LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-09-2002, 07:11 PM   #1
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

iptables - I think i have it covered. Can someone tell me if its right


Hi,
I'm a newbie to iptables. Can someone please look this over and tell me if I'm wrong. This is for my mail server.

eth0 = 192.168.2.2 = internet card
eth1 = 192.168.2.3 = internal network card

eth0 should only allow port 25 traffic
eth1 should only allow port 110 and port 22 traffic.

This is my iptables.
iptables -P INPUT DROP
iptables -A INPUT -s 192.168.2.2 -p tcp --dport smtp -j ACCEPT
iptables -A INPUT -s 192.168.2.3 -p tcp --dport pop3 -j ACCEPT
iptables -A INPUT -s 192.168.2.3 -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j DROP

I figure that once I get the ports straightened out, then I can worry about syn/icmp stuff. I have to take it one step at a time or else I won't understand what I'm doing.
Thanks as always
 
Old 01-10-2002, 12:57 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

IIRC you should need "-i" to specify accepts by interface.
 
Old 01-10-2002, 09:06 AM   #3
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

You'll want to do the following:

eth0 = 212.122.2.2 = internet card
eth1 = 192.168.2.3 = internal network card

iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d 212.122.2.2 --dport 25 -j ACCEPT

iptables -A INPUT -i eth1 -p tcp -s 192.168.2.0/24 --sport 1024:65535 -d 192.168.2.3 --dport 22 -j ACCEPT

iptables -A INPUT -i eth1 -p tcp -s 192.168.2.0/24 --sport 1024:65535 -d 192.168.2.3 --dport 110 -j ACCEPT

/Raz
 
Old 01-10-2002, 10:08 AM   #4
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Thanks guys,
Can you explain one thing to me.
--sport 1024:65535 --> What does this actually do?

I assume it's source port from 1024 to 65535... I'm a bit confused.
 
Old 01-10-2002, 11:00 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

It's also written as --source-port, or could be written as <from IP> <portname|portranges>. In Rusty's ipchains scripts this was known as the variable $UNPRIVPORTS, which is aptly named because it handles an unprivileged port range; the notation <lowest port>:<highest port> makes it a range.
Only the root user is allowed to bind to ports below 1024, known as the privileged ports, while regular users can't, so basically this rule translates to "allow traffic to my TCP port 25, initiated by regular users".
 
Old 01-10-2002, 04:28 PM   #6
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
What am I doing wrong? Nothing works when I add this. I cannot receive mail. I cannot ssh to 192.168.3.3.

This is my iptables:
./sbin/iptables -P INPUT DROP

./sbin/iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d 192.168.3.2 --dport 25 -j ACCEPT

./sbin/iptables -A INPUT -i eth1 -p tcp -s 192.168.3.0/24 --sport 1024:65535 -d 192.168.3.3 --dport 22 -j ACCEPT

./sbin/iptables -A INPUT -i eth1 -p tcp -s 192.168.3.0/24 --sport 1024:65535 -d 192.168.3.3 --dport 110 -j ACCEPT
./sbin/iptables -A INPUT -j DROP

Any ideas?
 
Old 01-10-2002, 06:21 PM   #7
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Just FYI
eth0 is 192.168.3.2 --> my hardware firewall converts my 207. internet ip to 192.168.3.2

eth1 is 192.168.3.3
Only people allowed to access 192.168.3.3 are 10.0.0.0

Sorry to change the #'s around
 
Old 01-11-2002, 01:09 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

I think I would do best to give you an answer so you can troubleshoot this yourself. Add the following lines:

# Make a new chain that logs traffic and then drops it
iptables -N LOG_DROP
# Set up logging rule
iptables -A LOG_DROP -j LOG --log-level info --log-prefix "FIREWALL: "
# Finally drop it
iptables -A LOG_DROP -j DROP

Now change the "-j DROP"s to read "-j LOG_DROP". This way, whenever traffic hits the fw, you'll see what you need to adjust.
 
Old 01-11-2002, 03:55 AM   #9
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

ForumKid,

Did you mean to put a "." before the /sbin? That won't work.
Also why don't you change the eth1's nic to a 10.0.0.0 address so the network is easier to understand.

Anyway here's some more info.
Flush the chains each time you run the script with these lines:
iptables -F
iptables -X
iptables -F -t nat
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

/sbin/iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d 192.168.3.2 --dport 25 -j ACCEPT

/sbin/iptables -A INPUT -i eth1 -p tcp -s 10.0.0.0/24 --sport 1024:65535 -d 192.168.3.3 --dport 22 -j ACCEPT

/sbin/iptables -A INPUT -i eth1 -p tcp -s 10.0.0.0/24 --sport 1024:65535 -d 192.168.3.3 --dport 110 -j ACCEPT

You should also try unSpawn's logging script to see what's happening.

/Raz
 
Old 01-11-2002, 05:39 PM   #10
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Still having problems. I even made it wide open. The logs don't show any errors.

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ssh

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
 
Old 01-11-2002, 05:53 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

I would like to recommend you 1) change *all* rules (that is, all ACCEPT *and* DENY targets) to include logging as shown below with the DROP targets, 2) tell us verbosely *how* you are testing that you can't receive mail, 3) post your full iptables script w/o interpretation and 4) the firewall log with logging on all targets on.

This may be a true mofo to solve, but being the community we are I'm confident we'll get there someway.
 
Old 01-11-2002, 07:11 PM   #12
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Hey,
I hacked up a few people's scripts and came up with the below. I'm taking it one step at a time. My first problem is that I cannot ssh from 10.0.0.2 to 192.168.3.3
FYI: eth0=192.168.3.2
eth1 = 192.168.3.3
Please see the log below. It looks like it's trying to hit eth0 instead of eth1. It's mixing them up for some reason. Any idea why?
With the script below I can send/receive/read email. SSH is the problem. Once that's solved, I will then tighten the bitc* up.
Thanks dude!!


#!/bin/sh


# Set the permissions as follows:
# chown root.root scriptname
# chmod 700 scriptname

#=============== Start

# Load the netfilter modules
/sbin/depmod -a
/sbin/modprobe ip_tables

# Set iptable variable path
IPT=/sbin/iptables

# Flush all existing rules
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD

# Set the default policy for the forward chain to drop everything
# (iptables has no DENY target; that was ipchains. Use DROP.)
$IPT -P FORWARD DROP

# Accept incoming smtp at the dmz
$IPT -A INPUT -p tcp -i eth0 -d 192.168.3.2 --dport 25 -j ACCEPT
#Accept outgoing smtp at the dmz
$IPT -A OUTPUT -p tcp -d 192.168.3.2 --dport 25 -j ACCEPT

#Accept incoming SSH to eth1
$IPT -A INPUT -p tcp -i eth1 -d 192.168.3.3 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 -d 192.168.3.2 --dport 22 -j ACCEPT

# Accept incoming pop3 at the dmz
$IPT -A INPUT -p tcp -i eth0 -d 192.168.3.2 --dport 110 -j ACCEPT
$IPT -A OUTPUT -p tcp -d 192.168.3.2 --dport 110 -j ACCEPT

# Accept all outbound tcp received via the public and private interfaces
#$IPT -A FORWARD -p tcp -i eth0 -j ACCEPT

# Drop all other traffic in the forward chain
#$IPT -A FORWARD -j DROP
$IPT -A INPUT -j LOG --log-prefix "FIREWALL: "
#============= End


FIREWALL: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.3.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=29914 DF PROTO=TCP SPT=2612 DPT=22 WINDOW=16212 RES=0x00 ACK PSH URGP=0
Jan 11 20:00:56 mail kernel: FIREWALL: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.3.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=29915 DF PROTO=TCP SPT=2612 DPT=22 WINDOW=16192 RES=0x00 ACK PSH URGP=0
Jan 11 20:00:56 mail kernel: FIREWALL: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.3.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=29916 DF PROTO=TCP SPT=2612 DPT=22 WINDOW=16172 RES=0x00 ACK PSH URGP=0
Jan 11 20:00:56 mail kernel: FIREWALL: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.3.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=29917 DF PROTO=TCP SPT=2612 DPT=22 WINDOW=16152 RES=0x00 ACK PSH URGP=0
Jan 11 20:00:56 mail kernel: FIREWALL: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.3.3 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=29918 DF PROTO=TCP SPT=2612 DPT=22 WINDOW=16088 RES=0x00 ACK URGP=0
 
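To get something out of unSpawn's logging chain (post #8) for exactly the mix-up ForumKid sees in the log above, here is an added example, not code from the thread: it rejoins the wrapped FIREWALL: records as they were pasted, pulls out the fields that matter, and flags packets that reached a local address on a different NIC than the one an "-i <iface> -d <addr>" ACCEPT rule for that address expects. The interface-to-address map and the sample log records are constructed from the addresses in the thread.

```python
import re

# Constructed sample in the shape of the thread's "FIREWALL:" kernel log lines,
# wrapped mid-record exactly as they were pasted into the post.
SAMPLE_LOG = """\
Jan 11 20:00:56 mail kernel: FIREWALL: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:
b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.3.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128
ID=29914 DF PROTO=TCP SPT=2612 DPT=22 WINDOW=16212 RES=0x00 ACK PSH URGP=0
Jan 11 20:01:10 mail kernel: FIREWALL: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:
b3:39:c0:ac:08:00 SRC=203.0.113.9 DST=192.168.3.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50
ID=77 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Assumed from the thread: which NIC each local address is meant to live on.
EXPECTED_IFACE = {"192.168.3.2": "eth0", "192.168.3.3": "eth1"}

FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")


def unwrap_records(text, prefix="FIREWALL:"):
    """Rejoin wrapped records: a line carrying the LOG prefix starts a record,
    any other line continues the previous one."""
    records = []
    for line in text.splitlines():
        if prefix in line or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_record(record):
    """Extract the KEY=VALUE fields that matter for rule debugging."""
    fields = dict(FIELD_RE.findall(record))
    # Bare tokens after PROTO=TCP are the TCP flags (SYN, ACK, PSH, ...).
    tail = record.partition("PROTO=")[2].split()[1:]
    fields["FLAGS"] = [t for t in tail if "=" not in t]
    return fields


def find_interface_mismatches(text, expected=EXPECTED_IFACE):
    """List packets that reached a local address on the wrong NIC; an
    '-i <iface> -d <addr>' ACCEPT rule for that address never sees them."""
    findings = []
    for f in map(parse_record, unwrap_records(text)):
        want = expected.get(f.get("DST"))
        if want and f.get("IN") != want:
            findings.append(f"{f['SRC']}:{f.get('SPT', '-')} -> {f['DST']}:{f.get('DPT', '-')} "
                            f"arrived on {f['IN']}, rule expects {want}")
    return findings
```

Run over the sample, the only finding is the 10.0.0.2 ssh connection to 192.168.3.3 arriving on eth0, which is why a rule keyed on "-i eth1 -d 192.168.3.3" never matches it.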
Old 01-11-2002, 07:25 PM   #13
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Hi,
Notice that 192.168.3.3 doesn't get resolved to a hostname


/sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere myhost.mydomain.com tcp dpt:smtp
ACCEPT tcp -- anywhere 192.168.3.3 tcp dpt:ssh
ACCEPT tcp -- anywhere myhost.mydomain.com tcp dpt:ssh
ACCEPT tcp -- anywhere myhost.mydomain.com tcp dpt:pop3
LOG all -- anywhere anywhere LOG level warning prefix `FIREWALL: '

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere myhost.mydomain.com tcp dpt:smtp
ACCEPT tcp -- anywhere myhost.mydomain.com tcp dpt:pop3
 
Old 01-12-2002, 01:20 PM   #14
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
This seems to be a problem with the NIC cards being on the same subnet or something. I have posted a question in the network forum and I will post back here when I figure this out, just in case other people have this problem.
 
Old 01-12-2002, 09:05 PM   #15
Zychior
Member
 
Registered: Jan 2002
Location: Northern Virginia
Distribution: Mandrake 8.1
Posts: 41

First of all I am a newbie to Linux. I just started to play around with it in December. I did however play around with it to design a firewall for a customer of mine using iptables. I just wanted to ask a question. I see that you are using a private address for your example. It even shows a private address for your Internet connection. You may want to use the forward chain if you have a public address going through NAT to a private address. That is how I got it to work for my client. If you would like a sample script I used, just let me know.

- Zychior
 