Linux - Security (LinuxQuestions.org forum)
#1 | 07-30-2006, 02:37 AM | Member (Registered: May 2006; Distribution: CentOS 4.4; Posts: 185)
creating IPtables
I'm trying to create an iptables ruleset using webmin (I could edit the file myself manually if I could figure out which it is).
From my speculation the iptables script is inside /etc/sysconfig.
There are 2 nearly identical files: iptables and iptables.save.
From how it looks, you modify the iptables file (I don't know if this is just for webmin or how it's supposed to be done), then it gets "applied" to the iptables.save file, and that's the real active iptables script.
Here's my iptables file:
# Generated by iptables-save v1.2.11 on Sun Jul 30 01:43:14 2006
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sun Jul 30 01:43:14 2006
# Generated by iptables-save v1.2.11 on Sun Jul 30 01:43:14 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i venet0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# allow smtp on TCP port 25
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
# Completed on Sun Jul 30 01:43:14 2006
Here's iptables.save:
# Generated by iptables-save v1.2.11 on Sun Jul 30 01:43:14 2006
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sun Jul 30 01:43:14 2006
# Generated by iptables-save v1.2.11 on Sun Jul 30 01:43:14 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i venet0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# allow smtp on TCP port 25
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
# Completed on Sun Jul 30 01:43:14 2006
They look exactly the same!
Anyway, when I clicked the apply button inside the webmin module to apply the settings I got:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Applying iptables firewall rules: iptables-restore: line 41 failed
[FAILED]
I'm not sure what this means.
iptables-restore is in /sbin (there are also another iptables and iptables.save file there, but they're not text files meant for editing; they appear to be executables or something).
Any ideas?
#2 | 07-30-2006, 07:48 AM | LQ Guru (Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
You don't wanna edit any of those files... you wanna create your own iptables script, and then execute it... then you run the iptables-save utility in order to save the new iptables configuration...
#3 | 07-30-2006, 11:56 AM | Member (Registered: Nov 2004; Location: Horseheads, New York; Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...; Posts: 198)
iptables
I found this very useful:
http://iptables-tutorial.frozentux.n...-tutorial.html
Read it from start to finish and bear with it. You'll come out an iptables security monster.
I notice your default policies are all ACCEPT. You usually want to set INPUT and FORWARD to DROP, then open up any resources individually with the chains. For instance I allow SSH connections from my own network but drop every other network attempting to make a connection with these rules:
# Accept SSH connections on the local net, drop all other networks;
#
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s ! 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 22 -j DROP
#
and SMB:
# Accept SMB on the local net only;
#
-A INPUT -d 192.168.8.0/255.255.255.0 -i eth0 -p udp -m udp --dport 137:139 -j ACCEPT
-A INPUT -d ! 192.168.8.0/255.255.255.0 -i eth0 -p udp -m udp --dport 137:139 -j DROP
#
Whenever you find something doesn't work and you want it to, just look up its port usage in /etc/services and use the above syntax, substituting the ports you need. The ! character negates the rule following, i.e. says "NOT 192.168.1.0..." These I drop.
iptables is definitely something every Linux user should get to know. I find apps like shorewall to be a chore. Much easier to edit a file called "iptables" and put it in /etc/sysconfig.
#4 | 07-30-2006, 01:09 PM | LQ Guru (Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Lots of weird stuff going on with your rules... for example:
Quote:
Originally Posted by MrSako
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
That rule is pretty much insane, as it would allow anyone to talk to UDP daemons on your non-root ports by using a source port of 53... these kinda rules might have made sense back in the ipchains days, but iptables with its connection tracking has made them obsolete... you definitely wanna remove that rule...
If you explain what you want from your iptables, I can provide you with a customized script based on my own... you could then use that as a base for your own future tweaks... the frozentux tutorial is good (one of the best), but it's overkill for a simple short-term solution...
#5 | 07-30-2006, 01:25 PM | Member (Registered: Nov 2004; Location: Horseheads, New York; Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...; Posts: 198)
win32sux,
quote: "i can provide you with a customized script based on my own... you could then use that as a base for your own future tweaks..."
I have the smoothwall configs, my own and a few others. I'd like to add your config to the collection if you're willing.
quote:
" the frozen tux tutorial is good (one of the best), but it's overkill for a simple short-term solution..."
Agreed. I always forget that I never care for quick fixes; rather, I understand what's going on completely first.
catworld
#6 | 07-30-2006, 01:40 PM | LQ Guru (Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote:
Originally Posted by catworld
I have the smoothwall configs, my own and a few others. I'd like to add your config to the collection if you're willing.
I'm not sure what a smoothwall config is, sorry... all I use are plain iptables scripts... I've made iptables scripts with hundreds of lines, and I've made some with only a few lines... it depends on the needs at the time... for example, the box I'm using right now only has TWO rules (with the INPUT policy set to DROP):
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
#7 | 07-30-2006, 01:49 PM | LQ Guru (Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
BTW, here's the script I used to apply those two rules, in case anyone finds it useful (although I doubt it, since it's so simple)... the chain flushing and deleting part is pretty generic, and I use it at the start of almost all my scripts...
Code:
#!/bin/sh
IPT="/sbin/iptables"
# default policies: drop unsolicited input and forwarding, allow output
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
# flush every rule (-F) and delete every user-defined chain (-X) in the filter, nat and mangle tables
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
# the two rules: replies to connections this box started, and anything on loopback
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
I usually don't have the OUTPUT policy set to ACCEPT, though... this is just a very relaxed PC I'm using right now...
#8 | 07-30-2006, 05:20 PM | Member (Registered: Nov 2004; Location: Horseheads, New York; Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...; Posts: 198)
configs
Quote:
Originally Posted by win32sux
I'm not sure what a smoothwall config is, sorry... all I use are plain iptables scripts... I've made iptables scripts with hundreds of lines, and I've made some with only a few lines... it depends on the needs at the time... for example, the box I'm using right now only has TWO rules (with the INPUT policy set to DROP):
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
Smoothwall is an excellent firewall:
www.smoothwall.org
I have their default iptables config among my own collection. Of course it's loaded with a lot of good forwarding rules.
I suppose I should be more specific. I'm looking for good, well hardened single host iptables configs but which allow smb, nfs and print on the local net. I have my own config doing this nicely, which I perpetually tweak. But I always appreciate looking at what someone else has done with iptables, especially for stand-alone hosts. If you have a real tight config allowing the above services I'd love to see it, with my thanks in advance.
catworld
#9 | 07-30-2006, 06:59 PM | Member, Original Poster (Registered: May 2006; Distribution: CentOS 4.4; Posts: 185)
I read through the page catworld posted. The thing is I'm having trouble with iptables itself now.
When I try to apply changes I get:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 39 failed
[FAILED]
I don't know what to do.
I installed iptables using yum and it's on CentOS 4.
#10 | 07-30-2006, 07:47 PM | Member (Registered: Nov 2004; Location: Horseheads, New York; Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...; Posts: 198)
MrSako,
Line 39 of the iptables file you are attempting to load has a simple typo, most likely. If you "cut and pasted" the file, especially from the internet, this may not only be the case, but multiple similar cases are probably yet lying in wait to frustrate.
If it isn't a ludicrous number beyond 39 lines in total, why don't you paste your file here and I'll have a look-see. I certainly appreciate the desire for the quick fix, but don't harbor the desire myself. But I do love everyone else's enthusiasm, so lay it on me and I'll see if I can help.
And to this end it would be a help if you could explain a bit further as to what you do/do not want to have happening once your iptables are behaving.
This is absolutely unnecessary, but I'd like to know what place on this fragile planet you are standing upon at the moment, too. I'm around here:
http://terraserver.microsoft.com/ima...X=54&Y=729&W=1
catworld
Quote:
Originally Posted by MrSako
I read through the page catworld posted. The thing is I'm having trouble with iptables itself now.
When I try to apply changes I get:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 39 failed
[FAILED]
I don't know what to do.
I installed iptables using yum and it's on CentOS 4.
#11 | 07-31-2006, 03:31 AM | LQ Guru (Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote:
Originally Posted by catworld
Smoothwall is an excellent firewall:
www.smoothwall.org
I have their default iptables config among my own collection. Of course it's loaded with a lot of good forwarding rules.
Oh, okay... cool... I knew what smoothwall was, I just didn't know what you were referring to with "smoothwall config"... I imagined it was something smoothwall-specific and non-iptables...
Quote:
I suppose I should be more specific. I'm looking for good, well hardened single host iptables configs but which allow smb, nfs and print on the local net. I have my own config doing this nicely, which I perpetually tweak. But I always appreciate looking at what someone else has done with iptables, especially for stand-alone hosts. If you have a real tight config allowing the above services I'd love to see it, with my thanks in advance.
I'd love to help you tweak your script!! Could I please take a look at your current script before doing that?? If you could post your current iptables script it would be great... I'll see if I can improve it a little once you've posted...
#12 | 07-31-2006, 03:37 AM | LQ Guru (Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote:
Originally Posted by MrSako
I read through the page catworld posted. The thing is I'm having trouble with iptables itself now.
When I try to apply changes I get:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 39 failed
[FAILED]
I don't know what to do.
I installed iptables using yum and it's on CentOS 4.
Like catworld said, let us know about your setup, and exactly what you want your iptables to do, and we will provide you with a working script to get you started with... you will also be able to use the script from the command line, instead of using a webmin module or any other iptables front-end...
#13 | 07-31-2006, 03:57 AM | Member, Original Poster (Registered: May 2006; Distribution: CentOS 4.4; Posts: 185)
It turns out I only get this error when trying to apply rules that include the connection state in the rule.
I'm trying to close all ports except for the ones needed for my servers, which at this time are ports 21 (ftp), 22 (ssh), 25 (SMTP), 80 (http), 110 (POP3), and 10000 (Webmin).
I think I figured it out except for the connection state stuff (I heard you're supposed to accept connections that are related and established or something like that).
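Added example (my own Python, not code posted by MrSako, win32sux or catworld): it covers two things from this thread at once. For the "iptables-restore: line N failed" message in #1 and #9, `failed_line()` returns line N as iptables-restore counts it (comments and blank lines included, so the number refers to the file as written, not to the rule count). `lint()` parses the iptables-save format (the `*table`, `:CHAIN POLICY`, `-A` and `COMMIT` directives) and flags the class of rule win32sux calls insane in #4: an ACCEPT keyed on the peer's source port or TCP flags, which the peer chooses, plus a missing ESTABLISHED/RELATED rule. `build_ruleset()` then writes an iptables-restore file for the ports MrSako lists in #13 that passes those same checks. The sample ruleset is constructed in the shape of the OP's file, and the interface name eth0 is an assumption (win32sux only asks whether that is the interface).

```python
"""Offline checks and a generator for iptables-save style rulesets.
Added example for this thread, not code posted by anyone in it."""

# Constructed sample in the shape of MrSako's *filter table, trimmed to a few rules.
SAMPLE_RULESET = """\
# Generated by iptables-save v1.2.11 on Sun Jul 30 01:43:14 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
COMMIT
# Completed on Sun Jul 30 01:43:14 2006
"""

# Ports MrSako listed; the interface name is an assumption (win32sux asks whether it is eth0).
SERVICE_PORTS = (21, 22, 25, 80, 110, 10000)


def failed_line(text, n):
    """Line n of the file as iptables-restore counts it: 1-based, comments and blanks included."""
    lines = text.splitlines()
    return lines[n - 1] if 1 <= n <= len(lines) else None


def parse(text):
    """Parse into {table: {"policies": {chain: policy}, "rules": [(lineno, chain, tokens)]}}."""
    tables, table = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # start of a table
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif table is None:
            raise ValueError(f"line {lineno}: directive outside a table: {line!r}")
        elif line.startswith(":"):                    # chain declaration with its policy
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A "):
            tokens = line.split()
            tables[table]["rules"].append((lineno, tokens[1], tokens))
        else:
            raise ValueError(f"line {lineno}: unrecognised directive {line!r}")
    return tables


def lint(text):
    """Return findings for the INPUT chain of *filter; an empty list means the checks passed."""
    findings = []
    filt = parse(text).get("filter")
    if filt is None:
        return ["no *filter table"]
    if filt["policies"].get("INPUT") != "DROP":
        findings.append("INPUT policy is not DROP")
    has_established = False
    for lineno, chain, tokens in filt["rules"]:
        if chain != "INPUT" or tokens[-2:] != ["-j", "ACCEPT"]:
            continue
        states = tokens[tokens.index("--state") + 1].split(",") if "--state" in tokens else []
        if "ESTABLISHED" in states:
            has_established = True
            continue
        # The peer chooses its own source port and TCP flags, so an ACCEPT keyed on
        # either admits unsolicited traffic (win32sux's point about --sport 53).
        if "--sport" in tokens:
            findings.append(f"line {lineno}: ACCEPT keyed on source port "
                            f"{tokens[tokens.index('--sport') + 1]}")
        if "--tcp-flags" in tokens:
            findings.append(f"line {lineno}: ACCEPT keyed on TCP flags alone")
    if not has_established:
        findings.append("no ESTABLISHED/RELATED accept in INPUT")
    return findings


def build_ruleset(tcp_ports, iface="eth0"):
    """iptables-restore text: DROP policies, loopback and stateful accepts, one NEW accept per port."""
    lines = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
             "-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for port in sorted(set(tcp_ports)):
        if not 1 <= port <= 65535:
            raise ValueError(f"bad port {port}")
        lines.append(f"-A INPUT -i {iface} -p tcp -m tcp --dport {port} -m state --state NEW -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("iptables-restore: line 11 failed ->", failed_line(SAMPLE_RULESET, 11))
    for finding in lint(SAMPLE_RULESET):
        print("finding:", finding)
    print(build_ruleset(SERVICE_PORTS))
```

Usage: save the output of `build_ruleset()` to a file and load it as root with `iptables-restore < file` (newer iptables-restore versions also take `--test` to parse without committing). The linter is a text check on the file, so it catches the rule classes above before loading, but it is no substitute for actually loading the ruleset and watching what iptables-restore reports.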
#14 | 07-31-2006, 04:05 AM | LQ Guru (Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote:
Originally Posted by MrSako
It turns out I only get this error when trying to apply rules that include the connection state in the rule.
I'm trying to close all ports except for the ones needed for my servers, which at this time are ports 21 (ftp), 22 (ssh), 25 (SMTP), 80 (http), 110 (POP3), and 10000 (Webmin).
I think I figured it out except for the connection state stuff (I heard you're supposed to accept connections that are related and established or something like that).
You only have one network interface, right?? eth0??
#15 | 07-31-2006, 04:19 AM | Member (Registered: Apr 2006; Posts: 41)
I got that working by reading an article in the LFY magazine of April of this year. Read it, it may also click for you.