LinuxQuestions.org, Linux - Networking forum
IPtables quick question

#1  gr0undzer0 (Fedora)  05-09-2012, 11:13 PM

I wrote the following script for my webserver. When I run it, however, I lose the ability to access any ports or even ping from the local host. I thought that the line I wrote with 127.0.0.1 would take care of that. I also thought the last two lines would basically force the server to close all OTHER ports, not the ones listed here. Do I have some syntax wrong here that I'm missing?

Code:
#!/bin/sh
#Script for configuring 'Firewall' Rules
#Written by Chris Jones <gnd.zer0@gmail.com>

#Basic Rules?

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

#SSH
iptables -A INPUT -d 10.0.0.xx -p tcp --dport xxx -j ACCEPT

#HTML Own Cloud
iptables -A INPUT -d 10.0.0.xx -p tcp --dport xxx -j ACCEPT
iptables -A INPUT -d 10.0.0.xx -p tcp --dport xxx -j ACCEPT
#Probably a good idea to take requests from myself
iptables -A INPUT -d 10.0.0.xx -s 127.0.0.1 -j ACCEPT

#Lock it down
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
 
#2  Slackyman (Slackware 13.1)  05-10-2012, 03:23 AM

Put
Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
at the beginning and remove the last two lines.
There are, anyway, different conceptual errors, but, sorry, I have little time right now.
 
#3  fukawi1 (Fedora & CentOS)  05-10-2012, 04:47 AM

Firstly, may I ask what the point/purpose of redacting your local IP addresses and ports is? It does nothing to help you in the "security by obscurity" school of thought, and really makes helping you a crystal-ball job.

Quote:
When I run it however I lose the ability to access any ports or even ping from the local host.
Code:
iptables -A INPUT -d 10.0.0.xx -s 127.0.0.1 -j ACCEPT
To enable traffic on the loopback interface, you would need to use a rule such as
Code:
iptables -A INPUT -i lo -j ACCEPT
which will accept anything and everything on the loopback interface. This is usually standard practice.

Since you are running a webserver, you are most likely going to want to allow access to either the entire internet or an entire LAN. Matching by destination IP is a bit pointless: since the packets have got to the host, chances are they have the host's IP as the destination IP. Normally one would use a rule such as
Code:
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT
This would allow anything coming from the 10.0.0.0/24 subnet and drop everything else. In the case of a public webserver, you would omit the -s match.

I try to think of iptables rules by breaking them down, looking at the specific characteristics of the connections I want to allow.
Let's take your ssh rule as an example.
Code:
iptables -A INPUT -d 10.0.0.xx -p tcp --dport xxx -j ACCEPT
iptables -A INPUT (append a rule to the end of the filter table, INPUT chain)
-d 10.0.0.xx (match packets with a destination IP 10.0.0.xx AND)
-p tcp --dport xxx (protocol: tcp, destination port xxx)
-j ACCEPT (this one's pretty obvious)

It is also worthwhile to enable logging; this is helpful for diagnosing problems.
Also useful is "watch" in conjunction with "iptables -nvL $chain" while generating a bunch of traffic using hping or nc, watching the byte/packet counters.

I really do recommend this link for a good description of how iptables works, with flowcharts and tables explaining the tables, chains, etc.:
http://www.linuxhomenetworking.com/w...Using_iptables
 
#4  gr0undzer0 (original poster)  05-10-2012, 06:16 AM

I appreciate your time, gentlemen. I'm headed to that site as soon as I hit my lunch break today, fukawi. I'll try that code out later today, Slackyman.
 
#5  gr0undzer0 (original poster)  05-10-2012, 12:12 PM

fukawi1,
In particular, which part of this script is causing all traffic to be blocked? From your response and the site you posted I gather that, although it's not necessary,

iptables -A INPUT -d 10.0.0.26 -p tcp --dport80 -j ACCEPT

should let any traffic from any IP using port 80 go right on through to the host. Are you saying that if I put in the IP of a machine the packet has already arrived at, it won't work? If it will work, I am still having issues with not being able to reach this server from within the network.
 
#6  Slackyman  05-10-2012, 01:15 PM

To allow web traffic:
Code:
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
To let the machine give response to the ping:
Code:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
A request can be accepted in INPUT, but you also have to accept the response in OUTPUT.
 
#7  gr0undzer0 (original poster)  05-10-2012, 01:27 PM

Slacky,

Will test at home. I did play around with iptables on a test machine here at work and was successful in allowing/blocking SSH with no issue with the code I started with. I found the issues:

1. The IP address on the individual filters was wrong.
2. I needed a space between dport and the port.
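Pulling the replies together, here is the OP's firewall rebuilt the way posts #2, #3 and #6 suggest, with the two slips from post #7 (a wrong address and `--dport80` without the space) avoided by generating the rules from a few variables instead of hand-typing each line. This is an added example written for this page; it is not a script from the thread or from any of the posters. It assumes a LAN of 10.0.0.0/24, sshd on port 22 reachable from the LAN only, and a web server on ports 80 and 443 open to everyone; OUTPUT is left at its default ACCEPT policy, as it effectively was in the OP's script. The rules are emitted in iptables-restore format so the whole filter table is replaced atomically (re-running an `iptables -A` script just appends duplicates and leaves a window where the box is wide open or locked out), and `iptables-restore --test` lets you parse the ruleset without applying it.

```shell
#!/bin/sh
# Added example (not from the thread): the OP's webserver firewall rebuilt
# with the fixes the replies suggest, emitted in iptables-restore format so
# it can be reviewed, syntax-checked and applied atomically.
#
# Assumptions (constructed for this example, not taken from the thread):
# the server is on 10.0.0.0/24, sshd listens on 22 and is LAN-only,
# the web server listens on 80 and 443 for everyone. Override via env.
LAN_NET="${LAN_NET:-10.0.0.0/24}"
SSH_PORT="${SSH_PORT:-22}"
WEB_PORTS="${WEB_PORTS:-80 443}"

generate_rules() {
    # Default policies come first (post #2): anything not explicitly
    # accepted below is dropped, so no trailing catch-all REJECT rule.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]'

    # Loopback: match the interface, not "-s 127.0.0.1 -d <lan-ip>"
    # (post #3). Local clients talk 127.0.0.1 -> 127.0.0.1, so the
    # OP's rule never matched.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'

    # Replies to connections this host opened, plus related traffic
    # (ICMP errors, FTP data). INVALID is dropped before any port rule
    # can accept it.
    printf '%s\n' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP'

    # SSH only from the LAN: match the source (-s), not the destination,
    # and only NEW connections; established ones were accepted above.
    printf '%s\n' \
        "-A INPUT -p tcp -s $LAN_NET --dport $SSH_PORT -m state --state NEW -j ACCEPT"

    # Public web ports: no -s match, as post #3 notes for a public server.
    for p in $WEB_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done

    # Answer ping (post #6). Echo replies leave via OUTPUT, whose policy
    # is ACCEPT here, so no separate OUTPUT rule is required.
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'

    # Log what falls through to the DROP policy, rate limited so a port
    # scan cannot flood the log; the prefix makes the lines easy to grep
    # when diagnosing "why can't I reach it" (post #3).
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: " --log-level 4' \
        'COMMIT'
}

case "${1:-}" in
    --check) generate_rules | iptables-restore --test ;;  # parse only (needs root)
    --apply) generate_rules | iptables-restore ;;         # atomic replace of the filter table
    *)       generate_rules ;;                            # print for review
esac
```

Run it with no arguments to review the generated table, `--check` to let iptables-restore parse it, and `--apply` to load it; if you lock yourself out of an SSH session, a scheduled `iptables -F` (or a reboot, since nothing here persists the rules) gets you back in.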
 
  

