  1. #1
    Linux Guru
    Join Date
    Sep 2004
    Posts
    1,804

    About iptables rules


    Hi folks,


    Ubuntu 7.04 lamp server amd64 - Host OS
    VMware
    Guest OS - not yet installed.
    Iptables-1.3.6


    $ cat /etc/network/interfaces
    Code:
    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).
    
    # The loopback network interface
    auto lo
    iface lo inet loopback
    
    # The primary network interface
    auto eth0
    iface eth0 inet static
            address 192.168.0.10
            netmask 255.255.255.0
            gateway 192.168.0.1

    Browser can connect Internet w/o problem.


    After performing the following steps to set up iptables, the Internet connection is blocked.

    Edited /etc/rc.local and entered the following rules in it
    Code:
    #!/bin/sh -e
    #
    # rc.local
    #
    # This script is executed at the end of each multiuser runlevel.
    # Make sure that the script will "exit 0" on success or any other
    # value on error.
    #
    # In order to enable or disable this script just change the execution
    # bits.
    #
    # By default this script does nothing.
    
    #exit 0
    
    #
    # INPUT
    #
    
    # allow all incoming traffic from the management interface NIC
    # as long as it is a part of an established connection
    iptables -I INPUT 1 -j ACCEPT -d 192.168.0.10 -m state --state RELATED,ESTABLISHED
    
    # allow all ssh traffic to the management interface NIC
    iptables -I INPUT 2 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 22
    
    # allow all VMware MUI HTTP traffic to the management interface NIC
    iptables -I INPUT 3 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8222
    
    # allow all VMware MUI HTTPS traffic to the management interface NIC
    iptables -I INPUT 4 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8333
    
    # allow all VMware Authorization Daemon traffic to the management interface NIC
    iptables -I INPUT 5 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 902
    
    # reject all other traffic to the management interface NIC
    iptables -I INPUT 6 -j REJECT -d 192.168.0.10 --reject-with icmp-port-unreachable
    
    
    #
    # OUTPUT
    #
    
    # allow all outgoing traffic from the management interface NIC
    # if it is a part of an established connection
    iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED
    
    # allow all DNS queries from the management interface NIC
    iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53
    
    # reject all other traffic from localhost
    iptables -I OUTPUT 3 -j REJECT -s 127.0.0.10 --reject-with icmp-port-unreachable
    
    # reject all other traffic from the management interface NIC
    iptables -I OUTPUT 4 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable

    $ sudo /etc/init.d/rc.local start
    Code:
     * Running local boot scripts (/etc/rc.local)                                                     [ OK ]
    $ sudo iptables -L
    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
    REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 
    ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
    REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 
    ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
    REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 
    ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
    REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 
    ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
    REJECT     0    --  anywhere             192.168.0.1         reject-with icmp-port-unreachable 
    ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
    ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
    REJECT     0    --  127.0.0.10           anywhere            reject-with icmp-port-unreachable 
    REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable 
    ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
    ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
    REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
    REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable 
    ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
    ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
    REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
    REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable 
    ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
    ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
    REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
    REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable 
    ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
    ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
    REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
    REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable

    $ ping -c3 yahoo.com
    Code:
    PING yahoo.com (216.109.112.135) 56(84) bytes of data.
    From 192.168.0.10 icmp_seq=1 Destination Port Unreachable
    From 192.168.0.10 icmp_seq=1 Destination Port Unreachable
    From 192.168.0.10 icmp_seq=1 Destination Port Unreachable
    
    --- yahoo.com ping statistics ---
    0 packets transmitted, 0 received, +3 errors
    Failed.


    I have to run the following command to stop iptables.

    $ sudo iptables -F
    No complaint

    $ ping -c3 yahoo.com
    Code:
    PING yahoo.com (216.109.112.135) 56(84) bytes of data.
    64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=1 ttl=55 time=242 ms
    64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=2 ttl=54 time=247 ms
    64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=3 ttl=54 time=246 ms
    
    --- yahoo.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 1998ms
    rtt min/avg/max/mdev = 242.397/245.283/247.256/2.086 ms
    Internet connection then worked.


    Please advise what goes wrong. TIA


    B.R.
    satimis

  2. #2
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Quote Originally Posted by satimis
    After performing the following steps to set up iptables, the Internet connection is blocked.
    No big mystery here. You're adding a rule to the OUTPUT chain that specifically blocks your IP address from getting out.

    Code:
    iptables -I OUTPUT 4 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
    The source matches your IP. Thus, you can not get out.

    P.S. You might want to add a flush to that firewall script... You're stacking the same rules onto the same rules over and over.

  3. #3
    Linux Guru
    Join Date
    Sep 2004
    Posts
    1,804
    Quote Originally Posted by anomie View Post
    No big mystery here. You're adding a rule to the OUTPUT chain that specifically blocks your IP address from getting out.

    Code:
    iptables -I OUTPUT 4 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
    The source matches your IP. Thus, you can not get out.

    P.S. You might want to add a flush to that firewall script... You're stacking the same rules onto the same rules over and over.
    Hi anomie,


    I just followed the following guide:
    How to configure and secure Linux for VMware

    He has 2 NICs. I have only one.

    B.R.
    satimis

  4. #4
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    What's your end game here? You want to run an application (LAMP) server?

    Do your requirements involve being able to establish new outbound connections from that server (e.g. for software updates)?

    I don't know what to recommend without knowing what you are trying to do.

  5. #5
    Linux Guru
    Join Date
    Sep 2004
    Posts
    1,804
    Hi anomie,


    My goal is to build a Virtual Machine with a lamp server running on Ubuntu 7.04 amd64 as Host OS. This VM will be for testing. Incidentally I found those guides on the Internet, therefore I'm following them. VMware is now running on this PC. I haven't installed the Guest OS yet.

    I have no idea whether those guides are applicable to my need.

    Do your requirements involve being able to establish new outbound connections from that server (e.g. for software updates)?
    Yes, I need to update the software components on the lamp server. I won't run the server as a workstation. At the beginning of the installation of this VM I need to search technical documents on the Internet; therefore I run X and limited components of X such as Fluxbox (desktop manager), a GUI browser (Firefox; I'm not used to running a text browser), a GUI text editor (leafpad), Rox filer, screenshot, etc. X won't start at boot.

    What I'm most concerned about is that the NIC will be shared by another OS, the guest OS, to be installed later.


    B.R.
    satimis

  6. #6
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    The howto you found is fine (I actually know the author, FWIW), but you need to be able to adjust it to meet your own needs.

    A few points:
    • You're on a private (192.168.0.0/16) network. Does this mean you'll only be serving users on the same network?
    • Your INPUT chain can be modified to only make visible the services you intend to provide -- my guess is only http (tcp 80) and https (tcp 443). You'll also need sshd (tcp 22) if you won't have console access.
    • Your OUTPUT chain can probably be left wide open with a default policy of ACCEPT and no additional rules. At least for now, given the circumstances you've explained.

  7. #7
    Linux Guru
    Join Date
    Sep 2004
    Posts
    1,804
    Hi anomie,


    The howto you found is fine (I actually know the author, FWIW), but you need to be able to adjust it to meet your own needs.
    Tks for your info. It is good news to me, saving me the time of searching for another guide.


    A few points:
    • You're on a private (192.168.0.0/16) network. Does this mean you'll only be serving users on the same network?
    My network connection is as follows:

      Server -> Router -> DSL Modem -> ISP

      The Router and Modem are supplied by the ISP. The former has 4 ports. 192.168.01 has been locked by the ISP with a password. I need a login and password to access this address, which is now used as the Gateway address.

      192.168.0.10 is reserved for the server. The other 3 ports are connected to workstations. I have a fixed IP allotted by the ISP and a domain name registered with GoDaddy. The server after setup will serve the LAN as well as the Internet.

    • Your INPUT chain can be modified to only make visible the services you intend to provide -- my guess is only http (tcp 80) and https (tcp 443). You'll also need sshd (tcp 22) if you won't have console access.
    How do I modify the INPUT chain so that only the intended services are visible?

    Ports 20 and 80 are now open. I have ssh client and server installed. The server can be remote-accessed by workstations and vice versa.

    • Your OUTPUT chain can probably be left wide open with a default policy of ACCEPT and no additional rules. At least for now, given the circumstances you've explained.
    Or should the rule be made as follows?
    Code:
    iptables -A OUTPUT -p icmp --icmp-type 8 -s 192.168.0.10 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    TIA


    B.R.
    satimis

  8. #8
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Back up your old script and try this.

    Code:
    #!/bin/bash
    
    TRUSTEDNET=192.168.0.0/24
    
    # Flush rules
    iptables -F
    
    # INPUT
    
    # Allow loopback traffic
    iptables -A INPUT -i lo -j ACCEPT
    
    # Allow established connections
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # Allow new ssh connections from trusted net
    iptables -A INPUT -m state --state NEW -s ${TRUSTEDNET} -p tcp --dport 22 -j ACCEPT
    
    # Allow new http connections from anywhere
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    
    # Allow new https connections from anywhere
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
    
    # Drop all else by default
    iptables -A INPUT -j DROP
    
    # Set default policies
    iptables -P INPUT ACCEPT
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    Notes:
    • Change TRUSTEDNET to the IP (or subnet) that you want to have access to sshd.
    • Add more restrictive OUTPUT chain rules as needed, once you've established what is legitimate outbound traffic in your situation.
    • I'd suggest hardening sshd further rather than relying only on packet filtering rules.
    • You're going to need to forward ports from your router/NAT device to the appropriate ports on your LAMP server.
    • And the list goes on...


    I'd recommend really knowing what you're doing before opening this up to the web, or else you're just another target waiting to get "pwned".

    Please read and understand the manpages for iptables(8) so that you can set up rules based on your own needs.
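    The two things anomie points out in #2 and #8 (a REJECT whose source matches your own address catches every new outbound packet, and a script without a flush stacks the same rules on top of each other) both come down to iptables evaluating a chain top to bottom and taking the first rule that matches. To make that concrete, here is an added Python simulator; it is not code from this thread, from anomie, or from the howto. It models only the matches the thread uses (-p, -s, -d, --dport, -i and -m state), treats the conntrack state as a value supplied with the packet rather than tracking connections itself, and ignores --reject-with. The sample packets are constructed: the yahoo.com address comes from the ping output above, and 203.0.113.7 is a made-up outside host.

```python
"""Minimal first-match simulator for iptables filter chains (added example, not from the thread)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ME = "192.168.0.10"  # the server's address from /etc/network/interfaces in the first post


@dataclass
class Rule:
    """One filter rule; a field left as None means 'match anything' for that criterion."""
    target: str                              # ACCEPT, REJECT or DROP
    proto: Optional[str] = None              # "tcp", "udp", "icmp"
    src: Optional[str] = None                # host or CIDR, e.g. "192.168.0.0/24"
    dst: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[frozenset] = None       # e.g. {"RELATED", "ESTABLISHED"}
    in_iface: Optional[str] = None           # -i lo

    def matches(self, pkt: dict) -> bool:
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.states and pkt["state"] not in self.states:
            return False
        if self.in_iface and pkt.get("iface") != self.in_iface:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)

    def append(self, rule: Rule) -> None:          # iptables -A
        self.rules.append(rule)

    def insert(self, pos: int, rule: Rule) -> None:  # iptables -I CHAIN pos (1-based)
        self.rules.insert(pos - 1, rule)

    def flush(self) -> None:                       # iptables -F
        self.rules.clear()

    def verdict(self, pkt: dict):
        """Walk the chain top to bottom; return (target, rule number) or (policy, None)."""
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.target, number
        return self.policy, None


def load_original_output(chain: Chain) -> None:
    """The OUTPUT rules from the first post's rc.local, applied with -I at the stated positions."""
    chain.insert(1, Rule("ACCEPT", src=ME, states=frozenset({"RELATED", "ESTABLISHED"})))
    chain.insert(2, Rule("ACCEPT", src=ME, proto="udp", dport=53))
    chain.insert(3, Rule("REJECT", src="127.0.0.10"))
    chain.insert(4, Rule("REJECT", src=ME))


def load_anomie_input(chain: Chain, trustednet: str = "192.168.0.0/24") -> None:
    """The INPUT rules from post #8: flush first, then append in order, DROP last."""
    chain.flush()
    chain.append(Rule("ACCEPT", in_iface="lo"))
    chain.append(Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})))
    chain.append(Rule("ACCEPT", states=frozenset({"NEW"}), src=trustednet, proto="tcp", dport=22))
    chain.append(Rule("ACCEPT", states=frozenset({"NEW"}), proto="tcp", dport=80))
    chain.append(Rule("ACCEPT", states=frozenset({"NEW"}), proto="tcp", dport=443))
    chain.append(Rule("DROP"))
    chain.policy = "ACCEPT"


def original_ping_verdict():
    """Why the first ping failed: a NEW outbound echo request skips rules 1-3 and hits the REJECT."""
    out = Chain(policy="ACCEPT")
    load_original_output(out)
    echo_request = {"proto": "icmp", "src": ME, "dst": "216.109.112.135", "state": "NEW"}
    return out.verdict(echo_request)


def stacked_rule_count(runs: int) -> int:
    """Running the original script `runs` times without a flush leaves 4 * runs rules in the chain."""
    out = Chain()
    for _ in range(runs):
        load_original_output(out)
    return len(out.rules)


if __name__ == "__main__":
    print("original OUTPUT chain, ping to yahoo.com:", original_ping_verdict())
    print("rules after 3 runs without a flush:", stacked_rule_count(3))
    inp = Chain()
    load_anomie_input(inp)
    for pkt in ({"proto": "tcp", "src": "192.168.0.20", "dst": ME, "dport": 22, "state": "NEW"},
                {"proto": "tcp", "src": "203.0.113.7", "dst": ME, "dport": 22, "state": "NEW"},
                {"proto": "tcp", "src": "203.0.113.7", "dst": ME, "dport": 80, "state": "NEW"}):
        print(pkt["src"], "->", pkt["dport"], inp.verdict(pkt))
```

    The first call returns ('REJECT', 4): the echo request is NEW, so the RELATED,ESTABLISHED rule does not apply, it is not UDP/53, and its source is 192.168.0.10, which is exactly what rule 4 rejects. With anomie's script the same address space is handled in the other direction: ssh from 192.168.0.20 is accepted by rule 3, ssh from 203.0.113.7 falls through to the final DROP, and http from anywhere is accepted by rule 4. The stacked count shows why the flush matters: the verdicts do not change when the rules are duplicated, but the chain grows on every run, which is what the repeated blocks in the first `iptables -L` output above are.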

  9. #9
    Linux Guru
    Join Date
    Sep 2004
    Posts
    1,804
    Hi anomie,

    Back up your old script and try this.

    Code:
    #!/bin/bash
    
    TRUSTEDNET=192.168.0.0/24
    
    # Flush rules
    iptables -F
    
    # INPUT
    
    # Allow loopback traffic
    iptables -A INPUT -i lo -j ACCEPT
    
    # Allow established connections
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # Allow new ssh connections from trusted net
    iptables -A INPUT -m state --state NEW -s ${TRUSTEDNET} -p tcp --dport 22 -j ACCEPT
    
    # Allow new http connections from anywhere
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    
    # Allow new https connections from anywhere
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
    
    # Drop all else by default
    iptables -A INPUT -j DROP
    
    # Set default policies
    iptables -P INPUT ACCEPT
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    $ sudo mv /etc/rc.local /etc/rc.local.old
    $ sudo touch /etc/rc.local

    Copied your sample into "rc.local"


    $ sudo /etc/rc.local start

    $ sudo iptables -L
    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     0    --  anywhere             anywhere            
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED 
    ACCEPT     tcp  --  192.168.0.0/24       anywhere            state NEW tcp dpt:ssh 
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:www 
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
    DROP       0    --  anywhere             anywhere            
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    It hung here a while
    Code:
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    before printing out the rest.

    $ ping -c3 yahoo.com
    Code:
    PING yahoo.com (66.94.234.13) 56(84) bytes of data.
    64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=1 ttl=53 time=180 ms
    64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=2 ttl=52 time=179 ms
    64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=3 ttl=53 time=180 ms
    
    --- yahoo.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2009ms
    rtt min/avg/max/mdev = 179.378/180.043/180.387/0.470 ms
    It worked.


    I'd recommend really knowing what you're doing before opening this up to the web, or else you're just another target waiting to get "pwned".
    Noted. This is a test machine not running 24 hours.


    Others noted with thanks


    B.R.
    satimis
