Help an IPTABLES neophyte please

Rick Stevens ricks at nerd.com
Fri May 9 16:54:21 UTC 2008 

Waldher, Travis R wrote:
>> -----Original Message-----
>> From: Rick Stevens [mailto:ricks at nerd.com]
>> Sent: Thursday, May 08, 2008 10:08 AM
>> To: Getting started with Red Hat Linux
>> Subject: Re: Help an IPTABLES neophyte please
>>
>> Waldher, Travis R wrote:
>>> I've got a machine acting as a portal between a public network and a
>>> private network.  Right now, all you can do is ssh in to the box
> from
>>> the public side, and then do as you please on the private side.  You
>>> cannot ssh or form any other connection that wasn't initiated by a
>>> client on the public side of the machine.  Think of it as a roach
>> motel.
>>>
>>>
>>> Well, I need to be able to pull information from an LDAP server that
>> is
>>> on the public network.
>>>
>>>
>>>
>>> How do I setup my firewall so that it will first allow outbound
>> traffic
>>> on port 389 (any others?) and second forward any requests it
> receives
>>> from other machines on the private network on.
>> Hey, Travis!  Long time, no speak!
>>
>> If this were a normal machine (one not acting as a router), the way
> you
>> worded the above sounds like the only incoming connections allowed are
>> for ssh (TCP port 22), so you probably have a rule such as:
>>
>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>>
>> in your ruleset.  Assuming that the OUTPUT chain has a default policy
>> of "ACCEPT", you should also have rules such as:
>>
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> before the final "-j REJECT" (or "-j DROP") in the input chain.  That
>> should allow ANY TCP traffic as long as it was INITIATED from the
>> local machine.
>>
>> If the machine is a router, then we'd probably have to get into
>> specifying the different NICs in the rules (by use of the "-i"
>> parameter).
>>
>> Could you post your current ruleset so we can get a grip on what you
>> have set up?  It may be a really simple fix or a simpler ruleset may
>> work.
>>
>> ----------------------------------------------------------------------
>> - Rick Stevens, Systems Engineer                       rps2 at nerd.com -
>> - Hosting Consulting, Inc.                                           -
>> -                                                                    -
>> -   NEWS FLASH! Intelligence of mankind decreasing!  Details at...   -
>> -     uh, when, uh, the little hand is, uh, on the...  Aw, NUTS!     -
>> ----------------------------------------------------------------------
> 
> Dang, change jobs?  Nerd.com now? LOL

Yup.  Nine years after co-founding the company, I simply couldn't take
the political crap and gross mismanagement by the executives (except for
one guy).  I've watched the stock value drop over 75% because of their
mismanagement and I couldn't bear to watch my child be murdered by those
bastards any longer.  One of the other former founders had started this
up and needed my help.  It wasn't an easy choice, but I'm a MUCH happier
camper now!

> Here's the script I use to set the firewall.  IP's have been modified to
> protect the innocent

Yes, Sgt. Friday.  :-)

> #Clean out the IP Tables
> iptables -F
> iptables -X
> 
> #setup default filter policy
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> 
> #Allow unlimited traffic on loopback
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> #Allow incoming ssh only
> iptables -A INPUT -p tcp -s 0/0 -d 162.254.180.165 --sport 513:65535
> --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s 162.254.180.165 -d 0/0 --sport 22 --dport
> 513:65535 -m state --state ESTABLISHED -j ACCEPT
> 
> # Allow pings
> iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d 162.254.180.165 -m
> state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d 162.254.180.165 -m
> state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -p icmp --icmp-type 0 -s 162.254.180.165 -d 0/0 -m
> state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -p icmp --icmp-type 8 -s 162.254.180.165 -d 0/0 -m
> state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> #Allow FTP
> #iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j
> ACCEPT
> #iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED
> -j ACCEPT
> 
> #Drop all other traffic
> iptables -A INPUT -i eth0 -j DROP
> iptables -A OUTPUT -o eth0 -j DROP
> 
> #Allow the private network to be chatty
> iptables -A INPUT -i eth1 -s 192.168.1.0/255.255.255.0 -j ACCEPT
> iptables -A OUTPUT -o eth1 -s 192.168.1.0/255.255.255.0 -j ACCEPT
> iptables -A INPUT -i eth2 -s 192.168.2.0/255.255.255.128 -j ACCEPT
> iptables -A OUTPUT -o eth2 -s 192.168.2.0/255.255.255.128 -j ACCEPT
> 
> #Allow certain pings
> #iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
> #iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
> #iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
> #iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j
> ACCEPT
> 
> Basically I first tell it to drop all traffic, default deny.  Then I
> start opening things back up.  This machine is not acting like a router
> right now.  I do need to forward LDAP traffic to the outside now.
> 
> I want this machine to be wide open on the private network, but very
> closed off on the public side.  Allowing inbound SSH only, no outbound.
> Allowing outbound LDAP requests, but no inbound.

You didn't say which NICs are on the external and which are on the
internal (and I see 3 NICS in your ruleset).  However, assuming eth0 is
the external and eth1 and eth2 are the internal, then

# Permit incoming and outgoing LDAP:// traffic on eth0...
iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 389 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -s 0/0-p tcp --sport 389 -m state --state \
NEW -j ACCEPT
# Permit incoming and outgoing LDAPS:// traffic on eth0...
iptables -A INPUT -i eth1 -s 0/0 -p tcp -sport 636 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -s 0/0-p tcp --sport 636 -m state --state \
NEW -j ACCEPT

Should be a good basis to start with.  Since you have SSH open to the
outside world (btw, the first non-privileged  port is 1024, not 513),
you might want to add some rules to the SSH stuff to prevent brute-force
password guessing attacks.  Here's a set that blocks a given IP if they
try to ssh more than once every 3 minutes.  Its enough to block the
script kiddies out there:

# This rejects ssh attempts more than twice in 180 seconds...
# First, mark attempts as part of the "sshattack" group...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# Optional: Include this line if you want to log these attacks...
#-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck \ 
--seconds 180 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "
# Finally, reject the connection if more than one attempt is made in 180
# seconds...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck \
--seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset

Obviously, change the "--hitcount 2" and "--seconds 180" to whatever you
want.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                       rps2 at nerd.com -
- Hosting Consulting, Inc.                                           -
-                                                                    -
-           Blech!  ACKth!  Ooop!  -- Bill the Cat (Outland)         -
----------------------------------------------------------------------

More information about the Redhat-install-list mailing list