LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Applying iptables rules / don't seem to work once I change them (https://www.linuxquestions.org/questions/linux-newbie-8/applying-iptables-rules-don%27t-seem-to-work-once-i-change-them-677919/)

jonwondering 10-20-2008 08:31 PM

Applying iptables rules / don't seem to work once I change them
 
Okay, I think I am retarded when it comes to iptables. I modified Plesk's standard iptables config script file, just to have the basics there. Now it looks like this:
Code:

#!/bin/sh

set -e

# Turn forwarding off while the rules are rebuilt.
echo 0 > /proc/sys/net/ipv4/ip_forward
# Remove the legacy ipchains layer if it happens to be present.
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true
# Start from an empty filter table: flush rules, delete user chains, zero counters.
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
# INPUT: default deny; pass replies to existing connections, reset stray non-SYN TCP, drop INVALID.
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
# OUTPUT and FORWARD: the same pattern.
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
# Loopback traffic is always allowed.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
# Leave the mangle and nat tables empty with ACCEPT policies.
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P INPUT ACCEPT
/sbin/iptables -t mangle -P FORWARD ACCEPT
/sbin/iptables -t mangle -P POSTROUTING ACCEPT
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT

# Services reachable from outside: HTTP and HTTPS only.
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Drop ICMP echo requests (ping).
/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j DROP

# Explicit final drops (redundant with the DROP policies above).
/sbin/iptables -A INPUT -j DROP

/sbin/iptables -A OUTPUT -j DROP

/sbin/iptables -A FORWARD -j DROP

# Re-enable forwarding and record that state for Plesk's firewall module.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /usr/local/psa/var/modules/firewall/ip_forward.active
chmod 644 /usr/local/psa/var/modules/firewall/ip_forward.active

All great and exciting. And now I don't know how to save it or apply it. If I run the script it runs just fine, and when I do iptables -L it shows my new rules. But does that mean that those rules are already applied to the server, or not? When I nmap it, there are still bagillion of ports open. I read on this forum that I have to do this: iptables-save > /etc/sysconfig/iptables, but that doesn't seem to work... Any help or ideas will be appreciated...

Thanks.

plpl303 10-20-2008 09:09 PM

If you do iptables --list, that shows the current rule set -- there's no separate "apply" step needed.

Quote:

or not? When I nmap it, there are still bagillion of ports open.
Your ruleset will pass ports 80 and 443, so these will appear open. But it's also passing everything from the loopback -- are you nmapping from localhost or from a remote host?

billymayday 10-20-2008 09:10 PM

It depends on your distro, which you haven't mentioned.

Can you also show iptables -L and the output of nmap? I don't even have a bagzillion ports, let alone open ones.

jonwondering 10-20-2008 09:28 PM

plpl303, I am scanning from a remote machine, my own computer. I don't know much about iptables, just modified Plesk's firewall to pass minimum traffic...

billymayday, this one is hosted on mediatemple's CentOS, not sure of the version. Here's the output of iptables -L:

Code:

Chain INPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
REJECT    tcp  --  anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP      all  --  anywhere            anywhere            state INVALID
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:http
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:https
DROP      icmp --  anywhere            anywhere            icmp type 8 code 0
DROP      all  --  anywhere            anywhere           

Chain FORWARD (policy DROP)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
REJECT    tcp  --  anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP      all  --  anywhere            anywhere            state INVALID
ACCEPT    all  --  anywhere            anywhere           
DROP      all  --  anywhere            anywhere           

Chain OUTPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
REJECT    tcp  --  anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP      all  --  anywhere            anywhere            state INVALID
ACCEPT    all  --  anywhere            anywhere           
DROP      all  --  anywhere            anywhere

By the way, I just noticed that ACCEPT anywhere anywhere rule above http on INPUT. Is that supposed to be there??!

plpl303 10-20-2008 09:51 PM

Quote:

Originally Posted by jonwondering (Post 3317075)
ACCEPT tcp -- anywhere anywhere tcp dpt:http

Ah, but try

iptables --list --verbose


I suspect this one is the one for the loopback interface, since that rule is being added right after the --state INVALID rule.

In other words, if you see something like

1000 110K ACCEPT all -- lo any anywhere anywhere


then it's a loopback-only rule.


Oh, you might also try replacing

/sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset

with

/sbin/iptables -A INPUT -p tcp -m state --state NEW -j REJECT --reject-with tcp-reset

jonwondering 10-20-2008 10:04 PM

Yeah, that's a loopback rule, and that line that you recommended does bad stuff to the server - the request times out, or it can't connect.... :(

billymayday 10-20-2008 10:44 PM

You shouldn't need

Quote:

/sbin/iptables -A INPUT -j DROP

/sbin/iptables -A OUTPUT -j DROP

/sbin/iptables -A FORWARD -j DROP

since your policy is drop (you're only doubling up, so no harm as such)

Can you show that nmap output (run it from an external machine if possible)?

Actual version will be in /etc/redhat-release, but knowing it's CentOS is enough.

I have a basic firewall running, then from rc.local, call a script that flushes the tables and enters new rules (much like yours, but somewhat more of them). There are various ways to do it on RH distros, but I find this simple, portable, etc.

jonwondering 10-20-2008 11:25 PM

Here's just a sample of the output for: "nmap -T Aggressive -A -v .com"
I don't know what's going on anymore, every time it seems to find a random huge number of open ports. I am scanning from my own computer, which is a remote one for that IP... what are all these open ports?!

Code:

Starting Nmap 4.68 ( http://nmap.org ) at 2008-10-20 22:14 Central Daylight Time
Initiating Ping Scan at 22:14
Scanning xx.xx.xx.xx [2 ports]
Completed Ping Scan at 22:14, 0.76s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:14
Completed Parallel DNS resolution of 1 host. at 22:14, 0.25s elapsed
Initiating SYN Stealth Scan at 22:14
Scanning .com (xx.xx.xx.xx) [1715 ports]
Discovered open port 22/tcp on xx.xx.xx.xx
Discovered open port 554/tcp on xx.xx.xx.xx
Discovered open port 25/tcp on xx.xx.xx.xx
Discovered open port 389/tcp on xx.xx.xx.xx
Discovered open port 1723/tcp on xx.xx.xx.xx
Discovered open port 443/tcp on xx.xx.xx.xx
Discovered open port 21/tcp on xx.xx.xx.xx
Discovered open port 3389/tcp on xx.xx.xx.xx
Discovered open port 636/tcp on xx.xx.xx.xx
Discovered open port 256/tcp on xx.xx.xx.xx
Discovered open port 80/tcp on xx.xx.xx.xx
Discovered open port 53/tcp on xx.xx.xx.xx
Discovered open port 113/tcp on xx.xx.xx.xx
Discovered open port 542/tcp on xx.xx.xx.xx
Discovered open port 1984/tcp on xx.xx.xx.xx
Discovered open port 202/tcp on xx.xx.xx.xx
Discovered open port 32773/tcp on xx.xx.xx.xx
Discovered open port 2042/tcp on xx.xx.xx.xx
SYN Stealth Scan Timing: About 46.91% done; ETC: 22:15 (0:00:34 remaining)
Discovered open port 37/tcp on xx.xx.xx.xx
Discovered open port 266/tcp on xx.xx.xx.xx
SYN Stealth Scan Timing: About 33.59% done; ETC: 22:17 (0:02:12 remaining)
Increasing send delay for xx.xx.xx.xx from 0 to 5 due to 13 out of 32 dropped probes since last increase.
Discovered open port 7201/tcp on xx.xx.xx.xx
Discovered open port 1364/tcp on xx.xx.xx.xx
Increasing send delay for xx.xx.xx.xx from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Discovered open port 1472/tcp on xx.xx.xx.xx
Discovered open port 691/tcp on xx.xx.xx.xx
SYN Stealth Scan Timing: About 17.93% done; ETC: 22:33 (0:15:18 remaining)
Discovered open port 777/tcp on xx.xx.xx.xx
Discovered open port 7937/tcp on xx.xx.xx.xx
Discovered open port 46/tcp on xx.xx.xx.xx
Discovered open port 2105/tcp on xx.xx.xx.xx
Discovered open port 546/tcp on xx.xx.xx.xx
Warning: Giving up on port early because retransmission cap hit.
Discovered open port 388/tcp on xx.xx.xx.xx
Discovered open port 366/tcp on xx.xx.xx.xx
Discovered open port 7070/tcp on xx.xx.xx.xx
Discovered open port 421/tcp on xx.xx.xx.xx
Discovered open port 973/tcp on xx.xx.xx.xx
...


jonwondering 10-21-2008 10:36 AM

This is really weird, I scanned it again, and it shows 1715 ports open... ports like pcAnywhere (65301), Elite (31337), SubSeven (27374) and a whole bunch of others. Have I been hacked? MediaTemple refuses to help since they say it's a dedicated virtual and not their concern...

jonwondering 10-21-2008 10:42 AM

Could it be somehow that the firewall simply lets through a lot of the packets? Because I don't even think the server is running all the programs nmap lists, like VNC or pcAnywhere. Those are not even installed...

plpl303 10-21-2008 10:07 PM

Quote:

Originally Posted by jonwondering (Post 3317093)
yeah, that's a loopback rule, and that line that you recommended does bad stuff to server - request times out, or it can't connect.... :(

Ah, well if the system is a server then you would want the rules to pass traffic to come before the deny rule, since iptables applies them in order top to bottom, for the most part.


So would this (or something like it) do what you want?

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state NEW -j REJECT

The first rule says "pass any traffic that is related to an existing connection or part of an existing connection"
The second says "pass any traffic that is destined for the web server port (80)"
The third says "pass any traffic destined for port 443"
The fourth says "reject any incoming connection attempt" (but since we've already passed 80 and 443 and any established connections, those packets should continue to be passed through).
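plpl303's two suggestions differ only in where the "reject NEW" rule sits: swapped in for `! --syn` in place it lands above the port 80/443 accepts (and jonwondering saw the server time out), while in the ruleset above it comes after them. The simulator below is an added example, not iptables and not code from the thread; it models only the matches used in this thread (`-m state`, `-p`, `--dport`, `--syn` / `! --syn`, `-i`) with iptables' first-match semantics, and runs the same constructed probe packets through the poster's original INPUT chain, the in-place swap, and the reordered chain. Names such as `Packet`, `Rule` and `verdicts` are this example's own.

```python
"""First-match simulation of an iptables INPUT chain (constructed example).

Not iptables: only the matches the thread uses are modelled, enough to
show why the position of a "reject NEW" rule decides whether a web
server is reachable.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int = 0             # TCP/UDP port, or ICMP type for icmp
    syn: bool = False          # TCP with SYN set and ACK clear (what --syn tests)
    state: str = "NEW"         # conntrack view: NEW, ESTABLISHED, RELATED, INVALID
    iface: str = "eth0"        # incoming interface (-i)


@dataclass
class Rule:
    target: str                              # ACCEPT, DROP or REJECT
    proto: Optional[str] = None              # -p
    dport: Optional[int] = None              # --dport (or ICMP type here)
    states: Optional[FrozenSet[str]] = None  # -m state --state ...
    syn: Optional[bool] = None               # True = --syn, False = ! --syn
    iface: Optional[str] = None              # -i

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto is None or pkt.proto == self.proto)
            and (self.dport is None or pkt.dport == self.dport)
            and (self.states is None or pkt.state in self.states)
            and (self.syn is None or pkt.syn == self.syn)
            and (self.iface is None or pkt.iface == self.iface)
        )


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """iptables semantics: the first matching rule decides, else the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


EST = frozenset({"ESTABLISHED", "RELATED"})
NEW = frozenset({"NEW"})

# The poster's INPUT chain, in the order the script adds it.
ORIGINAL = [
    Rule("ACCEPT", states=EST),
    Rule("REJECT", proto="tcp", syn=False),          # -p tcp ! --syn
    Rule("DROP", states=frozenset({"INVALID"})),
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", proto="tcp", dport=443),
    Rule("DROP", proto="icmp", dport=8),             # echo-request
    Rule("DROP"),
]

# First suggestion applied literally: "! --syn" replaced by "--state NEW" in
# the same position, i.e. above the port accepts.
NEW_REJECT_TOO_EARLY = [ORIGINAL[0], Rule("REJECT", proto="tcp", states=NEW)] + ORIGINAL[2:]

# Second suggestion: accept the wanted services first, then reject other NEW.
ACCEPT_THEN_REJECT = [
    Rule("ACCEPT", states=EST),
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", proto="tcp", dport=443),
    Rule("REJECT", proto="tcp", states=NEW),
]

# Constructed probe packets.
PROBES = {
    "new_syn_80": Packet("tcp", 80, syn=True, state="NEW"),
    "new_syn_22": Packet("tcp", 22, syn=True, state="NEW"),
    "established_80": Packet("tcp", 80, syn=False, state="ESTABLISHED"),
    "stray_ack_22": Packet("tcp", 22, syn=False, state="NEW"),  # ACK with no connection behind it
    "ping": Packet("icmp", 8),
}


def verdicts(chain: List[Rule]) -> Dict[str, str]:
    """Verdict for every probe against one chain (policy DROP, as in the script)."""
    return {name: evaluate(chain, pkt) for name, pkt in PROBES.items()}


if __name__ == "__main__":
    for label, chain in (("original", ORIGINAL),
                         ("NEW reject above accepts", NEW_REJECT_TOO_EARLY),
                         ("accepts then NEW reject", ACCEPT_THEN_REJECT)):
        print(f"{label:26s} {verdicts(chain)}")
```

With the reject placed above the accepts every new connection to port 80 is reset, which is the "request times out / can't connect" symptom; with the accepts first only ports 80 and 443 take new connections and everything else NEW is rejected. From a scanner's side the two deny actions look different: a REJECT with tcp-reset is reported as closed, a DROP (the chain policy) as filtered.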

plpl303 10-21-2008 10:10 PM

What does

netstat -taup

show? Does netstat think there are open ports? Does it know anything about the programs that are supposedly holding them open?

jonwondering 10-22-2008 10:08 AM

plpl303, netstat -taup shows only 10 or so of the processes listening to ports - the ones that I know are supposed to be there, like pop3, ssh, plesk, and all of those. It doesn't show, or mention, any of the hundreds that nmap shows as "open". I don't know why the rules don't work, since I am basically modifying Plesk's standard rules by commenting out a few incoming ones that are allowed...
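The comparison plpl303 asks for, and the result jonwondering reports (about ten listeners in netstat against hundreds of "open" ports in nmap), can be made mechanical. The script below is an added example, not code from the thread: it parses the "Discovered open port" lines of nmap's verbose output and the LISTEN rows of netstat -taup, then sorts each port nmap calls open into "reachable listener", "bound to loopback only" or "no listener at all". Both inputs are constructed samples in the shape of the outputs quoted in the thread; the addresses, ports, PIDs and program names are made up, and the function names are this example's own.

```python
"""Reconcile nmap's "open" ports with the host's own listener table.

Added example, not from the thread. Both inputs are constructed samples
shaped like the nmap -v and netstat -taup output quoted in the thread.
"""
import re
from typing import Dict, List, Set

NMAP_OUTPUT = """\
Initiating SYN Stealth Scan at 22:14
Scanning example.invalid (xx.xx.xx.xx) [1715 ports]
Discovered open port 22/tcp on xx.xx.xx.xx
Discovered open port 554/tcp on xx.xx.xx.xx
Discovered open port 25/tcp on xx.xx.xx.xx
Discovered open port 443/tcp on xx.xx.xx.xx
Discovered open port 3389/tcp on xx.xx.xx.xx
Discovered open port 80/tcp on xx.xx.xx.xx
Discovered open port 53/tcp on xx.xx.xx.xx
Discovered open port 3306/tcp on xx.xx.xx.xx
Discovered open port 31337/tcp on xx.xx.xx.xx
Increasing send delay for xx.xx.xx.xx from 0 to 5 due to 13 out of 32 dropped probes since last increase.
"""

NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1300/master
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1401/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1500/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1500/httpd
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      1600/xinetd
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      1650/httpsd
tcp        0      0 xx.xx.xx.xx:22          203.0.113.5:51234       ESTABLISHED 1700/sshd: admin
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1800/named
"""

OPEN_RE = re.compile(r"^Discovered open port (\d+)/tcp on ")
LOOPBACK_PREFIXES = ("127.", "::1")


def nmap_open_tcp_ports(text: str) -> Set[int]:
    """TCP ports a SYN scan reported open, i.e. nmap received a SYN/ACK for them."""
    return {int(m.group(1)) for m in map(OPEN_RE.match, text.splitlines()) if m}


def netstat_tcp_listeners(text: str) -> Dict[int, Dict[str, str]]:
    """TCP LISTEN sockets by port: bound address and owning program."""
    listeners: Dict[int, Dict[str, str]] = {}
    for line in text.splitlines():
        fields = line.split()
        # Header lines, udp rows and non-LISTEN tcp rows are skipped.
        if len(fields) < 7 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # handles "0.0.0.0:22" and ":::22"
        listeners[int(port)] = {"addr": addr, "program": " ".join(fields[6:])}
    return listeners


def reconcile(nmap_text: str, netstat_text: str) -> Dict[str, List[int]]:
    """Bucket each port nmap reported open by what the host itself knows about it."""
    listeners = netstat_tcp_listeners(netstat_text)
    result: Dict[str, List[int]] = {"reachable": [], "loopback_only": [], "no_listener": []}
    for port in sorted(nmap_open_tcp_ports(nmap_text)):
        info = listeners.get(port)
        if info is None:
            result["no_listener"].append(port)
        elif info["addr"].startswith(LOOPBACK_PREFIXES):
            result["loopback_only"].append(port)   # cannot be reached from a remote scanner
        else:
            result["reachable"].append(port)
    return result


if __name__ == "__main__":
    for bucket, ports in reconcile(NMAP_OUTPUT, NETSTAT_OUTPUT).items():
        print(f"{bucket:14s} {ports}")
```

A port in the "no_listener" bucket means the SYN/ACK nmap saw was not produced by a socket on this host (a kernel with nothing listening answers a SYN with a reset), so either something in the path between the scanner and the guest answered, or the scan itself is unreliable; the quoted output already shows dropped probes and a retransmission cap being hit, which is a reason to rerun the scan at a slower timing before reading anything into the port list.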

billymayday 10-22-2008 03:23 PM

I take it you only have one NIC on this machine?

jonwondering 10-22-2008 05:32 PM

Ahhh. I am kinda a newbie when it comes to networking, and retarded when it comes to security. What is a NIC? The machine that this is hosted on is a dedicated virtual on a mediatemple host... I have no idea what they have.

