- 01-19-2008 #1 (Just Joined! Join Date: Feb 2007, Posts: 23)
iptables issues... please help
Hi all,
I have an existing server that is used as a web server only. Can anyone help check whether it is correct?
The following is my iptables setting:
EPT [17421:3794081]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18142:2796768]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3306 -s xxx.xxx.xxx.xxx -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 3306 -s xxx.xxx.xxx.xxx -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
(xxx.xxx.xxx.xxx = an IP address)
Should I insert this at the end, since this is only used as a web server?
-A INPUT -j DROP
From what I know of the settings, it should not block any connection, right? But why can't I connect through port 3306 if I know port 3306 is allowed?
After I tried specifying an IP to connect through 3306, I can now connect from any source. Why?
I am a newbie to Linux and the settings were set by the previous vendor.
Any suggestion to improve it?
Thanks in advance.
- 01-25-2008 #2
Heh, ok, let me help you. English isn't your native language, is it? But hey, neither is mine, so...
Anyhow, I am not here to troll or make you feel bad, so let's get down to your config.
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
These are fine. They show that your lo and eth0 are allowed to get connections.
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
This shows that you can ping with one specific type (ICMP 255).
It is also fine.
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
No idea what this is.
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
This makes sure that if a connection is already ESTABLISHED it doesn't get cut off.
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
This accepts connections on port 80 (web server).
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
This accepts connections on port 443 (HTTPS web server).
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
This accepts connections on port 21 (FTP server).
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
This accepts connections on port 22 (SSH server).
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
This accepts TCP and UDP for DNS. I'd just leave this on if I were you.
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3306 -s xxx.xxx.xxx.xxx -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 3306 -s xxx.xxx.xxx.xxx -m state --state NEW -j ACCEPT
This accepts connections (TCP and UDP) on port 3306 from IP address xxx.xxx.xxx.xxx. If you want to remove that "only one IP" restriction, change it to:
Code:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 3306 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
This makes sure people can't ping you.
But it's set to REJECT, which is kind of stupid.
Change that to DROP,
since pinging is often used in port scanning,
and if he gets rejected he knows the box is on.
If he doesn't get a reply, yeah, he kind of just knows the PC is up.
Use Nmap and hping to test your firewall settings.
- 01-27-2008 #3 (Just Joined! Join Date: Feb 2007, Posts: 23)
Thanks for your reply, and sorry for my language.
Why can I connect to the server through this port number although I am not coming from xxx.xxx.xxx.xxx? Isn't there some setting wrong?
Code:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3306 -s xxx.xxx.xxx.xxx -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 3306 -s xxx.xxx.xxx.xxx -m state --state NEW -j ACCEPT
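Added example (not code from this thread): a small first-match evaluator for the ruleset posted in #1, to answer the question asked in #1 and again in #3 about why port 3306 is reachable from every source. Two things visible in the dump as posted explain it, and the rule-by-rule walkthrough in #2 passes both over as "fine". First, only FORWARD jumps into RH-Firewall-1-INPUT; there is no `-A INPUT -j RH-Firewall-1-INPUT` line, so with an ACCEPT policy on INPUT the filter chain never runs for traffic addressed to the box itself. Second, even once that jump is in place, `-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT` sits above the port rules and accepts every packet arriving on eth0 (assuming eth0 is the Internet-facing interface), so the `-s xxx.xxx.xxx.xxx` check on 3306 is never consulted. The script parses the dump, walks the chains the way the kernel does (first matching rule decides), and reports which rule settles the verdict for a new TCP connection to 3306 from an arbitrary host: under the rules as posted, with the INPUT jump added, and with the eth0 rule removed as well. Assumptions: 203.0.113.10 stands in for the masked xxx.xxx.xxx.xxx and 198.51.100.7 for an arbitrary client (constructed documentation addresses); the `:INPUT ACCEPT` header is reconstructed from the fragment that survived; and dropping the UDP 3306 rule assumes 3306 is MySQL, which speaks TCP only.

```python
import ipaddress
import shlex

# Constructed stand-ins for the masked xxx.xxx.xxx.xxx and for an arbitrary
# Internet host (documentation ranges; both are assumptions).
DB_CLIENT = "203.0.113.10"
STRANGER = "198.51.100.7"

# The ruleset as posted. The ':INPUT ACCEPT' header is reconstructed (only its
# tail survived). Note that only FORWARD, not INPUT, jumps to RH-Firewall-1-INPUT.
POSTED = f"""
:INPUT ACCEPT [17421:3794081]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18142:2796768]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3306 -s {DB_CLIENT} -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 3306 -s {DB_CLIENT} -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Options this toy model understands; every option in the posted rules takes one value.
SIMPLE = {"-i": "iface", "-p": "proto", "-s": "src", "--dport": "dport", "--state": "state"}
CONVERT = {"src": ipaddress.ip_network, "dport": int, "state": lambda v: set(v.split(","))}


def parse(dump):
    """Return ({chain: policy}, {chain: [rule, ...]}) from an iptables-save dump."""
    policies, chains = {}, {}
    for line in dump.splitlines():
        if line.startswith(":"):                      # chain header: name policy [counters]
            name, policy, _ = line[1:].split()
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):                  # append a rule to a chain
            tokens = shlex.split(line)
            chains[tokens[1]].append(parse_rule(tokens[2:]))
    return policies, chains


def parse_rule(tokens):
    rule = {"match": {}, "target": None}
    for opt, val in zip(tokens[::2], tokens[1::2]):
        if opt == "-j":
            rule["target"] = val
        elif opt in SIMPLE:
            rule["match"][SIMPLE[opt]] = CONVERT.get(SIMPLE[opt], str)(val)
        elif opt not in ("-m", "--icmp-type", "--reject-with"):   # loaders / not modelled
            raise ValueError(f"unsupported option {opt}")
    return rule


def matches(rule, pkt):
    m = rule["match"]
    return (m.get("iface", pkt["iface"]) == pkt["iface"]
            and m.get("proto", pkt["proto"]) == pkt["proto"]
            and ("src" not in m or ipaddress.ip_address(pkt["src"]) in m["src"])
            and m.get("dport", pkt["dport"]) == pkt["dport"]
            and ("state" not in m or pkt["state"] in m["state"]))


def evaluate(policies, chains, chain, pkt, trace=None):
    """First match wins. Returns (verdict, [(chain, rule index, target), ...])."""
    trace = [] if trace is None else trace
    for idx, rule in enumerate(chains[chain]):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        trace.append((chain, idx, target))
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, trace
        verdict, trace = evaluate(policies, chains, target, pkt, trace)  # user chain
        if verdict is not None:
            return verdict, trace
    if policies[chain] != "-":                        # built-in chain: policy decides
        trace.append((chain, "policy", policies[chain]))
        return policies[chain], trace
    return None, trace                                # user chain exhausted: RETURN


def fix(dump, add_input_jump=True, remove_eth0_accept=True):
    """Corrected dump: send INPUT through the filter chain, drop the blanket
    eth0 accept, and drop UDP 3306 (assumes MySQL, which is TCP only)."""
    out = []
    for line in dump.splitlines():
        if remove_eth0_accept and line == "-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT":
            continue
        if line.startswith("-A RH-Firewall-1-INPUT -p udp -m udp --dport 3306"):
            continue
        if add_input_jump and line.startswith("-A FORWARD "):
            out.append("-A INPUT -j RH-Firewall-1-INPUT")
        out.append(line)
    return "\n".join(out)


def verdict_for(dump, src, dport, proto="tcp", iface="eth0", state="NEW"):
    # Fate of one packet arriving on the box, e.g. verdict_for(POSTED, STRANGER, 3306)
    pkt = {"iface": iface, "proto": proto, "src": src, "dport": dport, "state": state}
    return evaluate(*parse(dump), "INPUT", pkt)
```

`verdict_for(POSTED, STRANGER, 3306)` is accepted by the INPUT policy without any rule being consulted; `verdict_for(fix(POSTED, remove_eth0_accept=False), STRANGER, 3306)` is accepted by rule 1 of RH-Firewall-1-INPUT, the eth0 rule; only `verdict_for(fix(POSTED), STRANGER, 3306)` reaches the final REJECT, while the allowed client, port 80, and ESTABLISHED replies still get through. Changing that last REJECT to DROP, as #2 suggests, changes what the remote side sees, not which packets are let in. Before trusting any of this on the real box, confirm the live chain with `iptables -L INPUT -n --line-numbers` and, as #2 says, probe 3306 from a second host.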
- 01-27-2008 #4
- 01-28-2008 #5 (Just Joined! Join Date: Feb 2007, Posts: 23)