If you changed the -J to -j at line 19 then it can only be your "x.y.0.0/16"-like ranges, at least that's what running '/sbin/iptables-restore --verbose --test < /tmp/iptablesNEW.txt' should show.
unSpawn, I've edited my last post, probably while you posted the last one.
This is what I get
# /sbin/iptables-restore --verbose --test < /tmp/iptablesNEW2.txt
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
#
# UNrestricted access: TCP FTP,FTP,SSH,MTA,DNS,HTTP,HTTPS,DNS,IMAPS,POP3S
#
# UNrestricted access: UDP FTP(?),FTP(?),DNS
#
# Restricted access: NTP,MySQL,AppMan(?),WebMin,UserMin
# Restricted access: UDP NTP
#
# Chain holding allowed IP ranges
#
# ICMP
#
# Log and REJECT the rest:
#
# Log and REJECT some outbound problems: telnet,IRC,IRC,IRCS,IRC,IRC,IRC,IRC,proxy,proxy,proxy
But it was in --test mode.
I still get the error at the last line "COMMIT"
# echo "/etc/rc.d/init.d/iptables stop" | /usr/bin/at now +5 minutes
# /sbin/iptables-restore --verbose < /tmp/iptablesNEW2.txt
iptables-restore: line 45 failed
Hello unSpawn, I added *filter and it went well. I'll also add comments.
How can I check these rules in the 5 minutes I have?
# echo "/etc/rc.d/init.d/iptables stop" | /usr/bin/at now +5 minutes
# /sbin/iptables-restore < /tmp/iptablesNEW3.txt
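The failure reported above ("iptables-restore: line 45 failed" at COMMIT) went away once the `*filter` table header was added. A structural check of the file before it is fed to iptables-restore catches that class of mistake without root and without touching the live rule set. The following is an added example, not code from this thread or from the iptables project: a small Python checker that verifies a `*table` header opens the file, every chain a rule appends to or jumps into is built in or declared with a `:NAME POLICY [p:b]` line, and the table is closed by COMMIT. The sample rule set, the function name `lint_restore_file` and the constants are my own, modelled on the rules posted in this thread; the list of known targets is deliberately short and can be extended.

```python
import re

# Common targets that are not chain names (extend for the targets you use).
KNOWN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "QUEUE", "NFQUEUE",
                 "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "MARK"}
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
}


def lint_restore_file(text):
    """Return a list of (line_number, message) for an iptables-restore file.
    Line numbers are 1-based, like the tool's own 'line N failed' message."""
    problems = []
    table, chains, committed, lineno = None, set(), True, 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                     # '*filter', '*nat', ...
            if not committed:
                problems.append((lineno, f"table '{table}' was not closed with COMMIT"))
            table = line[1:]
            chains = set(BUILTIN_CHAINS.get(table, ()))
            committed = False
            continue
        if table is None:                            # the thread's mistake
            problems.append((lineno, "line appears before any '*table' header such as '*filter'"))
            continue
        if line == "COMMIT":
            committed = True
            continue
        if line.startswith(":"):                     # ':NAME POLICY [pkts:bytes]'
            m = re.match(r":(\S+)\s+(\S+)\s+\[\d+:\d+\]$", line)
            if not m:
                problems.append((lineno, "malformed chain declaration"))
                continue
            name, policy = m.groups()
            builtin = name in BUILTIN_CHAINS.get(table, ())
            if builtin and policy not in ("ACCEPT", "DROP"):
                problems.append((lineno, f"built-in chain {name} needs policy ACCEPT or DROP"))
            elif not builtin and policy != "-":
                problems.append((lineno, f"user chain {name} must be declared with policy '-'"))
            chains.add(name)
            continue
        m = re.search(r"(?:^|\s)-[AI]\s+(\S+)", line)   # chain the rule is added to
        if m and m.group(1) not in chains:
            problems.append((lineno, f"rule for undeclared chain {m.group(1)}"))
        m = re.search(r"(?:^|\s)-j\s+(\S+)", line)      # jump target
        if m and m.group(1) not in KNOWN_TARGETS and m.group(1) not in chains:
            problems.append((lineno, f"jump to unknown target {m.group(1)}"))
    if not committed:
        problems.append((lineno, f"table '{table}' was not closed with COMMIT"))
    return problems


# Constructed sample, cut down from the rule set posted in the thread.
RULES_OK = """\
*filter
:RESTRICT - [0:0]
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state -m tcp -m multiport --state NEW -j RESTRICT --dports 123,3306,10000
-A RESTRICT -s 186.8.0.0/16 -j ACCEPT
COMMIT
"""
RULES_NO_TABLE = RULES_OK.split("\n", 1)[1]               # '*filter' header missing
RULES_NO_CHAIN = RULES_OK.replace(":RESTRICT - [0:0]\n", "")  # RESTRICT never declared
RULES_NO_COMMIT = RULES_OK.replace("COMMIT\n", "")

if __name__ == "__main__":
    for label, text in [("ok", RULES_OK), ("no table", RULES_NO_TABLE),
                        ("no chain", RULES_NO_CHAIN), ("no commit", RULES_NO_COMMIT)]:
        print(label, "->", lint_restore_file(text) or "no problems")
```

The checker reports a missing `*filter` at the first line rather than at COMMIT, where iptables-restore itself gave up in this thread; the real tool's `--test` mode remains the authoritative check, this just gives a readable reason first.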
How can I check these rules in the 5 minutes I have?
Code:
# Log in, activate firewall, watch logs:
tail -f /var/log/{messages,secure} /var/log/httpd/*_log
#...and from another machine:
# use a browser and access a web page:
curl http://some.do.main/page
# lookup a domain using your name server:
dig other.do.main @some.do.main
# try to access via FTP:
lftp ftp://username@some.do.main
# maybe run a port scan:
nmap -P0 -sV some.do.main
I'm not sure how to handle the chain RESTRICT you've created.
If I'm not misunderstanding, RESTRICT --dports 123,3306,3312,10000,20000 drops those ports (NTP, MySQL, Webmin, Usermin) for ALL, and -A RESTRICT -s 186.8.0.0/16 -j ACCEPT is accepted to access those ports. Is that so?
-A INPUT -p tcp -m state -m tcp -m multiport --state NEW -j ACCEPT --dports 20,21,22,25,53,80,443,953,993,995
Do those ports allow access to anyone?
I am making some tests: here I have two different internet connections so I can check drop behavior using one of them.
I tried to block xxx.xxx.xxx.xxx access to all ports.
I did that from Webmin CP and "Apply Changes".
The first part of iptables is:
Code:
*filter
:RESTRICT - [0:0]
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
#
-A INPUT -s xxx.xxx.xxx.xxx -j DROP
#
# Limit HTTP,HTTPS,DNS,IMAPS,POP3S requests:
-A INPUT -p tcp -m state -m tcp -m multiport --state NEW -j ACCEPT --dports 20,21,22,25,53,80,443,953,993,995
# UNrestricted access: UDP FTP(?),FTP(?),DNS
-A INPUT -p udp -m state -m udp -m multiport --state NEW -j ACCEPT --dports 20,21,53
# Restricted access: NTP,MySQL,AppMan(?),WebMin,UserMin
-A INPUT -p tcp -m state -m tcp -m multiport --state NEW -j RESTRICT --dports 123,3306,3312,10000,20000
# Restricted access: UDP NTP
-A INPUT -p udp -m state -m udp --dport 123 --state NEW -j RESTRICT
-A RESTRICT -s 186.8.0.0/16 -j ACCEPT
-A RESTRICT -s 186.48.0.0/16 -j ACCEPT
-A RESTRICT -s xxx.xxx.0.0/16 -j ACCEPT
From xxx.xxx.xxx.xxx I am able to http, https, ftp, webmin and ssh.
After iptables -L I guess that 'I did that from Webmin CP and "Apply Changes".' was not enough to apply the changes. I ran service iptables restart and iptables -L gave the correct status. I'll check some rules again. Anyway, I keep the other questions from my previous post.
Thank you
PS: well, there's something I don't understand with the iptables service. I restarted it but the rules are replaced by the old ones. atq displays nothing.
After restart, iptables -L shows:
...
Chain RESTRICT (2 references)
target prot opt source destination
ACCEPT all -- 186.8.0.0/16 anywhere
ACCEPT all -- r186-48-0-0.dialup.adsl.anteldata.net.uy/16 anywhere
ACCEPT all -- r186-52-0-0.dialup.adsl.anteldata.net.uy/16 anywhere
ACCEPT all -- 190.0.0.0/8 anywhere
ACCEPT all -- 200.0.0.0/8 anywhere
ACCEPT all -- 201.217.0.0/16 anywhere
ACCEPT all -- 201.219.224.0/24 anywhere
ACCEPT all -- 0.0.221.201.static.dedicado.com.uy/16 anywhere
After a while:
Chain INPUT (policy ACCEPT)
target prot opt source destination
I'm not sure how to handle the chain RESTRICT you've created.
If I'm not misunderstanding, RESTRICT --dports 123,3306,3312,10000,20000 drops those ports (NTP, MySQL, Webmin, Usermin) for ALL, and -A RESTRICT -s 186.8.0.0/16 -j ACCEPT is accepted to access those ports. Is that so?
No. The rule
Code:
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 123,3306,3312,10000,20000 -j RESTRICT
redirects all IPv4 addresses trying to access TCP ports 123, 3306, 3312, 10000 and 20000 to the chain named "RESTRICT". Because the filter table INPUT chain has a policy of DROP, only those IP addresses or ranges listed in the RESTRICT chain are allowed to create a new connection.
Quote:
Originally Posted by marciano
-A INPUT -p tcp -m state -m tcp -m multiport --state NEW -j ACCEPT --dports 20,21,22,25,53,80,443,953,993,995
Do those ports allow access to anyone?
Yes.
Quote:
Originally Posted by marciano
I am making some tests: here I have two different internet connections so I can check drop behavior using one of them.
I tried to block xxx.xxx.xxx.xxx access to all ports.
I did that from Webmin CP and "Apply Changes".
The first part of iptables is:
Code:
*filter
:RESTRICT - [0:0]
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
#
-A INPUT -s xxx.xxx.xxx.xxx -j DROP
#
# Limit HTTP,HTTPS,DNS,IMAPS,POP3S requests:
-A INPUT -p tcp -m state -m tcp -m multiport --state NEW -j ACCEPT --dports 20,21,22,25,53,80,443,953,993,995
# UNrestricted access: UDP FTP(?),FTP(?),DNS
-A INPUT -p udp -m state -m udp -m multiport --state NEW -j ACCEPT --dports 20,21,53
# Restricted access: NTP,MySQL,AppMan(?),WebMin,UserMin
-A INPUT -p tcp -m state -m tcp -m multiport --state NEW -j RESTRICT --dports 123,3306,3312,10000,20000
# Restricted access: UDP NTP
-A INPUT -p udp -m state -m udp --dport 123 --state NEW -j RESTRICT
-A RESTRICT -s 186.8.0.0/16 -j ACCEPT
-A RESTRICT -s 186.48.0.0/16 -j ACCEPT
-A RESTRICT -s xxx.xxx.0.0/16 -j ACCEPT
From xxx.xxx.xxx.xxx I am able to http, https, ftp, webmin and ssh
What am I missing?
Basically what you have to understand is that the "Linux Firewall" consists of a kernel part (called "Netfilter") and a user land part. The latter is used for rule management: loading, deletion, modifying, etc. The pivotal and only tool that manages these rules is called 'iptables'. Any other tool like the CLI system-config-firewall tool in RHEL or CentOS, UFW in Ubuntu, the firewall module of Webmin, R-Fx APF or whatever other tool enshrouded in fscked up marketoid language, are what we call front-ends: they essentially only provide an "easy" interface to, and underneath only use, iptables.
The rules you loaded on the command line with the
Code:
/sbin/iptables-restore < /tmp/iptablesNEW.txt
command are activated right there and then. Any front-end that doesn't first check the activated rule set but only navel-stares at its own rule set will be ignorant of any changes and will ignore, overwrite and destroy your current rule set. If you are happy with the rules in /tmp/iptablesNEW.txt then in CentOS you would save them as the default with
Code:
# Create a backup first
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.prev
# Now replace the current rule set
iptables-save > /etc/sysconfig/iptables
then when you
Code:
/sbin/service iptables restart
you'll find your rule set is just as you wanted it.
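The RESTRICT question in this reply (a jump into a user chain, with the INPUT policy of DROP deciding whatever the chain does not ACCEPT) is easiest to see by walking packets through the rule set. The following is an added Python simulation, not code from this thread or from the iptables project: it parses iptables-save text for the handful of matches the posted rules use, then evaluates chain traversal the way Netfilter does (first terminal match wins, a user chain without a verdict returns to the caller, the built-in policy applies last). The rule set is constructed from the one posted above, with the masked xxx.xxx.xxx.xxx host and xxx.xxx.0.0/16 range replaced by RFC 5737 documentation addresses; the function names are my own.

```python
import ipaddress

# Constructed rule set modelled on the thread's; the masked host and /16 are
# stand-ins (203.0.113.5 and 198.51.100.0/24, RFC 5737 documentation space).
RULES = """\
*filter
:RESTRICT - [0:0]
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s 203.0.113.5 -j DROP
-A INPUT -p tcp -m state -m tcp -m multiport --state NEW -j ACCEPT --dports 20,21,22,25,53,80,443,953,993,995
-A INPUT -p udp -m state -m udp -m multiport --state NEW -j ACCEPT --dports 20,21,53
-A INPUT -p tcp -m state -m tcp -m multiport --state NEW -j RESTRICT --dports 123,3306,3312,10000,20000
-A INPUT -p udp -m state -m udp --dport 123 --state NEW -j RESTRICT
-A RESTRICT -s 186.8.0.0/16 -j ACCEPT
-A RESTRICT -s 186.48.0.0/16 -j ACCEPT
-A RESTRICT -s 198.51.100.0/24 -j ACCEPT
COMMIT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rules(text):
    """(policies, chains): built-in chains map to 'ACCEPT'/'DROP', user chains
    to None; only -i, -s, -p, --dport(s) and --state are read as conditions."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains.setdefault(name, [])
            continue
        tokens = line.split()
        rule = {"chain": None, "iface": None, "src": None, "proto": None,
                "dports": set(), "states": set(), "target": None}
        i = 0
        while i < len(tokens):
            opt = tokens[i]
            arg = tokens[i + 1] if i + 1 < len(tokens) else None
            if opt == "-A":
                rule["chain"] = arg
            elif opt == "-i":
                rule["iface"] = arg
            elif opt == "-s":
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif opt == "-p":
                rule["proto"] = arg
            elif opt in ("--dport", "--dports"):
                rule["dports"] = {int(p) for p in arg.split(",")}
            elif opt == "--state":
                rule["states"] = set(arg.split(","))
            elif opt == "-j":
                rule["target"] = arg
            else:  # "-m state", "-m tcp", ... add no condition of their own
                i += 1
                continue
            i += 2
        chains.setdefault(rule["chain"], []).append(rule)
    return policies, chains

def matches(rule, pkt):
    """True when every condition the rule carries holds for the packet."""
    return ((not rule["iface"] or pkt["iface"] == rule["iface"])
            and (not rule["src"] or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and (not rule["proto"] or pkt["proto"] == rule["proto"])
            and (not rule["dports"] or pkt["dport"] in rule["dports"])
            and (not rule["states"] or pkt["state"] in rule["states"]))

def verdict(policies, chains, pkt, chain="INPUT"):
    """First matching terminal target wins; a user chain that ends without a
    verdict hands control back to the caller; the built-in policy decides last."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target == "RETURN":
            break
        if target in chains:
            sub = verdict(policies, chains, pkt, target)
            if sub is not None:
                return sub
    return policies.get(chain)

POLICIES, CHAINS = parse_rules(RULES)

def decide(src, proto, dport, state="NEW", iface="eth0"):
    """Verdict for one constructed inbound packet (default: new, on eth0)."""
    pkt = {"src": src, "proto": proto, "dport": dport, "state": state, "iface": iface}
    return verdict(POLICIES, CHAINS, pkt)

if __name__ == "__main__":
    print(decide("186.8.1.1", "tcp", 3306), decide("192.0.2.9", "tcp", 3306))
```

A new connection to TCP 3306 from 186.8.1.1 is accepted inside RESTRICT, while the same connection from 192.0.2.9 matches nothing in RESTRICT, falls back to INPUT, reaches the end of that chain and is dropped by its policy; there is no DROP rule in RESTRICT itself, which is the point of the answer above. The blocked host 203.0.113.5 is dropped for port 80 as well, since its rule sits before the ACCEPT lines.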
Okay, I'll follow that.
Is there a reason you have omitted port 110?
Thanks again
PS: I am also having problems with passive transfers in Filezilla (MLSD); Mac Transit works ok.
It seems I need to have a wide range 30000:32000 of open ports
What do you suggest?
Okay, I'll follow that.
Is there a reason you have omitted port 110?
Unless you enable TLS or alike it'll be one of those plain text protocols. Either prefer POP3S and IMAPS or add the ports: the choice is yours. And that goes for the 30000:32000 range as well.