All about iptables

Discuss Networking
bazoukas
programmer
programmer
Posts: 192
Joined: Tue Jan 14, 2003 1:38 pm
Location: NYC
Contact:

Post by bazoukas »

Yes Sir.
After Void's request, let's make this the central thread about iptables.
Just to give the other members an idea, I asked in the RedHat thread ( http://voidmain.is-a-geek.net/forums/viewtopic.php?t=89 ) about how to close the famous port 6000.
Baz
I am trying to close port 6000... I run netstat -lp and I don't see any port 6000 open... I did a port scan from my other machine to the above machine, yet the port is still open.
Void
I usually use "iptables" to block all that sort of stuff (firewall). Or block it from everywhere except from specific client addresses. Are you really using XDM, or are you using KDM or GDM to start an X session? If you are using GDM then I would say you need to add the parameter to /etc/X11/gdm/gdm.conf (or one of the other configuration files under that directory). If you are using KDM you might want to look through the /etc/X11/xdm/kdmrc file and see if it spawns X from another location. Regardless, iptables is the easiest way and independent of which X display manager you use. For servers that touch the Internet I do a mostly closed configuration. I deny everything on the outside interface except for the specific ports I want coming in. And then I restrict those ports to the specific IP addresses/ranges that need to connect to them. I also block a lot of outbound traffic in many cases so if a breach of one of the open services were to occur, information may not be able to be sent back to the person doing the breaching... iptables really isn't that hard. In fact you can use the graphical Red Hat firewall utility or webmin to configure it if you want. They all use iptables and the /etc/sysconfig/iptables save file. I prefer command line or webmin.

User avatar
Void Main
Site Admin
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA
Contact:

Post by Void Main »

Couple of questions. Is this the machine you are using as your gateway? If so could you post the contents of your existing /etc/sysconfig/iptables file? I will take it and add some more rules to it to get you a basic firewall setup. Also, which ports do you need to have open?

Post by bazoukas »

Code:

# Generated by iptables-save v1.2.6a on Mon Feb  3 17:56:12 2003
*nat
:PREROUTING ACCEPT [3:144]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade (NAT) everything leaving the Internet-facing interface eth0; one rule is enough
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Feb  3 17:56:12 2003
# Generated by iptables-save v1.2.6a on Mon Feb  3 17:56:12 2003
*filter
# Default policies are ACCEPT and no filtering rules are loaded, so nothing is blocked yet
:INPUT ACCEPT [6:228]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:120]
# Empty chain left behind by the Red Hat Lokkit tool
:RH-Lokkit-0-50-INPUT - [0:0]
COMMIT
# Completed on Mon Feb  3 17:56:12 2003

Everything will be done on the gateway computer.
eth0 is the NIC that uses the dynamic IP.

I just downloaded Webmin and will install it.

The ports I need to have open really are for:
Apache (80)
samba
sendmail (port 110 right?)

Now, as I understand it, I don't need X open if I can connect remotely using SSH.

One other question: if the gateway has all ports closed besides those it needs to function, will I be able to use programs such as P2P (Gnutella) and GAIM on my client machine?

Post by Void Main »

Why do you want Samba open on the Internet side? This is generally bad...

Post by bazoukas »

Oops, didn't know. I guess that Samba is more for local networks.

Skip Samba then. I am mainly interested in Apache and sendmail :)

Post by Void Main »

Ok, make a backup copy of your /etc/sysconfig/iptables file and then copy this one over it:

http://voidmain.is-a-geek.net/files/ipt ... s.bazoukas

Then do a

# service iptables restart

This should block everything but port 80 (http) and 22 (ssh) and certain ICMP messages (blocking all ICMP is not recommended although many people do it). I would also recommend that you restrict port 22 to specific IP addresses/ranges that you will be connecting from (on the outside world). It is set so that anything on your internal network can connect to that server.

Are you sure you need SMTP (25) open? You are going to receive mail on this server? If so copy the port 80 line and change the 80 to 25. Now this will block most everything on your internet side from coming in. It doesn't block anything from going out but you will be much better off than you were before.

I'll run some nmap checks to make sure things are closed up.
Last edited by Void Main on Mon Feb 03, 2003 10:44 pm, edited 1 time in total.
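Void Main's file is only linked above, not shown, so this is an added example (not his script) that prints the iptables command lines for the policy he describes: drop everything arriving on the Internet side except HTTP from anywhere, SSH only from listed addresses, a few ICMP types, and anything from the internal network. Assumed names: eth0 is the Internet-facing interface, eth1 the LAN, and 192.0.2.10 is a constructed stand-in for your own admin address.

```shell
#!/bin/sh
# Added example: emits iptables commands for a mostly-closed inbound policy.
# Assumptions (not from the thread): eth0 = Internet side, eth1 = internal LAN,
# SSH_FROM = space-separated addresses/ranges allowed to reach port 22
# (192.0.2.10/32 is a constructed placeholder; replace it with your own).
# Review the output, then as root:  sh this_script.sh | sh
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
SSH_FROM="${SSH_FROM:-192.0.2.10/32}"

gen_rules() {
    # Start from an empty INPUT chain; OUTPUT stays open (only inbound is filtered)
    echo "iptables -F INPUT"
    echo "iptables -P OUTPUT ACCEPT"
    # Loopback and the internal network are trusted
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -j ACCEPT"
    # Replies to connections the server itself opened
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Public web service: open to everyone
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT"
    # SSH: one rule per allowed source; nothing else reaches port 22
    for src in $SSH_FROM; do
        echo "iptables -A INPUT -i $WAN_IF -p tcp -s $src --dport 22 -j ACCEPT"
    done
    # Keep the ICMP messages needed for diagnostics and path MTU discovery
    for t in echo-request destination-unreachable time-exceeded; do
        echo "iptables -A INPUT -i $WAN_IF -p icmp --icmp-type $t -j ACCEPT"
    done
    # Log whatever is about to be dropped so probing shows up in the system log
    echo "iptables -A INPUT -i $WAN_IF -j LOG --log-prefix 'FW-DROP: '"
    # Default-deny goes last so an active SSH session is not cut mid-load
    echo "iptables -P INPUT DROP"
}

# Count how many generated rules open a given TCP port (sanity check before loading)
count_port_rules() {
    gen_rules | grep -c -e "--dport $1 " || true
}

gen_rules
```

After the rules are loaded and checked with iptables -L, `service iptables save` writes them to /etc/sysconfig/iptables so they survive a restart; to allow SMTP as Void Main suggests, add a port 25 line next to the port 80 one.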

Post by bazoukas »

Since I want to create a forum hosted on my machine, won't I need sendmail, and doesn't sendmail need SMTP to be on?

Post by Void Main »

No, you only need sendmail to send messages out, not receive them. The firewall script I gave you does not block any outbound traffic, only inbound.

And I would say you are in dire need of closing some stuff:

Code:

Port       State       Service
22/tcp     open        ssh
111/tcp    open        sunrpc
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
1024/tcp   open        kdm
1080/tcp   filtered    socks
1400/tcp   filtered    cadkey-tablet
1433/tcp   filtered    ms-sql-s
1434/tcp   filtered    ms-sql-m
6000/tcp   open        X11
10000/tcp  open        snet-sensor-mgmt
:)

Post by bazoukas »

LOL... aaaaaaallrighty then... from what I see, my computer right now with all those ports open is a bona fide slut to the internet.

It cries "Rape Me" from the Nirvana song, lol

Post by bazoukas »

Yep, it worked like a charm, no problem whatsoever.
Thanks Void :)


Now I am looking at the script you gave me to see how exactly it works, and I am also looking at web sites about iptables.
In that script I can also add things to block outbound traffic, right?

Post by Void Main »

Yes. Any one of those lines in that file (-A INPUT blah blah) you can run on the command line as root by putting the "iptables" command in front of it. I add rules by just typing them on the command line and then when I have it working the way I want I do an "# service iptables save" which will update the /etc/sysconfig/iptables file that you have been working with. You can look at the existing rules by typing "iptables -L". If you add a rule with the "-A" and want to remove that rule, use the exact same command line that you used to add the rule except replace the "-A" with a "-D". "man iptables" is a good reference. There are many sites out there with information and HOWTOs for iptables.

I have a couple of scripts that I run to block/unblock specific IP addresses from touching my system at all and run it automatically from my code red detector script. Here are the block/unblock scripts that you can run on the command line:

http://voidmain.is-a-geek.net/files/iptables/

Also, I need to say this and can't stress it enough. I failed to even mention a firewall in the IP Masq thread. Here's a secret that should not be a secret. Any port that you have open on your Internet connected interface, you need to make sure you keep that service updated and restricted to only those addresses that absolutely need access to it. In the case of port 80 most everyone needs access so you need to make sure you keep anything behind that port updated and security holes closed (Apache, PHP, phpBB, etc, etc). For port 22 I would seriously figure out all the places you need to ssh to your server from and only allow port 22 traffic from those addresses. And of course keep sshd updated to the absolute latest at all times. sshd has had many vulnerabilities over the last few years and a new one could pop up at any time. You don't want to be caught with your pants down.

Also, I prefer a DMZ setup which is even more secure. Keep the firewall machine only for doing firewall and IP Masq/NAT tasks. Put in a 3rd network interface with another machine attached to it to run your web server and other Internet related stuff. And then you can keep your internal network internal and allow absolutely no inbound traffic. Obviously this takes another machine and another network card but it is more secure. If someone does break into your web server they still will not have access to the rest of your internal network.
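The block/unblock scripts Void Main mentions are only linked, not shown; the following is an added example (not his code) of that idea, built on the point made above that a rule added with one command line is removed by the identical command line with the action flag swapped. Assumed: the address is IPv4 with an optional /prefix, and the DROP rule is inserted at the top of INPUT so it takes precedence over later ACCEPT rules.

```shell
#!/bin/sh
# Added example: print (and optionally apply) a per-address block or unblock rule.
# Not the scripts from the thread; assumes IPv4 input and a Red Hat style
# "service iptables save" for persistence.  Usage as root:
#   sh block.sh block 192.0.2.99      sh block.sh unblock 192.0.2.99

# Rough syntax check: dotted quad with optional /prefix (no octet range check)
valid_addr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the iptables command for "block" (-I, insert at top) or "unblock" (-D).
# The match specification is identical in both cases, which is what lets -D
# find and remove exactly the rule that -I added.
addr_rule() {
    action="$1"; addr="$2"
    valid_addr "$addr" || { echo "bad address: $addr" >&2; return 1; }
    spec="INPUT -s $addr -j DROP"
    case "$action" in
        block)   echo "iptables -I $spec" ;;
        unblock) echo "iptables -D $spec" ;;
        *)       echo "usage: $0 block|unblock ADDRESS" >&2; return 1 ;;
    esac
}

# When run as a script with two arguments, apply the rule and persist it.
# eval is safe here because the address was validated against the pattern above.
if [ $# -eq 2 ]; then
    cmd="$(addr_rule "$1" "$2")" || exit 1
    eval "$cmd" && service iptables save
fi
```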

Post by bazoukas »

Yep, it starts to make sense now, Void. These are fun. You can do anything you want with it.

Here are some links I found for anyone who is interested

http://www.netfilter.org/documentation/ ... orial.html

http://www.linuxguruz.org/iptables/

http://www.groovyweb.uklinux.net/?page_ ... sics%20NHF

http://netfilter.kfki.hu/documentation/.


Man, I need to take a break for a bit, my head kinda spins right now

:shock: :shock:

Post by bazoukas »

So in other words, the rule of "less is more" should be in play here.

You just let others see what you want to see, lock everything else, and don't take a chance by saying "oh ok... I don't think they will figure out what ports I have open".



I was actually thinking of a third machine. It's not that I am gonna have PRECIOUS things on my web server. But just for the learning experience of it.

I will surely need a switch to switch between monitors.

Post by Void Main »

You don't need a switch. I do everything from my laptop in my living room (just like I am typing this message). Having said that I do have a switch with all my servers plugged into downstairs. :) I rarely work on the consoles though.

Yes, you only want to give the enemy the minimal amount of information. :) It's a single command to see what ports you have open and there are simple tools to check for vulnerabilities (nessus and other security apps, not to mention all the script kiddie programs).

Yes, iptables is an extremely powerful tool. It is also good for port redirection (transparent proxy), security logging, firewalling, forwarding, masquerading, OS fingerprint masquerading, traffic counters, etc, etc....

Post by bazoukas »

Ohh yeah, I remember you saying that you use your laptop as a terminal. Sweet idea. :D