LinuxQuestions.org > Forums > Linux - Newbie
#1 smilemukul, 09-12-2012, 10:24 AM
Problem with iptables


I have set all chains to DROP all traffic and accept only traffic as per my requirements, but I am unable to ping or ssh from my CentOS 6.2 OS, where the rules below are applied:

Code:
Chain INPUT (policy DROP)
iptables -A INPUT -i eth0 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Chain OUTPUT (policy DROP)
iptables -A OUTPUT -o eth0 -p icmp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
 
#2 smilemukul (original poster), 09-12-2012, 10:27 AM
I am getting this error message from ping:

Code:
PING: sendmsg: Operation not permitted

and ssh shows no error.
 
#3 doublejoon, 09-12-2012, 10:36 AM
I would get rid of the "state" module in the OUTPUT filter:

Code:
iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
 
#4 smilemukul (original poster), 09-12-2012, 10:47 AM
OK, I modified the rules, so now I am able to ping the remote system, but I get the same error message with localhost.

I am also not able to ssh (local or remote).
 
#5 chrism01, 09-12-2012, 09:21 PM
The localhost 'interface' is 'lo'; use the ifconfig command:
Code:
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:197 errors:0 dropped:0 overruns:0 frame:0
          TX packets:197 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:62896 (61.4 KiB)  TX bytes:62896 (61.4 KiB)
Either add -i lo rules, or drop the '-i eth0' interface fields.
 
#6 smilemukul (original poster), 09-13-2012, 12:38 AM
Oh, thank you.
I am also having a problem downloading a file from an internal ftp server: it is unable to connect in PASV mode, with these rules:

Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport sports ftp-data,ftp state ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports ftp-data,ftp state NEW,ESTABLISHED

Code:
ftp -c ftp://ip address/pub/file/file-0.97.5-2.el6.rf.x86_64.rpm
Connecting to 169.144.106.202:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /pub/file ... done.
==> SIZE file-0.97.5-2.el6.rf.x86_64.rpm ... 35995984
==> PASV ... <<----- unable to connect thereafter
 
#7 zhjim, 09-13-2012, 01:57 AM
The problem with ftp should be solvable with the ip_conntrack_ftp kernel module. See if you have it loaded.

Just some general stuff for basic firewalling.
Allow traffic on the localhost interface. Always.
Code:
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
One could also add a rule that drops all packets coming from or going to 127.0.0.1 on other interfaces.

When it comes down to stateful firewalling, don't forget the RELATED state. I am never sure how the kernel sees the states, besides NEW, which is quite clear. Whether a connection is ESTABLISHED or RELATED depends heavily on the protocol used. TCP works with ESTABLISHED (most of the time). But what about UDP and ICMP? Is the echo reply a RELATED or an ESTABLISHED state?
So to find out, just put them in as explicit rules and watch the counters go up.

Code:
iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state RELATED -j ACCEPT
Code:
iptables -t filter -L -vn --line-numbers
 
#8 smilemukul (original poster), 09-13-2012, 03:16 AM
Thanks, but with this I am able to download the file from localhost but not from the remote host. I am not able to connect to the ftp server after PASV...
 
#9 chrism01, 09-13-2012, 05:13 AM
You may like to read this: http://slacksite.com/other/ftp.html
 
#10 smilemukul (original poster), 09-13-2012, 11:32 AM
Thanks, but I am still not able to connect to my ftp server.
 
#11 zhjim, 09-14-2012, 02:37 AM
So show us what you have right now.
(Please use code tags.)
 
#12 smilemukul (original poster), 09-17-2012, 12:46 AM
I mean I am able to ping and ftp to my server, but not from the client, after applying the iptables rules below.

iptables rules on the server:
Code:
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --sports 20,21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m multiport --dports 20,21 -m state --state ESTABLISHED -j ACCEPT

ftp connection status from the client:
Code:
[root@client ~]# wget ftp://<server ip>/pub/test
--2012-09-17 11:04:03-- ftp://192.168.1.3/pub/test
=> `test'
Connecting to 192.168.1.3:21... <<---- unable to connect thereafter

I also flushed the iptables on the client system.

Any solution will be appreciated.
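A complete ruleset that applies the advice in #7 (loopback first, RELATED for the FTP data connection, the FTP connection-tracking helper) to the server rules posted in #12, as an added example that is not part of the thread and not the poster's configuration. It assumes the service interface is eth0, the FTP daemon listens on port 21, and the box is CentOS 6 with a 2.6.32 kernel, where the helper module is named nf_conntrack_ftp and the iptables service reads /etc/sysconfig/iptables and /etc/sysconfig/iptables-config. The IN-DROP/OUT-DROP log prefixes are my own choice.

```shell
#!/bin/sh
# Added example, not code from the thread: a complete stateful ruleset for
# the server in #12 (SSH and FTP offered on eth0, default DROP) that applies
# the advice in #7. Assumptions: the service interface is eth0, the FTP
# daemon listens on port 21, and the box is CentOS 6 (kernel 2.6.32), where
# the FTP connection-tracking helper is the nf_conntrack_ftp module and the
# firewall service reads /etc/sysconfig/iptables and
# /etc/sysconfig/iptables-config. The IN-DROP/OUT-DROP log prefixes are
# my own choice.

# Print the ruleset in iptables-save format (loaded atomically by
# iptables-restore, so there is never a half-applied state).
build_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# 1. Loopback first: ping/ssh/ftp to 127.0.0.1 never touch eth0, so the
#    -i eth0 rules below can never match them.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# 2. One rule per chain for every reply packet. ESTABLISHED covers TCP
#    replies and ICMP echo-reply; RELATED covers ICMP errors and the FTP
#    data connection that nf_conntrack_ftp learns from the PORT/PASV
#    exchange, so no rule for port 20 or for the passive port range is
#    needed.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. Services offered on eth0: only the first packet (NEW) needs a rule.
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT
# 4. Traffic this host may originate. An outgoing ping or ssh is NEW in
#    OUTPUT; an ESTABLISHED-only OUTPUT rule cannot match it, which is what
#    produced "sendmsg: Operation not permitted" in #2.
-A OUTPUT -o eth0 -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 21 -m state --state NEW -j ACCEPT
# 5. Log what is about to hit the DROP policy (rate-limited) so a drop
#    shows up in dmesg instead of as a silent hang.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
COMMIT
EOF
}

# True if the FTP helper is loaded (check before blaming the rules).
ftp_helper_loaded() {
    grep -q '^nf_conntrack_ftp ' /proc/modules
}

# Load the helper, apply the ruleset and persist both. Requires root.
apply_ruleset() {
    ftp_helper_loaded || modprobe nf_conntrack_ftp || return 1
    build_ruleset | iptables-restore || return 1
    # CentOS 6: the iptables service loads IPTABLES_MODULES at boot.
    if [ -f /etc/sysconfig/iptables-config ]; then
        sed -i 's/^IPTABLES_MODULES=.*/IPTABLES_MODULES="nf_conntrack_ftp"/' \
            /etc/sysconfig/iptables-config
    fi
    iptables-save > /etc/sysconfig/iptables
}

# "sh ruleset.sh" prints the ruleset for review; "sh ruleset.sh apply"
# installs it.
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    build_ruleset
fi
```

The single ESTABLISHED,RELATED rule at the top of each chain replaces all the per-port ESTABLISHED rules and the multiport --sports 20,21 rules from #12: with the helper loaded, the client's passive data connection to a random high port on the server is RELATED on INPUT and its reply ESTABLISHED on OUTPUT, and an active-mode connection from port 20 is RELATED on OUTPUT. Two caveats: the helper reads the PASV/PORT exchange from the control channel in clear text, so it does not work for FTPS (the daemon's passive port range then has to be opened explicitly), and a daemon on a non-standard port needs the helper's ports= module parameter. If wget still hangs at "Connecting to 192.168.1.3:21..." with this loaded, the presence or absence of an IN-DROP line in dmesg tells you whether the client's SYN reached INPUT on eth0 at all.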
 
#13 zhjim, 09-17-2012, 01:53 AM
Try this

Code:
iptables -I OUTPUT 4 -p tcp --sport 20 -m state --state NEW -j ACCEPT
 
#14 smilemukul (original poster), 09-17-2012, 04:06 AM
Not connecting with the above rule either.
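The thread ends with the control connection still hanging, and a hang (rather than "connection refused") means a packet was dropped somewhere without a reply. The next diagnostic step, as an added example that is not from the thread: put a logging rule at the end of INPUT and OUTPUT, just before the DROP policy takes effect (for instance `iptables -A INPUT -j LOG --log-prefix "IN-DROP: "` and the same for OUTPUT with "OUT-DROP: "), then decode what the kernel writes to dmesg or /var/log/messages. The two log lines in the script are constructed samples, not output from the poster's systems, and the hints assume a ruleset like the one in #12, whose INPUT rules are all restricted to -i eth0.

```shell
#!/bin/sh
# Added example, not code from the thread: decode the kernel LOG lines that a
# logging rule placed just before the DROP policy, e.g.
#   iptables -A INPUT -j LOG --log-prefix "IN-DROP: "
#   iptables -A OUTPUT -j LOG --log-prefix "OUT-DROP: "
# writes to dmesg / /var/log/messages, so a silent hang such as
# "Connecting to 192.168.1.3:21..." can be traced to the packet that was
# dropped and the kind of rule that is missing. The hints assume the
# poster's ruleset, whose INPUT rules are all restricted to -i eth0.

# Constructed sample lines (not from the poster's systems): a client SYN to
# port 21 arriving on eth1, and a locally originated ping (ICMP type 8).
SAMPLE_IN_DROP='Sep 17 11:04:03 server kernel: IN-DROP: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=45678 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0'
SAMPLE_OUT_DROP='Sep 17 11:05:10 server kernel: OUT-DROP: IN= OUT=eth0 SRC=192.168.1.3 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2345 SEQ=1'

# log_field LINE KEY: value of the first KEY=value token in LINE ("" if absent)
log_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# has_flag LINE FLAG: true if a bare token such as SYN or ACK is present
has_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# summarize_drop LINE: one line with prefix, protocol, endpoints and interfaces
summarize_drop() {
    line=$1
    prefix=$(printf '%s\n' "$line" | sed -n 's/.*kernel: \([A-Z-]*\): .*/\1/p')
    proto=$(log_field "$line" PROTO)
    src=$(log_field "$line" SRC)
    dst=$(log_field "$line" DST)
    iif=$(log_field "$line" IN)
    oif=$(log_field "$line" OUT)
    case "$proto" in
        TCP|UDP)
            printf '%s %s %s:%s -> %s:%s in=%s out=%s\n' "$prefix" "$proto" \
                "$src" "$(log_field "$line" SPT)" \
                "$dst" "$(log_field "$line" DPT)" "$iif" "$oif" ;;
        ICMP)
            printf '%s ICMP type %s %s -> %s in=%s out=%s\n' "$prefix" \
                "$(log_field "$line" TYPE)" "$src" "$dst" "$iif" "$oif" ;;
        *)
            printf '%s %s %s -> %s in=%s out=%s\n' "$prefix" "$proto" \
                "$src" "$dst" "$iif" "$oif" ;;
    esac
}

# explain_drop LINE: which kind of rule the dropped packet needed
explain_drop() {
    line=$1
    proto=$(log_field "$line" PROTO)
    iif=$(log_field "$line" IN)
    oif=$(log_field "$line" OUT)
    if [ -n "$iif" ] && [ "$iif" != eth0 ] && [ "$iif" != lo ]; then
        echo "packet came in on $iif, but every INPUT rule is restricted to -i eth0"
    elif [ -n "$oif" ]; then
        # A bare SYN or an echo-request is the first packet of a connection, so
        # it is NEW in OUTPUT and an ESTABLISHED-only OUTPUT rule cannot match it.
        if { has_flag "$line" SYN && ! has_flag "$line" ACK; } \
                || [ "$(log_field "$line" TYPE)" = 8 ]; then
            echo "outgoing NEW $proto connection: OUTPUT needs a --state NEW rule for it"
        else
            echo "outgoing $proto reply dropped: OUTPUT lacks --state ESTABLISHED,RELATED"
        fi
    else
        echo "no INPUT rule accepts $proto to port $(log_field "$line" DPT) on $iif"
    fi
}

# Stand-alone run: decode the two constructed samples.
for l in "$SAMPLE_IN_DROP" "$SAMPLE_OUT_DROP"; do
    summarize_drop "$l"
    echo "  hint: $(explain_drop "$l")"
done
```

Read the result together with what the client sees: an IN-DROP line with DPT=21 on the server means the SYN arrived but no INPUT rule accepted it (the IN= interface is the first thing to compare against the -i eth0 rules); no line at all means the SYN never reached the server, so the client's own firewall or the path between them is the next thing to check.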
 
  

