iptables for a server in colo NAT/PAT

capri_guy84 · 05-17-2013, 08:02 PM

I cannot connect with the below IPTables ruleset. Can someone proofread and point any mistakes?

My server is behind a firewall that does a PAT & NAT to the LAN address.

Code:

Internet IP: 68.1.1.23
Port: 10022

Server LAN IP: 10.1.1.23
port: 22

Allowed Internet IPs:  131.1.1.23, 132.1.1.23

/etc/sysconfig/iptables

Code:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -j RH-Firewall-1-INPUT

# ALLOW SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# ALLOW SNMP
-A INPUT -p tcp -m tcp --dport 161 -j ACCEPT
# ALLOW DNS query
-A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# ALLOW ICMP
-A INPUT -p icmp -m icmp --icmp-type 8 -m recent --update --seconds 2 --hitcount 1 --name DEFAULT --rsource -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m recent --set --name DEFAULT --rsource

# BLOCK certain IP/Subnets
-A INPUT -s 10.2.1.254/8 -p icmp -j DROP

# DROP local ip spoofing
-A INPUT -s 127.0.0.0/8 -i !lo -j DROP
# Force SYN packet check
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Force Fragments pkts check
-A INPUT -f -j DROP
# LOG & DROP smurf attacks
-A INPUT -p icmp --icmp-type echo-request -m recent --set
-A INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 2 --hitcount 1 -j LOG --log-prefix "IN_icmp"  --log-level 4
-A INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 2 --hitcount 1 -j DROP
# DROP invalid tcp flags & log
#-A INPUT -m state --state INVALID -j LOG --log-prefix "IN_inv" --log-level 4
#-A INPUT -m state --state INVALID -j DROP
#-A OUTPUT -m state --state INVALID -j LOG --log-prefix "OUT_inv" --log-level 4
#-A OUTPUT -m state --state INVALID -j DROP
# DROP tcp flags that don't make sense
-A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp --tcp-flags PSH,ACK PSH -j DROP
-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# DROP XMAS pkts
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# DROP NULL pkts
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
COMMIT

Thanks!

unSpawn · 05-18-2013, 03:24 AM

You're running a default filter table INPUT chain DROP policy without explicitly allowing certain IP addresses to connect. I suggest you
0) run the default filter table INPUT chain ACCEPT policy, and
1) group your "bad traffic" rules, and
2) explicitly configure certain IP addresses to connect to certain ports, and
3) configure any IP addresses to connect to ports that need to be publicly available (that may be DNS if your machine is authoritative for one or more domains but definitely not SNMP), and
4) make a -j LOG rule precede all individual -j DROP or -j REJECT rules, and
5) end the filter table INPUT chain with a generic "-j DROP" rule.
The change of policy, rearranging rules and adding logging rules facilitate debugging so you should see where or what you block that you shouldn't. Then post your rule set for review again (that's actual 'iptables-save' output, not the static /etc/sysconfig/iptables).