LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-31-2006, 04:28 AM   #16
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380

Quote:
Originally Posted by MrSako
im trying to close all ports except for the ones needed for my servers, which at this time are ports 21 (ftp), 22 (ssh), 25 (SMTP), 80 (http), 110 (POP3), and 10000 (Webmin)
then all you need to do is add one rule to the script i posted:
Code:
#!/bin/sh

IPT="/sbin/iptables"

$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p TCP -i eth0 -m multiport --dports \
21,22,25,80,110,10000 -m state --state NEW -j ACCEPT
after executing this script, do a:
Code:
/sbin/service iptables save
and then you should be good to go, AFAICT...

http://kbase.redhat.com/faq/FAQ_44_954.shtm

to check that the rules are "sticking", just reboot and then do a:
Code:
iptables -L -v -n
you should see something like this:
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           multiport dports 21,22,25,80,110,10000 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Last edited by win32sux; 07-31-2006 at 06:44 AM.
 
Old 07-31-2006, 01:41 PM   #17
MrSako
Member
 
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185

Original Poster
Rep: Reputation: 30
i beleive my network interface is venet0

i have two IPs (venet0:0 and venet0:1) so i guess my interface would be just venet0
 
Old 07-31-2006, 11:52 PM   #18
MrSako
Member
 
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185

Original Poster
Rep: Reputation: 30
i want to try this script out but i think my external hardware might be venet0 (or venet0:0) and i dont wanna lcok myself out. (this is on a VPS im rneting i dont have physical access to the server only via shell and webmin)
 
Old 08-01-2006, 08:40 AM   #19
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by MrSako
i want to try this script out but i think my external hardware might be venet0 (or venet0:0) and i dont wanna lcok myself out. (this is on a VPS im rneting i dont have physical access to the server only via shell and webmin)
what i would do then is cron a script to clear all my rules and chains like in 20 minutes just in case... so if i lock myselft out i know i'll just have to wait 20 minutes before i can get back in... it's just a suggestion and if you use it make sure you test it beforehand...
Code:
#!/bin/sh

IPT="/sbin/iptables"

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
 
Old 08-01-2006, 02:55 PM   #20
MrSako
Member
 
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185

Original Poster
Rep: Reputation: 30
i created that cronjob but how do i know if it works?
 
Old 08-01-2006, 03:06 PM   #21
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by MrSako
i created that cronjob but how do i know if it works?
run some pointless rules or whatever, and then check they are active with:
Code:
iptables -L
then wait for the cronjob to kick-in, and again do a:
Code:
iptables -L
there should be no rules and the policies should all be ACCEPT...
 
Old 08-01-2006, 04:36 PM   #22
MrSako
Member
 
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185

Original Poster
Rep: Reputation: 30
instead of your configuration for the iptables to test out the cronjob i did one where i had done it before and i knew i could still log into the server via ssh

anyway the cronjob didnt work but i used ssh to login to root and do this:

[root@vps ~]# iptables -P INPUT ACCEPT
[root@vps ~]# iptables -P OUTPUT ACCEPT


is it possible to do this in a cronjob? ie

su root
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

as the cronjob script
 
Old 08-01-2006, 04:55 PM   #23
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by MrSako
instead of your configuration for the iptables to test out the cronjob i did one where i had done it before and i knew i could still log into the server via ssh

anyway the cronjob didnt work but i used ssh to login to root and do this:

[root@vps ~]# iptables -P INPUT ACCEPT
[root@vps ~]# iptables -P OUTPUT ACCEPT


is it possible to do this in a cronjob? ie

su root
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

as the cronjob script
yes, you can cron any script you want... but croning all scripts is the same procedure, so if you couldn't get mine to work it's fair to assume you won't get yours to work either... what does the line in your crontab look like??

EDIT: wait, i just noticed your "su root" thing... why are you doing that?? are you using your non-root crontab for this?? if so, that's likely why it won't work... you need to use root's crontab...

Last edited by win32sux; 08-01-2006 at 04:57 PM.
 
Old 08-01-2006, 05:36 PM   #24
MrSako
Member
 
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185

Original Poster
Rep: Reputation: 30
i did a chmod +x to the script file for the cronjob i got this though

[root@vps local]# /usr/local/cron-iptables
: bad interpreter: No such file or directory


i tried making a cronjob with the commands i described but i got this..

/bin/sh: iptables: command not found
/bin/sh: iptables: command not found

this is the command i set for being the cron job (i set it to run as root, i forgo about that so theres no need to be su)

iptables -P INPUT ACCEPT;iptables -P OUTPUT ACCEPT


id rather figure out whats not working about iptables -P INPUT ACCEPT;iptables -P OUTPUT ACCEPT becasue i know doing this in the SSH works fine (i typed it just like that into my SSH client with no error)

Last edited by MrSako; 08-01-2006 at 05:37 PM.
 
Old 08-01-2006, 06:01 PM   #25
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by MrSako
i did a chmod +x to the script file for the cronjob i got this though

[root@vps local]# /usr/local/cron-iptables
: bad interpreter: No such file or directory


i tried making a cronjob with the commands i described but i got this..

/bin/sh: iptables: command not found
/bin/sh: iptables: command not found

this is the command i set for being the cron job (i set it to run as root, i forgo about that so theres no need to be su)

iptables -P INPUT ACCEPT;iptables -P OUTPUT ACCEPT


id rather figure out whats not working about iptables -P INPUT ACCEPT;iptables -P OUTPUT ACCEPT becasue i know doing this in the SSH works fine (i typed it just like that into my SSH client with no error)
in your crontab, you need to use absolute pathnames...

notice how in my script "/sbin/iptables" is used instead of "iptables"...

Last edited by win32sux; 08-01-2006 at 06:09 PM.
 
Old 08-01-2006, 06:13 PM   #26
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
To my mind, this is one job you have to run as root, iptables is invisible to the user. The webmin cron interface has a "run as" option, but I'm not sure it won't hang awaiting a root pass in the background, i.e. fail if yoy select "run as root."
 
Old 08-01-2006, 06:17 PM   #27
MrSako
Member
 
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185

Original Poster
Rep: Reputation: 30
ok i got the cron to work. just i cant get the scrip to execute now..

[root@vps local]# ls
bin gamecreate include lib man share teamspeak
etc games iptables_script libexec sbin src webmin
[root@vps local]# chmod +x iptables_script
[root@vps local]# ./iptable_script
-bash: ./iptable_script: No such file or directory
[root@vps local]# /usr/local/iptables_script
: bad interpreter: No such file or directory


i tried the full patth the second time just to ry it

i did ls and i see the file right there i dont understand
 
Old 08-01-2006, 06:19 PM   #28
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by catworld
To my mind, this is one job you have to run as root, iptables is invisible to the user.
it's not invisible at all, in fact it's in non-root users' paths... they have access to the binary, they will just get a permissions error when they run it...
Code:
win32sux@carly:~$ whoami
win32sux
win32sux@carly:~$ iptables -L
iptables v1.3.3: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
win32sux@carly:~$

Last edited by win32sux; 08-01-2006 at 06:20 PM.
 
Old 08-01-2006, 06:24 PM   #29
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by MrSako
[root@vps local]# chmod +x iptables_script
[root@vps local]# ./iptable_script
okay this is because you misspelled the script's name...

Quote:
-bash: ./iptable_script: No such file or directory
[root@vps local]# /usr/local/iptables_script
: bad interpreter: No such file or directory
this looks like your shebang (#!/bin/sh) isn't set right...

i seriously recommend that you use my cleanup script from post #19 instead of just two rules which do nothing but set policies...

Last edited by win32sux; 08-01-2006 at 06:26 PM.
 
Old 08-01-2006, 06:25 PM   #30
MrSako
Member
 
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by win32sux
okay this is because you misspelled the script's name...


this looks like your shebang (#!/bin/sh) isn't set right...

how do i make it "set right"
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables v1.2.9: Unknown arg `/sbin/iptables' Try `iptables -h' or 'iptables --help' Niceman2005 Linux - Security 4 12-29-2005 09:20 PM
10.0 creating problems with iptables ryedunn Mandriva 1 03-15-2004 01:11 AM
iptables -creating logs chrisfirestar Linux - Security 5 02-13-2004 08:17 AM
IPtables Log Analyzer from http://www.gege.org/iptables/ brainlego Linux - Software 0 08-11-2003 07:08 AM
My iptables script is /etc/sysconfig/iptables. How do i make this baby execute on boo ForumKid Linux - General 3 01-22-2002 08:36 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:17 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration