Old 03-19-2003, 01:23 PM   #1
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Drop 'em at the firewall


My current iptables script looks like this:


# (1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# (2) User-Defined chain for ACCEPTed TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

# (3) INPUT chain rules

# Rules for incoming packets from the LAN
iptables -A INPUT -p ALL -i eth0 -s 192.100.0.0/8 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.100.0.100 -j ACCEPT

# Packets for established connections
iptables -A INPUT -p ALL -d 192.100.0.100 -m state --state ESTABLISHED,RELATED -j ACCEPT

# TCP rules

# SSH
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
# HTTP
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
# IDENTD (Necessary for IRC ?????)
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 113 -j okay
# HTTPS (SSL)
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay
# IPP
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 631 -j okay
# MySQL
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 3306 -j okay

# UDP rules
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j okay
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j okay

# ICMP rules
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 11 -j ACCEPT

# (4) OUTPUT chain rules
# Only output packets with local addresses (no spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.100.0.100 -j ACCEPT
iptables -A OUTPUT -p ALL -s 54.67.87.33 -j ACCEPT

Currently I am using tcpwrappers to deny access to ssh. Only specified ip addresses are allowed to use the ssh service. I'd like to allow specific ip addresses through the firewall only.

What do I have to change to allow only specified ip addresses to access port 22?

Also, and this may be better in a new thread, I would like to be notified of failed attempts. I know you can log iptables but I find the tutorials tough to follow.

Last edited by Crashed_Again; 03-20-2003 at 05:32 PM.
 
Old 03-19-2003, 11:41 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
>What do I have to change to allow only specified ip addresses to access port 22?

If the ip addresses you want to accept are in an ip block together (like 123.456.789.001 and 123.456.789.100) it is easy to do.
-s 123.456.789.0/24
where the number following the slash tells it how many numbers of the ip address to check. Here's the catch though: it's in octets, so if you want all:
123.XXX.XXX.XXX you would use /8
123.456.XXX.XXX you would use /16
123.456.789.XXX you would use /24
123.456.789.001 you would use ? yes /32

If you have a bunch of varied ips, stick with hosts.allow.

BTW, those iptables rules look funny. Especially the "-j okay" target. Did you make a user defined target or should that be -j ACCEPT?

To do logging, make a rule and use the -j LOG target. BUT, if you do logging via iptables you open yourself up to DOS attacks. For example if I syn flood you and you happen to be logging that request, you're in trouble. So it's a two-edged sword.
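The prefix arithmetic behind that /8, /16, /24, /32 table, as an added example (my own code, not from anyone in this thread). The number after the slash is the count of leading bits of the address that must match, and the four values listed are exactly the octet boundaries. The script below is POSIX sh with no dependencies; the function names are my own, and it never calls iptables, it only tells you which addresses a given `-s NETWORK/N` would match.

```shell
#!/bin/sh
# Added example, not from the thread: work out what an iptables "-s
# NETWORK/N" prefix actually matches, using POSIX sh arithmetic only.
# N counts leading bits of the address that must match; /8, /16, /24
# and /32 are the octet boundaries listed in the post above.
# Function names are my own.

# Dotted quad -> 32-bit integer (subshell body keeps the IFS change local).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask (dotted) for a prefix length 0..32, e.g. cidr_mask 24 -> 255.255.255.0
cidr_mask() {
    int_to_ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# in_cidr ADDRESS NETWORK[/N]: exit 0 if ADDRESS is inside the block.
# A bare address with no "/N" is treated as /32, i.e. a single host.
in_cidr() (
    case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    mask=$(( (4294967295 << (32 - ${2#*/})) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
)

# Show how far each prefix length reaches. 192.100.0.100 is the host
# address used in the OP's script; the other two hosts are constructed.
for block in 192.100.0.0/8 192.100.0.0/16 192.100.0.0/24 192.100.0.100/32; do
    for host in 192.100.0.100 192.100.7.7 192.7.7.7; do
        if in_cidr "$host" "$block"; then r=match; else r=no-match; fi
        printf '%-18s mask %-15s %-14s %s\n' "$block" "$(cidr_mask "${block#*/}")" "$host" "$r"
    done
done
```

Running it makes one thing about the script in post #1 visible: the LAN rule there uses `-s 192.100.0.0/8`, and the first row of output shows that /8 matches any address whose first octet is 192 (192.7.7.7 included), not just 192.100.x.x. If the LAN is 192.100.x.x, /16 is the prefix that describes it.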
 
Old 03-20-2003, 05:34 PM   #3
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Original Poster
Rep: Reputation: 57
Quote:
If you have a bunch of varied ips, stick with hosts.allow.
So you are saying that iptables can only allow a range of ip addresses in and not specific ip addresses?



Quote:
BTW, those iptables rules look funny.
Sorry. I just realized that I did not post my full iptables script. I edited it for you.

I find it hard to believe that I can not specify certain ip addresses to do this.
 
Old 03-20-2003, 06:01 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
You're completely right, but the problem you run into is that you have to write an iptables rule for each one if they're not in the same subnet. So if you want to allow 15 different ip addresses, it can get to be a pain writing out all the rules. See my point. That's why I would use hosts.allow/deny to accomplish it. But it would work completely if you wanted to write out iptables rules for all of them. You could just put them one after another in your script like
iptables .......... -s 124.545.457.432 -j ACCEPT
iptables .......... -s 643.236.765.335 -j ACCEPT
etc,etc,etc...

I agree with you that it would be nice if you could import a list of allowed addresses using something like a pointer in a single iptables rule, but I've never seen that done. If you can figure out a way to do that, I sure as hell would like to know!
 
Old 03-20-2003, 06:07 PM   #5
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Original Poster
Rep: Reputation: 57
hehe I can tell you I surely will not figure out how to do that. My concentration in College was in programming and I find writing iptables scripts one of the hardest things I've ever done. I think I just have a mental block with them.

One more question and I won't bug you anymore. So if I use the:

iptables .......... -s 124.545.457.432 -j ACCEPT
iptables .......... -s 643.236.765.335 -j ACCEPT
etc,etc,etc...

will that automatically block all other IP addresses that are not allowed or do I have to add another rule?
 
Old 03-20-2003, 06:15 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Any ip address which doesn't match the ones you specify will fall through the rules until they hit the default INPUT rule, which in your case is DROP, so they won't get anything when they try and connect.

If you just need to allow a couple of addresses, you can do this no problem.

>I think I just have a mental block with them
You're not the only one, I feel like my head is going to pop when I'm trying to think through them.
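An added example (my own code, not posted by anyone in the thread) that puts post #4 and post #6 together: it generates the one-rule-per-address list Capt_Caveman describes from a text file of allowed addresses, rather than typing each rule by hand, and follows it with a rate-limited LOG rule so the unmatched connection attempts the OP wanted to be notified about get logged before they fall through to the INPUT policy DROP. The rule text copies the script in post #1 (chain `okay`, interface `eth0`, the `--destination-port 22` spelling); the function names, the allow-list format and the sample addresses are my own constructions. Nothing here calls iptables: the functions print the rules so they can be reviewed and then pasted in where the single SSH rule currently sits.

```shell
#!/bin/sh
# Added example, not from the thread: build the per-address SSH rules
# described in post #4 from an allow-list file, plus a rate-limited LOG
# rule for everyone else. Rule text follows the OP's script (chain "okay",
# interface eth0). Nothing here runs iptables; the rules are printed.

# Print the non-comment, non-blank entries of an allow-list file.
read_allowlist() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Return 0 if ENTRY looks like a.b.c.d or a.b.c.d/N (octets 0-255, N 0-32).
# A subshell body keeps the IFS change and the positional parameters local.
valid_entry() (
    ip=${1%/*}
    case $1 in
        */*) n=${1#*/}
             case $n in *[!0-9]*|'') exit 1 ;; esac
             [ "$n" -le 32 ] || exit 1 ;;
    esac
    IFS=.
    set -- $ip
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in *[!0-9]*|'') exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
)

# Print one rule per allowed address, in the OP's rule format. Malformed
# entries are reported on stderr and skipped rather than turned into rules.
ssh_allow_rules() {
    for entry in "$@"; do
        valid_entry "$entry" || { echo "skipping bad allow-list entry: $entry" >&2; continue; }
        echo "iptables -A INPUT -p TCP -i eth0 -s $entry --destination-port 22 -j okay"
    done
}

# LOG rule for SSH connection attempts (SYN packets) from any other source.
# It goes directly after the allow rules; the packet then falls through to
# the INPUT policy DROP, as post #6 explains, so no extra DROP rule is
# needed. "-m limit" caps how many lines a flood can write to the log,
# which is the concern raised about logging in post #2.
ssh_log_rule() {
    echo 'iptables -A INPUT -p TCP --syn -i eth0 --destination-port 22 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SSH denied: "'
}

# Constructed allow-list (documentation addresses, not real hosts) to show
# the pieces together, including one bad entry that must be skipped.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# hosts allowed to reach sshd
198.51.100.7
203.0.113.0/24
not-an-address
EOF
ssh_allow_rules $(read_allowlist "$tmp")
ssh_log_rule
rm -f "$tmp"
```

The generated lines replace the single `--destination-port 22 -j okay` rule in the OP's script; order matters, since the LOG rule has to come after the allow rules and before anything that would accept the packet. The logged lines show up in the kernel log (`dmesg` or syslog) with the `SSH denied:` prefix, which is what to grep for when checking who is knocking.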
 
Old 03-20-2003, 06:19 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I'm sure that if I'm wrong about that, unspawn will arrive promptly and pimp-slap me anyway.
 
Old 03-20-2003, 06:22 PM   #8
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Original Poster
Rep: Reputation: 57
Sometimes I need unspawn's pimp-slapping. It puts me back in my place. Thanks unspawn!
 
  

