carlosruiz |
01-30-2005 05:49 AM |
Iptables script problem
Hello all, i am having a problem with a iptables script, i hope someone can help me understand, here is the problem:
in my script i have this line:
iptables -A INPUT -s 192.168.0.0/16 -j DROP
which after running the script closes all connections to the server from 192.168.123.0/24, after commenting this line I can connect to the server, so the question is, why:
iptables -A INPUT -s 192.168.0.0/16 -j DROP is blocking 192.168.123.0/24, I am running debian 3.1 with 2.6.8 kernel,
Thank you all
here is the script:
Code:
# --- HOSTINGHACKS.NET/FIREWALL.SH ---
# IPTABLES FIREWALL SCRIPT FOR A
# WEBHOSTING SERVER. \\\!!////
# ( @ @ )
# __________o000......000o____________
# ____] [_____] [_____] [_____] [_____] [_
# __] [_____] [_____] [_____] [_____] [___
# ____] [_____] [_____] [_____] [_____] [_
# note: if you remove any variables here,
# make sure to remove them in the script body.
# The back-slash "\" may be used as the last
# character to continue the directive onto the next line.
# There must be no other characters or
# white space between the back-slash and
# the end of the line.
#!/bin/sh
iptables -F
# --- eth0
NET=192.168.123.3
# --- Development machines (allow SSH from these):
DEV_1=192.168.123.0/24
DEV_2=192.168.1.0/24
DEV_3=192.168.0.0/24
# --- DNS Secondaries (allow zone xfers to these):
ZONE_XFR_1=192.168.123.97
ZONE_XFR_2=192.168.1.97
ZONE_XFR_3=192.168.100.10
ZONE_XFR_4=192.168.0.165
# --- Time Servers --- (allow NTP queries to these):
TIME_SERVER=128.100.100.128
# --- Resolvers - (allow DNS queries to these):
DNS_1=206.13.28.12
DNS_2=206.13.31.12
# --- MX servers (allow email out to these):
MX_1=172.16.0.33
MX_2=172.16.10.0/24
MX_3=151.164.30.28
# --- A port for the control panel and webmail to run on:
CP_PORT=2081
WEBMAIL_PORT=1081
# --- load the ipconntrack module or ftp will fail
modprobe ip_conntrack_ftp
#---------------------------------------------------------------
# --- If a packet doesn't match the policy is to drop it
#---------------------------------------------------------------
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
#---------------------------------------------------------------
# --- Accept to the LOOPBACK
#---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#---------------------------------------------------------------
# --- Bad Address tables ---
#---------------------------------------------------------------
###############################################################
###############################################################
###############################################################
iptables -A INPUT -s 192.168.0.0/255.255.0.0 -j DROP
###############################################################
###############################################################
###############################################################
iptables -A INPUT -s 10.0.0.0/255.0.0.0 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -p ! udp -j DROP
#---------------------------------------------------------------
# FRAGMENTS can be overlapped, and the interpretation of
# fragments presents a potential security risk.
# A valid packet can also fragment if larger than allowed by some
# router along the path. Here we choose to log and deny all fragments.
#----------------------------------------------------------------
iptables -A INPUT -f -j LOG --log-level 7 --log-prefix "TCP FRAGMENT: "
iptables -A INPUT -f -j DROP
#-----------------------------------------------------------------
# --- STEALTH SCANS ---
# --- Many FIN,SYN,RST,PSH,ACK,URG combinations are obvious forgeries.
#-------------------------------------------------------------------------- #
# --- SYN,RST,ACK flags --- #
# Any TCP packet which is not a part of an established connection falls into#
# one of three categories: (1) connection handshake, (2) stray resend, or #
# (3) invalid. See table below: #
# #
# SYN RST ACK What it means Action #
# =========== ============= ======= #
# 0 0 0 invalid logdrop #
# 0 0 1 strayresend(?) ok = --tcp-flags SYN,RST,ACK ACK #
# 0 1 0 stray resend DROP = --tcp-flags SYN,RST,ACK RST #
# 0 1 1 stray resend DROP #
# 1 0 0 conn attempt ok #
# 1 0 1 conn response ok #
# 1 1 0 invalid logdrop #
# 1 1 1 invalid logdrop #
# #
# some examples of valid traffic: #
# --tcp-flags SYN,RST,ACK ACK -> ssh communication in and out. #
# --tcp-flags SYN,RST RST -> mail servers closing a connection #
# --tcp-flags SYN,RST,ACK SYN -> browser connect to http service #
#-------------------------------------------------------------------------- #
# --- LOG and DROP bad SYN,RST,ACK combos with prejudice:
iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK NONE -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS1 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS2 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST,ACK NONE -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS3 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS4 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST,ACK NONE -j DROP
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#--------------------------------------------------------------------------
# --- More bad FIN,SYN,RST,PSH,ACK,URG combos:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS5 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS6 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS7 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS8 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS9 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS10 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS11 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS12 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-level 7 \
--log-prefix "BAD-FLAGS13 : " --log-tcp-options --log-tcp-sequence --log-ip-options
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG \
--log-level 7 --log-prefix "BAD-FLAGS14 : " --log-tcp-options --log-tcp-sequence \
--log-ip-options
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG \
--log-level 7 --log-prefix "BAD-FLAGS15 : " --log-tcp-options --log-tcp-sequence \
--log-ip-options
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG \
--log-level 7 --log-prefix "BAD-FLAGS16 : " --log-tcp-options --log-tcp-sequence \
--log-ip-options
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
--log-level 7 --log-prefix "BAD-FLAGS17 : " --log-tcp-options --log-tcp-sequence \
--log-ip-options
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#---------------------------------------------------------------
# --- Suspicous IP addresses - monitor and/or drop
#---------------------------------------------------------------
# --- this guy hits me with ACK,RST every 20 minutes or so
iptables -A INPUT -p tcp -s 64.164.160.154 -d $NET -j LOG --log-level 7 \
--log-prefix "WATCH! :"
iptables -A OUTPUT -p tcp -s $NET -d 64.164.160.154 -j LOG --log-level 7 \
--log-prefix "WATCH! :"
iptables -A INPUT -p tcp -s 64.164.160.154 -d $NET -j DROP
#----------------------------------------------------------------
# Allow HTTP
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j LOG --log-level 7 \
--log-prefix "PORT-80-PROBLEM: "
#----------------------------------------------------------------
# Allow HTTPS
#---------------------------------------------------------------
#iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp --dport 443 -j LOG --log-level 7 \
#--log-prefix "PORT-443-PROBLEM : "
#----------------------------------------------------------------
# Allow SMTP
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j LOG --log-level 7 --log-prefix "PORT-25-PROBLEM : "
#-----------------------------------------------------------------
# UDP in to DNS(53) ok
# TCP packets to/from Secondaries ok (needed for zone xfers)
#-----------------------------------------------------------------
iptables -A INPUT -p udp -s 0/0 -d $NET --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -s $NET -d 0/0 --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p tcp -s $ZONE_XFR_1 -d $NET --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $ZONE_XFR_2 -d $NET --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $ZONE_XFR_3 -d $NET --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $ZONE_XFR_4 -d $NET --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET -d $ZONE_XFR_1 --dport 1023:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET -d $ZONE_XFR_2 --dport 1023:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET -d $ZONE_XFR_3 --dport 1023:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET -d $ZONE_XFR_4 --dport 1023:65535 -j ACCEPT
#****************************************************************************
#----------------------------------------------------------------
# --- Allow Outbound Connections
# --- *** SECURITY RISKS ***
#---------------------------------------------------------------
#---------------------------------------
# --- allow DNS queries to anywhere in the world:
# ---------------------------------------
iptables -A OUTPUT -p udp -s $NET -d $DNS_1 --sport 1024:65535 --dport 53 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -s $NET -d $DNS_2 --sport 1024:65535 --dport 53 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 -m state \
# --state NEW,ESTABLISHED -j LOG --log-level 7 --log-prefix "OTHER-DNS : "
iptables -A OUTPUT -p udp -s $NET -d 0/0 --sport 1024:65535 --dport 53 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
### iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -m state \
### --state ESTABLISHED,RELATED -j LOG --log-level 7 --log-prefix "_DNS-IN_ : "
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#-------------------------------------------
# --- allow NTP packets to query specified public time servers:
#-------------------------------------------
iptables -A OUTPUT -p udp -s $NET -d $TIME_SERVER --sport 123 --dport 123 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -s $NET -d $TIME_SERVER \
-m state --state NEW,ESTABLISHED,RELATED -j LOG --log-level 7 \
--log-prefix "_TIME-OUT_ : "
iptables -A INPUT -p udp -s $TIME_SERVER -d $NET --sport 123 --dport 123 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s $TIME_SERVER -d $NET \
-m state --state NEW,ESTABLISHED,RELATED -j LOG --log-level 7 \
--log-prefix "_TIME-IN_ : "
#-------------------------------------------
# --- allow SMTP packets out to specified MX servers:
#-------------------------------------------
iptables -A OUTPUT -p tcp -s $NET -d $MX_1 --sport 1024:65535 --dport 25 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $MX_1 -d $NET --sport 25 --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET -d $MX_2 --sport 1024:65535 --dport 25 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $MX_2 -d $NET --sport 25 --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s $NET -d $MX_3 --sport 1024:65535 --dport 25 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $MX_3 -d $NET --sport 25 --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#-------------------------------------------
# --- Other outbound connections - log and allow
#-------------------------------------------
iptables -A OUTPUT -m state --state NEW -j LOG \
--log-level 7 --log-prefix "OUTBOUND-CONNECT : " --log-tcp-options --log-ip-options
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
### iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#####################################################################
# --- I don't host websites outside of the United States
# --- so there is no reason for 'GEO-REMOTE IP-addresses'
# --- to connect to ftp, ssh or the control panel from anywhere
# --- but North America.
#####################################################################
#
# start dropping remote geographic ip's - but first log them.
#iptables -A INPUT -s 61.0.0.0/8 -d 0/0 -j LOG --log-level 7 \
#--log-prefix "GEO-REMOTE IP : "
#iptables -A INPUT -s 202.0.0.0/8 -d 0/0 -j LOG --log-level 7 \
#--log-prefix "GEO-REMOTE IP : "
#iptables -A INPUT -s 203.0.0.0/8 -d 0/0 -j LOG --log-level 7 \
#--log-prefix "GEO-REMOTE IP : "
#iptables -A INPUT -s 210.0.0.0/8 -d 0/0 -j LOG --log-level 7 \
#--log-prefix "GEO-REMOTE IP : "
#iptables -A INPUT -s 211.0.0.0/8 -d 0/0 -j LOG --log-level 7 \
#--log-prefix "GEO-REMOTE IP : "
#iptables -A INPUT -s 218.0.0.0/8 -d 0/0 -j LOG --log-level 7 \
#--log-prefix "GEO-REMOTE IP : "
#iptables -A INPUT -s 219.0.0.0/8 -d 0/0 -j LOG --log-level 7 \
#--log-prefix "GEO-REMOTE IP : "
#iptables -A INPUT -s 220.0.0.0/8 -d 0/0 -j LOG --log-level 7 \
#--log-prefix "GEO-REMOTE IP : "
#
iptables -A INPUT -s 61.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 202.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 203.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 210.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 211.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 218.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 219.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 220.0.0.0/8 -d 0/0 -j DROP
#----------------------------------------------------------------
# POP & Secure-POP (110, 995)
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j LOG --log-level 7 \
--log-prefix "PORT-110-PROBLEM : "
iptables -A INPUT -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j LOG --log-level 7 \
--log-prefix "PORT-995-PROBLEM : "
#---------------------------------------------------------------
# --- SSH - log + allow (from specific networks only)
# --- A dialup can usually be limited to /16 subnet
#---------------------------------------------------------------
iptables -A INPUT -p tcp --syn --dport 22 -j LOG --log-prefix "SSH SYN "
iptables -A INPUT -p tcp -s $DEV_1 -d 0/0 --dport 22 -m state \
--state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $DEV_2 -d 0/0 --dport 22 -m state \
--state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $DEV_3 -d 0/0 --dport 22 -m state \
--state NEW,ESTABLISHED -j ACCEPT
#---------------------------------------------------------------
# --- FTP --- make sure that the ip_conntrack_ftp module is loaded
#---------------------------------------------------------------
#
# --------------INITIAL CONNECT-------------------
#
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 --dport 1024:65535 \
-m state --state NEW,ESTABLISHED -j ACCEPT
# --------------PASSIVE IN --------------------
iptables -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
# ----------------PASV OUT--------------------
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#------------------ACTIVE------------------------------
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# --- Accept connections to the WEBCP control panel ---
#---------------------------------------------------------------
iptables -A INPUT -p tcp --sport 1024:65535 --dport $CP_PORT \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport $CP_PORT --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#----------------------------------------------------------------
# Allow WebMail
#---------------------------------------------------------------
iptables -A INPUT -p tcp --sport 1024:65535 --dport $WEBMAIL_PORT \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport $WEBMAIL_PORT --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# --- ICMP response - The RFCs say to allow ICMP responses
# --- So be prepared to break the rules if you go into stealth mode
#---------------------------------------------------------------
iptables -A INPUT -p icmp -s $DEV_1 -d $NET -j ACCEPT
#---------------------------------------------------------------
# --- Allow the server to ping out to the world
#---------------------------------------------------------------
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
#---------------------------------------------------------------
# --- Drop all other ICMP
#---------------------------------------------------------------
iptables -A INPUT -p icmp -s 0/0 -d $NET -j DROP
#----------------------------------------------------------------
# --- Allow inbound packets if established (wget, lynx, etc.)
#---------------------------------------------------------------
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# reject every other SYN - (Redundant but no harm done)
#---------------------------------------------------------------
#iptables -A INPUT -p tcp --syn -j DROP
|