* Firewall did not block SSH - what is wrong
@ 2005-02-21 19:36 Hilmar Berger
  2005-02-22 13:25 ` lst_hoe01
  0 siblings, 1 reply; 5+ messages in thread
From: Hilmar Berger @ 2005-02-21 19:36 UTC (permalink / raw)
  To: netfilter

[-- Attachment #1: Type: text/plain, Size: 1002 bytes --]


Hi,

I am running iptables 1.2.11/Linux 2.4.27-pre2. The firewall is started when the ADSL connection comes up. 
The rule set I use is from some example iptables ruleset for setting up IP masquerading. I needed this some time ago in order to connect my laptop to my desktop and reach the internet through its DSL modem. 
I never had any trouble with my firewall before. It worked as expected - at least that's what it seemed to me. 

Today someone tried to break into my machine (the desktop, the one the firewall is running on) by connecting to sshd - which should have been blocked. I tried to test whether this was because my firewall rules are bad or because there is some other bug. Unfortunately, I don't have another machine around right now, and iptables does not have the -C option that exists in ipchains to check whether the rules work as desired. 

Any ideas on how I can check the ruleset without another Linux box?

I attached the script I use to setup the firewall in case anybody is interested.

Thanks, 
Hilmar


[-- Attachment #2: MASQ-firewall --]
[-- Type: application/octet-stream, Size: 4724 bytes --]

#!/bin/bash
FWVER=0.78s


echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"

IPTABLES=/sbin/iptables

LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
GREP=$(which grep)
AWK=$(which awk)
SED=$(which sed)
IFCONFIG=/sbin/ifconfig

EXTIF="ppp0"
INTIF="eth1"
echo "  External Interface:  $EXTIF"
echo "  Internal Interface:  $INTIF"
echo "  ---"

# Take the address from the line after ifconfig's "ppp0" header line
# ("inet addr:1.2.3.4  P-t-P:..."): split on ":" and then on whitespace.
EXTIP="`$IFCONFIG $EXTIF | $AWK \
 /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"


echo "  External IP: $EXTIP"
echo "  ---"


INTNET="192.168.1.0/24"
INTIP="192.168.1.2/24"
echo "  Internal Network: $INTNET"
echo "  Internal IP:      $INTIP"
echo "  ---"


UNIVERSE="0.0.0.0/0"

echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

echo -en "    Loading kernel modules: "

# Load each module only if lsmod does not already list it. The anchored
# pattern keeps e.g. ip_conntrack_ftp from being mistaken for ip_conntrack.
for MOD in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
           iptable_nat ip_nat_ftp; do
   echo -en "$MOD, "
   if ! $LSMOD | $GREP -q "^$MOD[[:space:]]"; then
      $INSMOD $MOD
   fi
done
echo

echo "  ---"

echo "  Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


echo "  Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "  ---"

echo "  Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT 
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT 
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD 
$IPTABLES -F -t nat

if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
   $IPTABLES -F drop-and-log-it
fi
$IPTABLES -X
$IPTABLES -Z

echo "  Creating a DROP chain.."
# Log, then REJECT (an ICMP error goes back to the sender; despite the
# chain name nothing is silently dropped here - use -j DROP for that)
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info 
$IPTABLES -A drop-and-log-it -j REJECT

echo -e "\n   - Loading INPUT rulesets"

$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


# local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT


# remote interface, claiming to be local machines, IP spoofing, get lost
#
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it


# remote interface, any source, going to permanent PPP address is valid
# NOTE: this accepts every new connection to the external address, so any
# daemon listening on it (sshd included) is reachable from the outside; it
# also shadows the ESTABLISHED,RELATED rule that follows.
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT


# Allow any related traffic coming back to the MASQ server in
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT


# Catch all rule, all other incoming is denied and logged. 
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo -e "   - Loading OUTPUT rulesets"

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are 
#         already flushed and set to a default policy of DROP. 
#

# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


# local interfaces, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT


# local interface, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT


# outgoing to local net on remote interface, stuffed routing, deny
#
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it


# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT


# Catch all rule, all other outgoing is denied and logged. 
#
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo -e "   - Loading FORWARD rulesets"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#


echo "     - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged. 
#
$IPTABLES -A FORWARD -j drop-and-log-it


echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
#
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP


#######################################################################


echo -e "\nDone.\n"


* Re: Firewall did not block SSH - what is wrong
  2005-02-21 19:36 Firewall did not block SSH - what is wrong Hilmar Berger
@ 2005-02-22 13:25 ` lst_hoe01
  2005-02-22 13:39   ` Samuel Díaz García
  0 siblings, 1 reply; 5+ messages in thread
From: lst_hoe01 @ 2005-02-22 13:25 UTC (permalink / raw)
  To: netfilter

Quoting Hilmar Berger <Hilmar.Berger@gmx.de>:

>
> Hi,
>
> I am running iptables 1.2.11/Linux 2.4.27-pre2. The firewall is started when the
> ADSL connection comes up.
> The rule set I use is from some example iptables ruleset for setting up
> IP masquerading. I needed this some time ago in order to connect my laptop to
> my desktop and reach the internet through its DSL modem.
> I never had any trouble with my firewall before. It worked as expected - at
> least that's what it seemed to me.
>
> Today someone tried to break into my machine (the desktop, the one the firewall
> is running on) by connecting to sshd - which should have been blocked. I tried
> to test whether this was because my firewall rules are bad or because there is
> some other bug. Unfortunately, I don't have another machine around right now,
> and iptables does not have the -C option that exists in ipchains to check
> whether the rules work as desired.

With this rule

# remote interface, any source, going to permanent PPP address is valid
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

and sshd bound to any interface, you should not wonder why everyone can connect
to your firewall's sshd and any other service running on the firewall ...

Regards

Andreas





* Re: Firewall did not block SSH - what is wrong
  2005-02-22 13:25 ` lst_hoe01
@ 2005-02-22 13:39   ` Samuel Díaz García
  0 siblings, 0 replies; 5+ messages in thread
From: Samuel Díaz García @ 2005-02-22 13:39 UTC (permalink / raw)
  To: lst_hoe01; +Cc: netfilter

try something like:

#Substitute values for yours.
#your iptables binary
IPT=iptables
#your external iface
EFACE=ppp0

$IPT -A INPUT -i $EFACE -p tcp --dport ssh --syn -j DROP


Tell us if that is what you need and whether it works for you.

lst_hoe01@kwsoft.de writes:

> Quoting Hilmar Berger <Hilmar.Berger@gmx.de>:
>
>>
>> Hi,
>>
>> I am running iptables 1.2.11/Linux 2.4.27-pre2. The firewall is started when the
>> ADSL connection comes up.
>> The rule set I use is from some example iptables ruleset for setting up
>> IP masquerading. I needed this some time ago in order to connect my laptop to
>> my desktop and reach the internet through its DSL modem.
>> I never had any trouble with my firewall before. It worked as expected - at
>> least that's what it seemed to me.
>>
>> Today someone tried to break into my machine (the desktop, the one the firewall
>> is running on) by connecting to sshd - which should have been blocked. I tried
>> to test whether this was because my firewall rules are bad or because there is
>> some other bug. Unfortunately, I don't have another machine around right now,
>> and iptables does not have the -C option that exists in ipchains to check
>> whether the rules work as desired.
>
> With this rule
>
> # remote interface, any source, going to permanent PPP address is valid
> #
> $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
>
> and sshd bound to any interface, you should not wonder why everyone can connect
> to your firewall's sshd and any other service running on the firewall ...
>
> Regards
>
> Andreas
>
>
>



Samuel Díaz García
Managing Director
ArcosCom Wireless, S.L.L.

mailto:samueldg@arcoscom.com
http://www.arcoscom.com
mobile: 651 93 72 48
tel.:   956 70 13 15
fax:    956 70 34 83





* Firewall did not block SSH - what is wrong
@ 2005-02-22 19:16 ju0815nk
  2005-02-23  7:42 ` lst_hoe01
  0 siblings, 1 reply; 5+ messages in thread
From: ju0815nk @ 2005-02-22 19:16 UTC (permalink / raw)
  To: netfilter

Hi,

thanks for your help. Actually, I wanted to block all incoming traffic that
is not related to connections originating from my machine. Should a default
policy of dropping all packets plus allowing only related packets be
sufficient?

e.g.

$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT

Is there any way to test iptables-based firewalls without access to a second
machine?
I installed the rule you suggested and commented out the one allowing
connections to the firewall - but how can I test that it works for me
(except by checking whether my email/mozilla works)?

Thanks, Hilmar


> try something like: 
> 
> #Substitute values for yours.
> #your iptables binary
> IPT=iptables
> #your external iface
> EFACE=ppp0 
> 
> $IPT -A INPUT -i $EFACE -p tcp --dport ssh --syn -j DROP 
> Tell us if that is what you need and whether it works for you. 





* Re: Firewall did not block SSH - what is wrong
  2005-02-22 19:16 ju0815nk
@ 2005-02-23  7:42 ` lst_hoe01
  0 siblings, 0 replies; 5+ messages in thread
From: lst_hoe01 @ 2005-02-23  7:42 UTC (permalink / raw)
  To: netfilter

Quoting ju0815nk@gmx.net:

> Hi,
>
> thanks for your help. Actually, I wanted to block all incoming traffic that
> is not related to connections originating from my machine. Should a default
> policy of dropping all packets plus allowing only related packets be
> sufficient?
>
> e.g.
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
>  ESTABLISHED,RELATED -j ACCEPT

I would lose the "-d $EXTIP" because you want ESTABLISHED and RELATED also on
your internal IFs. Traffic coming in on your external IF for your internal net or
your internal IF should be checked in the FORWARD chain.

> Is there any way to test iptables-based firewalls without access to a second
> machine?
> I installed the rule you suggested and commented out the one allowing
> connections to the firewall - but how can I test that it works for me
> (except by checking whether my email/mozilla works)?

There are many online scanners available at the net. For example
http://scan.sygatetech.com/. Choose one and see what's happening.

Regards

Andreas



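The rule-order problem the replies describe, as an added example that is not part of the thread: a small Python model of netfilter's first-match-wins evaluation, fed the posted INPUT chain, the same chain with Samuel's SSH rule appended (-A) and inserted first (-I INPUT 1), and the chain corrected as Andreas suggests (no unconditional ACCEPT, state rule without -i/-d). It is not iptables and needs neither root nor a second machine; the external address, the sample packets and the `Rule`/`Packet` helpers are assumptions constructed for the demonstration, not anything from the posted script.

```python
# Added example, not code from the thread: a model of netfilter's
# first-match-wins walk through the INPUT chain, so the rule order of the
# ruleset posted above can be checked offline. Interface names follow the
# script; EXTIP, the packets and the helpers below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EXTIF, INTIF = "ppp0", "eth1"
EXTIP = "203.0.113.7"       # assumed PPP address (TEST-NET-3, constructed)
INTNET = "192.168.1."       # the script's 192.168.1.0/24, matched by prefix


@dataclass
class Packet:
    iface: str              # interface the packet arrived on (-i)
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"      # conntrack view: NEW, ESTABLISHED or RELATED
    syn: bool = False       # SYN without ACK, which is what --syn matches


@dataclass
class Rule:
    target: str
    iface: Optional[str] = None
    src_net: Optional[str] = None    # prefix match, e.g. "192.168.1."
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Tuple[str, ...] = ()     # () means no -m state match
    syn: bool = False

    def matches(self, p: Packet) -> bool:
        """Every criterion given on the rule must hold; the rest match anything."""
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src_net is not None and not p.src.startswith(self.src_net):
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states and p.state not in self.states:
            return False
        if self.syn and not (p.proto == "tcp" and p.syn):
            return False
        return True


def evaluate(chain: List[Rule], policy: str, p: Packet) -> str:
    """Verdict for p: the target of the first matching rule, else the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# The posted INPUT chain in the script's order. drop-and-log-it ends in
# REJECT, so it is written here as a REJECT target.
POSTED_INPUT = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", iface=INTIF, src_net=INTNET),
    Rule("REJECT", iface=EXTIF, src_net=INTNET),    # anti-spoofing
    Rule("ACCEPT", iface=EXTIF, dst=EXTIP),         # accepts every new connection
    Rule("ACCEPT", iface=EXTIF, dst=EXTIP, states=("ESTABLISHED", "RELATED")),
    Rule("REJECT"),                                 # catch-all
]

SSH_DROP = Rule("DROP", iface=EXTIF, proto="tcp", dport=22, syn=True)
APPENDED = POSTED_INPUT + [SSH_DROP]    # iptables -A: sits behind the ACCEPT
INSERTED = [SSH_DROP] + POSTED_INPUT    # iptables -I INPUT 1: evaluated first

# Corrected per the replies: no unconditional ACCEPT, and the state rule
# without -i/-d so return traffic is accepted on every interface.
# Anything unmatched falls through to the DROP policy.
CORRECTED_INPUT = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
    Rule("ACCEPT", iface=INTIF, src_net=INTNET),
    Rule("REJECT", iface=EXTIF, src_net=INTNET),
]

# Constructed sample packets (TEST-NET-2 sources).
SSH_PROBE = Packet(EXTIF, "198.51.100.23", EXTIP, "tcp", 22, "NEW", syn=True)
RETURN_TRAFFIC = Packet(EXTIF, "198.51.100.80", EXTIP, "tcp", 40123, "ESTABLISHED")
LAN_SSH = Packet(INTIF, "192.168.1.5", "192.168.1.2", "tcp", 22, "NEW", syn=True)
SPOOFED = Packet(EXTIF, "192.168.1.9", EXTIP, "udp", 53)


def verdict_table() -> Dict[Tuple[str, str], str]:
    """Verdict of each chain variant for each sample packet, policy DROP."""
    chains = {"posted": POSTED_INPUT, "appended": APPENDED,
              "inserted": INSERTED, "corrected": CORRECTED_INPUT}
    packets = {"ssh_probe": SSH_PROBE, "return": RETURN_TRAFFIC,
               "lan_ssh": LAN_SSH, "spoofed": SPOOFED}
    return {(c, n): evaluate(chain, "DROP", pkt)
            for c, chain in chains.items() for n, pkt in packets.items()}


if __name__ == "__main__":
    for (chain, name), verdict in sorted(verdict_table().items()):
        print(f"{chain:9s} {name:10s} -> {verdict}")
```

Running it shows the posted chain accepting the inbound SSH SYN because the unconditional ACCEPT on ppp0 comes before the state rule, and the same verdict when the SSH DROP is appended with -A, since the packet never reaches it; only inserting it first (-I INPUT 1) or removing the ACCEPT changes the outcome, while return traffic, LAN traffic and the anti-spoofing REJECT behave the same in both chains. One caveat for testing on the firewall itself: connecting to your own external address from that host does not exercise the -i ppp0 rules, because packets to a local address are delivered over lo, which is why an offline model like this or an external scan is needed. On the live box, the per-rule packet counters of `iptables -L INPUT -v -n` show which rule a probe actually hit.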
