LinuxQuestions.org

Linux - Security: When active, iptables drops ALL traffic (http://www.linuxquestions.org/questions/showthread.php?t=4175446081)

Brambo 01-17-2013 04:31 PM

When active, iptables drops ALL traffic
 
Hello,

I have a small server at home running CentOS. However, when I fire up iptables, it drops ALL traffic. When iptables is shut down, all traffic is allowed. I can't figure out what is going wrong. Only ports 80, 20, 21, 22, 443 and 8443 should be allowed in. All other incoming traffic should be blocked.

Here is my iptables config:

Code:

Chain INPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
REJECT    tcp  --  anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP      all  --  anywhere            anywhere            state INVALID
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:12443
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:11443
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:11444
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:8447
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:pcsync-https
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:cddbp-alt
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:http
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:https
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ftp
ACCEPT    tcp  --  localhost            anywhere            tcp dpt:ssh
ACCEPT    tcp  --  [HOSTNAME]      anywhere            tcp dpt:ssh
DROP      tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:submission
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:smtp
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:urd
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:pop3
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:pop3s
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:imap
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:imaps
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:poppassd
ACCEPT    tcp  --  localhost            anywhere            tcp dpt:mysql
ACCEPT    tcp  --  [HOSTNAME]      anywhere            tcp dpt:mysql
ACCEPT    tcp  --  [HOSTNAME]  anywhere            tcp dpt:mysql
ACCEPT    tcp  --  [HOSTNAME] anywhere            tcp dpt:mysql
ACCEPT    tcp  --  [HOSTNAME]  anywhere            tcp dpt:mysql
ACCEPT    tcp  --  [HOSTNAME]  anywhere            tcp dpt:mysql
DROP      tcp  --  anywhere            anywhere            tcp dpt:mysql
ACCEPT    tcp  --  localhost            anywhere            tcp dpt:postgres
ACCEPT    tcp  --  [HOSTNAME]        anywhere            tcp dpt:postgres
ACCEPT    tcp  --  [HOSTNAME] anywhere            tcp dpt:postgres
ACCEPT    tcp  --  [HOSTNAME]  anywhere            tcp dpt:postgres
ACCEPT    tcp  --  [HOSTNAME]  anywhere            tcp dpt:postgres
ACCEPT    tcp  --  [HOSTNAME]  anywhere            tcp dpt:postgres
DROP      tcp  --  anywhere            anywhere            tcp dpt:postgres
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ogs-server
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:glrpc
DROP      udp  --  anywhere            anywhere            udp dpt:netbios-ns
DROP      udp  --  anywhere            anywhere            udp dpt:netbios-dgm
DROP      tcp  --  anywhere            anywhere            tcp dpt:netbios-ssn
DROP      tcp  --  anywhere            anywhere            tcp dpt:microsoft-ds
DROP      udp  --  anywhere            anywhere            udp dpt:openvpn
ACCEPT    udp  --  anywhere            anywhere            udp dpt:domain
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:domain
ACCEPT    udp  --  anywhere            anywhere           
ACCEPT    tcp  --  anywhere            anywhere           
ACCEPT    icmp --  localhost            anywhere            icmp type 8 code 0
DROP      icmp --  anywhere            anywhere            icmp type 8 code 0
DROP      all  --  anywhere            anywhere           

Chain FORWARD (policy DROP)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
REJECT    tcp  --  anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP      all  --  anywhere            anywhere            state INVALID
ACCEPT    all  --  anywhere            anywhere           
DROP      all  --  anywhere            anywhere           

Chain OUTPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
REJECT    tcp  --  anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP      all  --  anywhere            anywhere            state INVALID
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    all  --  anywhere            anywhere

Am I doing something wrong here? The rules look good IMHO, but maybe I am over-reading something...

Addendum: I know that these rules allow more traffic than I'd like -- I am planning on fine-tuning it later. There seems to be a conflict in these rules which I'd like to know about.

Thank you,
Bram

unSpawn 01-17-2013 08:24 PM

Rule set looks odd. Please attach "/tmp/iptables.txt" output from running 'iptables-save > /tmp/iptables.txt': easier to read.

Brambo 01-18-2013 02:54 AM

Thank you for your reply :-)

Hereby the requested output:

Code:

# Generated by iptables-save v1.4.7 on Fri Jan 18 09:50:38 2013
*nat
:PREROUTING ACCEPT [82267:8879482]
:POSTROUTING ACCEPT [1476:99283]
:OUTPUT ACCEPT [1473:101127]
COMMIT
# Completed on Fri Jan 18 09:50:38 2013
# Generated by iptables-save v1.4.7 on Fri Jan 18 09:50:38 2013
*mangle
:PREROUTING ACCEPT [124135:26459091]
:INPUT ACCEPT [109958:24755714]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [94032:13409849]
:POSTROUTING ACCEPT [94026:13407645]
COMMIT
# Completed on Fri Jan 18 09:50:38 2013
# Generated by iptables-save v1.4.7 on Fri Jan 18 09:50:38 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11444 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8447 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8880 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s [SSH-IP]/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 106 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s [INET1]/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s [INET2]/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s [INET3]/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s [INET4]/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s [INET5]/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -s [INET1]/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -s [INET2]/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -s [INET3]/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -s [INET4]/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -s [INET5]/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j DROP
-A INPUT -p tcp -m tcp --dport 9008 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p udp -m udp --dport 1194 -j DROP
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -j ACCEPT
-A INPUT -p tcp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j DROP
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i lo -o lo -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Fri Jan 18 09:50:38 2013

[SSH-IP] is the IP of my laptop; [INET1] through [INET5] are the five different IP addresses....

unSpawn 01-18-2013 09:10 AM

I'm not going to fix this for you but I will tell you how to. In the filter table INPUT chain:
0. remove all lines with src or dst 127.0.0.1/32 (loopback accept implies network),
1. remove the "-p protocol --dport port -j DROP" rules (policy),
2. remove the bare "-j DROP" rule (policy),
3. remove the "-p protocol -j ACCEPT" rules (negates policy).

Then:
0. move all lines with the loopback device to the top of the chain. You need it anyway plus getting the device out of the way means not having to explicitly name remaining devices (unless you got several requiring different rules).
1. move the "RELATED,ESTABLISHED", "--reject-with tcp-reset" and "--state INVALID" lines directly below those. The reason for this order is that Netfilter rules work in a "first match wins" way. Most machines generate a lot of requests themselves and you want to get those performance-wise dealt with quickly.
2. below that create a new "-m state --state NEW -p tcp -m tcp -m multiport --dports 3306,5432 -j TRUSTED" rule and dump your "-s INETn/32" addresses in the "-A TRUSTED" where they only require "-j ACCEPT". Make the last two rules in the TRUSTED chain a "-j LOG" and a "-j RETURN" (or "-j DROP") if you want to keep tabs on requests you miss (or not) from other hosts. The reason is, order and performance-wise similar to the rule above plus these machines have a direct relationship and all require similar access so you can reduce rules by half.
3. below that add your SSH-IP SSH rule and ensure it (and all rules below) got the right "--state NEW" as well.
4. below that add your UDP DNS rule.
5. below that group your "-p tcp -m tcp --dport port -j ACCEPT" rules turning them into a single rule using "-m multiport".
6. below that add your ICMP rule.

Remove all rules from the filter table FORWARD chain and add rules when and if you need to (prolly read the Frozentux Iptables tutorial).
Remove all rules from the filter table OUTPUT chain and set the policy to ACCEPT.

After applying the above post your "fixed" rule set if unsure.
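As an added example (not unSpawn's or Brambo's own code), the INPUT chain from the steps above written out as a complete iptables-restore fragment, including the TRUSTED chain for the database clients that the later posts leave out. The SSH and client addresses are constructed placeholders standing in for [SSH-IP] and [INET1]..[INET5], and the script only prints the ruleset so it can be reviewed before loading it with iptables-restore.

```shell
#!/bin/sh
# Added example: emit a filter table laid out in the order described above
# (loopback, conntrack states, TRUSTED db clients, SSH, DNS, multiport web, ICMP).
# Addresses are constructed placeholders, not the poster's real ones.
SSH_IP="192.0.2.10"                       # assumed: the laptop allowed to reach sshd
DB_CLIENTS="198.51.100.1 198.51.100.2"    # assumed: stand-ins for [INET1]..[INET5]

gen_filter_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':TRUSTED - [0:0]'
    # 0. loopback first, so no later rule needs an interface match
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # 1. replies to our own connections, then junk, before any port rule (first match wins)
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    printf '%s\n' '-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset'
    # 2. MySQL/PostgreSQL go to TRUSTED, which only lists sources; anything not accepted
    #    there RETURNs and falls through to the INPUT policy (DROP)
    printf '%s\n' '-A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 3306,5432 -j TRUSTED'
    for ip in $DB_CLIENTS; do
        printf '%s\n' "-A TRUSTED -s $ip/32 -j ACCEPT"
    done
    printf '%s\n' '-A TRUSTED -m limit --limit 5/min -j LOG --log-prefix "db-untrusted: "'
    printf '%s\n' '-A TRUSTED -j RETURN'
    # 3. SSH only from the one trusted host, NEW state as well
    printf '%s\n' "-A INPUT -s $SSH_IP/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT"
    # 4. DNS over UDP
    printf '%s\n' '-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT'
    # 5. all public TCP services in one multiport rule (comma separated, no spaces);
    #    passive FTP data connections need the nf_conntrack_ftp helper so RELATED covers them
    printf '%s\n' '-A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 21,53,80,443,8443 -j ACCEPT'
    # 6. echo requests: the policy would drop them anyway, this just makes it explicit
    printf '%s\n' '-A INPUT -p icmp -m icmp --icmp-type 8/0 -j DROP'
    printf '%s\n' 'COMMIT'
}

# Review helper: how many INPUT rules accept a NEW connection from any source?
count_open_to_world() {
    gen_filter_rules | grep -- '^-A INPUT ' | grep -- '--state NEW' \
        | grep -v -- ' -s ' | grep -c -- '-j ACCEPT$'
}

gen_filter_rules
echo "rules accepting NEW connections from anywhere: $(count_open_to_world)" >&2
```

Load with `gen_filter_rules | iptables-restore` only after checking the printed output; the helper should report 2 (DNS and the multiport rule), everything else is source-restricted or covered by the DROP policy.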

Brambo 01-19-2013 12:15 PM

Thank you for your quick, and rather detailed answer, Unspawn.

So, if I understand it correctly, this will be the 'fixed' ruleset:

Code:

# Generated by iptables-save v1.4.7 on Fri Jan 18 09:50:38 2013
*nat
:PREROUTING ACCEPT [82267:8879482]
:POSTROUTING ACCEPT [1476:99283]
:OUTPUT ACCEPT [1473:101127]
COMMIT
# Completed on Fri Jan 18 09:50:38 2013
# Generated by iptables-save v1.4.7 on Fri Jan 18 09:50:38 2013
*mangle
:PREROUTING ACCEPT [124135:26459091]
:INPUT ACCEPT [109958:24755714]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [94032:13409849]
:POSTROUTING ACCEPT [94026:13407645]
COMMIT
# Completed on Fri Jan 18 09:50:38 2013
# Generated by iptables-save v1.4.7 on Fri Jan 18 09:50:38 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback interface
-A INPUT -i lo -j ACCEPT
-A FORWARD -i lo -o lo -j ACCEPT
# First come, first serves
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
# SSH
-A INPUT -s [SSH-IP]/32 -p tcp -m tcp --dport 22 -j ACCEPT --state NEW
# DNS
-A INPUT -p udp -m udp --dport 53 -j ACCEPT --state NEW
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT --state NEW
# Allow incoming HTTP, HTTPS and Plesk Panel traffic
-A INPUT -p tcp -m tcp --dports http https 8443 -j ACCEPT --state NEW
# Drop invalid packets
-A INPUT -m state --state INVALID -j DROP --state NEW
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j DROP --state NEW
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Fri Jan 18 09:50:38 2013


unSpawn 01-19-2013 12:32 PM

Almost. See where this differs from yours, then read back my previous post:
Code:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j REJECT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -s [SSH-IP]/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 80,443,8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j DROP
COMMIT


Brambo 01-19-2013 12:43 PM

I see that I didn't follow up all your feedback. I forgot to remove the output rules (except for the allow output), and the forward rules.

So this would be the final version, correct?

Code:

*nat
:PREROUTING ACCEPT [82267:8879482]
:POSTROUTING ACCEPT [1476:99283]
:OUTPUT ACCEPT [1473:101127]
COMMIT
*mangle
:PREROUTING ACCEPT [124135:26459091]
:INPUT ACCEPT [109958:24755714]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [94032:13409849]
:POSTROUTING ACCEPT [94026:13407645]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j REJECT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -s [SSH-IP]/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 53, 80,443,8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j DROP
COMMIT

Is there a reason to explicitly drop ICMP traffic, because it already drops all incoming traffic not explicitly allowed?

unSpawn 01-19-2013 12:53 PM

Quote:

Originally Posted by Brambo (Post 4873618)
I see that I didn't follow up all your feedback. I forgot to remove the output rules (except for the allow output), and the forward rules.

A few other "minor" things that might have kept your rule set from loading but I won't sum it all up.


Quote:

Originally Posted by Brambo (Post 4873618)
So this would be the final version, correct

Almost: with "--dports" there's comma separated ports, no spaces between them.


Quote:

Originally Posted by Brambo (Post 4873618)
Is there a reason to explicitly drop ICMP traffic, because it already drops all incoming traffic not explicitly allowed?

No there isn't. BTW your latest rule set is completely different compared with the first one wrt the amount of open ports and the [INETx] addresses?

