HOWTO: Iptables for newbies. PART II: Securing your Network

[kannX]

Code: Select all

$IPT -A PREROUTING -i $INTIF1 -s $INTNET1 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -A INPUT -i $INTIF1 -d ! $INTIP1 -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT

hmm, doesn't work for me:

Code: Select all

iptables -A PREROUTING -i eth0 -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables: No chain/target/match by that name

[krunk]

I'm an idiot, that's what I get for posting before coffee. Pay no attention to my previous post.

[ilyung]

I really appreciate this HOWTO.
However, I am having some trouble with ntp.
I followed every step on this HOWTO. Everything works fine except NTP.
On the boot, ntp-client does not work properly. Actually, this service won't start at all.
Here is the log info.
--------------
[ntpd] Frequency format error in /var/lib/ntp/ntp.drift
[ntpd] sendto(204.17.42.198) : Operation not permitted
----------------
I wonder if this problem is connected to firewall?

Thank you in advance,

[59729]

Code: Select all

$IPT -A PREROUTING -i $INTIF1 -s $INTNET1 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -A INPUT -i $INTIF1 -d ! $INTIP1 -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT

hmm, doesn't work for me:

Code: Select all

iptables -A PREROUTING -i eth0 -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables: No chain/target/match by that name

I think you have to create the CHAIN first

Code: Select all

# Have this before the rule that require this CHAIN
$IPT -N REDIRECT

I am not sure though

[kannX]

ntpd uses broadcasts to sync clients, maybe you want to allow them

Code: Select all

$IPT -A OUTPUT   -o $INTIF1 -s $INTIP1 -d $INTBC1  -p udp --sport ntp -j ACCEPT

and of course you must allow ntp requests in

Code: Select all

$IPT -A INPUT    -i $INTIF1 -s $INTNET1 -d $INTIP1  -p udp --dport ntp -j  ACCEPT
$IPT -A OUTPUT -o $INTIF1 -s $INTIP1 -d $INTNET1  -p udp --sport ntp -j ACCEPT

if you use bootp you probably want to allow this

Code: Select all

$IPT -A INPUT    -i $INTIF1 -s $INTNET1 -d $INTIP1  -p udp --sport bootpc --dport bootps -j ACCEPT
$IPT -A OUTPUT -o $INTIF1 -s $INTIP1 -d $INTBC1  -p udp --sport bootps --dport bootpc -j  ACCEPT

[kannX]

I think you have to create the CHAIN first

Code: Select all

# Have this before the rule that require this CHAIN
$IPT -N REDIRECT

I am not sure though

REDIRECT is a build in target and only valid in the nat table.

Code: Select all

   REDIRECT
       This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are  only
       called from those chains.  It alters the destination IP address to send the packet to the machine itself (locally-gener-
       ated packets are mapped to the 127.0.0.1 address).  It takes one option:

       --to-ports port[-port]
              This specifies a destination port or range of ports to use: without this, the destination port is never  altered.
              This is only valid if the rule also specifies -p tcp or -p udp.

[ilyung]

KannX,

Thank you so much for the help. I could solve this problem with your advice.
By the way, I have another question about firewall..(It sucks!)
One of my friend is running ftp service with a certain port rather than 21.
He is running with 1xxxx port for ftp.
I edited firewall so I could connect this ftp server. However, I am not able to see the contents in it. I mean, I can log in but I can not list up the files for example.

Thanks in advance,

[59729]

You probably need to use the module 'ip_conntrack_ftp'

If I remember correctly you only have to allow the port, then add something like
modprobe ip_conntrack_ftp(portnr)


If you don' have that module you have to enable it in the kernel,
make menuconfig
#find enable the connection tracking module for ftp
make && make modules
# make install # maybe? don't remember

[nadsys]

krunk or neurolabs,

i am using neurolabs script which is a redo of krunks. i cant get my clients out to the internet or even to ping anything. i keep getting "connect: network is unreachable" with a ping or with an ftp session.

please advise. i have my configuration on another post:
http://forums.gentoo.org/viewtopic.php?t=230953

thank you for any advise. i like the firewall, just getting hacked off i cant fully understand it all yet and small things dont work. odd.

maybe you never intended for clients to have internet access but from the section saying "allow internal machine to use services" i assume you did?

[krunk]

from the scirpt in you post looks like you copy'd and pasted the one before I corrected an error at the bottom.

change the last iptables entries from 'iptables' to $IPT and give it a shot. when you run the script look for errors.

[nadsys]

ty for quick reply krunk. the script on page 2 of this thread posted by you (the neurolabs redo) still has that iptables error in it. hence why i had it .

i changed script, ran it. only error i get are two warnings about the two modules already busy, think its more of a red herring.

i have put the script that i now run in the last post of my link above. in it the only changes i made were to add two variables. one for ports i want to use for ftp'ing, second for ports i want the ftp client/firewall to use for passive (still not sure how to tell it to use the range of 14000:14500). i read up on the ftp firewalling rules. it talks about the "related" rule being what you need and that is near the bottom of your script so i would assume it would have worked. yet it doesn't work on any other port than 21.

just to clarify, this is not for an ftp server, this is for an ftp client, ftp server works fine.

also, my client PC still cannot see the outside world, keeps getting "connect : Netowrk is unreachable. only thing it can do is ping the server. it does work when firewalls off. so it is a firewall related problem. nothing else (using dnsmasq and dhcp, they still work).

any help/suggestions welcome.

thank you klunk + anyone else who is brave enough to take this on

Neil

[nadsys]

quick note, i thought "what the hell", lets try it on my second pc, the 12.168.0.10 machine. so i booted it up and tried "ping www.yahoo.com", it worked, then i tried a mozilla session, bingo, worked first time.

so why does one pc work and the other (192.168.0.9) not work. any idea's?

the .10 machine runs fedora core 2. the .9 machine is gentoo 2.6.7, server .25 is gentoo 2.6.8

thank you,

Neil

[krunk]

Sorry bout the error, I've edited (for real) now so no one else wil l have to deal with it.

That is very odd. But here is what I would suggest:

On machine where iptables is running do a:

Code: Select all

tail -f /var/log/messages 

*or where ever your logs are being sent to*

Than attempt a connection, if iptables is blocking the packets you should see the logs begin to scroll in which case post the appropriate ones here.

Secondly, if the rule set works on one machine and not the other, I would expect a configuration error somewhere on the client. The rules dynamically grab ip's and netmasks of appropriate devices. It would better help us wrap our mind around the issue with a network schematic like the [url
=http://www.tuxmac.homelinux.org/~james/ ... xample.jpg]following[/url[

See, as far as your server is concerned in the vast majority of cases, there should be any rule difference between xxx.xxx.xxx.9 and xxx.xxx.xxx.10 as long as they are on the same subnet or unless you have some ip specific filters running. In otherwords, most rules which client your are coming from, but which subnet. (e.g. the subnet of a particular interface).

So post/check everything related to networking on the trouble client you can as well as logs of dropped packets.

[nadsys]

ok, fixed it. forgot about the conf.d/net file. the 2nd pc was setup as a server at one point so dhcp settings were slightly off. needed to add gateway and -N -h to make it a client.

sorry to have wasted your time.

BUT there still does remain a problem. the firewall script i posted will only allow Active ftp on port 21. i cant get passive to work on any port, or active on any port except 21.

the ports i have been trying are in my script as a variable. so i can connect to server, but when it tries to list "list -a OR -aL" it fails.

im assuming this is because the ports its trying to use for passive are not the ones i want it to use. i.e. the range of 14000:14500.

any idea's/hints on what i should check.

last but not least, everyone talks about /var/log/messages. i use metalog, there is no such file. i have /everything/current or /kernel/current. but no /messages.

many thanx,

Neil

[59729]

Passive uses several ports, one for connection and another for transfer and listing, if I remember correctly... don't know which ports I think it's randomized between all high port numbers

I think thats what the ftp tracking module should do ip_conntrack_ftp which should be included with your kernel sources and are very easy to add

[krunk]

I think thats what the ftp tracking module should do ip_conntrack_ftp which should be included with your kernel sources and are very easy to add

Your are exactly correct.

[nadsys]

to answer you above, i do have conntrack_ftp and nat_ftp running as modules. i seem to be getting more success with the server off of port 21, still not 100% but i'll look into it further.

easier example then, playing yahoo games, should only require http port, correct? + it runs on java so java must be installed but thats not an issue.

works when firewall is off, not when its on. firewall reject messages are as below. is it safe to tell the server to allow all ports above 1024 and if so how?

or is it possible to say "for this application allow all traffic on these ports" i.e. application filtering. im used to kerio personal firewall and all i had to do was block all lower ports except ones i needed, then add rules for eevery app and ports it used so they were filtered then deny all at the bottom, worked like a charm. no such ability to do that for say mozilla/gftp?

Code: Select all

Oct  3 22:42:48 [kernel] FIREWALL REJECT UNKNOWN:IN= OUT=ppp0 SRC=84.57.35.49 DST=66.218.71.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30774 DF PROTO=TCP SPT=34173 DPT=11999 WINDOW=5808 RES=0x00 SYN URGP=0 
Oct  3 22:42:51 [kernel] FIREWALL REJECT UNKNOWN:IN= OUT=ppp0 SRC=84.57.35.49 DST=66.218.71.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30775 DF PROTO=TCP SPT=34173 DPT=11999 WINDOW=5808 RES=0x00 SYN URGP=0

thanx for any advice

[krunk]

Allowing all ports above 1024 is like not having a firewall at all for about 55,000 of the 65,556 ports available. (not too advised)
The web games must use other ports besides http. The logs below indicate that ip 84.57.35.49 is attempted to connect from port 34173 to port 11999.

You don't have to open them all up, just those two and only going in one direction.

$IPT -A INPUT -s 84.57.35.49 --sport 34173 -p tcp --dport 11999 -j ACCEPT

(I think anyway, you may have to play around with the syntax)

[woodm]

This firewall script works flawlessly for me. Which is fantastic.

However, I want to dig into it, and see exactly what's happening (damn curiosity. Hey, wher's my cat?) anyway, I can't seem to undo this monster at all.

I try:

Code: Select all

[doorman:~] > /sbin/iptables -F
[doorman:~] > /sbin/iptables -X
[doorman:~] > /sbin/iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
[doorman:~] > ssh (somewhere else known to work)
ssh: (location): Temporary failure in name resolution
[doorman:~] > ping yahoo.com
ping: unknown host yahoo.com
[doorman:~] > ping 128.138.240.1
PING 128.138.240.1 (128.138.240.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

I don't understand why that would happen at all.

I even try running the script from your FIRST HOW-TO which just kinda gets everything up and running. Even if I completely shutdown the machine and make sure the iptables-restore is empty, I still can't get to the outside world.

I don't understand how that's possible, but then again, I don't understand what's happening within this script anyway. It seems to me that the only non /sbin/iptables commands that are entered are the envirnment variables and echo 1/0 > /proc/**** commands. I've tried matching these to other linux boxes I have, but nothing seems to work.

Anyone have any ideas?

I mean, I do have a working firewall, but I can't really change it, and I don't understand what's going on. These 2 things are bugging the crap out of me.

[edit]

Oh, here may be a hint for those that know more than me (everyone): I ran your big script above with bash's debug flag (-x) on, and I noticed the following:

Code: Select all

+ /sbin/iptables -N DROPl
+ /sbin/iptables -A DROPl -j LOG --log-prefix DROPl:
+ /sbin/iptables -A DROPl -j DROP
+ /sbin/iptables -N REJECTl
+ /sbin/iptables -A REJECTl -j LOG --log-prefix REJECTl:
+ /sbin/iptables -A REJECTl -j REJECT
iptables: No chain/target/match by that name

No chain by that name? That seems strange.

BTW, I have read the above posts, but that doesn't necessarily mean that I haven't missed something ridiculously embarrassing. You don't have to be gentle at all.
[/edit]

Anyway, thanks guys. This is clearly the best forum in existence.

[krunk]

In the first case, if you notice your default policies are 'DROP' this means if anything is not covered by a rule it is dropped. This is the first thing set by the script.

Secondly, you'll see this in the script:

Code: Select all

$ECHO 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

which blocks all icmp type packets.....ping included.

cheers

btw you should check out the iptables howto at FrozenTux.net

FrozenTux

[woodm]

So the default policie for DROP isn't removed when I flush the system? Do you just have to change the default to ACCEPT then?

Intersting.

/me goes and reads a LOT more how-tos.

[kannX]

Code: Select all

$ECHO 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

which blocks all icmp type packets.....ping included.

Well, i think it drops all incoming icmp send to the boradcast address.
Icmp with the right address (INTIP1, INTIP2) from clients int INTNET1, INTNET2 and icmp outgoing should work .

[krunk]

Code: Select all

$ECHO 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

which blocks all icmp type packets.....ping included.

Well, i think it drops all incoming icmp send to the boradcast address.
Icmp with the right address (INTIP1, INTIP2) from clients int INTNET1, INTNET2 and icmp outgoing should work .

Actually, I double checked and you are right. Wouldn't the default POLICY of DROP be at the root though?

[jimbob0i0]

I've been trying to get this script to work for me but have a problem....
I have an internal mailserver running imaps, smtp and smtp on port 2525 (girlfiriend's ISP blocks 25 for her so she can't connect on that)

I put in:

#Mail systems from the outside world to the internal server
$IPT -t nat -A PREROUTING -p tcp --dport 25 -i $EXTIF -j DNAT --to $CENTRAL
$IPT -t nat -A PREROUTING -p tcp --dport 993 -i $EXTIF -j DNAT --to $CENTRAL
$IPT -t nat -A PREROUTING -p tcp --dport 2525 -i $EXTIF -j DNAT --to $CENTRAL

Which I thought should have done it ($CENTRAL is defined as the IP address of the machine on the local network) but port scans show these ports as closed if I also put in a $IPT -A INPUT rule for those ports or stealthed if I try forward or forward&input

The logs show:

Code: Select all

Nov 14 20:57:38 gateway DROPl:IN=eth1 OUT= MAC=00:09:5b:1b:72:09:00:0b:fc:43:c0:a8:08:00 SRC=204.1.226.228 DST=82.43.43.146 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=32768 PROTO=TCP SPT=62263 DPT=2525 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 14 20:57:05 gateway DROPl:IN=eth1 OUT= MAC=00:09:5b:1b:72:09:00:0b:fc:43:c0:a8:08:00 SRC=204.1.226.228 DST=82.43.43.146 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=32768 PROTO=TCP SPT=62228 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 14 19:46:34 gateway DROPl:IN=eth1 OUT= MAC=00:09:5b:1b:72:09:00:0b:fc:43:c0:a8:08:00 SRC=204.1.226.228 DST=82.43.43.146 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=32768 PROTO=TCP SPT=56955 DPT=993 WINDOW=8192 RES=0x00 SYN URGP=0

Any ideas guys? I'd really like to lock down my firewall better than it is now.

[Jerri]

does anyone sufer from extremely huge log files?
I let my router run (using this script) for a week and a half, without checking on it. /var/log/messages was over 25 MB. That seems a touch excessive.

I realise that its probably a good idea to review all the packets dropped. But... something doesn't sit very well with me on that one. I don't know.

I guess what i'm interested in hearing from others, is whats your policy on logging every dropped packet? what do you do with your log files? i suppose i could run a cron job, to compress them every couple of days and store them somewhere. The only problem is that my router is running out of space. I mean, i have a 1.2 GB hard disk. thats not a huge amount of room to work with.

Anyways. The script works well. Much obliged for the HOWTO :)