Old 04-25-2005, 03:32 PM   #1
TheLinuxDuck
Member
 
Registered: Sep 2002
Location: Tulsa, OK
Distribution: Slack, baby!
Posts: 349

Rep: Reputation: 33
Strange IPTABLES issue


Along with some other rules (after these two), I've got two rules in my iptables list:
1. Allow connects to all ports from internal IP's.
2. Deny all connections to specific specific ports.

Here are the rules:
Code:
iptables -A FORWARD -p tcp -m tcp -s 196.168.1.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp -m multiport -j DROP --dports 21,22,23
Yet, I'm getting IPs (disallowed by the firewall, mind you) connecting to the ssh (22) port. How is it possible? The firewall works and I've verified this, but IPs can connect to these ports anyway. Anyone have any clues?

Thanks!
 
Old 04-25-2005, 04:23 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,535

Rep: Reputation: 148
Two possible reasons:
1. The rules are for FORWARD. Where do you connect? To the machine with iptables or another one behind NAT?
2. Rules order is important. iptables -L and see their order.
 
Old 04-25-2005, 04:45 PM   #3
TheLinuxDuck
Member
 
Registered: Sep 2002
Location: Tulsa, OK
Distribution: Slack, baby!
Posts: 349

Original Poster
Rep: Reputation: 33
Quote:
Originally posted by Mara
2. Rules order is important. iptables -L and see their order.
The order is correct. Limited allows followed by a full deny. (=

Quote:
1. The rules are for FORWARD. Where do you connect? To the machine with iptables or another one behind NAT?
You know, I must confess, I hadn't paid much attention to the FORWARD/INPUT/OUTPUT portion of it. And now I understand why it's not working: FORWARD is for packets going through the box, but these packets are destined for the box itself, which means that it needs to be INPUT.

Der.

Thanks for pointing out the snake under my nose. (=
 
Old 04-26-2005, 10:40 AM   #4
TheLinuxDuck
Member
 
Registered: Sep 2002
Location: Tulsa, OK
Distribution: Slack, baby!
Posts: 349

Original Poster
Rep: Reputation: 33
Just thought I'd post a followup, in case someone else was having troubles
with packets getting through and not sure how to fix it.

Mara's suggestions were right on track. Once I changed the table to INPUT
from FORWARD, everything works fantastic.

The machine is a virtual email/web/ssh server with a public IP, we'll say
"212.211.210.209", hosting several domains. I wanted to disallow all
traffic to special ports (ftp, ssh, telnet, ssh-mail (465, 993, 995)), except
for traffic coming from our NAT firewall (meaning, all computers on the
LAN side of the NAT firewall, we'll say "212.211.210.1" are allowed
to access the public server on the special ports, but no one else is.

A simple diagram:

192.168.1.1 -> firewall NAT (212.211.210.1)
192.168.1.2 -> firewall NAT (212.211.210.1)
192.168.1.3 -> firewall NAT (212.211.210.1)

firewall NAT (212.211.210.1) -> public router (212.211.210.2)

public router (212.211.210.2) -> internet
public router (212.211.210.2) -> email/web/ssh server (212.211.210.209)

And since the firewall NAT is NATing all internal (192.168) traffic and causing
it to appear as though it is coming directly from the firewall NAT, we only allow
connections to the special ports from the firewall NAT box.

Here's the core of the iptables firewall rules on the email/web/ssh server (not
the firewall NAT, that is a separate machine):

Quote:
# first, we establish a chain called "drop_kick", which logs all dropped packets
# and boots them. Remember, LOG is non-terminating! That's why we DROP
# afterward. The chain has to be created before anything can be appended to it.
#
iptables -N drop_kick
iptables -A drop_kick -j LOG --log-level info --log-prefix "Firewall: "
iptables -A drop_kick -j DROP

# Next, we allow traffic from the firewall NAT to all ports. This is a terminating
# rule, as are most.
#
iptables -A INPUT -p tcp -m tcp -s 212.211.210.1 -j ACCEPT

# Just flat out refuse invalid packets
#
iptables -A INPUT -m state --state INVALID -j drop_kick

# Then, kill any traffic going to the special ports. If we get to here, then the
# packet was not coming from the firewall NAT.
#
iptables -A INPUT -p tcp -m tcp -m multiport -j drop_kick --dports 21,22,23,465,993,995
I am still quite an amateur when it comes to iptables, and could probably do
this a much better way, but this does work. And since I don't run services on
other ports (aside from web stuff), I don't worry about filtering those ports.

If anyone has suggestions for improvement, please post it! I'd be happy to
learn better ways and the suggestions could also teach others!
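As an added example (my own, not code from the thread), here is a small Python model of how netfilter picks INPUT versus FORWARD for a packet and then walks the chain first-match, including a non-terminating LOG inside a user chain. It assumes the addresses from the diagram above and the two rulesets from posts #1 and #4; the packets fed to it are constructed.

```python
# Added example, not from the thread: a toy model of netfilter chain selection and
# first-match traversal. Addresses come from the thread; the packets are constructed.
import ipaddress
SERVER_IP = "212.211.210.209"   # host running iptables (email/web/ssh server)
NAT_BOX = "212.211.210.1"       # the LAN's NAT firewall, the only allowed source
SPECIAL = frozenset({21, 22, 23, 465, 993, 995})

class Rule:
    def __init__(self, target, src=None, dports=frozenset()):
        self.target, self.src, self.dports = target, src, dports
    def matches(self, pkt):
        in_src = not self.src or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
        return in_src and (not self.dports or pkt["dport"] in self.dports)

class Firewall:
    def __init__(self):
        self.chains = {"INPUT": [], "FORWARD": []}  # built-in chains, policy ACCEPT
        self.log = []
    def new_chain(self, name):                      # iptables -N
        self.chains[name] = []
    def append(self, chain, rule):                  # iptables -A
        self.chains[chain].append(rule)
    def walk(self, chain, pkt):
        for rule in (r for r in self.chains[chain] if r.matches(pkt)):
            if rule.target == "LOG":                # non-terminating: keep walking
                self.log.append(f"Firewall: SRC={pkt['src']} DPT={pkt['dport']}")
            elif rule.target in ("ACCEPT", "DROP"): # terminating targets
                return rule.target
            elif (v := self.walk(rule.target, pkt)):  # user chain; stop if it decided
                return v
        return None                                 # fell off the end of the chain
    def verdict(self, pkt):
        # Packets addressed to the box itself traverse INPUT; only packets routed
        # through it traverse FORWARD. No match at all means the chain policy (ACCEPT).
        chain = "INPUT" if pkt["dst"] == SERVER_IP else "FORWARD"
        return self.walk(chain, pkt) or "ACCEPT"

def post1_firewall():   # the two FORWARD rules from the opening post
    fw = Firewall()     # (the post wrote 196.168.1.0/24; the diagram uses 192.168.1.x)
    fw.append("FORWARD", Rule("ACCEPT", src="192.168.1.0/24"))
    fw.append("FORWARD", Rule("DROP", dports=frozenset({21, 22, 23})))
    return fw

def post4_firewall():   # the INPUT ruleset from the follow-up post
    fw = Firewall()
    fw.new_chain("drop_kick")
    fw.append("drop_kick", Rule("LOG"))
    fw.append("drop_kick", Rule("DROP"))
    fw.append("INPUT", Rule("ACCEPT", src=NAT_BOX))
    fw.append("INPUT", Rule("drop_kick", dports=SPECIAL))
    return fw
```

With the post #1 rules an outside SSH connection to the server is accepted because INPUT is empty, while the same rules would drop a routed packet; with the post #4 rules it is logged once and dropped, and the NAT box still gets through.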
 
Old 04-27-2005, 07:44 AM   #5
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
well you can have much more than 3 lines in your IPT, like TCP packet flag verification, SYN for new connections, existing/established with SYN and ACK flags... basic anti-IP-spoofing etc.
 
Old 04-27-2005, 07:44 AM   #6
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
I don't know why but my firewall.conf ended up at more than 600 lines... with just basic traffic filtering
 