LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

Old 06-08-2005, 01:44 PM   #1
Sharaz
Member
 
Registered: Jun 2005
Location: Dallas, TX
Distribution: Fedora 11,12, RedHat4,6, CentOS4,5, FreeBSD7,8
Posts: 70
An iptables project I'm working on

I am working on my first major iptables project. I have a fairly good understanding of how the rules, chains and tables work, but I'm obviously missing something. My servers are safely hidden behind a Cisco PIX 515, and each has a static NAT to an Internet IP. Each service on each box has an access-list entry to expose the port to the net. Before my firewall project, everything worked perfectly.

My goal is to configure iptables on my servers as if they were sitting directly on the public Internet. I made a nice long commented script, as general as possible, to be used on all servers (I just comment out what I don't need on each server). Here is what it looks like:

Code:
#!/bin/bash
# Start from an empty filter table; the trailing "iptables -A INPUT -j DROP"
# below is what makes this a default-deny policy for inbound traffic.
iptables --flush

# Block Specific IPs from any access
# (must come before any ACCEPT rule, otherwise the earlier ACCEPTs for
# http, ftp, dns etc. match first and the block never takes effect)
iptables -A INPUT -s 67.166.208.69 -j DROP
#
# Allow Related and Established Traffic
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow Localhost, and ICMP from local LAN
iptables -A INPUT -p icmp -s x.x.0.0/16 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Trusted Networks
# SSH port
iptables -A INPUT -p tcp -s x.x.0.0/16 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s x.x.x.x --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s x.x.x.0/24 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s x.x.x.0/24 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s x.x.0.0/16 --dport 22 -j ACCEPT
# Webmin port
iptables -A INPUT -p tcp -s x.x.0.0/16 --dport 10000 -j ACCEPT
iptables -A INPUT -p tcp -s x.x.x.x --dport 10000 -j ACCEPT
iptables -A INPUT -p tcp -s x.x.x.0/24 --dport 10000 -j ACCEPT
iptables -A INPUT -p tcp -s x.x.x.0/24 --dport 10000 -j ACCEPT
iptables -A INPUT -p tcp -s x.x.0.0/16 --dport 10000 -j ACCEPT
#
# Shane's IP
# iptables -A INPUT -p tcp -s x.x.x.x --dport 22 -j ACCEPT
#
# Allowed Services
# Allow http and https
iptables -A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
# Allow FTP
# 21 is the control channel. The data channel (active or passive) is only
# matched by the ESTABLISHED,RELATED rule above when the kernel's FTP
# connection-tracking helper (ip_conntrack_ftp) is loaded.
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
# Allow DNS
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# Allow Mail Services SMTP and POP3
# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
# Allow MySQL
# iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
# Allow Samba from local x.x. network (NetBIOS 137/138 are UDP, 139 is TCP)
# iptables -A INPUT -p udp -s x.x.0.0/16 --dport 137:138 -j ACCEPT
# iptables -A INPUT -p tcp -s x.x.0.0/16 --dport 139 -j ACCEPT
# Allow DHCP requests (DHCP is UDP; a server receives requests on port 67)
# iptables -A INPUT -p udp --dport 67 -j ACCEPT
# Allow SNMP From Local Network
iptables -A INPUT -p udp -s x.x.0.0/16 --dport 161 -j ACCEPT
#
# Block Everything Else all ports
iptables -A INPUT -j DROP
#
# Rules for outbound traffic (both are no-ops while the OUTPUT chain keeps
# its default ACCEPT policy)
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

As you can see, it's quite a simple iptables config, nothing crazy: inbound traffic only. My last 2 lines are there just because; everything that is currently working still works without them, and the broken items are still broken whether they are there or not. httpd is working; SMTP, POP3, DHCP, DNS and SNMP are all working normally. FTP is giving me fits.

Originally (before I decided to sit down with this project), I had iptables configured only to manage ports 22 and 10000, and nothing else was blocked. FTP connections inbound through my Cisco PIX had no trouble with any FTP client. Now that I have iptables running, FTP is timing out. I suspect my FTP problem comes from the data session: the server sends the port to connect to back to the client, and the client obviously can't get there. I'm positive the PIX firewall is not my problem, because I sent this same firewall script to a box that *does* sit right on the Internet, and it gets the same behavior.

Can someone tell me what I'm doing wrong, either with my entire config or with the FTP rules? I would really appreciate any help or pointers.

thanks,
jonathan

Last edited by Sharaz; 06-08-2005 at 01:48 PM.
 
Old 06-08-2005, 02:14 PM   #2
mhallbiai
Member
Registered: Jun 2005
Posts: 96

The problem comes when using PASV FTP (I believe). I had to open 20:21,50000:55000 and configure my FTP server to use the 50000:55000 port range for connections.

hope this helps
 
Old 06-08-2005, 02:17 PM   #3
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Sharaz, do you have the ip_conntrack_ftp module loaded?


Last edited by win32sux; 06-08-2005 at 02:33 PM.
 
Old 06-08-2005, 02:26 PM   #4
mhallbiai
For the server that I have running I do not load the conntrack_ftp module.
 
Old 06-08-2005, 02:29 PM   #5
win32sux
Quote:
Originally posted by mhallbiai
For the server that I have running I do not load the conntrack_ftp module.
And that's why you have to open all those ports...

connection tracking eliminates the need to open a bunch of ports like you had to do back in the ipchains days...
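
To make that point concrete, here is an added example (written for this page; it is not code from the thread or from the netfilter project) that does in POSIX shell what the ip_conntrack_ftp / nf_conntrack_ftp helper does on the control connection: it decodes the `h1,h2,h3,h4,p1,p2` tuple from a client's PORT command or a server's 227 PASV reply into the address and port of the upcoming data connection, which is what the kernel registers as an expectation so that the data connection is classified RELATED and needs no static port rule. It also mirrors the helper's default strict behaviour (the `loose` module parameter is off): when the advertised address does not match the peer on the control connection, no expectation is created, and a RELATED-only rule set would then drop the data channel. The control-channel lines and IP addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): decode the data-channel address the way
# the FTP connection-tracking helper does, so a RELATED rule can match it.

# "h1,h2,h3,h4,p1,p2" -> "h1.h2.h3.h4 PORT", with PORT = p1*256 + p2.
# Returns 1 on anything that is not exactly six decimal fields.
decode_hostport() {
    IFS=, read -r h1 h2 h3 h4 p1 p2 <<EOF
$1
EOF
    for n in "$h1" "$h2" "$h3" "$h4" "$p1" "$p2"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
    done
    echo "$h1.$h2.$h3.$h4 $((p1 * 256 + p2))"
}

# Active mode. $1: "PORT h1,h2,h3,h4,p1,p2" sent by the client.
# $2: the client's address as seen on the control connection.
# Prints the expectation the helper would register; returns 2 when the
# advertised address differs from the peer (ignored in strict mode).
expect_from_port() {
    peer=$2
    line=$(printf '%s' "$1" | tr -d '\r')
    case $line in
        "PORT "*) ;;
        *) return 1 ;;
    esac
    hp=$(decode_hostport "${line#PORT }") || return 1
    set -- $hp
    [ "$1" = "$peer" ] || return 2
    echo "expect data: server -> $1:$2 (RELATED)"
}

# Passive mode. $1: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" sent by
# the server. $2: the server's address on the control connection.
expect_from_pasv() {
    peer=$2
    line=$(printf '%s' "$1" | tr -d '\r')
    case $line in
        227*"("*,*,*,*,*,*")"*) ;;
        *) return 1 ;;
    esac
    inner=${line#*\(}
    inner=${inner%%\)*}
    hp=$(decode_hostport "$inner") || return 1
    set -- $hp
    [ "$1" = "$peer" ] || return 2
    echo "expect data: client -> $1:$2 (RELATED)"
}

# Demonstration on constructed control-channel lines (not captured traffic).
expect_from_port "$(printf 'PORT 10,0,0,5,4,1\r')" 10.0.0.5
expect_from_pasv '227 Entering Passive Mode (192,168,1,10,195,80).' 192.168.1.10
expect_from_pasv '227 Entering Passive Mode (1,2,3,4,0,21).' 192.168.1.10 ||
    echo "no expectation: advertised address differs from the control peer (rc=$?)"
```

The third call is the failure mode a firewall admin should recognise: a server behind NAT that advertises its private address in the PASV reply gets no expectation in strict mode, so the client's data connection is not RELATED and is dropped, even though the helper is loaded. The same decoding is also why the helper cannot work when the control channel is encrypted (FTPS); in that case a fixed passive port range has to be opened instead.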
 
Old 06-08-2005, 02:43 PM   #6
mhallbiai
win32sux, sorry, I didn't realize you were posing that question to Sharaz.
 
Old 06-08-2005, 05:03 PM   #7
Sharaz (Original Poster)
THANK YOU!!! That was it!!

I knew it was going to boil down to something along those lines. I believe my Cisco PIX is intelligent enough to discern the returning/related traffic, and forwards it back to my FTP server as it's supposed to. BUT, now that I have 'drop all' enabled at the FTP server in question, this was the missing piece of my puzzle.

My test box that is directly on the Internet, as well as my production web and FTP boxes, are now behaving perfectly.

Now, my next question is, what is the proper method/best practice of loading this module at boot?
 
Old 06-08-2005, 06:49 PM   #8
win32sux
Quote:
Originally posted by Sharaz
What is the proper method/best practice of loading this module at boot?
Depends on your distro (which are you using?)... In Slackware you just load it from your firewall script... but generally speaking, on any distro you should be fine by adding "/sbin/modprobe ip_conntrack_ftp" to your rc.local or similar startup file... however, your distro might have a "special" file to place the modules you wanna load...


Last edited by win32sux; 06-08-2005 at 06:52 PM.
 
Old 06-08-2005, 06:51 PM   #9
win32sux
BTW, is it really necessary to open port 20/TCP? I would imagine opening port 21/TCP would be enough (to start the connection) and the connection tracking would recognize the port 20 packets as "RELATED"... is that not the case?


Last edited by win32sux; 06-08-2005 at 06:54 PM.
 
Old 06-09-2005, 08:48 AM   #10
Sharaz (Original Poster)
Probably. I've been doing 20:21 since so long ago. My first experience with firewalls was with ipchains, and it only seemed to work with 20:21. And I'm sure even my first iptables setup went the same way, hence my current habit of doing it without question.

However, I'll try port 21 only and see how it goes!
 
Old 06-09-2005, 09:26 AM   #11
Sharaz (Original Poster)
Port 21 only worked, exactly as expected. Thank you all, you've made my day!!

My next question is, how can I get NFS working now?
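
As an added example that is not code from the thread, here is how I would load the helper and rebuild the FTP part of the rule set today, covering both the boot-time question from post #7/#8 and the port-21-only conclusion of posts #9 to #11. It assumes a kernel with the renamed nf_conntrack_ftp module (2.6.20 and later; the script falls back to the old ip_conntrack_ftp name), iptables with the conntrack match and CT target, a systemd-modules-load system for the boot-time part, and a placeholder TRUSTED_NET in place of the thread's x.x.0.0/16. One caveat the 2005 answer could not know: from kernel 4.7 on, the automatic helper assignment that win32sux relied on is off by default (net.netfilter.nf_conntrack_helper = 0), and recent kernels (6.0 onward) have removed the toggle altogether, so modprobe alone is no longer enough; the helper has to be attached to the control connection with a CT rule in the raw table, which the script adds whenever that sysctl reads 0 or is absent.

```shell
#!/bin/sh
# Added example (not from the thread): load the FTP conntrack helper the way a
# current kernel needs it and emit the matching rules. Prints the rules by
# default; RUN=1 as root applies them. TRUSTED_NET is an assumed placeholder.
set -eu

TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"
HELPER_SYSCTL="${HELPER_SYSCTL:-/proc/sys/net/netfilter/nf_conntrack_helper}"
MODULES_CONF=/etc/modules-load.d/ftp-conntrack.conf

# The helper was named ip_conntrack_ftp before kernel 2.6.20 and
# nf_conntrack_ftp since; try the current name first.
load_ftp_helper() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

# Make the module load at boot on a systemd-modules-load system.
persist_ftp_helper() {
    printf 'nf_conntrack_ftp\n' > "$MODULES_CONF"
}

# Returns 0 when loading the module is not enough and the helper must be
# attached explicitly: since kernel 4.7 the sysctl defaults to 0, and newer
# kernels do not have it at all (automatic helper assignment was removed).
needs_explicit_helper() {
    [ -r "$1" ] || return 0
    [ "$(cat "$1")" != "1" ]
}

# Emit one iptables command per line. Only 21/tcp is opened statically; the
# data connection (active or passive) is let in by the RELATED match.
ftp_firewall_rules() {
    if needs_explicit_helper "$1"; then
        echo "iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp"
    fi
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp -s $TRUSTED_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Quick runtime check: is the helper module present and attached?
show_helper_state() {
    lsmod | grep -E 'conntrack_ftp' || echo "ftp helper module not loaded"
    iptables -t raw -S PREROUTING
}

if [ "${RUN:-0}" = 1 ]; then
    load_ftp_helper
    persist_ftp_helper
    iptables -F INPUT
    iptables -t raw -F PREROUTING
    ftp_firewall_rules "$HELPER_SYSCTL" | while IFS= read -r cmd; do sh -c "$cmd"; done
    show_helper_state
else
    ftp_firewall_rules "$HELPER_SYSCTL"
fi
```

With `iptables -P INPUT DROP` as the chain policy, the trailing `iptables -A INPUT -j DROP` of the thread's script is no longer needed. Two things still defeat the helper: FTPS, where the control channel is encrypted and the PORT/PASV exchange cannot be read, so a fixed passive range has to be opened as mhallbiai did; and a RELATED rule restricted with `-i eth0` when the FTP traffic arrives on another interface.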
 
  

