[WBEL-users] Iptables Not Working

Ed Morrison emorrison@ncen.org
Thu, 29 Jul 2004 19:05:58 -0700


> I highly suggest putting your rules in a script so you can run them and
> see what they are really doing one rule at a time, but that's just for
> ease of debugging, as in "bash -xv firewall.cfg" is often very useful.

Since this post, and with help from the list, I have put my rules in a
script and it is functioning well for me.  Thanks for the tip; I ran it
and it is informative.
 
> Other comments on general style, the ESTABLISHED rule should be the very
> first thing in the INPUT chain, because it is the most often matched. On
> a busy system this will make a visible difference in system time.

I no longer run the ESTABLISHED rule due to changes to my iptables.  A
copy of my script is posted below.

> It's faster and easier to understand if you set up a table to validate
> your tcp --syn packets, and just jump to that with a single rule if it's
> a SYN packet.

Not sure I understand this, would you mind expanding on it?

> It's safer to set policy on INPUT to DROP, then allow only
> what you really must have. 

I think this (below) is what you are referring to here, but if the rule
before my accept rules is to drop all traffic, wouldn't that mean the
following rules would not apply?  I thought iptables walked through the
rules in order, applying them in order.  Would it not be better to have
the iptables -A INPUT -j DROP after the specific accept rules?

# Allow other traffic
iptables -A INPUT -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 106 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 995 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT   # -s takes an address; the loopback interface is matched with -i lo


In addition I was told to add a loopback acceptance...what is the danger
in NOT having this?  How would I add it if necessary: 

iptables -A INPUT -s 127.0.0.1 -j ACCEPT  ?

> Putting your icmp packets in a table makes
> this easy to understand as well.

Again, I'm not sure if I understand this or how I would implement it.


> Finally, it looks as if you may have chains rather than tables loaded,
> that may or may not be an issue, I assume the tables module gets demand
> loaded eventually.
> 
> I think you have some syntax error, without COMMIT it does nothing,
> which explains your other problem. Hope this helps.

This has been fixed.


New iptables:

#!/bin/bash

# Make sure the iptables module is loaded.  modprobe finds the module by
# name and loads what it depends on; insmod does neither.
modprobe ip_tables

# Flush any existing rules in INPUT.  The chain policy is not touched, so
# it stays at its default of ACCEPT.
iptables -F INPUT

# Block x.x.x.x/x.x.x.x
iptables -A INPUT -s 24.20.253.108 -j DROP
iptables -A INPUT -s 69.145.105.154 -j DROP
iptables -A INPUT -s 4.11.196.79 -j DROP
iptables -A INPUT -s 80.202.20.7 -j DROP
iptables -A INPUT -s 137.164.158.14 -j DROP
iptables -A INPUT -s 201.129.85.142 -j DROP
iptables -A INPUT -s 24.19.7.146 -j DROP
iptables -A INPUT -s 66.44.140.103 -j DROP
iptables -A INPUT -s 12.205.157.201 -j DROP
iptables -A INPUT -s 201.129.85.95 -j DROP
iptables -A INPUT -s 219.103.193.130 -j DROP
iptables -A INPUT -s 130.120.81.14 -j DROP
iptables -A INPUT -s 207.3.145.251 -j DROP
iptables -A INPUT -s 131.234.66.101 -j DROP
iptables -A INPUT -s 12.109.164.254 -j DROP
iptables -A INPUT -s 12.109.164.25 -j DROP
iptables -A INPUT -s 219.120.54.178 -j DROP
iptables -A INPUT -s 219.120.54.1 -j DROP
iptables -A INPUT -s 201.129.85.221 -j DROP
iptables -A INPUT -s 69.145.104.154 -j DROP
iptables -A INPUT -s 208.19.107.78 -j DROP
iptables -A INPUT -s 210.92.210.1/24 -j DROP
iptables -A INPUT -s 62.3.209.74 -j DROP
iptables -A INPUT -s 66.160.82.166 -j DROP
iptables -A INPUT -s 202.141.1.28 -j DROP

# Allow other traffic
# iptables -A INPUT -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 106 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 995 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT   # -s takes an address; the loopback interface is matched with -i lo

# Drop all other traffic
# While this stays commented out and the INPUT policy is ACCEPT, every
# packet not matched by a DROP above is accepted, so the ACCEPT rules
# above do not restrict anything.
# iptables -A INPUT -i eth0 -j DROP

Thanks for your input and assistance.

Ed


> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -s 24.20.253.108 -j DROP
> > -A INPUT -s 69.145.105.154 -j DROP
> > -A INPUT -s 4.11.196.79 -j DROP
> > -A INPUT -s 80.202.20.7 -j DROP
> > -A INPUT -s 137.164.158.14 -j DROP
> > -A INPUT -s 201.129.85.142 -j DROP
> > -A INPUT -s 24.19.7.146 -j DROP
> > -A INPUT -s 66.44.140.103 -j DROP
> > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> > -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> > -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
> > -A INPUT -m state --state NEW -m tcp -p tcp --dport 106 -j ACCEPT
> > -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
> > -A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
> > # -m udp, not -m tcp: the kernel refuses a tcp match on a -p udp rule, and
> > # iptables-restore only submits the rules to the kernel at COMMIT, so that
> > # is the line it reports as failed
> > -A INPUT -m state --state NEW -m udp -p udp --dport 995 -j ACCEPT
> > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > COMMIT
> >
> >
> > If I run: service iptables start I receive this error:
> >
> > # service iptables start
> > Flushing firewall rules: [  OK  ]
> > Setting chains to policy ACCEPT: filter [  OK  ]
> > Unloading iptables modules: [  OK  ]
> > Applying iptables firewall rules: iptables-restore: line 23 failed
> > [FAILED]
> >
> > It doesn't like the COMMIT line.
> >
> > If I remove the COMMIT.  I see this when start iptables:
> >
> > # service iptables start
> > Flushing firewall rules: [  OK  ]
> > Setting chains to policy ACCEPT: filter [  OK  ]
> > Unloading iptables modules: [  OK  ]
> > Applying iptables firewall rules: [  OK  ]
> >
> >
> >
> > And yet when I run: iptables -L -v   to verify that the tables loaded
> > none of the rules show up:
> >
> > Chain INPUT (policy ACCEPT 1753 packets, 296K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> >
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> >
> > Chain OUTPUT (policy ACCEPT 1820 packets, 293K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > _______________________________________________
> > Whitebox-users mailing list
> > Whitebox-users@beau.org
> > http://beau.org/mailman/listinfo/whitebox-users
> >
> 
> 
> --
>     -bill davidsen (davidsen@tmr.com)
> "The secret to procrastination is to put things off until the
>   last possible moment - but no longer"  -me
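The points raised in the thread (a DROP policy versus a catch-all DROP rule, the loopback rule, a separate chain for SYN packets and one for ICMP, and the COMMIT line) pulled together into one ruleset. This is an added example, not code from Ed's script or from Bill's reply; the chain names TCP_SYN and ICMP_IN, the port list, and the 192.0.2.10 / 198.51.100.0/24 block list are assumptions (the addresses are RFC 5737 documentation ranges constructed for the example). Two facts it relies on: the chain policy set with `iptables -P INPUT DROP` is consulted only after every rule in the chain has failed to match, so unlike an `iptables -A INPUT -j DROP` rule placed ahead of the ACCEPTs it cannot shadow them; and iptables-restore hands the whole table to the kernel at COMMIT, so a rule the kernel refuses (a `-m tcp` match on a `-p udp` rule, for instance) is reported against the COMMIT line, while a file with no COMMIT at all loads nothing, which is exactly what an empty `iptables -L -v` shows. The loopback rule matches the interface (`-i lo`) rather than the source address: `-s` takes an address, so `-s lo` is not valid, and `-s 127.0.0.1` would also match a forged packet arriving on eth0. Without a loopback rule, once the policy is DROP anything on the box that talks to itself over 127.0.0.1 (an MTA handing mail to a local filter, a web application reaching its database) loses that traffic.

```shell
#!/bin/sh
# Added example, not Ed's script: emit a complete filter table in the
# iptables-save format that "service iptables start" feeds to
# iptables-restore, then sanity-check the text before loading it.
# Chain names, ports and addresses are illustrative assumptions.

# Services to expose; the list is an assumption modelled on Ed's.
TCP_PORTS="22 25 80 110 143 443 995"
# Constructed block list (RFC 5737 documentation ranges, not real hosts).
BLOCKED="192.0.2.10 198.51.100.0/24"

gen_ruleset() {
  # Policy DROP applies only when no rule matched; it is not a rule,
  # so it cannot shadow the ACCEPTs that follow.  ESTABLISHED first,
  # because it matches most packets, then loopback by interface.
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP_SYN - [0:0]
:ICMP_IN - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
  for a in $BLOCKED; do
    echo "-A INPUT -s $a -j DROP"
  done
  # One jump for SYNs, one for ICMP; a NEW tcp packet that is not a SYN
  # (an ACK scan, say) falls through to the final REJECT.
  cat <<'EOF'
-A INPUT -p tcp --syn -j TCP_SYN
-A INPUT -p icmp -j ICMP_IN
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
  for p in $TCP_PORTS; do
    echo "-A TCP_SYN -p tcp --dport $p -j ACCEPT"
  done
  cat <<'EOF'
-A TCP_SYN -j DROP
-A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A ICMP_IN -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ICMP_IN -p icmp --icmp-type time-exceeded -j ACCEPT
-A ICMP_IN -j DROP
COMMIT
EOF
}

# Review checks on the generated text, one per point raised in the thread:
# 0 = ok, 1 = COMMIT missing or duplicated, 2 = ESTABLISHED is not the
# first INPUT rule, 3 = a catch-all "-A INPUT -j ACCEPT" shadows later rules.
check_ruleset() {
  rules=$(gen_ruleset)
  [ "$(printf '%s\n' "$rules" | grep -c '^COMMIT$')" -eq 1 ] || return 1
  first=$(printf '%s\n' "$rules" | grep '^-A INPUT ' | head -n 1)
  [ "$first" = "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" ] || return 2
  if printf '%s\n' "$rules" | grep -q '^-A INPUT -j ACCEPT$'; then
    return 3
  fi
  return 0
}

# Usage: review, then load the whole table in one commit (as root):
#   gen_ruleset | less
#   gen_ruleset | iptables-restore
if check_ruleset; then
  echo "ruleset passes review checks"
else
  echo "ruleset failed review check $?" >&2
fi
```

Because iptables-restore installs the table in a single commit, the DROP policy and the ACCEPT for port 22 take effect together, which closes the window in which a line-by-line script that sets `-P INPUT DROP` first can lock you out of SSH. On Red Hat derived systems such as WBEL the init script feeds /etc/sysconfig/iptables to iptables-restore, so `gen_ruleset > /etc/sysconfig/iptables` followed by `service iptables restart` has the same effect.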