LinuxQuestions.org, Linux - Networking: Help me to apply a few iptables rules (http://www.linuxquestions.org/questions/linux-networking-3/help-me-to-apply-a-few-iptables-rules-4175446933/)

moby@root 01-23-2013 02:15 PM

Help me to apply a few iptables rules
 
Hey,
I am running a Linux router that provides internet access for its users. That means all traffic is being sent/received through this router machine and I need to apply some iptables rules to block/ratelimit ports like 25 (SMTP) to prevent spamming, IP and port scanning, DoS/DDoS attacks, SSH brute force attacks, etc.

I have made a checklist containing useful iptables rules to make these filters, but when I apply them, they do not work properly.

The first rule is to block SMTP traffic.

Server:
Code:

root@GeneralVPS:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere

root@GeneralVPS:~# iptables -A FORWARD -i eth0 -p tcp --dport 25 -j REJECT

root@GeneralVPS:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere
REJECT    tcp  --  anywhere            anywhere            tcp dpt:smtp reject-with icmp-port-unreachable
root@GeneralVPS:~#

After applying this rule, clients still can connect to any mail server on port 25 without any problem!

Client:
Code:

C:\nc>nc mail.linuxquestions.org 25
220 sql02.linuxquestions.org ESMTP Sendmail 8.13.8/8.13.8; Wed, 23 Jan 2013 14:06:40 -0500
HELP
214-2.0.0 This is sendmail
214-2.0.0 Topics:
214-2.0.0      HELO    EHLO    MAIL    RCPT    DATA
214-2.0.0      RSET    NOOP    QUIT    HELP    VRFY
214-2.0.0      EXPN    VERB    ETRN    DSN    AUTH
214-2.0.0      STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0      http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
QUIT
221 2.0.0 sql02.linuxquestions.org closing connection

C:\nc>


To make sure the client traffic is passing through the configured Linux router I did a traceroute:

Code:

C:\nc>tracert mail.linuxquestions.org

Tracing route to smtp.linuxquestions.org [208.101.3.244]
over a maximum of 30 hops:

  1  352 ms  350 ms  352 ms  10.8.0.1
  2  348 ms  350 ms  350 ms  node21.buyvm.net [205.185.xxx.xxx]
  3    *      351 ms  352 ms  10.1.1.1
  4  364 ms  354 ms  364 ms  10gigabitethernet3-2.core1.las1.he.net [64.62.249.89]
  5  362 ms  369 ms  359 ms  10gigabitethernet3-2.core1.lax2.he.net [184.105.222.161]
  6  362 ms    *      357 ms  te2-6.bbr01.cs01.lax01.networklayer.com.any2ix.coresite.com [206.223.143.131]
  7  485 ms    *        *    ae19.bbr01.eq01.dal03.networklayer.com [173.192.18.140]
  8  433 ms  435 ms  432 ms  ae0.dar02.sr01.dal01.networklayer.com [173.192.18.253]
  9    *      417 ms  419 ms  po2.fcr01.sr01.dal01.networklayer.com [66.228.118.158]
 10  422 ms  425 ms  427 ms  smtp.linuxquestions.org [208.101.3.244]

Trace complete.


Do you know what the problem is?


The router machine has one ethernet card with a routable IP address, and clients connect to this machine using the pptp service.

jschiwal 01-26-2013 03:08 AM

Could you double check that eth0 is the Internet facing nic device?

moby@root 01-26-2013 05:13 PM

Quote:

Originally Posted by jschiwal (Post 4877818)
Could you double check that eth0 is the Internet facing nic device?

Hi jschiwal,
Thank you for the reply. The server and client I am testing this issue on both have only one ethernet card. There is no way that traffic could pass through another link.

hamlindsza 01-31-2013 10:58 AM

Hi, the problem seems to be in the placement of your iptables rules:

Quote:

root@GeneralVPS:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
iptables will see the packets from top to bottom; the first two rules say ACCEPT from any to any.

Place your rule above the ACCEPT rule with the -I option, so the syntax would be:

Code:

iptables -I FORWARD -i eth0 -p tcp --dport 25 -j REJECT

KinnowGrower 01-31-2013 11:03 PM

Quote:

Originally Posted by hamlindsza (Post 4881430)
Hi, the problem seems to be in the placement of your iptables rules:

iptables will see the packets from top to bottom; the first two rules say ACCEPT from any to any.

Place your rule above the ACCEPT rule with the -I option, so the syntax would be:

Code:

iptables -I FORWARD -i eth0 -p tcp --dport 25 -j REJECT

If eth0 is the internet-facing NIC then I think the correct rule would be
Quote:

iptables -I FORWARD -o eth0 -p tcp --dport 25 -j REJECT
Please try it and let us know.

thanks

hamlindsza 02-01-2013 01:23 AM

Quote:

If eth0 is the internet-facing NIC then I think the correct rule would be
Quote:
iptables -I FORWARD -o eth0 -p tcp --dport 25 -j REJECT
Ideally this would be right, but since the server has only 1 NIC it wouldn't matter.

Quote:

Thank you for the reply. The server and client I am testing this issue on both have only one ethernet card.

moby@root 02-01-2013 05:16 AM

Thank you guys,
I tried with both the -i and -o options, but clients can still connect to remote SMTP servers. :confused:

Server:
Code:

root@GeneralVPS:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target    prot opt source              destination
REJECT    tcp  --  anywhere            anywhere            tcp dpt:smtp reject-with icmp-port-unreachable
TCPMSS    tcp  --  anywhere            anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
REJECT    tcp  --  anywhere            anywhere            tcp dpt:smtp reject-with icmp-port-unreachable
ACCEPT    all  --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere


Client:
Code:

C:\nc>nc mail.linuxquestions.org 25
220 sql02.linuxquestions.org ESMTP Sendmail 8.13.8/8.13.8; Fri, 1 Feb 2013 05:14:39 -0500
HELP
214-2.0.0 This is sendmail
214-2.0.0 Topics:
214-2.0.0      HELO    EHLO    MAIL    RCPT    DATA
214-2.0.0      RSET    NOOP    QUIT    HELP    VRFY
214-2.0.0      EXPN    VERB    ETRN    DSN    AUTH
214-2.0.0      STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0      http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
QUIT
221 2.0.0 sql02.linuxquestions.org closing connection


hamlindsza 02-01-2013 05:42 AM

Please post the output of: iptables -nvL

moby@root 02-03-2013 12:33 AM

Finally got it to work!
Actually it didn't work on my OpenVZ VPS. I don't know why, but I know there are some differences between virtualizations. I tried your iptables commands on an ESXi VPS and it (the one with the -o eth0 option) works perfectly well now.

This is the output for "iptables -nvL" on my OpenVZ VPS.

Code:

root@GeneralVPS:~# iptables -nvL
Chain INPUT (policy ACCEPT 42 packets, 5093 bytes)
 pkts bytes target    prot opt in    out    source              destination
  29  2800 ACCEPT    tcp  --  venet0 *      0.0.0.0/0            0.0.0.0/0          tcp dpt:1723
  251 30225 ACCEPT    47  --  venet0 *      0.0.0.0/0            0.0.0.0/0
    0    0 ACCEPT    tcp  --  venet0 *      0.0.0.0/0            0.0.0.0/0          tcp dpt:4334
    0    0 ACCEPT    47  --  venet0 *      0.0.0.0/0            0.0.0.0/0
    0    0 ACCEPT    all  --  tun+  *      0.0.0.0/0            0.0.0.0/0
    0    0 ACCEPT    udp  --  eth0  *      0.0.0.0/0            0.0.0.0/0          udp dpt:4334

Chain FORWARD (policy ACCEPT 9 packets, 360 bytes)
 pkts bytes target    prot opt in    out    source              destination
    7  344 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0    0 REJECT    tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0          tcp dpt:25 reject-with icmp-port-unreachable
  19  932 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0    0 REJECT    tcp  --  eth0  *      0.0.0.0/0            0.0.0.0/0          tcp dpt:25 reject-with icmp-port-unreachable
  109 10661 ACCEPT    all  --  ppp+  venet0  0.0.0.0/0            0.0.0.0/0
  51 13085 ACCEPT    all  --  venet0 ppp+    0.0.0.0/0            0.0.0.0/0
    0    0 ACCEPT    all  --  ppp+  venet0  0.0.0.0/0            0.0.0.0/0
    0    0 ACCEPT    all  --  venet0 ppp+    0.0.0.0/0            0.0.0.0/0
    0    0 ACCEPT    all  --  tun+  *      0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6 packets, 982 bytes)
 pkts bytes target    prot opt in    out    source              destination
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:1723
  204 16856 ACCEPT    47  --  *      *      0.0.0.0/0            0.0.0.0/0
    6  394 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:4334
    0    0 ACCEPT    47  --  *      *      0.0.0.0/0            0.0.0.0/0


It would be great if I could do this on OpenVZ as well.
Thank you.
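As an added example (not code from this thread), here is a small Python model of how iptables walks the FORWARD chain posted above: first matching terminating target wins, which is also why hamlindsza's point about appending REJECT below ACCEPT rules matters. It assumes, from the counters in the posted output (0 pkts on both REJECT rules, traffic only on the ppp+/venet0 ACCEPT rules), that on the OpenVZ container client traffic enters on a ppp interface and leaves on venet0, so a rule written for eth0 never matches; the sample packet and the venet0 rewrite are constructed.

```python
import re

# Constructed sample: the OpenVZ FORWARD chain as posted above (pkts/bytes columns dropped).
OPENVZ_FORWARD = """\
TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
REJECT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 reject-with icmp-port-unreachable
TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
REJECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 reject-with icmp-port-unreachable
ACCEPT all -- ppp+ venet0 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- venet0 ppp+ 0.0.0.0/0 0.0.0.0/0
"""

def parse_chain(text):
    """Parse `iptables -L`-style rule lines into dicts (target, proto, in, out, dport)."""
    rules = []
    for line in text.splitlines():
        target, proto, _opt, inif, outif, _src, _dst, *extra = line.split()
        m = re.search(r"dpt:(\d+)", " ".join(extra))
        rules.append({"target": target, "proto": proto, "in": inif,
                      "out": outif, "dport": int(m.group(1)) if m else None})
    return rules

def iface_match(pattern, name):
    """'*' matches any interface; a trailing '+' is a prefix wildcard (ppp+ matches ppp0)."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern in ("*", name)

def first_verdict(rules, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; first terminating target wins (TCPMSS is non-terminating)."""
    for r in rules:
        if r["proto"] not in ("all", pkt["proto"]):
            continue
        if not (iface_match(r["in"], pkt["in"]) and iface_match(r["out"], pkt["out"])):
            continue
        if r["dport"] is not None and r["dport"] != pkt["dport"]:
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
    return policy  # chain policy applies when no rule terminated the walk

# Constructed packet: PPTP client on ppp0 opening a connection to a remote SMTP server.
SMTP_FROM_CLIENT = {"proto": "tcp", "in": "ppp0", "out": "venet0", "dport": 25}

def verdict_as_posted():
    """Neither REJECT rule names venet0/ppp+, so the ACCEPT ppp+ -> venet0 rule wins."""
    return first_verdict(parse_chain(OPENVZ_FORWARD), SMTP_FROM_CLIENT)
def verdict_with_venet0_rule():
    """Same chain, but the '-o eth0' REJECT rewritten as '-o venet0' (assumed real uplink)."""
    fixed = OPENVZ_FORWARD.replace("* eth0", "* venet0")
    return first_verdict(parse_chain(fixed), SMTP_FROM_CLIENT)
```

On a real box the equivalent check is the pkts column of `iptables -nvL`: a REJECT rule whose counter stays at 0 while the ACCEPT rules below it count traffic is not matching the interface the traffic actually uses.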

KinnowGrower 02-04-2013 07:17 PM

On the FORWARD chain there is a rule before the SMTP reject rule. That may be allowing it to pass through the firewall.
Quote:

Chain FORWARD (policy ACCEPT 9 packets, 360 bytes)
pkts bytes target prot opt in out source destination
7 344 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 REJECT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 reject-with icmp-port-unreachable
Just to let you know: the best practice for the firewall is a default deny policy on the INPUT, OUTPUT and FORWARD chains, and then ONLY allow the traffic you want to allow. This way you know what you want IN/OUT/FORWARD, and if you don't have a rule for something it will automatically be DROPped.


Just curious to know are you running container or Virtual machine?

moby@root 02-08-2013 01:46 PM

I could revise my iptables checklist and block SMTP and rate-limit FTP and SSH connections with your help. The only thing left is to block BitTorrent traffic.

I tried to use the l7-filter-userspace package, but its manual is vague to me and there is no clear and complete guide about how someone can use it. I would be thankful if you would share your solution for blocking torrent traffic.


Quote:

Originally Posted by KinnowGrower (Post 4884450)
On the FORWARD chain there is a rule before the SMTP reject rule. That may be allowing it to pass through the firewall.

Just to let you know: the best practice for the firewall is a default deny policy on the INPUT, OUTPUT and FORWARD chains, and then ONLY allow the traffic you want to allow. This way you know what you want IN/OUT/FORWARD, and if you don't have a rule for something it will automatically be DROPped.

Just curious to know, are you running a container or a virtual machine?

Thank you. The server is a virtual machine. Blocking all ports by default and opening a few of them manually can be a good choice when the server is dedicated to specific services like HTTP or SQL, but I can do that on a router machine.

