Old 01-01-2007, 02:20 PM   #16
win32sux
Guru
 

Quote:
Originally Posted by eponymous
Wow! Damn, that's some nice security. Perfect. Thanks!

Also how do I allow web traffic, simply add a port 80 rule?
yup... just stick it in there before the LOG rule...
Code:
$IPT -A OUTPUT -p TCP -o $LAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT
Quote:
How would one allow all OUTBOUND traffic?
change the OUTPUT chain's policy to ACCEPT at the top of the script (you should then remove all the OUTPUT rules)... like:
Code:
#!/bin/sh

IPT="/usr/local/bin/iptables"

LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"

ADMIN_IP1="192.168.1.2"
ADMIN_IP2="200.100.100.140"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# NETBIOS Name Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 137 \
-m state --state NEW -j ACCEPT

# NETBIOS Datagram Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 138 \
-m state --state NEW -j ACCEPT

# NETBIOS session service:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 139 \
-m state --state NEW -j ACCEPT

# Microsoft Naked CIFS:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 445 \
-m state --state NEW -j ACCEPT

# BitTorrent (and MSN file transfers):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 6881:6999 \
-m state --state NEW -j ACCEPT

# SSH2 Daemon (ADMIN #1):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP1 --dport 22 \
-m state --state NEW -j ACCEPT

# SSH2 Daemon (ADMIN #2):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP2 --dport 22 \
-m state --state NEW -j ACCEPT

# Log (with limit) other packets before sending them to DROP:
$IPT -A INPUT -j LOG -m limit --limit 3/minute \
--log-prefix "INPUT DROP: "
Quote:
I may have confused you/myself. I do need to be able to access things like IRC, MSN, FTP, HTTP etc. from the machine, as it's not only a server, but a desktop machine running Gaim etc.
well the easiest thing to do in such a case would be to set the OUTPUT policy to ACCEPT, as above... the more secure alternative is to add an OUTPUT rule for each thing you need to use... sorta like this:
Code:
#!/bin/sh

IPT="/usr/local/bin/iptables"

LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"

ADMIN_IP1="192.168.1.2"
ADMIN_IP2="200.100.100.140"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# NETBIOS Name Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 137 \
-m state --state NEW -j ACCEPT

# NETBIOS Datagram Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 138 \
-m state --state NEW -j ACCEPT

# NETBIOS session service:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 139 \
-m state --state NEW -j ACCEPT

# Microsoft Naked CIFS:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 445 \
-m state --state NEW -j ACCEPT

# BitTorrent (and MSN file transfers):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 6881:6999 \
-m state --state NEW -j ACCEPT

# SSH2 Daemon (ADMIN #1):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP1 --dport 22 \
-m state --state NEW -j ACCEPT

# SSH2 Daemon (ADMIN #2):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP2 --dport 22 \
-m state --state NEW -j ACCEPT

# Log (with limit) other packets before sending them to DROP:
$IPT -A INPUT -j LOG -m limit --limit 3/minute \
--log-prefix "INPUT DROP: "

$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Pings:
$IPT -A OUTPUT -p ICMP -o $LAN_IFACE --icmp-type 8 \
-m state --state NEW -j ACCEPT

# DNS:
$IPT -A OUTPUT -p UDP -o $LAN_IFACE --dport 53 \
-m state --state NEW -j ACCEPT

# HTTP:
$IPT -A OUTPUT -p TCP -o $LAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

# HTTPS:
$IPT -A OUTPUT -p TCP -o $LAN_IFACE --dport 443 \
-m state --state NEW -j ACCEPT

# FTP:
$IPT -A OUTPUT -p TCP -o $LAN_IFACE --dport 21 \
-m state --state NEW -j ACCEPT

# IRC:
$IPT -A OUTPUT -p TCP -o $LAN_IFACE --dport 6667 \
-m state --state NEW -j ACCEPT

# Gaim:
$IPT -A OUTPUT -p TCP -o $LAN_IFACE --dport 1863 \
-m state --state NEW -j ACCEPT

# BitTorrent:
$IPT -A OUTPUT -p TCP -o $LAN_IFACE --dport 6881:6999 \
-m state --state NEW -j ACCEPT

# Log all other packets before sending them to DROP:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
if your iptables has support for the multiport match, then you could specify multiple ports on one rule, greatly simplifying your script, like:
Code:
#!/bin/sh

IPT="/usr/local/bin/iptables"

LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"

ADMIN_IP1="192.168.1.2"
ADMIN_IP2="200.100.100.140"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET -m multiport \
--dport 137,138 -m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET -m multiport \
--dport 139,445,6881:6999 -m state --state NEW -j ACCEPT

# SSH2 Daemon (ADMIN #1):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP1 --dport 22 \
-m state --state NEW -j ACCEPT

# SSH2 Daemon (ADMIN #2):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP2 --dport 22 \
-m state --state NEW -j ACCEPT

# Log (with limit) other packets before sending them to DROP:
$IPT -A INPUT -j LOG -m limit --limit 3/minute \
--log-prefix "INPUT DROP: "

$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

$IPT -A OUTPUT -p ICMP -o $LAN_IFACE --icmp-type 8 \
-m state --state NEW -j ACCEPT

$IPT -A OUTPUT -p UDP -o $LAN_IFACE --dport 53 \
-m state --state NEW -j ACCEPT

$IPT -A OUTPUT -p TCP -o $LAN_IFACE -m multiport \
--dport 80,443,21,6667,1863,6881:6999 -m state --state NEW -j ACCEPT

# Log all other packets before sending them to DROP:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
Quote:
I'd be happy making individual rules for each application if its better to do that?
yes, it's the more secure option... but it's also the less friendly, of course...

Quote:
Also, just to be sure, when I run iptables -L I get this:

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Can you explain what these mean?

Thanks a lot!
well, to get a better idea of what's going on, I suggest you use this command instead:
Code:
iptables -L -v -n
it will give you more info such as which interface the rules apply to, etc... but basically what you posted is: the first line says that packets with a state of RELATED or ESTABLISHED are to be sent to ACCEPT... we need to do this because our policy is set to DROP, which blocks all packets, so we need to allow packets which are part of connections that have already been established or that are part of directly related connections... the second line is sending all packets to ACCEPT, most likely because it's the rule for the loopback interface, and we trust ourselves...

look at table 7.1 here: http://iptables-tutorial.frozentux.n...USERLANDSTATES

you *did* read that tutorial, right??

 
Old 01-01-2007, 02:49 PM   #17
eponymous
Member
 
Original Poster
Thanks! Yeah, I had a quick scan through, but I didn't have the time to fully read it as I have to revise for an exam!
 
Old 01-04-2007, 11:13 AM   #18
eponymous
Member
 
Original Poster
Hey win32sux, I don't suppose you managed to sort out how to implement OpenVPN into the firewall?

Thanks.
 
Old 01-04-2007, 03:33 PM   #19
unSpawn
Moderator
 
Maybe the OpenVPN FAQ: http://openvpn.net/faq.html and other hints like http://www.linuxjournal.com/article/7949, http://www.linuxhorizon.ro/openvpn-brief.html or http://christoph.fuchs.cc/openvpn/ could guide you. Or postpone until you have the time to read.
 
Old 01-05-2007, 03:15 PM   #20
win32sux
Guru
 
Quote:
Originally Posted by eponymous
Hey win32sux, I don't suppose you managed to sort out how to implement OpenVPN into the firewall?
no, not yet... my laptop did arrive, but I need to finish getting the basic Linux stuff set up before thinking about my VPN and stuff... I do know that the cool thing about OpenVPN is that you only need to use one port, though...

 
Old 01-05-2007, 05:13 PM   #21
eponymous
Member
 
Original Poster
I think I'm just gonna use:

Code:
# BitTorrent (and MSN file transfers):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 6881:6999 \
-m state --state NEW -j ACCEPT

$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 6881 -j DNAT --to 10.8.0.6:6881
To forward BitTorrent traffic down my VPN to my connected client (i.e. on another machine somewhere on the net).
However, doesn't that first IPTABLES rule (which I got from your post) only allow BitTorrent traffic from my local network? Which would be useless?

Also can you see any inherent security problems with this rule?

Thanks!
 
Old 01-08-2007, 02:20 PM   #22
eponymous
Member
 
Original Poster
Quote:
Originally Posted by eponymous
I think I'm just gonna use:

Code:
# BitTorrent (and MSN file transfers):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 6881:6999 \
-m state --state NEW -j ACCEPT

$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 6881 -j DNAT --to 10.8.0.6:6881
To forward BitTorrent traffic down my VPN to my connected client (i.e. on another machine somewhere on the net).
However, doesn't that first IPTABLES rule (which I got from your post) only allow BitTorrent traffic from my local network? Which would be useless?

Also can you see any inherent security problems with this rule?

Thanks!

Damn, this rule doesn't work. I can't even get web browsing to work.

I've "echo 1 > /proc/sys/net/ipv4/ip_forward"'ed, and added the following rules as recommended by OpenVPN's FAQ.

Rules added:
Code:
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT

# Allow TAP interface connections to OpenVPN server
iptables -A INPUT -i tap+ -j ACCEPT

# Allow TAP interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tap+ -j ACCEPT
Just when I connect to my server, I cannot browse the web. I know OpenVPN is set up correctly, as I used to be able to browse websites with my old firewall config.

Thanks for any help.
 
Old 01-08-2007, 05:22 PM   #23
win32sux
Guru
 
well, that's one of the reasons the LOG rules are there... check your logs to see which packets are getting sent to DROP...
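An added example to go with this advice (not code from either poster): a small shell helper that summarises the kernel log lines produced by the script's "INPUT DROP: " / "OUTPUT DROP: " LOG rules by chain, interface, protocol and destination port, so you can see at a glance what is actually being dropped. The sample lines are constructed here in the netfilter LOG format; pipe your real syslog through the functions instead.

```shell
#!/bin/sh
# Added example (not from the thread): summarise netfilter LOG lines written by
# the "INPUT DROP: " / "OUTPUT DROP: " rules in the firewall script above.
# The sample below is constructed for this example in the same log format.
SAMPLE_LOG='Jan 20 23:43:52 TuxServer OUTPUT DROP: IN= OUT=eth0 SRC=192.168.0.4 DST=192.168.0.255 LEN=244 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=224
Jan 20 23:43:52 TuxServer OUTPUT DROP: IN= OUT=tun0 SRC=10.8.0.1 DST=10.8.0.255 LEN=244 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=224
Jan 20 23:43:57 TuxServer INPUT DROP: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# summarize_drops: read log lines on stdin and print "<count> <chain> in=<if>
# out=<if> <proto>/<dport> src=<addr>" for each distinct combination, most
# frequent first. Packets without a port (e.g. ICMP) show dport "-".
summarize_drops() {
    awk '
        /DROP: / {
            chain = "?"; in_if = "-"; out_if = "-"; proto = "?"; dpt = "-"; src = "?"
            for (i = 1; i <= NF; i++) {
                if ($(i + 1) == "DROP:") chain = $i      # word before "DROP:"
                n = split($i, kv, "=")
                if (n < 2) continue                        # timestamp, DF, SYN...
                if (kv[1] == "IN"  && kv[2] != "") in_if  = kv[2]
                if (kv[1] == "OUT" && kv[2] != "") out_if = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
                if (kv[1] == "SRC")   src   = kv[2]
            }
            key = chain " in=" in_if " out=" out_if " " proto "/" dpt " src=" src
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# drops_to_port PORT: number of logged drops whose destination port is PORT.
# Prints 0 when there are none (grep alone would exit non-zero in that case).
drops_to_port() {
    grep -Ec "DPT=$1( |\$)" || true
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On the constructed sample this reports two NETBIOS broadcasts leaving on eth0 and tun0 and one SSH attempt from a non-admin LAN host, and `drops_to_port 80` returns 0, which is how you tell "the firewall dropped it" apart from "it never arrived".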
 
Old 01-10-2007, 04:45 PM   #24
eponymous
Member
 
Original Poster
Quote:
Originally Posted by win32sux
well, that's one of the reasons the LOG rules are there... check your logs to see which packets are getting sent to DROP...

I tried a ping to www.google.com from my VPN client while connected and the packets are definitely being dropped.

I'm not sure where to go from here though. I've added rules to allow traffic in from the VPN and also for traffic to be forwarded to other devices (as in the OpenVPN FAQ).

Thanks.

 
Old 01-11-2007, 03:48 PM   #25
eponymous
Member
 
Original Poster
Having looked at my logs a bit more closely I'm thinking the packets aren't being dropped, but aren't actually reaching the server.

I connected to my VPN server, and tried to go to www.google.com in the browser.

The logs show no port 80 drops.

I have also got

Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
in my iptables config file.
 
Old 01-18-2007, 03:59 PM   #26
eponymous
Member
 
Original Poster
Read post below:

 
Old 01-20-2007, 06:00 PM   #27
eponymous
Member
 
Original Poster
win32sux, have you had a chance to look over OpenVPN with IPTables yet?

I've been trying all sorts and I'm at a dead loss.

Thanks.

When I ping www.google.com from my machine (10.8.0.6) which is connected to the VPN Server (10.8.0.1), I get the following in my logs:

Code:
Jan 20 23:43:52 TuxServer OUTPUT DROP: IN= OUT=eth0 SRC=192.168.0.4 DST=192.168.0.255 LEN=244 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=224 
Jan 20 23:43:52 TuxServer OUTPUT DROP: IN= OUT=tun0 SRC=10.8.0.1 DST=10.8.0.255 LEN=244 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=224 
Jan 20 23:43:57 TuxServer OUTPUT DROP: IN= OUT=eth0 SRC=10.8.0.1 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58 
Jan 20 23:43:57 TuxServer OUTPUT DROP: IN= OUT=tun0 SRC=10.8.0.1 DST=10.8.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
However, I can ping the VPN server (10.8.0.1) fine.

Please can someone help me with this, it's driving me insane :P

I just need to know which rule to put in my IPTables script to get this working.

Thanks.
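An added example, not code from either poster: the FORWARD-chain rules a routed VPN client such as 10.8.0.6 needs on the server set-up described in posts #22 to #27 (FORWARD policy DROP, the OpenVPN FAQ's `-i tun+ -j ACCEPT`, MASQUERADE on eth0). With the policy at DROP, an `-i tun+` rule only lets the client's own packets out; the replies come back in on eth0 and are forwarded to tun0, so they need a RELATED,ESTABLISHED rule of their own, and a LOG rule in FORWARD makes such drops show up in the logs at all. The VPN subnet 10.8.0.0/24 is assumed from the addresses in the thread; by default the script only prints the commands, set IPT=/usr/local/bin/iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): FORWARD-chain rules for routing an
# OpenVPN (tun+) client out through eth0. Dry-run by default: the commands are
# printed for review; run with IPT=/usr/local/bin/iptables to apply them.
IPT="${IPT:-echo iptables}"
LAN_IFACE="eth0"
VPN_IFACE="tun+"
VPN_NET="10.8.0.0/24"   # assumed from the 10.8.0.x addresses used in the thread

vpn_forward_rules() {
    # Anything not matched below is dropped, same as the INPUT/OUTPUT chains.
    $IPT -P FORWARD DROP

    # Replies to connections the VPN client opened come back in on eth0 and
    # are forwarded out tun0. They never match an "-i tun+" rule, so without
    # this they hit the DROP policy and the client gets no answers.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # New connections may only be opened from the tunnel, by VPN addresses,
    # towards the outside interface (tighter than a bare "-i tun+ -j ACCEPT").
    $IPT -A FORWARD -i "$VPN_IFACE" -o "$LAN_IFACE" -s "$VPN_NET" \
        -m state --state NEW -j ACCEPT

    # Log forwarded packets about to be dropped, with the same rate limit the
    # INPUT chain uses, so they show up in syslog like the other DROP lines.
    $IPT -A FORWARD -j LOG -m limit --limit 3/minute \
        --log-prefix "FORWARD DROP: "

    # Masquerade only VPN sources leaving via eth0, not every forwarded packet.
    $IPT -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IFACE" -j MASQUERADE
}

# In dry-run mode, return how many iptables commands the function emits.
vpn_forward_rule_count() {
    vpn_forward_rules | grep -c '^iptables '
}

vpn_forward_rules
```

Run it after the main firewall script, whose `$IPT -F` and `$IPT -F -t nat` would otherwise flush these rules again.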
 
  

