
Re: iptables problem



tamer amr wrote:
Hi, I want to check the errors and the recommendations in my iptables rules.
here is Chain INPUT (policy DROP)
  target     prot opt source               destination
You don't want this line, because it will grant access to every newly started communication:
  ACCEPT     all  --  anywhere             anywhere            state NEW
These are good:
  ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
  ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http
  ACCEPT     tcp  --  anywhere             anywhere            tcp spt:imap
You might want to check whether your name server uses the standard port 53 for communication. I use bind and I know you can force it to use only the standard port for communication.
  ACCEPT     tcp  --  anywhere             anywhere            tcp spt:domain
Are you sure you want public IPs to access bootps? You might want to restrict it further to a source IP net range.
  ACCEPT     tcp  --  anywhere             anywhere            tcp spt:bootps
  ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https
The logging rule should be last, so as to catch only packets that do not conform to any rule.
  LOG        all  --  anywhere             anywhere            LOG level warning
Here you can merge the next two rules into just one: *iptables -A INPUT -p tcp --sport 25 -j ACCEPT*
  ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:smtp
  ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW
I think the next rule was written by a configuration wizard, but it doesn't make sense in this config. It should be deleted; let the chain policy have its way with the packets unmatched so far.
  DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination
  ACCEPT     all  --  anywhere             anywhere
  ACCEPT     all  --  anywhere             anywhere
Why do you want to drop this port?
  DROP       tcp  --  anywhere             anywhere            tcp spt:31337 dpt:31337
Chain OUTPUT (policy ACCEPT)
I already told you: as long as you have an ACCEPT policy on the chain, it's useless to specify further ACCEPT rules.
  target     prot opt source               destination
  ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
  ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
  ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
  ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
  ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state RELATED,ESTABLISHED
  ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:smtp
  DROP       tcp  --  anywhere             anywhere            tcp spt:31337 dpt:31337

I think you should do something else. You should erase all your existing rules and start your own. Take a pen and paper and write down all services on the machine. Then for each and every service write the policy for local and external IPs. Then use the table to create your rules. I get the feeling that you didn't quite get the grasp of filtering, so you should start from 0. Say I have a server that runs services for web, mail, domain, time and is also a gateway (I will use masquerading for the last, although you can use plain NAT). Start by writing down the services and identifying the ports used for them:

mail (25)
http(80)
https(443)
domain (53)
time(123)
masquerading

Next write down how they should be accessed:

Service               WAN              LAN
mail (tcp 25)         accessible       accessible
domain (tcp&udp 53)   accessible       accessible
http (tcp 80)         accessible       accessible
https (tcp 443)       accessible       not accessible
time (udp 123)        not accessible   accessible
masquerading          not accessible   accessible

This is how your table should look.
Next based on this table write your rules:

#!/bin/sh
#Give some credits to Lord of Gore <lordofgore logsoftgrup ro> :))
#First I will define some variables to make the script more portable:
localnet=192.168.1.0/24
localip=192.168.1.1
externalip=55.66.77.88
externalinterface=eth0
localinterface=eth1
ipt=/sbin/iptables

#first let's tidy up
$ipt -F INPUT
$ipt -F OUTPUT
$ipt -F FORWARD
$ipt -t nat -F PREROUTING
$ipt -t nat -F POSTROUTING

#here I set the policy for the input chain
$ipt -P INPUT DROP
#first of all I want to allow communication for my server's software
$ipt -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
#(added to the original script) accept replies to connections this host opened itself;
#without this the DROP policy eats DNS answers, SMTP replies and every other return packet
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#next I will allow communication for mail from external and internal net (this means everyone)
$ipt -A INPUT -s 0.0.0.0/0 -p tcp --dport 25 -j ACCEPT
#allow domain from everywhere
$ipt -A INPUT -s 0.0.0.0/0 -p tcp --dport 53 -j ACCEPT
$ipt -A INPUT -s 0.0.0.0/0 -p udp --dport 53 -j ACCEPT
#allow http from everywhere
$ipt -A INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT
#allow https only from outside. I can't write down all world IPs in my script so I will REJECT local IPs. I will REJECT because I don't want my machines to wait for a timeout
$ipt -A INPUT -s $localnet -p tcp --dport 443 -i $localinterface -j REJECT
#(added to the original script) whoever was not rejected above, i.e. the outside, gets https accepted
$ipt -A INPUT -p tcp --dport 443 -j ACCEPT
#time accessible only from local net
$ipt -A INPUT -s $localnet -p udp --dport 123 -i $localinterface -j ACCEPT
#all packets that do not match rules so far will be logged:
$ipt -A INPUT -j LOG --log-prefix "chain INPUT"

#next is FORWARD
$ipt -P FORWARD DROP
#accept forwarding originating only from localnet
$ipt -A FORWARD -s $localnet -j ACCEPT
#accept connection matching packets
$ipt -A FORWARD -s 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#and of course logging for debugging and other purposes:
$ipt -A FORWARD -j LOG --log-prefix "chain FWD"

#Although in strict environments the same should be done with the output chain, I will consider this as not being a strict environment :)
$ipt -P OUTPUT ACCEPT
#masquerading is done in a single line
$ipt -t nat -A POSTROUTING -s $localnet -o $externalinterface -j MASQUERADE
#enable forwarding:
echo "1">/proc/sys/net/ipv4/ip_forward

#all this you can paste inside a file, chmod +x it and use it at startup to enable filtering and masquerading

Now everything should work fine. If it doesn't, check the logs and see which packets are blocked, then modify or add rules.
This is *not* a tutorial :)
Look for tutorials on Google.
There are quite a few. I'd write another one but I'm not sure if there's any room left for it... :) I should tell you that I learned how to use iptables *only* from the man page. If you know how TCP/IP works and read the iptables man page then you shouldn't have any problems. I suspect that you have problems with TCP/IP also. Maybe you should read about it before starting with iptables.
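As an added example that is not part of the original mail: a small POSIX shell/awk lint that checks an iptables-save dump for the mistakes pointed out above (the catch-all "state NEW" accept, rules placed after the LOG rule, ACCEPT rules in a chain whose policy is already ACCEPT, and a DROP-policy chain with no RELATED,ESTABLISHED accept). The sample dump is constructed here to mirror the quoted chains; `audit_rules` and `audit_sample` are names chosen for this example.

```shell
#!/bin/sh
# Lint an iptables-save dump (read on stdin) for the mistakes discussed in the thread.
# Prints one finding per line; nothing printed means none of the four checks fired.
#   1. catch-all "--state NEW" ACCEPT with no port, address or interface match
#   2. rules after a LOG rule in the same chain (LOG should be last; LOG does not
#      terminate, so traffic those later rules accept is logged as if it were refused)
#   3. ACCEPT rules in a chain whose policy is already ACCEPT (redundant)
#   4. DROP-policy chain without a RELATED,ESTABLISHED accept (return packets dropped)
audit_rules() {
    awk '
    /^:/   { split($1, c, ":"); policy[c[2]] = $2; next }
    /^-A / {
        chain = $2
        if ($0 ~ /--state NEW/ && $0 ~ /-j ACCEPT/ && $0 !~ /--dport|--sport|-s |-d |-i /)
            print "catch-all NEW accept: " $0
        if (seenlog[chain])
            print "rule after LOG in " chain " (LOG should be last): " $0
        if ($0 ~ /-j LOG/) seenlog[chain] = 1
        if (policy[chain] == "ACCEPT" && $0 ~ /-j ACCEPT/)
            print "redundant ACCEPT, policy of " chain " is already ACCEPT: " $0
        if ($0 ~ /--state RELATED,ESTABLISHED/ && $0 ~ /-j ACCEPT/) stateful[chain] = 1
        next
    }
    END {
        for (ch in policy)
            if (policy[ch] == "DROP" && !stateful[ch])
                print "no RELATED,ESTABLISHED accept in DROP-policy chain " ch
    }'
}

# Constructed sample in iptables-save syntax (not the "iptables -L" listing shown in
# the mail), modelled on the quoted INPUT / FORWARD / OUTPUT chains.
SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -j LOG --log-level 4
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 31337 --dport 31337 -j DROP
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

audit_sample() { printf "%s\n" "$SAMPLE" | audit_rules; }
audit_sample
```

On a live box the same check is `iptables-save | audit_rules`; the sample above produces exactly four findings, one per check.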


