
Re: [tlug] Iptables trouble



Hello David,

I see a few potential issues here, though maybe nothing really serious.

You need a clarification on "communicate":

On Thu, Jan 11, 2018 at 4:31 AM, David J Iannucci
<jlinux@example.com> wrote:
> The problem is that the IT dept cannot communicate with this box over
> the private subnet when these rules are in place, and I don't know why.
>
What protocols, ports are they using, for what?

I never edit the output of `iptables save` or whatever produced the
output below, I write a bash script that clears/resets everything and
then sets it properly, but let me try inline...
If you get a syntax error or some other error, you'll need to figure it out:

> ## Default policy: allow nothing coming in, everything going out
> :INPUT DROP [150:10296]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [42178:3090645]
>
For OUTPUT, I usually also list only permitted traffic (related and
some new), but let's leave that for later, once it works.
You might need to delete (edit?) the "[]" above to get it working?

Also, I find it useful to add inline comments with `-m comment` that
you can see with `iptables -L -nv` later.
BTW, you/IT is not using IPv6, right? Do you have any IPv6 addresses
at all (`ip addr`)?

> ## Accept anything over the loopback i/f
> -A INPUT -i lo -j ACCEPT
>
OK, but I'd add OUTPUT as well.
-A OUTPUT -o lo -j ACCEPT

> ## Accept any packets that are part of an already ESTABLISHED
> ## connection, or RELATED(?) to something? Not sure about
> ## RELATED, but I don't think it's hurting me :=)
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
OK.
Here I'll generally accept some ICMP, like ping.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept ping from everywhere"

> ## Accept all TCP connection packets whose origin IP is in the
> ## given range. This is SUPPOSED to allow the IT dept to talk to me.
> -A INPUT -p tcp -m tcp --source 172.16.0.0/12 -j ACCEPT
>
Only TCP? What about ICMP (ping) and/or UDP?

BTW, I don't think you need '-m tcp', '-p tcp' defaults to it, IMHO.
For a start I'd say you need:
-A INPUT --source 172.16.0.0/12 -j ACCEPT -m comment --comment "Accept all incoming IT dept. communication"
-A OUTPUT --destination 172.16.0.0/12 -j ACCEPT -m comment --comment "Accept all outgoing IT dept. communication"


> ## Accept all TCP connection packets to ports 80 and 443. I suppose
> ## this is only needed on initial establishment, as the ESTABLISHED
> ## rule should then take over, no?
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>
so add NEW then (and below):
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT -m comment --comment "Accept inbound HTTP"
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT -m comment --comment "Accept inbound HTTPS"


> ## Accept all TCP connection packets to port 22 only if the origin
> ## is in the given IP range.
> -A INPUT -s 133.171.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s 112.160.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
>
-A INPUT -s 133.171.0.0/16 -p tcp --dport 22 -m state --state NEW -j ACCEPT -m comment --comment "Accept inbound SSH from WHATEVER_YOU_DESCRIBE"
-A INPUT -s 112.160.0.0/16 -p tcp --dport 22 -m state --state NEW -j ACCEPT -m comment --comment "Accept inbound SSH from WHATEVER_YOU_DESCRIBE"


> ## More like the ones above for SSH, but for different ports
> -A INPUT -s 133.171.0.0/16 -p tcp -m tcp --dport 3000 -j ACCEPT
> -A INPUT -s 133.171.0.0/16 -p tcp -m tcp --dport 3030 -j ACCEPT
> -A INPUT -s 133.171.0.0/16 -p tcp -m tcp --dport 4040 -j ACCEPT
> -A INPUT -s 133.171.0.0/16 -p tcp -m tcp --dport 4200 -j ACCEPT
>
If those are logically connected, i.e. you can describe them as one
system, org, whatever, use a single rule like:

-A INPUT -s 133.171.0.0/16 -p tcp -m multiport --dports 3000,3030,4040,4200 -m state --state NEW -j ACCEPT -m comment --comment "Accept inbound SSH FROM/FOR WHATEVER_YOU_DESCRIBE"


and some touch-up, to separate (for debugging or accounting)
reply-to-incoming traffic from outgoing:
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Accept replies to incoming traffic"
-A OUTPUT -j ACCEPT -m comment --comment "Accept all other outgoing traffic"


And you can add some logging here (temporary, don't forget to turn it
off in production, if this system faces the Net).

-A INPUT -j LOG --log-prefix "IPv4:INPUT_before_DROP: "
-A FORWARD -j LOG --log-prefix "IPv4:FORWARD_before_DROP: "
-A OUTPUT -j LOG --log-prefix "IPv4:OUTPUT_before_ACCEPT: "

> COMMIT
>
OK, I guess that is part of the format, just leave it there.

> [*] Note that I've changed the IP addresses in an attempt at obscurity
> security, though against what I'm not sure.
>
LoL

Cheers,
Kalin.

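As an added example (not part of Kalin's reply or David's ruleset), a small Python linter for iptables-save style dumps that flags the three slips this thread turns on: an `-i` interface match on the OUTPUT chain, a misspelled match module such as `mutiport`, and an ACCEPT on a port that is not restricted to NEW connections. The sample dump is constructed from the rules quoted above, and the set of known match modules is an assumption.

```python
"""Lint an iptables-save dump for the slips discussed in this thread."""
import shlex
# Constructed sample: the poster's rules plus two proposed additions, one misspelled.
SAMPLE_RULES = """\
*filter
:INPUT DROP [150:10296]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 133.171.0.0/16 -p tcp -m mutiport --dports 3000,3030 -m state --state NEW -j ACCEPT
COMMIT
"""

# Match-extension names this linter recognises (an assumption; extend as needed).
KNOWN_MATCHES = {"tcp", "udp", "icmp", "state", "conntrack", "multiport", "comment", "limit"}

def lint_rule(rule: str) -> list[str]:
    """Return findings for one '-A CHAIN ...' rule; an empty list means clean."""
    argv = shlex.split(rule)
    if len(argv) < 2 or argv[0] != "-A":
        return []
    chain, tokens = argv[1], argv[2:]
    # Map each option to the token following it (every option inspected here takes one value).
    opts = {tok: tokens[i + 1] for i, tok in enumerate(tokens[:-1]) if tok.startswith("-")}
    findings = []
    if chain == "OUTPUT" and ("-i" in opts or "--in-interface" in opts):
        findings.append("-i (input interface) is not valid in OUTPUT; use -o")
    # A misspelled match module (e.g. "mutiport") fails to load at restore time.
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-m" and tokens[i + 1] not in KNOWN_MATCHES:
            findings.append(f"unknown match module {tokens[i + 1]!r}")
    ports = opts.get("--dport") or opts.get("--dports")
    if ports and opts.get("-j") == "ACCEPT" and not (opts.keys() & {"--state", "--ctstate"}):
        findings.append(f"accepts port(s) {ports} in any state; add '-m state --state NEW'")
    return findings

def lint_ruleset(text: str) -> list[tuple[int, str]]:
    """Lint a whole dump, returning (line_number, finding) pairs."""
    results = []
    for lineno, line in enumerate(map(str.strip, text.splitlines()), start=1):
        # Skip table headers (*filter), policy lines (:INPUT DROP [..]), COMMIT and comments.
        if not line or line[0] in "*:#" or line == "COMMIT":
            continue
        results.extend((lineno, finding) for finding in lint_rule(line))
    return results

if __name__ == "__main__":
    for lineno, finding in lint_ruleset(SAMPLE_RULES):
        print(f"line {lineno}: {finding}")
```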
