iptables rules

Support for security such as Firewalls and securing linux
stephan
Posts: 17
Joined: 2006/09/07 01:05:48

iptables rules

Post by stephan » 2006/10/05 09:47:47

Hi everyone,

I have removed APF and I'm just trying to configure iptables on its own.

I am typing this:

iptables -F
iptables -X
iptables -Z
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp --dport 9999 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -N SSHSCAN
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
iptables -A SSHSCAN -m recent --set --name SSH
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP

iptables-save > /etc/sysconfig/iptables-config


Does that look ok? It should work right?

I did it, then rebooted and couldn't get in via SSH on port 9999, although everything else worked...

Can anyone see a flaw in what I wrote?

Thanks

NedSlider
Forum Moderator
Posts: 2890
Joined: 2005/10/28 13:11:50
Location: UK

iptables rules

Post by NedSlider » 2006/10/05 10:13:23

[quote]
iptables -N SSHSCAN
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
iptables -A SSHSCAN -m recent --set --name SSH
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
[/quote]

This section of your chain (NEW, or otherwise) is never going to be processed as it comes after the rule on line 7 to accept ALL TCP connections to port 22.

If you want TCP connections on port 22 to be processed by the SSHSCAN chain, then this should be defined towards the start of your INPUT chain and you should remove the rule on line 7.

Have you set sshd to listen on port 9999 if that's the port you want it to use? And if so, why are you still accepting connections on port 22?

Hope that helps,

Ned

stephan
Posts: 17
Joined: 2006/09/07 01:05:48

Re: iptables rules

Post by stephan » 2006/10/05 10:47:22

Oops, you're right.

iptables -F
iptables -X
iptables -Z
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -N SSHSCAN
iptables -A INPUT -p tcp --dport 9999 -m state --state NEW -j SSHSCAN
iptables -A SSHSCAN -m recent --set --name SSH
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP


iptables-save > /etc/sysconfig/iptables-config

I guess that's ok? To be honest (as you may be able to tell), I have only used the basics of iptables really...


When I got locked out of the server earlier, I hadn't put in the bit that limited SSH access, so I'm not sure why I couldn't get in.


I have removed the ACCEPT for port 9999, also for port 22, as that's not in use, and moved the rate limiting SSH code up a bit.

Thanks for your help. If you are still following this thread, do you think it's looking ok now?

I have a plan to write a small script that clears all iptables rules every 10 minutes so that I won't get locked out again. My plan is to make something like this:

iptables -F
iptables -X
iptables -Z
iptables-save > /etc/sysconfig/iptables-config

and use it as a cron.

I think that's right, right? I really wish I had a test server right now!

stephan
Posts: 17
Joined: 2006/09/07 01:05:48

Re: iptables rules

Post by stephan » 2006/10/05 12:55:39

Ok, this is a lame post (my last one).

I've had a little bit of practice and I've cut it down a bit:

iptables -F
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp --dport 9999 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j DROP


and the cron for testing:

iptables -F
service iptables stop


I'll post more if I get good results.


[update : the cron didn't work, I think it needed the full paths. The firewall is working other than that :-) and I've had enough of messing with it for today!]

NedSlider
Forum Moderator
Posts: 2890
Joined: 2005/10/28 13:11:50
Location: UK

Re: iptables rules

Post by NedSlider » 2006/10/05 16:53:08

Good to hear you got the firewall working - IMHO everyone should learn iptables/netfilter as it's such a flexible and powerful system :-)

A couple of suggestions. You can condense the following back into 1 rule if you like

iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp

Could just be

iptables -A INPUT -i eth0 -p all -m state --state ESTABLISHED -j ACCEPT

and you may want to add RELATED packets to the stateful inspection?

Also, if you set the default policy for the INPUT chain to DROP, you can also do away with the last line.

Can I ask what sort of setting this machine is being used in - desktop, server etc?

Looks like you're running pop3 on port 110 and a proxy on port 3128. You may want to consider limiting access to those services to certain IP addresses or ranges, or do you particularly want them accessible to all?

stephan
Posts: 17
Joined: 2006/09/07 01:05:48

Re: iptables rules

Post by stephan » 2006/10/05 17:04:35

Thanks for your continued help :-D

You are right, it makes sense to learn it. I was hoping I could cut and paste a few things and get it running faster, but that's the wrong way to go about it, and I know it is!

The computer is a server, it used to have the APF firewall, but although that was working fine, I wanted to remove it because I knew iptables was running underneath and did want to learn a little more. I also didn't like that APF wouldn't auto-update itself through yum. Everything else on the server is maintained using yum, so I thought it was neater this way. On a server, I guess it's best never to change anything so as to keep it up as much as possible (bar necessary upgrades), but it's not critical, the websites on it are just for my own stuff.

The proxy is kept switched off, but I sometimes switch it on (limited just to my IP through /etc/squid/squid.conf) and use it to access a few urls then switch it off again.

The other ports need to be open to everyone I think. I could limit 110 to my IP, but I might travel in the near future.

I have replaced that line (3 lines into 1).

I'll keep working on it.

It's weird, I couldn't actually find that many websites which have a list of rules like this. I suppose everyone has different situations. I'll update this post probably if I make any more changes, so people can make use of it if applicable.

Thanks

NedSlider
Forum Moderator
Posts: 2890
Joined: 2005/10/28 13:11:50
Location: UK

Re: iptables rules

Post by NedSlider » 2006/10/05 18:22:15

Iptables is actually pretty easy to learn if you just want to do the basics. I wrote a short tutorial here:

http://forums.pcper.com/showthread.php?t=411670

I'm no expert, but this tutorial will give you the basic syntax for what's possible and provide examples you can modify for your own purposes.

Anyway, you may like to limit access to the proxy, pop3 and SSH servers to only your IP address or subnet (or other trusted IP addresses that are authorized to access those services). This will stop folks scanning, finding and abusing these services. Security through obscurity works well with firewalls, and it's generally better practice to simply not advertise a service than to advertise it but not allow access by limiting through the service config file (as you've done with squid). The same goes with pop3 or any other service (ssh etc).

For example, if you wanted to limit access to your squid server to only your private LAN ip address range, you could use something like this:

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 3128 -j ACCEPT

You can use -s to specify the source IP address (eg, 192.168.0.10) or you can specify the whole subnet (192.168.0.x) as in the example above.

By limiting access to just known/trusted IP address(es), you will prevent port scanners from detecting you're running the service and drawing attention to yourself. This is particularly useful for services such as SSH where if you have open access, you'll get stacks of attempts to logon as root by guessing the root password. Far better to just drop all packets other than those from authorized IP addresses.
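As an added illustration (not code from the thread), a small Python model of iptables first-match evaluation with a simplified `-m recent`: it shows why the SSHSCAN chain in the first posting never runs, what the `--set` / `--update --seconds 300 --hitcount 3` pair does once the jump comes first (assuming, as the intended fix, an ACCEPT for port 9999 after the jump so attempts that are not blocked still get in), and the `-s 192.168.0.0/24` restriction on the proxy port. The source addresses and timestamps are constructed.

```python
import ipaddress

recent = {}  # -m recent state: list name -> source IP -> hit timestamps (seconds)
def m_basic(proto=None, dport=None, state=None, src=None):
    """-p / --dport / -m state --state / -s matcher (src may be a CIDR)."""
    net = ipaddress.ip_network(src) if src else None
    return lambda p: ((proto is None or p["proto"] == proto)
                      and (dport is None or p["dport"] == dport)
                      and (state is None or p["state"] in state)
                      and (net is None or ipaddress.ip_address(p["src"]) in net))
def m_recent_set(name):  # -m recent --set: record the hit, always match
    def f(p):
        recent.setdefault(name, {}).setdefault(p["src"], []).append(p["t"]); return True
    return f
def m_recent_update(name, seconds, hitcount):
    """-m recent --update --seconds S --hitcount N: match (and refresh the entry)
    only if this source already has >= N hits within the last S seconds."""
    def f(p):
        hits = [h for h in recent.get(name, {}).get(p["src"], []) if p["t"] - h <= seconds]
        if len(hits) < hitcount:
            return False
        recent[name][p["src"]].append(p["t"]); return True
    return f
def walk(chains, chain, p):
    """First-match walk: ACCEPT/DROP, or None if the packet falls off the end."""
    for matchers, target in chains[chain]:
        if all(m(p) for m in matchers):
            if target in ("ACCEPT", "DROP"):
                return target
            if target is not None:                  # -j user-chain
                verdict = walk(chains, target, p)
                if verdict: return verdict          # no verdict = implicit RETURN
    return None
def ssh_chain():
    return [([m_recent_set("SSH")], None), ([m_recent_update("SSH", 300, 3)], "DROP")]
EST = [m_basic(state=("RELATED", "ESTABLISHED"))]
# First posting: the blanket ACCEPT on 22 (and the final DROP) sit before the jump.
FIRST = {"INPUT": [(EST, "ACCEPT"), ([m_basic("tcp", 22)], "ACCEPT"), ([m_basic()], "DROP"),
                   ([m_basic("tcp", 22, ("NEW",))], "SSHSCAN")], "SSHSCAN": ssh_chain()}
# Assumed intended order: jump first, then ACCEPT survivors; proxy only from the LAN.
FIXED = {"INPUT": [(EST, "ACCEPT"), ([m_basic("tcp", 9999, ("NEW",))], "SSHSCAN"),
                   ([m_basic("tcp", 9999)], "ACCEPT"),
                   ([m_basic("tcp", 3128, src="192.168.0.0/24")], "ACCEPT"),
                   ([m_basic()], "DROP")], "SSHSCAN": ssh_chain()}

def verdicts(chains, port, times, src="203.0.113.7"):  # NEW TCP connections, one source
    recent.clear()
    return [walk(chains, "INPUT", {"proto": "tcp", "dport": port, "state": "NEW",
                                    "src": src, "t": t}) for t in times]
```

With the first ordering every attempt is accepted and the recent list stays empty; with the jump first, the third new connection within 300 seconds is dropped and a later one is accepted again.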

stephan
Posts: 17
Joined: 2006/09/07 01:05:48

Re: iptables rules

Post by stephan » 2006/10/06 00:34:26

Cool. thanks :-)
