tlug Mailing List Archive

Re: [tlug] Iptables trouble
- Date: Thu, 11 Jan 2018 09:51:43 +0100
- From: Kalin KOZHUHAROV <me.kalin@example.com>
- Subject: Re: [tlug] Iptables trouble
- References: <1515641488.1593636.1231426376.22933952@webmail.messagingengine.com>
Hello David,

I see a few potential issues here, though nothing really serious may be.
You need a clarification on "communicate":

On Thu, Jan 11, 2018 at 4:31 AM, David J Iannucci <jlinux@example.com> wrote:
> The problem is that the IT dept cannot communicate with this box over
> the private subnet when these rules are in place, and I don't know why.
>
What protocols, ports are they using, for what?

I never edit the output of `iptables-save` or whatever produced the
output below, I write a bash script that clears/resets everything and
then sets it properly, but let me try inline... If you get a syntax
error or some other error, you'll need to figure it out:

> ## Default policy: allow nothing coming in, everything going out
> :INPUT DROP [150:10296]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [42178:3090645]
>
For OUTPUT, I usually also list only permitted traffic (related and
some new), but let's leave that for later, once it works.
You might need to delete (edit?) the "[]" above to get it working?

Also, I find it useful to add inline comments with `-m comment` that
you can see with `iptables -L -nv` later.

BTW, you/IT are not using IPv6, right? Do you have any IPv6 addresses
at all (`ip addr`)?

> ## Accept anything over the loopback i/f
> -A INPUT -i lo -j ACCEPT
>
OK, but I'd add OUTPUT as well.

-A OUTPUT -o lo -j ACCEPT

> ## Accept any packets that are part of an already ESTABLISHED
> ## connection, or RELATED(?) to something? Not sure about
> ## RELATED, but I don't think it's hurting me :=)
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
OK.

Here I'll generally accept some ICMP, like ping.

-A INPUT -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept ping from everywhere"

> ## Accept all TCP connection packets whose origin IP is in the
> ## given range. This is SUPPOSED to allow the IT dept to talk to me.
> -A INPUT -p tcp -m tcp --source 172.16.0.0/12 -j ACCEPT
>
Only TCP? What about ICMP (ping) and/or UDP?
BTW, I don't think you need '-m tcp', '-p tcp' defaults to it, IMHO.

For a start I'd say you need:

-A INPUT --source 172.16.0.0/12 -j ACCEPT -m comment --comment "Accept all incoming IT dept. communication"
-A OUTPUT --destination 172.16.0.0/12 -j ACCEPT -m comment --comment "Accept all outgoing IT dept. communication"

> ## Accept all TCP connection packets to ports 80 and 443. I suppose
> ## this is only needed on initial establishment, as the ESTABLISHED
> ## rule should then take over, no?
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>
so add NEW then (and below):

-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT -m comment --comment "Accept inbound HTTP"
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT -m comment --comment "Accept inbound HTTPS"

> ## Accept all TCP connection packets to port 22 only if the origin
> ## is in the given IP range.
> -A INPUT -s 133.171.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s 112.160.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
>
-A INPUT -s 133.171.0.0/16 -p tcp --dport 22 -m state --state NEW -j ACCEPT -m comment --comment "Accept inbound SSH from WHATEVER_YOU_DESCRIBE"
-A INPUT -s 112.160.0.0/16 -p tcp --dport 22 -m state --state NEW -j ACCEPT -m comment --comment "Accept inbound SSH from WHATEVER_YOU_DESCRIBE"

> ## More like the ones above for SSH, but for different ports
> -A INPUT -s 133.171.0.0/16 -p tcp -m tcp --dport 3000 -j ACCEPT
> -A INPUT -s 133.171.0.0/16 -p tcp -m tcp --dport 3030 -j ACCEPT
> -A INPUT -s 133.171.0.0/16 -p tcp -m tcp --dport 4040 -j ACCEPT
> -A INPUT -s 133.171.0.0/16 -p tcp -m tcp --dport 4200 -j ACCEPT
>
If those are logically connected, i.e. you can describe them as one
system, org, whatever, use a single rule like:

-A INPUT -s 133.171.0.0/16 -p tcp -m multiport --dports 3000,3030,4040,4200 -m state --state NEW -j ACCEPT -m comment --comment "Accept inbound SSH FROM/FOR WHATEVER_YOU_DESCRIBE"

and some touch-up, to separate (for debugging or accounting)
reply-to-incoming traffic from outgoing:

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Accept replies to incoming traffic"
-A OUTPUT -j ACCEPT -m comment --comment "Accept all other outgoing traffic"

And you can add some logging here (temporary, don't forget to turn it
off in production, if this system faces the Net).

-A INPUT -j LOG --log-prefix "IPv4:INPUT_before_DROP: "
-A FORWARD -j LOG --log-prefix "IPv4:FORWARD_before_DROP: "
-A OUTPUT -j LOG --log-prefix "IPv4:OUTPUT_before_ACCEPT: "

> COMMIT
>
OK, I guess that is part of the format, just leave it there.

> [*] Note that I've changed the IP addresses in an attempt at obscurity
> security, though against what I'm not sure.
>
LoL

Cheers,
Kalin.
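The reply above recommends generating the firewall from a script that resets everything and sets it up from scratch, with `-m comment` annotations, one multiport rule for the application ports, NEW-state matches on the public ports, and temporary LOG rules before the default DROP. The script below is an added example and is not code from the thread or from either poster; it puts those pieces together as a ruleset generator for the filter table. The subnets and ports are the obscured values from David's post, kept as placeholders, and the lint function's list of known match modules is an assumption covering only the modules this ruleset uses. It also uses `-m conntrack --ctstate` rather than the older `-m state` match that the thread uses; both work, `conntrack` is the current form.

```bash
#!/usr/bin/env bash
# Added example (not code from the thread): a reset-and-apply firewall
# script in the spirit of Kalin's advice. It builds the whole ruleset
# as text so it can be read, linted and parse-checked before it is
# loaded atomically with iptables-restore. Subnets and ports are the
# obscured values from David's post, kept here as placeholders.
set -eu

IT_SUBNET="172.16.0.0/12"                     # IT dept private range
SSH_SOURCES="133.171.0.0/16 112.160.0.0/16"   # ranges allowed to SSH in
APP_SOURCE="133.171.0.0/16"                   # range allowed to the app ports
APP_PORTS="3000,3030,4040,4200"               # one multiport rule instead of four

# Emit a complete filter-table ruleset in iptables-restore format.
# Counters are written as [0:0]; iptables-restore ignores them unless -c is given.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "loopback in" -j ACCEPT
-A OUTPUT -o lo -m comment --comment "loopback out (-o, not -i, in OUTPUT)" -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "replies to existing connections" -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -m comment --comment "drop packets conntrack cannot classify" -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -m comment --comment "rate-limited ping" -j ACCEPT
-A INPUT -s ${IT_SUBNET} -m comment --comment "all protocols from IT dept, not only TCP" -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m comment --comment "inbound HTTP" -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m comment --comment "inbound HTTPS" -j ACCEPT
EOF
    local src
    for src in ${SSH_SOURCES}; do
        echo "-A INPUT -s ${src} -p tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment \"inbound SSH from ${src}\" -j ACCEPT"
    done
    cat <<EOF
-A INPUT -s ${APP_SOURCE} -p tcp -m multiport --dports ${APP_PORTS} -m conntrack --ctstate NEW -m comment --comment "app ports from ${APP_SOURCE}" -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPv4:INPUT_before_DROP: "
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPv4:FORWARD_before_DROP: "
COMMIT
EOF
}

# Static checks for two mistakes that iptables-restore only rejects at load
# time: -i (input interface) in the OUTPUT chain, and a misspelled match
# module after -m. The list of known modules is an assumption for this script.
lint_ruleset() {
    local text="$1" rc=0 m
    if printf '%s\n' "$text" | grep -Eq '^-A OUTPUT.* -i '; then
        echo "lint: -i (input interface) used in OUTPUT chain; use -o" >&2
        rc=1
    fi
    for m in $(printf '%s\n' "$text" | grep -oE '(^| )-m [a-z]+' | awk '{print $2}' | sort -u); do
        case "$m" in
            comment|conntrack|state|multiport|limit|tcp|udp|icmp) ;;
            *) echo "lint: unknown match module '$m'" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Parse-check with --test, then load atomically. Both need root and the
# netfilter modules, so the load is skipped where iptables-restore is absent.
apply_ruleset() {
    local rules
    rules="$(build_ruleset)"
    lint_ruleset "$rules"
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        printf '%s\n' "$rules" | iptables-restore --test
        printf '%s\n' "$rules" | iptables-restore
    else
        echo "iptables-restore not available or not root: ruleset printed, not loaded" >&2
        printf '%s\n' "$rules"
    fi
}

# Print the ruleset by default; load it only when asked explicitly.
if [ "${1:-}" = "--apply" ]; then apply_ruleset; else build_ruleset; fi
```

Run it without arguments to review the generated ruleset, then `sudo ./fw.sh --apply` to load it. Because iptables-restore replaces the whole table in one transaction, the script is its own reset: there is no separate flush step that can leave the box half-configured. The LOG rules sit immediately before the chain policy drops the packet, and are rate-limited so a scan cannot fill the log; as the reply says, remove them once the IT department's traffic has been identified and allowed.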
- References:
- [tlug] Iptables trouble
- From: David J Iannucci