Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I'm currently researching into iptables in a bid to secure my server (debian sarge 2.4), right now it is wide open, but behind my router.
Anyway, i was using this site as a guide - http://www.iptablesrocks.org/ which gives a ruleset to import into iptables, i did that fine, SSH and http etc were fine ( i was SSHing in from win xp).
However when booting into Fedora core 4 it hangs on the mounting NFS filesystems, i figure the new iptable rules are blocking the NFS connection.
so i googled around for NFS ports and with that and rpcinfo -p i got the ports for mountd, portmapper, nfs. i added these into the ruleset and imported it, below is the modified ruleset
Code:
#The NAT portion of the ruleset. Used for Network Address Transalation.
#Usually not needed on a typical web server, but it's there if you need it.
*nat
:PREROUTING ACCEPT [127173:7033011]
:POSTROUTING ACCEPT [31583:2332178]
:OUTPUT ACCEPT [32021:2375633]
COMMIT
#The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
#This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
#The FILTER section of the ruleset is where we initially drop all packets and then selectively open certain ports.
#We will also enable logging of all dropped requests.
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
:icmp_packets - [0:0]
#First, we cover the INPUT rules, or the rules for incoming requests.
#Note how at the end we log any incoming packets that are not accepted.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2219 -j ACCEPT
-A INPUT -p udp -m udp --dport 2219 -j ACCEPT
#uncomment the next line if you are running Spamassassin on your server
-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 59000 -j ACCEPT
-A INPUT -p udp -m udp --dport 59000 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP
#Next, we cover the OUTPUT rules, or the rules for all outgoing traffic.
#Note how at the end we log any outbound packets that are not accepted.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
#uncomment the next line if you are running Spamassassin on your server
#-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG_DROP
#Here we have 2 sets of logging rules. One for dropped packets to log all dropped requests and one for accepted packets, should we wish to log any accepted requesets.
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options
-A LOG_DROP -j DROP
-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-tcp-options --log-ip-options
-A LOG_ACCEPT -j ACCEPT
#And finally, a rule to deal with ICMP requests. We drop all ping requests except from our own server.
# Make sure you replace 1.2.3.4 with the IP address of your server.
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -s 192.168.1.101 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT
Having done this and rebooting fedora, it still hangs at boot up, so i am guessing i still need to add more rules (NFS works fine when all ports are open)
Can anyone shed some light on my problem?? ammendments to the above rules etc?
If you already have a firewall in front of your server then it won't be open to the rest of the world, but It never hurts to have extra security.
I only have limited knowledge of iptables myself but by the looks of the script and I also had a quick look at the site, it's not a very well written script.
Firstly you only use postroute and preroute chains when you have 2 network interfaces, you need 2 networks to route basically. Secondly they have written
many rules when you can have done the same in problably a 1/4 of the rules, and also be easier to understand.
Since this is a server on your local network it would be safe to say that you trust all machines on your network, is the nfs only accessable to your local network and not from the internet?
I wrote a little script to help some else here so I will post it again and edit it for you it should do the trick.
# allow connections internal network
$IPTABLES -A INPUT -i eth0 -s $NETID -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow all other established or related only ( Anything not from your network)
$IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# The rest we will log and drop
$IPTABLES -A INPUT -i eth0 -j LOGDROP
#######################################################################
exit 0
# End of Script
#######################################################################
Sorry forgot to tell you to make a script out of it so you can forget about the iptables-restore or iptables-save.
By making a script it will always be there and load everytime you restart the machine no need to saved or restore.
First create a file called rc.firewall in the /etc/rc.d directory, paste the contents now make the file executable by changing the permissions on it
type as root in the command line:
chmod 755 /etc/rc.d/rc.firewall
Basically everything in the /etc/rc.d directory should be executed at boot time, but I have found for my fedora core 4 it
doesn't. If this happens for you place this line in your /etc/rc.d/rc.local and it will execute for sure at boot time:
/etc/rc.d/rc.firewall
To see what rules have been loaded just type at the prompt:
iptables -L
And it will list them out and then you know their loaded
Also I forgot to load the modules for the script so I've made an adjustment use this one instead, this maybe the reason for
the errors. Sometimes the line that has the errors is not always the actual line that is the cause. Also make sure you create the file in linux
and not in windows, windows has a habbit of putting errors in the script which can cause all sorts of headaches like errors when executing the script.
# allow connections internal network
$IPTABLES -A INPUT -i eth0 -s $NETID -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow all other established or related only ( Anything not from your network)
$IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# The rest we will log and drop
$IPTABLES -A INPUT -i eth0 -j LOGDROP
#######################################################################
exit 0
# End of Script
#######################################################################
From the look of that it seems to me everything is still open wide, atleast the script i had before to open everything while i worked is still in effect?
From the look of that it seems to me everything is still open wide, atleast the script i had before to open everything while i worked is still in effect?
The firewall is only open to everything on your network, because your network is trusted, however anything from outside the network cannot connect to
the server. The ipt_state module handles this, this is where you get the rule with the -m state --state ESTABLISHED,RELATED. Anything from the internet
cannot reach your server anyway, the only way it can reach it is if you have portforwarding on your router and redirecting an outside port to the server directly.
Quote:
From the look of that it seems to me everything is still open wide, atleast the script i had before to open everything while i worked is still in effect?
If your rules are still in effect you will need to delete them and let the script do the work for you, otherwise you will have to sets of rules running everytime you
bootup.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
