Title: Message
Mark,
 
The default policy in your script is set very early on; iptables will match the first rule found and use that, so I always put the default policy last.
 
i.e.: in all my scripts I set the default policy _after_ all other rules for the chain,
e.g.:
#flush and delete
$IPT -F
$IPT -t nat -F
$IPT -X
$IPT -t nat -X
#setup chains
$IPT -N bad_tcp_packets
$IPT -N allowed
$IPT -N tcp_packets
$IPT -N udp_packets
$IPT -N icmp_packets
#bad packets chain
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPT NEW and not SYN:"
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#spoofing check
for IP in ${RES_NET[@]}; do
        $IPT -A bad_tcp_packets -i $EX_IF -s $IP -j LOG --log-prefix "IPT SPOOFED IP: "
        $IPT -A bad_tcp_packets -i $EX_IF -s $IP -j DROP
done
#good allowed
$IPT -A allowed -p tcp --syn -j ACCEPT
$IPT -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A allowed -p tcp -j DROP
#all other rules in here
...INPUT
...OUTPUT
...FORWARD
...udp_packets
...tcp_packets
...etc
#last set default policy
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

This works for me, no problems.
 
As for iptables-save and iptables-restore, these are to help with management of the various firewall scripts you may use,
 
i.e.: when your iptables script from init.d is called, it uses iptables-restore to restore your firewall.
 
What I do is, when I have a script I like and want to use, I simply do
 
# service iptables save
 
which is the same as
 
# iptables-save > /etc/sysconfig/iptables
 
but shorter to type
 
then if you need to make changes etc. and you don't like them and want to go back to your stable one, do
 
# service iptables restart
 
I then only use iptables-save and -restore for other scripts, i.e.:
 
# iptables-save > ~myhome/firewall-test1
 
and
 
# iptables-restore < ~myhome/firewall-test1
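To make the two points in this reply concrete (rules are tried in order and the first match decides; the chain policy is what a packet gets when no rule in a built-in chain matched; and iptables-save records chains, their policies and their rules in a text form you can keep and restore), here is an added example that is not code from this thread. It parses a constructed dump in iptables-save syntax, modelled on the rules in both messages, and walks sample packets through it offline. The packet fields, the SAMPLE_DUMP text and the helper names are all assumptions of the example; the dump keeps the scripts' own `--syn` spelling instead of the expanded `--tcp-flags` form that iptables-save actually writes.

```python
"""First-match walk over an iptables-save style dump (added example, not from the thread)."""
import ipaddress
import shlex
from dataclasses import dataclass, field

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed dump: DROP policies, the connection-tracking rules from the question,
# one SSH rule on eth0/192.168.32.3 and the reply's "allowed" user chain.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:allowed - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: "
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 -d 192.168.32.3/32 --dport 22 -j allowed
-A allowed -p tcp --syn -j ACCEPT
-A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A allowed -p tcp -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    chain: str
    target: str
    text: str
    matches: list = field(default_factory=list)  # (option, value, negated)


def parse_dump(dump):
    """Return ({chain: policy or None}, {chain: [Rule]}) for the filter-table subset used here."""
    policies, rules = {}, {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith(("*", "#", "COMMIT")):
            continue
        if line.startswith(":"):                      # ":NAME POLICY [pkts:bytes]"
            name, policy, _ = line[1:].split(None, 2)
            policies[name] = None if policy == "-" else policy   # "-" marks a user chain
            rules[name] = []
            continue
        toks = shlex.split(line)
        chain, target, matches, negate, i = toks[1], None, [], False, 2
        while i < len(toks):
            tok = toks[i]
            if tok == "!":                            # "! --syn": negate the next match
                negate, i = True, i + 1
            elif tok == "-j":
                target, i = toks[i + 1], i + 2
            elif tok in ("-m", "--log-prefix"):       # module load / log text: not a packet match
                i += 2
            elif tok == "--syn":                      # flag option without a value
                matches.append((tok, None, negate)); negate, i = False, i + 1
            else:
                matches.append((tok, toks[i + 1], negate)); negate, i = False, i + 2
        rules.setdefault(chain, []).append(Rule(chain, target, line, matches))
    return policies, rules


def _port_in(spec, port):
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule, pkt):
    for opt, val, neg in rule.matches:
        if opt == "-i":   hit = pkt["in"] == val
        elif opt == "-o": hit = pkt["out"] == val
        elif opt == "-p": hit = pkt["proto"] == val
        elif opt == "-s": hit = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(val, strict=False)
        elif opt == "-d": hit = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(val, strict=False)
        elif opt in ("--sport", "--source-port"): hit = _port_in(val, pkt["sport"])
        elif opt in ("--dport", "--destination-port"): hit = _port_in(val, pkt["dport"])
        elif opt == "--state": hit = pkt["state"] in val.split(",")
        elif opt == "--syn": hit = pkt["syn"]
        else: raise ValueError("unsupported option " + opt)
        if hit == neg:                                # no match (or a match on a negated option)
            return False
    return True


def walk(chain, pkt, policies, rules, trace):
    """First matching terminal rule wins; LOG keeps going; a user chain that ends returns None;
    a built-in chain that ends falls back to its policy."""
    for rule in rules.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        trace.append(rule.text)
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        if rule.target == "LOG":
            continue
        verdict = walk(rule.target, pkt, policies, rules, trace)   # jump to a user chain
        if verdict is not None:
            return verdict
    return policies.get(chain)


def verdict_for(dump, chain, pkt):
    """Return (verdict, list of rule lines the packet hit) for one packet in one chain."""
    policies, rules = parse_dump(dump)
    trace = []
    return walk(chain, pkt, policies, rules, trace), trace


def tcp(src, sport, dst, dport, iface, syn=True, state="NEW"):
    """Constructed packet record for the walker."""
    return {"in": iface, "out": None, "proto": "tcp", "src": src, "dst": dst,
            "sport": sport, "dport": dport, "syn": syn, "state": state}


if __name__ == "__main__":
    for label, pkt in [
        ("LAN client SYN to ssh on eth0", tcp("192.168.32.10", 50000, "192.168.32.3", 22, "eth0")),
        ("same client, privileged source port", tcp("192.168.32.10", 500, "192.168.32.3", 22, "eth0")),
        ("same client, arriving on eth1", tcp("192.168.32.10", 50000, "192.168.32.4", 22, "eth1")),
        ("NEW but not SYN", tcp("192.168.32.10", 50000, "192.168.32.3", 22, "eth0", syn=False)),
    ]:
        verdict, trace = verdict_for(SAMPLE_DUMP, "INPUT", pkt)
        print(f"{label}: {verdict} via {trace or ['(no rule matched: chain policy)']}")
```

The last three packets all end in DROP, but for different reasons that the trace makes visible: the privileged-port and eth1 packets match nothing in INPUT and get the chain policy, while the non-SYN NEW packet is jumped into `allowed` and dropped by that chain's final rule. Because the dump is the same text `iptables-save > file` produces, the same walker can be pointed at a saved ruleset to check what a given packet would get before `iptables-restore < file` puts it live.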
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Feijo
Sent: Monday, April 01, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: Script problems

I'm able to run a simple test script ok, but it doesn't seem to apply any of my rules after the initial default policy is set. Meaning, even if I have my policy set to DROP but allow a connection to SSH after that, it won't let me connect to SSH.  I’ve also tried allowing PING and other services, but it still blocks everything.  Connection Tracking is working fine as far as I can tell.

 

For a little background, I run the script as rc.firewall, with Red Hat 7.2.  All I’m trying to do at the moment is experiment with denying and allowing access to ports on the Linux box from a local LAN.  (ex: I want my SSH client on my Windows system to be able to connect to the SSH server on the firewall.  If I set an ACCEPT all policy, I am able to.  With the DROP all, and SSH ports ACCEPTED, I am unable to.)

Here's my test script.


#!/bin/bash

CONNECTION_TRACKING="1"
ACCEPT_AUTH="0"
SSH_SERVER="1"
FTP_SERVER="0"
WEB_SERVER="0"
SSL_SERVER="0"
DHCP_CLIENT="1"

INNIC="eth0" #Inbound NIC
OUTNIC="eth1" #Outbound NIC
INIP="192.168.32.3" #Inbound IP
OUTIP="192.168.32.4" #Outbound IP
SUB="192.168.32.0/24" #Not important at the moment
BROD_LAN="192.168.32.255" # Not important at the moment
LOOP="127.0.0.0/8" #Loopback

PRIVPORTS="0:1023" # Privileged ports
UNPRIVPORTS="1024:65535" # unprivileged port range

SSH_PORTS="1024:65535"

NFS_PORT="2049"
LOCKD_PORT="4045"
SOCKS_PORT="1080"
OPENWINDOWS_PORT="2000"
XWINDOW_PORTS="6000:6063"
SQUID_PORT="3128"

##########################################
# Remove any existing rules from all chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set the default policy to drop
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

# Remove any pre-existing user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

###############################################################

# Using Connection State to By-pass Rule Checking

if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    iptables -A INPUT -m state --state INVALID -j LOG \
             --log-prefix "INVALID input: "
    iptables -A INPUT -m state --state INVALID -j DROP

    iptables -A OUTPUT -m state --state INVALID -j LOG \
             --log-prefix "INVALID output: "
    iptables -A OUTPUT -m state --state INVALID -j DROP
fi

###############################################################
# ssh (TCP Port 22)

# Outgoing Local Client Requests to Remote Servers (I’ve tried replacing $SSH_PORTS with just 22 prior to this)

if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o $INNIC -p tcp \
-s $INIP --sport $SSH_PORTS \
--dport 22 -m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o $INNIC -p tcp \
-s $INIP --sport $SSH_PORTS \
--dport 22 -j ACCEPT

iptables -A INPUT -i $INNIC -p tcp ! --syn \
--source-port $SSH_PORTS \
-d $INIP --dport 22 -j ACCEPT

#...............................................................
# Incoming Remote Client Requests to Local Servers

if [ "$SSH_SERVER" = "1" ]; then
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A INPUT -i $INNIC -p tcp \
--sport $SSH_PORTS \
-d $INIP --dport 22 \
-m state --state NEW -j ACCEPT
fi

iptables -A INPUT -i $INNIC -p tcp \
--sport $SSH_PORTS \
-d $INIP --dport 22 -j ACCEPT

iptables -A OUTPUT -o $INNIC -p tcp ! --syn \
-s $INIP --sport $SSH_PORTS \
--dport 22 -j ACCEPT
fi

##########################################

exit 0


I read some things about a config file in the /etc/sysconfig directory that IPTABLES is supposed to use. And commands like IPTABLES-SAVE and IPTABLES-RESTORE. There are so many different explanations on this, and it's very confusing.  Running the rc.firewall script does the same thing as the IPTABLES default file as far as I can tell.  When I put IPTABLES-SAVE > /etc/sysconfig/iptables at the end of the rc.firewall, it didn’t help or hinder the situation.

 

Please advise.

 

Thanks,

 

Mark