LinuxQuestions.org - Linux - Security
Input on IPTables (https://www.linuxquestions.org/questions/linux-security-4/input-on-iptables-876810/)

andy.l 04-24-2011 12:38 PM

Input on IPTables
 
Hi
Can anyone please give me some feedback on these Netfilter/IPTables rules? Not quite sure if I've gotten it right:
Code:

#enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
#Network definitions
#internet#######################################################################################################################
internet_iface="eth0"
#DMZ############################################################################################################################
dmz_iface="eth1"
dmz_ip="192.168.10.1"
dmz_httpserver="192.168.10.2"
dmz_net="192.168.10.0/24"
#Lan############################################################################################################################
lan_iface="eth2"
lan_IP="192.168.20.1"
lan_net="192.168.20.0/24"
#standard rules  best practice to deny by default###################
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
################################################################################################################################
#INPUT Rules
# ping 2 firewall (ICMP type 8 = echo-request, type 11 = time-exceeded)
$IPTABLES -A INPUT -p ICMP -s $lan_net -i $lan_iface --icmp-type 8 -j ACCEPT
$IPTABLES -A INPUT -p ICMP -s $lan_net -i $lan_iface --icmp-type 11 -j ACCEPT
#SSH 2 firewall
$IPTABLES -A INPUT -p tcp  -s $lan_net -i $lan_iface  --dport 22 -j ACCEPT
#Internet 2 firewall
################################################################################################################################
#Forward rules
#(the "allowed" target is a user-defined chain; it must be created with -N before these rules)
#dmz access
$IPTABLES -A FORWARD -p tcp -i $dmz_iface -o $internet_iface -d ftp.no.debian.org --dport 80 -j allowed
#lan to webserver
$IPTABLES -A FORWARD -p tcp -i $lan_iface -o $dmz_iface -d $dmz_httpserver --dport 80 -j allowed
#lan to internet
$IPTABLES -A FORWARD -p tcp -i $lan_iface -o $internet_iface -j allowed
#internet access to webserver
$IPTABLES -A FORWARD -p tcp -i $internet_iface -o $dmz_iface -d $dmz_httpserver --dport 80 -j allowed
################################################################################################################################
#output rules
$IPTABLES -A OUTPUT -p ICMP  -o $lan_iface --icmp-type 8 -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP -o $lan_iface  --icmp-type 11 -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP  -o $dmz_iface --icmp-type 8 -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP -o $dmz_iface  --icmp-type 11 -j ACCEPT

################################################################################################################################
#NAT rules
#Internet access to http in DMZ from internet
$IPTABLES -t nat -A PREROUTING -p TCP -i $internet_iface --dport 80 -j DNAT --to-destination $dmz_httpserver
#Masquerade rules (-s takes an address or network, not an interface name)
$IPTABLES -t nat -A POSTROUTING -o $internet_iface -s $lan_net -d 0/0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $internet_iface -s $dmz_net -d 0/0 -j MASQUERADE

/Andy

corp769 04-24-2011 02:25 PM

Before I go giving my thoughts about this script, have you tried it yourself to see if works out the way you scripted it?

andy.l 04-24-2011 03:18 PM

Well, actually I've tried a couple of times, and I'm unable to get the script to load. I've done some alterations as well:
Code:

#enable IP forwarding
#echo "1" > /proc/sys/net/ipv4/ip_forward
#Define the iptables variable
#iptables="/sbin/iptables"
#Network definitions
#internet#######################################################################################################################
internet_iface="eth0"
internet_ip="10.0.2.15"
#DMZ############################################################################################################################
dmz_iface="eth1"
dmz_ip="192.168.10.1"
dmz_httpserver="192.168.10.2"
dmz_net="192.168.10.0/24"
#Lan############################################################################################################################
lan_iface="eth2"
lan_IP="192.168.20.1"
lan_net="192.168.20.0/24"
#standard rules  best practice to deny by default###################
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
################################################################################################################################
#INPUT Rules
# ping 2 firewall
$IPTABLES -A INPUT -p ICMP -s $lan_net -i $lan_iface --icmp-type echo-request -j ACCEPT
#SSH 2 firewall
$IPTABLES -A INPUT -p tcp  -s $lan_net -i $lan_iface  --dport 22 -j ACCEPT
#Internet 2 firewall
################################################################################################################################
#Forward rules
#(the "allowed" target is a user-defined chain; it must be created with -N before these rules)
#dmz access
$IPTABLES -A FORWARD -p tcp -i $dmz_iface -o $internet_iface -d ftp.no.debian.org --dport 80 -j allowed
#lan to webserver
$IPTABLES -A FORWARD -p tcp -i $lan_iface -o $dmz_iface -d $dmz_httpserver --dport 80 -j allowed
#lan to internet
$IPTABLES -A FORWARD -p tcp -i $lan_iface -o $internet_iface -j allowed
#internet access to webserver
$IPTABLES -A FORWARD -p tcp -i $internet_iface -o $dmz_iface -d $dmz_httpserver --dport 80 -j allowed
#Ping 2 webserver
$IPTABLES -A FORWARD -p ICMP -s $lan_net -i $lan_iface -o $dmz_iface -d $dmz_httpserver --icmp-type echo-request -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -s $dmz_net -i $dmz_iface -o $lan_iface  --icmp-type echo-reply -j ACCEPT
################################################################################################################################
#output rules
#ping reply
$IPTABLES -A OUTPUT -p ICMP  -o $lan_iface  --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP  -o $lan_iface  --icmp-type echo-reply -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP  -o $dmz_iface  --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP  -o $dmz_iface  --icmp-type echo-reply -j ACCEPT

################################################################################################################################
#NAT rules
#Internet access to http in DMZ from internet
$IPTABLES -t nat -A PREROUTING -p TCP -i $internet_iface --dport 80 -j DNAT --to-destination $dmz_httpserver
#Masquerade rules (-s takes an address or network, not an interface name)
$IPTABLES -t nat -A POSTROUTING -o $internet_iface -s $lan_net -d 0/0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $internet_iface -s $dmz_net -d 0/0 -j MASQUERADE

When I run the command ipfilter-restore IPFilterMod.txt I get an error saying: Line 7 failed.

/Andy

corp769 04-24-2011 03:29 PM

Try uncommenting the line that defines the path to iptables, that might have something to do with it.

andy.l 04-24-2011 04:34 PM

still no luck.
I know that the syntax of the rules is correct, since I've been able to type them in manually and that worked.

/Andy.

corp769 04-24-2011 04:35 PM

Just to rule out the simple things, you have the file chmod'd to execute, and you have #!/bin/bash at the top of your script, correct?

salasi 04-24-2011 06:55 PM

Quote:

Originally Posted by andy.l (Post 4334764)

When I run the command ipfilter-restore IPFilterMod.txt I get an error saying: Line 7 failed.

/Andy

This is a shell script to generate your iptables rules; it should run as a shell script, rather than being 'restored'. 'restore' and 'save' are complements and should be used as a pair. And corp has beaten me to the comment about the #!/bin/bash.

slimm609 04-24-2011 09:36 PM

iptables="/sbin/iptables"
$IPTABLES


You use lowercase to declare it, then use uppercase to call the variable. Case does matter.

andy.l 04-25-2011 02:22 PM

Finally I got the script up and running and have only a few more questions. Thank you all for the valuable input :-)
At the top I have default DROP for all chains. But how can I drop traffic only on the internet interface (eth0), and REJECT not-allowed traffic on the LAN (eth2) and DMZ (eth1)?

The script now looks like this:
Code:

#!/bin/bash
#enable IP forwarding (without this the kernel does not route between the interfaces)
echo 1 > /proc/sys/net/ipv4/ip_forward
#Flush current rules in the filter and the nat table, so re-running the script
#does not pile up duplicate DNAT/MASQUERADE rules
iptables -F
iptables -t nat -F

#standard rules  drop everything by default, silently###################
iptables -P INPUT  DROP
iptables -P OUTPUT  DROP
iptables -P FORWARD DROP
################################################################################################################################
#INPUT Rules
# ping 2 firewall
iptables -A INPUT -p ICMP -s 192.168.20.0/24 -i eth2 -d 192.168.20.1 --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p ICMP -s 192.168.20.0/24 -i eth2 -d 192.168.20.1 --icmp-type echo-reply -j ACCEPT
#SSH 2 firewall
iptables -A INPUT -p tcp  -s 192.168.20.0/24 -i eth2 -d 192.168.20.1 --dport 22 -m state --state NEW -j ACCEPT
#Internet 2 firewall
################################################################################################################################
#Forward rules
#dmz access 2 debianupdate
iptables -A FORWARD -p tcp -s 192.168.10.2 -i eth1 -o eth0 -d 128.39.3.170 --dport 80 -j ACCEPT
#Reply from debianupdate
iptables -A FORWARD -i eth0 -o eth1 -d 192.168.10.2 -m state --state ESTABLISHED,RELATED -j ACCEPT
#lan 2 webserver
iptables -A FORWARD -p tcp -s 192.168.20.0/24 -i eth2 -o eth1 -d 192.168.10.2 --dport 80 -j ACCEPT
#webserver back 2  lan
iptables -A FORWARD -i eth1 -o eth2 -d 192.168.20.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
#lan 2 internet
iptables -A FORWARD -p tcp -s 192.168.20.0/24 -i eth2 -o eth0 -j ACCEPT
#2 LAN from internet (replies only)
iptables -A FORWARD -i eth0 -o eth2 -d 192.168.20.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
#internet 2 webserver (destination is already rewritten by the DNAT rule below when FORWARD sees it)
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.10.2 --dport 80 -j ACCEPT
#Ping 2 webserver
iptables -A FORWARD -p ICMP -s 192.168.20.0/24 -i eth2 -o eth1 -d 192.168.10.2 --icmp-type echo-request -j ACCEPT
#Ping reply from  webserver
iptables -A FORWARD -p ICMP -s 192.168.10.2 -i eth1 -o eth2 -d 192.168.20.0/24 --icmp-type echo-reply -j ACCEPT
################################################################################################################################
#output rules
#ping reply so FW can send ping
iptables -A OUTPUT -p ICMP  -s 192.168.20.1 -o eth2  -d 192.168.20.0/24 --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p ICMP  -s 192.168.20.1 -o eth2  -d 192.168.20.0/24 --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p ICMP  -s 192.168.10.1 -o eth1  -d 192.168.10.0/24 --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p ICMP  -s 192.168.10.1 -o eth1  -d 192.168.10.0/24 --icmp-type echo-reply -j ACCEPT
#SSH reply from input chain
iptables -A OUTPUT -s 192.168.20.1 -o eth2 -d 192.168.20.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

################################################################################################################################
#NAT rules
#Internet access to http in DMZ from internet
iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 80 -j DNAT --to-destination 192.168.10.2
#Masquerade rules
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.20.0/24 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10.0/24 -d 0/0 -j MASQUERADE

#print the active ruleset (redirect to a file to reload it later with iptables-restore)
/sbin/iptables-save


andy.l 04-25-2011 02:36 PM

Would the addition of these rules solve this?
Code:

# reject internal traffic
iptables -A INPUT -i eth2 -j REJECT
iptables -A INPUT -i eth1 -j REJECT

#reject traffic between DMZ and LAN
iptables -A FORWARD -i eth2 -o eth1 -j REJECT
iptables -A FORWARD -i eth1 -o eth2 -j REJECT
#reject not allowed outbound
iptables -A FORWARD -i eth2 -o eth0 -j REJECT
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

/Andy.l

corp769 04-25-2011 05:31 PM

As per the security side, I would rather drop than reject the traffic. That is my only two cents ;)

andy.l 04-26-2011 01:45 AM

I totally agree with you, but on the external interface the default rule is to drop:

Code:

#standard rules  drop default ###################
iptables -P INPUT  DROP
iptables -P OUTPUT  DROP
iptables -P FORWARD DROP

but I then override it by doing REJECT on the DMZ (eth1) and LAN (eth2). This is a part of the specification:
Code:

# reject internal traffic
iptables -A INPUT -i eth2 -j REJECT
iptables -A INPUT -i eth1 -j REJECT

#reject traffic between DMZ and LAN
iptables -A FORWARD -i eth2 -o eth1 -j REJECT
iptables -A FORWARD -i eth1 -o eth2 -j REJECT
#reject not allowed outbound
iptables -A FORWARD -i eth2 -o eth0 -j REJECT
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

/Andy
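The two points raised in the thread, loading a ruleset with iptables-restore rather than running it line by line (salasi's post), and keeping policy DROP on eth0 while answering with REJECT on the LAN and DMZ interfaces (the posts above), can be combined into one script. The following is an added example, not code from the thread or from any of the posters: it emits the thread's three-interface ruleset in iptables-restore format and runs a few static checks on it before anything touches the kernel. The interfaces, networks and web server address are the thread's; the function names (`build_ruleset`, `check_ruleset`), the use of `-m conntrack` in place of `-m state`, and the `icmp-admin-prohibited` reject type are this example's own choices. It also runs with `set -u`, which would have aborted on the `$IPTABLES`/`$iptables` mismatch on the first line that used it.

```shell
#!/bin/bash
# Added example, not code from the thread. Generates the thread's ruleset in
# iptables-restore format and checks it. Interfaces/addresses are the thread's;
# the function names and the conntrack/reject-type choices are assumptions.
set -eu   # -u aborts on any unset variable (e.g. $IPTABLES when only $iptables was defined)

WAN=eth0; DMZ=eth1; LAN=eth2
DMZ_NET=192.168.10.0/24; LAN_NET=192.168.20.0/24
WEB=192.168.10.2

build_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT runs in PREROUTING, before routing and FORWARD, so FORWARD matches $WEB as destination
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
-A POSTROUTING -o $WAN -s $DMZ_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# reply traffic first in every chain, so it is never caught by the per-interface REJECT tail
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# internal interfaces answer with an ICMP error; $WAN has no REJECT rule and falls through to policy DROP
-A INPUT -i $LAN -j REJECT --reject-with icmp-admin-prohibited
-A INPUT -i $DMZ -j REJECT --reject-with icmp-admin-prohibited
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $WEB -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -s $WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN -j REJECT --reject-with icmp-admin-prohibited
-A FORWARD -i $DMZ -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $LAN -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -o $DMZ -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Static checks on the generated text: every table block ends with COMMIT, the three
# filter policies are DROP, and in INPUT and FORWARD the ESTABLISHED,RELATED accept
# comes before the first interface-wide REJECT (otherwise replies to connections we
# allowed would be rejected). Returns 0 when all of them hold.
check_ruleset() {
  local rules=$1 chain first_est first_rej
  [ "$(printf '%s\n' "$rules" | grep -c '^\*')" -eq \
    "$(printf '%s\n' "$rules" | grep -c '^COMMIT$')" ] || return 1
  for chain in INPUT FORWARD OUTPUT; do
    printf '%s\n' "$rules" | grep -q "^:$chain DROP" || return 1
  done
  for chain in INPUT FORWARD; do
    first_est=$(printf '%s\n' "$rules" | grep -n "^-A $chain .*ESTABLISHED,RELATED -j ACCEPT" | head -n 1 | cut -d: -f1)
    first_rej=$(printf '%s\n' "$rules" | grep -n "^-A $chain -i [a-z0-9]* -j REJECT" | head -n 1 | cut -d: -f1)
    [ -n "$first_est" ] && [ -n "$first_rej" ] && [ "$first_est" -lt "$first_rej" ] || return 1
  done
  return 0
}

# ./rules.sh prints the checked ruleset; ./rules.sh --load (as root) test-parses it and then
# loads it atomically, so a typo cannot leave the box half-configured the way a failing
# line-by-line script does.
if [ "${1:-}" = "--load" ]; then
  build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
else
  rules=$(build_ruleset)
  check_ruleset "$rules" && printf '%s\n' "$rules"
fi
```

The REJECT rules sit at the tail of INPUT and FORWARD and name only eth1 and eth2, so a packet from eth0 that matches nothing falls through to the chain policy and is dropped silently, while a LAN or DMZ host gets an immediate "administratively prohibited" answer instead of a timeout. That is the trade-off corp769 points at: REJECT is friendlier to your own users, DROP gives an outside scanner nothing to work with. Loading through `iptables-restore --test` first is cheap and catches the kind of syntax error the thread spent several posts on.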

andy.l 04-26-2011 04:09 PM

But for the script in general, can anyone see anything that you consider "wrong" or flawed that will cause the ruleset not to work?

/Andy

corp769 04-26-2011 06:14 PM

Well let me ask from your point of view; Does it work for you? What all else do you want it to do?

