LinuxQuestions.org
Old 06-01-2009, 04:53 PM   #1
Ruler2112
Member
 
Registered: Oct 2004
Location: Michigan, US
Distribution: Redhat 7.3, 9.0; Slackware 10, 10.1, 10.2, 11; FreeBSD 7.0; KnoppMyth 5.5
Posts: 125

Rep: Reputation: 16
Exclamation Assistance with iptables


I have a Linux Box running CentOS 5.3 Final, installed with the AsteriskNow install CD. I'm (obviously) running Asterisk on it. I have it interfaced to my Cisco Call Manager over our VPN. This will allow me to use 4-digit dialing from IP phones using the Asterisk system at our tent sale to our building as well as the reverse. There are two network cards in the Asterisk box, and I need to provide data connections to our store as well. Everything is working right now, however I'm very uneasy about the security of the system.

The reason for this is that this machine will be directly exposed to the internet and basically EVERYTHING is accepted by iptables. I know how to use pf in BSD and love the simplicity and elegance of it, but I haven't used iptables for the past five or more years. Quite honestly, I don't remember much about it, other than it was a royal pain to get it to act like I wanted.



Basically, I need the firewall to do the following:


Provide a trusted NAT segment with static IPs on eth1.

Allow all connections from eth1 and forward them out either eth0 or the VPN tunnel as appropriate. (Which packets go to the VPN and which go directly out appears to be handled transparently by the Cisco VPN client software. I have everything forwarded out eth0 and it appears to allow me to access the store via the VPN.)

Allow traffic coming in on eth0 related to connections established by boxes on eth1 through.

Allow connections on specific ports/port ranges using specific protocols on the VPN interface from specific IPs/IP ranges.

Drop everything else.



I know I must be making this harder than it is. BSD's pf will do exactly what I want in about 20 lines. So far, I've got about 4 pages of iptables rules and all it really does is forward everything from eth1 out eth0. Doing port scans from eth0 shows there to be no security on it at a firewall level. I've read documentation on iptables and it's given me a massive headache, but I don't see where it can be made simpler; I'll need several more pages of rules to accomplish what I want and even then I'm not 100% sure that it'll work the way I want it to.

I did find reference to a port of pf to linux via google, but it appears the project is abandoned, as the page was last updated in 2004 and the machine name where the source code resides cannot be resolved.


Could somebody please help me with the rule-set I need to accomplish the above goal?
 
Old 06-01-2009, 07:35 PM   #2
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,226

Rep: Reputation: 2023
This is apparently a good tool to build rules with: http://firehol.sourceforge.net/
 
Old 06-08-2009, 11:43 AM   #3
Ruler2112
Member
 
Registered: Oct 2004
Location: Michigan, US
Distribution: Redhat 7.3, 9.0; Slackware 10, 10.1, 10.2, 11; FreeBSD 7.0; KnoppMyth 5.5
Posts: 125

Original Poster
Rep: Reputation: 16
Thanks for the reply Chris. I wasn't able to get firehol working though.

I've been playing with iptables last week and pretty much all day yesterday. I've got things almost working. I start the machine, get a DHCP address from my modem, start up the VPN and let it connect, then run the firewall script I have. The windoze computer hanging off eth2 is able to ping the internet and surf. However, I'm unable to connect to anything over our VPN from this machine.


My firewall script as it stands now:
Code:
#!/bin/sh
# Shell variable assignments take no leading "$" (the original had "$IPTABLES=..."
# which the shell treats as a command, leaving every variable below empty).
IPTABLES="/sbin/iptables"

IF_INET="eth0"
IF_TENT="eth2"
IF_CVPN="cipsec0"

#############################################################################
############################### End of Variables ############################
#############################################################################
############### If you change anything below this line, #####################
################ make sure you know what you're doing! ######################
#############################################################################
#### THIS MEANS THAT IF YOU BREAK IT, DON'T EXPECT ME TO FIX IT FOR YOU! ####
## If you were smart enough to break it, you can be smart enough to fix it. #
################## (Yes, this even includes you -----.) #####################
#############################################################################

# Start from empty filter, nat and mangle tables.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Let the kernel route between interfaces.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Default policies: drop anything not explicitly allowed in or through.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT -i lo -p all -j ACCEPT
$IPTABLES -A OUTPUT -o lo -p all -j ACCEPT

# Internet side: only replies to connections we (or the tent) opened.
$IPTABLES -A INPUT -i $IF_INET -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $IF_TENT -j ACCEPT
$IPTABLES -A INPUT -i $IF_CVPN -j ACCEPT

# NAT the tent segment behind the internet and VPN addresses.
$IPTABLES -t nat -A POSTROUTING -o $IF_INET -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $IF_CVPN -j MASQUERADE

$IPTABLES -A FORWARD -i $IF_TENT -o $IF_INET -j ACCEPT
$IPTABLES -A FORWARD -i $IF_TENT -o $IF_CVPN -j ACCEPT

The warning block in there was put in not in reference to anybody here, but directed at one particular person in our organization who does not understand much, but thinks that he does. He likes to change random settings because "that way makes more sense", but of course he doesn't document what he does or when he does it and cannot remember what was changed when asked.

There are two interesting behaviors I observed about this:

If I run tcpdump -a -i eth2 on the console, nothing at all appears when I try to ping a machine over the VPN from my laptop. If I ping a box out on the internet, the ping and reply appear.

I can ping both the internet and corporate network from the console.



Any ideas on this? My tent sale starts tomorrow and I'd really like to have it up and running if possible. (If not, I'll have to go with the old redhat 7.3 gateway that only handles data. Interestingly enough, the firewall script from that box does not work on here either, so there must be a difference between the version of iptables shipped with the 2.4 vs 2.6 kernel or the 4.0 and 4.9 versions of the Cisco VPN client software.) I've played with the script so much that I don't really know what else to try.
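A ruleset that implements the five requirements from post #1 and covers the same ground as the script in post #3, written here as an added example (it is not the poster's script and does not come from the thread): the interface names, the 192.168.10.0/24 LAN range, the 10.0.0.0/24 VPN-side addresses and the allowed ports are assumptions, and DRY_RUN=1 prints the rules so the policy can be reviewed before it is applied. Note that post #3's script has no FORWARD rule for return traffic, so replies coming back in on eth0 or cipsec0 hit the FORWARD DROP policy; the state match on FORWARD below is what closes that gap.

```shell
#!/bin/sh
# Hypothetical gateway ruleset (added example, not the poster's script).
# Interface names, LAN range and the VPN allow-list are assumptions.
# DRY_RUN=1 prints the rules instead of applying them (no root needed).

IPTABLES="/sbin/iptables"
IF_INET="eth0"             # DHCP link to the modem (untrusted)
IF_LAN="eth1"              # trusted NAT segment with static IPs (post #1)
IF_CVPN="cipsec0"          # Cisco VPN client tunnel interface
LAN_NET="192.168.10.0/24"  # assumed address range on eth1

# Constructed allow-list for connections arriving over the VPN: "proto src dport(s)"
VPN_ALLOW="udp 10.0.0.0/24 5060
udp 10.0.0.0/24 10000:20000
tcp 10.0.0.5 22"

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi; }

build_rules() {
    run -F; run -t nat -F; run -t mangle -F
    [ "${DRY_RUN:-0}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    # Default deny for INPUT and FORWARD; every line below is an explicit exception.
    run -P INPUT DROP; run -P FORWARD DROP; run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT
    # Replies to connections the gateway itself opened, on any interface.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The trusted segment may reach the gateway; the -s match rejects spoofed sources.
    run -A INPUT -i "$IF_LAN" -s "$LAN_NET" -j ACCEPT
    # Only the listed proto/source/port combinations may open connections over the VPN.
    echo "$VPN_ALLOW" | while read -r proto src ports; do
        [ -n "$proto" ] || continue
        run -A INPUT -i "$IF_CVPN" -p "$proto" -s "$src" --dport "$ports" \
            -m state --state NEW -j ACCEPT
    done
    # Forwarding: LAN may go out to the internet or the VPN; return traffic only
    # passes because it matches an existing conntrack entry.
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$IF_LAN" -s "$LAN_NET" -o "$IF_INET" -j ACCEPT
    run -A FORWARD -i "$IF_LAN" -s "$LAN_NET" -o "$IF_CVPN" -j ACCEPT
    run -t nat -A POSTROUTING -s "$LAN_NET" -o "$IF_INET" -j MASQUERADE
    run -t nat -A POSTROUTING -s "$LAN_NET" -o "$IF_CVPN" -j MASQUERADE
}

# Number of ACCEPT rules the policy emits; handy for a quick sanity check.
count_accepts() { DRY_RUN=1 build_rules | grep -c -- '-j ACCEPT'; }

[ "${DRY_RUN:-0}" = 1 ] && build_rules
```

Run it as `DRY_RUN=1 sh gateway.sh` to read the generated rules, then without DRY_RUN as root to apply them; `iptables -L -v -n` afterwards shows per-rule packet counters, which is the quickest way to see which rule the VPN traffic is (or is not) hitting.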
 
Old 06-08-2009, 12:18 PM   #4
Ruler2112
Member
 
Registered: Oct 2004
Location: Michigan, US
Distribution: Redhat 7.3, 9.0; Slackware 10, 10.1, 10.2, 11; FreeBSD 7.0; KnoppMyth 5.5
Posts: 125

Original Poster
Rep: Reputation: 16
Important correction to my last post. The old gateway machine runs Slackware 10.1, NOT RedHat 7.3. (Got my old machines I hardly ever use confused.) It's got kernel 2.4.29 and Cisco VPN Client software version 4.0 installed, but again only does data.