LinuxQuestions.org
Old 06-08-2004, 06:33 AM   #1
mparkhurs
LQ Newbie
 
Registered: Jun 2004
Posts: 5

iptables doesn't like me.


Hello,

I've spent the night writing a shell script to use iptables.

I wrote a list of what I wanted it to do, and then went about writing it. This is the list:

GOALS OF FIREWALL:
-------------------

1. Allow SSH connections on port 22.

2. Allow samba connections on port 137, and 139; only to: 192.168.117.1/24 meaning all IP address that start with 192.168.117.

3. Allow NAIM, Mozilla, and FTP to all work. (FTP for downloading from a computer, not accepting connections.)

4. Do not accept any ICMP connections at ALL.

5. Do not accept any connections besides the above.

Then I wrote it:

#!/bin/bash


#Clear Everything up
iptables -F
iptables -X
iptables -Z

#Nothing goes anywhere without permission
iptables -P DROP INPUT
iptables -P DROP FORWARD
iptables -P DROP OUTPUT

#INPUT CHAIN

#Accept everything inside the network.
iptables -A INPUT -j ACCEPT -p all --source-port 192.168.117.0/24

#No ICMP requests.
iptables -A INPUT -P icmp -j drop

#Make SSH work
iptables -A INPUT -j ACCEPT -p tcp --destination-port 22

#Enable SAMBA
iptables -A INPUT -j ACCEPT -p tcp -s 192.168.117.0/24 --destination-port 137
iptables -A INPUT -j ACCEPT -p tcp -s 192.168.117.0/24 --destination-port 139

#Accept HTTP and HTTPS and FTP (Established via OUTPUT chains)
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -p tcp



#OUTPUT CHAIN


#Accept everything inside the network.
iptables -A OUTPUT -j ACCEPT -p all --destination-port 192.168.117.0/24
#Go to websites using HTTP and HTTPS, use FTP too.
iptables -A OUTPUT -j ACCEPT -m state --state NEW -p tcp --destination-port 80 --source-port 1024:65535
iptables -A OUTPUT -j ACCEPT -m state --state NEW -p tcp --destination-port 443 --source-port 1024:65535
iptables -A OUTPUT -j ACCEPT -m state --state NEW -p tcp --destination-port 21 --source-port 1024:65535

Network info:
192.168.117.1 is the router.
192.168.117.20 is my static lan ip.
255.255.255.0 is the subnet.

Here's the problem:

It doesn't work.... It seems like it is ignoring the ACCEPT rules, and just dropping everything that comes or goes. After running the script, SSH stopped working. I went over to the computer (It's a desktop I plan on using for an ssh account, and a samba server for music.) and had to flush everything and change the policies back to ACCEPT.

Any idea what is wrong here?

Thanks,
Mike
 
Old 06-08-2004, 07:34 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

A few things I noticed:


Pretty much all of your OUTPUT rules are limited to the state NEW. Well, that is only going to work for a packet or two, then the packets will be ESTABLISHED and RELATED. I would change all of those rules to

--state NEW,ESTABLISHED,RELATED

I would also allow loopback on your INPUT chain. A lot of stuff doesn't work without it.

iptables -A INPUT -i lo -j ACCEPT

Now for the input tables.... It looks like you have a lot of typos and those could cause trouble.



Code:
iptables -A INPUT -j ACCEPT -p all --source-port 192.168.117.0/24
IP addresses aren't ports. That should be -s 192.168.117.0/24.

Code:
iptables -A INPUT -P icmp -j drop
The lower case DROP may be causing an issue as well. Also, this rule is kind of a moot point since you're dropping everything by default on the INPUT chain. It really doesn't hurt, but you also don't need it unless you are getting a lot of ICMP connection attempts and want to drop them early.

At least at this stage, you might try logging packets to see where they are being dropped. That might help point out problematic rules.
 
Old 06-08-2004, 11:45 AM   #3
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Code:
iptables -A OUTPUT -j ACCEPT -m state --state NEW -p tcp --destination-port 80 --source-port 1024:65535
After looking at this again, these rules seem very odd to me, particularly the --source-port bit. For example, this rule suggests that your web server is putting out data with a port somewhere between port 1024 and 65535. Since it is heading for port 80, you would need to have some sort of re-direction of the packet and I don't see anything like that. Are you running your services on non-standard ports? If so, how are you handling the port forwarding? If you are running services on the standard ports, then I bet the --source-port filters are screwing things up. I'd remove them and see what happens.
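Pulling the corrections from both replies together, here is an added example (written for this page, not posted by anyone in the thread) of the script from post #1 rewritten to meet its five goals: -s instead of --source-port for an address, -P CHAIN POLICY argument order, upper-case DROP, loopback allowed, one ESTABLISHED,RELATED rule per chain instead of NEW-only output rules, no --source-port filters, and a rate-limited LOG rule so drops are visible. It goes beyond the thread by adding outbound DNS and UDP for port 137; it assumes the FTP conntrack helper is loaded for FTP data channels and leaves NAIM out because its port is not given in the thread.

```shell
#!/bin/sh
# Added example: the post-#1 firewall rewritten with the fixes from posts #2 and #3.
# Run as "sh fw.sh apply" to load the rules; with no argument it prints them (dry run).
IPT="${IPT:-iptables}"
LAN="192.168.117.0/24"        # from the thread: 192.168.117.20 is the host, .1 the router

fw_rules() {
    # Clear everything, then default-deny on every chain (-P takes CHAIN then POLICY)
    $IPT -F
    $IPT -X
    $IPT -Z
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback: local services break without it (post #2)
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Goal 4: no ICMP at all. Upper-case target; -p (not -P) selects the protocol.
    # Placed before the state rule so RELATED ICMP errors are dropped as well.
    $IPT -A INPUT -p icmp -j DROP

    # One stateful rule per chain handles the reply half of every allowed
    # connection, so the per-service rules below only need to match NEW (post #2)
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Goal 1: SSH from anywhere
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Goal 2: Samba only from the LAN: -s matches an address, --source-port a port.
    # Port 137 (NetBIOS name service) is UDP; 139 (session service) is TCP.
    $IPT -A INPUT -p udp -s "$LAN" --dport 137 -j ACCEPT
    $IPT -A INPUT -p tcp -s "$LAN" --dport 139 -m state --state NEW -j ACCEPT

    # Goal 3: outbound FTP control, HTTP, HTTPS; no --source-port filter (post #3).
    # Not in the original: DNS, without which browser and FTP name lookups fail.
    # FTP data channels match RELATED only if the FTP conntrack helper is loaded
    # (ip_conntrack_ftp / nf_conntrack_ftp; assumed here). NAIM's port is not
    # given in the thread and would need its own rule.
    $IPT -A OUTPUT -p tcp -m multiport --dports 21,80,443 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

    # Goal 5: everything else hits the DROP policy; log it first (rate limited)
    # so a broken rule shows up in the kernel log instead of failing silently.
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
}
[ "${1:-}" = "apply" ] || IPT=echo
fw_rules
```

Read the dry-run output top to bottom: a packet is matched against rules in that order, so the loopback, ICMP and ESTABLISHED,RELATED rules must come before the per-service rules.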
 
  

