LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-13-2002, 11:02 AM   #1
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Rep: Reputation: 30
iptables - I added a second nic and cannot ssh to it. Log shows a potential problem.


However when the firewall is off, SSH works beautiful. Im trying to ssh from 10.0.0.2 to 192.168.1.2. My log below shows that the SSH connection is trying to goto eth0 for 192.168.1.2. It shouldbe going to eth1.
THanks as always

ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:02:B3:28:80:5C
inet addr:192.168.3.2 Bcast:192.168.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:764 errors:0 dropped:0 overruns:0 frame:0
TX packets:648 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:22 Base address:0xec80

eth1 Link encap:Ethernet HWaddr 00:B00:B0:22:9B
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:23 errors:0 dropped:0 overruns:22 carrier:0
collisions:0 txqueuelen:100
Interrupt:16 Base address:0xccc0

iptables***************************
#!/bin/sh


# you set the permission as follow:
# chown root.root scriptname
# chmod 700 scriptname

#=============== Start

# Load the netfilter modules
/sbin/depmod -a
/sbin/modprobe ip_tables

# Set iptable variable path
IPT=/sbin/iptables

echo -n "Loading Firewall Rules....."

#Flush all existing rules
$IPT -F
$IPT -X
$IPT -F -t nat

#Set default policies
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

#Set-up the "firewall-chain" rules
$IPT -N firewall
$IPT -A firewall -m limit --limit 20/minute -j LOG --log-level warning --log-prefix "FIREWALL: "
$IPT -A firewall -j DROP

#Accept Ourselves
$IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT

#Drop any bad flags
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L1: "
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L3: "

#Block ping
$IPT -A INPUT -i eth0 -s 0/0 -d 192.168.3.2 -p icmp --icmp-type echo-request -j DROP

#Drop traceroute packets
$IPT -A INPUT -i eth0 -s 0/0 -d 192.168.3.2 -p udp --dport 33435:33525 -j DROP

#Stuff to drop syn floods
#$IPT -N syn-flood
#$IPT -A syn-flood -m limit --limit 1/s --limit-burst 10 -j RETURN
#$IPT -A syn-flood -j LOG --log-level warning --log-prefix "FIREWALL: SYN Flood Stopped: "
#$IPT -A syn-flood -j DROP
#$IPT -A INPUT -p tcp --syn -j syn-flood

#State matching stuff - to accept related and established connections
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Accept SSH
$IPT -A INPUT -i eth0 -s 10.0.0.2 -p tcp -d 192.168.3.2 --dport 22 -j ACCEPT
$IPT -A INPUT -i eth1 -s 10.0.0.2 -p tcp -d 192.168.1.2 --dport 22 -j ACCEPT
$IPT -A INPUT -i eth1 -s 0/0 -p tcp -d 0/0 --dport 22 -j ACCEPT

#Accept incoming SMTP requests
$IPT -A INPUT -i eth0 -s 0/0 -p tcp -d 192.168.3.2 --dport 25 -j ACCEPT

#Accept POP3 requests
$IPT -A INPUT -i eth0 -s 10.0.0.2 -p tcp -d 192.168.3.2 --dport 110 -j ACCEPT

#Accept Samba
$IPT -A INPUT -i eth0 -s 10.0.0.2 -p tcp -d 192.168.3.2 --dport 137:139 -j ACCEPT
$IPT -A INPUT -i eth0 -s 10.0.0.2 -p udp -d 192.168.3.2 --dport 137:139 -j ACCEPT

#Accept Domain Name Server stuff..
#$IPT -A INPUT -i eth0 -s 198.6.1.4/24 -p tcp -d 0/0 --dport 53 -j ACCEPT
#$IPT -A INPUT -i eth0 -s 198.6.1.5/24 -p udp -d 0/0 --dport 53 -j ACCEPT

#Send everything else to the firewall chain - DENY it and LOG it.
#$IPT -A INPUT -p tcp --syn -j firewall
#$IPT -A INPUT -p udp -j firewall
$IPT -A INPUT -j LOG
echo "DONE"

LOG*********************
kernel: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.1.2 LEN=48
TOS=0x00 PREC=0x00 TTL=128 ID=29663 DF PROTO=TCP SPT=2207 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 11:54:45 mail kernel: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.1.2 LEN=48
TOS=0x00 PREC=0x00 TTL=128 ID=29664 DF PROTO=TCP SPT=2207 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 11:54:51 mail kernel: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.1.2 LEN=48
TOS=0x00 PREC=0x00 TTL=128 ID=29685 DF PROTO=TCP SPT=2207 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
 
Old 01-13-2002, 11:03 AM   #2
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
THis also showed up in my log:
Jan 13 11:56:20 mail kernel: IN=eth1 OUT= MAC= SRC=192.168.1.2 DST=192.168.1.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF P
ROTO=UDP SPT=138 DPT=138 LEN=221
Jan 13 11:56:20 mail kernel: IN=eth1 OUT= MAC= SRC=192.168.1.2 DST=192.168.1.255 LEN=233 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF P
ROTO=UDP SPT=138 DPT=138 LEN=213
 
Old 01-13-2002, 12:58 PM   #3
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
Well if anyone has this problem, i took the -i out of the ssh rule and works like a charm.
Thanks
 
Old 01-14-2002, 05:07 AM   #4
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
The log is showing you a Bcast request from a Samba service to the subnet from the ip address of: 192.168.1.2

I don't really understand your network layout as it seems overly complicated. i.e your using an internal class A to talk to an internal call C address with a default gateway that also uses an internal IP address.

But if you took the -i out and it worked, then it sounds like the connection for the 10.0.0.0/24 network is on the wrong card or hub/switch.
also do a netstat -natp and see if shhd is bound to both cards or eth1 is routing to eth0.

/Raz
 
Old 01-14-2002, 07:35 AM   #5
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
Servers are all 192.168.x.x
Workstations are all 10.0.0.x

So Im talking from the inside 10.0.0.x to servers on 192.168.x.x

I added another nic to my server so that i could tighten up my iptables. I would like to make the second nic on my server 10.0.0.x but from what I have learned, nics on a server must all be on the same mask ie 255.255.255.0. If I make the second nic 10.0.0.x (255.0.0.0) this will not work.

Workstations are all on my inside network connected via a switch. So my second nic on my server is plugged into my switch.

Im not a networking guru, but sounds pretty simple to me.
But dont laugh...Im still learning

So maybe -i wont work because of the switch is working for 10.0.0.x and 192.168.1.2.

Tanks for your help
 
Old 01-14-2002, 10:04 PM   #6
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
tcp 0 0 192.168.1.2:22 0.0.0.0:* LISTEN 644/sshd

Thats the only entry for ssh
So its bound to 192.168.1.2. Still not sure why the -i doesnt work. Is it possible that eth1 is really eth0 and eth0 is really eth1?

ifconfig - a
eth0 Link encap:Ethernet HWaddr 00:02:B3:28:80:5C
inet addr:192.168.3.2 Bcast:192.168.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3004 errors:0 dropped:0 overruns:0 frame:0
TX packets:2577 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:22 Base address:0xec80

eth1 Link encap:Ethernet HWaddr 00:B00:B0:22:9B
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:76 errors:0 dropped:0 overruns:21 carrier:0
collisions:0 txqueuelen:100
Interrupt:16 Base address:0xccc0

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

Thanks
 
Old 01-15-2002, 09:05 AM   #7
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
That's your problem.
It's only bound to one of the cards, so when you tell the firewall to allow only the interface to ip it doesn't work.

It only works because the system routes from the interface that's bound.

change your sshd config script file
default is:
/usr/local/etc/sshd_config

add the lines
ListenAddress 192.168.3.2
ListenAddress 192.168.1.2
#ListenAddress 0.0.0.0
#ListenAddress ::

Then restart sshd.

/Raz
 
Old 01-15-2002, 04:32 PM   #8
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
well Raz................you da man!! Worked just as you have stated. Let me ask you one final question on this.
I can now use -i eth0 and -i eth1 in my iptables.
1) Is is better to have ssh running on both cards and use the -i in the iptables to control it just to the inside.
2) Only run ssh on the inside and then dont use -i in iptables.

I ask this because in thread: http://www.linuxquestions.org/questi...threadid=11299
you state------->
The lines like this will allow external people to fake internal ip sourced packets to your system, as your accepting from -s and not to a particular network card.

$IPT -A INPUT -s 192.168.4.0/24 -p tcp --destination-port 53 -j ACCEPT
$IPT -A INPUT -s 192.168.4.0/24 -p udp --destination-port 53 -j ACCEPT

To do it correctly you need two network cards, the first with the outside ip, the second with your internal ip.

Then only accept to the internal card.

example:
$IPT -A INPUT -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
"eth0 being the external interface."
 
Old 01-15-2002, 04:46 PM   #9
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
One more thing. If ssh is only running on the inside nic, the spoofer would have to be on the inside network to fake an ip address and get in.
COrrect?
 
Old 01-16-2002, 04:28 AM   #10
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
ok lets see if I get this right.

If you don't need to access sshd from a different location on the internet, then I would only allow it to bind to the card that is connected to your internal network hub/switch.

Then on the firewall I would still use -i for the internal nic to allow access to port 22 from the local address ranges you use.
Then on the firewalls second card that's connected to your hardware NAT box, I would add a line that logged any port 22 requests to that device "-i" and drops from any source, including internal IP addresses ranges.

That's the safes why to do it. "unless your network is 802.11b"

basically use the -i option to stop any unwanted packets accessing your external internet interface and spoofing them to your accepted internal interface.

/Raz
 
Old 01-17-2002, 07:36 PM   #11
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
Hey,
One more question. I edited my sshd_config and changed it to only listen on 192.168.1.2.
My problem is this. If I add -i eth1 to my iptables, i cannot SSH, If i change the -i eth1 to -i eth0, it works as its suppossed to. eth1 is 192.168.1.2. Any idea why this would happen.

ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:02:B3:28:80:5C
inet addr:192.168.3.2 Bcast:192.168.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1422 errors:0 dropped:0 overruns:0 frame:0
TX packets:1215 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:22 Base address:0xec80

eth1 Link encap:Ethernet HWaddr 00:B00:B0:22:9B
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:16 Base address:0xccc0

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

netstat -natp shows:
tcp 0 0 192.168.1.2:22 0.0.0.0:* LISTEN 896/sshd

Thanks dude!
 
Old 01-18-2002, 08:30 AM   #12
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
What's the address range of the systems that now can't connect to the ssh port?

Also post the iptables lines that you entered.

Can the client systems talk to the 192.168.1.2 address, i.e ping.

/Raz
 
Old 01-18-2002, 09:13 AM   #13
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
This doesnt work
$IPT -A INPUT -i eth1 -s 10.0.0.2 -p tcp -d 192.168.1.2 --dport 22 -j ACCEPT


Address 10.0.0.2 cannot connect when i add -i eth1. If i change it to -i eth0 it works!!

10.0.0.2 has full communication with 192.168.1.2 as far as ping/pop3/samba.

But the sames goes for pop3/samba. If i change it to -i eth1 it doesnt work

Right now i have the below and this works:
$IPT -A INPUT -s 10.0.0.2 -p tcp -d 192.168.1.2 --dport 22 -j ACCEPT

Thanks for your time Raz
BTW - The faster the women the better!!!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables; ACK/SYN/etc; understand the bits, and potential firewall entries TheLinuxDuck Linux - Security 2 10-18-2011 09:17 PM
Added new NIC, now FreeBSD hangs Gsee *BSD 3 10-18-2004 09:17 PM
Failing to log into ssh via ldap auth. Pam Problem? cehlers Linux - Security 1 10-10-2004 07:55 AM
Iptables log problem _kossak_ Linux - Security 1 09-10-2003 01:31 PM
added second nic to network at home now cannot connect to internet gonus Linux - Networking 12 08-23-2002 09:56 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:39 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration