LinuxQuestions.org - 2 IPs - need to block different ports on each

- Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)

- - 2 IPs - need to block different ports on each (https://www.linuxquestions.org/questions/linux-security-4/2-ips-need-to-block-different-ports-on-each-645216/)

2 IPs - need to block different ports on each

Hello all.

Here is my setup.

eth0 - 192.168.0.50
eth0:1 - 192.168.0.60

I would like to let my specified trafic to eth0.
( listed below )

But only allow eth0:1 to use ftp-data:ftp

iptables -L

Code:

Chain INPUT (policy DROP)

target    prot opt source              destination

DROP      tcp  --  anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW

DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN/FIN,SYN

DROP      tcp  --  anywhere            anywhere            tcp flags:SYN,RST/SYN,RST

DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG

DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN

DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE

DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG

ACCEPT    all  --  localhost            localhost

ACCEPT    all  --  anywhere            anywhere

ACCEPT    all  --  default              anywhere

ACCEPT    all  --  anywhere            anywhere            state ESTABLISHED

ACCEPT    icmp --  anywhere            anywhere            icmp echo-request state NEW,RELATED,ESTABLISHED

ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ssh

ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:sftp

ACCEPT    tcp  --  cpe-76-174-0-0.socal.res.rr.com/76.174.0.0  anywhere            tcp dpt:www

ACCEPT    tcp  --  192-168-0-74.mydomain.com  anywhere            tcp dpt:mysql

DROP      all  --  192.168.0.60          anywhere

ACCEPT    tcp  --  192.168.0.60          anywhere            tcp dpts:ftp-data:ftp







Chain FORWARD (policy ACCEPT)

target    prot opt source              destination



Chain OUTPUT (policy ACCEPT)

target    prot opt source              destination

Is this close to correct?

I can still ping eth0:1 (192.168.0.60)

Does the order they are listed in matter?

Also my sftp not working.

Any help is appreciated.

Jon

[solved] as far as I know...

Ok, I needed to be more specific in writing the rules.
I had not used -d for the destination IP.

iptables -A INPUT -p all -s 0.0.0.0 -d 192.168.0.50 -j ACCEPT

Here is the result.

iptables -L

Code:

Chain INPUT (policy DROP)

target    prot opt source              destination

DROP      tcp  --  anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW

DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN/FIN,SYN

DROP      tcp  --  anywhere            anywhere            tcp flags:SYN,RST/SYN,RST

DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG

DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN

DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE

DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG

ACCEPT    all  --  anywhere            anywhere            state ESTABLISHED

ACCEPT    all  --  anywhere            anywhere

ACCEPT    all  --  localhost            localhost

ACCEPT    all  --  192.168.1.0/24      192.168.1.3

ACCEPT    all  --  default              192.168.0.50

ACCEPT    icmp --  default              192.168.0.50 icmp echo-request state NEW,RELATED,ESTABLISHED

ACCEPT    tcp  --  default              192.168.0.50 tcp dpt:ssh

ACCEPT    tcp  --  default              192.168.0.50 tcp dpt:sftp

ACCEPT    tcp  --  default                192.168.0.50 tcp dpt:www

ACCEPT    tcp  --  mysql.mydomain.com  192.168.0.50 tcp dpt:mysql

ACCEPT    tcp  --  default              192.168.0.60 tcp dpts:ftp-data:ftp



Chain FORWARD (policy ACCEPT)

target    prot opt source              destination



Chain OUTPUT (policy ACCEPT)

target    prot opt source              destination

Everything seems to be working well now and 192.168.0.60 only use the ftp ports.

I may need to add
-m state --state NEW,ESTABLISHED,RELATED
to the rest of my rules.

Thank you for taking the time to view the post.

Jon

Glad to see you got it working. BTW, another approach could be to stick the alias IP rule(s) at the top, and remove the destination IP from the real IP rules. That way you wouldn't need to worry about changing the rules if the real IP ever changes. Also, in cases such as this I would usually create a dedicated chain for the alias IP, with a DROP or REJECT rule at the end. Just a thought.

Hi Win32Sux and thanks for the reply.

I tried the approach from this post.
http://www.linuxquestions.org/questi...5/#post3162072

Now were you talking about creating another chain for the ftp IP only?
Not sure if I am following you or not...

iptables -L -n

Code:

Chain INPUT (policy DROP)

target    prot opt source              destination

ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0

ACCEPT    all  --  127.0.0.1            127.0.0.1

ACCEPT    all  --  192.168.1.0/24      192.168.1.3        state NEW,RELATED,ESTABLISHED

tcp_packets  tcp  --  0.0.0.0/0            0.0.0.0/0

udp_packets  udp  --  0.0.0.0/0            0.0.0.0/0

icmp_packets  icmp --  0.0.0.0/0            0.0.0.0/0



Chain FORWARD (policy DROP)

target    prot opt source              destination

ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED



Chain OUTPUT (policy ACCEPT)

target    prot opt source              destination

ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0

ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state NEW,RELATED,ESTABLISHED



Chain icmp_packets (1 references)

target    prot opt source              destination

ACCEPT    icmp --  0.0.0.0/0            0.0.0.0/0          state ESTABLISHED

ACCEPT    icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8



Chain tcp_packets (1 references)

target    prot opt source              destination

ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state ESTABLISHED

ACCEPT    tcp  --  0.0.0.0/0            192.168.0.50      tcp dpt:22 state NEW,RELATED,ESTABLISHED

ACCEPT    tcp  --  0.0.0.0/0            192.168.0.50      tcp dpt:115 state NEW,RELATED,ESTABLISHED

ACCEPT    tcp  --  0.0.0.0/0            192.168.0.50      tcp dpt:80 state NEW,RELATED,ESTABLISHED

ACCEPT    tcp  --  0.0.0.0/0            192.168.0.60      tcp dpts:21:22 state NEW,RELATED,ESTABLISHED

DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:!0x17/0x02 state NEW

DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x03/0x03

DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x06

DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x29

DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x01

DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00

DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F



Chain udp_packets (1 references)

target    prot opt source              destination

ACCEPT    udp  --  0.0.0.0/0            0.0.0.0/0          state ESTABLISHED

ACCEPT    udp  --  0.0.0.0/0            192.168.0.50      udp dpts:50000:50004

ACCEPT    udp  --  0.0.0.0/0            192.168.0.50      udp dpt:554

ACCEPT    udp  --  0.0.0.0/0            192.168.0.50      udp dpt:8554

I read in your post you thought this method was more complicated, maybe than it needs to be. But I figure if there is any benefit I will try it.

Jon

Quote:

Originally Posted by jchambers (Post 3170004)

Now were you talking about creating another chain for the ftp IP only?
Not sure if I am following you or not...

Yeah, I was talking about creating a chain specifically for packets heading into 192.168.0.60, as that IP was meant to get special treatment. Keep in mind that, when I said that, you had only the INPUT chain, unlike what you have now which is chains for each protocol.

If I was you, I'd probably just stick with two user-built chains - a bad packet one and the alias IP one. But that's just me. That said, even with all the protocol-specific chains you now have, I do see a lot of redundant and unnecessary rules. For example, there's no reason why you would need more than one rule for packets in ESTABLISHED or RELATED states. Also, the RELATED match doesn't directly apply to any of your rules (aside from the FTP one) - so I'm not sure why you are specifying it per-rule.

Quote:

I read in your post you thought this method was more complicated, maybe than it needs to be. But I figure if there is any benefit I will try it.

There are benefits sometimes. Some are technical, others are subjective. For example, if you have a crapload of UDP packets coming into your box (like, say you run a popular video game or DNS server or something), there's no reason why they should have to traverse a bunch of rules which are written to check for bad TCP packets. So having a rule that lets UDP packets bypass all of those TCP packet checks can be a good idea. It's just an example, of course.

As for the subjective benefits, some people find scripts easier to manage with a bunch of chains. Others find them easier to manage without any user-built chains, or with a minimal amount of them. There are differences in the types and purposes of chains people prefer, too. For example, I tend to lean more toward chains made per IP, privilege level, etc. and not so much for traffic type. But like everything, it depends.