Re: Help an IPTABLES neophyte please



Waldher, Travis R wrote:
-----Original Message-----
From: Rick Stevens [mailto:ricks@xxxxxxxx]
Sent: Thursday, May 08, 2008 10:08 AM
To: Getting started with Red Hat Linux
Subject: Re: Help an IPTABLES neophyte please

Waldher, Travis R wrote:
I've got a machine acting as a portal between a public network and a
private network.  Right now, all you can do is ssh in to the box from
the public side, and then do as you please on the private side.  You
cannot ssh or form any other connection that wasn't initiated by a
client on the public side of the machine.  Think of it as a roach
motel.

Well, I need to be able to pull information from an LDAP server that
is on the public network.

How do I set up my firewall so that it will first allow outbound
traffic on port 389 (any others?) and second forward any requests it
receives from other machines on the private network on.

Hey, Travis!  Long time, no speak!

If this were a normal machine (one not acting as a router), the way
you worded the above sounds like the only incoming connections allowed
are for ssh (TCP port 22), so you probably have a rule such as:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

in your ruleset.  Assuming that the OUTPUT chain has a default policy
of "ACCEPT", you should also have rules such as:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

before the final "-j REJECT" (or "-j DROP") in the input chain.  That
should allow ANY TCP traffic as long as it was INITIATED from the
local machine.

If the machine is a router, then we'd probably have to get into
specifying the different NICs in the rules (by use of the "-i"
parameter).

Could you post your current ruleset so we can get a grip on what you
have set up?  It may be a really simple fix or a simpler ruleset may
work.

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                       rps2@xxxxxxxx -
- Hosting Consulting, Inc.                                           -
-                                                                    -
-   NEWS FLASH! Intelligence of mankind decreasing!  Details at...   -
-     uh, when, uh, the little hand is, uh, on the...  Aw, NUTS!     -
----------------------------------------------------------------------

Dang, change jobs?  Nerd.com now? LOL

Yup.  Nine years after co-founding the company, I simply couldn't take
the political crap and gross mismanagement by the executives (except for
one guy).  I've watched the stock value drop over 75% because of their
mismanagement and I couldn't bear to watch my child be murdered by those
bastards any longer.  One of the other former founders had started this
up and needed my help.  It wasn't an easy choice, but I'm a MUCH happier
camper now!

Here's the script I use to set the firewall.  IPs have been modified to
protect the innocent.

Yes, Sgt. Friday.  :-)

#Clean out the IP Tables
iptables -F
iptables -X

#setup default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#Allow incoming ssh only
iptables -A INPUT -p tcp -s 0/0 -d 162.254.180.165 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 162.254.180.165 -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow pings
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d 162.254.180.165 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d 162.254.180.165 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s 162.254.180.165 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -s 162.254.180.165 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#Allow FTP
#iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

#Drop all other traffic
iptables -A INPUT -i eth0 -j DROP
iptables -A OUTPUT -o eth0 -j DROP

#Allow the private network to be chatty
iptables -A INPUT -i eth1 -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth2 -s 192.168.2.0/255.255.255.128 -j ACCEPT
iptables -A OUTPUT -o eth2 -s 192.168.2.0/255.255.255.128 -j ACCEPT

#Allow certain pings
#iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

Basically I first tell it to drop all traffic, default deny.  Then I
start opening things back up.  This machine is not acting like a router
right now.  I do need to forward LDAP traffic to the outside now.

I want this machine to be wide open on the private network, but very
closed off on the public side.  Allowing inbound SSH only, no outbound.
Allowing outbound LDAP requests, but no inbound.

You didn't say which NICs are on the external and which are on the
internal (and I see 3 NICS in your ruleset).  However, assuming eth0 is
the external and eth1 and eth2 are the internal, then

# Permit outgoing LDAP:// queries on eth0 and the replies to them.  This
# host is the LDAP client, so the packets it sends carry --dport 389 and
# the server's replies arrive with --sport 389.  These rules must come
# before the "#Drop all other traffic" rules for eth0 in your script...
iptables -A OUTPUT -o eth0 -p tcp --dport 389 -m state --state \
NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 389 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
# Permit outgoing LDAPS:// queries on eth0 and the replies to them...
iptables -A OUTPUT -o eth0 -p tcp --dport 636 -m state --state \
NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 636 -m state --state \
ESTABLISHED,RELATED -j ACCEPT

Should be a good basis to start with.  Since you have SSH open to the
outside world (btw, the first non-privileged port is 1024, not 513),
you might want to add some rules to the SSH stuff to prevent brute-force
password guessing attacks.  Here's a set that blocks a given IP if they
try to ssh more than once every 3 minutes.  It's enough to block the
script kiddies out there:

# This rejects ssh attempts more than twice in 180 seconds...
# First, mark attempts as part of the "sshattack" group...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# Optional: Include this line if you want to log these attacks...
#-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck \
#--seconds 180 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "
# Finally, reject the connection if more than one attempt is made in 180
# seconds...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck \
--seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset

Obviously, change the "--hitcount 2" and "--seconds 180" to whatever you
want.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                       rps2@xxxxxxxx -
- Hosting Consulting, Inc.                                           -
-                                                                    -
-           Blech!  ACKth!  Ooop!  -- Bill the Cat (Outland)         -
----------------------------------------------------------------------
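Pulling the pieces of the thread together, here is a generator for a complete ruleset in iptables-restore format for the layout Rick assumed (eth0 public, eth1 and eth2 private): inbound SSH only on the public side, rate-limited with the "recent" match, outbound LDAP and LDAPS only, and the private NICs wide open. It is an added example, not the script from the thread, and the interface names and the 162.254.180.165 address are taken over from the posts as assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for a
# dual-homed host.  Interface names and the public IP are assumptions passed
# in as arguments.  Apply with:
#   gen_rules eth0 "eth1 eth2" 162.254.180.165 | iptables-restore
gen_rules() {
    ext="$1"; privs="$2"; pubip="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to anything this host initiated (and replies to what it accepted)
# come back through these two rules, so no per-service ESTABLISHED rule is
# needed for LDAP or SSH below.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound SSH on the public NIC.  Same ordering as Rick's rules: every SYN is
# recorded first, then a source seen twice within 180 s gets a TCP reset.
-A INPUT -i $ext -d $pubip -p tcp --syn --dport 22 -m recent --name sshattack --set
-A INPUT -i $ext -d $pubip -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
-A INPUT -i $ext -d $pubip -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Outbound LDAP client: the SYN this host sends carries --dport 389/636.
# No OUTPUT rule for --dport 22 exists, so outbound SSH stays blocked.
-A OUTPUT -o $ext -s $pubip -p tcp --dport 389 -m state --state NEW -j ACCEPT
-A OUTPUT -o $ext -s $pubip -p tcp --dport 636 -m state --state NEW -j ACCEPT
# ICMP echo in both directions on the public NIC; the replies are ESTABLISHED.
-A INPUT -i $ext -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
-A OUTPUT -o $ext -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
EOF
    # The private NICs are "chatty": everything in and out is allowed.
    for p in $privs; do
        echo "-A INPUT -i $p -j ACCEPT"
        echo "-A OUTPUT -o $p -j ACCEPT"
    done
    # FORWARD stays at its DROP policy: this host is not a router.
    echo "COMMIT"
}
```

Feed the output to iptables-restore rather than running iptables line by line, so the whole table is swapped atomically and a half-applied script cannot lock you out of the SSH session you are working from.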
