topic Re: IPTABLES in Operating System - Linux

IPTABLES

Piotr Kirklewski — Mon, 11 Jun 2007 07:44:14 GMT

Hi there

It's a web server

If I remove the rule nr 1 then the access to webpage is being blocked. And I dont know why, as the rule nr 4 says to allow tcp at port 80?
I just want to block any ssh trafic except my computers ip adress.

Can enyone help ?

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.1 192.168.0.2 tcp dpt:22 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:69 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:69 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3306 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5555 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8002 state NEW
DROP all -- 0.0.0.0/0 0.0.0.0/0

Re: IPTABLES

Bill Thorsteinson — Mon, 11 Jun 2007 07:57:00 GMT

Try running iptables -L
Rule 1 should apply to the loopback device (lo)
Without it you may have lots of problems with
network based services.
Rules 2 and 4 should apply to (eth0) and allow
the web server to run.
Rule 1 may break internal services used by the
web server.

I use the shoreline firewall (shorewall) to
configure my firewall. It also provides nice
status services to check the state of the
firewall.

Re: IPTABLES

Steven E. Protter — Mon, 11 Jun 2007 08:27:09 GMT

Shalom,

Your results are expected.

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Default policy is drop, which is overridden by the ACCEPT all policy.

So I'm kind of wondering what the point here is.

Anyway, lets take the current policy and make it work.

Lets say the local lan is 192.168.0.0 network. Lets aslo say its a Class C. netmask 255.255.255.0

Lets say your external IP address is 66.102.55.104, also class C.

iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -s 66.102.55.104 -j DROP

The rest of your rules,as inconsistent as they are will work. iptables is read top down, once a rule match is found it stops checking.

SEP

Re: IPTABLES

Piotr Kirklewski — Mon, 11 Jun 2007 08:55:36 GMT

When I'll do:

sudo /sbin/iptables -R INPUT 1 -i lo -j ACCEPT

then I'm loosing the connection with the server.

:(

Re: IPTABLES

Piotr Kirklewski — Mon, 11 Jun 2007 09:50:20 GMT

I will explain one more time what Im trying to do:

1.ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 - if I remove this rule the webpage gets bloked.

2. ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED - I want keep every established and related to it connection.

3.ACCEPT tcp -- 81.xxx.xxx.xxx 217.xxx.xxx.xxx tcp dpt:22 state NEW - Accept ssh connections from my office to the remote directory where the server is located.

4.ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW - to accept every connection from the internet to the web server using http.

5.ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW - Accept https connections to this server.

...

And so on with other protocols.

I've put this firs rule (to accept all) becase people couldn't open the webpage.

I want to drop all conections of all types EXCEPT those listed.

But as soon as I remove the Accept all rool at the firs possition - my webpage gets bloked.

Cheers

Re: IPTABLES

Ivan Ferreira — Mon, 11 Jun 2007 10:26:33 GMT

I suggest you to use a script to build the firewall rules, like rc.firewall or http://www.fwbuilder.org/

You have to add rules for accept everything from localhost and its interfaces, or you will be blocking yourself and you will have a lot of problems with network services.

Re: IPTABLES

Ivan Ferreira — Mon, 11 Jun 2007 10:29:18 GMT

See this page also:

http://easyfwgen.morizot.net/gen/index.php

Re: IPTABLES

Steven E. Protter — Mon, 11 Jun 2007 12:34:51 GMT

Shalom,

I think your approach is wrong.

http://www.fs-security.com/

Site is down for me write now. Its available in many fedora yum repos.

SEP

Re: IPTABLES

Heironimus — Mon, 11 Jun 2007 12:46:54 GMT

You should always go back to the original iptables rules when you're looking at a problem. The output you paste looks like it's from "iptables -L", which does not display the complete rules. You need to add a "-v" if you want to see the full rules.

Personally, I prefer to go look at my iptables shell script or the output from iptables-save instead. I usually don't care about the counters and I find the original iptables commands just as easy to read, especially if they're in a file with comments.

Re: IPTABLES

Piotr Kirklewski — Tue, 12 Jun 2007 03:16:35 GMT

Chain INPUT (policy DROP 61 packets, 5349 bytes)
pkts bytes target prot opt in out source destination
3 144 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW

Ok

So My question is why ssh is rejected in this situation? SSHD is up and running as soon as I'll do:

iptables -I INPUT -j ACCEPT averythink works fine, but obviously id dont like this rule.

Cheers

Re: IPTABLES

Stuart Browne — Tue, 12 Jun 2007 05:12:37 GMT

What's your OUTPUT chain look like?

Re: IPTABLES

Steven E. Protter — Tue, 12 Jun 2007 06:55:53 GMT

Shalom,

This is tough to learn, espcially in a hurry. It literally took me years to learn the subtlties here. Take a look at my past questions.

Firestarter has a GUI, you point you click you have a firewall. I really recommend it for beginners.

SEP

Re: IPTABLES

Piotr Kirklewski — Tue, 12 Jun 2007 07:52:36 GMT

The server is in remote location.
I don't have graphic environment.

I've partialy solved the problem.

The thing is you have to spicify the interface -i eth0 (but the rea server has eth0 + eth0:0). Then on testng machine everythink works fine.But not at the real server. Problem with eth0:0?

real server iptables - webpage blocked,ssh-ok,ping-ok
==========================================
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
ACCEPT tcp -- 81.xxx.xxx.xxx 217.xxx.xxx.xxx tcp dpt:22 state RELATED,ESTABLISHED
ACCEPT tcp -- 81.xxx.xxx.xxx 217.xxx.xxx.xxx tcp dpt:22 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3306 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3306 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5555 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5555 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8002 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8002 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9001 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9001 state NEW
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW

==========================================
On the testing machine I have apache instaled and several rules in iptables:

testing machine - everything works fine
==========================================
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW

Everythink works fine.
The only one difference betwen those machines is the virtual (eth0:0) interface on the web server.

I can ping it,ssh is working but I can't open the webpage.

I have to do that with iptables

Thanks

Re: IPTABLES

Piotr Kirklewski — Tue, 12 Jun 2007 07:57:31 GMT

Chain OUTPUT (policy ACCEPT 181 packets, 13459 bytes)
pkts bytes target prot opt in out source destination
987K 522M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
96M 131G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED

Re: IPTABLES

Piotr Kirklewski — Tue, 12 Jun 2007 12:38:57 GMT

Finaly it works:

Chain INPUT (policy DROP 443 packets, 52393 bytes)
num pkts bytes target prot opt in out source destination
1 5009 1448K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 1685 365K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
3 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state RELATED,ESTABLISHED
4 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
5 2083 161K ACCEPT tcp -- eth0 * 81.150.xxx.xxx 217.174.xxx.xxx tcp dpt:22 state RELATED,ESTABLISHED
6 4 192 ACCEPT tcp -- eth0 * 81.150.xxx.xxx 217.174.xxx.xxx tcp dpt:22 state NEW
7 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state RELATED,ESTABLISHED
8 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
9 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state RELATED,ESTABLISHED
10 1 71 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
11 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state RELATED,ESTABLISHED
12 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
13 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state RELATED,ESTABLISHED
14 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state NEW
15 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 state RELATED,ESTABLISHED
16 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 state NEW
17 17 1292 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state RELATED,ESTABLISHED
18 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state NEW
19 188K 12M ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 state RELATED,ESTABLISHED
20 356 21360 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 state NEW
21 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3306 state RELATED,ESTABLISHED
22 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3306 state NEW
23 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5555 state RELATED,ESTABLISHED
24 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5555 state NEW
25 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8002 state RELATED,ESTABLISHED
26 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8002 state NEW
27 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9001 state RELATED,ESTABLISHED
28 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9001 state NEW
29 0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
30 4527 272K ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
31 0 0 ACCEPT tcp -- eth0 * 217.xxx.xxx.xxx 217.xxx.xxx.xxx tcp dpt:22 state RELATED,ESTABLISHED
32 0 0 ACCEPT tcp -- eth0 * 217.xxx.xxx.xxx 217.xxx.xxx.xxx tcp dpt:22 state NEW

Re: IPTABLES

Piotr Kirklewski — Tue, 12 Jun 2007 12:43:30 GMT

closed