LinuxQuestions.org
Old 11-14-2012, 02:46 PM   #1
Vimuth
Member
 
Registered: Sep 2009
Posts: 59

Rep: Reputation: 15
iptables


Hello,
Could someone please let me know how I should go about effectively configuring iptables. Following is what I'd want:

-only ssh, ftp, http traffic is accepted by the server.
-all the other traffic should be dropped.
-I'd like to understand -m state (ESTABLISHED, RELATED) with the use of examples.

Note that the server has no rules at the moment (iptables -F).

Could someone please help? I'd want to figure out the order in which I should be writing these rules.

Also, is there a manpage with examples, like the manpage for ACL?


Thanks in advance.

/V
 
Old 11-14-2012, 03:15 PM   #3
Basher52
Member
 
Registered: Mar 2004
Location: .SE
Distribution: Fedora, CentOS, Scientific Linux
Posts: 275

Rep: Reputation: 10
This example has nice info above each rule; eth0 is the interface to the WAN.

Quote:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow all input/output on localhost interface
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Accept Established and Related Connections
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop invalid packets
-A INPUT -m state --state INVALID -j DROP

# Services
# FTP, SSH, HTTP
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 21,22,80 -j ACCEPT

# Output to the internet
-A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

COMMIT

Quote:
State matching

We can also specify a 'match' option, using the -m flag. This allows us to use a kernel module to provide extra packet matching capabilities, the most popular usage of which is for connection tracking matching.
The 'state' match has four different types of connection which we can match against:
  • ESTABLISHED: corresponds to a connection which is already up and running. If the connection originated within our network, as soon as the packet passes through our firewall on its way to the Internet, it is tracked as ESTABLISHED.
  • RELATED: is provided by a protocol helper module. The most common use for this is with FTP by using the ip_conntrack_ftp.o module, which allows us to track FTP connections back into our network properly, as when we download from an FTP server, it will try to make a TCP connection back to our system.
  • NEW: means that the packet is part of a new connection, meaning that it has not yet been tracked by the connection tracking system.
  • INVALID: means that the connection is in an invalid state, so generally these should be dropped.
 
Old 11-15-2012, 06:32 AM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,052

Rep: Reputation: 881
Quote:
Originally Posted by Vimuth View Post

Also is there a manpage with examples? Like the manpage of ACL?
There is a manpage, and it is really quite good (not all manpages are all that much use to the neophyte, unless you just want reminding of the exact switch that you need, but this one is one of the better ones, in that it has more of an informative bent), but I don't recall many examples.

The easiest thing would be if you read it. Maybe then you would have some specific questions.

In general, if you want more (explanation, understanding) than is available on the manpage, you should go to the frozentux tutorial. While teckk has already given a link to that, that link is to the html version, and if you are using that seriously, you might find a downloadable version, such as the pdf version, to be more convenient. Anyway, here is another link, from which you can choose your version.

Quote:
Originally Posted by Vimuth View Post

-only ssh, ftp, http traffic is accepted by the server.
-all the other traffic should be dropped.
-I'd like to understand m state (EST,RELATD) with use of examples.
Do you know the port numbers which the traffic that you are interested in uses? You have to find that out first.

For ssh in particular there can be good reasons for this not being the same port number as the standard port number for that traffic, so the question is 'what port number does your traffic use?' and not 'what is the default port number for that protocol?' (see Samhain for more info on ssh and its protection).

Once you know those port numbers, the general approach is:
Code:
let through traffic on this port number
let through traffic on that port number
let through traffic on the other port number
(until you have dealt with all of the ports that you want to allow)
drop
(an alternative, that partly deals with your question about established is:
Code:
allow established
let through traffic on this port number
let through traffic on that port number
let through traffic on the other port number
(until you have dealt with all of the ports that you want to allow)
drop
this depends on established traffic being successor traffic to some that has been through the 'port number filter'; it might be 'more efficient' in the limited sense that 'established' deals with the majority of traffic and this means that the majority doesn't have to go through multiple comparisons...probably still doesn't make up for the additional overhead of using the established feature, not that any of that is relevant in anything but the most extreme use cases, though.)

One question that you need to think about is that 'drop'. Do you really want to just drop (clean, efficient) or do you want to 'log and drop' (helps in debugging, helps to understand what is going on if you are under attack, adds to the overhead, because it implies a write to the log every time that you have a drop...you might think of applying a sensible rate limit to the drop, so that your server cannot be overwhelmed by the number of log file writes).

Quote:
Originally Posted by Vimuth View Post
I'd want to figure out the order that I should be writing these rules
For efficiency, you could argue that the rules should be written in the order that gives iptables the fewest number of comparisons to make. That is, if the majority of your traffic is html, place the 'accept html' rule first. It makes less difference if you are using the 'established' variant (in that case, you'd probably argue for the largest number of new connections to be the first rule after 'established', but by this point you are probably just arguing about something that can have no real world significance).

In the real world, this probably doesn't make any noticeable difference, but some people will want to do this out of a sense of neatness, anyway.
 
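The state explanation quoted in post #3 and the ordering and 'log and drop' points in the post above, as an added example that is not code from any of the posts: a small Python model of the INPUT chain that classifies packets into NEW / ESTABLISHED / RELATED / INVALID, runs the rules first-match with policy DROP, includes a passive-mode FTP helper (the job nf_conntrack_ftp does for the RELATED state) and a token bucket standing in for `-m limit` on the LOG rule. The server and client addresses, the 227 reply and the whole packet trace are constructed; nothing touches a real kernel, so it runs as an ordinary script.

```python
"""Model of the iptables INPUT chain with '-m state' classification (added example,
not code from the thread). Enough conntrack (NEW/ESTABLISHED/RELATED/INVALID) and
first-match rule evaluation to show why the posted rule order works and what a
rate-limited 'log and drop' does. Addresses and traffic are constructed."""
from collections import namedtuple

# t: timestamp in seconds; syn: True for the TCP SYN that opens a connection.
Packet = namedtuple("Packet", "t src sport dst dport syn payload")
SERVER, CLIENT = "198.51.100.10", "203.0.113.5"


class Conntrack:
    """Minimal connection tracker with a passive-mode FTP helper."""
    def __init__(self):
        self.flows = set()    # each flow is the unordered pair of endpoints
        self.expect = set()   # (ip, port) the helper told us to expect a SYN for

    @staticmethod
    def _flow(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def state(self, p):
        """Classify a packet the way '-m state --state ...' sees it."""
        if self._flow(p) in self.flows:
            return "ESTABLISHED"   # belongs to a flow that was already accepted
        if not p.syn:
            return "INVALID"       # mid-stream packet with no tracked flow
        if (p.dst, p.dport) in self.expect:
            return "RELATED"       # SYN that the FTP helper announced in advance
        return "NEW"

    def observe(self, p):
        """Record a packet that passed the firewall, in either direction."""
        self.flows.add(self._flow(p))
        self.expect.discard((p.dst, p.dport))
        # FTP helper: a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply from
        # port 21 names the data port the client will connect to next -> RELATED.
        if p.sport == 21 and p.payload.startswith("227 "):
            n = p.payload[p.payload.index("(") + 1:p.payload.index(")")].split(",")
            self.expect.add((".".join(n[:4]), int(n[4]) * 256 + int(n[5])))


class Limit:
    """Token bucket like '-m limit --limit <rate>/second --limit-burst <burst>'."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, None

    def allow(self, t):
        if self.last is not None:   # refill for the time elapsed, capped at burst
            self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last, ok = t, self.tokens >= 1
        self.tokens -= ok           # spend one token when allowed (True == 1)
        return ok


class InputChain:
    """First-match evaluation of INPUT rules, policy DROP; LOG never terminates."""
    def __init__(self, rules, log_limit):
        self.ct, self.rules, self.limit, self.log = Conntrack(), rules, log_limit, []

    def filter(self, p):
        st = self.ct.state(p)
        for name, match, target in self.rules:
            if not match(p, st):
                continue
            if target == "LOG":        # note the packet, then keep evaluating
                if self.limit.allow(p.t):
                    self.log.append(f"{name}: {p.src}:{p.sport} -> :{p.dport} {st}")
                continue
            if target == "ACCEPT":
                self.ct.observe(p)     # conntrack confirms the entry on ACCEPT
            return target
        return "DROP"                  # the chain policy ':INPUT DROP'


# Posted INPUT rules in order ('-i lo' left out: no loopback traffic is traced),
# plus a rate-limited LOG in front of the policy DROP as suggested above.
RULES = [
    ("est/rel", lambda p, st: st in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    ("invalid", lambda p, st: st == "INVALID", "DROP"),
    ("services", lambda p, st: st == "NEW" and p.dport in (21, 22, 80), "ACCEPT"),
    ("log-drop", lambda p, st: True, "LOG"),
]


def run_trace():
    """Run a constructed trace; return [(dport, state, verdict), ...] and the log."""
    fw = InputChain(RULES, Limit(rate=1, burst=3))
    seen = []
    def inbound(t, sport, dport, syn):
        p = Packet(t, CLIENT, sport, SERVER, dport, syn, "")
        seen.append((dport, fw.ct.state(p), fw.filter(p)))
    inbound(0, 40000, 22, True)     # SSH SYN: NEW, accepted by 'services'
    inbound(1, 40000, 22, False)    # next packet of that flow: ESTABLISHED
    inbound(2, 40001, 25, True)     # SMTP SYN: NEW but not allowed -> logged, DROP
    inbound(3, 40002, 80, False)    # stray ACK with no flow: INVALID -> DROP
    inbound(4, 40003, 21, True)     # FTP control SYN: NEW, accepted
    fw.ct.observe(Packet(5, SERVER, 21, CLIENT, 40003, False,   # our outbound reply
                         "227 Entering Passive Mode (198,51,100,10,195,80)"))
    inbound(6, 40004, 50000, True)  # FTP data SYN to 195*256+80: RELATED -> ACCEPT
    for i in range(10):             # port sweep at t=7: only 'burst' lines get logged
        inbound(7, 41000 + i, 23, True)
    return seen, fw.log
```

Calling run_trace() shows the SSH SYN accepted as NEW and its follow-up as ESTABLISHED, the FTP data SYN accepted as RELATED only because the 227 reply was observed first, the stray ACK dropped as INVALID before the services rule is consulted, and a ten-packet sweep of port 23 producing just three log lines (the burst) on top of the earlier SMTP line. Swapping 'services' ahead of 'est/rel' changes none of the verdicts, which is the efficiency-only point made above; putting 'log-drop' anywhere but last would log accepted traffic as well, because LOG matches everything and does not stop evaluation.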
Old 11-15-2012, 06:45 AM   #5
Vimuth
Member
 
Registered: Sep 2009
Posts: 59

Original Poster
Rep: Reputation: 15
Thank you all for the replies.

Mr Basher, thank you very much for the explanation. I really appreciate it. However, if I could get my doubts clarified on the following, I think I'm there.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

I believe the above would drop all the connections coming on to the box? If that is the case, shouldn't we just declare them after the set of rules that were implemented? What I have heard is that you should first define the rules that allow access and then deny all. Please advise.
 
Old 11-15-2012, 08:44 AM   #6
Basher52
Member
 
Registered: Mar 2004
Location: .SE
Distribution: Fedora, CentOS, Scientific Linux
Posts: 275

Rep: Reputation: 10
Quote:
Originally Posted by Vimuth View Post
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
These are the DEFAULT actions that will happen if no specific rules apply. I always set these first, then localhost etc.
I do this with a script though, and not with the system's built-in firewall handler.
If you have a chain of rules and a packet doesn't match any rule, then it will be dropped.

UPDATE: If you create a Default Action of DROP for OUTPUT, then you'll have a LOT of work to do.
For me, on most machines I just ACCEPT all on OUTPUT.

Last edited by Basher52; 11-15-2012 at 10:42 AM.
 
Old 11-16-2012, 02:07 PM   #7
Basher52
Member
 
Registered: Mar 2004
Location: .SE
Distribution: Fedora, CentOS, Scientific Linux
Posts: 275

Rep: Reputation: 10
Did you fix it, or did you happen to block everything on OUTPUT?
 
Old 11-17-2012, 05:28 PM   #8
Vimuth
Member
 
Registered: Sep 2009
Posts: 59

Original Poster
Rep: Reputation: 15
Mr Basher, thank you very much. lol, no, I think I did not burn down anything as yet. Now I get the picture, thanks to all the good advice provided. One simple question though. Say that I have a vsftpd server on the box and need to allow incoming connections. What if I just say
iptables -A INPUT -p tcp --dport 21 -j ACCEPT; rather than saying

iptables -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT ?

Oh, by the way, assume that I have already declared the following rule before applying either of the above.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Please advise, good people.

/V
 
Old 11-17-2012, 09:09 PM   #9
Basher52
Member
 
Registered: Mar 2004
Location: .SE
Distribution: Fedora, CentOS, Scientific Linux
Posts: 275

Rep: Reputation: 10
I'd go for the first one. (little that I know )

Quote:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This won't matter, since when someone wants to connect to your FTP server,
it won't be a connection that is already established, nor related to anything.

The FIRST connection is them wanting to get into your FTP, so that rule won't apply.
That first connection is not related(!) to any other previous connection, since you
"just tried to connect", and since it's the first "call" on your FTP it's not established(!)

Hope you get that
 
1 members found this post helpful.
Old 11-18-2012, 02:18 AM   #10
Vimuth
Member
 
Registered: Sep 2009
Posts: 59

Original Poster
Rep: Reputation: 15
Oh, I get it, Sir. Thank you very much. I want to explore some other stuff that you can do with iptables, therefore I'm going to keep this thread open for another few days. I'm sure I will bother you again, but bear with me for, say, just another week tops. Thank you again, Mr Basher.

/V
 
Old 01-08-2013, 05:57 PM   #11
Basher52
Member
 
Registered: Mar 2004
Location: .SE
Distribution: Fedora, CentOS, Scientific Linux
Posts: 275

Rep: Reputation: 10
Just to let you know, this post is still open
 
Old 01-09-2013, 01:03 AM   #12
Vimuth
Member
 
Registered: Sep 2009
Posts: 59

Original Poster
Rep: Reputation: 15
Greetings Mr Basher. Sorry for being a bastard for not closing this thread on time. Thank you very much for all your kind support.

/V
 
Old 01-11-2013, 10:08 AM   #13
Basher52
Member
 
Registered: Mar 2004
Location: .SE
Distribution: Fedora, CentOS, Scientific Linux
Posts: 275

Rep: Reputation: 10
hehe bastard, well don't that and I made the same error when I found this place
