LinuxQuestions.org
Old 06-12-2007, 02:04 PM   #1
Argo
LQ Newbie
 
Registered: Jul 2006
Location: Canada
Distribution: Red Hat, CentOS, Fedora
Posts: 11

Rep: Reputation: 0
iptables, and blocking all but non network traffic


What seems so simple on paper seems to be a lot more complex than I thought.

My whole goal is to create an iptable on a server of mine which will block all incoming traffic that is outside the network, but would still allow the server to communicate to the outside world, like a one way window.

Pretty much so far I have
iptables -A INPUT -s 192.168.1.1/24 -j ACCEPT
iptables -A INPUT -p tcp -j ACCEPT
iptables -P INPUT DROP



So, I'm looking at this and thinking to myself I haven't really done anything since people from the outside can still access services since I am allowing tcp.

Is there a way to block all external traffic but still allow the box to have some access to the outside world?
 
Old 06-12-2007, 02:42 PM   #2
SkyEye
Member
 
Registered: Sep 2005
Location: Sri Lanka
Distribution: Fedora (workstations), CentOS (servers), Arch, Mint, Ubuntu, and a few more.
Posts: 441

Rep: Reputation: 40
You have to specify service by service, which you want to leave open, instead of just letting everything in.

Eg:
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

After you specify what you want to accept you can restrict everything else with something like
Eg:
-A INPUT -j REJECT --reject-with icmp-host-prohibited

"reject-with icmp-host-prohibited" is more graceful than just dropping the packets

Last edited by SkyEye; 06-12-2007 at 02:45 PM.
 
Old 06-12-2007, 02:52 PM   #3
Argo
LQ Newbie
 
Registered: Jul 2006
Location: Canada
Distribution: Red Hat, CentOS, Fedora
Posts: 11

Original Poster
Rep: Reputation: 0
Thank you SkyEye for the reply.

Should have known to specify the allow list on a service/port level rather than all at once. I must have had a brain fart.

Thanks for your help.
 
Old 06-12-2007, 03:05 PM   #4
SkyEye
Member
 
Registered: Sep 2005
Location: Sri Lanka
Distribution: Fedora (workstations), CentOS (servers), Arch, Mint, Ubuntu, and a few more.
Posts: 441

Rep: Reputation: 40
You are welcome. LQ is here to help.
 
Old 06-13-2007, 06:46 AM   #5
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 31
Hello,

There is a module called ip_conntrack (and another called ip_conntrack_ftp) which works to classify traffic into the following states: NEW, ESTABLISHED, RELATED, INVALID. This module (along with the correct rules) will provide you with exactly what you need (man iptables and look for "state").

What you basically want to do is apply a default DROP policy for the INPUT table, then allow outgoing traffic, then allow all incoming traffic that is RELATED or ESTABLISHED. Don't forget to allow ALL traffic FROM/TO the loopback device (127.0.0.1/8) for some services to work correctly.

Cheers
 
1 members found this post helpful.
Old 06-13-2007, 09:11 AM   #6
Argo
LQ Newbie
 
Registered: Jul 2006
Location: Canada
Distribution: Red Hat, CentOS, Fedora
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks Notwerk for the reply.

I'll give that a look into.

I found some old iptable scripts on an old server and was looking through that just to help give me an idea where to head off next and I noticed something.

-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT


Would it be safe to assume that on that bit it allows all internal subnet traffic to go on its merry way? Since all addresses in 192.168.1.xxx are source and destination.

Looks to me like it would, but still trying to figure it all out.
 
Old 06-14-2007, 07:10 AM   #7
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 31
That's perfectly correct.

Personally, I also prefer to specify the in/out device by adding -o eth0 and -i eth0 to the rules, respectively.

But I guess to each their own
 
Old 06-14-2007, 09:20 AM   #8
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
Quote:
Originally Posted by Argo
Is there a way to block all external traffic but still allow the box to have some access to the outside world?
hi Argo,

maybe this basic can help :
scenario of eth0 as intintf,
and eth1 as extintf :

iptables -A INPUT -i lo -s 127.0.0.1/8 -j ACCEPT
iptables -A INPUT -i <your_intintf> -s <your_intaddr/mask> -j ACCEPT
iptables -A INPUT -i <your_extintf> -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i <your_extintf> -m state ! --state RELATED,ESTABLISHED -j LOG
iptables -A INPUT -i <your_extintf> -m state ! --state RELATED,ESTABLISHED -j DROP
iptables -P INPUT DROP

the purpose of defining the interface for your incoming traffic is to get easier monitoring and in creating rule definition/troubleshooting.
and remember to always allow loopback traffic (lo) -- otherwise your console will be locked.

HTH,

Cheers.

Last edited by rossonieri#1; 06-14-2007 at 09:23 AM.
 
Old 06-14-2007, 02:00 PM   #9
Argo
LQ Newbie
 
Registered: Jul 2006
Location: Canada
Distribution: Red Hat, CentOS, Fedora
Posts: 11

Original Poster
Rep: Reputation: 0
Excellent, thanks rossonieri#1.

I seem to have everything I need thanks to all your help. So thanks to everyone.

But I have another question that relates to this.

I've been noticing some odd logs appearing in my /var/log/samba dir, with these names:
67.119.221.166.log
24.222.130.30.log
etc..

Log contents are:
[2007/06/14 18:50:27, 0] lib/access.c:check_access(328)
Denied connection from (*ip addy*)

Now, these are not part of my network and I went ahead and tried to make some iptable rules to make my samba internal only.

I've searched and tried a few things but to no avail. Here's what I've tried (I have a default policy for DROP btw):
-A FORWARD -p tcp -s 192.168.1.0/255.255.255.0 --dport 137:139 -j ACCEPT
-A FORWARD -p udp -s 192.168.1.0/255.255.255.0 --dport 137:139 -j ACCEPT
####
-I INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 135 -j ACCEPT
-I INPUT -s 192.168.1.0/255.255.255.0 -p udp --dport 137:138 -j ACCEPT
-I INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 139 -j ACCEPT
-I INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 445 -j ACCEPT
-I OUTPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 135 -j ACCEPT
-I OUTPUT -s 192.168.1.0/255.255.255.0 -p udp --dport 137:138 -j ACCEPT
-I OUTPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 139 -j ACCEPT
-I OUTPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 445 -j ACCEPT
###

But this doesn't seem to work, as about an hour after I applied them I had an outside.IP.address.log file created. Any ideas would be greatly appreciated.
 
Old 06-14-2007, 02:25 PM   #10
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
OK,
now SAMBA

check your rule which states which interface SAMBA is listening on for client requests -- change it to your internal interface.

for the iptables,
just try my previous post - analyze it, and develop again with FORWARD statement :
this is from yours :
-A FORWARD -p tcp -s 192.168.1.0/255.255.255.0 --dport 137:139 -j ACCEPT
-A FORWARD -p udp -s 192.168.1.0/255.255.255.0 --dport 137:139 -j ACCEPT


and change to this :

-A FORWARD -i <intintf> -p tcp -s 192.168.1.0/255.255.255.0 -o <intintf> --dport 137:139 -j ACCEPT
-A FORWARD -i <intintf> -p udp -s 192.168.1.0/255.255.255.0 -o <intintf> --dport 137:139 -j ACCEPT

the log is probably still there - but you should see whether your data is going outside or not.

HTH.

Cheers.

Last edited by rossonieri#1; 06-14-2007 at 02:27 PM.
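
A consolidated version of the stateful ruleset Notwerk and rossonieri#1 describe above, extended with the LAN-only SSH and Samba ports from posts #2, #9 and #10; this is an added example, not code posted by anyone in the thread. It assumes eth0 is the LAN interface, eth1 faces the outside, and the LAN is 192.168.1.0/24 (all three are overridable through environment variables).

```shell
#!/bin/sh
# Stateful "one-way window" host firewall for the scenario in this thread.
# Assumed (not from the thread): eth0 is the LAN side, eth1 faces the outside,
# the LAN is 192.168.1.0/24, and only SSH and Samba are offered to the LAN.
# Usage: sh fw.sh show   (print the rules)   |   sh fw.sh apply   (needs root)
set -eu

IPT="${IPT:-iptables}"
INT_IF="${INT_IF:-eth0}"
EXT_IF="${EXT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# run: apply one iptables command, or just print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

build_rules() {
    run -F INPUT                       # start clean so reruns do not stack rules
    run -P INPUT DROP                  # default deny inbound ...
    run -P OUTPUT ACCEPT               # ... but let the host talk out freely
    # Loopback must be allowed whole; many local services depend on it
    run -A INPUT -i lo -j ACCEPT
    # Replies to connections this host (or a LAN client) already opened
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m state --state INVALID -j DROP
    # LAN-only services, listed port by port: SSH and the Samba ports.
    # Matching on -i keeps a forged 192.168.1.x source arriving on eth1 from qualifying.
    run -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport 22 -j ACCEPT
    run -A INPUT -i "$INT_IF" -s "$LAN" -p udp --dport 137:138 -j ACCEPT
    run -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport 139 -j ACCEPT
    run -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport 445 -j ACCEPT
    # Everything else from outside: log (rate-limited) so probes stay visible, then drop
    run -A INPUT -i "$EXT_IF" -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    run -A INPUT -i "$EXT_IF" -j DROP
}

case "${1:-}" in
    show)  DRY_RUN=1; build_rules ;;
    apply) build_rules ;;
esac
```

The entries in /var/log/samba come from Samba's own check_access, so those packets had already reached the daemon; for a service running on the host itself the restriction belongs in INPUT, since FORWARD only sees traffic routed through the box.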
 
Old 06-15-2007, 06:15 AM   #11
Argo
LQ Newbie
 
Registered: Jul 2006
Location: Canada
Distribution: Red Hat, CentOS, Fedora
Posts: 11

Original Poster
Rep: Reputation: 0
Excellent, thanks again Ross. I'll give that a try today.
 
Old 06-18-2007, 07:42 PM   #12
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,863
Blog Entries: 4

Rep: Reputation: 3995
Check out shorewall ... http://www.shorewall.net.

Quote:
Conservatum Follicum: The hair you save may be your own!

Last edited by sundialsvcs; 06-18-2007 at 07:43 PM.
 
  

