iptables problem

Lord of Gore lordofgore at logsoftgrup.ro
Wed Dec 20 15:48:22 UTC 2006


tamer amr wrote:
> hi i want to check the error and the recommendations in my iptables rules
>   
>   here is 
>   
>   Chain INPUT (policy DROP)
>   target     prot opt source               destination
>   
This line you don't want, because it will grant access to every newly 
started communication.
>   ACCEPT     all  --  anywhere             anywhere            state NEW
>   
These are good
>   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http
>   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:imap
>   
You might want to check if your name server uses the standard port 53 for 
communication. I use bind and I know you can force it to use only the 
standard port for communication.
>   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:domain
>   
Are you sure you want public IPs to access bootps? You might want to 
restrict it further to a source IP net range.
>   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:bootps
>   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https
>   
The logging rule should be last, so as to catch only packets that do not 
conform to any rule.
>   LOG        all  --  anywhere             anywhere            LOG level warning
>   
Here you can merge the next two rules into just one: *iptables -A INPUT 
-p tcp --sport 25 -j ACCEPT*
>   ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:smtp
>   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW
>   
I think the next rule was written by a configuration wizard, but it doesn't 
make sense in this config. It should be deleted; let the chain policy 
have its way with the packets unmatched so far.
>   DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
>   
>   Chain FORWARD (policy ACCEPT)
>   target     prot opt source               destination
>   ACCEPT     all  --  anywhere             anywhere
>   ACCEPT     all  --  anywhere             anywhere
>   
Why do you want to drop this port?
>   DROP       tcp  --  anywhere             anywhere            tcp spt:31337 dpt:31337
>   
>   Chain OUTPUT (policy ACCEPT)
>   
I already told you. As long as you have an accept policy on the chain it's 
useless to specify further accept rules.
>   target     prot opt source               destination
>   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
>   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
>   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
>   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
>   ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state RELATED,ESTABLISHED
>   ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:smtp
>   DROP       tcp  --  anywhere             anywhere            tcp spt:31337 dpt:31337

I think you should do something else. You should erase all your existing 
rules and start your own. Take a pen and paper and write down all 
services on the machine. Then for each and every service write the policy 
for local and external IPs. Then use the table to create your rules. I 
get the feeling that you didn't quite get the grasp of filtering, and so 
you should start from 0.
Say I have a server that runs services for web, mail, domain, time and 
is also a gateway (I will use masquerading for the last although you can 
use plain NAT). Start writing down services and identify ports used for 
them:

mail (25)
http (80)
https (443)
domain (53)
time (123)
masquerading

Next write down how they should be accessed:

Services               WAN              LAN
mail (tcp 25)          accessible       accessible
domain (tcp&udp 53)    accessible       accessible
http (tcp 80)          accessible       accessible
https (tcp 443)        accessible       not accessible
time (udp 123)         not accessible   accessible
masquerading           not accessible   accessible

This is how your table should look.
Next, based on this table, write your rules:

#!/bin/sh
#Give some credits to Lord of Gore <lordofgore at logsoftgrup.ro> :))
#First I will define some variables to make the script more portable:
localnet=192.168.1.0/24
localip=192.168.1.1
externalip=55.66.77.88
externalinterface=eth0
localinterface=eth1
ipt=/sbin/iptables

#first let's tidy up
$ipt -F INPUT
$ipt -F OUTPUT
$ipt -F FORWARD
$ipt -t nat -F PREROUTING
$ipt -t nat -F POSTROUTING

#here I set the policy for the input chain
$ipt -P INPUT DROP
#first of all I want to allow communication for my server's software
$ipt -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
#accept replies to connections the server itself started; without this
#the DROP policy discards them
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#next I will allow communication for mail from external and internal net
#(this means everyone)
$ipt -A INPUT -s 0.0.0.0/0 -p tcp --dport 25 -j ACCEPT
#allow domain from everywhere
$ipt -A INPUT -s 0.0.0.0/0 -p tcp --dport 53 -j ACCEPT
$ipt -A INPUT -s 0.0.0.0/0 -p udp --dport 53 -j ACCEPT
#allow http from everywhere
$ipt -A INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT
#allow https only from outside. I can't write down all world ips in my
#script so I will REJECT local ips. I will REJECT because I don't want my
#machines to wait for timeout
$ipt -A INPUT -s $localnet -p tcp --dport 443 -i $localinterface -j REJECT
#the local net is rejected above, so this accepts https from everyone else
$ipt -A INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
#time accessible only from local net
$ipt -A INPUT -s $localnet -p udp --dport 123 -i $localinterface -j ACCEPT
#all packets that do not match rules so far will be logged:
$ipt -A INPUT -j LOG --log-prefix "chain INPUT"

#next is FORWARD
$ipt -P FORWARD DROP
#accept forwarding originating only from localnet
$ipt -A FORWARD -s $localnet -j ACCEPT
#accept connection matching packets
$ipt -A FORWARD -s 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#and of course logging for debugging and other purposes:
$ipt -A FORWARD -j LOG --log-prefix "chain FWD"

#Although in strict environments the same should be done with the output
#chain, I will consider this as not being a strict environment :)
$ipt -P OUTPUT ACCEPT
#masquerading is done in a single line
$ipt -t nat -A POSTROUTING -s $localnet -o $externalinterface -j MASQUERADE
#enable forwarding:
echo "1" > /proc/sys/net/ipv4/ip_forward

#all this you can paste inside a file, chmod +x it and use it at startup to
#enable filtering and masquerading

Now everything should work fine. If it doesn't, check the logs, see 
what packets are blocked, then modify or add rules.
This is *not* a tutorial :)
Look for tutorials on Google.
There are quite a few. I'd write another one but I'm not sure if there's 
any room left for it... :)
I should tell you that I learned how to use iptables *only* from the man 
page. If you know how TCP/IP works and read the iptables man page then 
you shouldn't have any problems.
I suspect that you have problems with TCP/IP also. Maybe you should read 
about it before starting with iptables.
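The following script is an added example, not part of the reply above: it turns the service/access table into INPUT rules the way the reply describes, one function per table row, with the WAN-only case handled by rejecting the local net before accepting the rest. By default it only prints the iptables commands (set IPT=/sbin/iptables to apply them); the network values are the ones used in the reply.

```shell
#!/bin/sh
# Added example: generate the INPUT chain from the access table.
# Dry run by default; IPT=/sbin/iptables makes it apply the rules.
localnet=192.168.1.0/24
localinterface=eth1
ipt="${IPT:-echo iptables}"

# rule SERVICE PROTO PORT WAN LAN   (WAN and LAN are "yes" or "no")
# Emits the INPUT rule(s) for one table row:
#   yes/yes -> accept from everywhere
#   yes/no  -> REJECT the local net first (fast failure), then accept the rest
#   no/yes  -> accept only from the local net arriving on the local interface
#   no/no   -> nothing to add; the INPUT policy (DROP) takes care of it
rule() {
    svc=$1; proto=$2; port=$3; wan=$4; lan=$5
    case "$wan/$lan" in
        yes/yes) $ipt -A INPUT -p "$proto" --dport "$port" -j ACCEPT ;;
        yes/no)  $ipt -A INPUT -s "$localnet" -i "$localinterface" -p "$proto" --dport "$port" -j REJECT
                 $ipt -A INPUT -p "$proto" --dport "$port" -j ACCEPT ;;
        no/yes)  $ipt -A INPUT -s "$localnet" -i "$localinterface" -p "$proto" --dport "$port" -j ACCEPT ;;
        no/no)   : ;;
        *) echo "bad table row for $svc: wan=$wan lan=$lan" >&2; return 1 ;;
    esac
}

# Whole INPUT chain: loopback first, replies to the server's own connections
# next, then one call per table row, and the LOG rule last so it only sees
# packets nothing else matched.
input_chain() {
    $ipt -P INPUT DROP
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    rule mail   tcp 25  yes yes
    rule domain tcp 53  yes yes
    rule domain udp 53  yes yes
    rule http   tcp 80  yes yes
    rule https  tcp 443 yes no
    rule time   udp 123 no  yes
    $ipt -A INPUT -j LOG --log-prefix "chain INPUT "
}

input_chain
```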




More information about the redhat-list mailing list