Thread: iptables problem

iptables problem
2006-12-20 12:52:07
Hi, I want to check the errors and the recommendations in my iptables rules. Here it is:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:imap
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https
LOG        all  --  anywhere             anywhere             LOG level warning
ACCEPT     tcp  --  192.168.1.0/24       anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp state NEW
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere             tcp spt:31337 dpt:31337

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.1.0/24       anywhere             tcp dpt:smtp
DROP       tcp  --  anywhere             anywhere             tcp spt:31337 dpt:31337
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
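As an added example (not code from any post in this thread), the following Python linter reads an `iptables -L` listing like the one above and reports the mistakes the replies go on to point out: a blanket ACCEPT of state NEW in a chain whose policy is DROP, ACCEPT rules keyed only on a source port (the remote client chooses its own source port, so such a rule admits anything that sets it), a LOG rule that is not last, catch-all rules that make everything after them unreachable, and ACCEPT rules that are redundant under an ACCEPT policy. The sample listing embedded in the script is constructed here from the rules in the post, one rule per line as `iptables -L` prints them.

```python
"""Lint an `iptables -L` listing for the ordering and matching mistakes discussed
in this thread.  Added example, not code from any of the posts."""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "target proto src dst extra")   # extra = trailing match text
ANY = {"anywhere", "0.0.0.0/0"}   # how `iptables -L` (and -L -n) print an open address
DPORT = re.compile(r"\bdpts?:(\S+)")


def parse_listing(text):
    """Parse `iptables -L` output (one rule per line) into {chain: (policy, [Rule])}."""
    chains, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        hdr = re.match(r"Chain (\S+) \(policy (\w+)", line)
        if hdr:
            cur = chains[hdr.group(1)] = (hdr.group(2), [])
            continue
        if not line or line.startswith("target") or cur is None:
            continue
        parts = line.split(None, 5)   # target prot opt source destination [matches]
        if len(parts) >= 5:
            cur[1].append(Rule(parts[0], parts[1], parts[3], parts[4],
                               parts[5] if len(parts) == 6 else ""))
    return chains


def catch_all(r, ignore=""):
    """True when the rule matches every packet (optionally ignoring one match text)."""
    return (r.proto == "all" and r.src in ANY and r.dst in ANY
            and r.extra.replace(ignore, "").strip() == "")


def redundant_accept(r, later):
    """An ACCEPT under an ACCEPT policy only matters if a later DROP/REJECT could
    match the same packet; two rules on different dports never overlap."""
    mine = DPORT.search(r.extra)
    for d in later:
        if d.target in ("DROP", "REJECT"):
            theirs = DPORT.search(d.extra)
            if not (mine and theirs) or mine.group(1) == theirs.group(1):
                return False
    return True


def lint(text):
    """Return one finding string per problem, in chain order."""
    findings = []
    for name, (policy, rules) in parse_listing(text).items():
        for i, r in enumerate(rules, 1):
            later, where = rules[i:], f"{name} #{i}"
            if policy == "DROP" and r.target == "ACCEPT" and catch_all(r, "state NEW"):
                findings.append(f"{where}: ACCEPT of every NEW connection from anywhere; "
                                "the DROP policy never applies")
            if (r.target == "ACCEPT" and "spt:" in r.extra
                    and "dpt:" not in r.extra and "state" not in r.extra):
                findings.append(f"{where}: ACCEPT keyed on source port only ({r.extra}); "
                                "the client chooses that port")
            if r.target == "LOG" and later:
                findings.append(f"{where}: LOG is not last; it also logs what "
                                f"{len(later)} later rule(s) accept")
            if catch_all(r) and later:
                findings.append(f"{where}: catch-all {r.target} leaves "
                                f"{len(later)} later rule(s) unreachable")
            if policy == "ACCEPT" and r.target == "ACCEPT" and redundant_accept(r, later):
                findings.append(f"{where}: redundant ACCEPT, the chain policy is already ACCEPT")
    return findings


# Constructed sample: the listing from the post above, one rule per line.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:imap
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https
LOG        all  --  anywhere             anywhere             LOG level warning
ACCEPT     tcp  --  192.168.1.0/24       anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp state NEW
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere             tcp spt:31337 dpt:31337

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.1.0/24       anywhere             tcp dpt:smtp
DROP       tcp  --  anywhere             anywhere             tcp spt:31337 dpt:31337
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_LISTING):
        print(finding)
```

Against the sample this reports fourteen findings: the NEW rule and the five source-port rules in INPUT, the misplaced LOG, the two catch-all ACCEPTs in FORWARD that make the 31337 DROP dead, and the five ACCEPTs in OUTPUT that do nothing under an ACCEPT policy. To run it on a live box, save `iptables -L` (or `iptables -L -n`) to a file and pass its contents to `lint()`. The redundancy check is deliberately conservative: an ACCEPT is only called redundant when every later DROP or REJECT in that chain names a different destination port, so it never hides an ACCEPT that genuinely bypasses a later deny.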

iptables problem
2006-12-20 15:23:05
Quoting tamer amr <tamer_linux@yahoo.com>:
> Hi, I want to check the errors and the recommendations in my iptables rules.
Well, it's obvious you have no idea how to configure the firewall.
Those rules make no sense at all, and will accept pretty much everything.
My advice: either read the documentation or use some GUI to generate firewall rules for you.

iptables problem
2006-12-20 15:48:22
tamer amr wrote:
> Hi, I want to check the errors and the recommendations in my iptables rules.
>
> Here it is:
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
>
This line you don't want, because it will grant access to every newly started communication:
> ACCEPT     all  --  anywhere             anywhere             state NEW
>
These are good:
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http
> ACCEPT     tcp  --  anywhere             anywhere             tcp spt:imap
>
You might want to check whether your name server uses the standard port 53 for communication. I use bind and I know you can force it to use only the standard port for communication.
> ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain
>
Are you sure you want public IPs to access bootps? You might want to restrict it further to a source IP net range.
> ACCEPT     tcp  --  anywhere             anywhere             tcp spt:bootps
> ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https
>
The logging rule should be last, so as to catch only packets that do not conform to any rule.
> LOG        all  --  anywhere             anywhere             LOG level warning
>
Here you can merge the next two rules into just one:
*iptables -A INPUT -p tcp --dport 25 -j ACCEPT*
> ACCEPT     tcp  --  192.168.1.0/24       anywhere             tcp dpt:smtp
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp state NEW
>
I think the next rule was written by a configuration wizard, but it doesn't make sense in this config. It should be deleted; let the chain policy have its way with the packets unmatched so far.
> DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
>
Why do you want to drop this port?
> DROP       tcp  --  anywhere             anywhere             tcp spt:31337 dpt:31337
>
> Chain OUTPUT (policy ACCEPT)
>
I already told you: as long as you have an ACCEPT policy on the chain, it's useless to specify further ACCEPT rules.
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
> ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http state RELATED,ESTABLISHED
> ACCEPT     tcp  --  192.168.1.0/24       anywhere             tcp dpt:smtp
> DROP       tcp  --  anywhere             anywhere             tcp spt:31337 dpt:31337
>
I think you should do something else. You should erase all your existing rules and start your own. Take a pen and paper and write down all the services on the machine. Then for each and every service write the policy for local and external IPs. Then use the table to create your rules. I get the feeling that you didn't quite get the grasp of filtering, and so you should start from 0.

Say I have a server that runs services for web, mail, domain, time and is also a gateway (I will use masquerading for the last, although you can use plain NAT). Start by writing down the services and identifying the ports used for them:

mail (25)
http (80)
https (443)
domain (53)
time (123)
masquerading

Next write down how they should be accessed:

Service               WAN              LAN
mail (tcp 25)         accessible       accessible
domain (tcp&udp 53)   accessible       accessible
http (tcp 80)         accessible       accessible
https (tcp 443)       accessible       not accessible
time (udp 123)        not accessible   accessible
masquerading          not accessible   accessible

This is how your table should look. Next, based on this table, write your rules:
#!/bin/sh
# Give some credits to Lord of Gore <lordofgore@logsoftgrup.ro> )
# First I will define some variables to make the script more portable:
localnet=192.168.1.0/24
localip=192.168.1.1
externalip=55.66.77.88
externalinterface=eth0
localinterface=eth1
ipt=/sbin/iptables

# first let's tidy up
$ipt -F INPUT
$ipt -F OUTPUT
$ipt -F FORWARD
$ipt -t nat -F PREROUTING
$ipt -t nat -F POSTROUTING

# here I set the policy for the input chain
$ipt -P INPUT DROP
# first of all I want to allow communication for my server's software
$ipt -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
# next I will allow communication for mail from the external and internal net
# (this means everyone)
$ipt -A INPUT -s 0.0.0.0/0 -p tcp --dport 25 -j ACCEPT
# allow domain from everywhere
$ipt -A INPUT -s 0.0.0.0/0 -p tcp --dport 53 -j ACCEPT
$ipt -A INPUT -s 0.0.0.0/0 -p udp --dport 53 -j ACCEPT
# allow http from everywhere
$ipt -A INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT
# allow https only from outside. I can't write down all the world's IPs in my
# script, so I will REJECT local IPs. I will REJECT because I don't want my
# machines to wait for a timeout
$ipt -A INPUT -s $localnet -p tcp --dport 443 -i $localinterface -j REJECT
# ... and ACCEPT it on the external interface
$ipt -A INPUT -p tcp --dport 443 -i $externalinterface -j ACCEPT
# time accessible only from the local net
$ipt -A INPUT -s $localnet -p udp --dport 123 -i $localinterface -j ACCEPT
# all packets that do not match the rules so far will be logged:
$ipt -A INPUT -j LOG --log-prefix "chain INPUT"

# next is FORWARD
$ipt -P FORWARD DROP
# accept forwarding originating only from localnet
$ipt -A FORWARD -s $localnet -j ACCEPT
# accept packets matching an existing connection
$ipt -A FORWARD -s 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# and of course logging, for debugging and other purposes:
$ipt -A FORWARD -j LOG --log-prefix "chain FWD"

# Although in strict environments the same should be done with the OUTPUT
# chain, I will consider this as not being a strict environment
$ipt -P OUTPUT ACCEPT

# masquerading is done in a single line
$ipt -t nat -A POSTROUTING -s $localnet -o $externalinterface -j MASQUERADE
# enable forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
# all this you can paste inside a file, chmod +x it, and use it at startup to
# enable filtering and masquerading
Now everything should work fine. If it doesn't, check the logs and see what packets are blocked, then modify or add rules.
This is *not* a tutorial. Check out for tutorials on Google. There are quite a few. I'd write another one but I'm not sure if there's any room left for it...
I should tell you that I learned how to use iptables *only* from the man page. If you know how TCP/IP works and read the iptables man page, then you shouldn't have any problems.
I suspect that you have problems with TCP/IP also. Maybe you should read about it before starting with iptables.
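The same service/WAN/LAN table turned into a generator, as an added example that is not the poster's script: it takes the rows of the table and emits an iptables-restore ruleset in which the order is fixed once (loopback and anti-spoofing first, then connection tracking, one rule per service and side, a rate-limited LOG last, then COMMIT), so adding a service means adding a row rather than editing rule order by hand. The interface names, the 192.168.1.0/24 network and the service rows are assumptions taken from the post above; the REJECT with a TCP reset for LAN clients on https follows the post's reasoning about not making clients wait for a timeout.

```python
"""Build an iptables-restore ruleset from a service/WAN/LAN table like the one
in the post above.  Added example; not the poster's script.  Interface names,
the local network and the service rows are assumptions taken from that post."""

# One row per listening socket: (name, proto, port, from_wan, from_lan)
SERVICES = [
    ("mail",   "tcp", 25,  True,  True),
    ("domain", "tcp", 53,  True,  True),
    ("domain", "udp", 53,  True,  True),
    ("http",   "tcp", 80,  True,  True),
    ("https",  "tcp", 443, True,  False),
    ("time",   "udp", 123, False, True),
]


def build_ruleset(services, localnet="192.168.1.0/24", wan_if="eth0", lan_if="eth1",
                  masquerade=True):
    """Return iptables-restore text.  The order is decided here once: loopback,
    anti-spoofing, connection tracking, one rule per (service, side), LOG last."""
    out = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
           "-A INPUT -i lo -j ACCEPT",
           # a packet with a LAN source address must never arrive on the WAN side
           f"-A INPUT -i {wan_if} -s {localnet} -j DROP",
           "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
           "-A INPUT -m state --state INVALID -j DROP"]
    for name, proto, port, wan, lan in services:
        new = f"-p {proto} --dport {port} -m state --state NEW"
        tag = f'-m comment --comment "{name}/{proto}/{port}"'   # visible in iptables -L
        if wan and lan:
            out.append(f"-A INPUT {new} {tag} -j ACCEPT")
        elif wan:
            out.append(f"-A INPUT -i {wan_if} {new} {tag} -j ACCEPT")
            # refuse LAN clients explicitly so they fail at once instead of timing out
            why = "tcp-reset" if proto == "tcp" else "icmp-port-unreachable"
            out.append(f"-A INPUT -i {lan_if} -s {localnet} -p {proto} --dport {port} "
                       f"-j REJECT --reject-with {why}")
        elif lan:
            out.append(f"-A INPUT -i {lan_if} -s {localnet} {new} {tag} -j ACCEPT")
        # reachable from neither side: no rule, the DROP policy covers it
    out.append('-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "')
    out += ["-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
            f"-A FORWARD -i {wan_if} -s {localnet} -j DROP",
            f"-A FORWARD -i {lan_if} -o {wan_if} -s {localnet} -j ACCEPT",
            '-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD drop: "',
            "COMMIT"]
    if masquerade:
        out += ["*nat", ":PREROUTING ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]",
                ":OUTPUT ACCEPT [0:0]",
                f"-A POSTROUTING -s {localnet} -o {wan_if} -j MASQUERADE", "COMMIT"]
    return "\n".join(out) + "\n"


def input_rules(ruleset):
    """The INPUT chain in order, handy for checking what landed where."""
    return [line for line in ruleset.splitlines() if line.startswith("-A INPUT")]


if __name__ == "__main__":
    print(build_ruleset(SERVICES), end="")
```

Write the output to a file and load it with `iptables-restore < rules.txt`, after saving the current rules with `iptables-save` and, the first time, from the console rather than over the network. The OUTPUT chain is left at ACCEPT as in the post, and nothing takes effect until the COMMIT line at the end of each table.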

iptables problem
2006-12-20 17:15:33
Quoting Lord of Gore <lordofgore@logsoftgrup.ro>:
[ deleted some good advice ]
Actually, if you look into his rules, he was configuring the system to allow outgoing connections to a limited set of services, and to accept incoming connections only on port 25 (SMTP). The system also seems to be a DHCP client. Or at least that was the way he attempted to construct his firewall rules. Unless he got everything totally messed up.
Something like this. Again, not a tutorial, just an example that could be closed down a bit more than it is now.
# define filter table and set default policy to DROP in all chains
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# some generic stuff, no need to go wild with RELATED
-A INPUT -m state --state ESTABLISHED -j ACCEPT

# this could be closed down a bit to allow only unreachable and ttl exceeded
-A INPUT -p icmp -m state --state RELATED -j ACCEPT

# smtp service running on this host
-A INPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT

# accept DHCP replies, assuming IP address of DHCP server is known
# and we always get address on fixed network. replace dhcp-server-ip
# and local-network with appropriate IP addresses
-A INPUT -p udp --sport 67 --dport 68 -s dhcp-server-ip -d local-network -j ACCEPT

# log
-A INPUT -j LOG --log-prefix "INPUT "

# unless this host is router, no rules in FORWARD chain
# other than logging
-A FORWARD -j LOG --log-prefix "FORWARD "

# again some generic stuff
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state RELATED -j ACCEPT

# allow this host to access these services, and nothing else
-A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT

# Allow this system to request and renew its IP address, this
# could be closed down a bit more, but not much gain in doing it
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT

# log the rest
-A OUTPUT -j LOG --log-prefix "OUTPUT "

# iptables-restore applies nothing until the table is committed
COMMIT

iptables problem
2006-12-20 17:15:08
On 12/20/06, tamer amr <tamer_linux@yahoo.com> wrote:
> Hi, I want to check the errors and the recommendations in my iptables rules.
>
> Here it is:
[snip]
u make me want touch head hard to desk many many times over and over
Seriously, I can feel my IQ dropping just reading through this stuff...
--
Jeremy L. Gaddis, MCP, GCWN
http://www.linuxwiz.net/

iptables problem
2006-12-20 23:22:22
Aleksandar Milivojevic wrote:
> Quoting Lord of Gore <lordofgore@logsoftgrup.ro>:
>
> [ deleted some good advice ]
>
> Actually, if you look into his rules, he was configuring the system to allow outgoing connections to a limited set of services, and to accept incoming connections only on port 25 (SMTP). The system also seems to be a DHCP client. Or at least that was the way he attempted to construct his firewall rules. Unless he got everything totally messed up.
>
> Something like this. Again, not a tutorial, just an example that could be closed down a bit more than it is now.
>
> # define filter table and set default policy to DROP in all chains
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
>
> # some generic stuff, no need to go wild with RELATED
> -A INPUT -m state --state ESTABLISHED -j ACCEPT
I knew I had to forget something ^
>
> # this could be closed down a bit to allow only unreachable and ttl exceeded
> -A INPUT -p icmp -m state --state RELATED -j ACCEPT
>
> # smtp service running on this host
> -A INPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
>
> # accept DHCP replies, assuming IP address of DHCP server is known
> # and we always get address on fixed network. replace dhcp-server-ip
> # and local-network with appropriate IP addresses
> -A INPUT -p udp --sport 67 --dport 68 -s dhcp-server-ip -d local-network -j ACCEPT
>
> # log
> -A INPUT -j LOG --log-prefix "INPUT "
>
> # unless this host is router, no rules in FORWARD chain
> # other than logging
> -A FORWARD -j LOG --log-prefix "FORWARD "
>
> # again some generic stuff
> -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
> -A OUTPUT -p icmp -m state --state RELATED -j ACCEPT
>
> # allow this host to access these services, and nothing else
> -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
> -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
> -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
> -A OUTPUT -p tcp --dport 53 --syn -m state --state NEW -j ACCEPT
> -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
>
> # Allow this system to request and renew its IP address, this
> # could be closed down a bit more, but not much gain in doing it
> -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
>
> # log the rest
> -A OUTPUT -j LOG --log-prefix "OUTPUT "
> COMMIT
Yes, this should be stricter and more complete. I just wanted to make him understand how he should be thinking while developing some rules.
Mr Tamer, you have good friends on this list (<joke>of course you might have made enemies also, but you should see the glass as half full</joke>).

iptables problem
2006-12-21 04:55:10
Gaddis, Jeremy L. wrote:
> On 12/20/06, tamer amr <tamer_linux@yahoo.com> wrote:
>> Hi, I want to check the errors and the recommendations in my iptables rules.
>>
>> Here it is:
>
> [snip]
>
> u make me want touch head hard to desk many many times over and over
>
> Seriously, I can feel my IQ dropping just reading through this stuff...
>
Thanks for this question, it is refreshing my memory about iptables. I forgot how to write my own iptables script since they released system-config-securitylevel.