LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   IPtables quick question (http://www.linuxquestions.org/questions/linux-networking-3/iptables-quick-question-944159/)

gr0undzer0 05-09-2012 10:13 PM

IPtables quick question
 
I wrote the following script for my webserver. When I run it however I loose the ability to access any ports or even ping from the local host. I thought that the line i worte with 127.0.0.1 would take care of that. I also though the last two lines would basically force the server to close all OTHER ports. Not the ones listed here. Do I have some syntax wrong here I'm missing?

#!/bin/sh
#Script for configuring 'Firewall' Rules
#Written by Chris Jones <gnd.zer0@gmail.com>

#Basic Rules?

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

#SSH
iptables -A INPUT -d 10.0.0.xx -p tcp --dport xxx -j ACCEPT

#HTLM Own Cloud
iptables -A INPUT -d 10.0.0.xx -p tcp --dport xxx -j ACCEPT
iptables -A INPUT -d 10.0.0.xx -p tcp --dport xxx -j ACCEPT
#Probably a Good idea to take requests from my self
iptables -A INPUT -d 10.0.0.xx -s 127.0.0.1 -j ACCEPT

#Lock It down
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

Slackyman 05-10-2012 02:23 AM

Put
Code:

iptables -P INPUT DROP
iptables -P FORWARD DROP

at the beginning and remove the last two lines.
There are, anyway, different conceptual errors, but, sorry, now I've few time. :)

fukawi1 05-10-2012 03:47 AM

Firstly may I ask, what is the point/purpose of redacting your local IP addresses and ports? It does nothing to help you in the "security by obscurity" school of thought, and really makes helping you a crystal ball job.

Quote:

When I run it however I loose the ability to access any ports or even ping from the local host.
Code:

iptables -A INPUT -d 10.0.0.xx -s 127.0.0.1 -j ACCEPT

To enable traffic on the loopback interface, you would need to use a rule such as
Code:

iptables -A INPUT -i lo -j ACCEPT
Which will accept anything and everything on the loopback interface. This is usually standard practice.

Since you are running a webserver you are most likely going to want to allow access to either the entire internet, or an entire lan. Matching by destination IP is a bit pointless, since the packets have got to the host, chances are they have the hosts IP as the packets destination IP. Normally one would use a rule such as
Code:

iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT
This would allow anything coming from the 10.0.0.0/24 subnet, and drop everything else. In the case of a public webserver, you would omit the -s match.

I try to think of iptables rules by breaking them down. Looking at the specific characteristics of the connections I want to allow
Lets take your ssh rule as an example.
Code:

iptables -A INPUT -d 10.0.0.xx -p tcp --dport xxx -j ACCEPT
iptables -A INPUT (append a rule to the end of the filter table, INPUT chain)
-d 10.0.0.xx (match packets with a destination IP 10.0.0.xx AND)
-p tcp --dport xxx (protocol: tcp, destination port xxx)
-j ACCEPT (this ones pretty obvious)

It is also worthwhile to enable logging, this is helpful for diagnosing problems.
Also using "watch" in conjunction with "iptables -nvL $chain" while generating a bunch of traffic using hping or nc and watching the byte/packet counters.

I really do recommend this link for a good description of how iptables works, with flowcharts and tables explaining the tables, and chains etc..
http://www.linuxhomenetworking.com/w...Using_iptables

gr0undzer0 05-10-2012 05:16 AM

I appreciate your time gentlemen. I'm headed to that site as soon as I hit my lunch break today fukawi. I'll try that code out later today Slackyman.

gr0undzer0 05-10-2012 11:12 AM

Fukawi1,
In particular which part of this script is causing all traffic to be blocked? From your response and the site you posted I gather that although its not necessary

iptables -A INPUT -d 10.0.0.26 -p tcp --dport80 -j ACCEPT

should let any traffic from any ip using port 80 go right on through to the host. Are you saying that if I put in the IP on a machine the packet has already arrived at it wont work? If it will work I am still having issues with not being able to reach this server from within the network.

Slackyman 05-10-2012 12:15 PM

To allow web traffic:
Code:

iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

To let the machine give response to the ping:
Code:

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

A request can be accepted in input but you have even to accept a response in output.

gr0undzer0 05-10-2012 12:27 PM

Slacky,

Will test at home. I did play around with the iptables on a test machine here at work and was successful in allowing / blocking ssh with no issue with the code i started with. I found the issues.

1. The ip address on the individual filters was wrong
2. The i needed a space between dport and the port.


All times are GMT -5. The time now is 09:26 AM.