LinuxQuestions.org
Fedora This forum is for the discussion of the Fedora Project.

Old 06-20-2007, 06:30 PM   #1
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Rep: Reputation: 15
iptable rules for new VPS


I am trying to set the rules manually for a new unmanaged VPS

Currently I would like to allow ports 80 and 22 open and prevent any other input connections.

Code:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j REJECT

/etc/init.d/iptables save
/etc/init.d/iptables restart
But this prevented even the nameserver! The strange thing is that adding this line before the reject line
Code:
iptables -A INPUT -s [nameserverIP] -j ACCEPT
did not solve the problem!! I am allowing everything from it, yet I can not reach the net.

So my questions are:

Do I need to include "iptables -A INPUT -j REJECT"? If so, how can I handle the nameserver problem?? This could be obvious but not for me.

P.S. I do not want to use frontends.

Last edited by piforever; 06-20-2007 at 06:32 PM.
 
Old 06-21-2007, 09:49 AM   #2
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
anybody??!!
 
Old 06-21-2007, 10:17 AM   #3
rupertwh
Member
 
Registered: Sep 2006
Location: Munich, Germany
Distribution: Debian / Ubuntu
Posts: 297

Rep: Reputation: 49
Quote:
Originally Posted by piforever
But this prevented even the nameserver! [...]

iptables -A INPUT -s [nameserverIP] -j ACCEPT
did not solve the problem!! I am allowing everything from it, yet I can not reach the net.
If you added that rule after the REJECT rule, it won't have any effect, as everything is rejected already.

But instead of allowing *everything* from some nameserver, you probably rather want to add an INPUT rule such as:
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
(This will also allow e.g. all necessary ICMP traffic)

Quote:
Originally Posted by piforever
Do I need to include "iptables -A INPUT -j REJECT"?
Yes. There is little point in setting up a firewall if you don't drop/reject anything. Alternatively you could just let it fall through to a DROP policy.

So a reasonable minimum setup for your INPUT chain would be:
Code:
iptables --flush INPUT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -j REJECT
(The icmp line makes sure you are also pingable, which can be a nuisance otherwise)
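The first-match behaviour rupertwh describes above, as an added illustration that is not code from the thread: a small Python simulator of an INPUT chain, covering only the matches this thread uses, with a constructed placeholder nameserver address and constructed packets.

```python
# Added example, not from the thread: a tiny first-match simulator for an
# iptables INPUT chain. It models only the matches used in this thread
# (-p, --dport, -s, -i, -m state --state) and shows why the nameserver
# ACCEPT rule in post #1 had no effect when appended (-A) after REJECT,
# and why the ESTABLISHED,RELATED rule in post #3 lets DNS replies in.
NAMESERVER = "192.0.2.53"  # constructed stand-in for [nameserverIP]

def rule(target, **criteria):
    """One chain entry: a jump target plus the match criteria it needs."""
    return dict(target=target, **criteria)

def matches(r, pkt):
    """Every criterion must hold; set-valued criteria (e.g. --state A,B) mean 'any of'."""
    for k, v in r.items():
        if k == "target":
            continue
        ok = pkt.get(k) in v if isinstance(v, (set, frozenset)) else pkt.get(k) == v
        if not ok:
            return False
    return True

def evaluate(chain, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule decides the verdict."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy  # the chain policy applies only when nothing matched

# Post #1: accept 80/22, reject the rest (no state tracking at all).
original = [rule("ACCEPT", proto="tcp", dport=80),
            rule("ACCEPT", proto="tcp", dport=22),
            rule("REJECT")]
# Post #1's attempted fix: -A appends, so the rule sits *after* REJECT.
appended_fix = original + [rule("ACCEPT", src=NAMESERVER)]
# The same rule with -I instead: inserted at the top, so it is actually reached.
inserted_fix = [rule("ACCEPT", src=NAMESERVER)] + original
# Post #3's minimum chain plus the loopback rule from post #5.
recommended = [rule("ACCEPT", iface="lo"),
               rule("ACCEPT", proto="tcp", dport=80),
               rule("ACCEPT", proto="tcp", dport=22),
               rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
               rule("ACCEPT", proto="icmp", icmp_type="echo-request"),
               rule("REJECT")]

# Constructed packets. Conntrack marks the reply to our own DNS query ESTABLISHED.
dns_reply = dict(proto="udp", src=NAMESERVER, sport=53, dport=40000, iface="eth0", state="ESTABLISHED")
loopback = dict(proto="tcp", src="127.0.0.1", dport=7000, iface="lo", state="NEW")
unsolicited = dict(proto="tcp", src="198.51.100.7", dport=3306, iface="eth0", state="NEW")
```

Calling evaluate(chain, packet) for each chain shows the DNS reply rejected by both the original chain and the appended "fix", but accepted by the inserted rule and by the recommended chain, while the unsolicited SYN is rejected everywhere.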
 
Old 06-21-2007, 11:35 AM   #4
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
Thank you for your reply....

*EDITED*

Last edited by piforever; 06-21-2007 at 01:08 PM.
 
Old 06-21-2007, 12:37 PM   #5
rupertwh
Member
 
Registered: Sep 2006
Location: Munich, Germany
Distribution: Debian / Ubuntu
Posts: 297

Rep: Reputation: 49
I forgot: You probably first (right after the flush) want to allow all input traffic on the local interface:
Code:
iptables -A INPUT -i lo -j ACCEPT
Not doing so will break any software that relies on using it.
 
Old 06-22-2007, 05:49 AM   #6
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by rupertwh
I forgot: You probably first (right after the flush) want to allow all input traffic on the local interface:
Code:
iptables -A INPUT -i lo -j ACCEPT
Not doing so will break any software that relies on using it.
This will be permanent in my configurations??
 
Old 06-22-2007, 10:09 AM   #7
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
Hi,

psyBnc over SSH and also samba over SSH did not work till I added these two lines
Code:
/sbin/iptables -I INPUT -s 127.0.0.1 -j ACCEPT
/sbin/iptables -I INPUT -s [my_public_IP] -j ACCEPT
For SAMBA over SSH to work I can do this
Code:
/sbin/iptables -I INPUT -p udp -m multiport -s 127.0.0.1 --destination-port 137,138 -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m multiport -s 127.0.0.1 --destination-port 139,445 -j ACCEPT
But I thought this way is better
Code:
/sbin/iptables -I INPUT -s 127.0.0.1 -j ACCEPT
So my final rules are like this
Code:
iptables --flush INPUT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s [my_public_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -j REJECT
Let us say I can live with allowing 127.0.0.1 and [my_public_IP], is this wrong?? Any security threats??!!!

P.S. I am using SAMBA and psyBnc over SSH because I do not want to open any ports to the public. I tunnel my psyBnc and SAMBA activities through my VPS, I use putty and its dynamic socks proxy feature, so in that case no ports are open to the others.

Last edited by piforever; 06-22-2007 at 10:15 AM.
 
Old 06-22-2007, 12:23 PM   #8
rupertwh
Member
 
Registered: Sep 2006
Location: Munich, Germany
Distribution: Debian / Ubuntu
Posts: 297

Rep: Reputation: 49
Quote:
Originally Posted by piforever
But I thought this way is better
Code:
/sbin/iptables -I INPUT -s 127.0.0.1 -j ACCEPT
Allowing anything on the local interface (-i lo) would have taken care of that, and possibly of having to allow anything from your own public IP. I don't know, though, if samba over ssh introduces any weirdness which requires you to explicitly allow traffic from your own public IP. (If you do, then you'll have to start thinking about IP spoofing.)
You might also want to add a LOG rule, so that you can see what gets stuck in your firewall.

So then you'd have
Code:
iptables --flush INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "INPUT: "
iptables -A INPUT -j REJECT
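To make use of the LOG rule rupertwh adds above, here is an added Python example (not code from the thread) that parses the kernel log lines it produces and counts what was logged just before being rejected; the log lines are constructed samples in the netfilter LOG format, using the hostname "jodel" from the thread and documentation-range addresses.

```python
import re
from collections import Counter

# Added example, not from the thread: parse kernel log lines written by the
# LOG rule in post #8 (--log-prefix "INPUT: ") and count what was logged just
# before being rejected, by protocol/port and by source. SAMPLE_LOG holds
# constructed lines in the netfilter LOG format; hostname "jodel" is from the
# thread, addresses are from documentation ranges, MACs are made up.
SAMPLE_LOG = """\
Jun 22 12:30:01 jodel kernel: INPUT: IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:1a:2b:3c:4d:5e:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 22 12:30:04 jodel kernel: INPUT: IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:1a:2b:3c:4d:5e:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=TCP SPT=51235 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 22 12:31:10 jodel kernel: INPUT: IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:1a:2b:3c:4d:5e:08:00 SRC=192.0.2.99 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=7 PROTO=UDP SPT=1026 DPT=137 LEN=28
Jun 22 12:31:12 jodel kernel: INPUT: IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:1a:2b:3c:4d:5e:08:00 SRC=192.0.2.99 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=113 ID=8 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jun 22 12:31:15 jodel sshd[2231]: Accepted publickey for root from 203.0.113.5 port 40022 ssh2
"""

# Match on the prefix itself so lines with or without a "[uptime]" stamp both work.
LOG_RE = re.compile(r"\bINPUT: (?P<fields>IN=.*)$")

def parse_log_line(line):
    """Return a dict of KEY=VALUE fields from one firewall LOG line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # keep the IP-layer LEN/ID, not the later UDP/ICMP one
        else:
            flags.append(tok)        # bare tokens such as DF, SYN, ACK
    fields["FLAGS"] = flags
    return fields

def summarize(log_text):
    """Count logged packets per PROTO/port (ICMP: per type) and per source address."""
    by_service, by_source = Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        port = f.get("DPT") or "type" + f.get("TYPE", "?")
        by_service[f["PROTO"] + "/" + port] += 1
        by_source[f["SRC"]] += 1
    return by_service, by_source
```

Because every rejected packet produces a line, the LOG rule is normally rate-limited with `-m limit` in practice so that a port scan cannot fill the log.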
 
Old 06-22-2007, 04:32 PM   #9
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
Everything you said is CORRECT

This rule
Code:
/sbin/iptables -A INPUT -i lo -j ACCEPT
Replaced these 2 rules
Code:
/sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -s [my_public_IP] -j ACCEPT
And now I can browse my samba shares and also I can connect to my psyBnc w/o opening any ports to the public!! All through SSH.

I have a question regarding this line
Code:
/sbin/iptables -A INPUT -i lo -j ACCEPT
My FW now looks like this
Code:
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
A like me will read it like this
Quote:
Allow Everything from Any IP to Any Local IP
I know it does not mean that, but why does it look strange?!!
 
Old 06-22-2007, 05:06 PM   #10
rupertwh
Member
 
Registered: Sep 2006
Location: Munich, Germany
Distribution: Debian / Ubuntu
Posts: 297

Rep: Reputation: 49
Quote:
Originally Posted by piforever
My FW now looks like this
Code:
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
A like me will read it like this

I know it does not mean that, but why does it look strange?!!
Yes, but if you add '-v' when listing firewall rules, you can see that the rule applies only to the local interface:
Code:
jodel:~# iptables -L INPUT -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
67297 9307K ACCEPT     0    --  lo     any     anywhere             anywhere        
...
 
Old 06-22-2007, 07:02 PM   #11
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
Thank you for your help and your thorough explanation
 
  

