LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-09-2002, 07:11 PM   #1
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Rep: Reputation: 30
iptables - I think i have it covered. Can someone tell me if its right


Hi,
Im a newbie to iptables. Can someone please look this over and tell me if im wrong. This is for my mail server.

eth0 = 192.168.2.2 = internet card
eth1 = 192.168.2.3 = internal network card

eth0 should only allow port 25 traffic
eth1 should onlly allow port 110 and port 22 traffic.

This is my iptables.
iptables -P INPUT DROP
iptables -A INPUT -s 192.168.2.2 -p tcp --dport smtp -j ACCEPT
iptables -A INPUT -s 192.168.2.3 -p tcp --dport pop3 -j ACCEPT
iptables -A INPUT -s 192.168.2.3 -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j DROP

I figure that once i get the ports straightened out, then i can worry about syn/icmp stuff. I have to take it one step at a time or else I wont understand what Im doing.
Thanks as always
 
Old 01-10-2002, 12:57 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590
IIRC you should need "-i" to specify accepts by interface.
 
Old 01-10-2002, 09:06 AM   #3
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
You'll want to do the following:

eth0 = 212.122.2.2 = internet card
eth1 = 192.168.2.3 = internal network card

iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d 212.122.2.2 --dport 25 -j ACCEPT

iptables -A INPUT -i eth1 -p tcp -s 192.168.2.0/24 --sport 1024:65535 -d 192.168.2.3 --dport 22 -j ACCEPT

iptables -A INPUT -i eth1 -p tcp -s 192.168.2.0/24 --sport 1024:65535 -d 192.168.2.3 --dport 110 -j ACCEPT

/Raz
 
Old 01-10-2002, 10:08 AM   #4
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
Thanks guys,
Can you explain one thing to me.
--sport 1024:65535 --> What does this actually do?

I assume its source port from 1024 to 65535.... Im a bit confused.
 
Old 01-10-2002, 11:00 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590
Its also written as --source-port or could be written as <from IP> <portname|portranges>, in Rusty's ipchains scripts this was known as the variable $UNPRIVPORTS which is aptly named, because this handles an unprivileged portrange, the notation <lowest port>:<highest port> makes it a range.
Only the root user is allowed to bind to ports below 1024, known as the privileged ports, while regular users can't, so basically this rule translates to "allow traffic to my TCP port 25, initiated by regular users".
 
Old 01-10-2002, 04:28 PM   #6
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
What am i doing wrong. Nothing works when i add this. I cannot receive mail. I cannot ssh to 192.168.3.3..

This is my iptables:
./sbin/iptables -P INPUT DROP

./sbin/iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d 192.168.3.2 --dport 25 -j ACCEPT

./sbin/iptables -A INPUT -i eth1 -p tcp -s 192.168.3.0/24 --sport 1024:65535 -d 192.168.3.3 --dport 22 -j ACCEPT

./sbin/iptables -A INPUT -i eth1 -p tcp -s 192.168.3.0/24 --sport 1024:65535 -d 192.168.3.3 --dport 110 -j ACCEPT
./sbin/iptables -A INPUT -j DROP

ANy ideas
 
Old 01-10-2002, 06:21 PM   #7
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
Just FYI
eth0 is 192.168.3.2 --> my hardware firewall converts my 207. internet ip to 192.168.3.2

eth1 is 192.168.3.3
Only people allowed to access 192.168.3.3. are 10.0.0.0

Sorry to change the #;s around
 
Old 01-11-2002, 01:09 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590
I think I would do best to give you an answer so you can troubleshoot this yourself, add the following lines:

# Make new chain that log's traffic and drops
iptables -A N LOG_DROP
# Add chain
iptables -A LOG_DROP
# Set up logging rule
iptables -A LOG_DROP -j LOG --log-level info --log-prefix "FIREWALL: "
# Finally drop it
iptables -A LOG_DROP -j DROP

now change the "-j DROP"'s to read "-j LOG_DROP", and this way, whenever traffic hits the fw, you'll see what you'll need to adjust.
 
Old 01-11-2002, 03:55 AM   #9
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
ForumKid,

Did you mean to put a "." before the /sbin as that won't work.
Also why don't you change the eth1's nic to a 10.0.0.0 address so the network is easier to understand.

Anyway here's some more info.
flush the chains each time you run the script with these lines.
iptables -F
iptables -X
iptables -F -t nat
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

/sbin/iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d
192.168.3.2 --dport 25 -j ACCEPT

/sbin/iptables -A INPUT -i eth1 -p tcp -s 10.0.0.0/24 --sport 1024:65535 -d 192.168.3.3 --dport 22 -j ACCEPT

/sbin/iptables -A INPUT -i eth1 -p tcp -s 10.0.0.0/24 --sport 1024:65535 -d 192.168.3.3 --dport 110 -j ACCEPT

You should also try unSpawn's logging script to see what's happening.

/Raz
 
Old 01-11-2002, 05:39 PM   #10
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
Still having problems. I even made it wide open. The logs dont show any errors.

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dptop3
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ssh

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
 
Old 01-11-2002, 05:53 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590
I would like to recommend you 1)change *all* rules (that is all ACCEPT *and* DENY targets) to include logging as shown below with the DROP targets, 2) tell us verbosely *how* you are testing you can't receive mail and 3) post your full iptables script w/o interpretation and 4) the firewall log with logging on all targets on.

This may be a true mofo to solve, but being the community we are I'm confident we'll get there someway.
 
Old 01-11-2002, 07:11 PM   #12
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
Hey,
I hacked up a few peoples scripts and came up with the below. Im taking it one step at a time. My first problem is that i cannot ssh from 10.0.0.2 to 192.168.3.3
FYI: eth0=192.168.3.2
eth1 = 192.168.3.3
Please see the log below. It looks like its trying to hit eth0 instead of eth1. Its mixing them up for somereason. ANy idea why?
With the script below i can send/receive/read email. SSH is the problem. once thats solved, I will then tighten the bitc* up.
Thanks dude!!


#!/bin/sh


# you set the permission as follow:
# chown root.root scriptname
# chmod 700 scriptname

#=============== Start

# Load the netfilter modules
/sbin/depmod -a
/sbin/modprobe ip_tables

# Set iptable variable path
IPT=/sbin/iptables

# Flush all existing rule
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD

# Set the default policy for forward chain to deny all
$IPT -P FORWARD DENY

# Accept incoming smtp at the dmz
$IPT -A INPUT -p tcp -i eth0 -d 192.168.3.2 --dport 25 -j ACCEPT
#Accept outgoing smtp at the dmz
$IPT -A OUTPUT -p tcp -d 192.168.3.2 --dport 25 -j ACCEPT

#Accept incoming SSH to eth1
$IPT -A INPUT -p tcp -i eth1 -d 192.168.3.3 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 -d 192.168.3.2 --dport 22 -j ACCEPT

# Accept incoming pop3 at the dmz
$IPT -A INPUT -p tcp -i eth0 -d 192.168.3.2 --dport 110 -j ACCEPT
$IPT -A OUTPUT -p tcp -d 192.168.3.2 --dport 110 -j ACCEPT

# Accept all out tcp recived via interface public and private interface
#$IPT -A FORWARD -p tcp -i eth0 -j ACCEPT

# Drop all other traffic in the forward chain
#$IPT -A FORWARD -j DROP
$IPT -A INPUT -j LOG --log-prefix "FIREWALL: "
#============= End


FIREWALL: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:
b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.3.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128
ID=29914 DF PROTO=TCP SPT=2612 DPT=22 WINDOW=16212 RES=0x00 ACK PSH URGP=0
Jan 11 20:00:56 mail kernel: FIREWALL: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:
b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.3.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128
ID=29915 DF PROTO=TCP SPT=2612 DPT=22 WINDOW=16192 RES=0x00 ACK PSH URGP=0
Jan 11 20:00:56 mail kernel: FIREWALL: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:
b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.3.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128
ID=29916 DF PROTO=TCP SPT=2612 DPT=22 WINDOW=16172 RES=0x00 ACK PSH URGP=0
Jan 11 20:00:56 mail kernel: FIREWALL: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:
b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.3.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128
ID=29917 DF PROTO=TCP SPT=2612 DPT=22 WINDOW=16152 RES=0x00 ACK PSH URGP=0
Jan 11 20:00:56 mail kernel: FIREWALL: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:
b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.3.3 LEN=40 TOS=0x00 PREC=0x00 TTL=128
ID=29918 DF PROTO=TCP SPT=2612 DPT=22 WINDOW=16088 RES=0x00 ACK URGP=0
 
Old 01-11-2002, 07:25 PM   #13
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
Hi,
Notice that 192.168.3.3 doesnt get resolved to a hostname


/sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere myhost.mydomain.comtcp dpt:smtp
ACCEPT tcp -- anywhere 192.168.3.3 tcp dpt:ssh
ACCEPT tcp -- anywhere myhost.mydomain.comtcp dpt:ssh
ACCEPT tcp -- anywhere myhost.mydomain.comtcp dptop3
LOG all -- anywhere anywhere LOG level warning prefix `FIREWALL: '

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere myhost.mydomain.comtcp dpt:smtp
ACCEPT tcp -- anywhere myhost.mydomain.comtcp dptop3
 
Old 01-12-2002, 01:20 PM   #14
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Original Poster
Rep: Reputation: 30
This seems to be a problem with the nic cars being on the same subnet or something. I have posted a question in the network forum and I will post back here when i figure this out, just in case other people have this problem.
 
Old 01-12-2002, 09:05 PM   #15
Zychior
Member
 
Registered: Jan 2002
Location: Northern Virginia
Distribution: Mandrake 8.1
Posts: 41

Rep: Reputation: 15
First of all I am a newbie to Linux. I just started to play around with it in December. I did however play around with it to design a firewall for a customer of mine using iptables. I just wanted to ask a question. I see that you are using a private address for your example. It even shows a private address for your Internet connection. You may want to use the forward chain if you have a publice address going through nat to a private address. That is how I got it to work for my client. If you would like a sample script I used, just let me know.

- Zychior
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Problem installing ATI drivers not covered in what I've read KajiFox Linux - Hardware 7 01-06-2009 09:54 AM
Covered, i know: CDRW install under RH9 naloxone Red Hat 2 10-08-2003 06:10 PM
IPtables Log Analyzer from http://www.gege.org/iptables/ brainlego Linux - Software 0 08-11-2003 06:08 AM
GRUB Help! The window partition was covered!!! Rex_chaos Linux - General 2 05-14-2002 08:31 AM
dual boot problem - my scenario has not been covered joy_division Linux - Software 11 04-03-2002 12:20 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:56 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration