Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 06-26-2007, 08:24 PM | Member, Registered: Jul 2005, Posts: 273
iptables - how to filter internal nat'd address
Hi there,
We have changed our router setup, and our server that was once protected by our router firewall is now in a DMZ type of setup.
How do I set up iptables to work with an internal IP that gets forwarded from an external IP? Do I filter by just the port? Or just the internal or external IP with the port?
Any good references?
#2 | 06-26-2007, 08:46 PM | LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
What iptables are you referring to? The iptables on the server itself?
#3 | 06-26-2007, 08:56 PM | Member (Original Poster), Registered: Jul 2005, Posts: 273
Yes, the program "iptables".
I usually use Firewall Builder to create the rules.
Usually the IPs are external static, so it's easy.
This one has an internal IP of 192.168.X.X.
Where do I go from here?
Last edited by neocontrol; 06-26-2007 at 08:59 PM.
#4 | 06-26-2007, 09:03 PM | LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
What services are running on the box? It's basically just a matter of filtering incoming packets that aren't destined to any of those services, and also preventing any outgoing connections (unless you need the box to establish connections for some reason).
#5 | 06-26-2007, 09:23 PM | Member (Original Poster), Registered: Jul 2005, Posts: 273
I don't care what goes out of the box; I usually let everything out.
What I need in is 22, 25, 80, 443.
Everything else, I just want dropped.
#6 | 06-26-2007, 09:32 PM | LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
Quote (Originally Posted by neocontrol):
    I don't care what goes out of the box; I usually let everything out.
Wow, that sucks.
Quote:
    What I need in is 22, 25, 80, 443.
    Everything else, I just want dropped.
Cool, then something like this should work fine:
Code:
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -m multiport --dports 22,25,80,443 \
-m state --state NEW -j ACCEPT
You'd need to add to it if you want to restrict connections in some way. Like, say for example you don't want to allow fellow machines on the DMZ to connect to the server, etc.
Last edited by win32sux; 06-26-2007 at 09:36 PM.
#7 | 06-26-2007, 09:37 PM | Member (Original Poster), Registered: Jul 2005, Posts: 273
Can you tell me why I wouldn't want to let everything out? There are only two people who "do" anything on the box, which is me and the boss. Is there another reason why I wouldn't want to have that?
Last edited by neocontrol; 06-26-2007 at 09:43 PM.
#8 | 06-26-2007, 09:45 PM | LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
Quote (Originally Posted by neocontrol):
    Can you tell me why I wouldn't let anything out? There are only two people who "do" anything on the box, which is me and the boss. Is there another reason why I wouldn't want to have that?
Sure, I can give you an example: Let's say your Apache daemon gets cracked, but the cracker is not able to achieve privilege escalation. If you have firewalled outgoing connections, the damage will be somewhat contained, as she won't be able to connect to other machines on your DMZ/LAN/WAN. But if you had no outgoing firewall rules, she can now use her non-root privileges as a launchpad for other cyber attacks on your DMZ/LAN/WAN.
The point is, if there is no reason for your server to start connections on its own, then you can have your firewall make sure that doesn't happen. And you can also have it let you know whenever something on the server does indeed try to establish an outgoing connection.
Code:
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
Last edited by win32sux; 06-26-2007 at 10:04 PM.
#9 | 06-26-2007, 10:08 PM | Member (Original Poster), Registered: Jul 2005, Posts: 273
Good point....
Sorry to be such a newb at this...
How do you stop the external connections? This wouldn't stop other connections such as port 80 from going out then, would it?
#10 | 06-26-2007, 10:20 PM | LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
The example I posted would prevent any outgoing connections from being made, and it would log whenever an attempt to establish one is made. This has no effect on incoming connections, as they will be served well thanks to the OUTPUT rule allowing outgoing packets of states RELATED/ESTABLISHED. We just don't want any packets that are *not* RELATED/ESTABLISHED to exit the box, unless we made exceptions for them.
Last edited by win32sux; 06-26-2007 at 10:21 PM.
#11 | 06-26-2007, 10:25 PM | Member (Original Poster), Registered: Jul 2005, Posts: 273
Excellent. This takes care of my short-term problem. I guess I need to go learn how to do all this on my own now. I really appreciate it, thanks a lot.
#12 | 06-26-2007, 10:30 PM | LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
You're very welcome. If you need any more help with this let us know.
#13 | 07-03-2007, 06:19 AM | Member (Original Poster), Registered: Jul 2005, Posts: 273
Looks like I'll take you up on your offer.....
Here's my current rules:
Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state RELATED, ESTABLISHED -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
iptables -A INPUT -j LOG --log-prefix "OUTPUT DROP: "
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 2401 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 3306 -s xxx.xxx.xxx.xxx -j ACCEPT
I need this to be able to connect to an external server that is used for a database. I thought just putting line 3 in there would let it connect externally, but it doesn't allow it. Also, I do need this server to send out emails, and that is not working.
Am I way off base here with these rules? Or just missing something?
The rules work fine for the most part, though: when you do an nmap, only ports 22, 25 (closed for some reason), 80, 443, 2401 show up.
I am able to connect to all those ports, minus 25. I just can't get out from the server.
Thanks,
#14 | 07-03-2007, 11:02 AM | Member (Original Poster), Registered: Jul 2005, Posts: 273
Okay, got the MySQL issue straightened out, so far.
Here's the updated iptables.
Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
iptables -A INPUT -j LOG --log-prefix "OUTPUT DROP: "
iptables -A INPUT -m state --state RELATED, ESTABLISHED -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 2401 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s <mysql_server> -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
It seems to have fixed the MySQL problem, but I'm left with sendmail not sending messages out. They are going straight to /var/spool/clientmqueue/. Also, when I do an nmap, it shows port 25 as closed. How can I open this up to allow mail out?
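A complete rule set that puts the thread's pieces together, added here as an example and not posted by anyone in this thread: win32sux's default-deny INPUT and OUTPUT chains from #6 and #8, the service ports from the rules above, and explicit OUTPUT exceptions for the outbound mail and external MySQL connections those rules do not provide, with each LOG rule placed after the ACCEPTs so it records only traffic about to be dropped. The MySQL server address, the preview mode via IPT=echo, and the DNS exception are assumptions.

```shell
#!/bin/sh
# Stateful host firewall for a DMZ server publishing 22, 25, 80, 443 and 2401.
# Without arguments it only prints the iptables commands; "sh fw.sh apply" runs them (as root).
: "${IPT:=iptables}"
MYSQL_SERVER="${MYSQL_SERVER:-192.0.2.10}"   # placeholder: the external database host
IN_PORTS="22,25,80,443,2401"                  # services that must be reachable from outside

apply_rules() {
    # Start from default-deny in every direction.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # INPUT: loopback, replies to connections we opened, then the published services.
    $IPT -A INPUT -i lo -j ACCEPT
    # No space after the comma: the shell would split the argument and iptables rejects the rule.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT
    $IPT -A INPUT -p tcp -m multiport --dports "$IN_PORTS" -m state --state NEW -j ACCEPT
    # LOG is non-terminating; placed last (and rate-limited) it records only what the policy drops.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "

    # OUTPUT: only the connections the server itself must initiate get through.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT   # DNS (MX lookups for mail)
    $IPT -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT   # outbound mail delivery
    $IPT -A OUTPUT -p tcp -d "$MYSQL_SERVER" --dport 3306 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT DROP: "
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     IPT=echo; apply_rules ;;   # preview: print the commands instead of running them
esac
```

Anything the server tries to open that is not listed shows up in the kernel log with the "OUTPUT DROP: " prefix, which is the alert win32sux describes in #8.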
#15 | 07-03-2007, 03:02 PM | Member, Registered: Aug 2006, Posts: 74
Quote (Originally Posted by win32sux):
    Sure, I can give you an example: Let's say your Apache daemon gets cracked, but the cracker is not able to achieve privilege escalation. If you have firewalled outgoing connections, the damage will be somewhat contained, as she won't be able to connect to other machines on your DMZ/LAN/WAN. But if you had no outgoing firewall rules, she can now use her non-root privileges as a launchpad for other cyber attacks on your DMZ/LAN/WAN.
    The point is, if there is no reason for your server to start connections on its own, then you can have your firewall make sure that doesn't happen. And you can also have it let you know whenever something on the server does indeed try to establish an outgoing connection.
    Code:
    iptables -P OUTPUT DROP
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
default deny 4tw!