LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-24-2011, 12:38 PM   #1
andy.l
Member
 
Registered: Feb 2007
Location: Scandinavia
Distribution: Centos/Redhat
Posts: 97

Rep: Reputation: 15
Question Input on IPTables


Hi
Can anyone please give me som efeedback on this Netfilter/IPTables rules. Not quitre sure if I've gotten it right:
Code:
#enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
#Network definitions
#internet#######################################################################################################################
internet_iface="eth0"
#DMZ############################################################################################################################
dmz_iface="eth1"
dmz_ip="192.168.10.1"
dmz_httpserver="192.168.10.2"
dmz_net="192.168.10.0/24"
#Lan############################################################################################################################
lan_iface="eth2"
lan_IP="192.168.20.1"
lan_net="192.168.20.0/24"
#standard rules  best practice to deny by default###################
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
################################################################################################################################
#INPUT Rules 
# ping 2 firewall
$IPTABLES -A INPUT -p ICMP -s $lan_net -i $lan_iface --icmp-type 8 -j ACCEPT
$IPTABLES -A INPUT -p ICMP -s $lan_net -i $lan_iface --icmp-type 11 -j ACCEPT
#SSH 2 firewall
$IPTABLES -A INPUT -p tcp  -s $lan_net -i $lan_iface  --dport 22 -j ACCEPT
#Internet 2 firewall
################################################################################################################################
#Forward rules
#dmz access
$IPTABLES -A FORWARD -p tcp -i $dmz_iface -o $internet_iface -d ftp.no.debian.org --dport 80 -j allowed
#lan til webserver
$IPTABLES -A FORWARD -p tcp -i $lan_iface -o $dmz_iface -d $dmz_httpserver --dport 80 -j allowed
#lan til internet
$IPTABLES -A FORWARD -p tcp -i $lan_iface -o $internet_iface -j allowed
#internet tilgang til webserver
$IPTABLES -A FORWARD -p tcp -i $internet_iface -o $dmz_iface -d $dmz_httpserver --dport 80 -j allowed
################################################################################################################################
#output rules
IPTABLES -A OUTPUT -p ICMP  -o $lan_iface --icmp-type 8 -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP -o $lan_iface  --icmp-type 11 -j ACCEPT
IPTABLES -A OUTPUT -p ICMP  -o $dmz_iface --icmp-type 8 -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP -o $dmz_iface  --icmp-type 11 -j ACCEPT

################################################################################################################################
#NAT rules
#Internet access to http in DMZ from internet
$IPTABLES -t nat -A PREROUTING -p TCP -i $internet_iface --dport 80 -j DNAT --to-destination $dmz_httpserver
#Masquerade rules
$IPTABLES -t nat -A POSTROUTING -o $internet_iface -s $lan_iface -d 0/0 -J MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $internet_iface -s $dmz_iface -d 0/0 -J MASQUERADE
/Andy
 
Old 04-24-2011, 02:25 PM   #2
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007
Before I go giving my thoughts about this script, have you tried it yourself to see if works out the way you scripted it?
 
Old 04-24-2011, 03:18 PM   #3
andy.l
Member
 
Registered: Feb 2007
Location: Scandinavia
Distribution: Centos/Redhat
Posts: 97

Original Poster
Rep: Reputation: 15
Well actually I've tried a couple of times, and I'm anable to get the script to load. I've done some alterations as well:
Code:
#enable IP forwarding
#echo "1" > /proc/sys/net/ipv4/ip_forward
#Define the iptables variable
#iptables="/sbin/iptables"
#Network definitions
#internet#######################################################################################################################
internet_iface="eth0"
internet_ip="10.0.2.15"
#DMZ############################################################################################################################
dmz_iface="eth1"
dmz_ip="192.168.10.1"
dmz_httpserver="192.168.10.2"
dmz_net="192.168.10.0/24"
#Lan############################################################################################################################
lan_iface="eth2"
lan_IP="192.168.20.1"
lan_net="192.168.20.0/24"
#standard rules  best practice to deny by default###################
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
################################################################################################################################
#INPUT Rules 
# ping 2 firewall
$IPTABLES -A INPUT -p ICMP -s $lan_net -i $lan_iface --icmp-type echo-request -j ACCEPT
#SSH 2 firewall
$IPTABLES -A INPUT -p tcp  -s $lan_net -i $lan_iface  --dport 22 -j ACCEPT
#Internet 2 firewall
################################################################################################################################
#Forward rules
#dmz access
$IPTABLES -A FORWARD -p tcp -i $dmz_iface -o $internet_iface -d ftp.no.debian.org --dport 80 -j allowed
#lan til webserver
$IPTABLES -A FORWARD -p tcp -i $lan_iface -o $dmz_iface -d $dmz_httpserver --dport 80 -j allowed
#lan til internet
$IPTABLES -A FORWARD -p tcp -i $lan_iface -o $internet_iface -j allowed
#internet tilgang til webserver
$IPTABLES -A FORWARD -p tcp -i $internet_iface -o $dmz_iface -d $dmz_httpserver --dport 80 -j allowed
#Pint 2 webserver
$IPTABLES -A FORWARD -p ICMP -s $lan_net -i $lan_iface -o $dmz_iface -d $dmz_httpserver --icmp-type echo-request -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -s $dmz_net -i $dmz_iface -o $lan_iface  --icmp-type echo-reply -j ACCEPT
################################################################################################################################
#output rules
#ping reply
$IPTABLES -A OUTPUT -p ICMP  -o $lan_iface  --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP  -o $lan_iface  --icmp-type echo-reply -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP  -o $dmz_iface  --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP  -o $dmz_iface  --icmp-type echo-reply -j ACCEPT

################################################################################################################################
#NAT rules
#Internet access to http in DMZ from internet
$IPTABLES -t nat -A PREROUTING -p TCP -i $internet_iface --dport 80 -j DNAT --to-destination $dmz_httpserver
#Masquerade rules
$IPTABLES -t nat -A POSTROUTING -o $internet_iface -s $lan_iface -d 0/0 -J MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $internet_iface -s $dmz_iface -d 0/0 -J MASQUERADE
When i run the command ipfilter-restore IPFilterMod.txt i get an error saying: Line 7 failed.

/Andy
 
Old 04-24-2011, 03:29 PM   #4
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007
Try uncommenting the line that defines the path to iptables, that might have something to do with it.
 
Old 04-24-2011, 04:34 PM   #5
andy.l
Member
 
Registered: Feb 2007
Location: Scandinavia
Distribution: Centos/Redhat
Posts: 97

Original Poster
Rep: Reputation: 15
still no luck.
I now that the syntax on the rules as correct since I've been able to type them in manually and that worked.

/Andy.
 
Old 04-24-2011, 04:35 PM   #6
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007
Just to rule out the simple things, you have the file chmod'd to execute, and you have #!/bin/bash at the top of your script, correct?
 
Old 04-24-2011, 06:55 PM   #7
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897Reputation: 897Reputation: 897Reputation: 897Reputation: 897Reputation: 897Reputation: 897
Quote:
Originally Posted by andy.l View Post

When i run the command ipfilter-restore IPFilterMod.txt i get an error saying: Line 7 failed.

/Andy
This is a shell script to generate your iptables rules; it should run as a shell script, rather than being 'restored'. 'restore' and 'save' are complements and should be used as a pair. And corp has beaten me to the comment about the #!/bin/bash.
 
Old 04-24-2011, 09:36 PM   #8
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
iptables="/sbin/iptables"
$IPTABLES


you use lowercase to declare it then use uppercase to call the variable. Case does matter
 
1 members found this post helpful.
Old 04-25-2011, 02:22 PM   #9
andy.l
Member
 
Registered: Feb 2007
Location: Scandinavia
Distribution: Centos/Redhat
Posts: 97

Original Poster
Rep: Reputation: 15
Finnally I got the script up and running and have only a few more questions. Thank you all for valuable input:-)
At the top I have default DROP for all chains. But how can i achieve to only drop traffic on the internet interface (eth0) and on the lan(eth2) and DMZ(eth1) REJECT not allowed traffic?

The script now looks like this:
Code:
#!/bin/bash
#Flush current rules
iptables -F

#standard rules  stopper alt default uten en lyd###################
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP
iptables -P FORWARD DROP
################################################################################################################################
#INPUT Rules 
# ping 2 firewall
iptables -A INPUT -p ICMP -s 192.168.20.0/24 -i eth2 -d 192.168.20.1 --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p ICMP -s 192.168.20.0/24 -i eth2 -d 192.168.20.1 --icmp-type echo-reply -j ACCEPT
#SSH 2 firewall
iptables -A INPUT -p tcp  -s 192.168.20.0/24 -i eth2 -d 192.168.20.1 --dport 22 -m state --state NEW -j ACCEPT
#Internet 2 firewall
################################################################################################################################
#Forward rules
#dmz access 2 debianupdate
iptables -A FORWARD -p tcp -s 192.168.10.2 -i eth1 -o eth0 -d 128.39.3.170 --dport 80 -j ACCEPT
#Svar from debianupdate
iptables -A FORWARD -i eth0 -o eth1 -d 192.168.10.2 -m state --state ESTABLISHED,RELATED -j ACCEPT
#lan 2 webserver
iptables -A FORWARD -p tcp -s 192.168.20.0/24 -i eth2 -o eth1 -d 192.168.10.2 --dport 80 -j ACCEPT
#webserver back 2  lan
iptables -A FORWARD -i eth1 -o eth2 -d 192.168.20.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
#lan 2 internet
iptables -A FORWARD -p tcp -s 192.168.20.0/24 -i eth2 -o eth0 -j ACCEPT
# 2 LAN fro, internett
iptables -A FORWARD -i eth0 -o eth2 -d 192.168.20.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
#internet 2 webserver
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.10.2 --dport 80 -j ACCEPT
#Ping 2 webserver
iptables -A FORWARD -p ICMP -s 192.168.20.0/24 -i eth2 -o eth1 -d 192.168.10.2 --icmp-type echo-request -j ACCEPT
#Ping reply from  webserver
iptables -A FORWARD -p ICMP -s 192.168.10.2 -i eth1 -o eth2 -d 192.168.20.0/24 --icmp-type echo-reply -j ACCEPT
################################################################################################################################
#output rules
#ping reply so FW can send ping
iptables -A OUTPUT -p ICMP  -s 192.168.20.1 -o eth2  -d 192.168.20.0/24 --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p ICMP  -s 192.168.20.1 -o eth2  -d 192.168.20.0/24 --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p ICMP  -s 192.168.10.1 -o eth1  -d 192.168.10.0/24 --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p ICMP  -s 192.168.10.1 -o eth1  -d 192.168.10.0/24 --icmp-type echo-reply -j ACCEPT
#SSH reply from input chaing
iptables -A OUTPUT -s 192.168.20.1 -o eth2 -d 192.168.20.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

################################################################################################################################
#NAT rules
#Internet access to http in DMZ from internet
iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 80 -j DNAT --to-destination 192.168.10.2
#Masquerade rules
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.20.0/24 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10.0/24 -d 0/0 -j MASQUERADE

/sbin/iptables-save
 
Old 04-25-2011, 02:36 PM   #10
andy.l
Member
 
Registered: Feb 2007
Location: Scandinavia
Distribution: Centos/Redhat
Posts: 97

Original Poster
Rep: Reputation: 15
would the addition of these rules solve this?:
Code:
# reject internal traffic
iptables -A INPUT -i eth2 -j REJECT
iptables -A INPUT -i eth1 -j REJECT

#reject traffic between DMZ and LAN
iptables -A FORWARD -i eth2 -o eth1 -j REJECT
iptables -A FORWARD -i eth1 -o eth2 -J REJECT
#reject now allowed outbund
iptables -A FORWARD -i eth2 -o eth0 -j REJECT
iptables -A FORWARD -i eth1 -o eth0 -J REJECT
/Andy.l
 
Old 04-25-2011, 05:31 PM   #11
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007
As per the security side, I would rather drop than reject the traffic. That is my only two cents
 
Old 04-26-2011, 01:45 AM   #12
andy.l
Member
 
Registered: Feb 2007
Location: Scandinavia
Distribution: Centos/Redhat
Posts: 97

Original Poster
Rep: Reputation: 15
I totally agree with you, but on the external interface the defualt rule is to drop

Code:
#standard rules  drop default ###################
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP
iptables -P FORWARD DROP
but i then override by doing REJECT on DMZ (eth1) and LAN(eth2). This is a part of the spesifiaction:
Code:
# reject internal traffic
iptables -A INPUT -i eth2 -j REJECT
iptables -A INPUT -i eth1 -j REJECT

#reject traffic between DMZ and LAN
iptables -A FORWARD -i eth2 -o eth1 -j REJECT
iptables -A FORWARD -i eth1 -o eth2 -j REJECT
#reject not allowed outbund
iptables -A FORWARD -i eth2 -o eth0 -j REJECT
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
/Andy
 
Old 04-26-2011, 04:09 PM   #13
andy.l
Member
 
Registered: Feb 2007
Location: Scandinavia
Distribution: Centos/Redhat
Posts: 97

Original Poster
Rep: Reputation: 15
But the script in generall, anyone who can see anything that you consider "wrong" or flawed that will cause the ruleset not to work

/Andy
 
Old 04-26-2011, 06:14 PM   #14
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007
Well let me ask from your point of view; Does it work for you? What all else do you want it to do?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables -- How do I enable the input chain? trewsfan Linux - Networking 3 08-25-2006 04:54 AM
Iptables question? What is this? :RH-Firewall-1-INPUT - [0:0] abcampa Linux - Security 3 05-09-2005 12:44 PM
Newbie iptables INPUT question new@linux Linux - Security 6 03-08-2005 10:42 AM
iptables -P INPUT DROP question yvesg Linux - Networking 2 06-21-2004 05:18 PM
iptables question on INPUT DROP ForumKid Linux - Security 3 02-12-2002 09:21 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:58 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration