LinuxQuestions.org
Old 04-26-2007, 10:10 AM   #1
crashsystems
Member
 
Registered: May 2006
Location: Tennessee et. al
Distribution: Debian Sid, Etch
Posts: 138

bastille, iptables, and ssh woes


I'm currently dealing with a problem that has had me flummoxed for some time. I have a server in my office running Debian Etch that is acting as our gateway to the net. eth0 is pointing outwards, while eth1 points to our internal network. Among other things, I have ssh server installed on the box. Feeling a bit too lazy to grok iptables, I used bastille to configure NAT and firewall stuff. When answering the questions, I told it to allow access to port 22 on both interfaces, but I can only ssh into the box from the internal network. When I run the shields-up scan at grc.com, it shows all ports as being closed. I used iptables-save to get a list of the rules that bastille generated, and have provided them below. If anyone could give some advice for this situation, that would be great.

Code:
# Generated by iptables-save v1.3.6 on Thu Apr 26 09:33:35 2007
*mangle
:PREROUTING ACCEPT [68456280:39102080846]
:INPUT ACCEPT [14704884:7271324045]
:FORWARD ACCEPT [53675363:31822713624]
:OUTPUT ACCEPT [17804234:20335949857]
:POSTROUTING ACCEPT [71522409:52163641491]
COMMIT
# Completed on Thu Apr 26 09:33:35 2007
# Generated by iptables-save v1.3.6 on Thu Apr 26 09:33:35 2007
*nat
:PREROUTING ACCEPT [940353:80125177]
:POSTROUTING ACCEPT [33161:2192843]
:OUTPUT ACCEPT [54612:4264714]
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Completed on Thu Apr 26 09:33:35 2007
# Generated by iptables-save v1.3.6 on Thu Apr 26 09:33:35 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [377131:805845614]
:INT_IN - [0:0]
:INT_OUT - [0:0]
:PAROLE - [0:0]
:PUB_IN - [0:0]
:PUB_OUT - [0:0]
-A INPUT -d 127.0.0.0/255.0.0.0 -i ! lo -p tcp -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -s 224.0.0.0/240.0.0.0 -j DROP 
-A INPUT -i eth0 -j DROP 
-A INPUT -i eth0 -j DROP 
-A INPUT -i eth0 -j PUB_IN 
-A INPUT -i eth1 -j INT_IN 
-A INPUT -i eth2 -j INT_IN 
-A INPUT -j DROP 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -d 0.0.0.255/0.0.0.255 -o eth0 -p tcp -m tcp --dport 137:139 -j DROP 
-A FORWARD -d 0.0.0.255/0.0.0.255 -o eth0 -p udp -m udp --dport 137:139 -j DROP 
-A FORWARD -o eth0 -j ACCEPT 
-A FORWARD -j DROP 
-A OUTPUT -o eth0 -j PUB_OUT 
-A OUTPUT -o eth1 -j INT_OUT 
-A OUTPUT -o eth2 -j INT_OUT 
-A INT_IN -p tcp -m tcp --dport 22 -j PAROLE 
-A INT_IN -p tcp -m tcp --dport 138 -j PAROLE 
-A INT_IN -p tcp -m tcp --dport 139 -j PAROLE 
-A INT_IN -p tcp -m tcp --dport 445 -j PAROLE 
-A INT_IN -p tcp -m tcp --dport 67 -j PAROLE 
-A INT_IN -p tcp -m tcp --dport 1598 -j PAROLE 
-A INT_IN -p tcp -m tcp --dport 3306 -j PAROLE 
-A INT_IN -p udp -m udp --dport 22 -j ACCEPT 
-A INT_IN -p udp -m udp --dport 138 -j ACCEPT 
-A INT_IN -p udp -m udp --dport 139 -j ACCEPT 
-A INT_IN -p udp -m udp --dport 445 -j ACCEPT 
-A INT_IN -p udp -m udp --dport 67 -j ACCEPT 
-A INT_IN -p udp -m udp --dport 1598 -j ACCEPT 
-A INT_IN -p udp -m udp --dport 3306 -j ACCEPT 
-A INT_IN -p icmp -j ACCEPT 
-A INT_IN -j DROP 
-A INT_OUT -p icmp -j ACCEPT 
-A INT_OUT -j ACCEPT 
-A PAROLE -j ACCEPT 
-A PUB_IN -d 192.168.0.0/255.255.0.0 -j DROP 
-A PUB_IN -s 192.168.0.0/255.255.0.0 -j DROP 
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE 
-A PUB_IN -p udp -m udp --dport 22 -j ACCEPT 
-A PUB_IN -p tcp -m tcp --dport 23 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" 
-A PUB_IN -p tcp -m tcp --dport 21 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" 
-A PUB_IN -p tcp -m tcp --dport 143 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" 
-A PUB_IN -p tcp -m tcp --dport 110 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" 
-A PUB_IN -p tcp -m tcp --dport 79 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" 
-A PUB_IN -p tcp -m tcp --dport 111 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" 
-A PUB_IN -p tcp -m tcp --dport 512 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" 
-A PUB_IN -p tcp -m tcp --dport 513 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" 
-A PUB_IN -p tcp -m tcp --dport 98 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" 
-A PUB_IN -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" 
-A PUB_IN -p udp -m udp --dport 31337 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" 
-A PUB_IN -p icmp -m icmp --icmp-type 8 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit" 
-A PUB_IN -p icmp -j DROP 
-A PUB_IN -j DROP 
-A PUB_OUT -j ACCEPT 
COMMIT
# Completed on Thu Apr 26 09:33:35 2007
 
Old 04-26-2007, 10:38 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Code:
-A INPUT -d 127.0.0.0/255.0.0.0 -i ! lo -p tcp -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -s 224.0.0.0/240.0.0.0 -j DROP 
-A INPUT -i eth0 -j DROP 
-A INPUT -i eth0 -j DROP 
-A INPUT -i eth0 -j PUB_IN 
-A INPUT -i eth1 -j INT_IN 
-A INPUT -i eth2 -j INT_IN 
-A INPUT -j DROP
After a quick look, it would seem to me that those two rules in bold are the issue... they are sending to DROP any packets coming into eth0 (which I assume is your external interface) before they can get sent to PUB_IN... if this is correct, then simply deleting those two rules should do the trick, as your PUB_IN has a rule for port 22 (ssh)... try by executing these commands:
Code:
iptables -D INPUT -i eth0 -j DROP
iptables -D INPUT -i eth0 -j DROP
It's the same command twice, as you have the same rule repeated, so you need to do it twice to kill them both... if this fixes your issue then replace the old config with the new using iptables-save...
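The rule-ordering problem diagnosed above, as an added example that is not part of the original thread: a small Python checker that parses iptables-save rule lines, flags any rule hidden by an earlier rule in the same chain whose match set is at least as general and whose target is terminating, reports user-defined chains that can no longer receive traffic, and lists candidate iptables -D commands for the rules doing the hiding. The sample rules are the thread's INPUT chain (plus the user chains it jumps to), trimmed; the function names and the subset-based shadowing test are my own, and the check is syntactic (same options, broader-before-narrower), not a full semantic overlap analysis. It generalizes past the thread's case to any chain and any number of duplicated rules.

```python
import shlex
from collections import deque

# Constructed sample input: the INPUT chain from the iptables-save output in
# post #1, plus the user chains it jumps to, trimmed for this example.
SAMPLE_RULES = """\
-A INPUT -d 127.0.0.0/255.0.0.0 -i ! lo -p tcp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 224.0.0.0/240.0.0.0 -j DROP
-A INPUT -i eth0 -j DROP
-A INPUT -i eth0 -j DROP
-A INPUT -i eth0 -j PUB_IN
-A INPUT -i eth1 -j INT_IN
-A INPUT -j DROP
-A INT_IN -p tcp -m tcp --dport 22 -j PAROLE
-A INT_IN -j DROP
-A PAROLE -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
-A PUB_IN -j DROP
"""

BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # targets that end chain traversal


def parse_rule(line):
    """Parse one '-A CHAIN ... -j TARGET' line into a dict, or None.

    'matches' is a frozenset of (option, value) pairs.  A '!' is folded into
    the value, in both the old ('-i ! lo') and new ('! -i lo') syntax, so a
    negated match never compares equal to the plain one.  '-m' only loads a
    match extension and selects nothing, so it is dropped.  Options that
    follow '-j' (e.g. --log-prefix) are kept as part of the key, which only
    makes the shadowing test more conservative.
    """
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    chain, target, matches = tokens[1], None, set()
    i, negate = 2, False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        if tok == "-j":
            target, i = tokens[i + 1], i + 2
            continue
        if tok == "-m":
            i += 2
            continue
        values, i = [], i + 1
        while i < len(tokens) and (tokens[i] == "!" or not tokens[i].startswith("-")):
            values.append(tokens[i])
            i += 1
        value = " ".join(values)
        if negate:
            value, negate = "! " + value, False
        matches.add((tok, value))
    return {"chain": chain, "matches": frozenset(matches),
            "target": target, "raw": line.strip()}


def analyze(text):
    """Return shadowed rules and user chains that no live jump reaches."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    shadowed = {}  # index of hidden rule -> indices of earlier rules hiding it
    for idx, rule in enumerate(rules):
        hiders = [j for j in range(idx)
                  if rules[j]["chain"] == rule["chain"]
                  and rules[j]["target"] in TERMINATING
                  and rules[j]["matches"] <= rule["matches"]]
        if hiders:
            shadowed[idx] = hiders
    user_chains = {r["chain"] for r in rules} - BUILTIN
    jumps = {}  # chain -> user chains it can still jump to
    for idx, rule in enumerate(rules):
        if idx not in shadowed and rule["target"] in user_chains:
            jumps.setdefault(rule["chain"], set()).add(rule["target"])
    reached, queue = set(), deque(BUILTIN)
    while queue:  # walk live jumps outward from the built-in chains
        for nxt in jumps.get(queue.popleft(), ()):
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return {"rules": rules, "shadowed": shadowed,
            "unreachable": sorted(user_chains - reached)}


def fix_commands(text):
    """Candidate 'iptables -D' commands, one per rule that hides a jump to a
    user chain.  A rule present twice is listed twice: iptables -D removes
    only the first matching rule each time it runs."""
    report = analyze(text)
    rules = report["rules"]
    user_chains = {r["chain"] for r in rules} - BUILTIN
    blockers = set()
    for idx, hiders in report["shadowed"].items():
        if rules[idx]["target"] in user_chains:
            blockers.update(hiders)
    return ["iptables -D" + rules[j]["raw"][2:] for j in sorted(blockers)]


if __name__ == "__main__":
    report = analyze(SAMPLE_RULES)
    for idx, hiders in report["shadowed"].items():
        print(f"hidden: {report['rules'][idx]['raw']}  (by rule(s) {hiders})")
    print("unreachable user chains:", report["unreachable"])
    print("candidate fixes:", *fix_commands(SAMPLE_RULES), sep="\n  ")
```

On the thread's INPUT chain the report shows both the duplicate DROP and the PUB_IN jump hidden behind the first `-i eth0 -j DROP`, PUB_IN as unreachable, and the same delete command twice, which is exactly why the fix above has to be run twice. The analysis only reads text, so it is safe to point at the output of `iptables-save` before loading a new ruleset.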
 
Old 04-26-2007, 10:56 AM   #3
crashsystems
Member
 
Registered: May 2006
Location: Tennessee et. al
Distribution: Debian Sid, Etch
Posts: 138

Original Poster
Well, that did the trick. Thanks for your help win32sux. Would you happen to know how I could change settings within bastille so that I wouldn't have to use these two commands every time the iptables rules were loaded?
 
Old 04-26-2007, 05:56 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by crashsystems
Well, that did the trick. Thanks for your help win32sux. Would you happen to know how I could change settings within bastille so that I wouldn't have to use these two commands every time the iptables rules were loaded?
No, I don't know how to do it from bastille... but can't you just replace your old config with your new ruleset?? like for example:
Code:
iptables-save > /etc/sysconfig/iptables
(or wherever your configuration is stored)

that should allow for everything to be automatic at startup...

Last edited by win32sux; 04-26-2007 at 05:57 PM.
 
Old 04-26-2007, 09:12 PM   #5
crashsystems
Member
 
Registered: May 2006
Location: Tennessee et. al
Distribution: Debian Sid, Etch
Posts: 138

Original Poster
I could just disable bastille-firewall and take the contents of iptables-save and make a startup script for it, but then I'd lose the ability to modify firewall rules inside the program. I could manually edit the settings file for bastille, but I haven't been able to figure it out so far. If nothing else, I can modify the /etc/init.d/bastille-firewall script by tailing those two commands to the end, where the "start" function is invoked.