LinuxQuestions.org
Old 10-20-2008, 07:31 PM   #1
jonwondering
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Rep: Reputation: 0
Applying iptables rules / don't seem to work once I change them


Okay, I think I am retarded when it comes to iptables. I modified Plesk's standard iptables config script file, just to have the basics there. Now it looks like this:
Code:
#!/bin/sh

set -e

echo 0 > /proc/sys/net/ipv4/ip_forward
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P INPUT ACCEPT
/sbin/iptables -t mangle -P FORWARD ACCEPT
/sbin/iptables -t mangle -P POSTROUTING ACCEPT
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT

/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j DROP

/sbin/iptables -A INPUT -j DROP

/sbin/iptables -A OUTPUT -j DROP

/sbin/iptables -A FORWARD -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /usr/local/psa/var/modules/firewall/ip_forward.active
chmod 644 /usr/local/psa/var/modules/firewall/ip_forward.active
All great and exciting. And now I don't know how to save it or apply it. If I run the script it runs just fine, and when I do iptables -L it shows my new rules. But does that mean that those rules are already applied to the server, or not? When I nmap it, there are still bagillion of ports open. I read on this forum that I have to do this: iptables-save > /etc/sysconfig/iptables, but that doesn't seem to work... Any help or ideas will be appreciated...

Thanks.
 
Old 10-20-2008, 08:09 PM   #2
plpl303
Member
 
Registered: Oct 2008
Posts: 31

Rep: Reputation: 15
If you do iptables --list, that shows the current rule set -- there's no separate "apply" step needed.

Quote:
or not? When I nmap it, there are still bagillion of ports open.
Your ruleset will pass ports 80 and 443, so these will appear open. But it's also passing everything from the loopback -- are you nmapping from localhost or from a remote host?
 
Old 10-20-2008, 08:10 PM   #3
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
It depends on your distro, which you haven't mentioned.

Can you also show iptables -L and the output of nmap? I don't even have a bagzillion ports, let alone open ones.
 
Old 10-20-2008, 08:28 PM   #4
jonwondering
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Original Poster
Rep: Reputation: 0
plpl303, I am scanning from a remote machine, my own computer. I don't know much about iptables, just modified Plesk's firewall to pass minimum traffic...

billymayday, this one is hosted on mediatemple's centos, not sure of version. Here's the output of iptables -L:

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
REJECT     tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset 
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
DROP       icmp --  anywhere             anywhere            icmp type 8 code 0 
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
REJECT     tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset 
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
REJECT     tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset 
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere
By the way, I just noticed that ACCEPT anywhere anywhere rule above http on INPUT. Is that supposed to be there??!
 
Old 10-20-2008, 08:51 PM   #5
plpl303
Member
 
Registered: Oct 2008
Posts: 31

Rep: Reputation: 15
Quote:
Originally Posted by jonwondering View Post
ACCEPT tcp -- anywhere anywhere tcp dpt:http
Ah, but try

iptables --list --verbose


I suspect this one is the one for the loopback interface, since that rule is being added right after the --state INVALID rule.

In other words, if you see something like

1000 110K ACCEPT all -- lo any anywhere anywhere


then it's a loopback-only rule.


Oh, you might also try replacing

/sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset

with

/sbin/iptables -A INPUT -p tcp -m state --state NEW -j REJECT --reject-with tcp-reset

Last edited by plpl303; 10-20-2008 at 08:54 PM.
 
Old 10-20-2008, 09:04 PM   #6
jonwondering
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Original Poster
Rep: Reputation: 0
Yeah, that's a loopback rule, and that line that you recommended does bad stuff to the server - the request times out, or it can't connect....
 
Old 10-20-2008, 09:44 PM   #7
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
You shouldn't need

Quote:
/sbin/iptables -A INPUT -j DROP

/sbin/iptables -A OUTPUT -j DROP

/sbin/iptables -A FORWARD -j DROP
since your policy is drop (you're only doubling up, so no harm as such)

Can you show that nmap output (run it from an external machine if possible)?

Actual version will be in /etc/redhat-release, but knowing it's CentOS is enough.

I have a basic firewall running, then from rc.local, call a script that flushes the tables and enters new rules (much like yours, but somewhat more of them). There are various ways to do it on RH distros, but I find this simple, portable, etc.
 
Old 10-20-2008, 10:25 PM   #8
jonwondering
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Original Poster
Rep: Reputation: 0
Here's just a sample output for: "nmap -T Aggressive -A -v .com"
I don't know what's going on anymore, every time it seems to find a random huge number of open ports. I am scanning from my own computer, which is a remote one for that IP... what are all these open ports?!

Code:
Starting Nmap 4.68 ( http://nmap.org ) at 2008-10-20 22:14 Central Daylight Time
Initiating Ping Scan at 22:14
Scanning xx.xx.xx.xx [2 ports]
Completed Ping Scan at 22:14, 0.76s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:14
Completed Parallel DNS resolution of 1 host. at 22:14, 0.25s elapsed
Initiating SYN Stealth Scan at 22:14
Scanning .com (xx.xx.xx.xx) [1715 ports]
Discovered open port 22/tcp on xx.xx.xx.xx
Discovered open port 554/tcp on xx.xx.xx.xx
Discovered open port 25/tcp on xx.xx.xx.xx
Discovered open port 389/tcp on xx.xx.xx.xx
Discovered open port 1723/tcp on xx.xx.xx.xx
Discovered open port 443/tcp on xx.xx.xx.xx
Discovered open port 21/tcp on xx.xx.xx.xx
Discovered open port 3389/tcp on xx.xx.xx.xx
Discovered open port 636/tcp on xx.xx.xx.xx
Discovered open port 256/tcp on xx.xx.xx.xx
Discovered open port 80/tcp on xx.xx.xx.xx
Discovered open port 53/tcp on xx.xx.xx.xx
Discovered open port 113/tcp on xx.xx.xx.xx
Discovered open port 542/tcp on xx.xx.xx.xx
Discovered open port 1984/tcp on xx.xx.xx.xx
Discovered open port 202/tcp on xx.xx.xx.xx
Discovered open port 32773/tcp on xx.xx.xx.xx
Discovered open port 2042/tcp on xx.xx.xx.xx
SYN Stealth Scan Timing: About 46.91% done; ETC: 22:15 (0:00:34 remaining)
Discovered open port 37/tcp on xx.xx.xx.xx
Discovered open port 266/tcp on xx.xx.xx.xx
SYN Stealth Scan Timing: About 33.59% done; ETC: 22:17 (0:02:12 remaining)
Increasing send delay for xx.xx.xx.xx from 0 to 5 due to 13 out of 32 dropped probes since last increase.
Discovered open port 7201/tcp on xx.xx.xx.xx
Discovered open port 1364/tcp on xx.xx.xx.xx
Increasing send delay for xx.xx.xx.xx from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Discovered open port 1472/tcp on xx.xx.xx.xx
Discovered open port 691/tcp on xx.xx.xx.xx
SYN Stealth Scan Timing: About 17.93% done; ETC: 22:33 (0:15:18 remaining)
Discovered open port 777/tcp on xx.xx.xx.xx
Discovered open port 7937/tcp on xx.xx.xx.xx
Discovered open port 46/tcp on xx.xx.xx.xx
Discovered open port 2105/tcp on xx.xx.xx.xx
Discovered open port 546/tcp on xx.xx.xx.xx
Warning: Giving up on port early because retransmission cap hit.
Discovered open port 388/tcp on xx.xx.xx.xx
Discovered open port 366/tcp on xx.xx.xx.xx
Discovered open port 7070/tcp on xx.xx.xx.xx
Discovered open port 421/tcp on xx.xx.xx.xx
Discovered open port 973/tcp on xx.xx.xx.xx
...
 
Old 10-21-2008, 09:36 AM   #9
jonwondering
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Original Poster
Rep: Reputation: 0
This is really weird, I scanned it again, and it shows 1715 ports open... ports like pcanywhere (65301), Elite (31337), subseven (27374) and a whole bunch of others. Have I been hacked? MediaTemple refuses to help since they say it's a dedicated virtual and not their concern...
 
Old 10-21-2008, 09:42 AM   #10
jonwondering
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Original Poster
Rep: Reputation: 0
Could it be somehow that the firewall simply lets thru a lot of the packets? Because I don't even think the server is running all the programs nmap lists, like vnc or pcanywhere. Those are not even installed...
 
Old 10-21-2008, 09:07 PM   #11
plpl303
Member
 
Registered: Oct 2008
Posts: 31

Rep: Reputation: 15
Quote:
Originally Posted by jonwondering View Post
yeah, that's a loopback rule, and that line that you recommended does bad stuff to server - request times out, or it can't connect....
Ah, well if the system is a server then you would want the rules to pass traffic to come before the deny rule, since iptables applies them in order top to bottom, for the most part.


So would this (or something like it) do what you want?

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state NEW -j REJECT

The first rule says "pass any traffic that is related to an existing connection or part of an existing connection"
The second says "pass any traffic that is destined for the web server port (80)"
The third says "pass any traffic destined for port 443"
The fourth says "reject any incoming connection attempt" (but since we've already passed 80 and 443 and any established connections, those packets should continue to be passed through).
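To make the top-to-bottom, first-match behaviour plpl303 describes concrete, here is a small simulator of an iptables INPUT chain. It is an added example, not code from the thread or from Plesk: the Packet/Rule classes are an assumed simplification (only the matches the thread's rules use), and the three chains encode the order from post #1, the swap suggested in post #5, and the reordering in post #11.

```python
# Added example, not code from the thread: a first-match simulator for an
# iptables INPUT chain, showing why rule order decides what the server accepts.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str = "tcp"        # "tcp" or "icmp"
    dport: int = 0
    syn: bool = True          # bare SYN = new connection attempt
    state: str = "NEW"        # conntrack: NEW, ESTABLISHED, RELATED, INVALID
    iface: str = "eth0"

@dataclass
class Rule:
    target: str                        # ACCEPT, DROP or REJECT
    proto: Optional[str] = None        # -p
    dport: Optional[int] = None        # --dport
    syn: Optional[bool] = None         # True = --syn, False = ! --syn
    states: frozenset = frozenset()    # -m state --state ...
    iface: Optional[str] = None        # -i

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.syn is None or p.syn == self.syn)
                and (not self.states or p.state in self.states)
                and (self.iface is None or p.iface == self.iface))

def verdict(chain, packet, policy="DROP"):
    """Walk the chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if rule.matches(packet):
            return rule.target
    return policy                 # chain policy when nothing matched

EST = frozenset({"ESTABLISHED", "RELATED"})
NEW, INVALID = frozenset({"NEW"}), frozenset({"INVALID"})
# INPUT chain as built by the script in post #1, in order.
ORIGINAL = [Rule("ACCEPT", states=EST), Rule("REJECT", proto="tcp", syn=False),
            Rule("DROP", states=INVALID), Rule("ACCEPT", iface="lo"),
            Rule("ACCEPT", proto="tcp", dport=80), Rule("ACCEPT", proto="tcp", dport=443),
            Rule("DROP", proto="icmp"), Rule("DROP")]
# Post #5's swap: "--state NEW -j REJECT" in the slot of the "! --syn" rule.
SWAPPED = [ORIGINAL[0], Rule("REJECT", proto="tcp", states=NEW)] + ORIGINAL[2:]
# Post #11's order: service ports first, then reject new connections.
REORDERED = [ORIGINAL[0], ORIGINAL[4], ORIGINAL[5], Rule("REJECT", states=NEW)]

if __name__ == "__main__":
    for name, chain in [("original", ORIGINAL), ("swapped", SWAPPED), ("reordered", REORDERED)]:
        print(name, verdict(chain, Packet(dport=80)), verdict(chain, Packet(dport=22)))
```

Running it shows the swapped chain rejecting a fresh SYN to port 80 before the port rule is ever reached, which is the "can't connect" result reported in post #6.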
 
Old 10-21-2008, 09:10 PM   #12
plpl303
Member
 
Registered: Oct 2008
Posts: 31

Rep: Reputation: 15
What does

netstat -taup

show? Does netstat think there are open ports? Does it know anything about the programs that are supposedly holding them open?
 
Old 10-22-2008, 09:08 AM   #13
jonwondering
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Original Poster
Rep: Reputation: 0
plpl303, netstat -taup shows only 10 or so of the processes listening to ports - the ones that I know are supposed to be there, like pop3, ssh, plesk, and all of those. It doesn't show, or mention, any of the hundreds that nmap shows as "open". I don't know why the rules don't work, since I am basically modifying plesk's standard rules by commenting out a few incoming ones that are allowed...
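The comparison plpl303 asked for in post #12 and jonwondering did by eye can be scripted: take the "Discovered open port" lines from the nmap run and the LISTEN sockets from netstat -taup, and list which "open" ports actually have a listener behind them. This is an added example, not from the thread; both inputs below are constructed samples in the shape of the real outputs (the PIDs and program names are made up).

```python
# Added example, not from the thread: reconcile the ports nmap reported "open"
# with the sockets netstat -taup shows actually listening on the host.
import re

# Constructed sample in the shape of nmap's "Discovered open port" lines.
NMAP_OUTPUT = """\
Discovered open port 22/tcp on xx.xx.xx.xx
Discovered open port 25/tcp on xx.xx.xx.xx
Discovered open port 80/tcp on xx.xx.xx.xx
Discovered open port 443/tcp on xx.xx.xx.xx
Discovered open port 3389/tcp on xx.xx.xx.xx
Discovered open port 31337/tcp on xx.xx.xx.xx
"""

# Constructed sample in the shape of `netstat -taup` output (PIDs/names made up).
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1300/sendmail
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1400/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1400/httpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1500/mysqld
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 2222/sshd
"""

def nmap_open_ports(text):
    """TCP ports nmap announced as open."""
    return {int(m.group(1)) for m in re.finditer(r"Discovered open port (\d+)/tcp", text)}

def netstat_listeners(text):
    """Map TCP port -> (bind address, PID/program) for sockets in LISTEN state."""
    listeners = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, port = f[3].rsplit(":", 1)   # handles both 0.0.0.0:22 and :::22
            listeners[int(port)] = (addr, f[6])
    return listeners

def reconcile(nmap_text, netstat_text):
    """Split nmap's 'open' ports into those backed by a listener and phantoms."""
    scanned = nmap_open_ports(nmap_text)
    listening = netstat_listeners(netstat_text)
    backed = {p: listening[p] for p in sorted(scanned) if p in listening}
    phantom = sorted(scanned - set(listening))
    return backed, phantom

if __name__ == "__main__":
    backed, phantom = reconcile(NMAP_OUTPUT, NETSTAT_OUTPUT)
    print("backed by a listener:", backed)
    print("open per nmap, no listener on host:", phantom)
```

A port in the phantom list has no socket behind it on the host, so whatever answered the scanner's SYN was not a service on that machine.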
 
Old 10-22-2008, 02:23 PM   #14
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
I take it you only have one NIC on this machine?
 
Old 10-22-2008, 04:32 PM   #15
jonwondering
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Original Poster
Rep: Reputation: 0
Ahhh. I am kinda a newbie when it comes to networking, and retarded when it comes to security. What is a NIC? The machine that this is hosted on is a dedicated virtual on mediatemple host... I have no idea what they have.
 
All times are GMT -5. The time now is 03:33 PM.