  1. #1
    Just Joined!
    Join Date
    May 2005
    Location
    Southern California, US
    Posts
    5

    Firewall not exactly Firewalling


    My ultimate goal is to limit SSH logins to a few specified static IPs and block everything else.

    I thought iptables was the way to do this, however, as a novice, I'm fumbling a bit. To just play it safe and try things as a start, I used "lokkit" to disable incoming FTP and study the changes to iptables. Only problem is, after deselecting FTP (and checking iptables to see that the change was reflected) I could still login via ftp. I did check to make sure I selected the correct physical interface. I did run 'service iptables status' before and after 'lokkit' to see the difference (the entry for port 21 is simply absent after deselecting FTP in lokkit.) Well, at this point I'm not sure what to do if I can't even get the most rudimentary selection to function as expected. Is it possible there is some kernel module requirement that's not being met, and thus no filtering? Some other configuration that allows incoming (FTP) traffic, overriding iptables. Just guessing at this point. Any advice on where to turn or what to try would be much appreciated.

    There are two NICs in the box, but only one is connected to the network. The correct NIC (eth0) is selected in lokkit.


    Here's a readout of 'iptables status'. The -> indicates the line that is absent when FTP is deselected in lokkit.

    Table: filter
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    RH-Firewall-1-INPUT all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    RH-Firewall-1-INPUT all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain RH-Firewall-1-INPUT (2 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT icmp -- anywhere anywhere icmp any
    ACCEPT ipv6-crypt -- anywhere anywhere
    ACCEPT ipv6-auth -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
    -> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

  2. #2
    Linux User Krendoshazin
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    471
    I believe the problem is with the default policies you have set; they're set to ACCEPT, which will basically allow anything through. Switch to root and use the command
    iptables -P INPUT DROP
    This will change the default policy to drop all traffic; after that you can add individual addresses to accept on certain ports, or allow all traffic on a certain port. Change INPUT to FORWARD and OUTPUT for the same effect.

  3. #3
    Just Joined!
    Join Date
    May 2005
    Location
    Southern California, US
    Posts
    5
    The server is colocated in Galaxy far far away . . . well, Koreatown, which is not the nicest part of LA to make a trip to, so I've got to be careful when making these changes. I have done the following, however:

    /etc/sysconfig/iptables:
    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j DROP
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT


    Then run,
    'service iptables restart'
    'service iptables status'

    and the status is:

    Table: filter
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    RH-Firewall-1-INPUT all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    RH-Firewall-1-INPUT all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain RH-Firewall-1-INPUT (2 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT icmp -- anywhere anywhere icmp any
    ACCEPT ipv6-crypt -- anywhere anywhere
    ACCEPT ipv6-auth -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
    DROP tcp -- anywhere anywhere state NEW tcp dpt:ftp
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


    Now I'm obviously missing something because this reads to me something like, let it all in except new tcp connections from anywhere on port 21. But I can still log in over FTP on port 21.


    Thank you for your assistance.
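The question left open across posts #1 to #3 is which rule actually decides an incoming FTP connection. iptables evaluates a chain top to bottom and the first terminal target (ACCEPT, DROP, REJECT) wins, so in the ruleset quoted above the line "-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT" (what lokkit writes when a NIC is marked trusted) accepts every packet arriving on eth0 before the port-21 DROP, or any chain policy, is ever consulted. The following added example is not code from the thread or from any of its posters: it is a small first-match walker that parses the iptables-save format shown in post #3, reports the deciding rule for a constructed packet, and then does the same for a constructed hardened ruleset that drops the blanket eth0 rule and limits SSH to two placeholder management addresses (203.0.113.10 and 198.51.100.7, RFC 5737 documentation space, assumed here). The client address 192.0.2.5 is likewise constructed. Match modules (-m) and ICMP types are ignored by the simulation; interface, protocol, destination port, source address and conntrack state are checked.

```python
"""Added illustrative code, not from the thread: a first-match walk over an
iptables *filter ruleset in iptables-save format, reporting which rule decides a packet."""
import ipaddress
from collections import namedtuple

# Ruleset quoted in post #3, reproduced verbatim.
THREAD_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j DROP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed hardened variant: no blanket eth0 ACCEPT, SSH only from two placeholder
# management addresses (RFC 5737 space), FTP simply falls into the final REJECT.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 203.0.113.10 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 198.51.100.7 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

Packet = namedtuple("Packet", "in_iface proto dport src state")  # state: NEW/ESTABLISHED/RELATED


def parse(ruleset):
    """Return (chain policies, rules per chain); each rule is a flag->value map plus its text."""
    policies, chains = {}, {}
    for line in ruleset.splitlines():
        tokens = line.split()
        if line.startswith(":"):                      # e.g. ":INPUT ACCEPT [0:0]"
            policies[tokens[0][1:]] = tokens[1]
            chains[tokens[0][1:]] = []
        elif line.startswith("-A "):                  # every option here takes one value
            rule = dict(zip(tokens[2::2], tokens[3::2]))
            rule["line"] = line
            chains[tokens[1]].append(rule)
    return policies, chains


def matches(rule, p):
    """Every filtering option present on the rule must match the packet."""
    checks = {
        "-i": lambda v: v == p.in_iface,
        "-p": lambda v: v == p.proto,
        "--dport": lambda v: int(v) == p.dport,
        "-s": lambda v: ipaddress.ip_address(p.src) in ipaddress.ip_network(v, strict=False),
        "--state": lambda v: p.state in v.split(","),
    }
    return all(check(rule[flag]) for flag, check in checks.items() if flag in rule)


def walk(chain, p, chains):
    """First matching terminal target wins; a user chain that falls through returns None."""
    for rule in chains[chain]:
        if not matches(rule, p):
            continue
        if rule["-j"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["-j"], rule["line"]
        verdict, line = walk(rule["-j"], p, chains)
        if verdict:
            return verdict, line
    return None, None


def decide(p, ruleset, chain="INPUT"):
    """(verdict, deciding rule text), or (chain policy, None) when nothing matched:
    the policy from post #2 only decides packets that reach the end of the chain."""
    policies, chains = parse(ruleset)
    verdict, line = walk(chain, p, chains)
    return (verdict, line) if verdict else (policies[chain], None)


if __name__ == "__main__":
    ftp_login = Packet("eth0", "tcp", 21, "192.0.2.5", "NEW")  # constructed client
    print(decide(ftp_login, THREAD_RULESET))    # ACCEPT, decided by the -i eth0 rule
    print(decide(ftp_login, HARDENED_RULESET))  # REJECT, decided by the final rule
```

Running it against the thread's own ruleset shows the FTP SYN accepted by the "-i eth0" line, which is why neither the port-21 DROP nor a DROP policy (post #2) changes anything: the packet never gets that far. The policy only matters once no rule matches, which the unconditional trailing REJECT already prevents; the walker reports the policy as the verdict when that REJECT is removed. The hardened variant is still a starting point, not a drop-in: on a colocated box, confirm the management address in an ESTABLISHED session before restarting iptables, since a mistake in the -s rules locks out SSH.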

  4. #4
    Linux User Krendoshazin
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    471
    You might want to try adding the rule to INBOUND.
