05-26-2005 #1
Firewall not exactly Firewalling
My ultimate goal is to limit SSH logins to a few specified static IPs and block everything else.
I thought iptables was the way to do this, however, as a novice, I'm fumbling a bit. To just play it safe and try things as a start, I used "lokkit" to disable incoming FTP and study the changes to iptables. Only problem is, after deselecting FTP (and checking iptables to see that the change was reflected) I could still login via ftp. I did check to make sure I selected the correct physical interface. I did run 'service iptables status' before and after 'lokkit' to see the difference (the entry for port 21 is simply absent after deselecting FTP in lokkit.) Well, at this point I'm not sure what to do if I can't even get the most rudimentary selection to function as expected. Is it possible there is some kernel module requirement that's not being met, and thus no filtering? Some other configuration that allows incoming (FTP) traffic, overriding iptables. Just guessing at this point. Any advice on where to turn or what to try would be much appreciated.
There are two NICs in the box, but only one is connected to the network. The correct NIC (eth0) is selected in lokkit.
Here's a readout of iptables status. The -> indicates the line that is absent when FTP is deselected in lokkit.
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
-> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
05-27-2005 #2
I believe the problem is with the default policies you have set, they're set to ACCEPT which will basically allow anything through, switch to root and use the command
iptables -P INPUT DROP
This will change the default policy to drop all traffic, after that you can add individual addresses to accept on certain ports, or allow all traffic on a certain port. Change INPUT with FORWARD and OUTPUT for the same effect.
Great GNU/Linux references and resources:
The Linux Documentation Project
Rute User's Tutorial and Exposition
GNU/Linux Man Pages
05-27-2005 #3
The server is colocated in Galaxy far far away . . . well, Koreatown, which is not the nicest part of LA to make a trip to, so I've got to be careful when making these changes. I have done the following, however:
/etc/sysconfig/iptables:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j DROP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Then run,
'service iptables restart'
'service iptables status'
and the status is:
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
DROP tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Now I'm obviously missing something because this reads to me something like, let it all in except new tcp connections from anywhere on port 21. But I can still log in over FTP on port 21.
Thank you for your assistance.
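The ruleset posted above never reaches its FTP DROP: iptables evaluates a chain top to bottom and the first matching terminal target wins, and the line `-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT` near the top accepts every packet arriving on eth0 before the port-21 rule is consulted. The script below is an added example (not from the thread) that replays the post's own rule lines through a small first-match evaluator, then shows a constructed variant that removes the blanket rule and limits SSH to one static source address; 203.0.113.10 and 198.51.100.7 are placeholder addresses.

```python
"""First-match evaluator for the ruleset in post #3 (added example, not from the forum).
203.0.113.10 and 198.51.100.7 are constructed addresses; the '-s' SSH rule is a constructed variant."""
import shlex
PAGE_RULES = """
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j DROP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# option -> packet field it constrains; -m and --reject-with add no match criterion here
KEYS = {"-i": "iface", "-p": "proto", "--dport": "dport", "--state": "state", "-s": "src", "-j": "target"}

def parse(text):
    """Each '-A CHAIN opt val ...' line becomes a dict of criteria plus its chain and target."""
    rules = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        r = {"chain": tok[1]}
        r.update((KEYS[k], v) for k, v in zip(tok[2::2], tok[3::2]) if k in KEYS)
        rules.append(r)
    return rules

def matches(r, pkt):
    # every criterion the rule carries must equal the packet's field; state is a list
    for k in ("iface", "proto", "dport", "src"):
        if k in r and r[k] != str(pkt[k]):
            return False
    return "state" not in r or pkt["state"] in r["state"].split(",")

def verdict(rules, pkt, chain="INPUT", policy="ACCEPT"):
    """First matching terminal target wins; a user chain with no match returns None to its caller."""
    for r in rules:
        if r["chain"] == chain and matches(r, pkt):
            if r["target"] in ("ACCEPT", "DROP", "REJECT"):
                return r["target"]
            sub = verdict(rules, pkt, r["target"], None)
            if sub:
                return sub
    return policy

def new_tcp(src, dport, iface="eth0"):
    return {"iface": iface, "proto": "tcp", "dport": dport, "src": src, "state": "NEW"}
# As posted, '-i eth0 -j ACCEPT' catches every packet from the wire, so the FTP DROP is dead code.
posted = parse(PAGE_RULES)
# Constructed fix: drop the blanket rule and allow new SSH connections only from one static address.
fixed = parse(PAGE_RULES.replace("-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT\n", "")
              .replace("--dport 22 -j", "--dport 22 -s 203.0.113.10 -j"))
```

With the posted rules a new FTP connection from eth0 is ACCEPTed; with the fixed rules it is DROPped, SSH from 203.0.113.10 is ACCEPTed, and SSH from any other address falls through to the final REJECT.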
05-27-2005 #4
you might want to try adding the rule to INBOUND