LinuxQuestions.org forum: Linux - Networking
I have been learning these tricks recently, often the hard way. More often than not, I am locked out of the remote server.
I have the following lines in my iptables. I think I need to add some ins and outs, because right now I am allowing all outbound traffic.
I want to add a line somewhere that makes sure that I have ssh access (local access) even if I screw up things in the following lines.
I am using RHEL 5.6.
(1) What line, and where do I add it? Gurus, please help.
Code:
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:FORWARD DROP [0:0]
:myFirewall_Input - [0:0]
-A INPUT -j myFirewall_Input
#### Output Chain add ###
:myFirewall_Output - [0:0]
-A OUTPUT -j myFirewall_Output
#loopback
-A myFirewall_Input -i lo -j ACCEPT
#ping
-A myFirewall_Input -p icmp --icmp-type 8 -s <IP> -j ACCEPT
-A myFirewall_Output -p icmp --icmp-type 8 -s <IP> -j ACCEPT
#ssh local only
-A myFirewall_Input -m tcp -p tcp -s <IP> --dport 22 -j ACCEPT
-A myFirewall_Input -m tcp -p tcp -s <IP> --dport 22 -j ACCEPT
#80 is ok from all
-A myFirewall_Input -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#outgoing is unrestricted
-A myFirewall_Output -m tcp -p tcp -s <IP> -j ACCEPT
# each table section must end with COMMIT or iptables-restore will not load it
COMMIT
(2)
I do not know if I have things that are not necessary and/or things I had better have, considering security.
I mean, if I have this for ping:
-A myFirewall_Input -p icmp --icmp-type 8 -s <IP> -j ACCEPT
do I need this?
-A myFirewall_Output -p icmp --icmp-type 8 -s <IP> -j ACCEPT
Same for the ssh.
(3) I want to define a variable for IP and use that variable throughout. Currently, I am using real numbers for <IP>.
I want to define something like:
hostIP = "nnn.nnn.nnn.nnn"
and later on, say,
-A myFirewall_Output -p icmp --icmp-type 8 -s $hostIP -j ACCEPT
Question (1) is very important for me: I don't want to go to the server room every time I make a mistake. (3) is just for convenience, nice to have, but I can do without it. (2) is in between.
1) What is "local" access? You have your "ssh" part already, so you'd just add in the right source network for whatever suits "local", I guess. Actually you might be wanting a separate point of entry here, so I'd suggest putting this outside of your "MyFirewall" chains; if you put the accept at the top of the INPUT chain then you have a nice logical separation between that and your experiments.
2) Well, normally your OUTPUT policy would be a default ACCEPT, so it is probably not required because of that.
3) That's not a question... yes, you can do that; it's just bash though, nothing to do with iptables itself.
Your firewall is, as I'm sure you'll appreciate, pretty crude. There's no connection tracking at all; you should really only be allowing NEW connections on these certain services, and from then on all existing connections.
(1) By local, I mean, allow ssh only from within our LAN.
>I'd suggest putting this outside of your "MyFirewall" chains
Yes, that's what I want to do, but
(a) where do I put it? Just before :INPUT DROP [0:0]? Or even before *filter?
(b) and how do I write it?
iptables -A INPUT -p tcp -s <local lan IP> --dport 22 -j ACCEPT?
(2) Yes, I have also read many times that outgoing defaults to ACCEPT, but our people here want to run a tighter ship, so I will be adding a lot of OUTPUT chains.
(3) Since this is not a bash script, am I out of luck?
(4) Connection tracking: do you mean I add "-m state --state NEW" for ping and ssh (access through port 80 already has this string)?
Ah right, OK, so literally the line before the INPUT rule that sends everything to your own chain. That format seems fine; it should be only for state NEW packets though.
I would think that filtering outbound access is generally pointless even in most "tighter ships". Presumably all outbound traffic will hit either a physical firewall or the INPUT on another box. Those are the places to filter.
Ah, yeah, not possible there, but you can do things like use other chains to send certain traffic to, and define that IP address in them a minimal number of times, if that logic holds true.
Checking the NEW state is half of it, yes; the other half is then to permit ESTABLISHED and RELATED as the first rule in the INPUT chain, to quickly allow all traffic that you've previously allowed to be created.
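Putting the replies together as an added example (not code from the thread): a bash script that generates the RHEL /etc/sysconfig/iptables file, so the LAN and host addresses are shell variables typed once, with the ESTABLISHED,RELATED rule first and the ssh-from-LAN rule placed before the jump into myFirewall_Input so a mistake inside that chain cannot lock you out. The network 192.168.1.0/24 and host 192.168.1.10 are constructed placeholders.

```shell
#!/bin/bash
# Added example, not from the thread: generate the iptables-save ruleset
# from shell variables (the "just bash" route to question 3).
# Assumed values: the LAN and host addresses below are constructed placeholders.

gen_rules() {
    lan="$1"    # network allowed to open ssh sessions and to ping us
    host="$2"   # this server's own address, used in the outbound rule
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:myFirewall_Input - [0:0]
:myFirewall_Output - [0:0]
# 1. packets of already-accepted connections come back in without re-evaluation
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 2. ssh from the LAN, BEFORE the jump into the experimental chain; only NEW
#    packets need it because rule 1 handles the rest of the session
-A INPUT -p tcp -m tcp -s $lan --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j myFirewall_Input
# same idea on the way out: replies (including ssh and ping replies) leave as ESTABLISHED
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j myFirewall_Output
-A myFirewall_Input -i lo -j ACCEPT
# ping: only the echo request needs a rule, so no OUTPUT rule for type 8 replies
-A myFirewall_Input -p icmp --icmp-type 8 -s $lan -m state --state NEW -j ACCEPT
-A myFirewall_Input -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A myFirewall_Output -o lo -j ACCEPT
-A myFirewall_Output -p tcp -m tcp -s $host -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Print the ruleset; redirect it to /etc/sysconfig/iptables to install it.
gen_rules "192.168.1.0/24" "192.168.1.10"
```

Load the written file with `service iptables restart`; under the DROP output policy, outbound UDP (DNS, for example) still needs its own rule in myFirewall_Output.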