LinuxQuestions.org

Linux - Security: Newbie question about IPtables script (https://www.linuxquestions.org/questions/linux-security-4/newbie-question-about-iptables-script-4175445455/)

j118 01-13-2013 06:13 PM

Newbie question about IPtables script
 
I'm having trouble with all traffic being blocked to my server whenever the iptables service is started (which always happens on a reboot). I have not yet altered any of the default values in IPtables, so I am unsure why this is happening.

I am running CentOS 6.3, and just installed the Plesk firewall GUI module, but have not changed the default settings on that either.

I am perfectly willing to do the weeks of work necessary to learn IPTables etc. but for this moment, I'm pretty desperate just to get it to stop blocking everything and locking me out in the meantime.

Can anyone who is knowledgeable about IPTables look at the following "iptables.save" and let me know what is blocking everything, and point me in the right direction?

I'm sure that if I could just get some initial "mentoring" on this, I could take it from there. I just need some guru to hold my hand a bit at first.

So what I have is this:


Code:

# Generated by iptables-save v1.4.7 on Thu Jan 10 17:45:19 2013
*mangle
:PREROUTING ACCEPT [434:24948]
:INPUT ACCEPT [434:24948]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:8609]
:POSTROUTING ACCEPT [7:8609]
COMMIT
# Completed on Thu Jan 10 17:45:19 2013
# Generated by iptables-save v1.4.7 on Thu Jan 10 17:45:19 2013
*filter
:INPUT DROP [425:24480]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i lo -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Thu Jan 10 17:45:19 2013


So what's killing all communication here???

unSpawn 01-13-2013 07:03 PM

Traffic got filtered due to something (or somebody ;-p) mucking with the default rule set. This is what /etc/sysconfig/iptables looks like out of the box:
Code:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

It isn't the most strict or secure rule set but it allows HTTP and SSH traffic among other things.
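The following audit script is an added example and not code from the thread. It reads an iptables-save dump like the two above and, for every chain in the filter table whose policy is DROP, reports whether any rule in that chain can ACCEPT a new connection at all; the loopback and RELATED,ESTABLISHED rules are not counted, because they only pass traffic for connections that already exist. Run against the OP's dump it flags INPUT, FORWARD and OUTPUT, which is the whole story: with OUTPUT set to DROP and no rule for NEW, the box cannot even start a connection of its own. The first sample dump embedded below is the OP's filter table copied from the post; the second is a constructed variant with one stateful SSH accept added, and the function and its output format are my own.

```shell
#!/bin/sh
# Audit an iptables-save dump for chains that can never admit new traffic.
# Added example (not from the thread). POSIX sh + awk, no root needed.

# audit_filter_table DUMPFILE
# For each chain in *filter with policy DROP, print whether some rule in that
# chain ACCEPTs new connections. Loopback and RELATED,ESTABLISHED accepts are
# ignored because they only pass traffic for connections that already exist.
audit_filter_table() {
    awk '
        # "*filter" -> remember which table we are in
        /^\*/             { table = substr($0, 2); next }
        /^COMMIT/         { table = ""; next }
        table != "filter" { next }
        # ":INPUT DROP [425:24480]" -> chain INPUT, policy DROP
        /^:/ { name = substr($1, 2); policy[name] = $2; order[++n] = name; next }
        /^-A / {
            chain = $2; accepts = 0
            for (i = 3; i <= NF; i++) if ($i == "-j" && $(i + 1) == "ACCEPT") accepts = 1
            if (!accepts) next
            if ($0 ~ /-[io] lo/) next
            if ($0 ~ /--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED)/) next
            opens[chain] = 1
        }
        END {
            for (k = 1; k <= n; k++) {
                c = order[k]
                if (policy[c] != "DROP") continue
                if (c in opens) msg = "has ACCEPT rule(s) for new traffic"
                else            msg = "NO rule accepts new traffic (lock-out)"
                printf "%s: policy DROP, %s\n", c, msg
            }
        }' "$1"
}

# write_sample_dump FILE: the OP's filter table, copied from the first post.
write_sample_dump() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [425:24480]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i lo -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# write_fixed_dump FILE: constructed variant with a stateful SSH accept added
# and OUTPUT left at ACCEPT, so only FORWARD (unused on a non-router) is flagged.
write_fixed_dump() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Demo: audit both embedded dumps.
for mk in write_sample_dump write_fixed_dump; do
    f=$(mktemp); $mk "$f"; echo "== $mk"; audit_filter_table "$f"; rm -f "$f"
done
```

On a live box, `iptables-save > /tmp/dump && sh audit.sh` style use works the same way, and a FORWARD lock-out is expected and harmless on a host that does not route.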

j118 01-13-2013 11:12 PM

Thanks! That is very helpful...as well as disturbing to see how much it's been messed up.

I basically need to allow:

- web access (port 80, and https)
- SMTP and POP
- SSH
- FTP
- access to port 3306 *only to the server's own IP*, to enable MySQL via localhost only.


I'll see if I can figure out how to do that, but if you want to help me along a bit in accomplishing that, I'd certainly not be opposed to any added help.

I really want to lock things down very well, but not block the vital ports and services.

Also, how do I apply these settings to IPTables? What is the best way?


Thanks again.

LeoPap 01-14-2013 03:42 AM

Opening a port on iptables is very easy; I am sure that you have already found out how to do it.

I just wanted to warn you about port 80 and port 22. Be aware of them; they are tricky ports.

Also, using mapped ports would be better.

bijo505 01-14-2013 05:07 AM

Quote:

Originally Posted by j118 (Post 4869299)

Code:

# Generated by iptables-save v1.4.7 on Thu Jan 10 17:45:19 2013
*mangle
:PREROUTING ACCEPT [434:24948]
:INPUT ACCEPT [434:24948]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:8609]
:POSTROUTING ACCEPT [7:8609]
COMMIT
# Completed on Thu Jan 10 17:45:19 2013
# Generated by iptables-save v1.4.7 on Thu Jan 10 17:45:19 2013
*filter
:INPUT DROP [425:24480]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i lo -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Thu Jan 10 17:45:19 2013


Hi J118,

There is nothing wrong with your current configuration. It is not connecting to the server due to missing rules; adding the rules according to your requirements will solve the issue. I have added the rule for SSH, so you can do it yourself for the rest of the requirements.
I added rule no. 1 for logging and rule no. 4 for SSH in the INPUT chain. Logging will help you find out which rules you need to add to the chains. After the configuration, you can remove the logging rule. But if you are new to iptables, I suggest you try installing APF or Arno's firewall. That will help you configure the firewall.

http://www.rfxn.com/projects/advanced-policy-firewall/
http://rocky.eld.leidenuniv.nl/jooml...d=46&Itemid=77

Code:

# Generated by iptables-save v1.3.5 on Mon Jan 14 02:49:03 2013
*filter
:INPUT DROP [1679:575794]
:FORWARD DROP [0:0]
:OUTPUT DROP [34:2378]
# This I added to enable logging.
-A INPUT -j LOG
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
# This is for enabling ssh requests to the server.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Jan 14 02:49:03 2013

And also please have a look at the following URL's
http://wiki.centos.org/HowTos/Network/IPTables
http://www.thegeekstuff.com/2011/01/...-fundamentals/
http://www.thegeekstuff.com/2011/03/...utbound-rules/

And also, if you are playing with a remote server, you can add the following entry to the crontab, so iptables will be restarted every 20 minutes.
Code:

*/20 * * * * /etc/rc.d/init.d/iptables restart
then add the rules and save the new rules into a file:
Code:

iptables-save >/tmp/iptables.txt
and if you did anything wrong, you will get access again after 20 minutes and you can edit this file and restore it with the help of
Code:

iptables-restore < /tmp/iptables.txt
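A safer shape of the same safety net, as an added example that is not from the thread: instead of restarting the iptables service from cron every 20 minutes (which reloads whatever is in /etc/sysconfig/iptables, on this box the very rule set that locks everyone out), the function below snapshots the rules that are currently working, loads the candidate file, and arms a timer that puts the snapshot back unless you confirm from a fresh SSH login that the new rules let you in. iptables-save and iptables-restore are the real tools; the command variables, the function names and the backup path /root/iptables.rollback are my choices, made overridable so the logic can be exercised without root.

```shell
#!/bin/sh
# Apply a candidate rule set with automatic rollback. Added example, not code
# from the thread. Run as root on the server; the variables below can be
# pointed at stand-ins (cat/tee) to try the logic without touching netfilter.

IPT_SAVE=${IPT_SAVE:-iptables-save}          # real tool; overridable for tests
IPT_RESTORE=${IPT_RESTORE:-iptables-restore} # real tool; overridable for tests
BACKUP=${BACKUP:-/root/iptables.rollback}    # assumed location for the snapshot

# apply_with_rollback RULES_FILE GRACE_SECONDS
# Snapshots the live rules, loads RULES_FILE, then starts a background timer
# that restores the snapshot after GRACE_SECONDS. Prints the timer's PID.
apply_with_rollback() {
    rules=$1; grace=$2
    [ -r "$rules" ] || { echo "cannot read $rules" >&2; return 1; }
    $IPT_SAVE > "$BACKUP" || return 1                 # what works right now
    $IPT_RESTORE < "$rules" > /dev/null || return 1   # load the candidate
    ( sleep "$grace"; $IPT_RESTORE < "$BACKUP" ) > /dev/null 2>&1 &
    echo $!
}

# confirm_rules TIMER_PID
# Call this from a *new* SSH session once the candidate rules have let you in.
# Killing the timer's subshell means its restore command never runs.
confirm_rules() {
    kill "$1" 2> /dev/null || true
}

# Usage on the real box (as root):
#   pid=$(apply_with_rollback /root/new.rules 120)
#   ... open a second SSH session; if it connects: confirm_rules "$pid"
#   ... if it does not, wait: after 120 s the previous rules are back.
```

Only after confirm_rules should the candidate file be made permanent (copied to /etc/sysconfig/iptables); until then the live rules are deliberately different from what the init script would load on the next boot.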

unSpawn 01-14-2013 06:48 AM

Quote:

Originally Posted by LeoPap (Post 4869516)
I just wanted to warn you about port 80 and port 22. Be aware of them; they are tricky ports.
Also, using mapped ports would be better.

And why would that be? If you say stuff like that then you should also explain why.


Quote:

Originally Posted by bijo505 (Post 4869552)
I added the rule no 1 for logging and 4 for ssh in the input chain.

...in a way like one would write ipchains rules. Your SSH rule doesn't use --state NEW like it should and with logging you should use state and rate limiting, maybe you forgot the OP uses a DROP policy.


Quote:

Originally Posted by bijo505 (Post 4869552)
if you are new to iptables, I suggest you to try to install APF or Arno's firewall.

If one is new to iptables the best suggestion is to use the tools the Linux distribution provides (like http://www.centos.org/docs/5/html/5....-iptables.html) and then get acquainted with Netfilter (like reading the standard http://www.frozentux.net/documents/iptables-tutorial/). Tools like Arno's firewall may come in handy after one has acquired basic Netfilter knowledge, but generally speaking (not LMD, that's actually useful) using RFx tools leads to brain rot for the marketing talk it uses to promote its "features" and a false sense of security for the convoluted, old school approach it takes to filtering. After all it's only a layer on top of things and IMNSHO nothing "special".


Quote:

Originally Posted by j118 (Post 4869421)
- web access (port 80, and https)
- SMTP and POP
- SSH
- FTP
- access to port 3306 *only to the server's own IP*, to enable MySQL via localhost only.

The "-i lo" and "-o lo" rules already take care of any localhost traffic:
Code:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state INVALID -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 20:22,80,110,143,993,995,443 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m limit --limit 1/s -j LOG --log-prefix "REJECT "
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
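To turn the OP's list into one file, here is an added example (my code, not unSpawn's rule set) that generates an iptables-restore file from two parameters: the TCP ports the world may reach, and the TCP ports that must stay local-only. It keeps the ordering shown above (loopback, conntrack, INVALID, then NEW) and adds two things the thread does not spell out: port 25, since the OP asked for SMTP, and an explicit reject for 3306 arriving on anything but lo, placed before the public ACCEPT so that listing 3306 in the public set by mistake still does not expose MySQL. Function names and the IN_denied log prefix are my choices.

```shell
#!/bin/sh
# Generate an iptables-restore file for a small public server. Added example,
# not the thread's own rule set. Output goes to stdout: review it, load it with
# iptables-restore, then copy it to /etc/sysconfig/iptables.

# valid_port_list LIST: only digits, ':' for ranges and ',' (multiport syntax),
# so a typo cannot become a malformed rule that iptables-restore rejects.
valid_port_list() {
    case $1 in
        '' | *[!0-9:,]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_ruleset PUBLIC_PORTS LOCAL_ONLY_PORTS
#   PUBLIC_PORTS      multiport list, e.g. "20:22,25,80,110,443"
#   LOCAL_ONLY_PORTS  space-separated TCP ports reachable via lo only, e.g. "3306"
build_ruleset() {
    public=$1; local_only=$2
    valid_port_list "$public" || { echo "bad port list: $public" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type any -j ACCEPT
EOF
    # Local-only services are rejected before the public ACCEPT so that listing
    # one of them in PUBLIC_PORTS by mistake does not expose it.
    for p in $local_only; do
        valid_port_list "$p" || { echo "bad port: $p" >&2; return 1; }
        echo "-A INPUT ! -i lo -p tcp -m tcp --dport $p -j REJECT --reject-with tcp-reset"
    done
    cat <<EOF
-A INPUT -p tcp -m tcp -m multiport --dports $public -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -m limit --limit 1/s -j LOG --log-prefix "IN_denied "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo: the OP's requirements (FTP, SSH, SMTP, HTTP, POP3, HTTPS; MySQL local only).
build_ruleset "20:22,25,80,110,443" "3306"
```

The 3306 rule is belt and braces: MySQL should also be told to listen on 127.0.0.1 only, so the service never depends on the firewall for its reachability.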


LeoPap 01-14-2013 07:06 AM

Quote:

Originally Posted by unSpawn (Post 4869596)
And why would that be? If you say stuff like that then you should also explain why.


So you believe that leaving port 22 open on a Server with internet connection is absolutely fine??

I really don't think so!! :tisk:

Also have in mind that the OP is not a "Security Guru"!

unSpawn 01-14-2013 07:59 AM

Quote:

Originally Posted by LeoPap (Post 4869605)
So you believe that leaving port 22 open on a Server with internet connection is absolutely fine??
I really don't think so!! :tisk:

Instead of trying to 'tisk' me (epic fail BTW) you could have taken my question as a cue to educate the OP about at least using pubkey auth and fail2ban (or point to http://www.linuxquestions.org/questi...tempts-340366/ if you can't or don't want to)...

bijo505 01-14-2013 08:10 AM

Quote:

Originally Posted by unSpawn (Post 4869596)
...in a way like one would write ipchains rules. Your SSH rule doesn't use --state NEW like it should and with logging you should use state and rate limiting, maybe you forgot the OP uses a DROP policy.

Hi UnSpawn,
Kindly accept my apology if anything is wrong....Not arguing..... Just want to say my rule will work without any issue. [Just now I tested that without giving the state and rate limit]
Code:

-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
# This is for enabling ssh requests to the server.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

In the 3rd rule, it is clearly saying that if the TCP flag is not set to SYN (and FIN,RST,PSH,ACK are set) and the state is NEW, it will get rejected. So in the next rule, if the packet matches with the SYN flag set, and ACK,FIN,RST,PSH unset, and the state is NEW, it will allow SSH. So there is no need to explicitly specify --state NEW in the rule, and if we don't specify the 4th rule, the system will not allow SSH.
But I like your rule as the 4th rule rather than mine. While writing the rule, I thought about only SSH, not any other service...
Code:

iptables -t filter -I INPUT 4 -m state --state NEW -m tcp -p tcp -m multiport --dports 20:22,80,110,143,993,995,443 -j ACCEPT

unSpawn 01-14-2013 08:36 AM

Quote:

Originally Posted by bijo505 (Post 4869636)
Not arguing (..) In the 3rd rule, it is clearly saying that if the TCP flag is not set to SYN (and FIN,RST,PSH,ACK are set) and the state is NEW, it will get rejected. So in the next rule, if the packet matches with the SYN flag set, and ACK,FIN,RST,PSH unset, and the state is NEW, it will allow SSH. So there is no need to explicitly specify --state NEW in the rule.

Arguing based on facts is always good and yes, you're right: I overlooked the TCP flags! My apologies.
OTOH I still would not recommend it as a way to filter access because it allows access based on a single TCP flag and bypasses conntrack which you already use. Until you face new-not-SYN and other problems I'd suggest (simplified, re-ordered):
Code:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 1/s -j LOG --log-prefix "IN_allowed "
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# etc, etc.

or easier to troubleshoot missing access:
Code:

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -m limit --limit 1/s -j LOG --log-prefix "IN_denied "
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
# etc, etc.


LeoPap 01-14-2013 08:59 AM

Quote:

Originally Posted by unSpawn (Post 4869627)
Instead of trying to 'tisk' me (epic fail BTW) you could have taken my question as a cue to educate the OP about at least using pubkey auth and fail2ban (or point to http://www.linuxquestions.org/questi...tempts-340366/ if you can't or don't want to)...

Replying with attitude doesn't help. Instead of saying "And why would that be? If you say stuff like that then you should also explain why", you could have said something like, "Good notice LeoPap, perhaps you would like to explain more to the OP about these ports, and why they are risky?"

Cheers,
Leo

j118 01-14-2013 10:02 AM

OK, this is starting to make sense to me. I actually find this easier to follow than the dumbed-down Plesk Firewall GUI.

(Thanks for all of your responses above!)

One thing I'm having trouble with though is saving the new script so that it's used each time the server restarts (vital).

When I type:

Code:

# /sbin/service iptables save
It says:

Code:

iptables: Saving firewall rules to /etc/sysconfig/iptables: /etc/init.d/iptables: line 268: restorecon: command not found
                                                          [FAILED]


Performing a:

Code:

# locate iptables
Gives me:

Code:

/bin/iptables-xml
/etc/rc.d/init.d/iptables
/etc/rc.d/rc0.d/K92iptables
/etc/rc.d/rc1.d/K92iptables
/etc/rc.d/rc2.d/S08iptables
/etc/rc.d/rc3.d/S08iptables
/etc/rc.d/rc4.d/S08iptables
/etc/rc.d/rc5.d/S08iptables
/etc/rc.d/rc6.d/K92iptables
/etc/sysconfig/iptables-config
/sbin/iptables
/sbin/iptables-multi
/sbin/iptables-restore
/sbin/iptables-save
/usr/share/doc/iptables-1.4.7
/usr/share/doc/iptables-1.4.7/COPYING
/usr/share/doc/iptables-1.4.7/INCOMPATIBILITIES
/usr/share/doc/iptables-1.4.7/INSTALL
/usr/share/man/man8/iptables-restore.8.gz
/usr/share/man/man8/iptables-save.8.gz
/usr/share/man/man8/iptables-xml.8.gz
/usr/share/man/man8/iptables.8.gz


So what am I doing wrong??

Note: I don't currently have the iptables service running, as it will lock me out. Also, I am doing this all on a remote server via SSH (if that wasn't already obvious). So any misstep will lock me out and shut down my business for anyone buying my products (which would be very bad).

I need to get this new rule-set saved ASAP, as currently, the next time the server restarts I (and everyone else) will be locked out.

Any help would be much appreciated.

LeoPap 01-14-2013 10:08 AM

It seems to me that the installation was not completed successfully.

restorecon is provided by the policycoreutils package. You can try uninstalling and re-installing the policycoreutils package and see if you get the restorecon file under /sbin.

Try to run : yum install policycoreutils

j118 01-14-2013 10:39 AM

Thanks again for the responses!

Wow, really? This is a dedicated virtual server from a major web host (GoDaddy). Why would policycoreutils be missing? I just reprovisioned the server with the latest install of CentOS 6.3 too.

running:

Code:

# yum info
shows that I have policycoreutils 2.0.83 installed properly.

I don't get it. Is this command not in some path it needs to be in? Or am I needing to be in a certain directory before issuing the command?


Doing a:

Code:

# locate restorecon
Finds nothing.

So if I have to uninstall and reinstall that, will I need to reboot the server? (doing so will lock me out if the new script isn't saved)

I just want to proceed carefully, and make sure I know what I'm doing before uninstalling the policycoreutils

LeoPap 01-14-2013 10:43 AM

To be honest I don't know if you need to restart your server after installing the policycoreutils package, although I don't believe that you will need to restart your server.

I googled your problem and every post I found says that installing the policycoreutils package is the solution to your problem.
So give it a try and let's hope that everything will work fine.

Don't forget to inform us!

