Newbie question about IPtables script
 

I'm having trouble with all traffic being blocked to my server whenever the ipables service is started (which always happens on a reboot). I have not yet altered any of the default values in IPtables, so I am unsure why this is happening.

I am running CentOS 6.3, and just installed the Plesk firewall GUI module, but have not changed the default settings on that either.

I am perfectly willing to do the weeks of work necessary to learn IPTables etc. but for this moment, I'm pretty desperate just to get it to stop blocking everything and locking me out in the meantime.

Can anyone who is knowledgeable about IPTables look at the following "iptables.save" and let me know what is blocking everything, and point me in the right direction?

I'm sure that if I could just get some initial "mentoring" on this, I could take it from there. I just need some guru to hold my hand a bit at first.

So what I have is this:



So what's killing all communication here???

Traffic got filtered due to something (or somebody ;-p) mucking with the default rule set. This is what /etc/sysconfig/iptables looks like out of the box:
It isn't the most strict or secure rule set but it allows HTTP and SSH traffic among other things.

Thanks! That is very helpful...as well as disturbing to see how much it's been messed up.

I basically need to allow:

- web access (port 80, and https)
- SMTP and POP
- SSH
- FTP
- access to port 3306 *only to the server's own IP*, to enable MySQL via localhost only.


I'll see if I can figure out how to do that, but if you want to help me along a bit in accomplishing that, I'd certainly not be apposed to any added help.

I really want to lock things down very well, but not block the vital ports and services.

Also, how do I apply these settings to IPTables? What is the best way?


Thanks again.

Opening a port on iptables is very easy, i am sure that you have already found out how to do it.

I would just wanted to warn you about port 80 and port 22. Be aware of them, there are a tricky ports.

Also using mapped ports, would be better.

Hi J118,

There is noting wrong with your current configuration. it is not connecting to the server due to missing rules. If you add the rules according to your requirement will solve the issue. I have added the rule for ssh, so you can do it your self for the rest of the requirement.
I added the rule no 1 for logging and 4 for ssh in the input chain. Logging will help you to find out, which rules you need to add to the chains. After the configuration, you can remove the logging rule. But if you are new to iptables, I suggest you to try to install APF or Arno's firewall. That will help you to configure firewall for you.

http://www.rfxn.com/projects/advanced-policy-firewall/
http://rocky.eld.leidenuniv.nl/jooml...d=46&Itemid=77

And also please have a look at the following URL's
http://wiki.centos.org/HowTos/Network/IPTables
http://www.thegeekstuff.com/2011/01/...-fundamentals/
http://www.thegeekstuff.com/2011/03/...utbound-rules/

And also if you are playing with remote server, you can add the following rule in the crontab, so iptables will be restarted every 20 minutes.
then add the rules and save the new rules in to a file..
and if you did anything wrong, you will get the access again after 20 minutes and you can edit this file and restore it with the help of

And why would that be? If you say stuff like that then you should also explain why.


...in a way like one would write ipchains rules. Your SSH rule doesn't use --state NEW like it should and with logging you should use state and rate limiting, maybe you forgot the OP uses a DROP policy.


If one is new to iptables the best suggestion is to use the tools the Linux distribution provides (like http://www.centos.org/docs/5/html/5....-iptables.html) and then get acquainted with Netfilter (like reading the standard http://www.frozentux.net/documents/iptables-tutorial/). Tools like Arno's firewall may come in handy after one acquired basic Netfilter knowledge but generally speaking (not LMD, that's actually useful) using RFx tools lead to brain rot for marketing talk it uses to promote its "features" and a false sense of security for the convoluted, old school approach it takes to filtering. After all it's only a layer on top of things and IMNSHO nothing "special".


The "-i lo" and "-o lo" rules already take care of any localhost traffic:

So you believe that leaving port 22 open on a Server with internet connection is absolutely fine??

I really don't think so!! :tisk:

Also have in mind that the OP is not a "Security Guru"!

Instead of trying to 'tisk' me (epic fail BTW) you could have taken my question as a cue to educate the OP about at least using pubkey auth and fail2ban (or point to http://www.linuxquestions.org/questi...tempts-340366/ of you can't or don't want to)...

Hi UnSpawn,
Kindly accept my apology, if anything wrong....Not arguing..... Just want to say my rule will work with out any issue. [Just now I tested that with out giving the state and rate limit]
In the 3rd rule, it is clearly saying that if the tcp flag not set to SYN (and set FIN,RST,PSH,ACK )and the state is new, it will get rejected. So in the next rule, if the packet, which match packets with the SYN flag set, and the ACK,FIN,RST,PSH are unset and state is NEW,it will allow the ssh. So no need to explicitly specify the --state NEW in the rule and if we don't specify the 4th rule, system will not allow ssh.
But I like your rule as the 4th rule rather that me. While writing the rule, I thought about only ssh not any other service...

Arguing based on facts is always good and yes, you're right: I overlooked the TCP flags! My apologies.
OTOH I still would not recommend it as a way to filter access because it allows access based on a single TCP flag and bypasses conntrack which you already use. Until you face new-not-SYN and other problems I'd suggest (simplified, re-ordered):
or easier to troubleshoot missing access:

Replying with attitude doesn't help. Instead of saying "And why would that be? If you say stuff like that then you should also explain why" , you could have say something like, " Good notice LeoPap, perhaps you would like to explain more on the OP about these ports, and why they are risky?"

Cheers,
Leo

OK, this is starting to make sense to me. I actually find this easier to follow than the dumbed-down Plesk Firewall GUI.

(Thanks for all of your responses above!)

One thing I'm having trouble with though is saving the new script so that it's used each time the server restarts (vital).

When I type:

It says:


Performing a:

Gives me:


So what am I doing wrong??

Note: I don't currently have the iptables service running, as it will lock me out. Also, I am doing this all on a remote server via SSH (if that wasn't already obvious). So any misstep will lock me out and shut down my business for anyone buying my products (which would be very bad).

I need to get this new rule-set saved ASAP, as currently, the next time the server restarts I (and everyone else) will be locked out.

Any help would be much appreciated.

It seems to me that the installation was not completed sucesfully.

restorecon is provided by policycoreutils package. You can try uninstalling and re-installing policycoreutils package and see if you get restorecon file under /sbin

Try to run : yum install policycoreutils

Thanks again for the responses!

Wow, really? This is a dedicated virtual server from a major web host (GoDaddy). Why would policycoreutils be missing? I just reprovisioned the server with the latest install of CentOS 6.3 too.

running:

shows that I have policycoreutils 2.0.83 installed properly.

I don't get it. Is this command not in some path it needs to be in? Or am I needing to be in a certain directory before issuing the command?


Doing a:

Finds nothing.

So if I have to uninstall and reinstall that, will I need to reboot the server? (doing so will lock me out if the new script isn't saved)

I just want to proceed carefully, and make sure I know what I'm doing before uninstalling the policycoreutils

To be honest i don't know if you need to restart your server after installing policycoreutils package. Although i don't believe that you will need to restart your server.

I google you problem and every post i met, says that installing policycoreutils package, is the solution to your problem.
So give it a try and let's hope that everything will work fine.

Don't forget to inform us!