LinuxQuestions.org

Linux - Security > creating IPtables (https://www.linuxquestions.org/questions/linux-security-4/creating-iptables-469034/)

MrSako 07-30-2006 01:37 AM

creating IPtables
 
I'm trying to create an iptables configuration using Webmin (I could edit the file myself manually if I could figure out which one it is).

From my speculation, the iptables script is inside /etc/sysconfig.

There are two very identical files: iptables and iptables.save.

From how it looks, you modify the iptables file (I don't know if this is just for Webmin or how it's supposed to be done), then it gets "applied" to the iptables.save file and that's the real active iptables script.

Here's my iptables file:

# Generated by iptables-save v1.2.11 on Sun Jul 30 01:43:14 2006
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sun Jul 30 01:43:14 2006
# Generated by iptables-save v1.2.11 on Sun Jul 30 01:43:14 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i venet0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# allow smtp on TCP port 25
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
# Completed on Sun Jul 30 01:43:14 2006


Here's iptables.save:

# Generated by iptables-save v1.2.11 on Sun Jul 30 01:43:14 2006
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sun Jul 30 01:43:14 2006
# Generated by iptables-save v1.2.11 on Sun Jul 30 01:43:14 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i venet0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# allow smtp on TCP port 25
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
# Completed on Sun Jul 30 01:43:14 2006


They look exactly the same!

Anyway, when I clicked the Apply button inside the Webmin module to apply the settings I got

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Applying iptables firewall rules: iptables-restore: line 41 failed
[FAILED]

I'm not sure what this means.

iptables-restore is in /sbin (there is also another iptables and iptables.save file there, but they're not text files meant for editing; they appear to be executables or something).

Any ideas?
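As an added example (not code from any poster), here is a small POSIX shell helper for reading an "iptables-restore: line N failed" message against a saved rules file. iptables-restore numbers every physical line of its input, comments and blank lines included, starting at 1; counted that way, line 41 of the iptables file posted above is the COMMIT that closes the *filter table, not a rule. A failure reported at COMMIT means the whole file parsed and the kernel refused the table when it was committed, which is what happens when a rule's match extension (here -m state) has no kernel support behind it. Two related points: venet0 is the interface name OpenVZ gives a container, and whether that container's kernel offers connection tracking is an assumption this helper cannot check; and on RHEL/CentOS the init script's save action copies the previous file to iptables.save before writing the new one, so iptables.save is the backup and /etc/sysconfig/iptables is the file that gets loaded. The sample file inside the script is constructed to mirror the posted one, shortened so the line numbers are easy to verify by eye.

```sh
#!/bin/sh
# Added example: map "iptables-restore: line N failed" onto a saved rules file.
# iptables-restore numbers every physical line it reads (comments and blank
# lines included) starting at 1, so N can be looked up directly in the file.

# Print line N of FILE exactly as iptables-restore saw it.
restore_line() {
    sed -n "${2}p" "$1"
}

# Print the table (filter, mangle, nat, ...) that line N of FILE belongs to.
restore_table() {
    awk -v n="$2" '/^\*/ { t = substr($0, 2) } NR == n { print t; exit }' "$1"
}

# List the rules of TABLE in FILE that depend on connection tracking
# (-m state / -m conntrack), printed as "lineno: rule".
conntrack_rules() {
    awk -v want="$2" '
        /^\*/ { t = substr($0, 2); next }
        t == want && /^-A / && (/-m (state|conntrack)( |$)/ || /--(state|ctstate) /) {
            print NR ": " $0
        }' "$1"
}

# Explain a failure at line N. A failing COMMIT means every rule parsed and the
# kernel rejected the whole table when it was committed; rules that need the
# conntrack modules are the first suspects on a kernel or container without
# them. Any other line is a syntax or unknown-extension problem in that line.
diagnose() {
    file=$1; n=$2
    l=$(restore_line "$file" "$n")
    if [ "$l" = "COMMIT" ]; then
        t=$(restore_table "$file" "$n")
        echo "line $n is the COMMIT of table '$t': parsed OK, kernel rejected the table"
        echo "rules in '$t' that need connection tracking (ip_conntrack/ipt_state):"
        conntrack_rules "$file" "$t"
    else
        echo "line $n: $l"
        echo "check this rule's syntax and whether its match/target extension is installed"
    fi
}

# Constructed sample (mirrors the posted file, shortened). Line 19 is the COMMIT
# of the filter table; lines 14 and 15 are the state rules.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Generated by iptables-save (constructed sample)
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -i venet0 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
EOF

diagnose "$SAMPLE" 19    # the COMMIT case, as in the thread
diagnose "$SAMPLE" 16    # an ordinary rule line
```

Run it against the real file with the number from the error message, e.g. `diagnose /etc/sysconfig/iptables 41`. If the answer is COMMIT, comment out the -m state rules one at a time and re-run the restore; if they are the trigger, the fix is on the kernel/module side (or in the VPS provider's hands), not in the file.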

win32sux 07-30-2006 06:48 AM

you don't wanna edit any of those files... you wanna create your own iptables script, and then execute it... then you run the iptables-save utility in order to save the new iptables configuration...

catworld 07-30-2006 10:56 AM

iptables
 
I found this very useful:

http://iptables-tutorial.frozentux.n...-tutorial.html

Read it from start to finish and bear with it. You'll come out an iptables security monster.

I notice your default policies are all ACCEPT. You usually want to set INPUT and FORWARD to DROP, then open up any resources individually with the chains. For instance I allow SSH connections from my own network but drop every other network attempting to make a connection with these rules:

# Accept SSH connections on the local net, drop all other networks;
# (the negation goes before the option, "! -s"; the old "-s !" form is rejected by current iptables)
#
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT ! -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 22 -j DROP
#

and SMB:

# Accept SMB on the local net only;
#
-A INPUT -d 192.168.8.0/255.255.255.0 -i eth0 -p udp -m udp --dport 137:139 -j ACCEPT
-A INPUT ! -d 192.168.8.0/255.255.255.0 -i eth0 -p udp -m udp --dport 137:139 -j DROP
#

Whenever you find something doesn't work and you want it to, just look up its port usage in /etc/services and use the above syntax, substituting the ports you need. The ! character negates the rule following, i.e. says "NOT 192.168.1.0..." These I drop.

iptables is definitely something every Linux user should get to know. I find apps like shorewall to be a chore. Much easier to edit a file called "iptables" and put it in /etc/sysconfig.

win32sux 07-30-2006 12:09 PM

lots of weird stuff going on with your rules... for example:
Quote:

Originally Posted by MrSako
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT

that rule is pretty much insane, as it would allow anyone to talk to UDP daemons on your non-root ports by using a source port of 53... these kinda rules might have made sense back in the ipchains days, but iptables with its connection tracking has made them obsolete... you definitely wanna remove that rule...

if you explain what you want from your iptables, i can provide you with a customized script based on my own... you could then use that as a base for your own future tweaks... the frozen tux tutorial is good (one of the best), but it's overkill for a simple short-term solution...

catworld 07-30-2006 12:25 PM

win32sux,

quote: "i can provide you with a customized script based on my own... you could then use that as a base for your own future tweaks..."

I have the Smoothwall configs, my own and a few others. I'd like to add your config to the collection if you're willing.

quote:

" the frozen tux tutorial is good (one of the best), but it's overkill for a simple short-term solution..."

Agreed. I always forget that I never care for quick fixes, rather I understand what's going on completely first.

catworld

win32sux 07-30-2006 12:40 PM

Quote:

Originally Posted by catworld
I have the smootwall configs, my own and a few others. I'd like to add your config to the collection if you're willing.

i'm not sure what a smoothwall config is, sorry... all i use are plain iptables scripts... i've made iptables scripts with hundreds of lines, and i've made some with only a few lines... it depends on the needs at the time... for example, the box i'm using right now only has TWO rules (with the INPUT policy set to DROP):
Code:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT


win32sux 07-30-2006 12:49 PM

BTW, here's the script i used to apply those two rules, in case anyone finds it useful (although i doubt it, since it's so simple)... the chain flushing and deleting part is pretty generic, and i use it at the start of almost all my scripts...
Code:

#!/bin/sh

IPT="/sbin/iptables"

# Default policies: deny inbound and forwarded traffic, allow outbound.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
# nat and mangle do no filtering here, so their chains just ACCEPT.
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush every rule in all three tables, so the script can be re-run.
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

# Delete any user-defined chains left over from a previous ruleset.
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

# The only two rules: replies to connections this box started, and loopback.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

i usually don't have the OUTPUT policy set to ACCEPT, though... this is just a very relaxed PC i'm using right now... :)

catworld 07-30-2006 04:20 PM

configs
 
Quote:

Originally Posted by win32sux
i'm not sure what a smoothwall config is, sorry... all i use are plain iptables scripts... i've made iptables scripts with hundreds of lines, and i've made some with only a few lines... it depends on the needs at the time... for example, the box i'm using right now only has TWO rules (with the INPUT policy set to DROP):
Code:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT


Smoothwall is an excellent firewall:

www.smoothwall.org

I have their default iptables config among my own collection. Of course it's loaded with a lot of good forwarding rules.

I suppose I should be more specific. I'm looking for good, well hardened single host iptables configs but which allow smb, nfs and print on the local net. I have my own config doing this nicely, which I perpetually tweak. But I always appreciate looking at what someone else has done with iptables, especially for stand-alone hosts. If you have a real tight config allowing the above services I'd love to see it, with my thanks in advance.

catworld

MrSako 07-30-2006 05:59 PM

I read through the page catworld posted. The thing is, I'm having trouble with iptables itself now.

When I try to apply changes I get

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 39 failed
[FAILED]

I don't know what to do.

I installed iptables using yum and it's on CentOS 4.

catworld 07-30-2006 06:47 PM

MrSako,

Line 39 of the iptables file you are attempting to load has a simple typo, most likely. If you "cut and pasted" the file, especially from the internet, this may not only be the case, but multiple similar cases are probably still lying in wait to frustrate.

If it isn't a ludicrous number beyond 39 lines in total, why don't you paste your file here and I'll have a look-see. I certainly appreciate the desire for the quick fix, but don't harbor the desire myself. But I do love everyone else's enthusiasm, so lay it on me and I'll see if I can help.

And to this end it would be a help if you could explain a bit further as to what you do/do not want to have happening once your iptables are behaving.

This is absolutely unnecessary, but I'd like to know what place on this fragile planet you are standing upon at the moment, too. I'm around here:

http://terraserver.microsoft.com/ima...X=54&Y=729&W=1

catworld

Quote:

Originally Posted by MrSako
I read through the page catworld posted. The thing is, I'm having trouble with iptables itself now.

When I try to apply changes I get

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 39 failed
[FAILED]

I don't know what to do.

I installed iptables using yum and it's on CentOS 4.


win32sux 07-31-2006 02:31 AM

Quote:

Originally Posted by catworld
Smoothwall is an excellent firewall:

www.smoothwall.org

I have their default iptables config among my own collection. Of course it's loaded with a lot of good forwarding rules.

oh, okay... cool... i knew what smoothwall was, i just didn't know what you were referring to with "smoothwall config"... i imagined it was something smoothwall-specific and non-iptables...

Quote:

I suppose I should be more specific. I'm looking for good, well hardened single host iptables configs but which allow smb, nfs and print on the local net. I have my own config doing this nicely, which I perpetually tweak. But I always appreciate looking at what someone else has done with iptables, especially for stand-alone hosts. If you have a real tight config allowing the above services I'd love to see it, with my thanks in advance.
i'd love to help you tweak your script!! could i please take a look at your current script before doing that?? if you could post your current iptables script it would be great... i'll see if i can improve it a little once you've posted...

win32sux 07-31-2006 02:37 AM

Quote:

Originally Posted by MrSako
I read through the page catworld posted. The thing is, I'm having trouble with iptables itself now.

When I try to apply changes I get

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 39 failed
[FAILED]

I don't know what to do.

I installed iptables using yum and it's on CentOS 4.

like catworld said, let us know about your setup, and exactly what you want your iptables to do, and we will provide you with a working script to get you started with... you will also be able to use the script from the command line, instead of using a webmin module or any other iptables front-end...

MrSako 07-31-2006 02:57 AM

It turns out I only get this error when trying to apply rules that include the connection state in the rule.

I'm trying to close all ports except for the ones needed for my servers, which at this time are ports 21 (FTP), 22 (SSH), 25 (SMTP), 80 (HTTP), 110 (POP3), and 10000 (Webmin).

I think I figured it out except for the connection state stuff (I heard you're supposed to accept connections that are related and established or something like that).
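A complete script for the policy MrSako describes in the post above (close everything except 21, 22, 25, 80, 110 and 10000 on a single-interface box, with the connection-state rules done properly), written as an added example on top of win32sux's skeleton rather than taken from the thread. It also answers win32sux's earlier point about the "--sport 53" rule: a single ESTABLISHED,RELATED rule lets replies to our own DNS queries and pings back in, and because conntrack marks ICMP errors about a tracked connection as RELATED, the six per-type ICMP rules in the posted file collapse into it too. Webmin is restricted to an admin network the same way catworld restricts SSH, but with the DROP policy doing the dropping. Assumptions, all adjustable at the top: the only interface faces the internet, ADMIN_NET is the range allowed to reach Webmin on 10000 (192.0.2.0/24 is a placeholder), and an FTP conntrack helper module exists on the box. Set IPT=echo MODPROBE=echo to dry-run: the script then prints the commands it would run instead of applying them.

```sh
#!/bin/sh
# Added example: stateful single-host firewall for MrSako's stated services.
# Usage:  sh firewall.sh apply                           (needs root)
#         IPT=echo MODPROBE=echo sh firewall.sh apply    (dry run, prints commands)

IPT=${IPT:-/sbin/iptables}
MODPROBE=${MODPROBE:-/sbin/modprobe}
# Assumption: only this network may reach Webmin (10000). 192.0.2.0/24 is a
# documentation placeholder; put the real admin source range here.
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}
# Public services from the post: FTP, SSH, SMTP, HTTP, POP3 (Webmin is restricted).
PUBLIC_TCP="21 22 25 80 110"

# Default-deny inbound and forwarded traffic, then flush rules and user chains
# in every table so the script can be re-run safely (win32sux's preamble).
reset_tables() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

# Passive FTP opens a second TCP connection on a negotiated port; the ftp
# conntrack helper is what lets the ESTABLISHED,RELATED rule accept it.
# The module name depends on the kernel generation (ip_conntrack_ftp on a
# 2.6.9-era CentOS 4 kernel, nf_conntrack_ftp on anything recent).
load_helpers() {
    $MODPROBE nf_conntrack_ftp 2>/dev/null || $MODPROBE ip_conntrack_ftp
}

apply_rules() {
    # Loopback first; nothing below should ever apply to it.
    $IPT -A INPUT -i lo -j ACCEPT

    # Stateful core. These two rules replace the "--sport 53", "--tcp-flags ACK"
    # and per-type ICMP rules of the posted file: DNS answers and echo-replies
    # are ESTABLISHED, ICMP errors about our own connections are RELATED.
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only NEW connections need explicit holes now.
    for p in $PUBLIC_TCP; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # Webmin is a root-equivalent web UI: admin network only.
    $IPT -A INPUT -p tcp --dport 10000 -s "$ADMIN_NET" -m state --state NEW -j ACCEPT

    # Let the box be pinged, rate-limited; other unsolicited ICMP hits the policy.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Log a sample of what the DROP policy is about to eat, so a blocked
    # service shows up in the kernel log instead of being guessed at.
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "IPT-DROP: "
}

# Print a command line instead of running it (used by dry_run).
say() { printf '%s\n' "$*"; }

# Produce the full command list without touching the kernel, in a subshell so
# the IPT/MODPROBE override does not leak into a later real apply.
dry_run() (
    IPT=say; MODPROBE=say
    load_helpers
    reset_tables
    apply_rules
)

if [ "${1-}" = "apply" ]; then
    load_helpers
    reset_tables
    apply_rules
fi
```

Review the dry run (`sh firewall.sh apply` with IPT=echo, or call `dry_run`) before applying, and apply from a console or with a scheduled `iptables -F` as a safety net, since the INPUT policy goes to DROP before the SSH rule is added. Once it behaves, `iptables-save > /etc/sysconfig/iptables` (or `service iptables save`) makes it persistent. One caveat for newer kernels: from Linux 4.7 automatic conntrack helper assignment is off by default, so the FTP helper additionally needs `$IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`; that CT target does not exist on a CentOS 4 kernel, which is why it is left out of the script.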

win32sux 07-31-2006 03:05 AM

Quote:

Originally Posted by MrSako
It turns out I only get this error when trying to apply rules that include the connection state in the rule.

I'm trying to close all ports except for the ones needed for my servers, which at this time are ports 21 (FTP), 22 (SSH), 25 (SMTP), 80 (HTTP), 110 (POP3), and 10000 (Webmin).

I think I figured it out except for the connection state stuff (I heard you're supposed to accept connections that are related and established or something like that).

you only have one network interface, right?? eth0??

sharma.kashyap 07-31-2006 03:19 AM

I got that working by reading an article in the LFY magazine of April of this year. Read it; it may also click for you.

