On Wednesday 07 Oct 2015 14:23:39 James wrote:

> Mick <michaelkintzios <at> gmail.com> writes:
>
> > > http://gentoo-en.vfose.ru/wiki/IptablesIptables_and_stateful_firewalls#State_basics
> >
> > Start iptables, run the script, stop iptables with '/etc/init.d/iptables
> > stop' which will save your rules to /var/lib/iptables/rules-save,
>
> after starting iptables, I ran /etc/firewall.sh (the previously published
> script) and then stopped it with the syntax above:
>
> cat /var/lib/iptables/rules-save
> # Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
> *mangle
>
> :PREROUTING ACCEPT [16022765:14170972269]
> :INPUT ACCEPT [16022479:14170935323]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [19311825:1508198446]
> :POSTROUTING ACCEPT [19311825:1508198446]
>
> COMMIT
> # Completed on Wed Oct 7 09:13:59 2015
> # Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
> *filter
>
> :INPUT DROP [471:17192]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [722751:44404539]
>
> [740388:740719942] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> # Completed on Wed Oct 7 09:13:59 2015
>
> was the output.

Are you sure that restarting iptables did not produce errors on the CLI? The
script you are using is somewhat old and the iptables syntax has changed since
then.

Have a look here:

https://wiki.gentoo.org/wiki/Iptables

Your single rule line above should therefore look like this:

-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

but before this rule you should specify a default policy for your INPUT and
other chains - ideally one to DROP all packets coming in and allow all going
out; e.g.

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT

Also, to accept any INPUT packets on interfaces other than eth0, you would
precede these lines with:

-A INPUT ! -i eth0 -j ACCEPT

More details on syntax can be found in 'man iptables-extensions'. You will
need to modify your script accordingly for this new syntax. To see if you are
getting syntax errors, run each rule on the CLI first, e.g.

/sbin/iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

and check that it takes with:

/sbin/iptables -L -v -n

NOTE: The order in which you add iptables rules on the CLI is the order in
which they will end up listed in /var/lib/iptables/rules-save.

BTW, I recall a thread posted for a firewall script within the last couple of
years, but can't recall exactly who the contributor was. Have a quick search
in Gmane to see if you can find it.

> sysctl is not set up. I did find this page on that:
> https://wiki.gentoo.org/wiki/Procfs
>
> Any suggestions on setting up sysctl for iptables and other future
> usage?

According to the URL you posted above you should use /etc/sysctl.d/local.conf,
rather than the legacy /etc/sysctl.conf which I suggested. Apologies for a
bum steer. Use your previous URL for stateful firewalls to see what sysctl
settings you need to add here.

> > nmap -A -T4 -P0 -vvv -p1-65535 XXX.XX.XXX.XX
>
> Worked flawlessly. Very precise syntax (thanks). Here are the highlights:
>
> Not shown: 65534 closed ports

Not good. Unless you have set up a default policy to REJECT packets, this
shows ports that are not firewalled, but happen to be closed (no service is
running there). If you had a DROP policy/rule for INPUT packets it should say
"65534 filtered ports".

> PORT STATE SERVICE VERSION
> 22/tcp open ssh OpenSSH 5.9p1-hpn13v11lpk (protocol 2.0)

Not good. Unless you have also defined a rule for allowing connections to
port 22, this shows an open port on which a service (ssh) is currently
listening for incoming connections.

If you want to only allow ssh connections from some local address
192.168.1.27, you can try adding a rule for it like this:

-A INPUT -s 192.168.1.27/32 -i eth0 -p tcp -m conntrack --ctstate NEW -m mac --mac-source 67:35:AC:34:89:48 -m conntrack --ctorigdstport 22 -j ACCEPT

> Not bad for a quick workstation firewall(s). After I get sysctl set up,
> I'll test a few other versions and post again. Then wikify these
> for community consumption.

Your script needs more work. Look first at the iptables URL I posted above,
which has the modern syntax. Also, either define a default INPUT chain policy
to DROP or REJECT packets, or end your script with rules to drop all other
packets not already accepted by previous rules:

-A INPUT -i eth0 -j DROP

PS. Instead of running some script, you can always specify your rules in your
/var/lib/iptables/rules-save and also back it up. Then use this file to
change settings as you see fit and reload/start the firewall for the settings
to take.

--
Regards,
Mick
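As an added example (not code from this thread, the Gentoo wiki or the firewall script under discussion), the following POSIX sh script writes the ruleset Mick describes in iptables-restore format, the same format as /var/lib/iptables/rules-save, and lints the file for the points raised in the reply before anyone loads it. It assumes eth0 is the external interface and that 192.168.1.27 with MAC 67:35:AC:34:89:48 is the admin host allowed to ssh in; gen_rules and lint_rules are hypothetical helper names.

```shell
#!/bin/sh
# Added example: generate and sanity-check a rules-save style file.
# Nothing here touches the kernel; loading the result is a root step
# left to the admin (iptables-restore < FILE, or copy it over
# /var/lib/iptables/rules-save and restart the Gentoo init script).

# gen_rules IFACE ADMIN_IP ADMIN_MAC -> prints one complete *filter table.
# Order matters: rules are evaluated top to bottom, the policy is the catch-all.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -i $1 -j ACCEPT
-A INPUT -i $1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $2/32 -i $1 -p tcp -m conntrack --ctstate NEW -m mac --mac-source $3 -m conntrack --ctorigdstport 22 -j ACCEPT
-A INPUT -i $1 -j DROP
COMMIT
EOF
}
# Note on the ssh rule: --mac-source only matches on the directly attached
# L2 segment and MACs are trivially changed, so it narrows exposure but is
# not authentication; the source address plus ssh keys do the real work.

# lint_rules FILE -> 0 when the file has the properties the reply asks for:
# an INPUT policy of DROP (so a port scan reports "filtered", not "closed"),
# no legacy "-m state" matches, and every table block closed by COMMIT.
lint_rules() {
    f="$1"; rc=0
    grep -q '^:INPUT DROP' "$f" || { echo "INPUT policy is not DROP"; rc=1; }
    ! grep -q -- '-m state' "$f" || { echo "legacy '-m state' found; use -m conntrack --ctstate"; rc=1; }
    tables=$(grep -c '^\*' "$f"); commits=$(grep -c '^COMMIT$' "$f")
    [ "$tables" -eq "$commits" ] || { echo "table/COMMIT count mismatch"; rc=1; }
    return $rc
}

# Generate into a temp file and lint it; constructed sample values below.
out=$(mktemp)
gen_rules eth0 192.168.1.27 67:35:AC:34:89:48 > "$out"
lint_rules "$out" && echo "ruleset looks sane: $out"
```

Running it prints the temp file path; diff that file against your current /var/lib/iptables/rules-save to see exactly what would change before reloading.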