LinuxQuestions.org > Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-21-2003, 07:21 PM   #1
brentos
Member
 
Registered: Nov 2003
Distribution: Fedora Core3, RHEL3,4
Posts: 92

Rep: Reputation: 15
Firewall/iptables


I have just experienced a hack on one of my servers and I am now trying to secure my others before it happens to them.

I am familiar with Linux and especially RedHat, but I have never had to configure iptables before.

I have to do it all over ssh (the server is hosted) and I basically want to block everything except the ports I use, such as http, ftp, ssh and a few others for my mail and so on.

Could anybody give me an idea on how to get started or where I can look for help?
 
Old 11-22-2003, 09:00 AM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 64
The simplest way is:
# Accept SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Accept http
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# do the above for each port you want to allow.
# Allow established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Disallow everything else
iptables -P INPUT DROP
iptables -P OUTPUT DROP
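An added example (not from the thread) that applies the allow-list approach of this post in a way that fits the OP's constraint of working over ssh: it writes the ruleset in iptables-restore format, saves the live rules first, and arms a timed rollback so a mistake restores the old rules instead of locking you out. It assumes root, IPv4 only, iptables-save/iptables-restore installed, and a constructed port list standing in for the OP's real services.

```bash
#!/bin/sh
# Added example, not from the thread: post #2's allow-list ruleset written for
# iptables-restore, with a backup of the live rules and a timed rollback so an
# error made over SSH cannot lock you out. Assumptions: root, IPv4 only,
# iptables-save/restore installed; the port list is a constructed stand-in.

ALLOW_TCP="${ALLOW_TCP:-22 80 21 25 110}"      # ssh http ftp smtp pop3
BACKUP="${BACKUP:-/root/iptables.before}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# Emit the ruleset as text so it can be read (or checked) before it is loaded.
build_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    for p in $ALLOW_TCP; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Post #2 drops all new outbound traffic; the host still needs DNS, and
    # package updates need HTTP(S), so those are allowed out here.
    echo '-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT'
    echo '-A OUTPUT -p tcp -m multiport --dports 53,80,443 -m state --state NEW -j ACCEPT'
    echo 'COMMIT'
}

# Number of INPUT rules that accept NEW connections to a given TCP port.
rule_count_for_port() {
    build_rules | grep -c -- "^-A INPUT .*--dport $1 -m state --state NEW -j ACCEPT"
}

apply_rules() {
    iptables-save > "$BACKUP" || return 1
    # Watchdog: unless killed within ROLLBACK_SECS it puts the saved rules back.
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$BACKUP" ) &
    WATCHDOG=$!
    if build_rules | iptables-restore; then
        echo "Loaded. Open a NEW ssh session to confirm, then: kill $WATCHDOG"
    else
        kill "$WATCHDOG"; iptables-restore < "$BACKUP"; return 1
    fi
}

if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Run it as `sh firewall.sh apply` from your existing ssh session, then open a second session before killing the watchdog; if the second login fails, wait and the old rules come back by themselves.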
 
Old 11-22-2003, 02:06 PM   #3
brentos
Member
 
Registered: Nov 2003
Distribution: Fedora Core3, RHEL3,4
Posts: 92

Original Poster
Rep: Reputation: 15
Thanks, could you possibly just tell me what my current iptables means? I do not want to remove anything if it is needed since some of it might have been set up by cpanel. I have changed the actual host to host.com, not because I don't trust you, just I don't want to display my holes all over the net.

Chain INPUT (policy ACCEPT)
target prot opt source destination
acctboth all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
acctboth all -- anywhere anywhere

Chain acctboth (2 references)
target prot opt source destination
tcp -- neo.mugglenet.com anywhere tcp dpt:http
tcp -- anywhere host.com tcp spt:http
tcp -- neo.mugglenet.com anywhere tcp dpt:smtp
tcp -- anywhere host.com tcp spt:smtp
tcp -- neo.mugglenet.com anywhere tcp dpt:pop3
tcp -- anywhere host.com tcp spt:pop3
icmp -- neo.mugglenet.com anywhere
icmp -- anywhere host.com
tcp -- neo.mugglenet.com anywhere
tcp -- anywhere host.com
udp -- neo.mugglenet.com anywhere
udp -- anywhere host.com
all -- neo.mugglenet.com anywhere
all -- anywhere host.com
all -- anywhere anywhere
 
Old 11-23-2003, 02:29 PM   #4
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 64
It is basically saying that you are accepting connections from the hosts listed. This wouldn't make much difference though, since the default policy is accept.
 
Old 11-23-2003, 05:02 PM   #5
brentos
Member
 
Registered: Nov 2003
Distribution: Fedora Core3, RHEL3,4
Posts: 92

Original Poster
Rep: Reputation: 15
So then I can safely clear those out and add my own then?
 
Old 11-23-2003, 05:23 PM   #6
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 64
I would assume so. You may want to make specific allowances for those hosts if they are there for particular reasons.
 
Old 11-24-2003, 03:13 AM   #7
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
Your best bet is to create an SSH script and have it do all the rules for you.
I have attached an example script that allows ALL connections OUT and none IN,
but this is also used as a gateway, so you may want to modify some of the MASQUERADE options etc.

#!/bin/sh

# IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward


# Make the kernel ignore all ICMP echo requests (so the rate-limited
# echo rule further down accepts packets the kernel then ignores anyway)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Set an absolute path to IPTABLES and define the interfaces.
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.

IPTABLES="/sbin/iptables"
OUTSIDE=eth0
INSIDE=eth1

# Other Definitions
# You may want to add in your http server if it's on a separate box
# and follow the examples below to configure the firewall to FWD to it
EXT_IP="202.xxx.xxx.xx"
INT_IP="192.168.1.1"
MAILSVR="192.168.1.251"

# Test Machine Definitions
TEST_PC="192.168.1.250"
TEST_HTTP="8080"
TEST_HTTPS="8081"

# Clear out any existing firewall rules, and any chains that might have
# been created.
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -X

# Set Default Rules
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as not to swamp the
# firewall in a DOS scenario.

# silent - Just drop the packet
# tcpflags - Log packets with bad flags, most likely an attack
# firewalled - Log packets that we refuse, possibly from an attack

$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP

# Use below to enable MASQUERADE eth1
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags

# Allow selected ICMP types and drop the rest.
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled

# The loopback interface is inherently trustworthy
$IPTABLES -A INPUT -i lo -j ACCEPT

# Inside machines are trustworthy
$IPTABLES -A INPUT -i $INSIDE -d $INT_IP -j ACCEPT

# Port forwarding.

# Redirect Traffic for Port 80 to Squid Proxy Server:3128
$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp --dport 80 -j REDIRECT --to-port 3128

# Redirect External & Internal HTTP on 8080 to Local PC
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTP -d $EXT_IP -j DNAT --to $TEST_PC:$TEST_HTTP
#$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp -m tcp --dport $TEST_HTTP -d $EXT_IP -j DNAT --to $TEST_PC:$TEST_HTTP

# Redirect External & Internal HTTPS on 8081 to Local PC
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTPS -j DNAT --to $TEST_PC:$TEST_HTTPS
#$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp -m tcp --dport $TEST_HTTPS -j DNAT --to $TEST_PC:$TEST_HTTPS

# Redirect External Emails to Mailserver
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport 110 -j DNAT --to $MAILSVR:110
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport 25 -j DNAT --to $MAILSVR:25

# INPUT SETTINGS

# Pop3
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 110 -j ACCEPT
# SMTP
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 25 -j ACCEPT
# SSH
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
# HTTP
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 80 -j ACCEPT
# HTTPS
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 443 -j ACCEPT
# TEST PC
#$IPTABLES -A INPUT -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTP -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTPS -j ACCEPT



# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Anything that hasn't already matched gets logged and then dropped.
$IPTABLES -A INPUT -j firewalled
 
Old 11-24-2003, 10:48 AM   #8
brentos
Member
 
Registered: Nov 2003
Distribution: Fedora Core3, RHEL3,4
Posts: 92

Original Poster
Rep: Reputation: 15
I will try to make a script for it. I think I have enough information to start.

But just to clarify. All the host.com that I showed in my iptables are the actual host of the machine itself. I actually see that I did not remove them all. So I think the iptables basically say, if it's from anywhere to my server allow it and if it's from my server to anywhere allow it.
 
Old 11-24-2003, 02:16 PM   #9
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 64
Yes - it is probably to allow connections to mysql etc. that run on the same host.
 
Old 11-24-2003, 03:15 PM   #10
brentos
Member
 
Registered: Nov 2003
Distribution: Fedora Core3, RHEL3,4
Posts: 92

Original Poster
Rep: Reputation: 15
So then is it safe to remove them or not?

Sorry to be asking what may sound like a stupid question, I just don't want to mess up.

Could I make it so that if it's from my server to my server allow anything, so that I will not have to worry about it connecting to itself?
 
Old 11-24-2003, 03:32 PM   #11
Dewar
Member
 
Registered: Sep 2003
Location: Washington State
Distribution: SuSE 8.0, SuSE 9.0, Slack 9.1
Posts: 90

Rep: Reputation: 15
The command to allow anything to the loopback address (used for same-computer connections) is

iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT

Of course, someone could still spoof a packet coming from the loopback address, but the above script posted by chrisfirestar handles both this line and the anti-spoofing rules as well.
 
Old 11-24-2003, 05:35 PM   #12
brentos
Member
 
Registered: Nov 2003
Distribution: Fedora Core3, RHEL3,4
Posts: 92

Original Poster
Rep: Reputation: 15
Alright thanks for all the help. I am going to give it a shot and let you know

Just want to find a way to back up my iptables before I do, so that if I really mess up I won't have to remember it all.
 
Old 11-25-2003, 12:31 PM   #13
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 64
Try:
iptables-save
 
Old 11-25-2003, 03:28 PM   #14
brentos
Member
 
Registered: Nov 2003
Distribution: Fedora Core3, RHEL3,4
Posts: 92

Original Poster
Rep: Reputation: 15
Thanks for all the help.
I got it all to work without any problems.

I just have to review which ports I really need. For now I left open all the ones that were listening but I want to see if I really need them all, I just don't want anything to stop working and for that to be the reason.

Thanks again
 
Old 11-25-2003, 05:47 PM   #15
brentos
Member
 
Registered: Nov 2003
Distribution: Fedora Core3, RHEL3,4
Posts: 92

Original Poster
Rep: Reputation: 15
Ok I ran into a little problem I thought I might ask about.

I allowed connections to my ftp on port 21 and it works ok except not in passive mode.

Since a lot of the users of the server seem to use passive mode, is there any way to allow this without totally compromising my security?

I read one article that says to open up all non-privileged ports, but I mean that just leaves a lot of the server open in my opinion.

Got any ideas?
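An added example (not part of the thread) comparing the two ways of admitting passive FTP through a default-DROP INPUT chain: the approach from the article the OP read (open every unprivileged port) beside the kernel's FTP connection-tracking helper, which reads the PASV reply on the control channel and marks the data connection RELATED so the existing ESTABLISHED,RELATED rule admits it. It assumes root, the standard control port 21, and a helper module named ip_conntrack_ftp on 2.4/early 2.6 kernels or nf_conntrack_ftp on later ones.

```bash
#!/bin/sh
# Added example, not from the thread: passive FTP through a default-DROP INPUT
# chain. Option A opens every unprivileged port (the article the OP mentions);
# option B loads the FTP conntrack helper so data channels arrive as RELATED.
# Assumptions: root; module is ip_conntrack_ftp (2.4/early 2.6) or
# nf_conntrack_ftp (later kernels); the control port is the standard 21.

# Option A: every port from 1024 up answers NEW connections from anywhere.
ftp_rules_open_range() {
    echo '-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT'
    echo '-A INPUT -p tcp --dport 1024:65535 -m state --state NEW -j ACCEPT'
}

# Option B: only port 21 accepts NEW; passive data channels ride in as RELATED.
ftp_rules_conntrack() {
    echo '-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
}

load_ftp_helper() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp || return 1
    # Kernels 4.7+ no longer attach helpers automatically; bind it to port 21.
    # Older kernels lack the CT target, so a failure here is tolerated.
    iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp 2>/dev/null || true
}

# How many TCP ports do the NEW-accepting rules on stdin expose? Parses the
# --dport value (single port or low:high range) so both options can be compared.
count_exposed_ports() {
    total=0
    while read -r line; do
        case "$line" in *'--state NEW'*) ;; *) continue ;; esac
        port=$(printf '%s\n' "$line" | sed -n 's/.*--dport \([0-9:]*\).*/\1/p')
        case "$port" in
            *:*) lo=${port%%:*}; hi=${port##*:}; total=$((total + hi - lo + 1)) ;;
            *)   total=$((total + 1)) ;;
        esac
    done
    echo "$total"
}

if [ "${1:-}" = "apply" ]; then
    load_ftp_helper
    # Word-splitting of $rule into iptables arguments is intended here.
    ftp_rules_conntrack | while read -r rule; do iptables $rule; done
fi
```

The helper cannot read a PASV reply inside an encrypted (FTPS) control channel, so for TLS-protected FTP the server must be pinned to a small passive port range that is then opened explicitly.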
 
  

