LinuxQuestions.org > Linux - Security
Old 11-09-2006, 05:09 AM   #1
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

[iptables] Box closed very well


I'm running a little intranet server (LAMP). Based on some examples that I found floating around on the net, I created the below firewall configuration to seal it. This does not mean that I fully understand how iptables works. Unfortunately the configuration works too well.

My web application needs to act as an smtp-client to a MS exchange server (172.31.212.12 on port 25) so it can send emails.

As far as I understand the below config, port 25 is open for outgoing traffic. So I assume that my problem is in the incoming traffic (replies from the MS exchange server).

Which rule(s) do I need to add so my application can receive the replies; the last line below (bold in the original post) was the one that made sense to me, but does not work.


Code:
# initial block
iptables -P INPUT DROP
iptables -P FORWARD DROP

# accept anything on localhost
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# allow HTTPS from any machine on 172.*.*.*
iptables -A INPUT -s 172.0.0.0/8 -p tcp --dport 443 -j ACCEPT

# allow SSH from trusted machines
iptables -A INPUT -s 172.31.212.19 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 172.31.212.53 -p tcp --dport 22 -j ACCEPT

# allow FTP from trusted machines
iptables -A INPUT -s 172.31.212.19 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 172.31.212.19 -p tcp --dport 20 -j ACCEPT
# passive ftp
iptables -A INPUT -s 172.31.212.19 -p tcp --sport 1024:65535 -j ACCEPT

iptables -A INPUT -s 172.31.212.12 -p tcp --dport 25 -j ACCEPT
 
Old 11-09-2006, 05:46 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,549
Blog Entries: 51

If you add "-j LOG" rules before chain decisions are made you get a better view of what fails and why.
Easiest way to start TS with Iptables.
 
Old 11-09-2006, 10:27 AM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

I'm not very good with iptables, but your FTP rules appear to be backwards, by the way. The data channel (20) is a connection from the FTP server to the FTP client. It goes in the opposite direction from the command channel (21) and the passive FTP data channel. Incidentally, you seem to have opened up traffic to any port with your passive FTP rule (if it's coming from 172.31.212.19). This is probably not what you meant to do. You should modify your FTP server configuration to restrict what ports it uses for passive FTP (say, 8000-9000), then only open the firewall for those ports, not everything between 1024 & 65535 (that's effectively pretty much every ephemeral port).

If the other rules work (particularly the HTTPS rule) then you shouldn't need anything to allow return replies that are part of an existing TCP connection. I think your SMTP rule is backwards. My guess is -s = source and what you really want is -d = destination?

By the way, what machine is that firewall on? Is it on your webserver, or on a different machine? Could you do a brief diagram to show us what your network looks like?
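The stateful approach described in this reply (accept packets belonging to an existing connection once, rather than a `--sport` rule per service, and restrict the passive FTP range on the server) written out as a complete rule set. This is an added example, not the poster's script and not code from any reply in the thread. It reuses the thread's addresses (172.31.212.12 as the mail server, 172.31.212.19 and 172.31.212.53 as trusted clients) and assumes the passive range 8000:9000 suggested above, which has to match the FTP server's own configuration:

```shell
#!/bin/sh
# Stateful INPUT chain for the LAMP box discussed in the thread. Added example;
# not the original script. Addresses are the thread's, the passive FTP range
# 8000:9000 is an assumption that must match the FTP server's configuration.
# Run "sh rules.sh show" to print the rules, "sh rules.sh apply" (as root) to load them.

IPT="${IPT:-iptables}"          # set IPT="echo iptables" to print instead of apply
TRUSTED_SSH="172.31.212.19 172.31.212.53"
FTP_CLIENT=172.31.212.19
PASV_RANGE=8000:9000

# The FTP connection-tracking helper classifies the data channel (active or
# passive) as RELATED to the control connection on port 21. The module name
# differs between older (ip_conntrack_ftp) and newer (nf_conntrack_ftp) kernels.
load_ftp_helper() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

build_input_chain() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    # OUTPUT keeps its default ACCEPT policy, as in the original script.

    # loopback: match the interface rather than the 127.0.0.1 address pair
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened (the SMTP session to the mail
    # server, DNS lookups) and RELATED connections (FTP data) are accepted here,
    # so no per-service "--sport 25" or "--sport 53" rules are needed.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # New inbound connections: only the services this box actually offers.
    $IPT -A INPUT -s 172.0.0.0/8 -p tcp --dport 443 -m state --state NEW -j ACCEPT
    for host in $TRUSTED_SSH; do
        $IPT -A INPUT -s "$host" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    done
    # FTP control channel plus the restricted passive data range, instead of
    # "--sport 1024:65535", which accepted any destination port from that host.
    $IPT -A INPUT -s "$FTP_CLIENT" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -s "$FTP_CLIENT" -p tcp --dport "$PASV_RANGE" -m state --state NEW -j ACCEPT

    # Log (rate limited) whatever is about to fall through to the DROP policy.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
}

# Number of rules that admit new inbound connections; a quick sanity check
# that the chain is as small as intended.
count_new_rules() {
    build_input_chain | grep -c -- '--state NEW'
}

case "${1:-}" in
    apply) load_ftp_helper; build_input_chain ;;
    show)  IPT="echo iptables"; build_input_chain ;;
esac
```

Because the ESTABLISHED,RELATED rule sits near the top of the chain, the order of the remaining rules only matters for new connections, and the LOG rule at the end records exactly what the DROP policy is about to discard.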
 
Old 11-10-2006, 03:37 AM   #4
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Original Poster
Main problem was that the IP address and dport/sport were incorrect. An additional problem came in as dns lookups were also blocked so the hostname in the application could not be resolved.

new rule(s):
Code:
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -s 10.17.131.12 -p tcp --sport 25 -j ACCEPT

The first one is not perfect yet, I must figure out the IP addresses.

@unSpawn
Thanks, it helped once I figured out how to get to the log results.

Outstanding question with regards to logging:
I used dmesg to check the log results. Is there another way? I could not straight away find a relevant logfile although I tried to find files that were modified less than x minutes ago.

@chort
I will look into the ftp issue. Those rules were determined by trial and error and (unfortunately) one stops once it's working (and there might be obsolete stuff in there).
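On the logging question in this post: packets matched by a `-j LOG` rule go to the kernel ring buffer (what `dmesg` shows) and the syslog daemon normally also writes them to a file such as /var/log/messages or /var/log/kern.log, depending on its configuration; giving the rule a `--log-prefix` makes those lines easy to grep. The script below, an added example rather than anything from the thread, summarises such lines so the dropped replies from the mail server and the DNS server stand out. The prefix `IPT-INPUT-DROP:` and all addresses in the sample lines are constructed:

```shell
#!/bin/sh
# Summarise what an iptables "-j LOG" rule recorded. Added example, not from the
# thread. Assumes the LOG rule used --log-prefix "IPT-INPUT-DROP: " (constructed).
# Usage: sh logsum.sh            (runs on the constructed sample below)
#        sh logsum.sh dmesg      (kernel ring buffer)
#        sh logsum.sh /var/log/messages

# Constructed sample kernel log lines, not real traffic: three dropped SYN-ACKs
# from the mail server, two dropped DNS replies, one SSH attempt from an
# untrusted host.
SAMPLE_LOG='Nov 10 03:12:44 lamp kernel: IPT-INPUT-DROP: IN=eth0 OUT= SRC=10.17.131.12 DST=172.31.212.40 LEN=48 TTL=128 ID=4001 DF PROTO=TCP SPT=25 DPT=34567 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Nov 10 03:12:47 lamp kernel: IPT-INPUT-DROP: IN=eth0 OUT= SRC=10.17.131.12 DST=172.31.212.40 LEN=48 TTL=128 ID=4002 DF PROTO=TCP SPT=25 DPT=34567 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Nov 10 03:12:53 lamp kernel: IPT-INPUT-DROP: IN=eth0 OUT= SRC=10.17.131.12 DST=172.31.212.40 LEN=48 TTL=128 ID=4003 DF PROTO=TCP SPT=25 DPT=34567 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Nov 10 03:13:01 lamp kernel: IPT-INPUT-DROP: IN=eth0 OUT= SRC=172.31.212.1 DST=172.31.212.40 LEN=98 TTL=64 ID=7 PROTO=UDP SPT=53 DPT=32800 LEN=78
Nov 10 03:13:06 lamp kernel: IPT-INPUT-DROP: IN=eth0 OUT= SRC=172.31.212.1 DST=172.31.212.40 LEN=98 TTL=64 ID=8 PROTO=UDP SPT=53 DPT=32800 LEN=78
Nov 10 03:14:12 lamp kernel: IPT-INPUT-DROP: IN=eth0 OUT= SRC=172.31.212.77 DST=172.31.212.40 LEN=60 TTL=64 ID=9912 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Group logged packets by source address, protocol, source port and destination
# port. Reads log lines on stdin; prints "count SRC PROTO SPT DPT", busiest first.
summarize_drops() {
    awk '
    /IPT-INPUT-DROP:/ {
        src = proto = spt = dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "SPT")   spt   = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        count[src " " proto " " spt " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Entries whose source port is a service port (here SMTP and DNS) are replies to
# connections this host opened; seeing them in the drop log is exactly the
# symptom described in this thread and points at a missing return-path rule.
dropped_replies() {
    summarize_drops | awk '$4 == 25 || $4 == 53'
}

case "${1:-sample}" in
    sample) printf '%s\n' "$SAMPLE_LOG" | summarize_drops ;;
    dmesg)  dmesg | summarize_drops ;;
    *)      summarize_drops < "$1" ;;
esac
```

Because the summary keys on the remote side's port rather than the local ephemeral port, a handful of retransmitted SYN-ACKs collapse into one line, which is what makes the pattern readable when the log is busy.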
 
Old 04-23-2008, 01:31 AM   #5
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Original Poster
I've finally found time to work on the FTP part. Here's just an update; if someone still sees a mistake, feedback is appreciated.

This box is currently in WimS' local network, but the rules are prepared for the office network as well.

Code:
#!/bin/sh

# initial block
################################################################
iptables -P INPUT DROP
iptables -P FORWARD DROP

# accept anything on localhost
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# allow HTTP and HTTPS
# we allow any http(s) request as client addresses occasionally change
#  and users can get in
################################################################
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80  -j ACCEPT

# allow SSH from trusted machines; each machine needs to be specified
################################################################
# office network
iptables -A INPUT -s 172.31.212.19 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 172.31.212.53 -p tcp --dport 22 -j ACCEPT

# WimS' local network
iptables -A INPUT -s 172.18.32.0/8 -p tcp --dport 22 -j ACCEPT

# allow FTP from trusted machines
################################################################
# office network
iptables -A INPUT -s 172.31.212.19 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 172.31.212.19 -p tcp --dport 65000:65535 -j ACCEPT

# WimS' local network
iptables -A INPUT -s 172.18.32.3 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 172.18.32.3 -p tcp --dport 65000:65535 -j ACCEPT

# miscellaneous
################################################################
# need to resolve hostname
iptables -A INPUT -p udp --sport 53 -j ACCEPT
# need to receive stuff from rnbm-msg09
iptables -A INPUT -s 10.17.131.12 -p tcp --sport 25 -j ACCEPT

# log anything else
################################################################
iptables -A INPUT -j LOG

Last edited by Wim Sturkenboom; 04-23-2008 at 01:42 AM.