail+$?

# Now insert a call to this chain at the top of INPUT
$iptloc -I INPUT 1 -j FailSafe
sfail=sfail+$?

exit $sfail



This results in a neat and manageable set of iptables rules in several different files, only one of which need be edited at any given time:

root@www:/etc/iptables# iptables -L -n|more
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
FailSafe   all  --  0.0.0.0/0            0.0.0.0/0
CountryLockouts  tcp  --  0.0.0.0/0            0.0.0.0/0
PortDenies  tcp  --  0.0.0.0/0            0.0.0.0/0
HostingLockouts  tcp  --  0.0.0.0/0            0.0.0.0/0
Cyveillance  tcp  --  0.0.0.0/0            0.0.0.0/0
Websense   tcp  --  0.0.0.0/0            0.0.0.0/0
Verisign   tcp  --  0.0.0.0/0            0.0.0.0/0
PicScout   tcp  --  0.0.0.0/0            0.0.0.0/0
MSAzure    tcp  --  0.0.0.0/0            0.0.0.0/0
MailLockouts  tcp  --  0.0.0.0/0            0.0.0.0/0
WebLockouts  tcp  --  0.0.0.0/0            0.0.0.0/0
ProblemIPs  tcp  --  0.0.0.0/0            0.0.0.0/0
REJECT     tcp  --  82.81.32.0/20        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     tcp  --  192.185.0.0/16       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     tcp  --  162.144.0.0/16       0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


0
 

Author Comment

by:Chris Leonard
ID: 41776860
Mine looks like this:

default=/etc/default/iptables
if test -f $default; then
  . $default
fi
  
have_a_cow_man () {
  for i in "$@"; do
    if ! command -v "$i" >/dev/null 2>&1; then
      echo "Aborting iptables initd: no $i executable."
      exit 0
    fi
  done
}

iptables="/sbin/${iptables_command-iptables}"
iptables_save="${iptables}-save"
iptables_restore="${iptables}-restore"

have_a_cow_man "$iptables_save" "$iptables_restore"

libdir=/var/lib/iptables
autosave="${libdir}/autosave"
initd="$0"

initd_clear () {
  rm -f "$autosave"
  echo -n "Clearing iptables ruleset: default ACCEPT policy"
  $iptables_save | sed "/-/d;/^#/d;s/DROP/ACCEPT/" | $iptables_restore
  echo "."
}

initd_halt () {
  rm -f $autosave
  echo -n "Clearing iptables ruleset: default DROP policy"
  $iptables_save | sed "/-/d;/^#/d;s/ACCEPT/DROP/" | $iptables_restore
  echo "."
}

initd_load () {
  ruleset="$libdir/$@"
  if ! test -f "$ruleset"; then
    echo "Aborting iptables load: unknown ruleset, \"$@\"."
    # Show usage only for names other than active/inactive (those just
    # mean the file is missing); the original "-o inactive" was always true
    if ! test "${ruleset#${libdir}/}" = active -o "${ruleset#${libdir}/}" = inactive; then
        usage
    fi
    exit 0
  fi
  if test "${ruleset#${libdir}/}" = inactive; then
    initd_autosave
  fi
  rm -f "$autosave"
  echo -n "Loading iptables ruleset: load \"$@\""
  $iptables_restore < "$ruleset"
  echo "."
}

initd_counters () {
  if test "${enable_save_counters:-false}" = true; then
    echo -n " with counters"
    $iptables_save -c > "$ruleset"
  else
    $iptables_save | sed '/^:/s@\[[0-9]\{1,\}:[0-9]\{1,\}\]@[0:0]@g'  > "$ruleset"
  fi
}

initd_save () {
  rm -f $autosave
  ruleset="${libdir}/$@"
  echo -n "Saving iptables ruleset: save \"$@\""
  initd_counters
  echo "."
}

initd_autosave () {
  if test -f $autosave -a ${enable_autosave-false} = true; then
    ruleset="${libdir}/active"
    echo -n "Autosaving iptables ruleset: save \"active\""
    initd_counters
    echo "."
  fi
}

usage () {
  current="$(ls -m /var/lib/iptables \
    | sed 's/ \{0,1\}autosave,\{0,1\} \{0,1\}//')"
cat << END
$initd options:
  start|restart|reload|force-reload
     load the "active" ruleset
  save <ruleset>
     save the current ruleset
  load <ruleset>
     load a ruleset
  stop
     load the "inactive" ruleset
  clear
     remove all rules and user-defined chains, set default policy to ACCEPT
  halt
     remove all rules and user-defined chains, set default policy to DROP

Saved rulesets:
  $current

Please read: $default

END
}

case "$1" in
  start|restart|reload|force-reload)
    initd_load active
    if test ${enable_autosave-false} = true; then
      touch $autosave
    fi
    ;;
  stop)
    initd_load inactive
    ;;
  clear)
    initd_clear
    ;;
  halt)
    initd_halt
    ;;
  save)
    shift
    initd_save "$@"
    ;;
  load)
    shift
    initd_load "$@"
    ;;
  save_active) #legacy option
    initd_save active
    ;;
  save_inactive) #legacy option
    initd_save inactive
    ;;
  *)
    if test "$@"; then
      echo "Aborting iptables initd: unknown command(s): \"$@\"."
    fi
    usage
    ;;
esac

exit 0


0

Author Comment

by:Chris Leonard
ID: 41776869
I have added it to the top; it still does not work:

Chain INPUT (policy DROP 32M packets, 2704M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   240 ACCEPT     all  --  *      *       10.11.0.0/16         0.0.0.0/0           
 1773  122K ACCEPT     all  --  *      *       10.10.20.219         0.0.0.0/0           /* Allow ssh from Mark S VM */ 
    0     0 REJECT     all  --  *      *       92.60.120.206        0.0.0.0/0           /* Reject David Hodgkinson IP */ reject-with icmp-port-unreachable 
    0     0 DROP       all  --  *      *       10.10.10.238         0.0.0.0/0           /* Drop an IP from the old wifi network that has somehow resurrected */ 
   21  1064 ACCEPT     tcp  --  *      *       10.0.0.0/8           10.0.0.0/8          multiport dports 135,137:139 /* Allow netbios, AD, and DCOM internally */ 
5583K  527M ACCEPT     udp  --  *      *       10.0.0.0/8           10.0.0.0/8          multiport dports 135,137:139 /* Allow netbios, AD, and DCOM internally */ 
   47  6021 ACCEPT     all  --  *      *       10.1.60.100          10.0.0.0/8          /* Allow traffic from DC to internal network */ 
    4   463 ACCEPT     all  --  *      *       10.1.60.101          10.0.0.0/8          /* Allow traffic from DC to internal network */ 
 2793  218K ACCEPT     udp  --  *      *       10.1.60.103          10.1.63.255         udp dpt:137 /* Allow 137 UDP for DFS to broadcast */ 
 2059  471K ACCEPT     udp  --  *      *       10.1.60.103          10.1.63.255         udp dpt:138 /* Allow 138 UDP for DFS to broadcast */ 
    0     0 REJECT     all  --  *      *       82.165.39.191        0.0.0.0/0           /* Block Drav from drav.net */ reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       217.37.187.185       0.0.0.0/0           /* Block Drav BT Infinity */ reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       82.13.52.73          0.0.0.0/0           /* Block Drav from Virginmedia */ reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  *      *       192.168.253.0/30     0.0.0.0/0           /* Block Drav's VPN address */ reject-with icmp-port-unreachable 
  32G   17T ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED /* allow established */ 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0 state RELATED,ESTABLISHED /* Allow ping */ 
  27M 2270M ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 state NEW,RELATED,ESTABLISHED 
  30M 2618M DENYALL    all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* Deny host chain */ 
45310 1816K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           /* Allow loopback */ 
2912K  151M ACCEPT     all  --  *      *       10.1.63.254          224.0.0.0/24        /* Allow RIP from fw-gs */ 
56504 3393K OFFICEIN   all  --  *      *       10.5.0.0/23          0.0.0.0/0           /* Watford Office Chain (from blades) */ 
   22  3117 OFFICEIN   all  --  *      *       10.8.0.0/24          0.0.0.0/0           /* Watford Office Chain (from blade dev segement) */ 
3441K  299M OFFICEIN   all  --  tun1   *       0.0.0.0/0            0.0.0.0/0           /* Watford Office Chain (from fw-gs tun interface) */ 
 1243 69408 OFFICEIN   all  --  *      *       31.221.16.130        0.0.0.0/0           /* Watford Office Chain (from office external address) */ 
 689K  227M LOCALSSH   all  --  eth0   *       0.0.0.0/0            10.1.63.254         /* Local SSH Chain */ 
 797K   35M REMOTESSH  tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 /* Remote Access to SSH */ 
    1    40 VPN        all  --  *      *       192.168.248.0/21     0.0.0.0/0           /* Access from VPN */ 
  457 27420 ACCEPT     tcp  --  eth0   *       10.1.50.225          0.0.0.0/0           tcp dpt:873 /* Allow Rsync from th-backup2 */ 
5226K  467M ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 5 ULOG copy_range 0 nlgroup 1 prefix `iptables INPUT denied: ' queue_threshold 1 


0
 
LVL 23

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 200 total points (awarded by participants)
ID: 41776873
This expert suggested creating a Gigs project.
Your system is using iptables save and restore, not script files.  Suggest that you find a Linux expert who can convert them to script files.  IMO it will be simpler to support, both for yourself and the next system maintainer who has to deal with it.
0
 

Author Comment

by:Chris Leonard
ID: 41777020
Hi

Thanks for all the advice and I will be sure to do that, but for now it's kind of urgent that I allow this subnet.

Can anyone help me do this please?
0
 

Author Comment

by:Chris Leonard
ID: 41777108
Wow if this is how much help you get on one of the most used products in Linux I don't think I'll be renewing my subscription here.
0
 
LVL 27

Accepted Solution

by:
serialband earned 200 total points (awarded by participants)
ID: 41777391
iptables-save tends to save it to a file named iptables-save.  Your script looks like it creates a file named autosave.

Line 66 starts your save function and it looks like your save file exists in ${libdir}, which is set on line 21 libdir=/var/lib/iptables

I suggest you look in /var/lib/iptables/ for your iptables save file.

P.S.
I never liked that gig idea.  It distracts from the original question and answer format.
1
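Following serialband's pointer to the save file, here is an added example (not the thread's code) that puts an override in as the first rule of a chain in an iptables-save format file such as /var/lib/iptables/active, without touching the live rules; the sample ruleset is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. iptables-restore replays the "-A"
# lines of a saved ruleset in file order, so the first "-A CHAIN" line in the
# file becomes rule 1 of CHAIN. Edit the file, review it, then load it with
# iptables-restore (or the init script's "load active").

# insert_first_rule FILE CHAIN RULE
# Refuses if CHAIN is not declared in the filter table, does nothing if RULE
# is already present, otherwise writes RULE before the chain's first "-A" line
# (or before COMMIT when the chain has no rules yet).
insert_first_rule() {
  file="$1" chain="$2" rule="$3"
  if ! grep -q -e "^:$chain " "$file"; then
    echo "insert_first_rule: chain $chain is not declared in $file" >&2
    return 1
  fi
  if grep -qFx -e "$rule" "$file"; then
    return 0                                 # idempotent: already there
  fi
  tmp="$file.tmp.$$"
  awk -v chain="$chain" -v rule="$rule" '
    /^\*/ { table = substr($0, 2) }          # *filter, *nat, *mangle ...
    table == "filter" && !done &&
      ($0 ~ ("^-A " chain " ") || $0 == "COMMIT") { print rule; done = 1 }
    { print }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# first_rule FILE CHAIN -> the line that will become rule 1 of CHAIN
first_rule() {
  awk -v chain="$2" '$0 ~ ("^-A " chain " ") { print; exit }' "$1"
}

# Constructed sample ruleset in the iptables-save format
write_sample_ruleset() {
  cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GSFWD - [0:0]
-A INPUT -s 10.10.20.219/32 -j ACCEPT
-A FORWARD -i tun1 -j GSFWD
-A GSFWD -j DROP
COMMIT
EOF
}

# Demonstration on the constructed file: override for 10.11.0.0/16 on tun1
f=$(mktemp)
write_sample_ruleset "$f"
insert_first_rule "$f" FORWARD '-A FORWARD -i tun1 -s 10.11.0.0/16 -j ACCEPT'
insert_first_rule "$f" INPUT   '-A INPUT -i tun1 -s 10.11.0.0/16 -j ACCEPT'
cat "$f"      # review, then on the firewall: iptables-restore < "$f"
rm -f "$f"
```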
 
LVL 76

Expert Comment

by:arnold
ID: 41777807
Look at lines 7-13

You might want to add -i tun1 to the input rule since it seems

Your other issue is that you might be looking in the wrong place.
Look at what it is you have.  The path is that a packet from 10.11.x entering on tun1 is trying to leave over eth0 to get to 10.1.60.x.

Merely adding the entry to input you need to also add a rule to forward with



Run
iptables -t nat -L --line-numbers
iptables -t filter -L --line-numbers

Note the deny log line notes the chain that drops the packet:
GSFWD, BLADES?
0
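Arnold's point above, as an added example that is not code from the thread: a POSIX sh helper that reads the IN=/OUT= fields of the log lines quoted in the question and works out which built-in chain the packet traversed. It assumes the log prefix form "iptables <CHAIN> denied:" visible in the listing; the sample line is constructed from the question's own lines.

```shell
#!/bin/sh
# Added example, not code from the thread: read the IN=/OUT= fields of an
# iptables LOG line and work out which built-in chain the packet traversed.
# Both IN= and OUT= set means the packet was routed through the box, so it
# hit FORWARD, and no INPUT rule can ever match it.

# Constructed sample in the shape of the lines quoted in the question
SAMPLE='Aug 30 18:34:23 fw-gs iptables GSFWD denied:  IN=tun1 OUT=eth0 MAC= SRC=10.11.0.201 DST=10.1.60.50 LEN=60 TOS=00 PREC=0x00 TTL=60 ID=26312 DF PROTO=TCP SPT=47658 DPT=10050 SEQ=4127790723 ACK=0 WINDOW=29200 SYN URGP=0'

# field KEY LINE -> value of "KEY=" in LINE (empty when the field is unset,
# as with "OUT=" on a locally delivered packet)
field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# logging_chain LINE -> the user chain named in the log prefix; this
# firewall's prefixes have the form "iptables <CHAIN> denied:"
logging_chain() {
  printf '%s\n' "$1" | sed -n 's/.*iptables \([^ ]*\) denied:.*/\1/p'
}

# chain_for LINE -> INPUT, OUTPUT or FORWARD, from which interfaces are set
chain_for() {
  in_if=$(field IN "$1")
  out_if=$(field OUT "$1")
  if [ -n "$in_if" ] && [ -n "$out_if" ]; then echo FORWARD
  elif [ -n "$in_if" ]; then echo INPUT
  elif [ -n "$out_if" ]; then echo OUTPUT
  else return 1
  fi
}

# in_net_10_11 ADDR -> success if ADDR is inside 10.11.0.0/16 (a /16 on an
# octet boundary reduces to a prefix test on the dotted quad)
in_net_10_11() {
  case "$1" in 10.11.*) return 0 ;; *) return 1 ;; esac
}

# override_rule LINE -> the command that would actually match this traffic:
# the chain the packet really traverses, pinned to its ingress interface
override_rule() {
  in_net_10_11 "$(field SRC "$1")" || return 1   # not this range's traffic
  chain=$(chain_for "$1") || return 1
  case "$chain" in
    INPUT|FORWARD)
      printf 'iptables -I %s 1 -i %s -s 10.11.0.0/16 -j ACCEPT\n' \
        "$chain" "$(field IN "$1")" ;;
    *) return 1 ;;                              # OUTPUT has no ingress side
  esac
}

echo "logged by chain: $(logging_chain "$SAMPLE")"
echo "traversed:       $(chain_for "$SAMPLE")"
echo "override:        $(override_rule "$SAMPLE")"
```

Run against the three lines in the question, every one reports FORWARD, which is why the INPUT rule only ever counted 4 packets in the listing.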
 
LVL 76

Assisted Solution

by:arnold
arnold earned 100 total points (awarded by participants)
ID: 41777819
See if you can use fwbuilder or big rots to manage your rules
Usually input is one place, output, forward, etc ....
The two requests to view the rules in the nat space (-t nat) and the other (-t filter)
There are other DNAT, SNAT, MANGLE..
Presumably this is a Linux as a router setup
0
 
LVL 23

Expert Comment

by:Dr. Klahn
ID: 41804474
Auto requested close
0
