Firewall Configuration but I dont know where to stick it!

suerevans · 04-06-2004, 08:53 AM

Hi all...

I am trying to update my firewall file.

I need to allow some ports back into our network and try as I might I am just not getting it.

I have 13 or so ports to allow back in (all are already allowed out) and I have tried a couple of things but I dont seem to be getting anywhere.

Is there a major simple document somewhere that will tell me where I need to add them in the file and how?

I am using iptables and the kernel is Red Hat 2.4.18 with an rc.DMZ.firewall file and 3 network cards (if that is relevant!)

I added lines for the internet, lan and dmz settings in the Firewall Rules section but this hasnt helped and Im told that was the wrong place to put them. Unfortunatly that wasnt then followed up with where I should have put them!!

Is there anything out there that a non-security, non-networking (in reality dba & finance director) can read that would make sense?

Thanks :-)

Sue

Capt_Caveman · 04-06-2004, 03:20 PM

In redhat, the iptables rules can exist in one of two places: either in the /etc/sysconfig/iptables file or in a script that is set to run at startup. For the first option (the iptables file) enter all your rules from the command line and then use: iptables-save > /etc/sysconfig/iptables to save them. Do not directly edit the /etc/sysconfig/iptables file.

For the second option, put the rules into a standard bash script, make it executable and then put the full path to the script in one of the startup scripts so that the script is executed at boot.

From your post I can't tell where you're trying to put them. "Firewall rules" section of what?

For more general info, checkout the online documentation for your specific version:
http://www.redhat.com/support/knowledgebase/products/
http://www.redhat.com/docs/manuals/l...-iptables.html

suerevans · 04-07-2004, 06:13 AM

Hi

Thanks for this - Unfortunatly, Im still lost.

Ive looked at the iptables in /etc/sysconfig but that relates to a network environment from a few years back.

So I looked in the init.d directory at that iptables (which is the one we have been updating) and found that basically, it checks to see if the /etc/sysconfig/iptables file exists, and if it does, it ignores it and resets everything. It then calls the firewall file.

The firewall file includes various firewall stuff and a huge amount of iptables -A commands.

That is where I had added the ones for the ports I need to open.

When I do an iptables -L (see Im learning cos I didnt know that yesterday!) I can see a listing of most of those ports but not all of them.

Out of the ones I need to add, Im missing 50 and 500 - but the lines in the firewall file exist and seem to be what is expected.

I am certainly confused as to why our original network person set up the system in this way, but dont see why it isnt working.

Ive specified both ports 50 and 500 as TCP and UDP if that is any help.

I did read through the documentation you suggested, but its still a bit alien to me so I appologise if this is something that anyone else would automatically know :-)

Sue

Capt_Caveman · 04-07-2004, 08:10 AM

No need to apologize. Iptables is certainly not one of the more intuitive parts of linux. From what you've described, it sounds like a non-standard setup that your previous admin put together (in a default install there is no rc.DMZ.firewall file). My guess is that is a firewall script like I mentioned in my above post as being option 2.

I guess the best way to approach this would be to clear your old rules and then try to execute that script directly and see if all the rules are loading properly (could be an syntax error in one of those rules that is failing). So open up a terminal (console) window and try the following:

iptables -F
iptables -t nat -F

Next make sure the file is executable, if not do:
chmod u+x firewall_file

Now run the script directly:
./firewall_file

Now take a look at the loaded rules using the iptables -L command and match them up with the ones in the script. Hopefully the rules should look the same as were loaded before (that way we know that this is indeed the right script to be modifying). If it is indeed the same, go through and identify any rules which are not being loaded. Go ahead and post these after removing any identifiable IP addresses. If the rules are different than the ones loaded before, then we know we're looking at the wrong file. In that case post the /etc/init.d/iptables file and hopefully we can figure out what is going on.

suerevans · 04-23-2004, 04:45 AM

Hi

Sorry it has been so long since the last post - Ive been trying to work it out, but not really getting anywhere.

The iptables stuff you suggested showed that the stuff being loaded matches that which was already there.

So I decided to try re-doing the whole thing. Only problem was, with the documentation, etc you had suggested before and the fact that I only know how to work around the rc... file, I decided to try re-writing it.

I figured it was that causing the issues mostly - the basic information is in there (as given in the example on http://www.shad.net/tech/manuals/iptables/) but with several additions and detractions.

Firstly, the example is for 2 network cards. We have 3. and secondly, all our ports seemed to be forwarded to specific machines rather than just allowed through.

So, taking the example, I started to re-write... I now have sections for the standard stuff like config settings, loading the modules etc, prerouting, input, output, dns routing and forwarding. (the http stuff is forwarded/prerouted because it shares the 192 IP address with the firewall and dns box, and is then hopefully splitting out according to the port being used)

The file is below - Ive chopped the ip addresses as you suggested. Could you take a look at it and see if Im either over-killing, too open or just what is going on?

My explaination of whats going on is a tad simplistic I suspect, but we now have network a, b and c.
A is the firewall/dns box (they are on the same machine) into external world network
b is the servers DMZ
c is the workstations DMZ

A can see everything. Internet, b and c located machines but is not passing connections through from the internet to the servers or workstations
B can see everyone within itself and A but cannot get through A to the internet
C can also see everyone within itself and A but also cant pass through to the internet.

(when I say they can see themselves, Im using ping to test)

I guess its something simple???? Perhaps the Iptables stuff is getting in the way, or Ive just missed something simple or stuck it in the wrong place. I just dont see it. And now Im going around in circles getting nowhere!!!

Could you have a look for me???

#!/bin/sh
###########
# Configuration options
INET_IP="192."
INET_IFACE="eth0"

DMZ_IP="10"
DMZ_BCAST="10."
DMZ_IFACE="eth1"

LAN_IP="10"
LAN_BCAST_ADRESS="10"
LAN_IFACE="eth2"

DNS_IP="217."
DMZ_DNS_IP="192."

HTTP_IP="192."
DMZ_HTTP_IP="10."

MAIL_IP="192."
DMZ_MAIL_IP="10."

OEM_IP="192."
DMZ_OEM_IP="10."

LO_IP="127.0.0.1"
LO_IFACE="lo"

IPTABLES="/usr/local/sbin/iptables"

#########
# Load all required IPTables modules
/sbin/depmod -a

# Adds some iptables targets like LOG, REJECT and MASQUARADE.
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE

# Support for connection tracking of FTP and IRC.
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

# CRITICAL: Enable IP forwarding since it is disabled by default.
echo "1" > /proc/sys/net/ipv4/ip_forward

# set default policies for the INPUT, FORWARD and OUTPUT chains
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Enable simple IP FORWARDING
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

# Create separate chains for ICMP, TCP and UDP to traverse
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

# The allowed chain for TCP connections
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A allowed -m limit
$IPTABLES -A allowed -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT allowed packet died: "
$IPTABLES -A allowed -p TCP -j DROP

# ICMP rules
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT #Echo Reply
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT #Destination unreachable
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT #Redirect
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT #Echo
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT #Time Exceeded

# TCP rules
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 50 -j allowed #Securemote Ports
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 256 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 257 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 258 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 259 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 260 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 261 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 262 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 263 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 264 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 265 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 500 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 2746 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed #Exchange Ports
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 4899 -j allowed #Remote Admin
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1478 -j allowed #OEM Ports
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1754 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 7772 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 7773 -j allowed

# UDP ports
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 50 -j ACCEPT #Securemote Ports
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 256 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 257 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 258 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 259 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 260 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 261 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 262 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 263 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 264 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 265 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 500 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2746 -j ACCEPT

# PREROUTING chain.
# Do some checks for obviously spoofed IP's
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP

# INPUT chain
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

$IPTABLES -A INPUT -p ALL -d $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $DMZ_IP -j ACCEPT

$IPTABLES -A INPUT -p TCP -i $INET_IFACE --dport 53 -j allowed
$IPTABLES -A INPUT -p UDP -i $INET_IFACE --dport 53 -j ACCEPT

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

# OUTPUT chain
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $DMZ_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -p TCP -i $INET_IFACE --dport 53 -j allowed
$IPTABLES -A OUTPUT -p UDP -i $INET_IFACE --dport 53 -j ACCEPT

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# Enable advanced IP PREROUTING
# Web Server routing
$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d $HTTP_IP --dport 22 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d $HTTP_IP --dport 53 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $DMZ_IFACE -d $HTTP_IP --dport 53 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d $HTTP_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $DMZ_IFACE -d $HTTP_IP --dport 109 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d $HTTP_IP --dport 109 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d $HTTP_IP --dport 110 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 110 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $DMZ_IFACE -d $HTTP_IP --dport 110 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 143 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $DMZ_IFACE -d $HTTP_IP --dport 143 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d $HTTP_IP --dport 143 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 443 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $DMZ_IFACE -d $HTTP_IP --dport 443 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p ICMP -i $INET_IFACE -d $HTTP_IP -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p ICMP -i $LAN_IFACE -d $HTTP_IP -j DNAT --to-destination $DMZ_HTTP_IP

# DNS Server routing
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP

# Enable advanced IP FORWARDING
# Web Server routing
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 22 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 80 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 109 -j allowed
$IPTABLES -A FORWARD -p TCP -i $DMZ_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 109 -j allowed
$IPTABLES -A FORWARD -p TCP -i $DMZ_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 110 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 110 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 143 -j allowed
$IPTABLES -A FORWARD -p TCP -i $DMZ_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 143 -j allowed
$IPTABLES -A FORWARD -p TCP -i $DMZ_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 443 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 443 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $LAN_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP -j icmp_packets
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP -j icmp_packets

# DNS Server routing
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP --dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP -j icmp_packets

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Thanks
Sue