Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm running a little intranet server (LAMP). Based on some examples that I found floating around on the net, I created the below firewall configuration to seal it. This does not mean that I fully understand how iptables works. Unfortunately the configuration works too well.
My web application needs to act as an SMTP client to an MS Exchange server (172.31.212.12 on port 25) so it can send emails.
As far as I understand the below config, port 25 is open for outgoing traffic. So I assume that my problem is in the incoming traffic (replies from the MS Exchange server).
Which rule(s) do I need to add so my application can receive the replies? The bold line below was the one that made sense to me, but it does not work.
# initial block
iptables -P INPUT DROP
iptables -P FORWARD DROP
# accept anything on localhost
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# allow HTTPS from any machine on 172.*.*.*
iptables -A INPUT -s 126.96.36.199/8 -p tcp --dport 443 -j ACCEPT
# allow SSH from trusted machines
iptables -A INPUT -s 172.31.212.19 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 172.31.212.53 -p tcp --dport 22 -j ACCEPT
# allow FTP from trusted machines
iptables -A INPUT -s 172.31.212.19 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 172.31.212.19 -p tcp --dport 20 -j ACCEPT
# passive ftp
iptables -A INPUT -s 172.31.212.19 -p tcp --sport 1024:65535 -j ACCEPT
# smtp replies from the Exchange server (the rule referred to above as the bold line)
iptables -A INPUT -s 172.31.212.12 -p tcp --dport 25 -j ACCEPT
I'm not very good with iptables, but your FTP rules appear to be backwards, by the way. The data channel (20) is a connection from the FTP server to the FTP client. It goes in the opposite direction as the command channel (21) and passive FTP data channel. Incidentally, you seem to have opened up traffic to any port with your passive FTP rule (if it's coming from 172.31.212.19). This is probably not what you meant to do. You should modify your FTP server configuration to restrict what port it uses for passive FTP (say, 8000-9000), then only open the firewall for those ports, not everything between 1024 & 65535 (that's effectively pretty much every ephemeral port).
If the other rules work (particularly the HTTPS rule) then you shouldn't need anything to allow return replies that are part of an existing TCP connection. I think your SMTP rule is backwards. My guess is -s = source and what you really want is -d = destination?
By the way, what machine is that firewall on? Is it on your webserver, or on a different machine? Could you do a brief diagram to show us what your network looks like?
The main problem was that the IP address and dport/sport were incorrect. An additional problem came in as DNS lookups were also blocked, so the hostname in the application could not be resolved.
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -s 10.17.131.12 -p tcp --sport 25 -j ACCEPT
The first one is not perfect yet, I must figure out the IP addresses.
Thanks, it helped once I figured out how to get to the log results.
Outstanding question with regards to logging:
I used dmesg to check the log results. Is there another way? I could not straight away find a relevant logfile although I tried to find files that were modified less than x minutes ago.
I will look into the ftp issue. Those rules were determined by trial and error and (unfortunately) one stops once it's working (and there might be obsolete stuff in there).
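The follow-up rules above accept packets because they come from source port 53 or 25, and the earlier passive-FTP rule accepts anything from port 1024:65535; any sender who picks that source port gets through. The script below is an added example, not the poster's rules or anything from the thread's replies: it rebuilds the ruleset in iptables-restore format around a single connection-tracking rule, so the SMTP, DNS and passive-FTP return traffic is accepted because this host opened the connection, narrows the passive range to the 8000:9000 the reply suggested, and adds a rate-limited LOG rule with a prefix so the logging question has a grep target. The addresses are the ones quoted in the thread; the intranet range 172.16.0.0/12, the prefix "FW-DROP: " and the lint helper are assumptions made for the example.

```shell
#!/bin/sh
# Added example: stateful rewrite of the thread's ruleset (not the poster's own).
ADMIN1=172.31.212.19        # trusted SSH/FTP client (from the thread)
ADMIN2=172.31.212.53        # trusted SSH client (from the thread)
LAN=172.16.0.0/12           # assumption: the intranet's RFC 1918 range
PASV_PORTS=8000:9000        # passive-FTP range suggested in the reply; must match
                            # the FTP server's config (vsftpd: pasv_min_port/pasv_max_port)

# Emit the ruleset in the format iptables-restore reads.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: match the interface, not 127.0.0.1, so a spoofed 127/8 packet
# arriving on a real NIC is not accepted
-A INPUT -i lo -j ACCEPT
# one rule replaces every "accept by source port" return-traffic rule: packets
# belonging to a connection this host started (SMTP to Exchange on 25, DNS,
# passive-FTP data) are accepted here; nothing is trusted on the basis of a
# source port the remote side can choose freely
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $LAN -p tcp --dport 443 -j ACCEPT
-A INPUT -s $ADMIN1 -p tcp --dport 22 -j ACCEPT
-A INPUT -s $ADMIN2 -p tcp --dport 22 -j ACCEPT
# FTP control channel; the passive data connection from the client lands in
# the configured range instead of every ephemeral port (with the
# nf_conntrack_ftp helper loaded it is matched as RELATED and this rule is
# only a fallback). Active-mode data (server port 20 -> client) is outbound
# and needs no INPUT rule at all.
-A INPUT -s $ADMIN1 -p tcp --dport 21 -j ACCEPT
-A INPUT -s $ADMIN1 -p tcp --dport $PASV_PORTS -j ACCEPT
# log what is about to hit the DROP policy, rate-limited so a scan cannot
# flood the kernel log
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: " --log-level 4
COMMIT
EOF
}

# Lint helper (assumption, not an iptables feature): read a ruleset on stdin
# and print ACCEPT rules that key on a source port rather than on
# connection state, i.e. the pattern the thread's fixes used.
find_sport_accepts() {
    grep -E -- '--sport [0-9:]+ .*-j ACCEPT' | grep -v -- '--ctstate' || true
}

case "${1:-}" in
    --apply) gen_rules | iptables-restore ;;      # atomic replace of the filter table
    --check) gen_rules | iptables-restore -t ;;   # parse only, change nothing
    *)       gen_rules ;;                         # print the ruleset for review
esac
```

Run it with `--check` before `--apply`. Because the LOG target writes through the kernel log, `dmesg | grep FW-DROP` or, on systemd systems, `journalctl -k | grep FW-DROP` finds the entries; whether they also appear in /var/log/messages or /var/log/kern.log depends on how the syslog daemon routes the kern facility.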