Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
06-12-2007, 02:04 PM, #1
LQ Newbie
Registered: Jul 2006
Location: Canada
Distribution: Red Hat, CentOS, Fedora
Posts: 11
iptables, and blocking all but non network traffic
What seems so simple on paper seems to be a lot more complex than I thought.
My whole goal is to create an iptable on a server of mine which will block all incoming traffic that is outside the network, but would still allow the server to communicate to the outside world, like a one way window.
Pretty much so far I have
iptables -A INPUT -s 192.168.1.1/24 -j ACCEPT
iptables -A INPUT -p tcp -j ACCEPT
iptables -P INPUT DROP
So, I'm looking at this and thinking to myself I haven't really done anything since people from the outside can still access services since I am allowing tcp.
Is there a way to block all external traffic but still allow the box to have some access to the outside world?
06-12-2007, 02:42 PM, #2
Member
Registered: Sep 2005
Location: Sri Lanka
Distribution: Fedora (workstations), CentOS (servers), Arch, Mint, Ubuntu, and a few more.
Posts: 441
You have to specify service by service, which you want to leave open, instead of just letting everything in.
Eg:
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
After you specify what you want to accept you can restrict everything else with something like
Eg:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"reject-with icmp-host-prohibited" is more graceful than just dropping the packets.
Last edited by SkyEye; 06-12-2007 at 02:45 PM.
06-12-2007, 02:52 PM, #3
LQ Newbie (Original Poster)
Registered: Jul 2006
Location: Canada
Distribution: Red Hat, CentOS, Fedora
Posts: 11
Thank you SkyEye for the reply.
Should have known to specify the allow list on a service/port level rather than all at once. I must have had a brain fart.
Thanks for your help.
06-12-2007, 03:05 PM, #4
Member
Registered: Sep 2005
Location: Sri Lanka
Distribution: Fedora (workstations), CentOS (servers), Arch, Mint, Ubuntu, and a few more.
Posts: 441
You are welcome. LQ is here to help.
06-13-2007, 06:46 AM, #5
Member
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271
Hello,
There is a module called ip_conntrack (and another called ip_conntrack_ftp) which works to classify traffic into the following states: NEW, ESTABLISHED, RELATED, INVALID. This module (along with the correct rules) will provide you with exactly what you need (man iptables and look for "state").
What you basically want to do is apply a default DROP policy for the INPUT table, then allow outgoing traffic, then allow all incoming traffic that is RELATED or ESTABLISHED. Don't forget to allow ALL traffic FROM/TO the loopback device (127.0.0.1/8) for some services to work correctly.
Cheers
06-13-2007, 09:11 AM, #6
LQ Newbie (Original Poster)
Registered: Jul 2006
Location: Canada
Distribution: Red Hat, CentOS, Fedora
Posts: 11
Thanks Notwerk for the reply.
I'll give that a look into.
I found some old iptable scripts on an old server and was looking through that just to help give me an idea where to head off next and I noticed something.
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
Would it be safe to assume that on that bit it allows all internal subnet traffic to go on its merry way? Since all addresses in 192.168.1.xxx are source and destination.
Looks to me like it would, but still trying to figure it all out.
06-14-2007, 07:10 AM, #7
Member
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271
That's perfectly correct.
Personally, I also prefer to specify the in/out device by adding -o eth0 and -i eth0 to the rules, respectively.
But I guess to each their own.
06-14-2007, 09:20 AM, #8
Member
Registered: Jun 2007
Posts: 359
Quote (Originally Posted by Argo):
Is there a way to block all external traffic but still allow the box to have some access to the outside world?
Hi Argo,
maybe these basics can help:
Scenario: eth0 as intintf, and eth1 as extintf:
iptables -A INPUT -i lo -s 127.0.0.1/8 -j ACCEPT
iptables -A INPUT -i <your_intintf> -s <your_intaddr/mask> -j ACCEPT
iptables -A INPUT -i <your_extintf> -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i <your_extintf> -m state ! --state RELATED,ESTABLISHED -j LOG
iptables -A INPUT -i <your_extintf> -m state ! --state RELATED,ESTABLISHED -j DROP
iptables -P INPUT DROP
The purpose of defining the interface for your incoming traffic is easier monitoring and easier rule definition/troubleshooting.
And remember to always allow loopback traffic (lo), otherwise your console will be locked.
HTH,
Cheers.
Last edited by rossonieri#1; 06-14-2007 at 09:23 AM.
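Added example, not from any post in this thread: the approach of posts #5 and #8 as one complete script, assuming eth0 is the internal interface, eth1 the external one and 192.168.1.0/24 the internal subnet (all overridable through the environment). DRY_RUN=1 prints the rules instead of loading them, so the rule order can be reviewed before touching a box you are logged into over SSH.

```shell
#!/bin/sh
# Stateful host firewall for a server: drop unsolicited traffic from the
# outside, accept the internal subnet, keep outbound traffic and its replies.
# Assumed names: eth0 = internal interface, eth1 = external, 192.168.1.0/24.
set -eu

INT_IF="${INT_IF:-eth0}"
EXT_IF="${EXT_IF:-eth1}"
INT_NET="${INT_NET:-192.168.1.0/24}"

# With DRY_RUN=1 the rules are printed instead of loaded.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_firewall() {
    ipt -F INPUT
    # Loopback first: local services (and the console) talk over lo.
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened, plus related traffic
    # (e.g. FTP data channels when ip_conntrack_ftp is loaded).
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    # The internal subnet, but only when it arrives on the internal
    # interface: a spoofed 192.168.1.x packet on eth1 is still dropped.
    ipt -A INPUT -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    # Rate-limited log of new external connection attempts, then drop.
    ipt -A INPUT -i "$EXT_IF" -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    ipt -A INPUT -j DROP
    # Policies last: the ESTABLISHED rule is already in place, so the SSH
    # session used to load this script is not cut off.
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP
    ipt -P INPUT DROP
}

case "${1:-}" in
    apply)   build_firewall ;;
    dry-run) DRY_RUN=1 build_firewall ;;
esac
```

Run it with `dry-run` first and check that the lo and ESTABLISHED,RELATED rules come before the DROP; then `apply` as root.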
06-14-2007, 02:00 PM, #9
LQ Newbie (Original Poster)
Registered: Jul 2006
Location: Canada
Distribution: Red Hat, CentOS, Fedora
Posts: 11
Excellent, thanks rossonieri#1.
I seem to have everything I need thanks to all your help. So thanks to everyone.
But I have another question that relates to this.
I've been noticing some odd logs appearing in my /var/log/samba dir, with these names:
67.119.221.166.log
24.222.130.30.log
etc..
Log contents are:
[2007/06/14 18:50:27, 0] lib/access.c:check_access(328)
Denied connection from (*ip addy*)
Now, these are not part of my network and I went ahead and tried to make some iptable rules to make my samba internal only.
I've searched and tried a few things but to no avail. Here's what I've tried (I have a default policy for DROP btw):
-A FORWARD -p tcp -s 192.168.1.0/255.255.255.0 --dport 137:139 -j ACCEPT
-A FORWARD -p udp -s 192.168.1.0/255.255.255.0 --dport 137:139 -j ACCEPT
####
-I INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 135 -j ACCEPT
-I INPUT -s 192.168.1.0/255.255.255.0 -p udp --dport 137:138 -j ACCEPT
-I INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 139 -j ACCEPT
-I INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 445 -j ACCEPT
-I OUTPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 135 -j ACCEPT
-I OUTPUT -s 192.168.1.0/255.255.255.0 -p udp --dport 137:138 -j ACCEPT
-I OUTPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 139 -j ACCEPT
-I OUTPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 445 -j ACCEPT
###
But this doesn't seem to work, as about an hour after I applied them I had an outside.IP.address.log file created. Any ideas would be greatly appreciated.
06-14-2007, 02:25 PM, #10
Member
Registered: Jun 2007
Posts: 359
OK,
now SAMBA:
check your rule which states which interface SAMBA is listening on for client requests, and change it to your internal interface.
For the iptables,
just try my previous post: analyze it, and develop it again with a FORWARD statement.
This is from yours:
-A FORWARD -p tcp -s 192.168.1.0/255.255.255.0 --dport 137:139 -j ACCEPT
-A FORWARD -p udp -s 192.168.1.0/255.255.255.0 --dport 137:139 -j ACCEPT
and change it to this:
-A FORWARD -i <intintf> -p tcp -s 192.168.1.0/255.255.255.0 -o <intintf> --dport 137:139 -j ACCEPT
-A FORWARD -i <intintf> -p udp -s 192.168.1.0/255.255.255.0 -o <intintf> --dport 137:139 -j ACCEPT
The log is probably still there, but you should see whether your data is going outside or not.
HTH.
Cheers.
Last edited by rossonieri#1; 06-14-2007 at 02:27 PM.
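Added example, not from any post in this thread, for the check post #10 suggests: the "Denied connection from" lines in post #9 are written by smbd's own access check, so every one of them is a packet the firewall let through to the daemon. This script scans Samba log text for those records and lists the source addresses outside the internal subnet seen after a given time (the moment the new rules were loaded); the sample log is constructed here in smbd's format, and 192.168.1. is the assumed internal prefix.

```shell
#!/bin/sh
# List Samba access-check denials from outside the internal subnet that were
# logged at or after a given time, to see whether external hosts still reach
# smbd after a firewall change. Sample input below is constructed.
set -eu

INT_PREFIX="${INT_PREFIX:-192.168.1.}"   # assumed internal /24

# external_denials "YYYY/MM/DD HH:MM:SS"  (log text on stdin)
# Prints "timestamp ip" per denial from outside the subnet at or after SINCE.
# smbd records span two lines, so the timestamp from the "[...]" header is
# carried over to the following "Denied connection" line.
external_denials() {
    awk -v since="$1" -v intpfx="$INT_PREFIX" '
        /^\[/ { ts = substr($0, 2, 19) }          # "2007/06/14 18:50:27"
        /Denied connection from/ {
            ip = $0
            sub(/.*\(/, "", ip); sub(/\).*/, "", ip)
            # string compare works because the timestamp is zero-padded
            if (ts >= since && index(ip, intpfx) != 1) print ts, ip
        }'
}

# Constructed sample in smbd format: two external denials (one before the
# rules were loaded at 18:00) and one internal client.
SAMPLE='[2007/06/14 17:02:11, 0] lib/access.c:check_access(328)
  Denied connection from (24.222.130.30)
[2007/06/14 18:50:27, 0] lib/access.c:check_access(328)
  Denied connection from (67.119.221.166)
[2007/06/14 19:05:40, 0] lib/access.c:check_access(328)
  Denied connection from (192.168.1.23)'

# Sample run:   printf '%s\n' "$SAMPLE" | external_denials "2007/06/14 18:00:00"
# Real logs:    cat /var/log/samba/*.log | external_denials "<time rules were loaded>"
```

Any address the sample run prints after the rule load time means the INPUT chain still accepts that traffic; an empty result means only the old log files remain.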
06-15-2007, 06:15 AM, #11
LQ Newbie (Original Poster)
Registered: Jul 2006
Location: Canada
Distribution: Red Hat, CentOS, Fedora
Posts: 11
Excellent, thanks again Ross. I'll give that a try today.
06-18-2007, 07:42 PM, #12
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,863
Check out shorewall ... http://www.shorewall.net.
Last edited by sundialsvcs; 06-18-2007 at 07:43 PM.