Re: was: fail2ban for apache2, now iptables help

[Gene Heskett]

On Monday 02 December 2019 04:35:26 Andrei POPESCU wrote:

> On Du, 01 dec 19, 22:28:43, Gene Heskett wrote:
> > It, iptables,  did not get restarted on the fresh boot, so obviously
> > the systemd manager hasn't been informed to start iptables,
> > reloading from /etc/iptables/saved-rules.
>
> To my knowledge Debian doesn't include anything like this by default.
>
> > So 1. how do I query systemd to determine if it should have started
> > iptables, and if not, 2. what is the command to set it so it does
> > start iptables at bootup?
>
> You might want to install iptables-persistent, otherwise you'll have
> to roll-out your own solution.
>
> With systemd the generic solution would look like:
>
> 1. Write a script that does what you want
> 2. Write a corresponding .service unit describing how / when it's run
> 3. Tell systemd to use your .service unit.
>
> In the particular case of iptables instead of writing a script you
> should probably just reuse your existing rules file and load that with
> an 'iptables-restore' from the .service unit.
>
> We are quite far from the original topic so I would suggest you start
> a new thread in case you need assistance with this.
>
I did find the syntax for iptables-restore and have that working as I'd 
been doing a new iptables-save everytime I added a new rule. So I've got 
most of them muzzled again.

But you're right, the thread has drifted as I looked for a solution for 
the DDOS I was suffering from.

> Kind regards,
> Andrei


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 

iptables help requested

[Gururajan Ramachandran]

Hello,

I think iptables may be blocking SMTP. I cannot figure
out how. Could you tell me if I am correct and how I
can fix it?

Two NICs: eth0 is the LAN and eth1 is the WAN

Here are my iptables-save and iptables -L -n outputs:


# Generated by iptables-save v1.2.9 on Sun Sep  5
12:43:05 2004
*nat
:PREROUTING ACCEPT [17469:1368391]
:POSTROUTING ACCEPT [616:37414]
:OUTPUT ACCEPT [219:13008]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3389 -j
DNAT --to-destination local_destination 
COMMIT
# Completed on Sun Sep  5 12:43:05 2004
# Generated by iptables-save v1.2.9 on Sun Sep  5
12:43:05 2004
*filter
:INPUT DROP [31:1836]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [23239:5177809]
-A INPUT -s 127.0.0.1 -i eth1 -j DROP 
-A INPUT -d 127.0.0.1 -i eth1 -j DROP 
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth1 -j DROP 
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth1 -j DROP 
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth1 -j DROP 
-A INPUT -s 127.0.0.1 -j ACCEPT 
-A INPUT -d 127.0.0.1 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
-A INPUT -i eth0 -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j
ACCEPT 
-A FORWARD -s 127.0.0.1 -i eth1 -j DROP 
-A FORWARD -d 127.0.0.1 -i eth1 -j DROP 
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth1 -j DROP 
-A FORWARD -s 172.16.0.0/255.240.0.0 -i eth1 -j DROP 
-A FORWARD -s 10.0.0.0/255.0.0.0 -i eth1 -j DROP 
-A FORWARD -o eth1 -p tcp -m tcp --sport 137:139 -j
DROP 
-A FORWARD -o eth1 -p udp -m udp --sport 137:139 -j
DROP 
-A FORWARD -s ! local_network -i eth0 -j DROP 
-A FORWARD -i eth0 -j ACCEPT 
-A FORWARD -o eth1 -m state --state NEW -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j
ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j
ACCEPT 
-A FORWARD -s allowed_ip_range -i eth1 -p tcp -m tcp
--dport 3389 -j ACCEPT 
-A FORWARD -p tcp -m tcp --dport 3389 -j LOG
--log-prefix RDT:  --log-level 6 
-A OUTPUT -o eth1 -p tcp -m tcp --sport 137:139 -j
DROP 
-A OUTPUT -o eth1 -p udp -m udp --sport 137:139 -j
DROP 
-A OUTPUT -o eth1 -m state --state NEW -j ACCEPT 
COMMIT
# Completed on Sun Sep  5 12:43:05 2004
Chain INPUT (policy DROP)
target prot opt source   destination  
  
DROP   all  --  127.0.0.10.0.0.0/0
  
DROP   all  --  0.0.0.0/0127.0.0.1
  
DROP   all  --  192.168.0.0/16   0.0.0.0/0
  
DROP   all  --  172.16.0.0/120.0.0.0/0
  
DROP   all  --  10.0.0.0/8   0.0.0.0/0
  
ACCEPT all  --  127.0.0.10.0.0.0/0
  
ACCEPT all  --  0.0.0.0/0127.0.0.1
  
ACCEPT icmp --  0.0.0.0/00.0.0.0/0
  icmp type 8 
ACCEPT tcp  --  0.0.0.0/00.0.0.0/0
  tcp dpt:22 
ACCEPT tcp  --  0.0.0.0/00.0.0.0/0
  tcp dpt:25 
ACCEPT tcp  --  0.0.0.0/00.0.0.0/0
  tcp dpt:80 
ACCEPT tcp  --  0.0.0.0/00.0.0.0/0
  tcp dpt:443 
ACCEPT all  --  0.0.0.0/00.0.0.0/0
  
ACCEPT all  --  0.0.0.0/00.0.0.0/0
  state RELATED,ESTABLISHED 

Chain FORWARD (policy DROP)
target prot opt source   destination  
  
DROP   all  --  127.0.0.10.0.0.0/0
  
DROP   all  --  0.0.0.0/0127.0.0.1
  
DROP   all  --  192.168.0.0/16   0.0.0.0/0
  
DROP   all  --  172.16.0.0/120.0.0.0/0
  
DROP   all  --  10.0.0.0/8   0.0.0.0/0
  
DROP   tcp  --  0.0.0.0/00.0.0.0/0
  tcp spts:137:139 
DROP   udp  --  0.0.0.0/00.0.0.0/0
  udp spts:137:139 
DROP   all  -- !192.168.100.0/24 0.0.0.0/0
  
ACCEPT all  --  0.0.0.0/00.0.0.0/0
  
ACCEPT all  --  0.0.0.0/00.0.0.0/0
  state NEW 
ACCEPT all  --  0.0.0.0/00.0.0.0/0
  state RELATED,ESTABLISHED 
ACCEPT all  --  0.0.0.0/00.0.0.0/0
  state RELATED,ESTABLISHED 
ACCEPT tcp  --  allowed_ip_range   0.0.0.0/0
  tcp dpt:3389 
LOGtcp  --  0.0.0.0/00.0.0.0/0
  tcp dpt:3389 LOG flags 0 level 6 prefix `RDT: ' 

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination  
  
DROP   tcp  --  0.0.0.0/00.0.0.0/0
  tcp spts:137:139 
DROP   udp  --  0.0.0.0/00.0.0.0/0
  udp spts:137:139 
ACCEPT all  --  0.0.0.0/00.0.0.0/0
  state NEW 


__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact 

Re: iptables help requested

[Craig Jackson]

On Sun, 5 Sep 2004 12:21:50 -0700 (PDT)
Gururajan Ramachandran [EMAIL PROTECTED] wrote:

 Hello,
 
 I think iptables may be blocking SMTP. I cannot figure
 out how. Could you tell me if I am correct and how I
 can fix it?
 
 Two NICs: eth0 is the LAN and eth1 is the WAN

When asking for help on iptables it is helpful to state exactly what you
are trying to do. It looks like you are running a mail server on
boundary box and trying to accept mail on 22 vis the INPUT line. If this
is true, why are you accepting only established/related on the INPUT
but on the FORWARD accepting NEW also.

My guess is that you are running a mail server on the inside LAN and
this boundary box is forwarding packets to the mail server. Before
I proceed, please elaborate.

Craig Jackson


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

RE: Iptables help ..

[David Bokan]

Title: RE: Iptables help ..





From: David Bokan
Sent: Tuesday, August 31, 2004 1:56 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Iptables help ..

I think that you'd have to use the FORWARD chain instead of INPUT
/sbin/iptables -A FORWARD -p tcp -I eth0 -s 0/0 -d ! 10.0.0.0/8 --dport 25 -j REJECT

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, August 31, 2004 1:22 PM
 To: [EMAIL PROTECTED]
 Subject: Iptables help ..
 
 Hi,
 
 I am using the following iptables rules for the NAT, but i also want to
 block outgoing port 25 traffic from the LAN clients. INAT works fine but
 the outgoing port 25 is still open
 
 /sbin/iptables -F -t nat
 /sbin/iptables -A INPUT -p tcp -i eth0 -s 0/0 -d ! 10.0.0.0/8
 --dport 25
 -j REJECT
 /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
 
 But the outgoing port 25 is still open, can some tell me whats wrong in
 these rules.
 
 Regards
 Azher
 
 
 
 --
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact
 [EMAIL PROTECTED]

Iptables help ..

[debi]

Hi,

I am using the following iptables rules for the NAT, but i also want to 
block outgoing port 25 traffic from the LAN clients. INAT works fine but 
the outgoing port 25 is still open

/sbin/iptables -F -t nat
/sbin/iptables -A INPUT -p tcp -i eth0 -s 0/0 -d ! 10.0.0.0/8 
--dport 25  
-j REJECT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

But the outgoing port 25 is still open, can some tell me whats wrong in 
these rules.

Regards
Azher



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Iptables help ..

[Eric Gaumer]

On Tue, 2004-08-31 at 10:21, [EMAIL PROTECTED] wrote:
 Hi,
 
 I am using the following iptables rules for the NAT, but i also want to 
 block outgoing port 25 traffic from the LAN clients. INAT works fine but 
 the outgoing port 25 is still open
 
 /sbin/iptables -F -t nat
 /sbin/iptables -A INPUT -p tcp -i eth0 -s 0/0 -d ! 10.0.0.0/8 
 --dport 25  
 -j REJECT
 /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
 
 But the outgoing port 25 is still open, can some tell me whats wrong in 
 these rules.
 

Filtering for NAT is done on the FORWARD chain. The only reason you
appear to be blocking incoming traffic on 25 is that the port isn't
being forwarded through in the first place. 

You don't need to explicitly block incoming traffic to the LAN because
it only allows traffic for ports specifically setup to forward through
into the LAN.



signature.asc
Description: This is a digitally signed message part

iptables... HELP...

[Damien Babilon]

Bonjour  tous,

Je me suis install un petit serveur avec Gibraltar dessus pour servir
de Firewall et de routeur. J'essaye de configurer iptables, j'ai presque
tout trouv, mais mon serveur web n'est pas joignable semble-t'il...

http://212.88.247.32:3000

Donc le routeur a 2 NIC (eth1  eth2) eth1 est ct WAN et eth2 est ct
LAN.
L'ip de eth2 est 192.168.0.254
Je dois rediriger les visiteurs web (port 3000) vers l'ip
192.168.1.151:3000 et j'y arrive pas :(

Je vous joins mon script... 
Aprs je devrais aussi activer le ftp sur le port 1450, alors si vous
avez des ides pour a aussi ;)

Merci,

Damien

#! /bin/bash
##
## Vide le contenu actuel
##

for TABLE in filter nat mangle; do
iptables -t $TABLE -F
iptables -t $TABLE -X
done

##
## Initialise quelques variales
###

OUT=eth1# Carte reseau cote WAN
IN=eth2 # Carte reseau cote LAN
WEB1=192.168.1.151  # Adresse IP Serveur Web 1 (Rafi)
MYSQL=192.168.1.150 # Adresse IP Serveur MySQL (Phil)

##
## Charge les modules du kernel ncssaires
###

modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe iptable_filter
modprobe iptable_nat

##
## Accepte toutes les sorties
#

iptables -t filter -A OUTPUT -j ACCEPT

##
## Accepte tout sur le loopback
###

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

##
## Masquerading pour le LAN
###


echo 1  /proc/sys/net/ipv4/ip_forward
echo 1  /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t nat -A POSTROUTING -o $OUT -j MASQUERADE

##
## Autorise les requetes DNS


for DNS in $(grep ^n /etc/resolv.conf|awk '{print $2}'); do
iptables -t filter -A INPUT -p udp -s $DNS --source-port domain
-j ACCEPT
done

##
## Accepte les entres WAN:3000 et redirige vers rafi:3000
##

iptables -t nat -A PREROUTING -i $OUT -p tcp --dport 3000 -j DNAT
--to-destination $WEB1:3000
iptables -A FORWARD -i $OUT -o $IN -p tcp --destination-port 3000 -m
state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o $OUT -i $IN -p tcp --source-port 3000 -m state
--state ESTABLISHED -j ACCEPT

##
## Bloque toute les entres sur ETH1 et log les attempts


iptables -N logdeny
iptables -t filter -A logdeny -j LOG --log-prefix dropped from
gateway: 
iptables -t filter -A logdeny  -j DROP
iptables -t filter -A INPUT -i $OUT -m state --state NEW,INVALID -j
logdeny

##
## Accepte les ping
###

iptables -t filter -A INPUT -p tcp --source-port 8 -j ACCEPT

echo [## T E R M I N E##]
# end script




-- 

Damien Babilon - Websol
Rue St Mdard, 2
B-1370 Jodoigne
http://www.websol.be
[EMAIL PROTECTED]
Tel: +32 (0)10/860.803
Mobile: +32 (0)486/631.971

Iptables Help

[GBV]

I have an webserver on port 3321
how I can use iptables to deny(drop) all packages 
coming from internet??

my inet interface is eth0

something like

Deny any request coming from eth0, destinated to 
this host on port 3321

thks..

Re: Iptables Help

[jereme]

GBV [EMAIL PROTECTED] writes:

 I have an webserver on port 3321
 
 how I can use iptables to deny(drop) all packages coming from internet??

[...]

 Deny any request coming from eth0, destinated to this host on port
 3321

I had a bit of trouble interpretting what you really wanted answered.
You should be a bit more specific about the machine's configuration
and what you are looking to achive.

None the less, I am going to *assume* that you do not want a default
deny type setup, (though you probably should).  Going on that
assumption, to have your host drop all packets destined for a 3321/tcp
listener on interface eth0.

iptables -A INPUT -i eth0 -p tcp --dport 3321 -j DROP

...is one of many ways to do it and it assume that the input chains
policy is ACCEPT.

Let me reidirate, this is a _very_bad_ way to conscruct a firewall.  A
better arpproach would be to tell us what services you do want to
provide, and to whom, the number of interfaces and their connections,
etc.

Then you set the default policy on all chains to DENY and open only
those services you intend to provide and can secure.  This is then a
good place to start from, their are many other layers of security to
consider, tcpwrappers, ALG's, etc.

Perhaps this is a multihomed host and it has a web server on 3321/tcp
and you only want it listening on the internal interface?  Most
daemons can be configured to bind to a specific addr as versus all
available, though this in no way preclude the need to harden an
Internet accessible system.  You should consider all these angles.



hope that, (at least mildly) helps,
jereme

-- 
+--+
Jereme Corrado [EMAIL PROTECTED]
System Administrator
Restorative Management Corp.

gpg: 1024D/9C39E1F0


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Iptables Help

[Vineet Kumar]

* GBV ([EMAIL PROTECTED]) [030213 10:08]:
 I have an webserver on port 3321
 how I can use iptables to deny(drop) all packages coming from internet??

iptables -P INPUT DROP

will drop all incoming packets period.

 
 my inet interface is eth0

iptables -A INPUT -j DROP -i eth0

will drop all packets inbound from eth0.

 
 something like
 
 Deny any request coming from eth0, destinated to this host on port 3321

iptables -A INPUT -j DROP -i eth0 -d $EXT_IP -p tcp --destination-port 3321

Given examples like this, it seems like it would be easy to write a
natural-language-to-iptables parser ;-)

Seriously, though, I highly recommend _reading_ and _understanding_ the
netfilter documentation:

http://netfilter.samba.org/

Having a poorly-configured firewall is arguably worse than no firewall
at all, for the false sense of security you get with the former.  It is
a worthwhile exercise to sit down and determine your needs in terms of
security and access.  Then, if you understand how to use your tools, it
should be easy to implement a plan that will meet your needs.

good times,
Vineet


good times,
Vineet
-- 
http://www.doorstop.net/
-- 
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.  --Benjamin Franklin



msg30583/pgp0.pgp
Description: PGP signature

Re: Iptables Help

[Pigeon]

On Thu, Feb 13, 2003 at 02:17:59PM -0500, jereme wrote:
 Let me reidirate, this is a _very_bad_ way to conscruct a firewall.  A
 better arpproach would be to tell us what services you do want to
 provide, and to whom, the number of interfaces and their connections,
 etc.
 
 Then you set the default policy on all chains to DENY and open only
 those services you intend to provide and can secure.  This is then a
 good place to start from, their are many other layers of security to
 consider, tcpwrappers, ALG's, etc.

The problem with firewall construction is that it requires Joe
Pigeon-brained User to acquire arcane expertise in 'the reverse of
cracking'.

How do you figure out what to allow and what to deny to, say, have a
web browser, email and apt-get working, everything those tasks don't
need being blocked? How do you figure out what else you can block if
you don't mind your browser not being able to play sounds off
websites? You have to dig pretty deeply into how networking and the
applications concerned operate. The fact that such digging is possible
in Linux is great; the fact that it is necessary, not so great.

It would be very useful to have some script that would ask you what
services you intended to run, and generated scripts for iptables etc.
that ensured that only the minimum necessary services were available.
I'm figuring that such a thing is not available, because this is one
of those questions that brings responses of hack this, tweak that as
opposed to apt-get piece_of_debian_magic. 

Pigeon


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Iptables Help

[Colin Watson]

On Thu, Feb 13, 2003 at 11:34:39PM +, Pigeon wrote:
 It would be very useful to have some script that would ask you what
 services you intended to run, and generated scripts for iptables etc.
 that ensured that only the minimum necessary services were available.

Don't we have this kind of thing already? I know there are several
firewall builder scripts in Debian.

-- 
Colin Watson  [[EMAIL PROTECTED]]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Iptables Help

[Nathan E Norman]

On Fri, Feb 14, 2003 at 03:38:39AM +, Colin Watson wrote:
 On Thu, Feb 13, 2003 at 11:34:39PM +, Pigeon wrote:
  It would be very useful to have some script that would ask you what
  services you intended to run, and generated scripts for iptables etc.
  that ensured that only the minimum necessary services were available.
 
 Don't we have this kind of thing already? I know there are several
 firewall builder scripts in Debian.

Last time I looked ipmasq did a good job setting up a NAT + filter
proxy (and it works with iptables and ipchains).  However, I had to
ditch it about a year ago when I added a VPN interface for work (I
rolled my own script).

-- 
Nathan Norman - Incanus Networking mailto:[EMAIL PROTECTED]
  Liberty may be endangered by the abuses of liberty as well as by
  the abuses of power.
  -- James Madison


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

woody ftp iptables! help!

[Roberto]

Galera! instalei o woody aki no trampo compartilhei a net pra todo mundo com
o
iptables porem nao estou conseguindo acessar ftps!
o que preciso fazer pra liberar acesso a ftp

abracos!
_
Roberto S. Martins - Desenvolvedor
[EMAIL PROTECTED]
Programar e um arte da qual muitos adimitam mais poucos fazem.

RE: woody ftp iptables! help!

[Felipe Szczesny Rout]

Oppsss, onde esta -dport trocar por --dport 21

-Original Message-
From: Felipe Szczesny Rout [mailto:[EMAIL PROTECTED] 
Sent: sexta-feira, 16 de agosto de 2002 15:12
To: 'Roberto'; debian-user-portuguese@lists.debian.org
Subject: RE: woody ftp iptables! help! 


Supondo que ta tudo certo no kernel (conntrack, módulo para ftp, etc...)

+ ou - assim

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables
-A FORWARD -p tcp -s x.x.x.x --sport 1024: -dport -j ACCEPT



-Original Message-
From: Roberto [mailto:[EMAIL PROTECTED] 
Sent: sexta-feira, 16 de agosto de 2002 12:28
To: debian
Subject: woody ftp iptables! help! 


Galera! instalei o woody aki no trampo compartilhei a net pra todo mundo com
o iptables porem nao estou conseguindo acessar ftps! o que preciso fazer pra
liberar acesso a ftp

abracos!
_
Roberto S. Martins - Desenvolvedor
[EMAIL PROTECTED]
Programar e um arte da qual muitos adimitam mais poucos fazem.



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact
[EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact
[EMAIL PROTECTED]

[[IPTABLES HELP (fwd)]] (fwd)

[dude]

-- Forwarded message --
Date: Sat, 14 Jul 2001 17:30:26 -0400
From: Wayne Topa [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [[IPTABLES HELP (fwd)]]



OK, 1 more time.  If you don't get this, go to the archives.




- Forwarded message from Wayne Topa [EMAIL PROTECTED] -

From: Wayne Topa [EMAIL PROTECTED]
Date: Sat, 14 Jul 2001 10:53:10 -0400
To: dude [EMAIL PROTECTED]
Subject: [EMAIL PROTECTED]: Re: IPTABLES HELP (fwd)]
Reply-To: [EMAIL PROTECTED]




dude..  You got a very good response sent to the list!

Yes your test messages are also getting there as well.


- Forwarded message from Vineet Kumar [EMAIL PROTECTED] -

From: Vineet Kumar [EMAIL PROTECTED]
Date: Fri, 13 Jul 2001 15:25:26 -0700
To: debian-firewall@lists.debian.org
Subject: Re: IPTABLES HELP (fwd)

A few general comments on your setup:

You don't have any policy statements. The built-in chains default to
policy ACCEPT, which is probably not what you want. True, the last
statement of your block chain is effectively the same as setting
policy to DROP for INPUT and FORWARD, but I always like to see it
specified right at the top of your firewall setup.

Second, I also like to see rules crafted as explicitly as possible:
include incoming and outgoing interfaces wherever applicable.

It seems to me you have a slightly befuddled view of this setup: you -j
ACCEPT some things and -j DROP other things based on what you think
you need. I have found that an easy way to get a relatively secure
setup is to start with policy drop on all chains and then simply add
rules for only what you want to allow. My first impression of your
ruleset is that it should work and should do what you want it to do.
You won't have any incoming connections made from the outside world
(ssh included).

I know the old saying about giving a man a fish and teaching a man to
fish, so let me try to talk you though the way I'd approach this
setup.


#!/bin/sh
# I find it easier to avoid catastrophic typographical errors and
# allow for easy maintenance by using some definitions at the top;
# something like this:

IPTABLES=/sbin/iptables
INTERNAL_IFACE=eth1
EXTERNAL_IFACE=eth0
INTERNAL_IP=192.168.1.1
INTERNAL_NETWORK=192.168.1.1/27
# no EXTERNAL_IP definition because you're presumedly using a dynamic
# address (hence MASQUERADE, right?)

# These definitions also make the script portable; you can use it on
# your machine just by changing the definitions above and not mess
# with the rules below.

# Start with policy.

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# clean up

$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z

# Remember that separate tables need separate statements entirely!
# You're implicitly saying -t filter above, and it doesn't affect
# (clean up) the nat table.
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -Z

# Enable nat
$IPTABLES -t nat -s $INTERNAL_NETWORK -d ! $INTERNAL_NETWORK \
 -o $EXTERNAL_IFACE -j MASQUERADE

# Filtering section
# INPUT chain
# We want to allow ONLY:
#  1. local (loopback) traffic
#  2. traffic from our LAN hosts
#  3. traffic from the Internet that is part of an existing connection
# (no new connections)

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -s $INTERNAL_NETWORK -i $INTERNAL_IFACE  -j ACCEPT
$IPTABLES -m state -A INPUT -s ! $INTERNAL_NETWORK \
 -i $EXTERNAL_IFACE --state ESTABLISHED,RELATED -j ACCEPT

# FORWARD chain
# We want to forward only for hosts on our LAN. This means 2 rules:
# 1. outgoing traffic
# 2. reply traffic

$IPTABLES -A FORWARD -s $INTERNAL_NETWORK -d ! $INTERNAL_NETWORK \
 -i $INTERNAL_IFACE -o $EXTERNAL_IFACE -j ACCEPT
$IPTABLES -m state -A FORWARD \
 -s ! $INTERNAL_NETWORK -d $INTERNAL_NETWORK \
 -i $EXTERNAL_IFACE -o $INTERNAL_IFACE \
 --state ESTABLISHED,RELATED -j ACCEPT

That's it! I'm not sure I explained it too well, and my intention was
not just to do it for you, so please, if you have any questions about
the setup itself *or* about how I came up with it, please don't
hesitate to ask.

Also notice that in this setup I have just let the OUTPUT policy
remain ACCEPT. This should be acceptable for most purposes, unless you
really want to enforce that the gateway system is not to converse with
the Internet, or some such thing. If you did want to do that, it would
be like this:

# change the output policy line above to this:
$IPTABLES -P OUTPUT -P DROP

# Add this to the filtering section:
# OUTPUT chain:
# only allow outgoing traffic:
#  1. to loopback
#  2. to LAN
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNAL_IFACE -d $INTERNAL_NETWORK -j ACCEPT

Note that this practically disconnects the gateway machine from the
Internet, which is probably not what you want. It can still be used to
forward/filter for your LAN, but it will be impossible to, for
instance, use apt-get from the machine (horrors!).

I hope you see what I mean about setting a policy

IPTABLES HELP

[dude]

If this is the wrong list, please tell
me where i should post this.

Here is my iptables setup.

As you can see I want a very secure firewall (and gateway)
but i do want to have the ability to ssh from the outside
and i am still not sure how to go about it.


Anyway, here is my setup and
i would appreciate it if any
security gurus would comment on it.
Thanks


#!/bin/sh
#chmod 755 is needed to make this executable

#Turn on ip_forward with this command
echo 1  /proc/sys/net/ipv4/ip_forward


#Clean up tables
iptables -F
iptables -X
iptables -Z


#This allow maquerading
iptables -t nat -A POSTROUTING -j MASQUERADE


#This allow a connection to the gateway from inside the network
#tank
iptables -A INPUT -s 192.168.2.2 -j ACCEPT
iptables -A OUTPUT -d 192.168.2.2 -j ACCEPT

#evvie
iptables -A INPUT -s 192.168.2.20 -j ACCEPT
iptables -A OUTPUT -d 192.168.2.20 -j ACCEPT

#text
iptables -A INPUT -s 192.168.2.3 -j ACCEPT
iptables -A OUTPUT -d 192.168.2.3 -j ACCEPT


# Disallow NEW and INVALID incoming or forwarded packets from eth0.
#iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
#iptables -A FORWARD -i eth0  -m state --state NEW,INVALID -j DROP



#Most people just have a single PPP connection to the Internet,
#and don't want anyone coming back into their network, or the firewall:
## Create chain which blocks new connections, except if coming from
inside.
#I have an eth0 so i made tha appropriate changes

iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A block -j DROP

 ## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block

Re: IPTABLES HELP

[Wayne Topa]

Subject: IPTABLES HELP
Date: Fri, Jul 13, 2001 at 11:05:33AM -0400

In reply to:dude

Quoting dude([EMAIL PROTECTED]):
 
 If this is the wrong list, please tell
 me where i should post this.
 

debian-firewall

-- 
Enter any 11-digit prime number to continue...
___

iptables help

[Tom Tsaknakis]

i will give anyone my first born if you can help me with converting this
\'/sbin/ipchains -A input -s 10.96.8.1 -p IGMP -j ACCEPT\'

to an iptables line
thanx in advance
Tom



-
This mail sent through IMP on IGN WebMail.
http://webmail.ign.com.au

Re: iptables help

[Jonathan D. Proulx]

On Mon, Jun 25, 2001 at 01:04:30PM +1000, Tom Tsaknakis wrote:
:i will give anyone my first born if you can help me with converting this
:\'/sbin/ipchains -A input -s 10.96.8.1 -p IGMP -j ACCEPT\'

I have all the kids I need :)

But I have this working:
iptables -A INPUT --proto icmp -s 10.9.1.1/32 -i ppp+ -j ACCEPT

this is my ADSL router and the only 10.0.0.0/8 I want to see on the
other side of a ppp link.  Can't see why --proto IGMP couldn't be
substituted...

HTH,
-Jon

Re: iptables help

[Tom Tsaknakis]

a billion thanks
you sure you dont want that kid?
hehe
thanks again
ill try that
adios
tom

Quoting \Jonathan D. Proulx\ [EMAIL PROTECTED]:

 On Mon, Jun 25, 2001 at 01:04:30PM +1000, Tom Tsaknakis wrote:
 :i will give anyone my first born if you can help me with converting this
 :\\\'/sbin/ipchains -A input -s 10.96.8.1 -p IGMP -j ACCEPT\\\'
 
 I have all the kids I need :)
 
 But I have this working:
 iptables -A INPUT --proto icmp -s 10.9.1.1/32 -i ppp+ -j ACCEPT
 
 this is my ADSL router and the only 10.0.0.0/8 I want to see on the
 other side of a ppp link.  Can\'t see why --proto IGMP couldn\'t be
 substituted...
 
 HTH,
 -Jon
 
 
 
 -- 
 To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
 with a subject of \unsubscribe\. Trouble? Contact
 [EMAIL PROTECTED]
 


-
This mail sent through IMP on IGN WebMail.
http://webmail.ign.com.au

iptables help?

[Brian May]

Hello,

I thought that these iptables rules:

snoopy:~# iptables -v -L ppp0-out
Chain ppp0-out (1 references)
 pkts bytes target prot opt in out source   destination 

0 0 LOGall  --  anyany 192.168.0.0/16   anywhere
   LOG level warning 
0 0 REJECT all  --  anyany 192.168.0.0/16   anywhere
   reject-with icmp-port-unreachable 
9   868 ACCEPT all  --  anyany anywhere anywhere
   
and:

Chain OUTPUT (policy DROP 1 packets, 40 bytes)
 pkts bytes target prot opt in out source   destination 

   26  1994 ppp0-out   all  --  anyppp0anywhere anywhere
   

would prevent packets with the source address 192.168.*.* from
appearing on ppp0, however it doesn't. In fact, even if I run ping to
an outside host from a 192.168.*.* computer (eth0), none of the
counters for INPUT, FORWARD, or OUTPUT are incremented (if I turn on
masquerading everything works as expected though).

So, how can the packet get received by eth0, be forwarded to ppp0, and
transmitted out ppp0 without any of the chain counters recording it?
I know the packet is appearing on ppp0 by looking at tcpdump, ifconfig
and the transmit light on the modem.

I am confused...

I can only guess that some sort of optimisation is occurring, but
seems strange it only occurs without masquerading or SNAT.

Am I doing something obvious wrong?
-- 
Brian May [EMAIL PROTECTED]

Re: iptables help?

[Brian May]

 Brian == Brian May [EMAIL PROTECTED] writes:

Brian I am confused...

Sorry about my noise. I found it was due to two reasons:

1. IN/OUT rules are used unless the packet is delivered to the local
computer (ie not used if the packet is being forwarded).  This seems
to be a differences between ipchains and iptables that I previously
overlooked.

2. when the packet counts have a postfix of k, they don't change if
the packet count only changes by 1. Arrgghh. Why didn't I realize that
before?  (no wonder the FORWARD rule didn't seem to be working...)

So what I was trying to do may not be as easy as I originally thought.
-- 
Brian May [EMAIL PROTECTED]