[question]iptables

Support for security such as Firewalls and securing linux
shogun1234
Posts: 10
Joined: 2005/03/10 01:02:45

[question]iptables

Post by shogun1234 » 2005/04/17 13:22:11

Hi,
I've made some changes to iptables; how can I make it use my new settings when the system starts up?
I use chkconfig to make iptables run as a service, yet it seems to always use the old settings.
What should I do?
I appreciate any suggestion, sincerely.

Gawen
Posts: 27
Joined: 2005/04/09 21:06:48
Contact:

Re: [question]iptables

Post by Gawen » 2005/04/17 13:57:53

Insert your rules after testing into /etc/sysconfig/iptables. It's an iptables restore file.

After inserting a rule there restart iptables with "service iptables restart". This is also automatically loaded at boot time if the service is set active (it is by default).

devil
Posts: 42
Joined: 2005/02/08 15:41:01
Location: Bangalore

Re: [question]iptables

Post by devil » 2005/04/18 13:12:53

Use "iptables-save"; it will save to the same file, no need to manually append the rules, i.e. /etc/sysconfig/iptables. A better approach is to save the original file and then make changes to the new one, in case you want to revert back...

To make it auto-start as a service use chkconfig --iptables on (this gets enabled in runlevels 3 and 5).

Gawen
Posts: 27
Joined: 2005/04/09 21:06:48
Contact:

Re: [question]iptables

Post by Gawen » 2005/04/18 17:26:50

[quote]devil wrote: use "iptables-save" it will save to the same file, ...[/quote]
Does it, without > /etc/sysconfig/iptables? :-D

shogun1234
Posts: 10
Joined: 2005/03/10 01:02:45

Re: [question]iptables

Post by shogun1234 » 2005/04/19 01:42:27

[quote]
devil wrote:
Use "iptables-save"; it will save to the same file, no need to manually append the rules, i.e. /etc/sysconfig/iptables. A better approach is to save the original file and then make changes to the new one, in case you want to revert back...

To make it auto-start as a service use chkconfig --iptables on (this gets enabled in runlevels 3 and 5).[/quote]

Thanks for all your help, sincerely. ;)
Originally I used the command sketched above (/sbin/chkconfig --level 345 iptables on, as referred to in http://www.centos.org/docs/4/html/rhel-sag-en-4/s1-basic-firewall-activate-iptables.html).
However, it seems to only set iptables up as a service, but can't recognize my new settings, in which I add a new rule to open port 80 in order to let other people access my Apache web page; therefore, each time after I reboot my system (CentOS), port 80 is always closed due to the default settings, which do not open port 80. After a few tries, I solved it (but the machine is not at hand at the moment, so I can only write down my steps roughly, from memory; if any step is wrong, please correct me ;).

1. Look in /etc/init.d/; there should be one script named iptables.
2. Then cd to /etc/rc.d/rc?.d (? stands for the runlevel).
3. Make a symbolic link in this folder, for which I use a command like "ln -s /path/to/iptable-script /path/to/rc-.d/SXXiptables" (XX is numeric).
4. Reboot the system to test whether it works or not.

P.S.: But I'm not sure whether these steps are right or wrong (simply, it works). So please tell me what the better practice is;
I appreciate it, sincerely.

Gawen
Posts: 27
Joined: 2005/04/09 21:06:48
Contact:

Re: [question]iptables

Post by Gawen » 2005/04/19 11:35:31

There is no need for manual symlinks. Just do a "/sbin/chkconfig --level 345 iptables on" and edit your rules in /etc/sysconfig/iptables manually or use a web GUI like webmin to edit it. Using Webmin to modify it is the easiest way.

[quote]
[root@centos ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 3000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[/quote]

This one allows public access to http, https, ssh, smtp and pop3 and additionally to ntop and webmin from internal addresses. This is just a quick hack and not a production config for an exposed hosting server.

After changes do a "/sbin/service iptables restart" to apply them.

greatguangong
Posts: 18
Joined: 2005/04/03 15:38:04
Contact:

Re: [question]iptables

Post by greatguangong » 2005/05/28 06:00:33

What should a minimum set of rules look like to make online port scans on my machine's closed ports appear filtered, instead of closed?

I don't have access to my box right now, but basically I expanded from the default set of rules:

*filter
0. drop input in state invalid, all icmp packets
1. accept input in state related, established
2. accept input to tcp dport 22, 443
3. drop everything else

Why don't the rest of the ports (except 22, 443) appear filtered to the online port scanners, or to nmap? They show closed (yuk!) ;(

B000
Posts: 18
Joined: 2005/04/30 21:18:27

Re: [question]iptables

Post by B000 » 2005/05/28 21:59:41

Perhaps, if you change line 3 (the last line) to

3. reject everything else with -- ...
instead of
3. drop everything else

That may give you a result closer to what you want to see. Reject tells the initiating end that the request was not accepted by sending back a packet saying so.

See man iptables for the options for reject packets.

greatguangong
Posts: 18
Joined: 2005/04/03 15:38:04
Contact:

Re: [question]iptables

Post by greatguangong » 2005/05/29 04:23:17

Thanks for replying. Here is my n00b expanded INPUT chain:

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 3 LOG flags 7 level 7 prefix `IPTABLES TCP-FILTER-IN: '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 3 LOG flags 7 level 7 prefix `IPTABLES UDP-FILTER-IN: '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 3 LOG flags 7 level 7 prefix `IPTABLES ICMP-FILTER-IN: '
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW multiport dports 22,443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 22,443
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:4500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:10000
DROP all -- 0.0.0.0/0 0.0.0.0/0

The fourth line is specified with "-i lo", hence it shouldn't be suspect for eth0/ppp0?
UDP source ports 500/4500/10000 are required for the Cisco VPN Client.

Simple no?

please forgive my n00b-ness:

1. Filtered = stealth, no?
2. But doesn't REJECT mean the OS sends back a RST packet to the originator of the SYN packet? That's not stealth/filtered.

I did use the good ol' man page:
DROP means to drop the packet on the floor.
This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating TARGET, ending rule traversal.

How can I make my fw drop all packets (so as to appear filtered) from the Internet, except those to 22 and 443 (and of course I originated, which will qualify as ESTABLISHED,RELATED connections)?

Thanks!

greatguangong
Posts: 18
Joined: 2005/04/03 15:38:04
Contact:

Re: [question]iptables

Post by greatguangong » 2005/06/03 14:14:21

Well, this laptop is running CentOS 4, hence I've set the kernel setting "local port range" to only 65035:65535, besides the standard SSH and HTTPS ports.

Dropping everything within the INPUT chain from 1:21,23:442,444:65034 gave me the "filtered" effect via nmap.

But I suppose the best practice is to specifically allow whatever is needed and block all the rest? Is specifically dropping the TCP and UDP protocols on these ports still considered best practice?
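An added example, not written by anyone in this thread: a small Python audit of an iptables-save file in the /etc/sysconfig/iptables format quoted by Gawen, reporting which TCP ports a chain accepts from any source, which are restricted to a source network, and whether the chain ends in a catch-all DROP (closed ports show as "filtered" to a scan) or REJECT (an error packet goes back, so they show as closed/unreachable). The ruleset below is a constructed sample modelled on the one in the thread, not a real host's file.

```python
from collections import defaultdict

# Constructed sample ruleset, modelled on the /etc/sysconfig/iptables file quoted in the thread.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_filter_chains(text):
    """Map chain name -> list of rules (tokens after '-A <chain>') in the *filter table."""
    chains = defaultdict(list)
    in_filter = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = (line == "*filter")
        elif in_filter and line.startswith("-A "):
            tokens = line.split()
            chains[tokens[1]].append(tokens[2:])
    return dict(chains)

def _opt(rule, flag):
    """Value following a flag in a rule token list, or None if the flag is absent."""
    return rule[rule.index(flag) + 1] if flag in rule else None

def audit_chain(chains, chain="RH-Firewall-1-INPUT"):
    """world_tcp: TCP dports accepted from any source; lan_tcp: {port: source} for
    source-restricted dports; catch_all: target of a final unconditional rule
    (DROP -> scanners see 'filtered', REJECT -> an error packet goes back, so
    'closed'/unreachable), or None if the chain falls through to its policy."""
    world, lan = set(), {}
    for rule in chains.get(chain, []):
        if _opt(rule, "-j") == "ACCEPT" and _opt(rule, "-p") == "tcp" and "--dport" in rule:
            port, src = int(_opt(rule, "--dport")), _opt(rule, "-s")
            if src is None: world.add(port)
            else: lan[port] = src
    last = (chains.get(chain) or [[]])[-1]
    catch_all = _opt(last, "-j") if last[:1] == ["-j"] else None
    return {"world_tcp": sorted(world), "lan_tcp": lan, "catch_all": catch_all}
```

Run it against a copy of the live file (e.g. the output of iptables-save) before restarting the service, so an accidental world-open port or a missing catch-all rule is caught before it is loaded at boot.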
