| 1 |
On Wednesday 07 Oct 2015 14:23:39 James wrote: |
| 2 |
> Mick <michaelkintzios <at> gmail.com> writes: |
| 3 |
> > > http://gentoo-en.vfose.ru |
| 4 |
> > > /wiki/IptablesIptables_and_stateful_firewalls#State_basics |
| 5 |
> > |
| 6 |
> > Start iptables, run the script, stop iptables with '/etc/init.d/iptables |
| 7 |
> > > |
| 8 |
> |
| 9 |
> stop' which will save your rules to /var/lib/iptables/rules-save, |
| 10 |
> |
| 11 |
> |
| 12 |
> after starting iptables, I ran /etc/firewall.sh (the previously published |
| 13 |
> script) and the stop with the syntax above:: |
| 14 |
> |
| 15 |
> cat /var/lib/iptables/rules-save |
| 16 |
> # Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015 |
| 17 |
> *mangle |
| 18 |
> |
| 19 |
> :PREROUTING ACCEPT [16022765:14170972269] |
| 20 |
> :INPUT ACCEPT [16022479:14170935323] |
| 21 |
> :FORWARD ACCEPT [0:0] |
| 22 |
> :OUTPUT ACCEPT [19311825:1508198446] |
| 23 |
> :POSTROUTING ACCEPT [19311825:1508198446] |
| 24 |
> |
| 25 |
> COMMIT |
| 26 |
> # Completed on Wed Oct 7 09:13:59 2015 |
| 27 |
> # Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015 |
| 28 |
> *filter |
| 29 |
> |
| 30 |
> :INPUT DROP [471:17192] |
| 31 |
> :FORWARD ACCEPT [0:0] |
| 32 |
> :OUTPUT ACCEPT [722751:44404539] |
| 33 |
> |
| 34 |
> [740388:740719942] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
| 35 |
> COMMIT |
| 36 |
> # Completed on Wed Oct 7 09:13:59 2015 |
| 37 |
> |
| 38 |
> |
| 39 |
> was the ouput. |
| 40 |
|
| 41 |
Are you sure that restarting iptables did not produce errors on the CLI? The |
| 42 |
script you are using is somewhat old and the iptables syntax has changed since |
| 43 |
then. |
| 44 |
|
| 45 |
Have a look here: |
| 46 |
|
| 47 |
https://wiki.gentoo.org/wiki/Iptables |
| 48 |
|
| 49 |
|
| 50 |
Your single rule line above should therefore look like this: |
| 51 |
|
| 52 |
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
| 53 |
|
| 54 |
but before this rule you should specify a default policy for your INPUT and |
| 55 |
other chains - ideally one to DROP all packets coming in and allow all going |
| 56 |
out; e.g. |
| 57 |
|
| 58 |
-P INPUT DROP |
| 59 |
-P FORWARD DROP |
| 60 |
-P OUTPUT ACCEPT |
| 61 |
|
| 62 |
Also, to accept any INPUT packets on interfaces other than eth0, you would |
| 63 |
precede these lines with: |
| 64 |
|
| 65 |
-A INPUT ! -i eth0 -j ACCEPT |
| 66 |
|
| 67 |
|
| 68 |
More details on syntax can be found in 'man iptables-extensions'. You will |
| 69 |
need to modify your script accordingly for this new syntax. To see if you are |
| 70 |
getting syntax errors run each rule on the CLI first, e.g. |
| 71 |
|
| 72 |
/sbin/iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j |
| 73 |
ACCEPT |
| 74 |
|
| 75 |
and check that it takes with: |
| 76 |
|
| 77 |
/sbin/iptables -L -v -n |
| 78 |
|
| 79 |
NOTE: The order in which you add iptables rules on the CLI is the order in |
| 80 |
which they will end up listed in /var/lib/iptables/rules-save. |
| 81 |
|
| 82 |
|
| 83 |
BTW, I recall a thread posted for a firewall script within the last couple of |
| 84 |
years, but can't recall exactly who was the contributor. Have a quick search |
| 85 |
in Gmane to see if you can find it. |
| 86 |
|
| 87 |
|
| 88 |
> sysctl is not set up. I did find this page on that:: |
| 89 |
> https://wiki.gentoo.org/wiki/Procfs |
| 90 |
> |
| 91 |
> Any suggestions on setting up sysctl for iptables and other future |
| 92 |
> usage? |
| 93 |
|
| 94 |
According to the URL you posted above you should use /etc/sysctl.d/local.conf, |
| 95 |
rather than the legacy /etc/sysctl.conf which I suggested. Apologies for a |
| 96 |
bum steer. Use your previous URL for stateful firewalls to see what sysctl |
| 97 |
settings you need to add here. |
| 98 |
|
| 99 |
|
| 100 |
> > nmap -A -T4 -P0 -vvv -p1-65535 XXX.XX.XXX.XX |
| 101 |
> |
| 102 |
> Worked flawlessly. Very precise syntax (thanks). Here are the highlights:: |
| 103 |
> |
| 104 |
> Not shown: 65534 closed ports |
| 105 |
|
| 106 |
Not good. Unless you have set up a default policy to REJECT packets, this |
| 107 |
shows ports that are not firewalled, but happen to be closed (no service is |
| 108 |
running there). If you had a DROP policy/rule for INPUT packets it should say |
| 109 |
"65534 filtered ports". |
| 110 |
|
| 111 |
|
| 112 |
> PORT STATE SERVICE VERSION |
| 113 |
> 22/tcp open ssh OpenSSH 5.9p1-hpn13v11lpk (protocol 2.0) |
| 114 |
|
| 115 |
Not good. Unless you have also defined a rule for allowing connections to |
| 116 |
port 22, this shows an open port, to which a service (ssh) is currently |
| 117 |
listening for incoming connections. |
| 118 |
|
| 119 |
If you want to only allow ssh connections from some local address |
| 120 |
192.168.1.27, you can try adding a rule for it like this: |
| 121 |
|
| 122 |
-A INPUT -s 192.168.1.27/32 -i eth0 -p tcp -m conntrack --ctstate NEW -m mac |
| 123 |
--mac-source 67:35:AC:34:89:48 -m conntrack --ctorigdstport 22 -j ACCEPT |
| 124 |
|
| 125 |
|
| 126 |
> Not bad for a quick workstation firewall(s). After I get sysctl setup, |
| 127 |
> I'll test a few other verssions and post again. Then wikify these |
| 128 |
> for community consumption. |
| 129 |
|
| 130 |
Your script needs more work. Look first at the iptables URL I posted above, |
| 131 |
which has the modern syntax. Also, either define a default INPUT chain policy |
| 132 |
to DROP or REJECT packets, or end your script with rules to drop all other |
| 133 |
packets, not already accepted by previous rules: |
| 134 |
|
| 135 |
-A INPUT -i eth0 -j DROP |
| 136 |
|
| 137 |
PS. Instead of running some script, you can always specify your rules in your |
| 138 |
/var/lib/iptables/rules-save and also back it up. Then use this file to |
| 139 |
change settings as you see fit and reload/start the firewall for the settings |
| 140 |
to take. |
| 141 |
|
| 142 |
-- |
| 143 |
Regards, |
| 144 |
Mick |
Archives