iptables doesn't work
hello,
It seems that I'm missing something simple here. The objective is to allow the traffic from and to the router and a local machine (static IP). The log doesn't seem to work and all connections are blocked. Any tips will be appreciated: Code:
#!/bin/sh
Thank you! But it seems that there is something else: Code:
Table: filter
Thank you. The discrepancies were because of a silly error in the script, which caused the rules not to be applied to the firewall. Here is the new script and the new status output: Code:
#!/bin/sh -x
Code:
Table: filter
I had read your ending DROP rules as policy settings for some reason. My bad. I have the flu. I'm not sure why it's not working. I can't see any reason why it wouldn't. Are you sure you are looking at the right log file? Are you sure 192.168.1.204 is the LAN IP of the box these rules are running on? The 0.0.0.0/0 should catch anything.
This should work: Code:
#!/bin/sh
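Added example (editor's, not from any post in this thread): when "all connections are blocked" and the LOG rule is in doubt, the quickest way to see what the firewall is actually refusing is to summarise the kernel's LOG lines per flow. The helper below does that with awk over a handful of constructed sample lines in the kernel LOG format; on a real box the lines come from /var/log/messages, /var/log/kern.log or dmesg, depending on the syslog configuration, and the prefix is whatever --log-prefix the LOG rule uses (the prefix "IPT-" here is an assumption). The UDP 137/138 entries in the sample are the kind of NetBIOS broadcast noise Windows hosts on the LAN generate, which is what such logs usually fill up with.

```shell
#!/bin/sh
# Added example, not the thread's code: summarise iptables LOG lines per flow.
# Constructed sample lines mimicking the kernel LOG target's output; the
# sshd line is there to show that unrelated log entries are ignored.
SAMPLE_LOG='Mar  3 08:30:01 fw kernel: IPT-IN-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.204 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 08:30:05 fw kernel: IPT-IN-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.204 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 08:30:09 fw kernel: IPT-IN-DROP: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.204 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=777 PROTO=UDP SPT=138 DPT=138 LEN=58
Mar  3 08:30:10 fw kernel: IPT-OUT-DROP: IN= OUT=eth0 SRC=192.168.1.204 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Mar  3 08:30:11 fw sshd[123]: Accepted publickey for alice from 192.168.1.10'

# summarise_drops PREFIX < logfile
# Prints "count direction SRC DST PROTO DPT", most frequent flow first.
# Only lines containing PREFIX (the --log-prefix of the LOG rule) count.
summarise_drops() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }       # not one of our LOG lines
        {
            src = dst = proto = dpt = ""; dir = "?"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "DST")   dst = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
                # IN=eth0 means the packet was heading into the box (INPUT),
                # OUT=eth0 means it was leaving (OUTPUT).
                if (kv[1] == "IN"  && kv[2] != "") dir = "in"
                if (kv[1] == "OUT" && kv[2] != "") dir = "out"
            }
            n[dir " " src " " dst " " proto " " dpt]++
        }
        END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarise_drops "IPT-"
```

If this prints nothing on a real system, the LOG rule is not being hit at all (check the packet counters in iptables -nvL), the LOG rule sits after the rule that already dropped the packet, or syslog is sending kernel messages to a different file than the one being watched.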
I did check that the IP is the right one, same with the network mask and the other (win_host) IP. What if I have traffic from the router, and the 204 machine goes through the router to the external machine to get the info? Here are the new rules and the status from the "Status" command. I'm a bit confused by that allow on 0.0 (see highlighted in bold): Code:
Table: filter
Code:
#!/bin/sh -x
I really appreciate your help. A few questions: What's with this right below?
What is with port 138? And notice it's "moving" to 137? http://www.auditmypc.com/port/udp-port-138.asp
Code:
iptables -nvL
The reason for that question was that the app on the web server is not coded properly, so when I access it from within the local net it has references to the "external" name. The "pairing": I just thought to group them (the rules) by protocol/port, which is not the best idea, but it helps me to understand how each protocol works. I never went through this task in such a detailed way; I just used shorewall to do the background work.
Here's a script I've written for you from scratch based on the description you've given above. Notice how no --sport rules were necessary, and only one rule for RELATED and ESTABLISHED packets was used per chain. Also note that the OUTPUT chain contains no matches for packets in state NEW, as your description did not include the server needing to initiate any connections on its own. Code:
#!/bin/sh
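Added example (editor's reconstruction following the description in the post above, not the poster's actual script, which did not survive extraction): a stateful rule set with default-deny policies, exactly one RELATED,ESTABLISHED rule per chain, no --sport rules, no NEW rules in OUTPUT, and a rate-limited LOG rule at the end of each chain so dropped packets show up in the log with a recognisable prefix. The concrete values are assumptions for the example: LAN 192.168.1.0/24, the box at 192.168.1.204 on eth0, ssh open to the LAN only, http/https open to anyone. The script takes the iptables command as a parameter so it can be previewed with "echo iptables" before being applied as root.

```shell
#!/bin/sh
# Added example, not the thread's script: stateful INPUT/OUTPUT rules built
# from the post's description.  Assumed values (not from the thread):
LAN=192.168.1.0/24      # the local network the ssh clients live on
IF=eth0                 # the box's single interface
SSH_PORT=22
# Usage:  sh fw.sh          # dry run: print the rules that would be applied
#         sh fw.sh apply    # apply them (run as root)

# fw_rules IPTABLES_COMMAND  -- "echo iptables" gives a dry run.
fw_rules() {
    ipt=$1

    # Start clean, then default-deny.  The chain policy, not a trailing DROP
    # rule, decides the fate of anything no rule matched.
    $ipt -F
    $ipt -X
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT DROP

    # Loopback is always needed (resolver, local services).
    $ipt -A INPUT  -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT

    # One RELATED,ESTABLISHED rule per chain covers every reply packet of
    # every accepted connection, in both directions, so no --sport rules
    # are needed anywhere below.
    $ipt -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
    $ipt -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # New inbound connections the box actually serves: ssh from the LAN
    # only, web from anywhere (0.0.0.0/0 is the default when -s is omitted).
    $ipt -A INPUT -p tcp -i $IF -s $LAN --dport $SSH_PORT -m state --state NEW -j ACCEPT
    $ipt -A INPUT -p tcp -i $IF --dport 80  -m state --state NEW -j ACCEPT
    $ipt -A INPUT -p tcp -i $IF --dport 443 -m state --state NEW -j ACCEPT

    # Deliberately no NEW rules in OUTPUT: the server initiates nothing.

    # Log what is about to hit the DROP policy, rate limited so a scan
    # cannot fill the disk.  These must be the last rules in each chain.
    $ipt -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "
    $ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "
}

case "${1:-}" in
    apply) fw_rules iptables ;;
    *)     fw_rules "echo iptables" ;;
esac
```

After applying, "iptables -nvL" shows a packet counter per rule; a rule with a counter that never moves is either never reached or never matched, which is the fastest way to tell a script error from a logic error. On current kernels "-m conntrack --ctstate" is the native spelling of the state match; "-m state --state" as used in the thread is still accepted and means the same thing.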
Code:
$ipt -A INPUT -p TCP -i eth0 -s $local_net --dport $ssh_port -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
All the discussed rules explicitly covered www/s and ssh, but I have to allow DNS, NTP and yum to communicate too. I know I didn't mention that explicitly; that is the reason to add the "NEW" state to the outbound connections. Thus combining the 2 scripts: Code:
#!/bin/sh
Does this make sense? Thank you
So basically you'd need to add rules for outgoing SSH connections to your LAN, outgoing HTTP/FTP connections to your WAN, and NTP connections to your WAN. Right? Well, here's an example of how that would look when added to the script: Code:
#!/bin/sh
What about NTP? Well, that depends on how you've got NTP set up. Is this box the NTP server for clients on the LAN? Or does it just synchronize for itself and nobody else? What user does your NTP daemon run as? Does it synchronize to a server on the WAN or LAN?
And the output on 80/22: it will/might have more than just one user ID: I can try to wget and/or ssh as a regular user, might do yum as root and run apache as the "apache" user... not sure how that would work.
Code:
iptables -A OUTPUT -p UDP -o eth0 --dport 123 \
Code:
iptables -A INPUT -p UDP -i eth0 --dport 123 \
Code:
iptables -A INPUT -p UDP -i eth0 --dport 123 --sport 123 \
EDIT: On second thought, having specific rules for root might not be the best approach. I mean, if an attacker gets root you're pretty much screwed anyway (barring mandatory access controls). So I'd probably just replace these rules: Code:
$IPT -A OUTPUT -p TCP -o eth0 --dport 80 \
Code:
$IPT -A OUTPUT -m owner --uid-owner root \
For clarity's sake, here's an example script with all this incorporated: Code:
#!/bin/sh
I do realize that these types of rules can be kinda tedious to implement when you aren't used to them. So here's a somewhat simpler example. In theory, this script should "just work" for you. Although this example is a lot less tight than the one above, it still tries to minimize the impact which a user-level server compromise (Apache, for example) would have on the LAN.
Code:
#!/bin/sh
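Added example (editor's, not the script from the post above, which did not survive extraction): an OUTPUT chain in the spirit of the last few posts, where new outbound connections are granted per Unix user with the owner match. root is allowed to open anything (yum, wget, ssh as root), the ntp user may only talk NTP, ordinary users may ssh into the LAN and browse, everyone may resolve names, and the apache user may not initiate anything at all, with each attempt logged; that last rule is what limits a user-level web server compromise. Assumed values, not from the thread: LAN 192.168.1.0/24, interface eth0, ntpd running as "ntp", httpd as "apache". Two caveats a practitioner should know: the owner match only works in the OUTPUT (and POSTROUTING) chains, because only locally generated packets have an owning socket; and it matches the credentials of the process that created the socket, so a daemon that binds its sockets as root and only then drops privileges will show up as root, not as its service user, which is why the post asks what user the NTP daemon runs as.

```shell
#!/bin/sh
# Added example, not the thread's script: per-user OUTPUT rules using
# -m owner.  Assumed values (not from the thread):
LAN=192.168.1.0/24
IF=eth0
NTP_USER=ntp        # the user ntpd runs as (and has its sockets created as)
WEB_USER=apache     # the user httpd runs as
# Usage:  sh fw-out.sh          # dry run: print the rules
#         sh fw-out.sh apply    # apply as root

# output_rules IPTABLES_COMMAND  -- "echo iptables" gives a dry run.
output_rules() {
    ipt=$1

    $ipt -P OUTPUT DROP
    $ipt -F OUTPUT

    $ipt -A OUTPUT -o lo -j ACCEPT
    # Replies for anything already accepted (inbound ssh/web included).
    $ipt -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # root may open anything: yum, wget, ssh as root.  Once an attacker is
    # root the packet filter is no longer the barrier anyway.
    $ipt -A OUTPUT -m owner --uid-owner root -m state --state NEW -j ACCEPT

    # ntpd sends from source port 123 to port 123 of its servers; allow
    # exactly that, and only for the ntp user.
    $ipt -A OUTPUT -p udp -o $IF --sport 123 --dport 123 \
         -m owner --uid-owner $NTP_USER -m state --state NEW -j ACCEPT

    # The web server gets no new outbound connections at all.  This must
    # come BEFORE the generic user rules below, or apache would match them.
    $ipt -A OUTPUT -m owner --uid-owner $WEB_USER -m state --state NEW \
         -m limit --limit 5/min -j LOG --log-prefix "IPT-APACHE-OUT: "
    $ipt -A OUTPUT -m owner --uid-owner $WEB_USER -m state --state NEW -j DROP

    # Every remaining user: name resolution, ssh into the LAN, web browsing.
    $ipt -A OUTPUT -p udp -o $IF --dport 53 -m state --state NEW -j ACCEPT
    $ipt -A OUTPUT -p tcp -o $IF --dport 53 -m state --state NEW -j ACCEPT
    $ipt -A OUTPUT -p tcp -o $IF -d $LAN --dport 22 -m state --state NEW -j ACCEPT
    $ipt -A OUTPUT -p tcp -o $IF --dport 80  -m state --state NEW -j ACCEPT
    $ipt -A OUTPUT -p tcp -o $IF --dport 443 -m state --state NEW -j ACCEPT

    # Anything else is logged, then hits the DROP policy.
    $ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "
}

case "${1:-}" in
    apply) output_rules iptables ;;
    *)     output_rules "echo iptables" ;;
esac
```

To check which user a running daemon's sockets actually belong to before trusting a --uid-owner rule, look at the owner column of "ss -ulpne" or "netstat -ulpne" for its listening ports; if it reads 0 (root), the daemon created them before dropping privileges and the rule must name root, or the daemon must be configured to bind after switching users.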