LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 01-23-2013, 01:15 PM   #1
moby@root
LQ Newbie
 
Registered: Sep 2010
Posts: 21

Rep: Reputation: 0
Help me to apply a few iptables rules


Hey,
I am running a Linux router that provides internet access for it's users. That means all traffic is being sent/received through this router machine and I need to apply some iptable rules to block/ratelimit ports like 25 (SMTP) to prevent spamming, ip and port scanning, DoS /DDoS attacks, SSH brute force attacks, etc.

I have made a check list containing useful iptables rules to make this filters but when I apply them, they do not work properly.

The first rule is to block SMTP traffic.

Server:
Code:
root@GeneralVPS:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

root@GeneralVPS:~# iptables -A FORWARD -i eth0 -p tcp --dport 25 -j REJECT

root@GeneralVPS:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            tcp dpt:smtp reject-with icmp-port-unreachable
root@GeneralVPS:~#
After applying this rule, clients still can connect to any mail server on port 25 without any problem!

Client:
Code:
C:\nc>nc mail.linuxquestions.org 25
220 sql02.linuxquestions.org ESMTP Sendmail 8.13.8/8.13.8; Wed, 23 Jan 2013 14:0
6:40 -0500
HELP
214-2.0.0 This is sendmail
214-2.0.0 Topics:
214-2.0.0       HELO    EHLO    MAIL    RCPT    DATA
214-2.0.0       RSET    NOOP    QUIT    HELP    VRFY
214-2.0.0       EXPN    VERB    ETRN    DSN     AUTH
214-2.0.0       STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0       http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
QUIT
221 2.0.0 sql02.linuxquestions.org closing connection

C:\nc>

To make sure the client traffic is passing through the configured linux router I did a trace route:

Code:
C:\nc>tracert mail.linuxquestions.org

Tracing route to smtp.linuxquestions.org [208.101.3.244]
over a maximum of 30 hops:

  1   352 ms   350 ms   352 ms  10.8.0.1
  2   348 ms   350 ms   350 ms  node21.buyvm.net [205.185.xxx.xxx]
  3     *      351 ms   352 ms  10.1.1.1
  4   364 ms   354 ms   364 ms  10gigabitethernet3-2.core1.las1.he.net [64.62.24
9.89]
  5   362 ms   369 ms   359 ms  10gigabitethernet3-2.core1.lax2.he.net [184.105.
222.161]
  6   362 ms     *      357 ms  te2-6.bbr01.cs01.lax01.networklayer.com.any2ix.c
oresite.com [206.223.143.131]
  7   485 ms     *        *     ae19.bbr01.eq01.dal03.networklayer.com [173.192.
18.140]
  8   433 ms   435 ms   432 ms  ae0.dar02.sr01.dal01.networklayer.com [173.192.1
8.253]
  9     *      417 ms   419 ms  po2.fcr01.sr01.dal01.networklayer.com [66.228.11
8.158]
 10   422 ms   425 ms   427 ms  smtp.linuxquestions.org [208.101.3.244]

Trace complete.

Do you know what the problem is?


Router machine has one ethernet card with a routeable IP address and clients connect to this machine using pptp service.
 
Old 01-26-2013, 02:08 AM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
Could you double check that eth0 is the Internet facing nic device?

Last edited by jschiwal; 01-26-2013 at 02:16 AM.
 
Old 01-26-2013, 04:13 PM   #3
moby@root
LQ Newbie
 
Registered: Sep 2010
Posts: 21

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jschiwal View Post
Could you double check that eth0 is the Internet facing nic device?
Hi jschiwal,
Thank you for the reply. The server and client I am testing this issue on both have only one ethernet card. There is no way that traffic could pass through another link.
 
Old 01-31-2013, 09:58 AM   #4
hamlindsza
Member
 
Registered: Aug 2012
Distribution: Debian, CentOS
Posts: 74

Rep: Reputation: Disabled
Hi, The problem seems to be in the placement of your iptables rules:

Quote:
root@GeneralVPS:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
iptables will see the packets from top to bottow, the first two rules say ACCEPT from any to any.

Place your rule above the ACCEPT rule with the -I option, so the syntax would be:

Code:
iptables -I FORWARD -i eth0 -p tcp --dport 25 -j REJECT
 
Old 01-31-2013, 10:03 PM   #5
KinnowGrower
Member
 
Registered: May 2008
Location: Toronto
Distribution: Centos && Debian
Posts: 341

Rep: Reputation: 34
Quote:
Originally Posted by hamlindsza View Post
Hi, The problem seems to be in the placement of your iptables rules:



iptables will see the packets from top to bottow, the first two rules say ACCEPT from any to any.

Place your rule above the ACCEPT rule with the -I option, so the syntax would be:

Code:
iptables -I FORWARD -i eth0 -p tcp --dport 25 -j REJECT

If the eth0 is internet facing NIC then I think the correct rule would be
Quote:
iptables -I FORWARD -o eth0 -p tcp --dport 25 -j REJECT
Please try and let us know

thanks
 
1 members found this post helpful.
Old 02-01-2013, 12:23 AM   #6
hamlindsza
Member
 
Registered: Aug 2012
Distribution: Debian, CentOS
Posts: 74

Rep: Reputation: Disabled
Quote:
If the eth0 is internet facing NIC then I think the correct rule would be
Quote:
iptables -I FORWARD -o eth0 -p tcp --dport 25 -j REJECT
Ideally this would be right, but since the server has only 1 NIC it wouldn't matter.

Quote:
Thank you for the reply. The server and client I am testing this issue on both have only one ethernet card.
 
Old 02-01-2013, 04:16 AM   #7
moby@root
LQ Newbie
 
Registered: Sep 2010
Posts: 21

Original Poster
Rep: Reputation: 0
Thank you guys,
tried with both -i and -o options, but clients can still connect to remote SMTP servers.

Server:
Code:
root@GeneralVPS:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            tcp dpt:smtp reject-with icmp-port-unreachable
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
REJECT     tcp  --  anywhere             anywhere            tcp dpt:smtp reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Client:
Code:
C:\nc>nc mail.linuxquestions.org 25
220 sql02.linuxquestions.org ESMTP Sendmail 8.13.8/8.13.8; Fri, 1 Feb 2013 05:14
:39 -0500
HELP
214-2.0.0 This is sendmail
214-2.0.0 Topics:
214-2.0.0       HELO    EHLO    MAIL    RCPT    DATA
214-2.0.0       RSET    NOOP    QUIT    HELP    VRFY
214-2.0.0       EXPN    VERB    ETRN    DSN     AUTH
214-2.0.0       STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0       http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
QUIT
221 2.0.0 sql02.linuxquestions.org closing connection

Last edited by moby@root; 02-01-2013 at 04:18 AM.
 
Old 02-01-2013, 04:42 AM   #8
hamlindsza
Member
 
Registered: Aug 2012
Distribution: Debian, CentOS
Posts: 74

Rep: Reputation: Disabled
Plz post the output of: iptables -nvL
 
1 members found this post helpful.
Old 02-02-2013, 11:33 PM   #9
moby@root
LQ Newbie
 
Registered: Sep 2010
Posts: 21

Original Poster
Rep: Reputation: 0
Finally got it to work!
Actually it didn't work on my OpenVZ VPS, I don't know why but I know there are some differences between different virtualizations. I tried your iptables commands on an ESXI VPS and it works (the one with -o eth0 option) perfectly well now.

This is the output for "iptables -nvL" on my OpenVZ VPS.

Code:
root@GeneralVPS:~# iptables -nvL
Chain INPUT (policy ACCEPT 42 packets, 5093 bytes)
 pkts bytes target     prot opt in     out     source               destination
   29  2800 ACCEPT     tcp  --  venet0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
  251 30225 ACCEPT     47   --  venet0 *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  venet0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4334
    0     0 ACCEPT     47   --  venet0 *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:4334

Chain FORWARD (policy ACCEPT 9 packets, 360 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   344 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 REJECT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp dpt:25 reject-with icmp-port-unreachable
   19   932 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 REJECT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 reject-with icmp-port-unreachable
  109 10661 ACCEPT     all  --  ppp+   venet0  0.0.0.0/0            0.0.0.0/0
   51 13085 ACCEPT     all  --  venet0 ppp+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ppp+   venet0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  venet0 ppp+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6 packets, 982 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
  204 16856 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    6   394 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4334
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0

It would be great if I can do this on OpenVZ either.
Thank You.
 
Old 02-04-2013, 06:17 PM   #10
KinnowGrower
Member
 
Registered: May 2008
Location: Toronto
Distribution: Centos && Debian
Posts: 341

Rep: Reputation: 34
On the forward chain there is rule before the SMTP reject rule. That may be allowing it pass through the fire wall.
Quote:
Chain FORWARD (policy ACCEPT 9 packets, 360 bytes)
pkts bytes target prot opt in out source destination
7 344 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 REJECT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 reject-with icmp-port-unreachable
Just let you know. The best practice for the firewall is Default deny policy on INPUT, OUTPUT and FORWARD Chains and then ONLY allow the traffic you want to allow. This way you know what you want IN/OUT/FORWARD and if you dont have rule that will automatically be DROPed


Just curious to know are you running container or Virtual machine?
 
Old 02-08-2013, 12:46 PM   #11
moby@root
LQ Newbie
 
Registered: Sep 2010
Posts: 21

Original Poster
Rep: Reputation: 0
I could revise my iptables checklist and block SMTP and rate limite FTP and SSH connections with your help. The only thing left is to block bittorrent traffic.

I tried to use l7-filter-userspace package but it's manual is vague to me and there is not a clear and complete guide about how someone can use it. I would be thankful if you share your solution for blocking torrent traffic.


Quote:
Originally Posted by KinnowGrower View Post
On the forward chain there is rule before the SMTP reject rule. That may be allowing it pass through the fire wall.


Just let you know. The best practice for the firewall is Default deny policy on INPUT, OUTPUT and FORWARD Chains and then ONLY allow the traffic you want to allow. This way you know what you want IN/OUT/FORWARD and if you dont have rule that will automatically be DROPed


Just curious to know are you running container or Virtual machine?
Thank you. The server is a virtual machine. Blocking all ports by default and opening a few of them manually can be a good choice when the server is dedicated for a specific services like HTTP or SQL but I can do that on a router machine.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Can't APPLY Iptables rules lordbux Linux - Networking 1 05-22-2011 07:25 AM
IPTABLES Apply Certain Rules to Certain Mac Addresses weboy Linux - Security 6 07-17-2010 09:12 AM
[SOLVED] udev rules to automatically apply 666 permission linuxmandrake Linux - Newbie 2 04-03-2010 03:31 AM
iptables doesn't seem to apply new rules to already open TCP connections Ahmed_Baghdad Linux - Networking 2 09-27-2007 02:06 AM
Ximian Evolution wont apply rules/filters!! newbie2002 Linux - General 2 12-05-2002 10:50 PM


All times are GMT -5. The time now is 04:40 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration