Applying iptables rules / don't seem to work once I change them
Forum: LinuxQuestions.org, Linux - Newbie
Okay, I think I am retarded when it comes to iptables. I modified Plesk's standard iptables config script file, just to have the basics there. Now it looks like this:
Code:
#!/bin/sh
# Plesk's stock firewall script, trimmed: wipe every table, default-deny all
# three filter chains, then allow only loopback, replies to existing
# connections, and inbound HTTP/HTTPS.
set -e
echo 0 > /proc/sys/net/ipv4/ip_forward
# Legacy cleanup: stop and unload ipchains if it is still present (no-op otherwise).
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true
# filter table: flush rules, delete user-defined chains, zero the counters.
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
# INPUT: default deny. Pass replies, answer any non-SYN TCP packet that is not
# part of a tracked connection with a RST instead of silence, and drop
# whatever conntrack classifies as INVALID.
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
# OUTPUT: default deny with the same pattern. Only replies and loopback are
# allowed out, so this host cannot open NEW outbound connections (DNS lookups,
# yum, outgoing mail) while these rules are loaded.
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
# FORWARD: same again; nothing is routed through this box.
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
# Loopback must stay open or local services (resolver, Plesk, databases) break.
# These are the "ACCEPT all -- anywhere anywhere" lines in iptables -L; the
# interface match is only visible with -v.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
# mangle and nat tables: empty them and leave their policies at ACCEPT.
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P INPUT ACCEPT
/sbin/iptables -t mangle -P FORWARD ACCEPT
/sbin/iptables -t mangle -P POSTROUTING ACCEPT
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
# Services reachable from outside: HTTP and HTTPS only.
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Ignore ICMP echo requests (ping).
/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j DROP
# Explicit catch-alls at the end of each chain. They duplicate the DROP
# policies, and anything appended after them can never match.
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A OUTPUT -j DROP
/sbin/iptables -A FORWARD -j DROP
# Plesk bookkeeping: re-enable forwarding and record that state for the
# Plesk firewall module.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /usr/local/psa/var/modules/firewall/ip_forward.active
chmod 644 /usr/local/psa/var/modules/firewall/ip_forward.active
All great and exciting. And now I don't know how to save it or apply it. If I run the script it runs just fine, and when I do iptables -L it shows my new rules. But does that mean that those rules are already applied to the server, or not? When I nmap it, there are still a bazillion ports open. I read on this forum that I have to do this: iptables-save > /etc/sysconfig/iptables, but that doesn't seem to work... Any help or ideas will be appreciated...
If you do iptables --list, that shows the current rule set -- there's no separate "apply" step needed.
Quote:
or not? When I nmap it, there are still bagillion of ports open.
Your ruleset will pass ports 80 and 443, so these will appear open. But it's also passing everything from the loopback -- are you nmapping from localhost or from a remote host?
plpl303, I am scanning from a remote machine, my own computer. I don't know much about iptables; I just modified Plesk's firewall to pass minimum traffic...
billymayday, this one is hosted on MediaTemple's CentOS, not sure of the version. Here's the output of iptables -L:
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
DROP icmp -- anywhere anywhere icmp type 8 code 0
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
By the way, I just noticed that ACCEPT anywhere anywhere rule above http on INPUT. Is that supposed to be there?!
since your policy is drop (you're only doubling up, so no harm as such)
Can you show that nmap output (run it from an external machine if possible)?
Actual version will be in /etc/redhat-release, but knowing it's CentOS is enough.
I have a basic firewall running, then from rc.local I call a script that flushes the tables and enters new rules (much like yours, but somewhat more of them). There are various ways to do it on RH distros, but I find this simple, portable, etc.
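The three questions tangled together in the first post (are the rules applied, how can I tell, how do I save them) and the rc.local approach above, worked through as an added example that is not from the thread. It assumes a CentOS/RHEL layout (/etc/sysconfig/iptables, the iptables init script, chkconfig); the iptables-save dump it parses is constructed, and the file name fw-check.sh is just a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Three things that get conflated:
#   1. "iptables -L" prints the rules the kernel is enforcing right now, so a
#      script that ran without error has already applied them.
#   2. Those rules vanish at reboot unless they are saved where the distro's
#      init script restores them from (/etc/sysconfig/iptables on CentOS/RHEL).
#   3. Whether the rules are *seeing* your traffic is a separate question,
#      answered by the per-rule packet counters, not by the rule listing.
# Paths and service names assume a CentOS/RHEL 5-era layout.

# Live check: run this, fetch a page from outside, run it again. The pkts/bytes
# columns of the "dpt:80" rule must grow; if nothing moves, the packets are not
# reaching this host's filter table (wrong host, container, or interface).
show_live_counters() {
    /sbin/iptables -L INPUT -n -v --line-numbers
}

# Persist the running ruleset and make the init script restore it at boot.
# "service iptables save" writes the same file (keeping a backup) on these systems.
persist_rules() {
    /sbin/iptables-save > /etc/sysconfig/iptables
    chmod 600 /etc/sysconfig/iptables
    /sbin/chkconfig iptables on
}

# Offline check: given an iptables-save dump on stdin, print the TCP ports the
# filter table's INPUT chain ACCEPTs. Run it on the live dump and on the saved
# file to confirm that what survives a reboot matches what is running.
accepted_input_tcp_ports() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A INPUT / && / -p tcp / && / -j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport") print $(i + 1)
        }' | sort -n | uniq
}

# Constructed sample in iptables-save format: roughly what the script above
# would save, plus a nat rule to show that other tables are ignored.
SAMPLE_DUMP='# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT'

# Usage: fw-check.sh live | persist | running | saved   (no argument: sample)
case "${1:-}" in
    live)    show_live_counters ;;
    persist) persist_rules ;;
    running) /sbin/iptables-save | accepted_input_tcp_ports ;;
    saved)   accepted_input_tcp_ports < /etc/sysconfig/iptables ;;
    *)       printf '%s\n' "$SAMPLE_DUMP" | accepted_input_tcp_ports ;;
esac
```

Run it with "live" before and after fetching a page; the counters on the dpt:80 line are the proof that the rules are in the path. "persist" needs root. "running" and "saved" parse the live and on-disk rulesets so the two can be diffed after a reboot, which is the check that "iptables-save > /etc/sysconfig/iptables ... doesn't seem to work" actually needs.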
Here's just a sample of the output for: "nmap -T Aggressive -A -v .com"
I don't know what's going on anymore; every time it seems to find a random huge number of open ports. I am scanning from my own computer, which is a remote one for that IP... What are all these open ports?!
Code:
Starting Nmap 4.68 ( http://nmap.org ) at 2008-10-20 22:14 Central Daylight Time
Initiating Ping Scan at 22:14
Scanning xx.xx.xx.xx [2 ports]
Completed Ping Scan at 22:14, 0.76s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:14
Completed Parallel DNS resolution of 1 host. at 22:14, 0.25s elapsed
Initiating SYN Stealth Scan at 22:14
Scanning .com (xx.xx.xx.xx) [1715 ports]
Discovered open port 22/tcp on xx.xx.xx.xx
Discovered open port 554/tcp on xx.xx.xx.xx
Discovered open port 25/tcp on xx.xx.xx.xx
Discovered open port 389/tcp on xx.xx.xx.xx
Discovered open port 1723/tcp on xx.xx.xx.xx
Discovered open port 443/tcp on xx.xx.xx.xx
Discovered open port 21/tcp on xx.xx.xx.xx
Discovered open port 3389/tcp on xx.xx.xx.xx
Discovered open port 636/tcp on xx.xx.xx.xx
Discovered open port 256/tcp on xx.xx.xx.xx
Discovered open port 80/tcp on xx.xx.xx.xx
Discovered open port 53/tcp on xx.xx.xx.xx
Discovered open port 113/tcp on xx.xx.xx.xx
Discovered open port 542/tcp on xx.xx.xx.xx
Discovered open port 1984/tcp on xx.xx.xx.xx
Discovered open port 202/tcp on xx.xx.xx.xx
Discovered open port 32773/tcp on xx.xx.xx.xx
Discovered open port 2042/tcp on xx.xx.xx.xx
SYN Stealth Scan Timing: About 46.91% done; ETC: 22:15 (0:00:34 remaining)
Discovered open port 37/tcp on xx.xx.xx.xx
Discovered open port 266/tcp on xx.xx.xx.xx
SYN Stealth Scan Timing: About 33.59% done; ETC: 22:17 (0:02:12 remaining)
Increasing send delay for xx.xx.xx.xx from 0 to 5 due to 13 out of 32 dropped probes since last increase.
Discovered open port 7201/tcp on xx.xx.xx.xx
Discovered open port 1364/tcp on xx.xx.xx.xx
Increasing send delay for xx.xx.xx.xx from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Discovered open port 1472/tcp on xx.xx.xx.xx
Discovered open port 691/tcp on xx.xx.xx.xx
SYN Stealth Scan Timing: About 17.93% done; ETC: 22:33 (0:15:18 remaining)
Discovered open port 777/tcp on xx.xx.xx.xx
Discovered open port 7937/tcp on xx.xx.xx.xx
Discovered open port 46/tcp on xx.xx.xx.xx
Discovered open port 2105/tcp on xx.xx.xx.xx
Discovered open port 546/tcp on xx.xx.xx.xx
Warning: Giving up on port early because retransmission cap hit.
Discovered open port 388/tcp on xx.xx.xx.xx
Discovered open port 366/tcp on xx.xx.xx.xx
Discovered open port 7070/tcp on xx.xx.xx.xx
Discovered open port 421/tcp on xx.xx.xx.xx
Discovered open port 973/tcp on xx.xx.xx.xx
...
This is really weird. I scanned it again, and it shows 1715 ports open... ports like pcAnywhere (65301), Elite (31337), SubSeven (27374) and a whole bunch of others. Have I been hacked? MediaTemple refuses to help since they say it's a dedicated virtual and not their concern...
Could it be somehow that the firewall simply lets through a lot of the packets? Because I don't even think the server is running all the programs nmap lists, like VNC or pcAnywhere. Those are not even installed...
Yeah, that's a loopback rule, and that line that you recommended does bad stuff to the server - requests time out, or it can't connect...
Ah, well if the system is a server then you would want the rules that pass traffic to come before the deny rule, since iptables applies them in order, top to bottom, for the most part.
So would this (or something like it) do what you want?
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state NEW -j REJECT
The first rule says "pass any traffic that is related to an existing connection or part of an existing connection."
The second says "pass any traffic that is destined for the web server port (80)."
The third says "pass any traffic destined for port 443."
The fourth says "reject any incoming connection attempt" (but since we've already passed 80 and 443 and any established connections, those packets should continue to be passed through).
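A check for the ordering mistake described in the reply above, as an added example that is not from the thread: it reads an iptables-save dump and flags rules that sit below a catch-all terminating rule in the same chain, which is exactly what happens when the deny rule is appended before the service rules. Both dumps inside it are constructed, and shadowed.sh is a placeholder name.

```shell
#!/bin/sh
# Added example, not from the thread: find rules that can never match because
# an earlier rule in the same chain already terminates evaluation for every
# packet. iptables walks a chain top to bottom and stops at the first rule
# whose target is terminating (ACCEPT, DROP, REJECT), so a bare
# "-A INPUT -j DROP" appended before "-A INPUT -p tcp --dport 80 -j ACCEPT"
# silently turns the web server off. Input: an iptables-save dump on stdin.
# In iptables-save output the match options always precede "-j", so a rule
# whose third field is "-j" has no match criteria at all.
shadowed_rules() {
    chain=${1:-INPUT}
    awk -v chain="$chain" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == chain {
            n++
            if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT")) {
                if (!catchall) catchall = n
                next
            }
            if (catchall)
                printf "rule %d is shadowed by catch-all rule %d: %s\n", n, catchall, $0
        }'
}

# Constructed dump: deny rule appended before the service rules (the mistake).
MISORDERED='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Constructed dump: the order suggested above (pass first, then reject NEW).
# The final REJECT still has a match (-m state), so it is not a catch-all.
CORRECT='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Usage: /sbin/iptables-save | ./shadowed.sh INPUT     (live ruleset)
# With no argument it runs the two constructed samples instead.
if [ $# -eq 0 ]; then
    echo "misordered:"; printf '%s\n' "$MISORDERED" | shadowed_rules INPUT
    echo "correct:";    printf '%s\n' "$CORRECT"    | shadowed_rules INPUT
else
    shadowed_rules "$1"
fi
```

To fix a live chain without reloading everything, read the rule numbers from iptables -L INPUT --line-numbers and insert the accept rules above the catch-all with iptables -I INPUT <n> ..., or simply keep the script in pass-then-deny order as in the four rules above.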
plpl303, netstat -taup shows only 10 or so processes listening on ports - the ones that I know are supposed to be there, like POP3, SSH, Plesk, and all of those. It doesn't show, or mention, any of the hundreds that nmap shows as "open". I don't know why the rules don't work, since I am basically modifying Plesk's standard rules by commenting out a few incoming ones that are allowed...
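The comparison the post above is doing by eye (a handful of listeners in netstat versus hundreds of "open" ports in nmap), as an added example that is not from the thread. It assumes the usual output shapes of "nmap -v" and "netstat -tln"; the two samples inside it are constructed, and check_open.sh is a placeholder name.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the ports nmap reports as
# "open" against the sockets actually listening on the server. A SYN scan
# marks a port open only when it gets a SYN/ACK back, and a host can only
# send SYN/ACK from a port that has a LISTEN socket bound on a reachable
# address. With a DROP policy, unlisted ports send nothing, so nmap should
# call them "filtered", not "open". Ports that are "open" with no listener
# were therefore answered by something other than this server's TCP stack.

# TCP ports nmap reported open, from "nmap -v" output on stdin.
nmap_open_ports() {
    sed -n 's/^Discovered open port \([0-9][0-9]*\)\/tcp .*/\1/p' | sort -n | uniq
}

# TCP ports with a LISTEN socket reachable from outside, from "netstat -tln"
# output on stdin. The local address column looks like 0.0.0.0:80,
# 10.0.0.5:25 or :::22; the port is whatever follows the last colon, and a
# socket bound only to 127.0.0.0/8 or ::1 cannot answer a remote SYN either.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next
            print port
         }' | sort -n | uniq
}

# Ports nmap calls open that no reachable listener can account for.
# $1 = nmap output, $2 = netstat output, both passed as strings.
unbacked_ports() {
    {
        printf '%s\n' "$2" | listening_ports | sed 's/^/L /'
        printf '%s\n' "$1" | nmap_open_ports | sed 's/^/N /'
    } | awk '$1 == "L" { seen[$2] = 1; next } !($2 in seen) { print $2 }'
}

# Constructed sample input in the shape of the real tools' output.
SAMPLE_NMAP='Initiating SYN Stealth Scan at 22:14
Discovered open port 22/tcp on 192.0.2.10
Discovered open port 80/tcp on 192.0.2.10
Discovered open port 443/tcp on 192.0.2.10
Discovered open port 31337/tcp on 192.0.2.10
Discovered open port 25/tcp on 192.0.2.10
Discovered open port 27374/tcp on 192.0.2.10
SYN Stealth Scan Timing: About 46.91% done; ETC: 22:15 (0:00:34 remaining)'

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN'

# Usage: ./check_open.sh nmap.log netstat.txt   (real files)
#        ./check_open.sh                        (constructed sample)
if [ $# -eq 2 ]; then
    unbacked_ports "$(cat "$1")" "$(cat "$2")"
else
    unbacked_ports "$SAMPLE_NMAP" "$SAMPLE_NETSTAT"
fi
```

On the sample this prints 25, 27374 and 31337: port 25 is bound to 127.0.0.1 only and the other two have no socket at all, so none of the three can have sent a SYN/ACK from this host. For a real scan, add --reason to the nmap command line to see what answered each port, and repeat the scan from a second network; "open" ports that no local socket backs, or a list that changes from run to run, point at something between the scanner and the server rather than at the server.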
Ahhh. I am kind of a newbie when it comes to networking, and retarded when it comes to security. What is a NIC? The machine that this is hosted on is a dedicated virtual on a MediaTemple host... I have no idea what they have.