topic Re: iptables question in Operating System - Linux

iptables question

Jeffrey S. Sims — Wed, 10 Jul 2002 17:26:48 GMT

I have RedHat 7.2 installed with 2.4.18 Kernel build with iptables support. I am trying to setup a firewall using iptables (getting away from ipchains) but seem to have a few problems.

It appears that the default policy of DROP overrules any exceptions I put in. For example, if I set the default policy for both input and output to drop then enter the following iptables commands.

iptables -A INPUT -i eth0 -p tcp -d 192.168.1.253 --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.253 --sport 22 -j ACCEPT

I cannot ssh to the server (192.168.1.253)after entering these rules. sshd is running and the server is listening on port 22. Any ideas?

--Anxiously awaits some light shed on this for me

Re: iptables question

Stuart Browne — Wed, 10 Jul 2002 21:47:23 GMT

Dumb question that needs to be asked. What's the IP address of the interface 'eth0' ?

The other thing which I've found is that IPTables usually likes the '-j' flag earlier in the command line. It does have a different effect on some rules, but if you can list the chains back, and they all look ok (iptables -nvL), then that won't be it.

Re: iptables question

Jeffrey S. Sims — Wed, 10 Jul 2002 22:39:47 GMT

the IP is 192.168.1.253

The iptables --list works fine and lists both rules. I am basically wanting to allow any incoming ssh request (to this machine)

I am attempting to ssh from another machine on the 192.168.1.xx network.

Re: iptables question

Mark Fenton — Thu, 11 Jul 2002 00:02:35 GMT

Jeffery,

Some thoughts:

1) I have been using shorewall as the basis of my firewall (www.shorewall.org or search for it on freshmeat.net) and have found it to be a superior script, and reasonably easy to configure.

2) You verified from the /var/log/messages that the packets are indeed being dropped by the policy rule.

3) Even if you don't use shorewall, the author operates an email list that discusses cool hacks with iptables. Could be of interest.

hth
Mark

Re: iptables question

Trever Furnish — Thu, 25 Jul 2002 14:38:31 GMT

Have you tried logging the packets affected by each rule? Basicly either log everything or precede each rule with an identical rule except that the target is LOG instead of ACCEPT.

For example:
/sbin/iptables -A INPUT -m state --state NEW -i ! eth1 -j LOG
/sbin/iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT

It gets logged into the kern.* category, if I remember correctly (big if). Probably need to add something like:
kern.* /var/log/kernel

...to /etc/syslog.conf and restart syslog if you want to save the log messages (maybe not, don't take my word on that - test for yourself).

If you do that, either don't leave it there permanently or go ahead and add something to logrotate's config to make sure you don't end up with /var/log/kernel growing indefinitely. Something such as a file in /etc/lograte.d called kernel with contents such as:
/var/log/kernel {
compress
missingok
notifempty
daily
rotate 14
sharedscripts
prerotate
true
endscript
postrotate
true
endscript
}

...which would keep at least 14 days of log files but no more than 14 files.

Once you have the traffic logged you should be able to see source/dest info to make sure it's what you're expecting...

Also, perhaps it's enough to specify your source networks instead of your source interface? Depends on your situation.

Re: iptables question

Stuart Browne — Thu, 25 Jul 2002 22:47:52 GMT

iptables -I INPUT -j ACCEPT -i eth0 -p tcp -d 192.168.1.253 --dport 22
iptables -I OUTPUT -j ACCEPT -m state --state RELAETD,ACCEPTED

Try those two, along with some logging (as mentioned in the previous post), and see where you get.

Re: iptables question

Jeffrey S. Sims — Fri, 26 Jul 2002 16:50:50 GMT

Trevor, thanks for the suggestions. Those would have worked but I had already found an answer at http://www.antionline.com/showthread.php?s=&threadid=230338

In case you haven't been there it is a great tutorial oh IPtables walking you through writing your rules.

Thought I would pass it along