LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-30-2006, 02:37 AM   #1
MrSako
Member
 
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185

Rep: Reputation: 30
creating IPtables


im trying to create an iptable using webmin (i could edit the file myself manually if i could figure out which it is)

from my speculation the iptable script is inside /etc/sysconfig

theres 2 very identical files. iptables and iptables.save

from how it looks you modify the iptables fie (i dont know if this is just for webmin or how its supposed ot be done) then it gets "applied" to the iptables.save file and thats the real active iptables script.

heres my iptables file:

# Generated by iptables-save v1.2.11 on Sun Jul 30 01:43:14 2006
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sun Jul 30 01:43:14 2006
# Generated by iptables-save v1.2.11 on Sun Jul 30 01:43:14 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i venet0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# allow smtp on TCP port 25
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
# Completed on Sun Jul 30 01:43:14 2006


heres iptables.save:

# Generated by iptables-save v1.2.11 on Sun Jul 30 01:43:14 2006
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sun Jul 30 01:43:14 2006
# Generated by iptables-save v1.2.11 on Sun Jul 30 01:43:14 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i venet0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# allow smtp on TCP port 25
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
# Completed on Sun Jul 30 01:43:14 2006


they look exactly the same!

anyway when i clicked the apply button inside the webmin module to apply the settings i got

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Applying iptables firewall rules: iptables-restore: line 41 failed
[FAILED]

im not sure what this means

iptables-restore is in /sbin (which there is also another iptables and iptables.save file there but their not text files meant for editing they appear to be executables or something

any ideas?
 
Old 07-30-2006, 07:48 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
you don't wanna edit any of those files... you wanna create you own iptables script, and then execute it... then you run the iptables-save utility in order to save the new iptables configuration...
 
Old 07-30-2006, 11:56 AM   #3
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
iptables

I found this very useful:

http://iptables-tutorial.frozentux.n...-tutorial.html

Read it from start to finish and bear with it. You'll come out an iptables security monster.

I notice your default policies are all ACCEPT. You usually want to set INPUT and FORWARD to DROP, then open up any resources individually with the chains. For instance I allow SSH connections from my own network but drop every other network attempting to make a connection with these rules:

# Accept SSH connections on the local net, drop all other networks;
#
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s ! 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 22 -j DROP
#

and SMB:

# Accept SMB on the local net only;
#
-A INPUT -d 192.168.8.0/255.255.255.0 -i eth0 -p udp -m udp --dport 137:139 -j ACCEPT
-A INPUT -d ! 192.168.8.0/255.255.255.0 -i eth0 -p udp -m udp --dport 137:139 -j DROP
#

Whenever you find something doesn't work and you want it to, just look up it's port usage in /etc/services and use the above syntax, substituting the ports you need. The ! character negates the rule follwing, i.e. says "NOT 192.168.1.0..." These I drop.

iptables is definitely something every Linux user should get to know. I find apps like shorewall to be a chore. Much easier to edit a file called "iptables" and put it in /etc/sysconfig.
 
Old 07-30-2006, 01:09 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
lots of wierd stuff going-on with your rules... for example:
Quote:
Originally Posted by MrSako
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
that rule is pretty much insane, as it would allow anyone to talk to UDP daemons on your non-root ports by using a source port of 53... these kinda rules might have made sense back in the ipchains days, but iptables with it's connection tracking has made them obsolete... you definitely wanna remove that rule...

if you explain what you want from your iptables, i can provide you with a customized script based on my own... you could then use that as a base for your own future tweaks... the frozen tux tutorial is good (one of the best), but it's overkill for a simple short-term solution...
 
Old 07-30-2006, 01:25 PM   #5
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
win32sux,

quote: "i can provide you with a customized script based on my own... you could then use that as a base for your own future tweaks..."

I have the smootwall configs, my own and a few others. I'd like to add your config to the collection if you're willing.

quote:

" the frozen tux tutorial is good (one of the best), but it's overkill for a simple short-term solution..."

Agreed. I always forget that I never care for quick fixes, rather I understand what's going on completely first.

catworld
 
Old 07-30-2006, 01:40 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by catworld
I have the smootwall configs, my own and a few others. I'd like to add your config to the collection if you're willing.
i'm not sure what a smoothwall config is, sorry... all i use are plain iptables scripts... i've made iptables scripts with hundreds of lines, and i've made some with only a few lines... it depends on the needs at the time... for example, the box i'm using right now only has TWO rules (with the INPUT policy set to DROP):
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
 
Old 07-30-2006, 01:49 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
BTW, here's the script i used to apply those two rules, in case anyone finds it useful (although i doubt it, since it's so simple)... the chain flushing and deleting part is pretty generic, and i use it at the start of almost all my scripts...
Code:
#!/bin/sh

IPT="/sbin/iptables"

$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
i usually don't have the OUTPUT policy set to ACCEPT, though... this is just a very relaxed PC i'm using right now...
 
Old 07-30-2006, 05:20 PM   #8
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
configs

Quote:
Originally Posted by win32sux
i'm not sure what a smoothwall config is, sorry... all i use are plain iptables scripts... i've made iptables scripts with hundreds of lines, and i've made some with only a few lines... it depends on the needs at the time... for example, the box i'm using right now only has TWO rules (with the INPUT policy set to DROP):
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
Smoothwall is an excellent firewall:

www.smoothwall.org

I have their default iptables config among my own collection. Of course it's loaded with a lot of good forwarding rules.

I suppose I should be more specific. I'm looking for good, well hardened single host iptables configs but which allow smb, nfs and print on the local net. I have my own config doing this nicely, which I perpetually tweak. But I always appreciate looking at what someone else has done with iptables, especially for stand-alone hosts. If you have a real tight config allowing the above services I'd love to see it, with my thanks in advance.

catworld
 
Old 07-30-2006, 06:59 PM   #9
MrSako
Member
 
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185

Original Poster
Rep: Reputation: 30
i read through the page catworld posted. the thing is im having trouble with IPtables itself now.

when i try to apply changed i get

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 39 failed
[FAILED]

i dont know what to do

i installed iptables using yum and its on CentOS 4
 
Old 07-30-2006, 07:47 PM   #10
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
MrSako,

Line 39 of the iptables file you are attempting to load has a simple typo, most likely. If you "cut and pasted" the file, especially from the internet, this may be not only be the case, but multiple similar cases are probably yet laying in wait to frustrate.

If it isn't a ludicrous number beyond 39 lines in total, why don't you paste your file here and I'll have a look-see. I certainly appreciate the desire for the quick fix, but don't harbor the desire myself. But I do love everyone else's enthusiasm, so lay it on me and I'll see if I can help.

And to this end it would be a help if you could explain a bit further as to what you do/do not want to have happening once your iptables are behaving.

This is absolutely unnecessary, but I'd like to know what place on this fragile planet you are standing upon at the moment, too. I'm around here:

http://terraserver.microsoft.com/ima...X=54&Y=729&W=1

catworld

Quote:
Originally Posted by MrSako
i read through the page catworld posted. the thing is im having trouble with IPtables itself now.

when i try to apply changed i get

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 39 failed
[FAILED]

i dont know what to do

i installed iptables using yum and its on CentOS 4
 
Old 07-31-2006, 03:31 AM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by catworld
Smoothwall is an excellent firewall:

www.smoothwall.org

I have their default iptables config among my own collection. Of course it's loaded with a lot of good forwarding rules.
oh, okay... cool... i knew what smoothwall was, i just didn't know what you were referring to with "smoothwall config"... i imagined it was something smoothwall-specific and non-iptables...

Quote:
I suppose I should be more specific. I'm looking for good, well hardened single host iptables configs but which allow smb, nfs and print on the local net. I have my own config doing this nicely, which I perpetually tweak. But I always appreciate looking at what someone else has done with iptables, especially for stand-alone hosts. If you have a real tight config allowing the above services I'd love to see it, with my thanks in advance.
i'd love to help you tweak your script!! could i please take a look at your current script before doing that?? if you could post your current iptables script it would be great... i'll see if i can improve it a little once you've posted...
 
Old 07-31-2006, 03:37 AM   #12
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by MrSako
i read through the page catworld posted. the thing is im having trouble with IPtables itself now.

when i try to apply changed i get

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 39 failed
[FAILED]

i dont know what to do

i installed iptables using yum and its on CentOS 4
like catworld said, let us know about your setup, and exactly what you want your iptables to do, and we will provide you with a working script to get you started with... you will also be able to use the script from the command line, instead of using a webmin module or any other iptables front-end...
 
Old 07-31-2006, 03:57 AM   #13
MrSako
Member
 
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185

Original Poster
Rep: Reputation: 30
it turns out i only get this error when trying to apply rules that include the connection state in the rule

im trying to close all ports except for the ones needed for my servers, which at this time are ports 21 (ftp), 22 (ssh), 25 (SMTP), 80 (http), 110 (POP3), and 10000 (Webmin)

i think i figured it out except for the connection state stuff (i heard yor supposed to accept connections that are related and established or something like that)
 
Old 07-31-2006, 04:05 AM   #14
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by MrSako
it turns out i only get this error when trying to apply rules that include the connection state in the rule

im trying to close all ports except for the ones needed for my servers, which at this time are ports 21 (ftp), 22 (ssh), 25 (SMTP), 80 (http), 110 (POP3), and 10000 (Webmin)

i think i figured it out except for the connection state stuff (i heard yor supposed to accept connections that are related and established or something like that)
you only have one network interface, right?? eth0??
 
Old 07-31-2006, 04:19 AM   #15
sharma.kashyap
Member
 
Registered: Apr 2006
Posts: 41

Rep: Reputation: 15
i got that working by reading a article in the LFY magzine of april of this year. reaad it may also click for u
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables v1.2.9: Unknown arg `/sbin/iptables' Try `iptables -h' or 'iptables --help' Niceman2005 Linux - Security 4 12-29-2005 09:20 PM
10.0 creating problems with iptables ryedunn Mandriva 1 03-15-2004 01:11 AM
iptables -creating logs chrisfirestar Linux - Security 5 02-13-2004 08:17 AM
IPtables Log Analyzer from http://www.gege.org/iptables/ brainlego Linux - Software 0 08-11-2003 07:08 AM
My iptables script is /etc/sysconfig/iptables. How do i make this baby execute on boo ForumKid Linux - General 3 01-22-2002 08:36 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:23 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration