Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
In your first code block, you're setting chain policies, so the -P is fine. In the second code block, you're creating actual rules, so you don't use -P anymore. You need to either append (-A) or insert (-I) the rules. See man iptables for more info.
Well I tried that as well and added the following rules:
Forward:
Code:
#reject all other traffic not explisit allowed between DMZ and LAN
iptables -A FORWARD -p ALL -s 192.168.20.0/24 -i eth2 -o eth1 -j REJECT
iptables -A FORWARD -p ALL -s 192.168.10.0/24 -i eth1 -o eth2 -j REJECT
#eject all other traffic not explisit allowed outbound from lan and dmz
iptables -A FORWARD -p ALL -s 192.168.20.0/24 -i eth2 -o eth0 -j REJECT
iptables -A FORWARD -p ALL -s 192.168.10.0/24 -i eth1 -o eth0 -j REJECT
And input:
Code:
# reject internal traffic in on eth2 and eth1 instead of deafault drop
iptables -A INPUT -p ALL -s 192.168.20.0/24 -i eth2 -d 192.168.20.1 -j REJECT
iptables -A INPUT -p ALL -s 192.168.10.0/24 -i eth1 -d 192.168.10.1 -j REJECT
As a controll I tried to telnet to the firewall on IP 192.168.20.1 from IP 192.168.20.2, and didn't get any error messages. Only a generic message saying:
#standard rules stopper alt default uten en lyd###################
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
################################################################################################################################
#INPUT Rules
# ping 2 firewall from Officenett siden officenett skal kunne pinge FW
iptables -A INPUT -p ICMP -s 192.168.20.0/24 -i eth2 -d 192.168.20.1 --icmp-type echo-request -j ACCEPT
#Ping reply from officenett 2 firewall siden vi skal kunne pinge fra FW
iptables -A INPUT -p ICMP -s 192.168.20.0/24 -i eth2 -d 192.168.20.1 --icmp-type echo-reply -j ACCEPT
#ping reply 2 firewall from DMZ siden vi skal kunne pinge og få svar fra servere i DMZ på firewall
iptables -A INPUT -p ICMP -s 192.168.10.0/24 -i eth1 -d 192.168.10.1 --icmp-type echo-reply -j ACCEPT
#SSH 2 firewall siden vi skal kunne SSH inn på boksen fra officenett
iptables -A INPUT -p tcp -s 192.168.20.0/24 -i eth2 -d 192.168.20.1 --dport 22 -j ACCEPT
#DNS incomming on WAN interface.NB! Ikke en del av oppgaven men gjorde kommunikasjon mot ftp.no.debian.org via fqdn mulig
iptables -A INPUT -p udp -s 0/0 -i eth0 --sport 53 -j ACCEPT
#Internet 2 firewall
# reject internal traffic in on eth2 and eth1 instead of deafault drop
iptables -A INPUT -p ALL -s 192.168.20.0/24 -i eth2 -d 192.168.20.1 -j REJECT
iptables -A INPUT -p ALL -s 192.168.10.0/24 -i eth1 -d 192.168.10.1 -j REJECT
I can't see anything wrong there (relevant to the issue at hand, at least). Could you add a LOG rule to the end of the INPUT chain then check the log file for evidence that the packet is getting sent to DROP by the policy?
Code:
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
Otherwise, the problem would seem to lie somewhere else. You're sure that host 192.168.20.1 was going in through eth2, right? I ask because if it wasn't, then that would mean a DROP would be used instead of a REJECT.
So I addef the following at the end of my INPUT rules:
Code:
#Internet 2 firewall
# reject internal traffic in on eth2 and eth1 instead of deafault drop
iptables -A INPUT -j LOG
iptables -A INPUT -p ALL -s 192.168.70.0/24 -i eth2 -d 192.168.70.1 -j REJECT
iptables -A INPUT -p ALL -s 192.168.10.0/24 -i eth1 -d 192.168.10.1 -j REJECT
So this actually allows the firewall to send out port-unreachable messages in response for the packages that are rejected. When no rules are in place (as for eth0, WAN interface) the default policy of drop will take effect and packages will be silently dropped.
Any feedback to this conclusion?
So this actually allows the firewall to send out port-unreachable messages in response for the packages that are rejected. When no rules are in place (as for eth0, WAN interface) the default policy of drop will take effect and packages will be silently dropped.
Any feedback to this conclusion?
/Andy.l
Your conclusion makes perfect sense.
I would just add that you don't really need to do any ICMP matching here. As long as you're matching packets in state RELATED, you'll be fine. I had actually assumed you were matching both RELATED and ESTABLISHED. Using these state matches in the OUTPUT chain is usually a better idea than specifying a protocol/port/code/etc, as it prevents arbitrarily-generated packets from exiting.
Practically speaking, you could get rid of those two rules with a single one like:
Code:
iptables -A OUTPUT -m state --state RELATED -j ACCEPT
You could also just add the RELATED match to each of the two rules if you wanna keep them.
Personally, I prefer to just kill two birds with one stone:
Code:
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.