Linux - Networking
#1  01-23-2013, 01:15 PM
LQ Newbie, Registered: Sep 2010, Posts: 21
Help me to apply a few iptables rules
Hey,
I am running a Linux router that provides internet access for its users. That means all traffic is sent/received through this router machine, and I need to apply some iptables rules to block/rate-limit ports like 25 (SMTP) to prevent spamming, IP and port scanning, DoS/DDoS attacks, SSH brute-force attacks, etc.
I have made a checklist containing useful iptables rules to build these filters, but when I apply them, they do not work properly.
The first rule is to block SMTP traffic.
Server:
Code:
root@GeneralVPS:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
root@GeneralVPS:~# iptables -A FORWARD -i eth0 -p tcp --dport 25 -j REJECT
root@GeneralVPS:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
root@GeneralVPS:~#
After applying this rule, clients can still connect to any mail server on port 25 without any problem!
Client:
Code:
C:\nc>nc mail.linuxquestions.org 25
220 sql02.linuxquestions.org ESMTP Sendmail 8.13.8/8.13.8; Wed, 23 Jan 2013 14:06:40 -0500
HELP
214-2.0.0 This is sendmail
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0 http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
QUIT
221 2.0.0 sql02.linuxquestions.org closing connection
C:\nc>
To make sure the client traffic is passing through the configured linux router I did a trace route:
Code:
C:\nc>tracert mail.linuxquestions.org
Tracing route to smtp.linuxquestions.org [208.101.3.244]
over a maximum of 30 hops:
1 352 ms 350 ms 352 ms 10.8.0.1
2 348 ms 350 ms 350 ms node21.buyvm.net [205.185.xxx.xxx]
3 * 351 ms 352 ms 10.1.1.1
4 364 ms 354 ms 364 ms 10gigabitethernet3-2.core1.las1.he.net [64.62.249.89]
5 362 ms 369 ms 359 ms 10gigabitethernet3-2.core1.lax2.he.net [184.105.222.161]
6 362 ms * 357 ms te2-6.bbr01.cs01.lax01.networklayer.com.any2ix.coresite.com [206.223.143.131]
7 485 ms * * ae19.bbr01.eq01.dal03.networklayer.com [173.192.18.140]
8 433 ms 435 ms 432 ms ae0.dar02.sr01.dal01.networklayer.com [173.192.18.253]
9 * 417 ms 419 ms po2.fcr01.sr01.dal01.networklayer.com [66.228.118.158]
10 422 ms 425 ms 427 ms smtp.linuxquestions.org [208.101.3.244]
Trace complete.
Do you know what the problem is?
The router machine has one ethernet card with a routable IP address, and clients connect to this machine using the pptp service.
#2  01-26-2013, 02:08 AM
Moderator (jschiwal), Registered: Aug 2001, Location: Fargo, ND, Distribution: SuSE AMD64, Posts: 15,733
Could you double check that eth0 is the Internet facing nic device?
Last edited by jschiwal; 01-26-2013 at 02:16 AM.
#3  01-26-2013, 04:13 PM
LQ Newbie (Original Poster), Registered: Sep 2010, Posts: 21
Quote (Originally Posted by jschiwal):
Could you double check that eth0 is the Internet facing nic device?
Hi jschiwal,
Thank you for the reply. The server and client I am testing this issue on both have only one ethernet card. There is no way that traffic could pass through another link.
#4  01-31-2013, 09:58 AM
Member (hamlindsza), Registered: Aug 2012, Distribution: Debian, CentOS, Posts: 71
Hi, The problem seems to be in the placement of your iptables rules:
Quote:
root@GeneralVPS:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
iptables will see the packets from top to bottom; the first two rules say ACCEPT from any to any.
Place your rule above the ACCEPT rule with the -I option, so the syntax would be:
Code:
iptables -I FORWARD -i eth0 -p tcp --dport 25 -j REJECT
#5  01-31-2013, 10:03 PM
Member (KinnowGrower), Registered: May 2008, Location: Toronto, Distribution: Centos && Debian, Posts: 331
Quote (Originally Posted by hamlindsza):
Hi, The problem seems to be in the placement of your iptables rules:
iptables will see the packets from top to bottom; the first two rules say ACCEPT from any to any.
Place your rule above the ACCEPT rule with the -I option, so the syntax would be:
Code:
iptables -I FORWARD -i eth0 -p tcp --dport 25 -j REJECT
If eth0 is the internet-facing NIC, then I think the correct rule would be:
Code:
iptables -I FORWARD -o eth0 -p tcp --dport 25 -j REJECT
Please try it and let us know.
Thanks
#6  02-01-2013, 12:23 AM
Member (hamlindsza), Registered: Aug 2012, Distribution: Debian, CentOS, Posts: 71
Quote:
If eth0 is the internet-facing NIC, then I think the correct rule would be:
Code:
iptables -I FORWARD -o eth0 -p tcp --dport 25 -j REJECT

Ideally this would be right, but since the server has only 1 NIC it wouldn't matter.
Quote:
Thank you for the reply. The server and client I am testing this issue on both have only one ethernet card.
#7  02-01-2013, 04:16 AM
LQ Newbie (Original Poster), Registered: Sep 2010, Posts: 21
Thank you guys,
I tried with both the -i and -o options, but clients can still connect to remote SMTP servers.
Server:
Code:
root@GeneralVPS:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Client:
Code:
C:\nc>nc mail.linuxquestions.org 25
220 sql02.linuxquestions.org ESMTP Sendmail 8.13.8/8.13.8; Fri, 1 Feb 2013 05:14:39 -0500
HELP
214-2.0.0 This is sendmail
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0 http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
QUIT
221 2.0.0 sql02.linuxquestions.org closing connection
Last edited by moby@root; 02-01-2013 at 04:18 AM.
#8  02-01-2013, 04:42 AM
Member (hamlindsza), Registered: Aug 2012, Distribution: Debian, CentOS, Posts: 71
Please post the output of: iptables -nvL
#9  02-02-2013, 11:33 PM
LQ Newbie (Original Poster), Registered: Sep 2010, Posts: 21
|
Finally got it to work!
Actually, it didn't work on my OpenVZ VPS; I don't know why, but I know there are some differences between virtualizations. I tried your iptables commands on an ESXi VPS and it (the one with the -o eth0 option) works perfectly well now.
This is the output for "iptables -nvL" on my OpenVZ VPS.
Code:
root@GeneralVPS:~# iptables -nvL
Chain INPUT (policy ACCEPT 42 packets, 5093 bytes)
pkts bytes target prot opt in out source destination
29 2800 ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
251 30225 ACCEPT 47 -- venet0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4334
0 0 ACCEPT 47 -- venet0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4334
Chain FORWARD (policy ACCEPT 9 packets, 360 bytes)
pkts bytes target prot opt in out source destination
7 344 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 REJECT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 reject-with icmp-port-unreachable
19 932 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 REJECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 reject-with icmp-port-unreachable
109 10661 ACCEPT all -- ppp+ venet0 0.0.0.0/0 0.0.0.0/0
51 13085 ACCEPT all -- venet0 ppp+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp+ venet0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- venet0 ppp+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 6 packets, 982 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
204 16856 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
6 394 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4334
0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
It would be great if I could do this on OpenVZ too.
Thank You.
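The counters in the output above already locate the fault. In the FORWARD chain both REJECT rules, the one matching `-i eth0` and the one matching `-o eth0`, show 0 packets, while the `ppp+` to `venet0` ACCEPT has 109 packets and the reverse direction 51; the only `eth0` rule in INPUT has never matched either. Inside this OpenVZ container the uplink is `venet0`, so a rule written for `eth0` matches nothing, and the later blanket ACCEPT lets SMTP through. The script below is an added example, not code from the thread: it automates that reading of `iptables -nvL` output, listing the rules in a chain that never matched, the interface pairs that actually carried traffic, and whether a given interface appears in any rule that has. The embedded sample is the FORWARD chain (and two INPUT rules) from the post above; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: read `iptables -nvL` output and show
# which rules in a chain never matched, which interface pairs carried traffic,
# and whether a named interface was ever involved in a matched rule.
# Column layout of `iptables -nvL`:
#   $1 pkts $2 bytes $3 target $4 prot $5 opt $6 in $7 out $8 src $9 dst $10.. match
# SAMPLE is the output posted in the thread (constructed excerpt), embedded so the
# script runs offline; for live use pipe `iptables -nvxL` in instead.
SAMPLE='Chain INPUT (policy ACCEPT 42 packets, 5093 bytes)
 pkts bytes target prot opt in out source destination
 29 2800 ACCEPT tcp -- venet0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4334

Chain FORWARD (policy ACCEPT 9 packets, 360 bytes)
 pkts bytes target prot opt in out source destination
 7 344 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 0 0 REJECT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 reject-with icmp-port-unreachable
 19 932 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 0 0 REJECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 reject-with icmp-port-unreachable
 109 10661 ACCEPT all -- ppp+ venet0 0.0.0.0/0 0.0.0.0/0
 51 13085 ACCEPT all -- venet0 ppp+ 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT all -- ppp+ venet0 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT all -- venet0 ppp+ 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6 packets, 982 bytes)
 pkts bytes target prot opt in out source destination
 204 16856 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0'

# Rules in chain $1 whose packet counter is 0, one per line:
# "target in=<if> out=<if> <match ...>"
zero_hit_rules() {
    awk -v chain="$1" '
        /^Chain / { cur = $2; next }                        # chain header: remember the chain
        cur != chain || NF < 9 || $1 !~ /^[0-9]+$/ { next } # other chains, column header, blanks
        $1 == 0 {
            printf "%s in=%s out=%s", $3, $6, $7
            for (i = 10; i <= NF; i++) printf " %s", $i
            printf "\n"
        }'
}

# Interface pairs in chain $1 whose rules carried packets: "in->out pkts"
busy_ifaces() {
    awk -v chain="$1" '
        /^Chain / { cur = $2; next }
        cur == chain && $1 ~ /^[0-9]+$/ && $1 > 0 { printf "%s->%s %d\n", $6, $7, $1 }'
}

# Exit 0 if interface $2 appears (in or out) in any matched rule of chain $1, else 1
iface_carries_traffic() {
    busy_ifaces "$1" | awk -v ifc="$2" '
        BEGIN { rc = 1 }
        { split($1, p, "->"); if (p[1] == ifc || p[2] == ifc) rc = 0 }
        END { exit rc }'
}

# Demo on the embedded sample
echo "== FORWARD rules that never matched =="
printf '%s\n' "$SAMPLE" | zero_hit_rules FORWARD
echo "== FORWARD interface pairs with traffic =="
printf '%s\n' "$SAMPLE" | busy_ifaces FORWARD
for ifc in eth0 venet0; do
    if printf '%s\n' "$SAMPLE" | iface_carries_traffic FORWARD "$ifc"; then
        echo "$ifc: carries forwarded traffic"
    else
        echo "$ifc: no matched FORWARD rule uses it"
    fi
done
```

On a live box run it as `iptables -nvxL | zero_hit_rules FORWARD` after generating a few test connections; `-x` prints exact counters, because without it iptables abbreviates large values (`10K`, `2M`) and the numeric checks above would skip those rows. A REJECT that stays at 0 after the test traffic, next to an ACCEPT that keeps climbing, means the match (here the interface name) is wrong, not the target.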
#10  02-04-2013, 06:17 PM
Member (KinnowGrower), Registered: May 2008, Location: Toronto, Distribution: Centos && Debian, Posts: 331
On the FORWARD chain there is a rule before the SMTP reject rule. That may be allowing it to pass through the firewall.
Quote:
Chain FORWARD (policy ACCEPT 9 packets, 360 bytes)
pkts bytes target prot opt in out source destination
7 344 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 REJECT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 reject-with icmp-port-unreachable
Just to let you know: the best practice for a firewall is a default-deny policy on the INPUT, OUTPUT and FORWARD chains, and then ONLY allow the traffic you want. This way you know what you want IN/OUT/FORWARD, and if you don't have a rule for something, it will automatically be DROPped.
Just curious to know, are you running a container or a virtual machine?
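Putting the three answers together: first match wins (post #4), so the REJECT has to sit before the ACCEPTs; a default-deny policy (post #10); and a rule that names the interface the traffic actually uses, which the counters in post #9 show is `venet0` on the OpenVZ box and `eth0` on the ESXi one. The script below is an added example, not code from the thread, that emits a complete iptables-restore ruleset for the router described in post #1: one uplink NIC, PPTP clients arriving on `ppp+`, and the uplink name taken as a parameter instead of being hard-coded. It assumes the clients are NATed behind the router's public address (MASQUERADE), which the thread never states but the 10.8.0.1 first hop in the tracert suggests; ports 1723/GRE, 22 and 25 are the ones the thread discusses, and the rate-limit values (3 new SSH connections per source per minute to the router, 5 per minute per client through it) are illustrative. The function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: emit an iptables-restore ruleset for
# the one-NIC PPTP router described in post #1.
#   $1 = uplink interface: eth0 on the ESXi VPS, venet0 inside the OpenVZ
#        container (post #9's counters show forwarded packets on venet0 there,
#        none on eth0)
#   $2 = client interface pattern, default ppp+
# Three points the thread turned on are built in:
#   1. iptables is first match wins, so the SMTP REJECT and the rate limit are
#      emitted before the rule that accepts client -> uplink traffic;
#   2. INPUT and FORWARD default to DROP, so anything not listed never passes;
#   3. the interface name is a parameter instead of a hard-coded eth0.
# Assumptions (not stated in the thread): clients are NATed behind the router's
# address (MASQUERADE); the rate-limit values are illustrative.
gen_ruleset() {
    wan="$1"
    cli="${2:-ppp+}"
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# clamp MSS on forwarded SYNs so the smaller PPTP MTU does not black-hole TCP
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# assumed: VPN clients use private addresses and are NATed out of the uplink
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- traffic to the router itself ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $wan -p tcp --dport 1723 -j ACCEPT
-A INPUT -i $wan -p 47 -j ACCEPT
# SSH to the router: a source opening more than 3 new connections in 60 s is dropped
-A INPUT -i $wan -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -i $wan -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -i $wan -p tcp --dport 22 -j ACCEPT
# --- traffic routed for VPN clients ---
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# blocks and limits come BEFORE the blanket client accept: first match wins
-A FORWARD -i $cli -o $wan -p tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i $cli -o $wan -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh-out --hashlimit-mode srcip --hashlimit-above 5/min --hashlimit-burst 5 -j DROP
-A FORWARD -i $cli -o $wan -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Line number of the first rule matching pattern $2 in the ruleset for uplink
# $1, so rule order can be checked before anything is loaded.
rule_line() {
    gen_ruleset "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Emit the ruleset for the uplink given on the command line (default eth0).
gen_ruleset "${1:-eth0}"
```

Generate with `sh gen-rules.sh venet0 > rules.v4`, read it once, then load it atomically with `iptables-restore < rules.v4`; a restore file is easier to review for ordering mistakes than a sequence of `-A`/`-I` commands, and `rule_line venet0 'dport 25 -j REJECT'` versus `rule_line venet0 'ctstate NEW -j ACCEPT'` confirms the REJECT precedes the ACCEPT before anything touches the kernel. Inside an OpenVZ container the `nat`, `conntrack`, `recent` and `hashlimit` modules have to be made available by the host, so if the restore fails on one of those lines that is the first thing to check with the provider.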
#11  02-08-2013, 12:46 PM
LQ Newbie (Original Poster), Registered: Sep 2010, Posts: 21
With your help I could revise my iptables checklist and block SMTP and rate-limit FTP and SSH connections. The only thing left is to block BitTorrent traffic.
I tried to use the l7-filter-userspace package, but its manual is vague to me and there is no clear and complete guide on how to use it. I would be thankful if you would share your solution for blocking torrent traffic.
Quote (Originally Posted by KinnowGrower):
On the FORWARD chain there is a rule before the SMTP reject rule. That may be allowing it to pass through the firewall.
Just to let you know: the best practice for a firewall is a default-deny policy on the INPUT, OUTPUT and FORWARD chains, and then ONLY allow the traffic you want. This way you know what you want IN/OUT/FORWARD, and if you don't have a rule for something, it will automatically be DROPped.
Just curious to know, are you running a container or a virtual machine?
Thank you. The server is a virtual machine. Blocking all ports by default and opening a few of them manually can be a good choice when the server is dedicated to specific services like HTTP or SQL, but I can do that on a router machine.