LinuxQuestions.org

Linux - Security: Need help in ipTables script (https://www.linuxquestions.org/questions/linux-security-4/need-help-in-iptables-script-813390/)

alee 06-10-2010 12:30 PM

Need help in ipTables script
 
I have a small network within the organization. For simplicity, consider that I have 3 systems.

System 1: 192.168.1.10 - acting as webserver
System 2: 192.168.1.1 - acting as firewall
The webserver and firewall are connected through the eth1 interface.

System 3: 192.168.2.10 - any random system which is connected to the firewall through the eth0 interface. The eth0 on the firewall machine (system 2) is configured with the IP 192.168.2.1.

I have added the following command to let the traffic go through from eth0 to eth1:
Code:

echo 1 > /proc/sys/net/ipv4/ip_forward
Everything is working fine; each system can ping each other.

Now, I want to incorporate some firewall rules.
1: System 1 (webserver) can only access firewall through SSH.
2: Ping to any machine is disabled.
3: Any traffic from eth0 to eth1 is allowed only when it is for ssh, pop3, http or https.

For these things I configured the following iptables script:
Code:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -p tcp -s 192.168.1.10 -d 192.168.1.1 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j LOG --log-prefix "SSH " --log-level 4
-A INPUT -p tcp -s 192.168.1.10 -d 192.168.1.1 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -s 192.168.1.1  -d 192.168.1.10 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

### ALLOWING SSH, HTTP, HTTPS, POP3 ACCESS AND LOGGING ###
-A FORWARD -s 0/0 -i eth1 -d 192.168.1.10 -o eth0 -p TCP -m multiport --dports 80,443,110,22 -j LOG --log-prefix "80,443,110,22 " --log-level 4
-A FORWARD -s 0/0 -i eth1 -d 192.168.1.10 -o eth0 -p TCP -m multiport --dports 80,443,110,22 -j ACCEPT
-A FORWARD -d 0/0 -o eth1 -s 192.168.1.10 -i eth0 -p TCP -m state --state ESTABLISHED -j ACCEPT

### DROPPING ALL OTHER PACKETS AND LOGGING ###
-A INPUT -j LOG --log-prefix "DROP " --log-level 4
-A INPUT -j DROP
-A OUTPUT -j DROP

COMMIT

Now the thing is, it's not working the way I want it to. If I enable the last lines (drop all packets), pings to all machines are stopped and I can't even access the webserver on eth1 from any of the machines on eth0. I am trying to go through different iptables tutorials but I can't figure out what I am doing wrong. Could someone guide me here?

Jim Bengtson 06-10-2010 01:47 PM

I'm no expert but I think you have it backwards. Put the last four lines (counting the comment) at the BEGINNING of the script, so that the first thing it does is drop all packets. Then follow with the rules that enable packets on specific ports to/from specific IP addresses.

alee 06-10-2010 05:09 PM

I can try that tomorrow, but I will wait until I get some comment from an iptables expert. Thanks anyway.

anomie 06-10-2010 05:41 PM

@alee: At a glance, I think you're missing some important rules:

Code:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT

The first two allow connections to "keep state" after the initial handshake completes. The third allows all loopback traffic.

To allow all icmp traffic:

Code:

-A INPUT -p icmp -j ACCEPT
Note that you can restrict this by icmp type (e.g. echo-request). See the iptables(8) manpages.

---

@Jim Bengtson: You may be thinking of a different packet filtering firewall (like PF). The iptables/netfilter processing is "first match wins".

alee 06-11-2010 02:32 PM

Okay, I have made the following changes to my script, but I still can't achieve the desired result:

Code:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

### DROPPING ALL OTHER PACKETS AND LOGGING ###
-A INPUT -j LOG --log-prefix "DROP " --log-level 4
-A INPUT -j DROP
-A OUTPUT -j DROP


-A INPUT -p tcp -s 192.168.1.10 -d 192.168.1.1 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j LOG --log-prefix "SSH " --log-level 4
-A INPUT -p tcp -s 192.168.1.10 -d 192.168.1.1 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -p tcp -s 192.168.1.1  -d 192.168.1.10 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

### ALLOWING SSH, HTTP, HTTPS, POP3 ACCESS AND LOGGING ###
-A FORWARD -s 0/0 -i eth1 -d 192.168.1.10 -o eth0 -p TCP -m multiport --dports 80,443,110,22 -j LOG --log-prefix "80,443,110,22 " --log-level 4
-A FORWARD -s 0/0 -i eth1 -d 192.168.1.10 -o eth0 -p TCP -m multiport --dports 80,443,110,22 -j ACCEPT
-A FORWARD -d 0/0 -o eth1 -s 192.168.1.10 -i eth0 -p TCP -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

COMMIT

Is the order of the rules wrong, or what? I am stuck :s

anomie 06-11-2010 03:10 PM

So you made those changes and then loaded the new rules?

I'm not sure how other folks manage their rulesets, but I think it would be best to not edit /etc/sysconfig/iptables directly. (Notice the commented text at the top to that effect.)

As one example of how you might better manage your ruleset, you could keep a bash script that flushes / loads chains when run, a la:
Code:

#!/bin/bash

# When finished editing and testing, remember to run:
#  $ sudo /etc/init.d/iptables save

cmd='/sbin/iptables'

# flush
${cmd} -F

##### INPUT CHAIN #####

# standard stuff - loopback and stateful
${cmd} -A INPUT -i lo -j ACCEPT
${cmd} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow in ssh
${cmd} -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# allow in https
${cmd} -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# allow pings in
${cmd} -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# default deny!
${cmd} -A INPUT -j DROP

##### OUTPUT CHAIN #####

#

##### FORWARD CHAIN #####

# just DROP everything by policy
${cmd} -P FORWARD DROP

exit 0

-------

Troubleshooting your borked ruleset (i.e. the topic of this thread) is another story. Are you familiar with tcpdump and/or do you have a cursory understanding about IP, TCP, and UDP? If so, I have a couple suggestions. If not, I don't have an easy approach (short of hand holding).

alee 06-11-2010 04:01 PM

I would be happy to read those suggestions.

alee 06-11-2010 04:04 PM

Okay, this might be a silly question, but I just checked

Code:

vi /etc/init.d/iptables
and it opened a file with lots of code. I am not sure now. Should I put your shared code in that file and run it (how?), or should I overwrite the content of the file I opened above with your shared code :s

I am not a pro in Linux either :$

anomie 06-12-2010 12:06 PM

Do not edit /etc/init.d/iptables in any way.

Here's a sample starting point for you. I whipped this together and it is completely untested. (i.e. Use at your own risk.) It relies on a couple assumptions on my part, and on snippets from the ruleset you posted.

Code:

#!/bin/bash

# When finished editing and testing, remember to run:
#  $ sudo /etc/init.d/iptables save

cmd='/sbin/iptables'


# set policies so that we don't get accidentally locked out
for I in INPUT OUTPUT FORWARD ; do
  ${cmd} -P ${I} ACCEPT
done

# flush
${cmd} -F


##### INPUT CHAIN #####

# standard stuff - loopback and stateful
${cmd} -A INPUT -i lo -j ACCEPT
${cmd} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow in ssh
${cmd} -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 \
  -s 192.168.1.10 -d 192.168.1.1 -j ACCEPT

# allow pings in
${cmd} -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# default deny!
${cmd} -A INPUT -j DROP


##### FORWARD CHAIN #####

# standard stuff - stateful
${cmd} -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

${cmd} -A FORWARD -s 0/0 -i eth1 -d 192.168.1.10 -o eth0 -p TCP \
  -m multiport --dports 80,443,110,22 -j LOG --log-prefix "80,443,110,22 " \
  --log-level 4
${cmd} -A FORWARD -s 0/0 -i eth1 -d 192.168.1.10 -o eth0 -p TCP \
  -m multiport --dports 80,443,110,22 -j ACCEPT
${cmd} -A FORWARD -d 0/0 -o eth1 -s 192.168.1.10 -i eth0 -p TCP \
  -m state --state ESTABLISHED -j ACCEPT

# default deny!
${cmd} -A FORWARD -j DROP



exit 0

Save/run that script as root:
Code:

# chmod 700 fw-rules.bash
# ./fw-rules.bash

If it produces no errors, next run:
Code:

# /etc/init.d/iptables save
That's it. You've activated and saved your ruleset. Any time you want to make changes, edit fw-rules.bash and repeat the above steps.

-------

If you're still not getting the behavior you'd expect, in future posts include the output of iptables -nvL or iptables-save for others to review.
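An added example (not code from this thread or from any poster) that turns alee's three requirements into a script in the layout anomie suggests. It assumes the topology exactly as the first post states it, clients on eth0 and the webserver 192.168.1.10 on eth1, so its FORWARD rules use -i eth0 -o eth1 rather than the -i eth1 -o eth0 of the posted ruleset; the IPT variable, the dry-run mode and the count_rules helper are this example's own.

```shell
#!/bin/bash
# Added example, not code from this thread. Rules for the topology alee
# describes (clients behind eth0, webserver 192.168.1.10 behind eth1), laid
# out as a re-runnable script as anomie suggests. Set IPT=echo for a dry run.
set -eu
IPT="${IPT:-/sbin/iptables}"
WEB=192.168.1.10        # webserver, reached via eth1
FW_ETH1=192.168.1.1     # firewall address on the webserver side
LAN_IF=eth0             # client side (192.168.2.0/24)
SRV_IF=eth1             # webserver side

apply_rules() {
  # Open the policies before flushing so a re-run never locks us out mid-way.
  for chain in INPUT OUTPUT FORWARD; do "$IPT" -P "$chain" ACCEPT; done
  "$IPT" -F
  ##### INPUT: traffic addressed to the firewall itself #####
  # netfilter stops at the first matching rule, so the stateful ACCEPT
  # goes first and the catch-all LOG+DROP goes last.
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Requirement 1: the webserver reaches the firewall over SSH only.
  "$IPT" -A INPUT -i "$SRV_IF" -s "$WEB" -d "$FW_ETH1" -p tcp --dport 22 \
    -m state --state NEW -j ACCEPT
  # Requirement 2: no ICMP ACCEPT here, so pings to the firewall are dropped.
  "$IPT" -A INPUT -j LOG --log-prefix "INPUT DROP " --log-level 4
  "$IPT" -A INPUT -j DROP

  ##### OUTPUT: left open, except the firewall may not ping out (req. 2) #####
  "$IPT" -A OUTPUT -p icmp --icmp-type echo-request -j DROP

  ##### FORWARD: traffic routed from eth0 to eth1 and back #####
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Requirement 3: eth0 -> eth1 only for ssh, http, pop3, https to the webserver.
  "$IPT" -A FORWARD -i "$LAN_IF" -o "$SRV_IF" -d "$WEB" -p tcp \
    -m multiport --dports 22,80,110,443 -m state --state NEW \
    -j LOG --log-prefix "FWD NEW " --log-level 4
  "$IPT" -A FORWARD -i "$LAN_IF" -o "$SRV_IF" -d "$WEB" -p tcp \
    -m multiport --dports 22,80,110,443 -m state --state NEW -j ACCEPT
  # Everything else, ping through the firewall included, is logged and dropped.
  "$IPT" -A FORWARD -j LOG --log-prefix "FORWARD DROP " --log-level 4
  "$IPT" -A FORWARD -j DROP
}

# Number of rules the script appends; a cheap sanity check after a dry run.
count_rules() { IPT=echo apply_rules | grep -c '^-A '; }

case "${1:-}" in
  apply)   apply_rules ;;           # run as root to load the rules
  dry-run) IPT=echo apply_rules ;;  # only print the iptables commands
esac
```

Run `./fw-rules.bash dry-run` to print the commands it would issue, and `./fw-rules.bash apply` as root followed by `/etc/init.d/iptables save` to load and persist them.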

alee 06-15-2010 11:59 AM

With a little modification, it worked. Thanks :)
