Old 10-26-2014, 09:42 AM   #1
NotionCommotion
Member
Help with iptables


Hoping to get a quick critique of my iptables setup. I've described what I "think" is going on. Please correct me where I am wrong, help me fill in the gaps, and provide recommended changes. Thank you.

Chain INPUT (policy ACCEPT)
Line 1. Block anything as determined by fail2ban from anywhere.
Line 2. Allow SSH access from anywhere.
Line 3. Allow ping from anywhere.
Line 4. What? This is bad, and should be removed, right?
Line 5. Allow any previously established connection from anywhere? What is different between this line and Line 2?
Line 6. Allow MySQL only from servers on LAN.
Lines 7, 8, 9, 10. Allow Samba only from servers on LAN.
Lines 11, 12. Allow email from anywhere.
Lines 13, 14. Allow HTTP and HTTPS from anywhere.
Line 15. Log anything that gets here.
Line 16. Will never occur since LOG happens first.

Chain FORWARD (policy ACCEPT)
What is FORWARD all about?
Line 1. N/A. There are no rules.

Chain OUTPUT (policy ACCEPT)
What is OUTPUT all about?
Line 1. Log anything that gets here.

Chain LOGGING (1 references)
This occurs whenever LOGGING is encountered in INPUT, right?
Line 1. Log anything that gets here.
Line 2. Drop anything that gets here.

Chain fail2ban-SSH (1 references)
This occurs whenever fail2ban-SSH is encountered in INPUT, right?
Line 1. Why RETURN and not DROP?

Code:
[root@devserver ~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
2    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
3    ACCEPT     icmp --  anywhere             anywhere
4    ACCEPT     all  --  anywhere             anywhere
5    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
6    ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:mysql state NEW
7    ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:microsoft-ds state NEW
8    ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:netbios-ssn state NEW
9    ACCEPT     udp  --  192.168.1.0/24       anywhere            udp dpt:netbios-dgm state NEW
10   ACCEPT     udp  --  192.168.1.0/24       anywhere            udp dpt:netbios-ns state NEW
11   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW
12   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ndmp state NEW
13   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW
14   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW
15   LOGGING    all  --  anywhere             anywhere
16   REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain LOGGING (1 references)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level debug prefix `DROP: '
2    DROP       all  --  anywhere             anywhere

Chain fail2ban-SSH (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere
[root@devserver ~]#
 
Old 10-26-2014, 11:07 AM   #2
unSpawn
Moderator
First of all it's better to present the current rule set as 'iptables-save' output. It's easier to read, complete as it shows all tables, and faster because it doesn't resolve anything.


Quote:
Originally Posted by NotionCommotion View Post
Line 4. This is bad, and should be removed, right?
If your filter table policies are to restrict access then yes and yes.


Quote:
Originally Posted by NotionCommotion View Post
Line 5. Allow any previously established connection from anywhere? What is different between this line and Line 2?
No, filter table INPUT chain rule #5 looks in its state table for connections it doesn't yet know about, aka "new" connections.


Quote:
Originally Posted by NotionCommotion View Post
Chain FORWARD (policy ACCEPT)
What is FORWARD all about?
Chain OUTPUT (policy ACCEPT)
What is OUTPUT all about?
Search for "frozentux iptables tutorial"?


Quote:
Originally Posted by NotionCommotion View Post
Chain LOGGING (1 references)
This occurs whenever LOGGING is encountered in INPUT, right?
No, this chain will see packets when a "-j LOGGING" is encountered. This target could be used in any chain.


Quote:
Originally Posted by NotionCommotion View Post
Chain fail2ban-SSH (1 references)
This occurs whenever fail2ban-SSH is encountered in INPUT, right?
Line 1. Why RETURN and not DROP?
No, it does DROP packets at the end of the chain.
Maybe you meant to ask "Why DROP and not RETURN"?
*Do note fail2ban can use ipset which would mean you only need one iptables rule for it and not one rule per blocked IP address.
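An added, defender-side check (not code from the thread or from fail2ban): a small Python script that parses the `iptables -L --line-numbers` listing posted above and reports every catch-all verdict rule together with the rules it shadows. On the abridged listing embedded here it flags rule 4 (ACCEPT all) as shadowing everything below it, and the unconditional jump to LOGGING (which ends in DROP) as making rule 16 unreachable; a jump to fail2ban-SSH is not flagged because that chain ends in RETURN.

```python
import re

# Constructed from the `iptables -L --line-numbers` listing posted above, abridged to
# the rules that matter here (INPUT rules 3 and 6-14 omitted; rule numbers are kept).
LISTING = """\
Chain INPUT (policy ACCEPT)
1    fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
2    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
4    ACCEPT     all  --  anywhere             anywhere
5    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
15   LOGGING    all  --  anywhere             anywhere
16   REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain LOGGING (1 references)
1    LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level debug prefix `DROP: '
2    DROP       all  --  anywhere             anywhere
"""
# columns: num target prot opt source destination [match options]
RULE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")
VERDICTS = ("ACCEPT", "DROP", "REJECT")

def parse(listing):
    """Map each chain name to its rules, in order, as dicts."""
    chains, chain = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            chains[chain] = []
        elif chain and RULE.match(line):
            num, target, proto, src, dst, extra = RULE.match(line).groups()
            chains[chain].append({"num": int(num), "target": target, "proto": proto,
                                  "src": src, "dst": dst, "extra": extra.strip()})
    return chains

def matches_everything(rule):
    """No protocol, address or extra match: the rule fires for every packet reaching it."""
    return rule["proto"] == "all" and rule["src"] == rule["dst"] == "anywhere" and not rule["extra"]

def never_returns(chains, target):
    """A built-in verdict, or a user chain holding an unconditional verdict rule
    (LOGGING ends in DROP and qualifies; fail2ban-SSH ends in RETURN and does not)."""
    return target in VERDICTS or any(matches_everything(r) and r["target"] in VERDICTS
                                     for r in chains.get(target, []))

def audit(chains, chain="INPUT"):
    """(rule number, target, numbers of the rules it shadows) for each catch-all verdict rule."""
    rules, findings = chains[chain], []
    for i, rule in enumerate(rules[:-1]):  # the last rule cannot shadow anything
        if matches_everything(rule) and never_returns(chains, rule["target"]):
            findings.append((rule["num"], rule["target"], [r["num"] for r in rules[i + 1:]]))
    return findings
```

Re-running `audit` on a copy with rule 4 deleted leaves only the LOGGING finding, which is the intended terminal behaviour described in the thread.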
 
Old 10-26-2014, 11:53 AM   #3
NotionCommotion
Member
Thanks unSpawn. Everything you said makes sense except:
Quote:
Originally Posted by unSpawn View Post
No, it does DROP packets at the end of the chain.
Maybe you meant to ask "Why DROP and not RETURN"?
Please explain what this is doing:
Code:
Chain fail2ban-SSH (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere
Quote:
Originally Posted by unSpawn View Post
*Do note fail2ban can use ipset which would mean you only need one iptables rule for it and not one rule per blocked IP address.
Will fail2ban by default add blocked IPs to ipset?
 
Old 10-26-2014, 02:04 PM   #4
unSpawn
Moderator
Quote:
Originally Posted by NotionCommotion View Post
Everything you said makes sense except:
Please explain what this is doing:
Code:
Chain fail2ban-SSH (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere
Yes, of course it didn't make sense because I read over it :-]
Fail2ban inserts its DROP rules above the "-j RETURN" one. That way any traffic that doesn't match will flow back to the chain it came from.


Quote:
Originally Posted by NotionCommotion View Post
Will fail2ban by default add blocked IPs to ipset?
You'll have to choose between iptables rules and an ipset entry. The documentation should show you how exactly. Note that having a few scans a day doesn't put any pressure on iptables but if you block a few hundred to thousands of addresses then it will make a difference performance and maintenance-wise.
 
  

