LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-28-2007, 09:09 PM   #1
Tom Douglas
Member
 
Registered: Jun 2007
Posts: 90

Rep: Reputation: 15
iptables simple jumps


Hello, guys!

I'm trying to modify iptables on both Fedora 7 and Fedora 8 boxes. My ultimate objective is to screen a set of IP addresses (labeled IP-Input), followed by screening a set of ports (labeled Port-Input).

Just to keep things simple here, I'm trying to jump to IP-Input directly (Line 3 below), then jump from Line 3 to Port-Input on Line 4. When I restart iptables, a failure message points to Line 4. What am I doing wrong here???

If I eliminate any references to IP-Input, it seems to work OK.

/etc/sysconfig/iptables has these excerpts....

:INPUT ACCEPT [0:0]
:IP-Input - [0:0]
-A INPUT -j Port-Input
-A IP-Input -j Port-Input # Line of error
:Port-Input - [0:0]
-A Port-Input -i lo -j ACCEPT
-A Port-Input -i eth+ -j ACCEPT

I did learn from this website how to log access attempts -- really useful!

Thanks much!

Tom D.
 
Old 12-28-2007, 10:02 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by Tom Douglas
:INPUT ACCEPT [0:0]
:IP-Input - [0:0]
-A INPUT -j Port-Input
-A IP-Input -j Port-Input # Line of error
:Port-Input - [0:0]
-A Port-Input -i lo -j ACCEPT
-A Port-Input -i eth+ -j ACCEPT
I would think the problem is that you are asking for a jump to a chain that doesn't exist yet at that moment. BTW, are you manually editing your iptables config file? If so, why? FWIW, here are a couple of examples based on what you said:

Example 1
Code:
$IPT -N FILTER_BAD_IPS
$IPT -N FILTER_BAD_PORTS

$IPT -A FILTER_BAD_IPS -s 123.123.123.123 -j DROP
$IPT -A FILTER_BAD_IPS -s 234.234.234.234 -j DROP
$IPT -A FILTER_BAD_IPS -s 345.345.345.345 -j DROP

$IPT -A FILTER_BAD_PORTS -p TCP --dport 123 -j DROP
$IPT -A FILTER_BAD_PORTS -p TCP --dport 234 -j DROP
$IPT -A FILTER_BAD_PORTS -p TCP --dport 345 -j DROP

$IPT -A INPUT -j FILTER_BAD_IPS
$IPT -A INPUT -j FILTER_BAD_PORTS

Example 2
Code:
$IPT -N CHECK_BAD_IPS
$IPT -N FILTER_BAD_PORTS
$IPT -N FILTER_BAD_COMBOS

$IPT -A CHECK_BAD_IPS -s 123.123.123.123 -j FILTER_BAD_PORTS
$IPT -A CHECK_BAD_IPS -s 234.234.234.234 -j FILTER_BAD_PORTS
$IPT -A CHECK_BAD_IPS -s 345.345.345.345 -j FILTER_BAD_PORTS

$IPT -A FILTER_BAD_PORTS -p TCP --dport 123 -j DROP
$IPT -A FILTER_BAD_PORTS -p TCP --dport 234 -j DROP
$IPT -A FILTER_BAD_PORTS -p TCP --dport 345 -j DROP

$IPT -A FILTER_BAD_COMBOS -j CHECK_BAD_IPS

$IPT -A INPUT -j FILTER_BAD_COMBOS
Both examples assume you have your INPUT policy set to ACCEPT. So any packet which doesn't get sent to DROP by one of the rules will get sent to ACCEPT by the policy. In the first example, a packet will need to be either from a bad IP address OR destined for an unauthorized port in order for it to be filtered. In the second example, a packet will need to be both from a bad IP address AND destined for an unauthorized port. If you have any questions just ask.

Last edited by win32sux; 12-28-2007 at 10:47 PM.
 
Old 12-31-2007, 09:21 AM   #3
Tom Douglas
Member
 
Registered: Jun 2007
Posts: 90

Original Poster
Rep: Reputation: 15
Quote:
I would think the problem is that you are asking for a jump to a chain that doesn't exist yet at that moment.
So I'd need to define from the command prompt? ...As opposed to putting it directly into iptables?

Quote:
are you manually editing your iptables config file? If so, why?
I'm manually editing iptables because I haven't found the file that "IPT -A FILTER_BAD_IPS -s...", etc. go to. I know that the resulting table can be listed (iptables -L). I suppose I could set up a script to have run upon boot.

Is editing the iptables file itself not the correct way? Wouldn't the command line entries get purged every time I restart iptables? I'd want to hang on to them.

Quote:
$IPT -N FILTER_BAD_IPS
$IPT -N FILTER_BAD_PORTS

$IPT -A FILTER_BAD_IPS -s 123.123.123.123 -j DROP
$IPT -A FILTER_BAD_IPS -s 234.234.234.234 -j DROP
...
This example looks like we're DROPing specific IP addresses -- is this true?

I need to ACCEPT very few specific IP addresses on my private LAN, and DROP the rest. Just because I'm paranoid.

Tom D.
 
Old 12-31-2007, 10:16 AM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by Tom Douglas
So I'd need to define from the command prompt? ...As opposed to putting it directly into iptables?

I'm manually editing iptables because I haven't found the file that "IPT -A FILTER_BAD_IPS -s...", etc. go to.
When you execute iptables commands, they only change your active configuration - no file is edited.

Quote:
I know that the resulting table can be listed (iptables -L).
Yes, you view your active configuration like that.

Quote:
I suppose I could set up a script to have run upon boot.
You could, but you don't need to - see below.

Quote:
Is editing the iptables file itself not the correct way? Wouldn't the command line entries get purged every time I restart iptables? I'd want to hang on to them.
The kosher way of going about this is to use iptables to set everything up the way you want it (active configuration). Then, once you know you have everything set right, you proceed to save the active configuration so that it will be loaded automatically every startup. To save your configuration you can use either of these two commands:
Code:
service iptables save
Code:
iptables-save > /etc/sysconfig/iptables
Both of these commands will properly populate your config file.

IMHO you should never manually edit the configuration file - no matter what any tutorial might say.

Quote:
This example looks like we're DROPing specific IP addresses -- is this true?
Yes, we are sending to DROP any packets with those source addresses.

Quote:
I need to ACCEPT very few specific IP addresses on my private LAN, and DROP the rest.
I assume this means you want to allow incoming connections from certain IPs on your LAN - while denying any incoming connections from any other IPs. This can be done as follows.
Code:
$IPT -P INPUT DROP
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
This example above denies any incoming connections whatsoever. We are only sending to ACCEPT packets which are in state RELATED or ESTABLISHED - essentially, packets which are a part of existing connections (or separate connections which were required). Any packets which are not in either of those states will get sent to DROP when they run into the chain's policy. So we basically just need to make ACCEPT rules for the IPs we wish to make exceptions for:
Code:
$IPT -P INPUT DROP
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -s 192.168.1.123 -m state --state NEW -j ACCEPT
$IPT -A INPUT -s 192.168.1.234 -m state --state NEW -j ACCEPT
Now there are two IPs which are allowed to start connections to us. When these IPs try to start a connection with us, their first packets will be of state NEW (and will be sent to ACCEPT) - their subsequent packets (of a particular connection) will be either of state RELATED or ESTABLISHED (and will be sent to ACCEPT). Any non-local packets (regardless of source address) of state INVALID will get sent to DROP by our policy, since they won't match any rule.

Quote:
Just because I'm paranoid.
Welcome to the club!

Last edited by win32sux; 12-31-2007 at 10:40 AM.
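The two chain layouts in reply #2 (bad IP OR bad port versus bad IP AND bad port) and the default-deny allowlist in this reply are easiest to understand by walking a packet through the chains by hand. The following is an added example, not code from the thread or from win32sux: a small Python simulator of first-match evaluation that reads both the `$IPT -A ...` shell form used in the replies and the `:CHAIN`/`-A` save-file form of /etc/sysconfig/iptables. The rule sets at the bottom are transcriptions of the replies with RFC 5737 documentation addresses standing in for the placeholder IPs, and only the matches the thread uses (`-s`, `-p`, `--dport`, `-i`, `-m state --state`) are supported.

```python
import ipaddress
import shlex
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dport: int = 0
    proto: str = "tcp"
    iface: str = "eth0"
    state: str = "NEW"   # conntrack state: NEW, ESTABLISHED, RELATED or INVALID

def parse_rule(tok):
    """Turn the option tokens of one -A rule into ({option: value}, target)."""
    conv = {"-s": lambda a: ipaddress.ip_network(a, strict=False), "-p": str.lower,
            "--dport": int, "-i": str, "--state": lambda a: set(a.split(","))}
    match, target = {}, None
    for opt, arg in zip(tok[::2], tok[1::2]):
        if opt == "-j":
            target = arg
        elif opt in conv:
            match[opt] = conv[opt](arg)
        elif opt != "-m":   # "-m state" only loads the module; --state carries the test
            raise ValueError(f"unsupported option {opt}")
    return match, target

def load_rules(text):
    """Return (policies, chains) from shell-style or save-file lines; INPUT starts as ACCEPT."""
    policies, chains = {"INPUT": "ACCEPT"}, {"INPUT": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line in ("*filter", "COMMIT"):
            continue
        if line.startswith(":"):   # save-file form ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            if policy != "-":
                policies[name] = policy
            continue
        tok = shlex.split(line)
        tok = tok[1:] if tok[0] in ("$IPT", "iptables") else tok   # shell form in the replies
        if tok[0] == "-N":
            chains[tok[1]] = []
        elif tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif tok[0] == "-A" and tok[1] in chains:
            chains[tok[1]].append(parse_rule(tok[2:]))
        else:
            raise ValueError(f"unsupported or out-of-order line: {line}")
    return policies, chains

def matches(m, pkt):
    """True when every match clause of the rule holds for the packet."""
    if "-s" in m and ipaddress.ip_address(pkt.src) not in m["-s"]:
        return False
    if m.get("-p", pkt.proto) != pkt.proto or m.get("--dport", pkt.dport) != pkt.dport:
        return False
    pat = m.get("-i", pkt.iface)   # "eth+" is the iptables prefix wildcard
    if not (pkt.iface.startswith(pat[:-1]) if pat.endswith("+") else pkt.iface == pat):
        return False
    return pkt.state in m.get("--state", {pkt.state})

def verdict(policies, chains, pkt, chain="INPUT"):
    """First matching rule wins. None means a user chain ran out of rules (implicit RETURN)."""
    for m, target in chains[chain]:
        if not matches(m, pkt):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        sub = verdict(policies, chains, pkt, target)   # jump into a user chain
        if sub is not None:
            return sub
    return policies.get(chain)   # built-in chain: its policy; user chain: None

def decide(rules, pkt):
    return verdict(*load_rules(rules), pkt)

# Constructed transcriptions of the rule sets in the replies; RFC 5737 addresses replace the placeholders.
OR_RULES = """$IPT -N FILTER_BAD_IPS
$IPT -N FILTER_BAD_PORTS
$IPT -A FILTER_BAD_IPS -s 192.0.2.10 -j DROP
$IPT -A FILTER_BAD_PORTS -p TCP --dport 23 -j DROP
$IPT -A INPUT -j FILTER_BAD_IPS
$IPT -A INPUT -j FILTER_BAD_PORTS
"""
AND_RULES = """$IPT -N CHECK_BAD_IPS
$IPT -N FILTER_BAD_PORTS
$IPT -N FILTER_BAD_COMBOS
$IPT -A CHECK_BAD_IPS -s 192.0.2.10 -j FILTER_BAD_PORTS
$IPT -A FILTER_BAD_PORTS -p TCP --dport 23 -j DROP
$IPT -A FILTER_BAD_COMBOS -j CHECK_BAD_IPS
$IPT -A INPUT -j FILTER_BAD_COMBOS
"""
LAN_RULES = """$IPT -P INPUT DROP
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -s 192.168.1.123 -m state --state NEW -j ACCEPT
"""
```

`decide(AND_RULES, Packet("192.0.2.10", 80))` returns ACCEPT: the packet enters FILTER_BAD_PORTS, matches nothing there, falls back out through CHECK_BAD_IPS and FILTER_BAD_COMBOS, and ends up at INPUT's ACCEPT policy; the same packet under OR_RULES is dropped by the first jump. Under LAN_RULES a NEW packet from an unlisted address and an INVALID packet from a listed one both reach the DROP policy, while an ESTABLISHED packet from anywhere is accepted by the first rule. The save-file form from the original post (`:Port-Input - [0:0]`, `-A Port-Input -i eth+ -j ACCEPT`) loads the same way.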
 
Old 01-01-2008, 01:01 PM   #5
Tom Douglas
Member
 
Registered: Jun 2007
Posts: 90

Original Poster
Rep: Reputation: 15
Thanks for that great tutorial. Looks like it's well worth my pondering over. Much appreciated.

Quote:
Code:
:INPUT ACCEPT [0:0]
:IP-Input - [0:0]
-A INPUT -j Port-Input
-A IP-Input -j Port-Input # Line of error
:Port-Input - [0:0]
-A Port-Input -i lo -j ACCEPT
-A Port-Input -i eth+ -j ACCEPT
I would think the problem is that you are asking for a jump to a chain that doesn't exist yet at that moment.
Yes, you are right about that. I moved that one label up and the whole mess now works... problem solved.

Code:
:INPUT ACCEPT [0:0]
:IP-Input - [0:0]
:Port-Input - [0:0]  # <-- Label relocated here
-A INPUT -j Port-Input
-A IP-Input -j Port-Input
#:Port-Input - [0:0]  <-- Label was here
-A Port-Input -i lo -j ACCEPT
-A Port-Input -i eth+ -j ACCEPT
Thanks a bunch! Happy New 2008!

Tom D.
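The fix above is a declaration-order problem, and that class of mistake is cheap to catch before restarting iptables. As an added example (not from the thread), here is a small Python checker for an iptables-save style file: it walks the file top to bottom and reports every `-A` or `-j` that names a chain whose `:` line has not appeared yet, starting over at each `*table` header. It is stricter than the loader in that it flags every such reference, so on the broken excerpt it reports lines 3 and 4, both of which jump to Port-Input before `:Port-Input`. The two rule texts are constructed copies of the excerpts posted above.

```python
import shlex

# Targets that are not user chains, so a jump to them needs no ':' declaration.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "QUEUE",
                   "MASQUERADE", "SNAT", "DNAT", "REDIRECT"}

def check_chain_order(text):
    """Return one message per rule line that names a chain not yet declared above it."""
    declared, errors = set(), []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # iptables-save treats '#' as a comment
        if not line or line == "COMMIT":
            continue
        if line.startswith("*"):              # new table section: chain names start over
            declared = set()
            continue
        if line.startswith(":"):              # ":NAME POLICY [pkts:bytes]" declares NAME
            declared.add(line[1:].split()[0])
            continue
        tok = shlex.split(line)
        if len(tok) > 1 and tok[0] == "-A" and tok[1] not in declared:
            errors.append(f"line {n}: -A {tok[1]} but ':{tok[1]}' has not been declared yet")
        if "-j" in tok:
            target = tok[tok.index("-j") + 1]
            if target not in BUILTIN_TARGETS and target not in declared:
                errors.append(f"line {n}: -j {target} but ':{target}' has not been declared yet")
    return errors

# Constructed copies of the two excerpts posted above: the failing one and the fixed one.
BROKEN = """
:INPUT ACCEPT [0:0]
:IP-Input - [0:0]
-A INPUT -j Port-Input
-A IP-Input -j Port-Input
:Port-Input - [0:0]
-A Port-Input -i lo -j ACCEPT
-A Port-Input -i eth+ -j ACCEPT
"""
FIXED = """
:INPUT ACCEPT [0:0]
:IP-Input - [0:0]
:Port-Input - [0:0]
-A INPUT -j Port-Input
-A IP-Input -j Port-Input
-A Port-Input -i lo -j ACCEPT
-A Port-Input -i eth+ -j ACCEPT
"""

if __name__ == "__main__":
    import sys
    # With a path argument, check that file; otherwise demonstrate on the broken excerpt.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN
    print("\n".join(check_chain_order(text)) or "every chain is declared before it is used")
```

Run it as `python check_chains.py /etc/sysconfig/iptables` (the file name is an assumption) before `service iptables restart`; an empty result means every chain referenced by a rule was declared earlier in the same table.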
 
Old 01-05-2008, 11:24 AM   #6
Tom Douglas
Member
 
Registered: Jun 2007
Posts: 90

Original Poster
Rep: Reputation: 15
Now that I have iptables running to pass a few specific IP addresses, I find that addresses 0.0.0.0 and 255.255.255.255 are being rejected. I suspect this is coming from my WinXP machine.

Are these supposed to be useful addresses?

Should I be expecting 192.168.1.0 and 192.168.1.255 for broadcast and unicast? I'm not passing these in iptables, and I'm not showing these bouncing either.

Tom D.
 
Old 01-05-2008, 11:40 AM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by Tom Douglas
Now that I have iptables running to pass a few specific IP addresses, I find that addresses 0.0.0.0 and 255.255.255.255 are being rejected. I suspect this is coming from my WinXP machine.

Are these supposed to be useful addresses?

Should I be expecting 192.168.1.0 and 192.168.1.255 for broadcast and unicast? I'm not passing these in iptables, and I'm not showing these bouncing either.
We need to see your active configuration in order to know what is happening.

Please post the output of:
Code:
iptables -nvL
Also post a few relevant samples from the log file if possible. Thanks.

PS: It's pretty common to get broadcasts in your log file - many people just filter them out with a DROP rule in order to avoid clutter. That is, of course, unless you actually need them. That said, the "0.0.0.0" seems pretty interesting.

Last edited by win32sux; 01-05-2008 at 11:42 AM.
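Before posting log samples, it helps to know which entries are ordinary LAN noise and which deserve a closer look. The following is an added example, not from the thread: a Python triage helper that parses the kernel's iptables LOG line format (the `IN=... SRC=... DST=... PROTO=... DPT=...` key/value pairs), counts entries by destination kind, and flags sources worth attention: 0.0.0.0, which an IPv4 host may use as a source only while it has no address of its own, a broadcast address appearing as a source, and anything from outside the LAN. The four log lines are constructed samples for a host on 192.168.1.0/24, not Tom's logs, and the LAN prefix is a parameter.

```python
import ipaddress
import re

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")   # kernel LOG lines are space-separated KEY=VALUE pairs
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")

def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict (empty if it is not one)."""
    fields = dict(FIELD.findall(line))
    return fields if "SRC" in fields and "DST" in fields else {}

def classify_source(src, lan):
    """Label a source address relative to the local network `lan`."""
    ip = ipaddress.ip_address(src)
    if ip.is_unspecified:              # 0.0.0.0: the sender has no address of its own (yet)
        return "unspecified-source"
    if ip in (LIMITED_BCAST, lan.broadcast_address):
        return "broadcast-source"      # never legitimate as a source; worth a look
    return "lan" if ip in lan else "outside-lan"

def classify_destination(dst, lan):
    """Label a destination as unicast, multicast, or (limited or directed) broadcast."""
    ip = ipaddress.ip_address(dst)
    if ip in (LIMITED_BCAST, lan.broadcast_address):
        return "broadcast"
    return "multicast" if ip.is_multicast else "unicast"

def triage(text, lan="192.168.1.0/24"):
    """Count LOG entries by destination kind and collect the ones whose source deserves a look."""
    net = ipaddress.ip_network(lan)
    summary = {"unicast": 0, "broadcast": 0, "multicast": 0, "flagged": []}
    for line in text.splitlines():
        f = parse_log_line(line)
        if not f:
            continue
        summary[classify_destination(f["DST"], net)] += 1
        kind = classify_source(f["SRC"], net)
        if kind != "lan":
            summary["flagged"].append((f["SRC"], f["DST"], f.get("PROTO"), f.get("DPT"), kind))
    return summary

# Constructed sample lines in the kernel's iptables LOG format (not taken from the thread).
SAMPLE = """
Jan  5 10:01:02 box kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=1 PROTO=UDP SPT=68 DPT=67 LEN=308
Jan  5 10:01:03 box kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.20 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=2 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan  5 10:01:04 box kernel: IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  5 10:01:05 box kernel: IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=198.51.100.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, two entries are broadcasts (one to 255.255.255.255, one to the subnet's 192.168.1.255) and two are unicast; the flagged list holds the 0.0.0.0 source and the one address from outside the LAN, which are the lines worth quoting in a reply, while the broadcast from 192.168.1.20 is the kind of clutter the post above suggests dropping without logging.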
 