LinuxQuestions.org
Old 01-17-2013, 05:31 PM   #1
Brambo
LQ Newbie
 
Registered: Jan 2013
Posts: 4

Rep: Reputation: Disabled
When active, iptables drops ALL traffic


Hello,

I have a small server at home running CentOS. However, when I fire up iptables, it drops ALL traffic.. When iptables is shut down, all traffic is allowed. I can't figure out what is going wrong. Only port 80, 20, 21, 22, 443 and 8443 should be allowed in. All other incoming traffic should be blocked.

Here is my iptables config:

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
REJECT     tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset 
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:12443 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:11443 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:11444 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8447 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pcsync-https 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:cddbp-alt 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp 
ACCEPT     tcp  --  localhost            anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  [HOSTNAME]      anywhere            tcp dpt:ssh 
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:submission 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:urd 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:poppassd 
ACCEPT     tcp  --  localhost            anywhere            tcp dpt:mysql 
ACCEPT     tcp  --  [HOSTNAME]       anywhere            tcp dpt:mysql 
ACCEPT     tcp  --  [HOSTNAME]  anywhere            tcp dpt:mysql 
ACCEPT     tcp  --  [HOSTNAME] anywhere            tcp dpt:mysql 
ACCEPT     tcp  --  [HOSTNAME]  anywhere            tcp dpt:mysql 
ACCEPT     tcp  --  [HOSTNAME]  anywhere            tcp dpt:mysql 
DROP       tcp  --  anywhere             anywhere            tcp dpt:mysql 
ACCEPT     tcp  --  localhost            anywhere            tcp dpt:postgres 
ACCEPT     tcp  --  [HOSTNAME]         anywhere            tcp dpt:postgres 
ACCEPT     tcp  --  [HOSTNAME] anywhere            tcp dpt:postgres 
ACCEPT     tcp  --  [HOSTNAME]  anywhere            tcp dpt:postgres 
ACCEPT     tcp  --  [HOSTNAME]  anywhere            tcp dpt:postgres 
ACCEPT     tcp  --  [HOSTNAME]  anywhere            tcp dpt:postgres 
DROP       tcp  --  anywhere             anywhere            tcp dpt:postgres 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ogs-server 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:glrpc 
DROP       udp  --  anywhere             anywhere            udp dpt:netbios-ns 
DROP       udp  --  anywhere             anywhere            udp dpt:netbios-dgm 
DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn 
DROP       tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds 
DROP       udp  --  anywhere             anywhere            udp dpt:openvpn 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            
ACCEPT     icmp --  localhost            anywhere            icmp type 8 code 0 
DROP       icmp --  anywhere             anywhere            icmp type 8 code 0 
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
REJECT     tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset 
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
REJECT     tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset 
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere
Am I doing something wrong here? The rules look good IMHO, but maybe I am over-reading something...

Addendum: I know that these rules allow more traffic than I'd like -- I am planning on fine-tuning it later. There seems to be a conflict in these rules which I'd like to know about.

Thank you,
Bram

Last edited by Brambo; 01-17-2013 at 05:34 PM. Reason: Added addendum
 
Old 01-17-2013, 09:24 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927
Rule set looks odd. Please attach "/tmp/iptables.txt" output from running 'iptables-save > /tmp/iptables.txt': easier to read.
 
Old 01-18-2013, 03:54 AM   #3
Brambo
LQ Newbie
 
Registered: Jan 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thank you for your reply :-)

Hereby the requested output:

Code:
# Generated by iptables-save v1.4.7 on Fri Jan 18 09:50:38 2013
*nat
:PREROUTING ACCEPT [82267:8879482]
:POSTROUTING ACCEPT [1476:99283]
:OUTPUT ACCEPT [1473:101127]
COMMIT
# Completed on Fri Jan 18 09:50:38 2013
# Generated by iptables-save v1.4.7 on Fri Jan 18 09:50:38 2013
*mangle
:PREROUTING ACCEPT [124135:26459091]
:INPUT ACCEPT [109958:24755714]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [94032:13409849]
:POSTROUTING ACCEPT [94026:13407645]
COMMIT
# Completed on Fri Jan 18 09:50:38 2013
# Generated by iptables-save v1.4.7 on Fri Jan 18 09:50:38 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset 
-A INPUT -m state --state INVALID -j DROP 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 12443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 11443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 11444 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8447 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8880 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT 
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -s [SSH-IP]/32 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j DROP 
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 106 -j ACCEPT 
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT 
-A INPUT -s [INET1]/32 -p tcp -m tcp --dport 3306 -j ACCEPT 
-A INPUT -s [INET2]/32 -p tcp -m tcp --dport 3306 -j ACCEPT 
-A INPUT -s [INET3]/32 -p tcp -m tcp --dport 3306 -j ACCEPT 
-A INPUT -s [INET4]/32 -p tcp -m tcp --dport 3306 -j ACCEPT 
-A INPUT -s [INET5]/32 -p tcp -m tcp --dport 3306 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 3306 -j DROP 
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5432 -j ACCEPT 
-A INPUT -s [INET1]/32 -p tcp -m tcp --dport 5432 -j ACCEPT 
-A INPUT -s [INET2]/32 -p tcp -m tcp --dport 5432 -j ACCEPT 
-A INPUT -s [INET3]/32 -p tcp -m tcp --dport 5432 -j ACCEPT 
-A INPUT -s [INET4]/32 -p tcp -m tcp --dport 5432 -j ACCEPT 
-A INPUT -s [INET5]/32 -p tcp -m tcp --dport 5432 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 5432 -j DROP 
-A INPUT -p tcp -m tcp --dport 9008 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT 
-A INPUT -p udp -m udp --dport 137 -j DROP 
-A INPUT -p udp -m udp --dport 138 -j DROP 
-A INPUT -p tcp -m tcp --dport 139 -j DROP 
-A INPUT -p tcp -m tcp --dport 445 -j DROP 
-A INPUT -p udp -m udp --dport 1194 -j DROP 
-A INPUT -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -p udp -j ACCEPT 
-A INPUT -p tcp -j ACCEPT 
-A INPUT -s 127.0.0.1/32 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j DROP 
-A INPUT -j DROP 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset 
-A FORWARD -m state --state INVALID -j DROP 
-A FORWARD -i lo -o lo -j ACCEPT 
-A FORWARD -j DROP 
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset 
-A OUTPUT -m state --state INVALID -j DROP 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -j ACCEPT 
COMMIT
# Completed on Fri Jan 18 09:50:38 2013
SSH-IP is the IP of my laptop; INET1 through INET5 are the five different IP addresses....

Last edited by Brambo; 01-18-2013 at 03:56 AM.
 
Old 01-18-2013, 10:10 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927
I'm not going to fix this for you but I will tell you how to. In the filter table INPUT chain:
0. remove all lines with src or dst 127.0.0.1/32 (loopback accept implies network),
1. remove the "-p protocol --dport port -j DROP" rules (policy),
2. remove the bare "-j DROP" rule (policy),
3. remove the "-p protocol -j ACCEPT" rules (negates policy).

Then:
0. move all lines with the loopback device to the top of the chain. You need it anyway plus getting the device out of the way means not having to explicitly name remaining devices (unless you got several requiring different rules).
1. move the "RELATED,ESTABLISHED", "--reject-with tcp-reset" and "--state INVALID" lines directly below those. The reason for this order is that Netfilter rules work in a "first match wins" way. Most machines generate a lot of requests themselves and you want to get those performance-wise dealt with quickly.
2. below that create a new "-m state --state NEW -p tcp -m tcp -m multiport --dports 3306,5432 -j TRUSTED" rule and dump your "-s INETn/32" addresses in the "-A TRUSTED" where they only require "-j ACCEPT". Make the last two rules in the TRUSTED chain a "-j LOG" and a "-j RETURN" (or "-j DROP") if you want to keep tabs on requests you miss (or not) from other hosts. The reason is, order and performance-wise similar to the rule above plus these machines have a direct relationship and all require similar access so you can reduce rules by half.
3. below that add your SSH-IP SSH rule and ensure it (and all rules below) got the right "--state NEW" as well.
4. below that add your UDP DNS rule.
5. below that group your "-p tcp -m tcp --dport port -j ACCEPT" rules turning them into a single rule using "-m multiport".
6. below that add your ICMP rule.

Remove all rules from the filter table FORWARD chain and add rules when and if you need to (prolly read the Frozentux Iptables tutorial).
Remove all rules from the filter table OUTPUT chain and set the policy to ACCEPT.

After applying the above post your "fixed" rule set if unsure.
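unSpawn's "first match wins" point, as an added example that is not part of the thread: a small Python walker that replays constructed packets through an abridged copy of Brambo's INPUT chain (post #3) and through unSpawn's reordered one (post #6), reporting which rule decided each packet. It assumes 203.0.113.5 as a stand-in untrusted source and keeps the thread's [SSH-IP] placeholder.

```python
# Added example, not code from the thread: a "first match wins" walk over a filter
# INPUT chain, replaying constructed packets through an abridged copy of Brambo's
# chain (post #3) and unSpawn's reordered one (post #6). Not modelled: --icmp-type,
# --reject-with, --state INVALID. [SSH-IP] is the thread's placeholder; 203.0.113.5
# is a documentation address standing in for an untrusted host.
import shlex

def parse_rule(line):
    t, i = shlex.split(line), 0
    r = dict(target=None, proto=None, src=None, iface=None, dports=None, state=None, flags=None)
    while i < len(t):
        tok = t[i]
        if tok == "-j":         r["target"] = t[i + 1]
        elif tok == "-p":       r["proto"] = t[i + 1]
        elif tok == "-s":       r["src"] = t[i + 1].split("/")[0]
        elif tok == "-i":       r["iface"] = t[i + 1]
        elif tok == "--dport":  r["dports"] = {int(t[i + 1])}
        elif tok == "--dports": r["dports"] = {int(p) for p in t[i + 1].split(",")}
        elif tok == "--state":  r["state"] = set(t[i + 1].split(","))
        elif tok == "--tcp-flags":   # (mask, expected, negated by a leading "!")
            r["flags"] = (set(t[i + 1].split(",")), set(t[i + 2].split(",")), t[i - 1] == "!")
            i += 1
        else:
            i += 1; continue         # -A, -m, "!" and the like carry no criterion
        i += 2
    return r
def matches(r, p):
    # Every criterion present on the rule must hold: iptables ANDs them.
    if r["proto"] and r["proto"] != p["proto"]: return False
    if r["src"] and r["src"] != p["src"]: return False
    if r["iface"] and r["iface"] != p["iface"]: return False
    if r["dports"] is not None and p["dport"] not in r["dports"]: return False
    if r["state"] and p["state"] not in r["state"]: return False
    if r["flags"]:
        mask, want, negated = r["flags"]
        if ((p["flags"] & mask) == want) == negated: return False
    return True
def walk(chain, pkt, policy="DROP"):
    # (rule index, target) of the first matching rule, else (None, chain policy).
    for n, line in enumerate(chain):
        if matches(rule := parse_rule(line), pkt): return n, rule["target"]
    return None, policy
ORIGINAL = [  # abridged from post #3; order and catch-all rules as posted
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -s [SSH-IP]/32 -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 3306 -j DROP",
    "-A INPUT -p tcp -j ACCEPT",
    "-A INPUT -j DROP",
]
FIXED = [  # unSpawn's chain from post #6, minus the rules not modelled here
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset",
    "-A INPUT -s [SSH-IP]/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT",
    "-A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 80,443,8443 -j ACCEPT",
]
def pkt(dport, flags=("SYN",), src="203.0.113.5", iface="eth0", state="NEW"):
    return dict(proto="tcp", src=src, iface=iface, dport=dport, state=state, flags=set(flags))
```

A new SYN to an unlisted port (say 9999) is accepted by the original chain's bare "-p tcp -j ACCEPT" rule, while in the reordered chain it falls through to the DROP policy; the ordering also shows a loopback packet deciding at rule 0 and an established reply at rule 1.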
 
Old 01-19-2013, 01:15 PM   #5
Brambo
LQ Newbie
 
Registered: Jan 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thank you for your quick and rather detailed answer, unSpawn.

So, if I understand it correctly, this will be the 'fixed' ruleset:

Code:
# Generated by iptables-save v1.4.7 on Fri Jan 18 09:50:38 2013
*nat
:PREROUTING ACCEPT [82267:8879482]
:POSTROUTING ACCEPT [1476:99283]
:OUTPUT ACCEPT [1473:101127]
COMMIT
# Completed on Fri Jan 18 09:50:38 2013
# Generated by iptables-save v1.4.7 on Fri Jan 18 09:50:38 2013
*mangle
:PREROUTING ACCEPT [124135:26459091]
:INPUT ACCEPT [109958:24755714]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [94032:13409849]
:POSTROUTING ACCEPT [94026:13407645]
COMMIT
# Completed on Fri Jan 18 09:50:38 2013
# Generated by iptables-save v1.4.7 on Fri Jan 18 09:50:38 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback interface
-A INPUT -i lo -j ACCEPT 
-A FORWARD -i lo -o lo -j ACCEPT 
# First come, first serves
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset 
# SSH
-A INPUT -s [SSH-IP]/32 -p tcp -m tcp --dport 22 -j ACCEPT --state NEW
# DNS
-A INPUT -p udp -m udp --dport 53 -j ACCEPT --state NEW
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT --state NEW
# Allow incoming HTTP, HTTPS and Plesk Panel traffic
-A INPUT -p tcp -m tcp --dports http https 8443 -j ACCEPT --state NEW
# Drop invalid packets
-A INPUT -m state --state INVALID -j DROP --state NEW
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j DROP --state NEW
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Fri Jan 18 09:50:38 2013
 
Old 01-19-2013, 01:32 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927
Almost. See where this differs from yours, then read back my previous post:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j REJECT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -s [SSH-IP]/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 80,443,8443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j DROP
COMMIT
 
Old 01-19-2013, 01:43 PM   #7
Brambo
LQ Newbie
 
Registered: Jan 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
I see that I didn't follow up all your feedback. I forgot to remove the output rules (except for the allow output), and the forward rules.

So this would be the final version, correct?

Code:
*nat
:PREROUTING ACCEPT [82267:8879482]
:POSTROUTING ACCEPT [1476:99283]
:OUTPUT ACCEPT [1473:101127]
COMMIT
*mangle
:PREROUTING ACCEPT [124135:26459091]
:INPUT ACCEPT [109958:24755714]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [94032:13409849]
:POSTROUTING ACCEPT [94026:13407645]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j REJECT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -s [SSH-IP]/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 53, 80,443,8443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j DROP
COMMIT
Is there a reason to mention to drop ICMP traffic, because it drops all incoming traffic not explicitly allowed?
 
Old 01-19-2013, 01:53 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927
Quote:
Originally Posted by Brambo View Post
I see that I didn't follow up all your feedback. I forgot to remove the output rules (except for the allow output), and the forward rules.
Few other "minor" things that might have kept your rule set from loading but I won't sum it all up.


Quote:
Originally Posted by Brambo View Post
So this would be the final version, correct
Almost: with "--dports" there's comma separated ports, no spaces between them.


Quote:
Originally Posted by Brambo View Post
Is there a reason to mention to drop ICMP traffic, because it drops all incoming traffic not explicitly allowed?
No there isn't. BTW your latest rule set is completely different compared with the first one wrt the amount of open ports and the [INETx] addresses?
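The slips unSpawn points at in posts #6 and #8 (match options placed after "-j", "--state" without "-m state", "--dports" without "-m multiport", an option given twice, and a space inside a port list), as an added lint pass that is not part of the thread. The sample lines are Brambo's own from posts #5 and #7; the problem codes are this example's invention.

```python
# Added example, not code from the thread: a lint pass over iptables-save "-A"
# lines for the mistakes unSpawn calls out in posts #6 and #8. The sample rule
# lines below are copied from Brambo's posts #5 and #7; the codes are ours.
import shlex

TARGET_OPTS = ("--reject-with", "--to-", "--log-")   # options of a target, not of a match

def lint_rule(line):
    """Return a list of problem codes for one '-A CHAIN ...' rule line."""
    t = shlex.split(line)
    codes = []
    opts = [tok for tok in t if tok.startswith("--")]
    # iptables only knows --state once "-m state" has loaded the match module
    if "--state" in opts and "state" not in t:
        codes.append("state-without-module")
    if "--dports" in opts:
        if "multiport" not in t:                     # same for --dports and -m multiport
            codes.append("dports-without-multiport")
        i = t.index("--dports")
        ports, nxt = t[i + 1], (t[i + 2] if i + 2 < len(t) else "-")
        # a valid list is one token; a following token that is not an option means
        # the list was split by a space ("53, 80,443" or "http https 8443")
        if ports.endswith(",") or not nxt.startswith("-"):
            codes.append("dports-has-space")
    if len(opts) != len(set(opts)):                  # e.g. --state INVALID ... --state NEW
        codes.append("duplicate-option")
    if "-j" in t:
        after = t[t.index("-j") + 2:]                # everything past the target name
        # iptables-save never writes match options after -j; keeping them in front
        # of the target is how the posted rule sets stay readable and comparable
        if any(o.startswith("--") and not o.startswith(TARGET_OPTS) for o in after):
            codes.append("option-after-target")
    return codes

def lint(save_text):
    """Lint every -A line of an iptables-save dump; returns {line: codes} for hits."""
    return {ln: c for ln in save_text.splitlines()
            if ln.startswith("-A") and (c := lint_rule(ln))}

SAMPLE = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -s [SSH-IP]/32 -p tcp -m tcp --dport 22 -j ACCEPT --state NEW
-A INPUT -p tcp -m tcp --dports http https 8443 -j ACCEPT --state NEW
-A INPUT -m state --state INVALID -j DROP --state NEW
-A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 53, 80,443,8443 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 80,443,8443 -j ACCEPT
"""

if __name__ == "__main__":
    for ln, codes in lint(SAMPLE).items():
        print(f"{', '.join(codes):60s} {ln}")
```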