- 08-24-2010 #1 (Just Joined! | Join Date: Jul 2009 | Location: Nebraska | Posts: 24)
iptables
Hi, this is my first go at iptables... I have my own Linux box set up as a router/firewall.
eth0 is the external NIC, getting the ISP address using DHCP.
eth1 is the internal NIC that is handing out IP addresses using dhcp3 through a switch that has client PCs on it.
First I want to make sure that the client PCs can reach the internet through eth0 on the router.
I would also like to have everything from the outside network dropped, and only ports 22 and 8080 accessible from the outside network.
Does the following iptables script look correct and secure? I am not too sure on the order of things...
#!/bin/sh
IPT=/sbin/iptables
$IPT -F
#policies
$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
#allowed inputs
$IPT -A INPUT --in-interface lo -j ACCEPT
#allowed responses
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i eth1 -o eth0 -j ACCEPT
#allow ports
$IPT -A INPUT -p tcp --dport 8080 -j ACCEPT
$IPT -A INPUT -p tcp --dport 2020 -j ACCEPT
$IPT -A INPUT -s localhost -p tcp --dport 3306 -j ACCEPT
- 08-25-2010 #2
You have to keep in mind the difference between INPUT/OUTPUT and FORWARD. The first will only affect traffic that is for the firewall. FORWARD will only affect traffic that is passing through the firewall.
So now what I would need to know is where are ports 22 and 8080 stopping? On the firewall (bad idea) or on a system inside your network? Normally you want nothing from the internet to have access to the firewall.
One other thing to point out is that ESTABLISHED,RELATED are useless without having NEW rules to post information into the firewall's tracking DB. Without the NEW rules you are only doing port/IP firewalling and not connection-based, as ESTABLISHED,RELATED require to function.
OK, after the above questions are answered we can talk about your firewall.
- 08-25-2010 #3
Ports 22 and 8080 are on the firewall itself... is that really a bad idea? If so I can definitely change things around; however, I would like to get this working for now. I have updated my firewall to this:
#!/bin/sh
IPT=/sbin/iptables
$IPT -F
#policies
$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT   # <-- I had to change this to ACCEPT or nothing would pass through from my clients to the internet.
#allowed inputs
$IPT -A INPUT --in-interface lo -j ACCEPT
#allowed responses
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT -A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT   # <-- added NEW and removed the line ($IPT -A FORWARD -i eth1 -o eth0 -j ACCEPT)
#allow ports
$IPT -A INPUT -p tcp --dport 8080 -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -s localhost -p tcp --dport 3306 -j ACCEPT
EVERYTHING seems to be working just fine, except I cannot reach my web server on 8080, nor can I SSH into the box on port 22. And I haven't tried port 3306 from the local machine??? Any ideas?
Thanks for your help!
- 08-25-2010 #4
I also just noticed that I cannot ping the gateway (eth1 - 192.168.0.201) from the client machine, but I am getting an address from the eth1 dhcp3-server and it is showing the correct gateway of 192.168.0.201. I can reach the internet just fine and all... why can't I ping the gateway? Is that an iptables rule as well?
- 08-25-2010 #5
This is my opinion, and opinions are aplenty. I never run anything on the firewall, for the simple fact that should any service become compromised your firewall is now useless, as they will have control over it.
Quote: $IPT -P FORWARD ACCEPT <-- i had to change this to accept or nothing would pass through from my clients to the internet.
Big mistake. This is the same as not having a firewall, as everything is allowed through because you have no drop rules on the FORWARD chain.
Quote: EVERYTHING seems to be working just fine except i can not reach my webserver on 8080 nor can i ssh into the box on port 22 - And i haven't tried port 3306 from the local machine??? Any ideas?
Yes. You don't have any rules that allow connection to the firewall on those ports.
Yep.
How about trying the following firewall and let me know if it works:
I changed things around some. The only traffic allowed onto the firewall is from the LAN (i.e., -i eth1). If you are serving web pages to the internet then you have to amend the rules to allow the traffic in.
Code:
#!/bin/sh
iptables -F
iptables -Z
iptables -X
#policies
#########
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
#allowed inputs to the firewall from the LAN only
#################################################
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -j ACCEPT
iptables -A INPUT -j DROP
#allowed internet traffic
#########################
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -m state --state NEW -j ACCEPT
iptables -A FORWARD -j DROP
#masquerade all traffic leaving to the internet
##############################################
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Since you only have 2 interfaces there is no real need to make the ESTABLISHED,RELATED rules interface-bound. In fact I normally only set up the ESTABLISHED,RELATED rules this way, as if the NEW connection was allowed to begin with then there is no reason not to allow the follow-up traffic.
Have a look at this THREAD where I talk with another member about firewalls. In my first post I give him a link to the Tutorial for iptables and in my last post I talk about a proper way to build a firewall.
- 08-25-2010 #6
external traffic
Thank you so much for this!
I haven't been able to try this yet because I am at work, and I don't want to break my connection and not be able to bring it back up if the rules don't work.
However, I do have a web server running on this machine, so I WOULD need external access to port 8080 as well as 22 for SSH.
Quote: Yes. You don't have any rules that allow connection to the firewall on those ports.
I in fact did have those ports open; I found out it was just a DNS issue that wasn't resolving (since I was trying to connect via DNS instead of IP).
I completely understand the fact that having the default FORWARD policy set to ACCEPT is unsafe... but without doing so I cannot reach the internet from the client machines.
Here is what I have working at the moment... the only bad thing is that the default FORWARD policy is set to ACCEPT. Because like I said, otherwise client computers can't get to the internet...
#!/bin/bash
IPT=/sbin/iptables
$IPT -F
$IPT -t nat -F
#policies
$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
#allow all on loopback
$IPT -A INPUT --in-interface lo -j ACCEPT
#allow responses
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT -A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#allow only certain icmp
# 0 => echo reply
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
# 3 => Destination Unreachable
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
# 11 => Time Exceeded
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# 8 => Echo
# avoid ping flood
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
#allow ports
$IPT -A INPUT -p tcp --dport 8080 -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -s localhost -p tcp --dport 3306 -j ACCEPT
exit 0
I would be more than happy to try your script once I get home, but it is important that the ports I have above are available from the internet (eth0). Would you be kind enough to make those modifications?
Thanks again!
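As an added example (not a script from any poster in this thread), the ruleset below applies the INPUT-versus-FORWARD point made in #5 to the request in #6: FORWARD stays at DROP, clients still reach the internet because LAN-originated NEW connections get an explicit FORWARD rule, and SSH/8080 on the firewall are opened to eth0 as the poster asked. It assumes eth0 is the internet side and eth1 the LAN, and adds a DRYRUN mode plus a check function so the rules can be reviewed without root before touching a live box.

```shell
#!/bin/sh
# Added example, not any poster's script: the default-deny ruleset the thread
# converges on, with the rule the original poster was missing. Assumes
# eth0 = internet, eth1 = LAN, and (per post #6) that SSH (22) and the web
# server (8080) on the firewall must stay reachable from the internet.
# DRYRUN=1 prints the rules instead of applying them, for review before use.
WAN=eth0
LAN=eth1
IPT=/sbin/iptables
ipt() {
    if [ "${DRYRUN:-0}" = 1 ]; then echo "iptables $*"; else "$IPT" "$@"; fi
}
apply_ruleset() {
    ipt -F; ipt -X; ipt -Z; ipt -t nat -F
    # Default-deny for traffic to the firewall and traffic routed through it.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Conntrack first: replies belong to connections already accepted as NEW.
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # Services on the firewall itself: MySQL and ping only from the LAN side,
    # SSH and the web server from anywhere, each limited to NEW connections.
    ipt -A INPUT -i "$LAN" -p tcp --dport 3306 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$LAN" -p icmp -j ACCEPT
    for port in 22 8080; do
        ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # The rule post #6's script lacks: LAN-originated NEW connections may leave.
    # No eth0 -> eth1 NEW rule exists, so FORWARD DROP stops inbound attempts.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}
# Review the emitted rules without root: FORWARD must default to DROP,
# LAN -> WAN NEW must be allowed, and no WAN-originated NEW may be forwarded.
check_ruleset() {
    rules=$(DRYRUN=1 apply_ruleset)
    echo "$rules" | grep -q -- '-P FORWARD DROP' || return 1
    echo "$rules" | grep -q -- \
        "-A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT" || return 1
    echo "$rules" | grep -q -- "-A FORWARD -i $WAN .*--state NEW" && return 1
    return 0
}
if [ "${DRYRUN:-0}" = 1 ]; then
    check_ruleset && apply_ruleset
fi
```

Run it as `DRYRUN=1 sh firewall.sh` to print the rules for review; without DRYRUN it only defines the functions, and `apply_ruleset` must then be called as root to load them.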
- 08-27-2010 #7
Give a man a fish he eats once.
Teach a man to fish he eats always.
I have provided you with more than enough information that you should be able to figure this out. If you cannot, then you should not be configuring a client machine, as you do not have the skills required for the task at hand.
I will say one thing though: your FORWARD rule is useless because the policy is ACCEPT, thus allowing anyone into the network, and if the machines on the inside are not protected they could well be already compromised.
- 08-27-2010 #8
- 08-27-2010 #9
You are not asking for help, you are asking for someone to hold your hand and do your work. There is a difference. Asking for help and getting shown where the answers are so you can read up on the subject and learn is HELP.
So I have shown you what you need to know to sustain yourself and grow. You have decided the best option is to be spoon-fed. Sorry, my spoon cannot feed someone who is not willing to learn.