Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm currently dealing with a problem that has had me flummoxed for some time. I have a server in my office running Debian Etch that is acting as our gateway to the net. eth0 is pointing outwards, while eth1 points to our internal network. Among other things, I have ssh server installed on the box. Feeling a bit too lazy to grok iptables, I used bastille to configure NAT and firewall stuff. When answering the questions, I told it to allow access to port 22 on both interfaces, but I can only ssh into the box from the internal network. When I run the shields-up scan at grc.com, it shows all ports as being closed. I used iptables-save to get a list of the rules that bastille generated, and have provided them below. If anyone could give some advice for this situation, that would be great.
Code:
# Generated by iptables-save v1.3.6 on Thu Apr 26 09:33:35 2007
*mangle
:PREROUTING ACCEPT [68456280:39102080846]
:INPUT ACCEPT [14704884:7271324045]
:FORWARD ACCEPT [53675363:31822713624]
:OUTPUT ACCEPT [17804234:20335949857]
:POSTROUTING ACCEPT [71522409:52163641491]
COMMIT
# Completed on Thu Apr 26 09:33:35 2007
# Generated by iptables-save v1.3.6 on Thu Apr 26 09:33:35 2007
*nat
:PREROUTING ACCEPT [940353:80125177]
:POSTROUTING ACCEPT [33161:2192843]
:OUTPUT ACCEPT [54612:4264714]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Apr 26 09:33:35 2007
# Generated by iptables-save v1.3.6 on Thu Apr 26 09:33:35 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [377131:805845614]
:INT_IN - [0:0]
:INT_OUT - [0:0]
:PAROLE - [0:0]
:PUB_IN - [0:0]
:PUB_OUT - [0:0]
-A INPUT -d 127.0.0.0/255.0.0.0 -i ! lo -p tcp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 224.0.0.0/240.0.0.0 -j DROP
-A INPUT -i eth0 -j DROP
-A INPUT -i eth0 -j DROP
-A INPUT -i eth0 -j PUB_IN
-A INPUT -i eth1 -j INT_IN
-A INPUT -i eth2 -j INT_IN
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 0.0.0.255/0.0.0.255 -o eth0 -p tcp -m tcp --dport 137:139 -j DROP
-A FORWARD -d 0.0.0.255/0.0.0.255 -o eth0 -p udp -m udp --dport 137:139 -j DROP
-A FORWARD -o eth0 -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o eth0 -j PUB_OUT
-A OUTPUT -o eth1 -j INT_OUT
-A OUTPUT -o eth2 -j INT_OUT
-A INT_IN -p tcp -m tcp --dport 22 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 138 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 139 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 445 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 67 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 1598 -j PAROLE
-A INT_IN -p tcp -m tcp --dport 3306 -j PAROLE
-A INT_IN -p udp -m udp --dport 22 -j ACCEPT
-A INT_IN -p udp -m udp --dport 138 -j ACCEPT
-A INT_IN -p udp -m udp --dport 139 -j ACCEPT
-A INT_IN -p udp -m udp --dport 445 -j ACCEPT
-A INT_IN -p udp -m udp --dport 67 -j ACCEPT
-A INT_IN -p udp -m udp --dport 1598 -j ACCEPT
-A INT_IN -p udp -m udp --dport 3306 -j ACCEPT
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
-A PAROLE -j ACCEPT
-A PUB_IN -d 192.168.0.0/255.255.0.0 -j DROP
-A PUB_IN -s 192.168.0.0/255.255.0.0 -j DROP
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
-A PUB_IN -p udp -m udp --dport 22 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 23 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 21 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 143 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 110 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 79 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 111 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 512 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 513 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 98 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p udp -m udp --dport 31337 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p icmp -m icmp --icmp-type 8 -m state --state INVALID,NEW -m limit --limit 5/sec --limit-burst 8 -j LOG --log-prefix "audit"
-A PUB_IN -p icmp -j DROP
-A PUB_IN -j DROP
-A PUB_OUT -j ACCEPT
COMMIT
# Completed on Thu Apr 26 09:33:35 2007
Quote:
-A INPUT -d 127.0.0.0/255.0.0.0 -i ! lo -p tcp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 224.0.0.0/240.0.0.0 -j DROP
-A INPUT -i eth0 -j DROP
-A INPUT -i eth0 -j DROP
-A INPUT -i eth0 -j PUB_IN
-A INPUT -i eth1 -j INT_IN
-A INPUT -i eth2 -j INT_IN
-A INPUT -j DROP
after a quick look, it would seem to me that those two rules in bold are the issue... they are sending to DROP any packets coming-into eth0 (which i assume is your external interface) before they can get sent to PUB_IN... if this is correct, then simply deleting those two rules should do the trick, as your PUB_IN has a rule for port 22 (ssh)... try by executing these commands:
Code:
iptables -D INPUT -i eth0 -j DROP
iptables -D INPUT -i eth0 -j DROP
it's the same command twice, as you have the same rule repeated so you need to do it twice to kill them both... if this fixes your issue then replace the old config with the new using iptables-save...
Well, that did the trick. Thanks for your help win32sux. Would you happen to know how I could change settings within bastille so that I wouldn't have to use these two commands every time the iptables rules were loaded?
no, i don't know how to do it from bastille... but can't you just replace your old config with your new ruleset?? like for example:
Code:
iptables-save > /etc/sysconfig/iptables
(or wherever your configuration is stored)
that should allow for everything to be automatic at startup...
I could just disable bastille-firewall and take the contents of iptables-save and make a startup script for it, but then I'd lose the ability to modify firewall rules inside the program. I could manually edit the settings file for bastille, but I haven't been able to figure it out so far. If nothing else, I can modify the /etc/init.d/bastille-firewall script by tailing those two commands to the end, where the "start" function is invoked.
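The two problems in this thread, a blanket `-A INPUT -i eth0 -j DROP` sitting above the `-j PUB_IN` jump, and `iptables -D` only removing the first copy of a duplicated rule, are both easy to catch mechanically. The script below is an added example, not from the thread, Bastille, or any LQ poster: `find_shadowed_rules` reads `iptables-save` output on stdin and reports rules that can never match because an earlier bare per-interface (or chain-wide) DROP/ACCEPT/REJECT in the same chain catches the packet first; `remove_all_copies` loops `iptables -D` until it fails, so it is safe to tail onto a startup script regardless of how many copies Bastille appended. The `SAMPLE_RULES` text is the INPUT chain from the dump above, embedded so the audit runs offline; the `IPTABLES` variable and both function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for rules
# that can never match, then remove every copy of an offending rule.

# find_shadowed_rules: reads iptables-save output on stdin.  A rule is reported
# as unreachable when an earlier rule in the same chain is a bare
# "-i <iface> -j DROP|ACCEPT|REJECT" (or a bare "-j ..." with no interface at
# all) that terminates the same traffic first.  Prints one line per such rule.
find_shadowed_rules() {
    awk '
        /^\*/      { table = substr($0, 2); for (k in blanket) delete blanket[k]; next }
        /^COMMIT/  { next }
        $1 != "-A" { next }
        {
            chain = $2; iface = ""; target = ""; bare = 1; neg = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "!") { neg = 1; bare = 0; continue }          # "! -i lo" syntax
                if ($i == "-i") {
                    if ($(i + 1) == "!") { i++; neg = 1; bare = 0 }    # "-i ! lo" syntax
                    if (!neg) iface = $(i + 1)
                    i++; neg = 0
                } else if ($i == "-j") {
                    target = $(i + 1); i++
                } else {
                    bare = 0; neg = 0     # any other match (-p, -s, -m ...) makes the rule conditional
                }
            }
            whole = table ":" chain ":"          # chain-wide blanket (no interface)
            key   = table ":" chain ":" iface    # per-interface blanket
            if (whole in blanket)
                printf "%s/%s: unreachable: %s  (caught first by: %s)\n", table, chain, $0, blanket[whole]
            else if (iface != "" && (key in blanket))
                printf "%s/%s: unreachable: %s  (caught first by: %s)\n", table, chain, $0, blanket[key]
            else if (bare && (target == "DROP" || target == "ACCEPT" || target == "REJECT"))
                blanket[key] = $0
        }'
}

# count_shadowed_rules: same input, prints only the number of unreachable rules.
count_shadowed_rules() {
    find_shadowed_rules | awk 'END { print NR }'
}

# remove_all_copies CHAIN RULESPEC...: iptables -D deletes only the first
# matching rule, so loop until no copy is left.  Prints how many were removed.
# IPTABLES (hypothetical variable) lets the caller substitute the binary.
remove_all_copies() {
    n=0
    while ${IPTABLES:-iptables} -D "$@" 2>/dev/null; do
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample: the filter/INPUT chain from the thread's dump.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -d 127.0.0.0/255.0.0.0 -i ! lo -p tcp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 224.0.0.0/240.0.0.0 -j DROP
-A INPUT -i eth0 -j DROP
-A INPUT -i eth0 -j DROP
-A INPUT -i eth0 -j PUB_IN
-A INPUT -i eth1 -j INT_IN
-A INPUT -i eth2 -j INT_IN
-A INPUT -j DROP
COMMIT'

# Audit the sample; on a live box use:  iptables-save | find_shadowed_rules
printf '%s\n' "$SAMPLE_RULES" | find_shadowed_rules
```

Against the sample this reports the duplicate `-i eth0 -j DROP` and the `-i eth0 -j PUB_IN` jump as unreachable, and nothing else. To apply the thread's fix idempotently from the end of the bastille-firewall start function, `remove_all_copies INPUT -i eth0 -j DROP` replaces the two hand-typed `iptables -D` lines.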