LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-26-2007, 08:24 PM   #1
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Rep: Reputation: 31
iptables - how to filter internal nat'd address


Hi there,

We have changed our router setup, and our server that was once protected by our router firewall is now in a DMZ type of setup.

How do I set up iptables to work with an internal IP that gets forwarded from an external IP? Do I filter by just the port? Or just the internal or external IP with the port?

Any good references?
 
Old 06-26-2007, 08:46 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
What iptables are you referring to? The iptables on the server itself?
 
Old 06-26-2007, 08:56 PM   #3
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
Yes, the program "iptables".

I usually use Firewall Builder to create the rules.
Usually the IPs are external static, so it's easy.

This one has an internal IP of 192.168.X.X

Where do I go from here?

Last edited by neocontrol; 06-26-2007 at 08:59 PM.
 
Old 06-26-2007, 09:03 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
What services are running on the box? It's basically just a matter of filtering incoming packets that aren't destined to any of those services, and also preventing any outgoing connections (unless you need the box to establish connections for some reason).
 
Old 06-26-2007, 09:23 PM   #5
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
I don't care what goes out of the box, I usually let everything out.

What I need in is 22, 25, 80, 443.

Everything else, I just want dropped.
 
Old 06-26-2007, 09:32 PM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by neocontrol
I don't care what goes out of the box, I usually let everything out.
Wow, that sucks.

Quote:
What I need in is 22, 25, 80, 443.

Everything else, I just want dropped.
Cool, then something like this should work fine:
Code:
iptables -P INPUT DROP

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p TCP -m multiport --dports 22,25,80,443 \
-m state --state NEW -j ACCEPT
You'd need to add to it if you want to restrict connections in some way. Like, say for example you don't want to allow fellow machines on the DMZ to connect to the server, etc.

Last edited by win32sux; 06-26-2007 at 09:36 PM.
 
Old 06-26-2007, 09:37 PM   #7
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
Can you tell me why I wouldn't want to let everything out? There are only two people who "do" anything on the box, which is me and the boss. Is there another reason why I wouldn't want to have that?

Last edited by neocontrol; 06-26-2007 at 09:43 PM.
 
Old 06-26-2007, 09:45 PM   #8
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by neocontrol
Can you tell me why I wouldn't let anything out? There are only two people who "do" anything on the box, which is me and the boss. Is there another reason why I wouldn't want to have that?
Sure, I can give you an example: Let's say your Apache daemon gets cracked, but the cracker is not able to achieve privilege escalation. If you have firewalled outgoing connections, the damage will be somewhat contained, as she won't be able to connect to other machines on your DMZ/LAN/WAN. But if you had no outgoing firewall rules, she can now use her non-root privileges as a launchpad for other cyber attacks on your DMZ/LAN/WAN.

The point is, if there is no reason for your server to start connections on its own, then you can have your firewall make sure that doesn't happen. And you can also have it let you know whenever something on the server does indeed try to establish an outgoing connection.
Code:
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "

Last edited by win32sux; 06-26-2007 at 10:04 PM.
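As an added example (not code posted by anyone in this thread): once the OUTPUT LOG rule above is in place, the kernel log fills with "OUTPUT DROP: " lines, and the question becomes which outbound connections the box keeps trying to start. The script below summarises those lines by destination and port so you can decide which ones deserve an explicit ACCEPT. The sample log lines are constructed, using documentation address ranges.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the "OUTPUT DROP: " lines that
# the LOG rule in the post above writes to the kernel log, so you can see which
# outbound connections the server is trying to start before deciding which
# ones deserve an explicit ACCEPT. The log lines below are constructed.

summarize_output_drops() {
    # reads log lines on stdin, prints "count proto dst:dport", busiest first
    awk '/OUTPUT DROP: / {
            proto = "?"; dst = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DST=/)   dst   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            seen[proto " " dst ":" dpt]++
         }
         END { for (k in seen) print seen[k], k }' | sort -rn
}

# constructed sample in the kernel LOG target's format (IN=, OUT=, SRC=, DST=,
# PROTO=, SPT=, DPT=); 192.0.2.x and 198.51.100.x are TEST-NET addresses
SAMPLE_LOG='Jul  3 10:01:12 srv kernel: OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40123 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  3 10:01:15 srv kernel: OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.20 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40124 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  3 10:02:01 srv kernel: OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40125 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  3 10:02:03 srv kernel: OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.20 DST=192.0.2.53 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=51234 DPT=53 LEN=48
Jul  3 10:03:40 srv kernel: OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40126 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  3 10:03:42 srv kernel: OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.20 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=40127 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0'

# what the sample shows the box most often trying (and being stopped from) doing
top_output_drop() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_output_drops | head -n 1
}
```

On a live box, replace the sample with `grep 'OUTPUT DROP: ' /var/log/kern.log | summarize_output_drops`; a destination you recognise (your MX relay, your database host) gets an ACCEPT rule, one you do not is worth investigating.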
 
Old 06-26-2007, 10:08 PM   #9
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
Good point....

Sorry to be such a newb at this...

How do you stop the external connections? This wouldn't stop other connections such as port 80 from going out then would it?
 
Old 06-26-2007, 10:20 PM   #10
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
The example I posted would prevent any outgoing connections from being made, and it would log whenever an attempt to establish one is made. This has no effect on incoming connections, as they will be served well thanks to the OUTPUT rule allowing outgoing packets of states RELATED/ESTABLISHED. We just don't want any packets that are *not* RELATED/ESTABLISHED to exit the box, unless we made exceptions for them.

Last edited by win32sux; 06-26-2007 at 10:21 PM.
 
Old 06-26-2007, 10:25 PM   #11
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
Excellent. This takes care of my short-term problem. I guess I need to go learn how to do all this on my own now. I really appreciate it, thanks a lot.
 
Old 06-26-2007, 10:30 PM   #12
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
You're very welcome. If you need any more help with this let us know.
 
Old 07-03-2007, 06:19 AM   #13
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
Looks like I'll take you up on your offer.....

Here's my current rules:

<code>
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# no space after the comma: "RELATED, ESTABLISHED" reaches iptables as two arguments and the rule fails to load
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# these LOG rules come before the ACCEPT rules, so they log every incoming packet, not only drops
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
iptables -A INPUT -j LOG --log-prefix "OUTPUT DROP: "
iptables -A INPUT -p icmp -j ACCEPT

iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 2401 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 3306 -s xxx.xxx.xxx.xxx -j ACCEPT
</code>

I need this to be able to connect to an external server that is used for a database. I thought just putting line 3 in there, that it'd be able to connect externally, but it doesn't allow it. Also I do need this server to send out emails and that is not working.

Am I way off base here with these rules? Or just missing something?

The rules work fine for the most part though, when you do an nmap, only ports 22, 25 (closed for some reason), 80, 443, 2401 show up.

I am able to connect to all those ports, minus 25. I just can't get out from the server.

Thanks,
 
Old 07-03-2007, 11:02 AM   #14
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
Okay, got the mysql issue straightened out, so far.

Here's the updated IPTABLES.

<code>
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -j ACCEPT
# these LOG rules come before the ACCEPT rules, so they log every incoming packet, not only drops
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
iptables -A INPUT -j LOG --log-prefix "OUTPUT DROP: "
# no space after the comma, otherwise the rule fails to load
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 2401 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s <mysql_server> -j ACCEPT

iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
</code>

It seems to have fixed the mysql problem, but I'm left with sendmail not sending messages out. They are going straight to /var/spool/clientmqueue/. Also, when I do an nmap, it shows port 25 closed. How can I open this up to allow mail out?
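As an added example (not code posted by anyone in this thread), here is the ruleset the thread has been converging on, written as one script: default-deny in both directions as in win32sux's posts, the LOG rules placed after the ACCEPT rules so they record only what is actually dropped, and explicit NEW-connection exceptions for the outbound SMTP and MySQL traffic neocontrol needs. The MySQL host address and the DNS exception are assumptions (sendmail has to resolve MX records before it can deliver anywhere).

```shell
#!/bin/sh
# Added example, not posted by anyone in the thread: the INPUT rules from
# post #6, the default-deny OUTPUT rules from post #8 and the extra ports
# from posts #13/#14 combined, with the LOG rules moved after the ACCEPTs so
# they only record what is actually dropped. MYSQL_HOST is a placeholder.
IPT="${IPT:-iptables}"                  # set IPT=echo for a dry run
MYSQL_HOST="${MYSQL_HOST:-192.0.2.10}"  # placeholder, TEST-NET address

build_rules() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # loopback both ways (local mail submission talks to the MTA over 127.0.0.1)
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # packets belonging to connections already accepted in either direction
    $IPT -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # services this box offers: ssh, smtp, http, https, cvs pserver; plus ping
    $IPT -A INPUT -p tcp -m multiport --dports 22,25,80,443,2401 \
         -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT

    # the only NEW connections the box may start: DNS lookups (sendmail needs
    # MX records), SMTP delivery, and MySQL to the one database server
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$MYSQL_HOST" --dport 3306 \
         -m state --state NEW -j ACCEPT

    # log what falls through to the DROP policy: last, rate-limited, and with
    # a prefix naming the chain it actually came from
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT DROP: "
}

# dry-run helper: number of rules the script appends to the OUTPUT chain
count_output_rules() {
    (IPT=echo; build_rules) | grep -c -- '-A OUTPUT'
}

if [ "${1:-}" = "apply" ]; then build_rules; fi
```

Run it as `sh rules.sh apply` from the console rather than over ssh, since the INPUT policy becomes DROP before the ssh rule is appended; `IPT=echo sh rules.sh apply` prints the commands instead of loading them. If nmap still reports port 25 "closed" afterwards, the firewall is accepting the packet and it is sendmail that is not listening on that interface, which is a sendmail configuration question rather than an iptables one.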
 
Old 07-03-2007, 03:02 PM   #15
rg.viza
Member
 
Registered: Aug 2006
Posts: 73

Rep: Reputation: 15
Quote:
Originally Posted by win32sux
Sure, I can give you an example: Let's say your Apache daemon gets cracked, but the cracker is not able to achieve privilege escalation. If you have firewalled outgoing connections, the damage will be somewhat contained, as she won't be able to connect to other machines on your DMZ/LAN/WAN. But if you had no outgoing firewall rules, she can now use her non-root privileges as a launchpad for other cyber attacks on your DMZ/LAN/WAN.

The point is, if there is no reason for your server to start connections on its own, then you can have your firewall make sure that doesn't happen. And you can also have it let you know whenever something on the server does indeed try to establish an outgoing connection.
Code:
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
default deny 4tw!
 
  

