LinuxQuestions.org
Old 06-10-2010, 01:30 PM   #1
alee
LQ Newbie
 
Registered: May 2008
Posts: 28

Rep: Reputation: 15
Need help with iptables script


I have a small network within the organization. For simplicity, consider that I have 3 systems.

System 1: 192.168.1.10 - acting as webserver
System 2: 192.168.1.1 - acting as firewall
Webserver and firewall are connected through the eth1 interface

System 3: 192.168.2.10 - any random system which is connected to the firewall through the eth0 interface. The eth0 on the firewall machine (system 2) is configured with the IP 192.168.2.1.

I have added the following command to let the traffic go through from eth0 to eth1
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
Everything is working fine; each system can ping each other.

Now, I want to incorporate some firewall rules.
1: System 1 (webserver) can only access firewall through SSH.
2: Ping to any machine is disabled.
3: Any traffic from eth0 to eth1 is allowed only when it is for ssh, pop3, http or https.

For these things I configured the following iptables script
Code:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -p tcp -s 192.168.1.10 -d 192.168.1.1 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j LOG --log-prefix "SSH " --log-level 4
-A INPUT -p tcp -s 192.168.1.10 -d 192.168.1.1 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -s 192.168.1.1  -d 192.168.1.10 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

### ALLOWING SSH, HTTP, HTTPS, POP3 ACCESS AND LOGGING ###
-A FORWARD -s 0/0 -i eth1 -d 192.168.1.10 -o eth0 -p TCP -m multiport --dports 80,443,110,22 -j LOG --log-prefix "80,443,110,22 " --log-level 4
-A FORWARD -s 0/0 -i eth1 -d 192.168.1.10 -o eth0 -p TCP -m multiport --dports 80,443,110,22 -j ACCEPT
-A FORWARD -d 0/0 -o eth1 -s 192.168.1.10 -i eth0 -p TCP -m state --state ESTABLISHED -j ACCEPT

### DROPPING ALL OTHER PACKETS AND LOGGING ###
-A INPUT -j LOG --log-prefix "DROP " --log-level 4
-A INPUT -j DROP
-A OUTPUT -j DROP

COMMIT
Now the thing is, it's not working the way I want it to. If I enable the last lines (drop all packets), pings to all machines are stopped and I can't even access the webserver on eth1 from any of the machines on eth0. I am trying to go through different iptables tutorials but I can't figure out what I am doing wrong. Could someone guide me here?
 
Old 06-10-2010, 02:47 PM   #2
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
I'm no expert but I think you have it backwards. Put the last four lines (counting the comment) at the BEGINNING of the script, so that the first thing it does is drop all packets. Then follow with the rules that enable packets on specific ports to/from specific IP addresses.
 
Old 06-10-2010, 06:09 PM   #3
alee
LQ Newbie
 
Registered: May 2008
Posts: 28

Original Poster
Rep: Reputation: 15
I can try that tomorrow, but I will wait until I get some comment from some iptables expert. Thanks anyway.
 
Old 06-10-2010, 06:41 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
@alee: At a glance, I think you're missing some important rules:

Code:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
The first two allow connections to "keep state" after the initial handshake completes. The third allows all loopback traffic.

To allow all icmp traffic:

Code:
-A INPUT -p icmp -j ACCEPT
Note that you can restrict this by icmp type (e.g. echo-request). See the iptables(8) manpages.

---

@Jim Bengtson: You may be thinking of a different packet filtering firewall (like PF). The iptables/netfilter processing is "first match wins".

Last edited by anomie; 06-10-2010 at 06:43 PM.
 
Old 06-11-2010, 03:32 PM   #5
alee
LQ Newbie
 
Registered: May 2008
Posts: 28

Original Poster
Rep: Reputation: 15
Okay, I have made the following changes to my script, but still I can't achieve the desired result.

Code:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

### DROPPING ALL OTHER PACKETS AND LOGGING ###
-A INPUT -j LOG --log-prefix "DROP " --log-level 4
-A INPUT -j DROP
-A OUTPUT -j DROP


-A INPUT -p tcp -s 192.168.1.10 -d 192.168.1.1 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j LOG --log-prefix "SSH " --log-level 4
-A INPUT -p tcp -s 192.168.1.10 -d 192.168.1.1 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -p tcp -s 192.168.1.1  -d 192.168.1.10 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

### ALLOWING SSH, HTTP, HTTPS, POP3 ACCESS AND LOGGING ###
-A FORWARD -s 0/0 -i eth1 -d 192.168.1.10 -o eth0 -p TCP -m multiport --dports 80,443,110,22 -j LOG --log-prefix "80,443,110,22 " --log-level 4
-A FORWARD -s 0/0 -i eth1 -d 192.168.1.10 -o eth0 -p TCP -m multiport --dports 80,443,110,22 -j ACCEPT
-A FORWARD -d 0/0 -o eth1 -s 192.168.1.10 -i eth0 -p TCP -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

COMMIT
Is the order of the rules wrong? Or what? I am stuck :s
 
Old 06-11-2010, 04:10 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
So you made those changes and then loaded the new rules?

I'm not sure how other folks manage their rulesets, but I think it would be best to not edit /etc/sysconfig/iptables directly. (Notice the commented text at the top to that effect.)

As one example of how you might better manage your ruleset, you could keep a bash script that flushes / loads chains when run, a la:
Code:
#!/bin/bash

# When finished editing and testing, remember to run: 
#   $ sudo /etc/init.d/iptables save

cmd='/sbin/iptables'

# flush
${cmd} -F

##### INPUT CHAIN #####

# standard stuff - loopback and stateful
${cmd} -A INPUT -i lo -j ACCEPT
${cmd} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow in ssh 
${cmd} -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# allow in https
${cmd} -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# allow pings in
${cmd} -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# default deny!
${cmd} -A INPUT -j DROP

##### OUTPUT CHAIN #####

# 

##### FORWARD CHAIN #####

# just DROP everything by policy
${cmd} -P FORWARD DROP

exit 0
-------

Troubleshooting your borked ruleset (i.e. the topic of this thread) is another story. Are you familiar with tcpdump and/or do you have a cursory understanding about IP, TCP, and UDP? If so, I have a couple suggestions. If not, I don't have an easy approach (short of hand holding).
 
Old 06-11-2010, 05:01 PM   #7
alee
LQ Newbie
 
Registered: May 2008
Posts: 28

Original Poster
Rep: Reputation: 15
I would be happy to read those suggestions.
 
Old 06-11-2010, 05:04 PM   #8
alee
LQ Newbie
 
Registered: May 2008
Posts: 28

Original Poster
Rep: Reputation: 15
Okay, this might be a silly question, but I just checked

Code:
vi /etc/init.d/iptables
and it opened a file with lots of code. I am not sure now. Should I put your shared code in that file and run it (how?), or should I overwrite the content of the file I opened above with your shared code :s

I am not a pro in Linux either :$
 
Old 06-12-2010, 01:06 PM   #9
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Do not edit /etc/init.d/iptables in any way.

Here's a sample starting point for you. I whipped this together and it is completely untested. (i.e. Use at your own risk.) It relies on a couple assumptions on my part, and on snippets from the ruleset you posted.

Code:
#!/bin/bash

# When finished editing and testing, remember to run: 
#   $ sudo /etc/init.d/iptables save

cmd='/sbin/iptables'


# set policies so that we don't get accidentally locked out
for I in INPUT OUTPUT FORWARD ; do
  ${cmd} -P ${I} ACCEPT
done

# flush
${cmd} -F


##### INPUT CHAIN #####

# standard stuff - loopback and stateful
${cmd} -A INPUT -i lo -j ACCEPT
${cmd} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow in ssh 
${cmd} -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 \
  -s 192.168.1.10 -d 192.168.1.1 -j ACCEPT

# allow pings in
${cmd} -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# default deny!
${cmd} -A INPUT -j DROP


##### FORWARD CHAIN #####

# standard stuff - stateful
${cmd} -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

${cmd} -A FORWARD -s 0/0 -i eth1 -d 192.168.1.10 -o eth0 -p TCP \
  -m multiport --dports 80,443,110,22 -j LOG --log-prefix "80,443,110,22 " \
  --log-level 4
${cmd} -A FORWARD -s 0/0 -i eth1 -d 192.168.1.10 -o eth0 -p TCP \
  -m multiport --dports 80,443,110,22 -j ACCEPT
${cmd} -A FORWARD -d 0/0 -o eth1 -s 192.168.1.10 -i eth0 -p TCP \
  -m state --state ESTABLISHED -j ACCEPT

# default deny!
${cmd} -A FORWARD -j DROP



exit 0
Save/run that script as root:
Code:
# chmod 700 fw-rules.bash
# ./fw-rules.bash
If it produces no errors, next run:
Code:
# /etc/init.d/iptables save
That's it. You've activated and saved your ruleset. Any time you want to make changes, edit fw-rules.bash and repeat the above steps.

-------

If you're still not getting the behavior you'd expect, in future posts include the output of iptables -nvL or iptables-save for others to review.

Last edited by anomie; 06-12-2010 at 01:10 PM.
 
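Two things the thread turns on are anomie's stateful and default-deny rules (post #4 and the scripts in posts #6 and #9) and the fact that netfilter is first-match-wins, which is why the reordering in post #5 dropped everything before any ACCEPT could match. The script below is an added example, not alee's or anomie's code. It generates the ruleset for the topology described in post #1 (firewall eth0 = 192.168.2.1 on the client side, eth1 = 192.168.1.1 facing the webserver 192.168.1.10), implements the three stated requirements, and refuses to load the rules if an unconditional DROP is not the last rule in a chain. One deliberate change from the posted rulesets, an assumption drawn from that topology: new forwarded connections are matched with `-i eth0 -o eth1`, because a packet addressed to 192.168.1.10 leaves the firewall through eth1, so the posted `-i eth1 ... -o eth0` rules can never match it. The variable names, the `--apply` flag, the `check_order` function and the log prefixes are this example's own.

```shell
#!/bin/bash
# Added example (not alee's or anomie's script): builds the ruleset for the
# three-host topology from post #1 and checks rule order before loading it.
#
# Assumed topology (from post #1): firewall eth0 = 192.168.2.1 (client side),
# firewall eth1 = 192.168.1.1 (webserver side), webserver = 192.168.1.10.
# Requirements: (1) only the webserver may reach the firewall, and only via
# SSH; (2) no ping anywhere; (3) eth0 -> eth1 only for ssh, pop3, http, https.
#
# Dry-run by default (prints the iptables commands); --apply as root loads them.

FW_LAN_IF='eth0'            # side facing the 192.168.2.0/24 clients
FW_DMZ_IF='eth1'            # side facing the webserver
FW_DMZ_IP='192.168.1.1'
WEB_IP='192.168.1.10'
SERVICE_PORTS='22,110,80,443'
IPT='/sbin/iptables'

# build_rules prints one iptables invocation per line, in load order.
build_rules() {
    # Open policies first so a half-loaded ruleset never locks out the console.
    for chain in INPUT OUTPUT FORWARD; do
        echo "$IPT -P $chain ACCEPT"
    done
    echo "$IPT -F"

    ##### INPUT: traffic addressed to the firewall itself #####
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Requirement 1: only the webserver, only SSH, only on the DMZ interface.
    echo "$IPT -A INPUT -i $FW_DMZ_IF -p tcp -s $WEB_IP -d $FW_DMZ_IP --dport 22 -m state --state NEW -j ACCEPT"
    # Requirement 2: no ICMP accept rule, so echo-request falls through to the default deny.
    echo "$IPT -A INPUT -j LOG --log-prefix \"INPUT-DROP \" --log-level 4"
    echo "$IPT -A INPUT -j DROP"

    ##### FORWARD: traffic routed between eth0 and eth1 #####
    echo "$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Requirement 3: new connections only from the client side toward the
    # webserver, only for the listed services. Note -i eth0 -o eth1: the
    # opposite of the direction in the posted ruleset.
    echo "$IPT -A FORWARD -i $FW_LAN_IF -o $FW_DMZ_IF -d $WEB_IP -p tcp -m multiport --dports $SERVICE_PORTS -m state --state NEW -j LOG --log-prefix \"FWD-NEW \" --log-level 4"
    echo "$IPT -A FORWARD -i $FW_LAN_IF -o $FW_DMZ_IF -d $WEB_IP -p tcp -m multiport --dports $SERVICE_PORTS -m state --state NEW -j ACCEPT"
    echo "$IPT -A FORWARD -j LOG --log-prefix \"FWD-DROP \" --log-level 4"
    echo "$IPT -A FORWARD -j DROP"
}

# check_order returns 0 when, for every filtered chain, the unconditional DROP
# is the last rule appended. netfilter is first-match-wins, so a DROP placed
# earlier silently shadows every ACCEPT after it (the post #5 mistake).
check_order() {
    for chain in INPUT FORWARD; do
        last=$(build_rules | grep -- "-A $chain " | tail -n 1)
        case "$last" in
            *"-A $chain -j DROP") ;;
            *) echo "rule order error in $chain: last rule is '$last'" >&2; return 1 ;;
        esac
    done
    return 0
}

main() {
    check_order || exit 1
    if [ "$1" = "--apply" ]; then
        build_rules | while IFS= read -r line; do eval "$line"; done
    else
        build_rules
    fi
}

main "$@"
```

Run it without arguments to see the commands it would issue; run it as root with `--apply` to load them, verify with `iptables -nvL` as anomie suggests, and persist with `/etc/init.d/iptables save`. The OUTPUT chain is left at its ACCEPT policy, as in anomie's scripts. With no ICMP accept rule, unsolicited echo-requests hit the default deny (requirement 2), while ICMP errors that belong to a tracked connection still pass the stateful rule as RELATED.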
Old 06-15-2010, 12:59 PM   #10
alee
LQ Newbie
 
Registered: May 2008
Posts: 28

Original Poster
Rep: Reputation: 15
With a little modification, it worked. Thanks
 
All times are GMT -5.