iptables question on input rules to various subnets
This is an issue I'm having at work and won't be able to post a full output till early next week.
Let me just say that the previous admin was using the INPUT chain to assign rules to computers on a case-by-case basis. Well people and computers come and go, along with DHCP reservations, so this is making it very hard to manage.
I tried to add a whole subnet under INPUT, however the end users still can't get access, and I noticed that there were two INPUT chains for those subnets and thought maybe the traffic was hitting the INPUT chain and then, once it had a match, was forwarded to those subnet rules... I'm still learning about IPTables here.
thanks
Last edited by JockVSJock; 07-02-2015 at 06:14 PM.
I don't know about others but I prefer 'iptables-save' output to look at.
One more vote for 'iptables-save'. If your rules are generated from a bash script, posting the script is fine, too. iptables -S is ok, but, oddly, iptables -L (which is what most people go for, presumably 'L' sounding like 'list') is wholly inadequate, and just leads to confusion.
Any output is code and should be posted in code tags. Just easier to read.
The other thing to note is that we get loads of '...and what does this rule do...'. This is usually an unanswerable question (except in the trivial sense that a match rule matches with something, a drop rule drops something, etc) without the context of the rest of the relevant rules. The easiest thing is usually just to post the whole shebang, some people are, probably understandably, nervous about this. If you need to obfuscate addresses, just do it and say 'w.x.y.z is address of DNS server' or whatever seems relevant.
from the man page
Code:
-L, --list [chain]
    List all rules in the selected chain. If no chain is selected, all chains are listed. Like every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by
    iptables -t nat -n -L
    Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given. The exact rules are suppressed until you use
    iptables -L -v
-S, --list-rules [chain]
    Print all rules in the selected chain. If no chain is selected, all chains are printed like iptables-save. Like every other iptables command, it applies to the specified table (filter is the default).
Ok, here is the full IPTable ruleset for the server that I'm having issues with:
Again, my main goal is to prevent having to enter in ip addresses for individual machines under INPUT rules, especially when people are coming and going along with DHCP leases.
I want to be able to assign a whole subnet (156) and anyone in that subnet will be able to SSH into this server.
There are two rules under INPUT
Code:
-A INPUT -j INPUT-156-SUBNET
-A INPUT -j INPUT-220-SUBNET
I'm thinking that these are forwarding traffic into these subnets of 156 and 220, however I'm not totally sure.
Code:
# Generated by iptables-save v1.3.5 on Mon Jul 6 08:25:14 2015
*nat
:PREROUTING ACCEPT [435042:42940729]
:POSTROUTING ACCEPT [59973:3749655]
:OUTPUT ACCEPT [76816:4848931]
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 6 08:25:14 2015
# Generated by iptables-save v1.3.5 on Mon Jul 6 08:25:14 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:INPUT-156-SUBNET - [0:0]
:INPUT-220-SUBNET - [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -p udplite -j DROP
-A INPUT -s 143.83.156.0/255.255.252.0 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 143.83.140.XX -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 143.83.140.XX -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 143.83.220.X -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 143.83.220.X -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 143.83.221.XXX -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 143.83.221.XXX -p tcp -m multiport --ports 443,1521,1158,5560 -j ACCEPT
-A INPUT -s 143.83.158.XXX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT
-A INPUT -s 143.83.156.XX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT
-A INPUT -s 143.83.156.XX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT
-A INPUT -s 143.83.157.XX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT
-A INPUT -s 143.83.159.XXX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT
-A INPUT -s 143.83.220.XXX -p tcp -m multiport --ports 22,1521 -j ACCEPT
-A INPUT -s 143.83.220.XX -p tcp -m tcp --dport 8505:8535 -j ACCEPT
-A INPUT -s 143.83.220.XX -p tcp -m tcp --dport 8400:8404 -j ACCEPT
-A INPUT -s 143.83.220.XX -p tcp -m tcp --dport 8505:8535 -j ACCEPT
-A INPUT -s 143.83.220.XX -p tcp -m tcp --dport 8400:8404 -j ACCEPT
-A INPUT -s 143.83.220.XX -p tcp -m tcp -j ACCEPT
-A INPUT -s 143.83.220.XX -p tcp -m tcp -j ACCEPT
-A INPUT -s 128.44.113.XX -p tcp -m multiport --ports 80,443,591,8443 -j ACCEPT
-A INPUT -s 143.83.220.XXX -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 143.83.220.XXX -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 143.83.220.XXX -p tcp -m tcp --dport 9898 -j ACCEPT
-A INPUT -s 143.83.220.XXX -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -s 143.83.221.XXX -p tcp -m tcp --dport 5560 -j ACCEPT
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 5560 -j ACCEPT
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 5560 -j ACCEPT
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 5560 -j ACCEPT
-A INPUT -s 143.83.221.XXX -p tcp -m tcp --dport 1158 -j ACCEPT
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 1158 -j ACCEPT
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 1158 -j ACCEPT
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 1158 -j ACCEPT
-A INPUT -s 143.83.221.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 143.83.220.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 143.83.220.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 143.83.159.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 143.83.159.XX -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 143.83.159.XX -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 143.83.223.XXX -p tcp -m tcp -j ACCEPT
-A INPUT -s 143.83.223.XXX -p tcp -m tcp -j ACCEPT
-A INPUT -s 143.83.223.XXX -p tcp -m tcp -j ACCEPT
-A INPUT -s 143.83.223.XXX -p tcp -m tcp -j ACCEPT
-A INPUT -s 143.83.223.XXX -p tcp -m tcp -j ACCEPT
-A INPUT -s 143.83.223.XXX -p tcp -m tcp -j ACCEPT
-A INPUT -s 143.83.223.XXX -p tcp -m tcp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -j INPUT-156-SUBNET
-A INPUT -j INPUT-220-SUBNET
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -s 127.0.0.1 -p tcp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -d 127.0.0.1 -p tcp -j ACCEPT
-A FORWARD -o lo -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -d 127.0.0.1 -p tcp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j DROP
-A OUTPUT -d 143.83.221.XXX -p tcp -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -j ACCEPT
-A OUTPUT -d 143.83.220.XX -p tcp -m tcp --dport 8505:8535 -j ACCEPT
-A OUTPUT -d 143.83.220.XX -p tcp -m tcp --dport 8400:8404 -j ACCEPT
-A OUTPUT -d 143.83.220.XX -p tcp -m tcp --dport 8505:8535 -j ACCEPT
-A OUTPUT -d 143.83.220.XX -p tcp -m tcp --dport 8400:8404 -j ACCEPT
-A OUTPUT -d 143.83.220.XX -p tcp -m tcp -j ACCEPT
-A OUTPUT -d 143.83.220.XX -p tcp -m tcp -j ACCEPT
-A OUTPUT -d 128.44.113.XX -p tcp -m multiport --ports 80,443,591,8443 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p udp -m udp --dport 32769 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 32803 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p udp -m udp --dport 2049 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 2049 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p udp -m udp --dport 892 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 892 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p udp -m udp --dport 662 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 662 -j ACCEPT
-A OUTPUT -d 143.83.221.XXX -p udp -m udp --dport 32769 -j ACCEPT
-A OUTPUT -d 143.83.221.XXX -p tcp -m tcp --dport 32803 -j ACCEPT
-A OUTPUT -d 143.83.221.XXX -p udp -m udp --dport 2049 -j ACCEPT
-A OUTPUT -d 143.83.221.XXX -p tcp -m tcp --dport 2049 -j ACCEPT
-A OUTPUT -d 143.83.221.XXX -p udp -m udp --dport 892 -j ACCEPT
-A OUTPUT -d 143.83.221.XXX -p tcp -m tcp --dport 892 -j ACCEPT
-A OUTPUT -d 143.83.221.XXX -p udp -m udp --dport 662 -j ACCEPT
-A OUTPUT -d 143.83.221.XXX -p tcp -m tcp --dport 662 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p udp -m udp --dport 111 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 111 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 9898 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p udp -m udp --dport 514 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 60 -j ACCEPT
-A OUTPUT -d 143.83.158.XXX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT
-A OUTPUT -d 143.83.156.XX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT
-A OUTPUT -d 143.83.156.XX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT
-A OUTPUT -d 143.83.157.XX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT
-A OUTPUT -d 143.83.159.XXX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 1521 -j ACCEPT
-A OUTPUT -d 143.83.159.XX -p tcp -m tcp --dport 1521 -j ACCEPT
-A OUTPUT -d 143.83.157.XX -p tcp -m tcp --dport 1521 -j ACCEPT
-A OUTPUT -d 143.83.157.XX -p tcp -m tcp --dport 1521 -j ACCEPT
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp -j ACCEPT
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp -j ACCEPT
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp -j ACCEPT
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp -j ACCEPT
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp -j ACCEPT
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp -j ACCEPT
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp -j ACCEPT
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p udp -m udp --dport 32769 -j ACCEPT
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p tcp -m tcp --dport 32769 -j ACCEPT
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p udp -m udp --dport 32803 -j ACCEPT
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p tcp -m tcp --dport 32803 -j ACCEPT
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p udp -m udp --dport 892 -j ACCEPT
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p tcp -m tcp --dport 892 -j ACCEPT
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p udp -m udp --dport 662 -j ACCEPT
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p tcp -m tcp --dport 662 -j ACCEPT
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p udp -m udp --dport 111 -j ACCEPT
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p udp -m udp --dport 32769 -j ACCEPT
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p tcp -m tcp --dport 32769 -j ACCEPT
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p udp -m udp --dport 32803 -j ACCEPT
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p tcp -m tcp --dport 32803 -j ACCEPT
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p udp -m udp --dport 892 -j ACCEPT
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p tcp -m tcp --dport 892 -j ACCEPT
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p udp -m udp --dport 662 -j ACCEPT
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p tcp -m tcp --dport 662 -j ACCEPT
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p udp -m udp --dport 111 -j ACCEPT
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p tcp -m tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jul 6 08:25:14 2015
I'm sorry to say but that filter table rule set is a complete mess:
- there's a DROP policy and then somebody drops udplite protocol anyway?..
- about the only rule using -m state is RELATED,ESTABLISHED in RH-Firewall-1-INPUT,
- the line above the final REJECT in RH-Firewall-1-INPUT allows TCP/22 to ALL (basically neutralizing all the TCP/22 access rules above),
- somebody uses -m multiport in some places and then in some not AND for the same source IP range,
- then there are multiple duplicate rules for the same source IP range,
- and somebody defined INPUT-156-SUBNET rules in the most inefficient way (instead use "-A INPUT -m conntrack --ctstate NEW -s 143.83.156.0/255.255.252.0 -j INPUT-156-SUBNET" then you only need one -m multiport rule per UDP/TCP protocol in the INPUT-156-SUBNET chain).
I would very much urge you to clean up your rule set first. If you don't want to do that (for reasons unfathomable) then the easiest, quickest way to debug this and understand traversal is to have a "-j LOG" rule precede any DROP or REJECT rules.
Thanks for looking at this.
I do want to clean up this ruleset, it is a mess and unmanageable. I'm just not sure where to start and I'm still learning IPTables. Do you have any recommendations?
Read https://www.frozentux.net/documents/iptables-tutorial/, then post your cleaned up rule set (removing duplicate rules and combining same range different port numbers with -m multiport) and adding "-j LOG" rules and we'll correct / add / explain. Deal?
You're welcome. Removing duplicate rules and combining same range different port numbers with -m multiport should be a task done in max half an hour. Post your results when you're ready and we'll commence.
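As an added example that is not part of this thread (neither the poster's rule set nor the replier's code), the following Python script does the clean-up the two replies above ask for: it parses an iptables-save dump, reports exact duplicate rules, merges ACCEPT rules that share a chain, source and protocol but differ only in --dport into one -m multiport rule (at most 15 ports per rule, which is the xt_multiport limit), and puts a rate-limited -j LOG rule in front of every catch-all DROP or REJECT so that traversal can be debugged from the kernel log. The sample dump is constructed here, using documentation-range addresses rather than the thread's, and its subnet jump uses the conntrack NEW form suggested in the reply. A merged rule is only ever moved past other ACCEPT rules in the same chain, never past a DROP, REJECT, LOG or jump, so the set of accepted packets is unchanged.

```python
"""Tidy an iptables-save filter dump: report duplicates, merge --dport ACCEPT
rules into -m multiport rules, and log before catch-all DROP/REJECT rules."""
import re
from collections import Counter

MAX_MULTIPORT = 15  # xt_multiport accepts at most 15 ports in one rule

# Constructed sample (not the thread's dump): 203.0.113.0/24 is documentation
# address space, and the subnet jump uses the conntrack form suggested above.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:INPUT-156-SUBNET - [0:0]
-A INPUT -s 203.0.113.10 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.10 -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 203.0.113.10 -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 203.0.113.11 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 203.0.113.10 -p tcp -m tcp --dport 5560 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -s 203.0.113.10 -p tcp -m tcp --dport 1158 -j ACCEPT
-A INPUT -s 203.0.113.0/255.255.252.0 -m conntrack --ctstate NEW -j INPUT-156-SUBNET
-A INPUT -j DROP
-A INPUT-156-SUBNET -s 203.0.113.0/255.255.252.0 -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT-156-SUBNET -s 203.0.113.0/255.255.252.0 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT-156-SUBNET -s 203.0.113.0/255.255.252.0 -p udp -m udp --dport 111 -j ACCEPT
-A INPUT-156-SUBNET -s 203.0.113.0/255.255.252.0 -p tcp -m tcp --dport 111 -j ACCEPT
COMMIT
"""

# A single-port ACCEPT rule in the exact shape iptables-save emits for "-p tcp --dport N".
DPORT_RULE = re.compile(
    r"^-A (?P<chain>\S+) -s (?P<src>\S+) -p (?P<proto>tcp|udp) "
    r"-m (?P=proto) --dport (?P<port>\d+) -j ACCEPT$")
ANY_RULE = re.compile(r"^-A (?P<chain>\S+) .*-j (?P<target>\S+)")
CATCH_ALL = re.compile(r"^-A (?P<chain>\S+) -j (DROP|REJECT)\b")


def find_duplicates(dump):
    """Return the '-A' lines that occur more than once, in first-seen order."""
    counts = Counter(ln for ln in dump.splitlines() if ln.startswith("-A "))
    return [rule for rule, n in counts.items() if n > 1]


def _flush(pending, chain, out):
    """Write the pending port groups of `chain` out as multiport rules."""
    for (c, src, proto), ports in list(pending.items()):
        if c != chain:
            continue
        if len(ports) == 1:  # nothing to merge: keep the original single-port form
            out.append(f"-A {c} -s {src} -p {proto} -m {proto} --dport {ports[0]} -j ACCEPT")
        else:
            for i in range(0, len(ports), MAX_MULTIPORT):
                chunk = ",".join(ports[i:i + MAX_MULTIPORT])
                out.append(f"-A {c} -s {src} -p {proto} -m multiport --dports {chunk} -j ACCEPT")
        del pending[(c, src, proto)]


def consolidate(dump):
    """Drop exact duplicates and merge same chain/source/protocol --dport ACCEPT
    rules. Merged rules are written out when the chain's next non-ACCEPT rule
    (DROP, REJECT, LOG, jump to another chain) is reached, so a rule only ever
    moves past other ACCEPT rules, which cannot change which packets get in."""
    out, seen, pending = [], set(), {}
    for line in dump.splitlines():
        if not line.startswith("-A "):
            if line == "COMMIT":  # end of table: write out everything still pending
                for chain in list(dict.fromkeys(k[0] for k in pending)):
                    _flush(pending, chain, out)
            out.append(line)
            continue
        if line in seen:  # exact duplicate: keep the first copy only
            continue
        seen.add(line)
        m = DPORT_RULE.match(line)
        if m:
            ports = pending.setdefault((m["chain"], m["src"], m["proto"]), [])
            if m["port"] not in ports:
                ports.append(m["port"])
            continue
        a = ANY_RULE.match(line)
        if a and a["target"] != "ACCEPT":  # barrier: merged rules must stay before it
            _flush(pending, a["chain"], out)
        out.append(line)
    return out


def add_logging(lines):
    """Put a rate-limited LOG rule in front of every catch-all DROP/REJECT so
    refused packets show up in the kernel log while traversal is being debugged."""
    out = []
    for line in lines:
        t = CATCH_ALL.match(line)
        if t:
            out.append(f'-A {t["chain"]} -m limit --limit 5/min -j LOG '
                       f'--log-prefix "{t["chain"]}-DROP: "')
        out.append(line)
    return out


if __name__ == "__main__":
    for dup in find_duplicates(SAMPLE_DUMP):
        print("duplicate:", dup)
    print("\n".join(add_logging(consolidate(SAMPLE_DUMP))))
```

Run it against a real dump with `iptables-save > rules.txt`, feed the file contents to consolidate() instead of SAMPLE_DUMP, read the result before loading it with iptables-restore, and keep the old dump to restore from. Rules with extra matches (-i eth0, -m state) are left untouched on purpose: only the plain single-port ACCEPT shape is merged, because that is the only case where the merge is provably equivalent.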