Lokkit doesn't allow me to setup specific source addresses to restrict comms to either.
Lokkit isn't really useful for setting up anything but fairly basic firewalls. If you need more complex rules, then you really need to use iptables directly.
Then again, today is the first day I've ever looked at a set of IPTABLES rules - so as stated I apologize for being so clueless.
No need to apologize. We've all been clueless about it at some point and iptables syntanx isn't very straight forward.
The best way to get an idea of the state of the firewall is to use "iptables -n -L -v" (you'll see why in a sec.)
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
(THIS SEEMS TO SAY ALLOW EVERYTHING INBOUND FROM ETH0)
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
(MY BOX IS NOT A ROUTER, ALTHOUGH IT DOES HAVE TWO ETH INTERFACES
ONLY ONE IS ACTIVE)
What is going on here with the INPUT and FORWARD chains is that lokkit creates a custom user-defined chain called "RH-Firewall-1-INPUT" which is where lokkit does all the packet filtering. For the packets to get passed to this filtering chain, the above rules are basically taking all INPUT and FORWARD packets (all incoming packets) and loads them all into the top of the RH-Firewall-1-INPUT chain. The packets then move through that chain and are compared to all the rules in that chain and are dropped/accepted/etc to each of the rules.
Code:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
(WHAT'S UP WITH THIS - NO OUTBOUND PACKETS ALLOWED ?)
Since the default rule for the OUTPUT chain is ACCEPT (see the part that says "policy ACCEPT " above), all outbound packets will allowed out. So basically no egress filtering is done, which isn't the most secure thing in the world, but does prevent the firewall from interfering with applications you are running.
Code:
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
(DOESN'T THIS RULE ALLOW EVERYTHING ?)
If you do the iptables -n -L -v command, I'm pretty sure you'll see that this rule applies only to the loopback adapter interface which should be only handling local traffic on the machine.
Code:
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABL ISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:12 41
REJECT all -- anywhere anywhere reject-with icmp-hos t-prohibited
The first rule in this block of rules allows icmp (ping) traffic, which you may or may not want. There in bold is the rule for nessus. Your actually only allowing NEW connections, but the line before it allows all ESTABLISHED and RELATED traffic, so that should do the trick. So up to this point, you've only allowed ping, some ipv6 traffic, traffic you initiate and nessus traffic. The last rule is going to reject any other inbound traffic. Bear in mind that REJECT is not the samething as drop, so your machine will technically respond to incoming traffic (it will respond with an icmp host-prohibited message), which again may not be what you want.
As far as limiting the nessus traffic to 2 source IPs goes. I don't think lokkit can do that, but the iptables rules would be fairly straight forward:
iptables -I INPUT -s X.X.X.X -p tcp --dport 1241 -j ACCEPT
where X.X.X.X is the IP you want to allow. You can then remove the lokkit rule you've added.
