LinuxQuestions.org
#1  12-26-2008, 06:07 AM  active (LQ Newbie)
ipchains: direct me to the right rules


Hi,
Coming directly to the case: with ipchains, please guide me through this scenario.

My setup is as given below:

Eth1 = external IP (e.g. 88.88.88.88), Internet interface
Eth0 = internal IP (192.168.5.1), LAN interface
The internal subnet is 192.168.5.0/24

I want to block outgoing SMTP traffic on port 25 while selectively allowing it.
The reason I want to block it is that our static IP gets blacklisted every time (once in two days) and we have to request delisting.

I have ipchains on a 2.2 kernel on Red Hat Linux 7.

Following is the present firewall rules script, which starts at bootup.

Code:
#!/bin/sh

# Flush Rules
ipchains -F forward
ipchains -F output
ipchains -F input

# Set default to deny all
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY

#ICMP REDIRECT PROTECTION
#possible alteration of routing tables if left open
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
/bin/echo "0" > ${interface}
done

#IP_SPOOFING PROTECTION
#asymmetrically routed packets will fail
#who cares anyways
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done

# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# FTP masq
#/sbin/modprobe ip_masq_ftp


# Add Rules
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT

# prevent spoofed packets from outside
ipchains -A input -s 192.168.5.0/24 -i eth1 -j DENY -l
ipchains -A input -s 127.0.0.0/8 -i ! lo -j DENY -l

# DENY DNS from outside
ipchains -A input -j DENY -l -s 0/0 -d 88.88.88.88 53:53 -p udp -i eth1

# first add list of blocked addresses from file
for bad_addr in `cat /root/firewall/blacklist | awk '{ print $2 }'`; do
ipchains -A input -j DENY -l -s $bad_addr -d 88.88.88.88/32 -p all -i eth1
ipchains -A input -j DENY -l -s 192.168.5.0/24 -d $bad_addr -p all -i eth0
done

# Ping
# we need to ping outside
ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 -p icmp --icmp-type echo-reply -i eth1
ipchains -A output -j ACCEPT -d 0/0 -p icmp --icmp-type echo-request -i eth1

# but outside cannot ping us )
ipchains -A input -j DENY -s 0/0 -d 88.88.88.88/32 -p icmp --icmp-type echo-request -i eth1
ipchains -A output -j DENY -d 0/0 -p icmp --icmp-type echo-reply -i eth1

# allow ping from internal network
ipchains -A output -j ACCEPT -s 0/0 -d 192.168.5.0/24 -p icmp -i eth0
ipchains -A input -j ACCEPT -s 192.168.5.0/24 -d 0/0 -p icmp -i eth0

# VOIP
# Allow udp to ciscoata UDP ports 69, 5060,5061,5062 10000-10800
# don't know the server from which traffic originates.
# That stupid idiot at the VOIP provider doesn't know himself. @&&#o1e
ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 -p udp -i eth0

#ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 69:69 -p udp -i eth0
#ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 5060:5062 -p udp -i eth0
#ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 10000:11500 -p udp -i eth0
ipchains -A output -j ACCEPT -p udp -i eth0

ipchains -A input -j ACCEPT -s 0/0 -p udp -i eth1
#ipchains -A input -j ACCEPT -s 0/0 69:69 -p udp -i eth1
#ipchains -A input -j ACCEPT -s 0/0 5060:5062 -p udp -i eth1
#ipchains -A input -j ACCEPT -s 0/0 10000:11500 -p udp -i eth1
ipchains -A output -j ACCEPT -p udp -i eth1

# Accept all but port 21 to 23 to and from internal net
# matrix genesis and neo allows all
# I'm the goddamn sysadmin.
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.3 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.50 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.51 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.150 -d 0/0 21:23 -i eth0
#ipchains -A input -j ACCEPT -p tcp -s 192.168.5.10 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.15 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.9 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.25 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -s 192.168.5.0/24 -d 0/0 -i eth0
ipchains -A output -j ACCEPT -s 0/0 -d 192.168.5.0/24 -i eth0


# allow traffic originating internally
ipchains -A output -j ACCEPT -s 88.88.88.88/32 -d 0/0 -p tcp -i eth1
ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 -p tcp ! -y -i eth1

# DNS
ipchains -A output -j ACCEPT -s 88.88.88.88/32 -d 0/0 53:53 -p udp -i eth1
ipchains -A input -j ACCEPT -s 0/0 53:53 -d 88.88.88.88/32 -p udp -i eth1

# Forward /Masq internal network
for host_addr in `cat /root/firewall/hostlist`; do
ipchains -A forward -j MASQ -s $host_addr -d 0.0.0.0/0
done

ipchains -A forward -s 192.168.5.0/24 -d 0.0.0.0/0 -j MASQ

ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 80:80 -p tcp -i eth1
ipchains -A output -j ACCEPT -s 88.88.88.88/32 80:80 -d 0/0 -p tcp ! -y -i eth1

ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 110:110 -p tcp -i eth1
ipchains -A output -j ACCEPT -s 88.88.88.88/32 110:110 -d 0/0 -p tcp ! -y -i eth1

ipchains -A input -j DENY -s 0/0 -d 88.88.88.88/32 25:25 -p tcp -i eth1
ipchains -A output -j DENY -s 88.88.88.88/32 25:25 -d 0/0 -p tcp ! -y -i eth1

As you can see at the very bottom of the rules, I have denied port 25 for SMTP,
but I can still send mail using

Code:
mail -s subject user@example.com
from a Linux system, and it successfully sends out mail.

Why are my ipchains rules not working as expected for SMTP port 25?
Please help me out of this mess.
Thanking you people in advance,
Mark
 
#2  12-26-2008, 09:03 AM  blackhole54 (Senior Member)
Quote (originally posted by active):
ipchains -A input -j DENY -s 0/0 -d 88.88.88.88/32 25:25 -p tcp -i eth1
ipchains -A output -j DENY -s 88.88.88.88/32 25:25 -d 0/0 -p tcp ! -y -i eth1
These rules would block an incoming connection to your mail server (if you have one) and would block an outgoing response from your mail server.

If you want to block all outgoing SMTP traffic (based on its standard port #):

Code:
ipchains -A output -j DENY -p tcp --dport 25
If you want to allow it to several addresses and block all others, put ACCEPT rules prior to the DENY rule:

Code:
ipchains -A output -j ACCEPT -p tcp --dport 25 -d 1.2.3.4
ipchains -A output -j ACCEPT -p tcp --dport 25 -d 4.5.6.7
ipchains -A output -j DENY -p tcp --dport 25
You may be able to omit the "-p tcp --dport 25" on the ACCEPT rules, depending upon your need.

Just a general observation about your script (which I didn't look at in detail): normally you don't need to specify your own IP address (88.88.88.88). However, maybe you have a special need that would dictate doing so. I see you already know how to specify the interface with the -i option.

Also, please bear in mind the security risks of running an unsupported distro.

EDIT: You also don't need to mention "any address", i.e. "-s 0/0" and "-d 0/0" do nothing. You may as well leave them out.

Last edited by blackhole54; 12-26-2008 at 09:07 AM.
 
#3  12-26-2008, 10:00 AM  active (LQ Newbie, original poster)
Not helping

Both the rules (mine as well as yours) are not working to block SMTP port 25.

It will be helpful if you paste the exact rules.
Can you think of any other reason why this is not working, even though the rules are very specific (what I have pasted)?
Tnx
 
#4  12-26-2008, 11:58 AM  blackhole54 (Senior Member)
I believe I found the problem. I think the rules I posted were correct. However, I believe you have this rule before them:

Quote (originally posted by active):
# allow traffic originating internally
ipchains -A output -j ACCEPT -s 88.88.88.88/32 -d 0/0 -p tcp -i eth1
That rule allows all tcp traffic out. With ipchains, packets traverse a chain until they match a rule. If that rule has a -j (the letter "jay") option, it stops traversing the chain at that point. So you need to put the above rule after any rules that block any tcp packets. Alternatively, if you want a default REJECT policy on your output chain, you can just enumerate what is acceptable to leave your machine and let the REJECT policy handle the rest.
 
#5  12-26-2008, 11:00 PM  active (LQ Newbie, original poster)
You are right, I completely missed that rule, which you have rightly indicated.
Your rule
ipchains -A output -j DENY -p tcp --dport 25
completely blocks any SMTP connection through port 25, but I am also not able to selectively unblock a particular IP so that it establishes a connection on port 25. I.e. if I want to unblock this IP, 192.168.10.51, your rule
ipchains -A output -j ACCEPT -p tcp --dport 25 -d 192.168.10.51

is not working (I have placed this rule before the deny rule).

Tnx
 
#6  12-27-2008, 05:46 AM  blackhole54 (Senior Member)
I don't see the problem. If you can't figure it out yourself maybe you should post your updated set of rules for me and others to take a look at.

But first, let me suggest some troubleshooting tips that might help you.

If you (as root) use the command

Code:
ipchains -nvL <optional name of chain> | less
the first two columns of the output will list the number of packets (1st column) along with the byte count (2nd column) of the packets that matched each rule. This might help you troubleshoot problems you have. I have only used this on desktop systems that have a small number of packets to consider. Perhaps its usefulness decreases on a busy server. I have no experience with that, so I can't comment.

The other thing that might help in troubleshooting problems is to add rules (selected for their potential effectiveness in helping you troubleshoot!) that log. Be aware that, both for logging and for simply looking at packet/byte counts, the rule does not have to have a -j (jump) option. So, for example, if you want to log all outgoing tcp packets that have a destination port of 25 and are still traversing the chain at the point where you put the rule, you could:

Code:
ipchains -A output -p tcp --dport 25 -l
I expressed this using -A. For temporary insertion of rules for troubleshooting, -I (capital "eye") might be more useful. And don't forget about using the option --line-number with -L to figure out where you need to insert rules to help you with troubleshooting.
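To make blackhole54's point in #4 concrete (the first matching rule that carries -j decides, which is why the ACCEPT-before-DENY ordering from #2 matters), together with the note in #6 that a rule without -j only logs and does not stop traversal, here is a small Python model of ipchains chain traversal. It is an added example, not code from this thread or from ipchains itself; it parses only the options the thread's output-chain rules use, the addresses are the thread's own placeholder values, and the test packet is constructed.

```python
import ipaddress
import shlex

def net(spec):
    """'0/0', '88.88.88.88' or '192.168.5.0/24' -> ip_network (bare host => /32)."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)

def ports(spec): lo, _, hi = spec.partition(":"); return int(lo), int(hi or lo)  # '25' or '21:23'

def parse_rule(line):
    """Parse the subset of ipchains options used in this thread into a dict."""
    a = shlex.split(line)
    r = {"chain": None, "target": None, "log": False, "proto": None, "src": None,
         "dst": None, "sport": None, "dport": None, "iface": None, "syn": None}
    i = 1  # skip the word 'ipchains'
    while i < len(a):
        t = a[i]
        if t in ("-A", "-I"): r["chain"] = a[i + 1]; i += 2
        elif t == "-j": r["target"] = a[i + 1]; i += 2
        elif t == "-l": r["log"] = True; i += 1
        elif t == "-i": r["iface"] = a[i + 1]; i += 2
        elif t == "-p": r["proto"] = None if a[i + 1] == "all" else a[i + 1]; i += 2
        elif t == "--dport": r["dport"] = ports(a[i + 1]); i += 2
        elif t in ("-s", "-d"):
            r["src" if t == "-s" else "dst"] = net(a[i + 1]); i += 2
            if i < len(a) and a[i][0].isdigit():  # optional port spec right after the address
                r["sport" if t == "-s" else "dport"] = ports(a[i]); i += 1
        elif t == "!" and a[i + 1] == "-y": r["syn"] = False; i += 2  # non-SYN packets only
        else: raise ValueError("unsupported option %r" % t)
    return r

def matches(r, p):
    return ((r["proto"] is None or r["proto"] == p["proto"])
            and (r["iface"] is None or r["iface"] == p["iface"])
            and (r["src"] is None or p["src"] in r["src"])
            and (r["dst"] is None or p["dst"] in r["dst"])
            and (r["sport"] is None or r["sport"][0] <= p["sport"] <= r["sport"][1])
            and (r["dport"] is None or r["dport"][0] <= p["dport"] <= r["dport"][1])
            and (r["syn"] is None or r["syn"] == p["syn"]))

def verdict(rules, pkt, policy="REJECT"):
    """First matching rule that carries -j decides. A match on a rule without -j
    (e.g. a pure -l logging rule) only logs/counts and traversal continues."""
    for r in rules:
        if matches(r, pkt) and r["target"]:
            return r["target"]
    return policy  # nothing decided: the chain's -P policy applies

def smtp_syn(dst, dport=25):
    """Constructed outgoing TCP connection attempt from the firewall's own IP."""
    return {"proto": "tcp", "src": ipaddress.ip_address("88.88.88.88"), "sport": 40000,
            "dst": ipaddress.ip_address(dst), "dport": dport, "iface": "eth1", "syn": True}

CATCH_ALL = "ipchains -A output -j ACCEPT -s 88.88.88.88/32 -d 0/0 -p tcp -i eth1"
# Post #1 order: catch-all tcp ACCEPT first; its DENY also only matches replies *from* port 25.
POST1 = [parse_rule(l) for l in (CATCH_ALL,
         "ipchains -A output -j DENY -s 88.88.88.88/32 25:25 -d 0/0 -p tcp ! -y -i eth1")]
# Post #7 order: per-host ACCEPT, then DENY --dport 25, then the catch-all.
POST7 = [parse_rule(l) for l in ("ipchains -A output -j ACCEPT -p tcp --dport 25 -d 192.168.5.51",
         "ipchains -A output -j DENY -p tcp --dport 25", CATCH_ALL)]
```

Compare verdict(POST1, smtp_syn("1.2.3.4")) with verdict(POST7, smtp_syn("1.2.3.4")) to see ACCEPT versus DENY for the same packet; reversing POST1 still gives ACCEPT because that DENY matches source port 25, not destination port 25.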
 
#7  12-27-2008, 06:15 AM  active (LQ Newbie, original poster)
I tried troubleshooting; there was too much info to analyse.
Here are my updated rules. As you can see, I have placed the SMTP-related rules above

# allow traffic originating internally
ipchains -A output -j ACCEPT -s 88.88.88.88/32 -d 0/0 -p tcp -i eth1


Your rule for blocking works fine and successfully blocks all outgoing SMTP on port 25.
Purpose half served, but I am not able to unblock these two IPs, which is essential for sending out mail.

To your info, I am not fully proficient with ipchains and do the needful by being specific.
tnx


Code:
#!/bin/sh

# Flush Rules
ipchains -F forward
ipchains -F output
ipchains -F input

# Set default to deny all
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY

#ICMP REDIRECT PROTECTION
#possible alteration of routing tables if left open
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
/bin/echo "0" > ${interface}
done

#IP_SPOOFING PROTECTION
#asymmetrically routed packets will fail
#who cares anyways
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done

# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# FTP masq
#/sbin/modprobe ip_masq_ftp


# Add Rules
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT

# prevent spoofed packets from outside
ipchains -A input -s 192.168.5.0/24 -i eth1 -j DENY -l
ipchains -A input -s 127.0.0.0/8 -i ! lo -j DENY -l

# DENY DNS from outside
ipchains -A input -j DENY -l -s 0/0 -d 88.88.88.88 53:53 -p udp -i eth1

#SMTP Blocked except a few IP's
ipchains -A output -j ACCEPT -p tcp --dport 25 -d 192.168.5.51
ipchains -A output -j ACCEPT -p tcp --dport 25 -d 192.168.5.52
ipchains -A output -j DENY -p tcp --dport 25


# first add list of blocked addresses from file
for bad_addr in `cat /root/firewall/blacklist | awk '{ print $2 }'`; do
ipchains -A input -j DENY -l -s $bad_addr -d 88.88.88.88/32 -p all -i eth1
ipchains -A input -j DENY -l -s 192.168.5.0/24 -d $bad_addr -p all -i eth0
done

# Ping
# we need to ping outside
ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 -p icmp --icmp-type echo-reply -i eth1
ipchains -A output -j ACCEPT -d 0/0 -p icmp --icmp-type echo-request -i eth1

# but outside cannot ping us )
ipchains -A input -j DENY -s 0/0 -d 88.88.88.88/32 -p icmp --icmp-type echo-request -i eth1
ipchains -A output -j DENY -d 0/0 -p icmp --icmp-type echo-reply -i eth1

# allow ping from internal network
ipchains -A output -j ACCEPT -s 0/0 -d 192.168.5.0/24 -p icmp -i eth0
ipchains -A input -j ACCEPT -s 192.168.5.0/24 -d 0/0 -p icmp -i eth0

# VOIP
# Allow udp to ciscoata UDP ports 69, 5060,5061,5062 10000-10800
# don't know the server from which traffic originates.
# That stupid idiot at the VOIP provider doesn't know himself. @&&#o1e
ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 -p udp -i eth0

#ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 69:69 -p udp -i eth0
#ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 5060:5062 -p udp -i eth0
#ipchains -A input -j ACCEPT -s 192.168.5.6/32 -d 0/0 10000:11500 -p udp -i eth0
ipchains -A output -j ACCEPT -p udp -i eth0

ipchains -A input -j ACCEPT -s 0/0 -p udp -i eth1
#ipchains -A input -j ACCEPT -s 0/0 69:69 -p udp -i eth1
#ipchains -A input -j ACCEPT -s 0/0 5060:5062 -p udp -i eth1
#ipchains -A input -j ACCEPT -s 0/0 10000:11500 -p udp -i eth1
ipchains -A output -j ACCEPT -p udp -i eth1

# Accept all but port 21 to 23 to and from internal net
# matrix genesis and neo allows all
# I'm the goddamn sysadmin.
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.3 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.50 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.51 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.150 -d 0/0 21:23 -i eth0
#ipchains -A input -j ACCEPT -p tcp -s 192.168.5.10 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.15 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.9 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.25 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -s 192.168.5.0/24 -d 0/0 -i eth0
ipchains -A output -j ACCEPT -s 0/0 -d 192.168.5.0/24 -i eth0


# allow traffic originating internally
ipchains -A output -j ACCEPT -s 88.88.88.88/32 -d 0/0 -p tcp -i eth1
ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 -p tcp ! -y -i eth1

# DNS
ipchains -A output -j ACCEPT -s 88.88.88.88/32 -d 0/0 53:53 -p udp -i eth1
ipchains -A input -j ACCEPT -s 0/0 53:53 -d 88.88.88.88/32 -p udp -i eth1

# Forward /Masq internal network
for host_addr in `cat /root/firewall/hostlist`; do
ipchains -A forward -j MASQ -s $host_addr -d 0.0.0.0/0
done

ipchains -A forward -s 192.168.5.0/24 -d 0.0.0.0/0 -j MASQ

ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 80:80 -p tcp -i eth1
ipchains -A output -j ACCEPT -s 88.88.88.88/32 80:80 -d 0/0 -p tcp ! -y -i eth1

ipchains -A input -j ACCEPT -s 0/0 -d 88.88.88.88/32 110:110 -p tcp -i eth1
ipchains -A output -j ACCEPT -s 88.88.88.88/32 110:110 -d 0/0 -p tcp ! -y -i eth1
 
#8  12-27-2008, 10:05 AM  blackhole54 (Senior Member)
I'm sorry, I don't see the problem with the script. Unless ... the IP addresses you are trying to allow SMTP to aren't included in your blacklist, are they? I also wondered whether you really wanted to masquerade traffic that was going out eth0, but I don't think that could cause this problem. (Of course, I can and do make mistakes.)

Maybe somebody else can spot the error. Other than that, the only thing I know is to troubleshoot.

If I were trying to troubleshoot this, the first thing I would check is to make sure the packets I was trying to send were matching on the ACCEPT statement for the relevant IP address. If you're seeing a bunch of packets matching and aren't sure if any are your test packets, patch in another rule (before the others) that must also match the source address of the machine you are testing from. If I saw the packets getting ACCEPTed, I would use tcpdump to see if those packets left the machine, and if so, whether a response came back. Somewhere, I would see some packets "get lost" that I wasn't expecting. I would then use tcpdump and/or test firewall rules to try to bisect the problem down to where they were getting lost. Sorry, that is all I know to suggest.

I don't think this has anything to do with your SMTP problem, but I did spot what I believe is another problem in your script:

Quote (originally posted by active):
# Accept all but port 21 to 23 to and from internal net
# matrix genesis and neo allows all
# I'm the goddamn sysadmin.
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.3 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.50 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.51 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.150 -d 0/0 21:23 -i eth0
#ipchains -A input -j ACCEPT -p tcp -s 192.168.5.10 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.15 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.9 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -p tcp -s 192.168.5.25 -d 0/0 21:23 -i eth0
ipchains -A input -j ACCEPT -s 192.168.5.0/24 -d 0/0 -i eth0
ipchains -A output -j ACCEPT -s 0/0 -d 192.168.5.0/24 -i eth0

The rule I highlighted in red makes the rules above it immaterial. Perhaps you meant to have a rule immediately above it that REJECTED or DENIED all tcp/21:23 from 192.168.5.0/24?

EDIT: If you do decide not to masquerade the packets going out eth0, you will need to add a rule to the forward chain to accept the return packets.

EDIT2: After thinking about this more, I am confused. Do I understand correctly that this is about machines on your LAN sending packets to SMTP servers on your LAN? If so, why are those packets going through this machine in the first place? (I.e. coming in eth0 and then going back out eth0?)

Last edited by blackhole54; 12-27-2008 at 10:22 AM.
All times are GMT -5. The time now is 02:50 AM.