- 08-24-2007 #1 Linux Guru
- Join Date
- Sep 2004
- Posts
- 1,546
About iptables rules
Hi folks,
Ubuntu 7.04 lamp server amd64 - Host OS
VMware
Guest OS - not yet installed.
Iptables-1.3.6
$ cat /etc/network/interfaces
Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.10
netmask 255.255.255.0
gateway 192.168.0.1
The browser can connect to the Internet w/o problem.
After performing the following steps to set up iptables, the Internet connection is blocked.
Edited /etc/rc.local and entered the following rules in it
Code:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
#exit 0
#
# INPUT
#
# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 22
# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8222
# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8333
# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 902
# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d 192.168.0.10 --reject-with icmp-port-unreachable
#
# OUTPUT
#
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53
# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.10 --reject-with icmp-port-unreachable
# reject all other traffic from the management interface NIC
iptables -I OUTPUT 4 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
$ sudo /etc/init.d/rc.local start
Code:
* Running local boot scripts (/etc/rc.local) [ OK ]
$ sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source      destination
ACCEPT     0    --  anywhere    192.168.0.10   state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:ssh
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:8222
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:8333
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:902
REJECT     0    --  anywhere    192.168.0.10   reject-with icmp-port-unreachable
ACCEPT     0    --  anywhere    192.168.0.10   state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:ssh
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:8222
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:8333
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:902
REJECT     0    --  anywhere    192.168.0.10   reject-with icmp-port-unreachable
ACCEPT     0    --  anywhere    192.168.0.10   state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:ssh
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:8222
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:8333
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:902
REJECT     0    --  anywhere    192.168.0.10   reject-with icmp-port-unreachable
ACCEPT     0    --  anywhere    192.168.0.10   state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:ssh
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:8222
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:8333
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:902
REJECT     0    --  anywhere    192.168.0.10   reject-with icmp-port-unreachable
ACCEPT     0    --  anywhere    192.168.0.10   state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:ssh
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:8222
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:8333
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:902
REJECT     0    --  anywhere    192.168.0.1    reject-with icmp-port-unreachable
ACCEPT     0    --  anywhere    192.168.0.10   state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere    192.168.0.10   tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source      destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source        destination
ACCEPT     0    --  192.168.0.10  anywhere    state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.0.10  anywhere    udp dpt:domain
REJECT     0    --  127.0.0.10    anywhere    reject-with icmp-port-unreachable
REJECT     0    --  192.168.0.10  anywhere    reject-with icmp-port-unreachable
ACCEPT     0    --  192.168.0.10  anywhere    state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.0.10  anywhere    udp dpt:domain
REJECT     0    --  localhost     anywhere    reject-with icmp-port-unreachable
REJECT     0    --  192.168.0.10  anywhere    reject-with icmp-port-unreachable
ACCEPT     0    --  192.168.0.10  anywhere    state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.0.10  anywhere    udp dpt:domain
REJECT     0    --  localhost     anywhere    reject-with icmp-port-unreachable
REJECT     0    --  192.168.0.10  anywhere    reject-with icmp-port-unreachable
ACCEPT     0    --  192.168.0.10  anywhere    state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.0.10  anywhere    udp dpt:domain
REJECT     0    --  localhost     anywhere    reject-with icmp-port-unreachable
REJECT     0    --  192.168.0.10  anywhere    reject-with icmp-port-unreachable
ACCEPT     0    --  192.168.0.10  anywhere    state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.0.10  anywhere    udp dpt:domain
REJECT     0    --  localhost     anywhere    reject-with icmp-port-unreachable
REJECT     0    --  192.168.0.10  anywhere    reject-with icmp-port-unreachable
$ ping -c3 yahoo.com
Failed.
Code:
PING yahoo.com (216.109.112.135) 56(84) bytes of data.
From 192.168.0.10 icmp_seq=1 Destination Port Unreachable
From 192.168.0.10 icmp_seq=1 Destination Port Unreachable
From 192.168.0.10 icmp_seq=1 Destination Port Unreachable

--- yahoo.com ping statistics ---
0 packets transmitted, 0 received, +3 errors
I have to run the following command to stop iptables.
$ sudo iptables -F
No complaint.
$ ping -c3 yahoo.com
The Internet connection then worked.
Code:
PING yahoo.com (216.109.112.135) 56(84) bytes of data.
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=1 ttl=55 time=242 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=2 ttl=54 time=247 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=3 ttl=54 time=246 ms

--- yahoo.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 242.397/245.283/247.256/2.086 ms
Please advise where it goes wrong. TIA
B.R.
satimis
- 08-24-2007 #2
No big mystery here. You're adding a rule to the OUTPUT chain that specifically blocks your IP address from getting out.
Originally Posted by satimis
Code:
iptables -I OUTPUT 4 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
The source matches your IP. Thus, you can not get out.
P.S. You might want to add a flush to that firewall script... You're stacking the same rules onto the same rules over and over.
- 08-24-2007 #3
Hi anomie,
I just followed following guide to proceed;
How to configure and secure Linux for VMware
He has 2 NICs. I have only one.
B.R.
satimis
- 08-24-2007 #4
What's your end game here? You want to run an application (LAMP) server?
Do your requirements involve being able to establish new outbound connections from that server (e.g. for software updates)?
I don't know what to recommend without knowing what you are trying to do.
- 08-25-2007 #5
Hi anomie,
My goal is to build a Virtual Machine with a lamp server, running on Ubuntu 7.04 amd64 as Host OS. This VM will be for testing. Incidentally I found those guides on the Internet, therefore I'm following them. VMware is now running on this PC. I haven't installed the Guest OS yet.
I have no idea whether those guides are applicable to my need.
Originally Posted by anomie
Do your requirements involve being able to establish new outbound connections from that server (e.g. for software updates)?
Yes, I need to update the software components on the lamp server. I won't run the server as a workstation. At the beginning of installation of this VM I need to search technical documents on the Internet, therefore I run X and limited components of X such as Fluxbox (desktop manager), a GUI browser (Firefox; I'm not used to running a text browser), a GUI text editor (leafpad), Rox filer, screenshot, etc. X won't start at boot.
What I'm most concerned about is that the NIC will be shared by another OS, the guest OS, to be installed later.
B.R.
satimis
- 08-25-2007 #6
The howto you found is fine (I actually know the author, FWIW), but you need to be able to adjust it to meet your own needs.
A few points:
- You're on a private (192.168.0.0/16) network. Does this mean you'll only be serving users on the same network?
- Your INPUT chain can be modified to only make visible the services you intend to provide -- my guess is only http (tcp 80) and https (tcp 443). You'll also need sshd (tcp 22) if you won't have console access.
- Your OUTPUT chain can probably be left wide open with a default policy of ACCEPT and no additional rules. At least for now, given the circumstances you've explained.
- 08-25-2007 #7
Hi anomie,
Originally Posted by anomie
The howto you found is fine (I actually know the author, FWIW), but you need to be able to adjust it to meet your own needs.
Tks for your info. It is good news to me, saving me time searching for another guide.
Originally Posted by anomie
A few points:
- You're on a private (192.168.0.0/16) network. Does this mean you'll only be serving users on the same network?
The network connection is as follows;
Server -> Router -> DSL Modem -> ISP
The Router and Modem are supplied by the ISP. The former has 4 ports. 192.168.0.1 has been locked by the ISP with a password. I need a login and password to access this address, which is now used as the Gateway address.
192.168.0.10 is reserved for the server. The other 3 ports are connected to workstations. I have a fixed IP allotted by the ISP and a domain name registered with Godaddy. The server after setup will serve the LAN as well as the Internet.
Originally Posted by anomie
- Your INPUT chain can be modified to only make visible the services you intend to provide -- my guess is only http (tcp 80) and https (tcp 443). You'll also need sshd (tcp 22) if you won't have console access.
How to modify the INPUT chain, making only the intended services visible?
Ports 20 and 80 are now open. I have ssh client and server installed. The server can be remote-accessed by workstations and vice versa.
Originally Posted by anomie
- Your OUTPUT chain can probably be left wide open with a default policy of ACCEPT and no additional rules. At least for now, given the circumstances you've explained.
???
Code:
iptables -A OUTPUT -p icmp --icmp-type 8 -s 192.168.0.10 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
TIA
B.R.
satimis
- 08-25-2007 #8
Back up your old script and try this.
Code:
#!/bin/bash

TRUSTEDNET=192.168.0.0/24

# Flush rules
iptables -F

# INPUT
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow new ssh connections from trusted net
iptables -A INPUT -m state --state NEW -s ${TRUSTEDNET} -p tcp --dport 22 -j ACCEPT
# Allow new http connections from anywhere
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# Allow new https connections from anywhere
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
# Drop all else by default
iptables -A INPUT -j DROP

# Set default policies
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
Notes:
- Change TRUSTEDNET to the IP (or subnet) that you want to have access to sshd.
- Add more restrictive OUTPUT chain rules as needed, once you've established what is legitimate outbound traffic in your situation.
- I'd suggest hardening sshd further rather than relying only on packet filtering rules.
- You're going to need to forward ports from your router/NAT device to the appropriate ports on your LAMP server.
- And the list goes on...
I'd recommend really knowing what you're doing before opening this up to the web, or else you're just another target waiting to get "pwned".
Please read and understand the manpages for iptables(8) so that you can set up rules based on your own needs.
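The two technical points in this thread, the first-match REJECT explained in #2 (plus the rule stacking in its P.S.) and the INPUT-only ruleset in #8, can be checked without a root shell. The block below is an added example of mine, not code from the thread or from the howto it cites: a small Python model of iptables filter-chain evaluation covering only the matches used above (-s/-d with an address or CIDR, -p, --dport, -m state --state, -i), with -I inserting at a 1-based position and -A appending, and first match wins. It replays the OUTPUT rules from post #1 against a constructed first outbound ping from 192.168.0.10, replays that script twice without a flush to reproduce the stacking, and then runs the INPUT rules from #8 against constructed ssh and http attempts from a LAN host (192.168.0.20) and from a public address (203.0.113.7, a documentation address I chose). Conntrack state is set on the constructed packets rather than computed; every address other than 192.168.0.10 and the yahoo.com address from the ping output is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet as conntrack presents it to the filter table (constructed)."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for icmp
    state: str = "NEW"           # NEW, ESTABLISHED or RELATED (assumed, not computed)
    in_iface: str = "eth0"


@dataclass(frozen=True)
class Rule:
    """Subset of iptables matches used in the thread; None means 'not given'."""
    target: str                          # ACCEPT, DROP or REJECT
    src: Optional[str] = None            # -s, address or CIDR
    dst: Optional[str] = None            # -d
    proto: Optional[str] = None          # -p
    dport: Optional[int] = None          # --dport
    states: Optional[frozenset] = None   # -m state --state A,B
    in_iface: Optional[str] = None       # -i

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.in_iface is not None and self.in_iface != p.in_iface:
            return False
        return True


class Chain:
    """A built-in chain: ordered rules plus a default policy; first match wins."""
    def __init__(self, policy: str):
        self.policy = policy
        self.rules: List[Rule] = []

    def insert(self, pos: int, rule: Rule) -> None:  # iptables -I CHAIN pos ...
        self.rules.insert(pos - 1, rule)

    def append(self, rule: Rule) -> None:            # iptables -A CHAIN ...
        self.rules.append(rule)

    def flush(self) -> None:                         # iptables -F
        self.rules.clear()

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """Return (verdict, 0-based index of the matching rule, or None = policy)."""
        for i, r in enumerate(self.rules):
            if r.matches(p):
                return r.target, i
        return self.policy, None


ME = "192.168.0.10"  # the host address from the thread
EST = frozenset({"RELATED", "ESTABLISHED"})


def load_original_output(chain: Chain) -> None:
    """OUTPUT rules from post #1, applied with -I and no flush, as rc.local did."""
    chain.insert(1, Rule("ACCEPT", src=ME, states=EST))
    chain.insert(2, Rule("ACCEPT", src=ME, proto="udp", dport=53))
    chain.insert(3, Rule("REJECT", src="127.0.0.10"))
    chain.insert(4, Rule("REJECT", src=ME))


def load_revised_input(chain: Chain, trusted_net: str = "192.168.0.0/24") -> None:
    """INPUT rules from post #8: flush, then append in order."""
    chain.flush()
    chain.append(Rule("ACCEPT", in_iface="lo"))
    chain.append(Rule("ACCEPT", states=EST))
    chain.append(Rule("ACCEPT", src=trusted_net, proto="tcp", dport=22, states=frozenset({"NEW"})))
    chain.append(Rule("ACCEPT", proto="tcp", dport=80, states=frozenset({"NEW"})))
    chain.append(Rule("ACCEPT", proto="tcp", dport=443, states=frozenset({"NEW"})))
    chain.append(Rule("DROP"))


# Constructed packets (addresses other than ME and the yahoo.com IP are assumed).
PING_OUT = Packet(ME, "216.109.112.135", "icmp", state="NEW")
SSH_FROM_LAN = Packet("192.168.0.20", ME, "tcp", dport=22)
SSH_FROM_WAN = Packet("203.0.113.7", ME, "tcp", dport=22)
HTTP_FROM_WAN = Packet("203.0.113.7", ME, "tcp", dport=80)
PING_REPLY = Packet("216.109.112.135", ME, "icmp", state="ESTABLISHED")


def original_ping_verdict() -> Tuple[str, Optional[int]]:
    """A first ping is NEW, not UDP/53, so it reaches the -s 192.168.0.10 REJECT."""
    out = Chain("ACCEPT")
    load_original_output(out)
    return out.evaluate(PING_OUT)


def rule_count_after_two_runs() -> int:
    """Running the post #1 script twice without a flush stacks a second copy on top."""
    out = Chain("ACCEPT")
    load_original_output(out)
    load_original_output(out)
    return len(out.rules)


def revised_verdicts() -> dict:
    inp = Chain("ACCEPT")
    load_revised_input(inp)
    out = Chain("ACCEPT")  # post #8 leaves OUTPUT with policy ACCEPT and no rules
    return {
        "ssh_lan": inp.evaluate(SSH_FROM_LAN),
        "ssh_wan": inp.evaluate(SSH_FROM_WAN),
        "http_wan": inp.evaluate(HTTP_FROM_WAN),
        "ping_reply": inp.evaluate(PING_REPLY),
        "ping_out": out.evaluate(PING_OUT),
    }


if __name__ == "__main__":
    print("post #1 OUTPUT, first outbound ping:", original_ping_verdict())
    print("post #1 OUTPUT rules after two runs:", rule_count_after_two_runs())
    for name, verdict in revised_verdicts().items():
        print("post #8", name, verdict)
```

The model reproduces the listing in #1: each re-run of the rc.local rules inserts a fresh copy at positions 1 to 4 and pushes the previous copies down, which is why a flush belongs at the top of any script that uses -I. On the real host, inspect the result with `iptables -nL --line-numbers` rather than plain `iptables -L`; the -n switch skips the reverse-DNS lookups that make an unnumbered listing pause, as seen in #9, and the line numbers map directly to the positions -I and -D take.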
- 08-26-2007 #9
Hi anomie,
Originally Posted by anomie
Back up your old script and try this.
(script quoted from #8 above)
$ sudo mv /etc/rc.local /etc/rc.local.old
$ sudo touch /etc/rc.local
Copied your sample into "rc.local".
$ sudo /etc/rc.local start
$ sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source          destination
ACCEPT     0    --  anywhere        anywhere
ACCEPT     0    --  anywhere        anywhere    state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24  anywhere    state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere        anywhere    state NEW tcp dpt:www
ACCEPT     tcp  --  anywhere        anywhere    state NEW tcp dpt:https
DROP       0    --  anywhere        anywhere

Chain FORWARD (policy DROP)
target     prot opt source          destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source          destination
It hung here a while, on this line, before printing out the rest.
Code:
ACCEPT     0    --  anywhere        anywhere    state RELATED,ESTABLISHED
$ ping -c3 yahoo.com
It worked.
Code:
PING yahoo.com (66.94.234.13) 56(84) bytes of data.
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=1 ttl=53 time=180 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=2 ttl=52 time=179 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=3 ttl=53 time=180 ms

--- yahoo.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2009ms
rtt min/avg/max/mdev = 179.378/180.043/180.387/0.470 ms
Originally Posted by anomie
I'd recommend really knowing what you're doing before opening this up to the web, or else you're just another target waiting to get "pwned".
Noted. This is a test machine, not running 24 hours.
Others noted with thanks
B.R.
satimis