* Newbie: need help with table rules
@ 2003-02-14  6:49 Jean-Christian Imbeault
  2003-02-15  7:44 ` Joel Newkirk
  2003-02-15  8:19 ` Joel Newkirk
  0 siblings, 2 replies; 7+ messages in thread
From: Jean-Christian Imbeault @ 2003-02-14  6:49 UTC (permalink / raw)
  To: netfilter

I've written my first set of iptables rules but they're still buggy =) I 
keep locking myself out. So I'm trying to enable logging to see why I 
can't SSH to my box, but I can't seem to get logging to work.

I have set the default policy to DROP and added only ACCEPT rules, so 
nothing gets DROPPED or REJECTED before making it to the last (logging) 
rule. The last rule should LOG anything that didn't match ... but I 
can't find any iptables entries in /var/log/messages ...

Two questions:

#1 why isn't logging working
#2 What is wrong with my rules :)


My network setup is like this:


LAN ---- FIREWALL ---- WAN
  |          |
  |          |
JC        LINUX

I don't control the Firewall. But its settings are fine I think since I 
can connect from JC <-> LINUX just fine. But if I try my iptables rules I 
lock myself out.

The services I'd like to allow access to are:

HTTP, HTTPS, SMTP, DNS from anywhere and
SSH from JC --> LINUX

My rules are:

IPT="/usr/local/sbin/iptables"
LINUX="x.x.x.x"
JC="x.x.x.x"

for i in filter
do
   $IPT -t $i -F
   $IPT -t $i -X
done

$IPT --policy INPUT   DROP
$IPT --policy OUTPUT  DROP
$IPT --policy FORWARD DROP

# Loopback accepts everything
$IPT -A INPUT  -i lo   -j ACCEPT
$IPT -A OUTPUT -o lo   -j ACCEPT

# Allow all other icmp
$IPT -A INPUT  -p icmp -j ACCEPT

# Allow previously established connections
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED        -j ACCEPT

# HTTP, HTTPS
$IPT -A INPUT  -p TCP -s 0/0 -i eth0 -d $LINUX --dport 80  -j ACCEPT
$IPT -A INPUT  -p TCP -s 0/0 -i eth0 -d $LINUX --dport 443 -j ACCEPT

# SSH FROM JC --> LINUX
$IPT -A INPUT  -p TCP -s $JC -i eth0 -d $LINUX --dport 22  -j ACCEPT

# SMTP
$IPT -A INPUT  -p tcp --dport 25 --syn -m limit --limit 1/s \
   --limit-burst 10 -j ACCEPT
$IPT -A INPUT  -p tcp --dport 25 -j ACCEPT

# DNS
$IPT -A INPUT  -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT  -p udp --dport 53 -j ACCEPT

# LOG anything that didn't get accepted ...
$IPT -A INPUT  -p tcp --syn -m limit --limit 5/minute -j LOG --log-level debug \
   --log-prefix "Firewalled packet:"

My /etc/syslog.conf has this entry to send all debug messages to 
/var/log/firewall:

kern.debug /var/log/firewall

Yet even when I telnet to my machine I don't see any iptables related 
messages ...

What did I miss to get logging enabled? (and if anyone can spot why I 
can't SSH to my box from my PC (JC) please let me know ;)

Thanks,

Jc




* RE: Newbie: need help with table rules
@ 2003-02-14  7:02 Eugene Joubert
  2003-02-14  7:16 ` Jean-Christian Imbeault
  0 siblings, 1 reply; 7+ messages in thread
From: Eugene Joubert @ 2003-02-14  7:02 UTC (permalink / raw)
  To: 'Jean-Christian Imbeault', netfilter


Jean-Christian,

First of all, your SSH connection doesn't work because you have got your
OUTPUT policy as DROP. Now surely if you want the linux box to return your
request you need to allow it to do so :-)
So my advice is that you should change your default OUTPUT policy to ACCEPT
and keep your INPUT as DROP. If something can't get in, it can't get out.
Hope this makes sense.

As for your logging, I am afraid that I have not played around with my
firewall all that much in the last six months as I have someone else doing
it for me.

Hope this helps



* Re: Newbie: need help with table rules
  2003-02-14  7:02 Newbie: need help with table rules Eugene Joubert
@ 2003-02-14  7:16 ` Jean-Christian Imbeault
  0 siblings, 0 replies; 7+ messages in thread
From: Jean-Christian Imbeault @ 2003-02-14  7:16 UTC (permalink / raw)
  To: Eugene Joubert; +Cc: netfilter

Eugene Joubert wrote:
> 
> First of all, your SSH connection doesn't work because you have got 
> your OUTPUT policy as DROP. Now surely if you want the linux box to 
> return your request you need to allow it to do so :-)

Doh! So true. Ok, now I have fixed that but I still cannot get to SSH. 
The new rules are:

$IPT --policy INPUT   DROP
$IPT --policy OUTPUT  ACCEPT
$IPT --policy FORWARD DROP

# Loopback accepts everything

$IPT -A INPUT  -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Accept ICMP
$IPT -A INPUT -p icmp -j ACCEPT

# Allow previously established connections

$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# HTTP, HTTPS, SSH

$IPT -A INPUT -p TCP -s 0/0 -i eth0 -d $IP --dport 80  -j ACCEPT
$IPT -A INPUT -p TCP -s 0/0 -i eth0 -d $IP --dport 443 -j ACCEPT
$IPT -A INPUT -p TCP -s 0/0 -i eth0 -d $IP --dport 22  -j ACCEPT

# DNS
$IPT -A INPUT -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -p udp --dport 53 -j ACCEPT




* Re: Newbie: need help with table rules
@ 2003-02-14 11:25 hclfm
  0 siblings, 0 replies; 7+ messages in thread
From: hclfm @ 2003-02-14 11:25 UTC (permalink / raw)
  To: Jean-Christian Imbeault; +Cc: Eugene Joubert, netfilter, netfilter-admin


Hi,

Modify the stateful rule like this.

$IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Hope your problem is solved.

regards,

U.SivaKumar




* Newbie: need help with table rules
@ 2003-02-14 13:33 Peter Hurley
  0 siblings, 0 replies; 7+ messages in thread
From: Peter Hurley @ 2003-02-14 13:33 UTC (permalink / raw)
  To: netfilter

Jean-Christian Imbeault wrote:

> Doh! So true. Ok, now I have fixed that but I still cannot get to SSH.

Based on your earlier post, I'm assuming that "JC" is the machine that
you're installing this on, and you want to be able to originate
connections (HTTP, SSH, etc) from that machine, but not allow
connections originating from other machines.  If that's the case, then
your script should be like:

$IPT --policy INPUT   DROP
$IPT --policy OUTPUT  ACCEPT
$IPT --policy FORWARD DROP

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

The situation for your SSH connection is this:

JC      |                  | LINUX
        |                  |
 (1068) |<---------------->| SSH (22)

Your SSH connection is *to* port 22 on "LINUX" and *from* port whatever
on "JC" (because the SSH client on "JC" will just get an available
socket).
This means that on the OUTPUT chain the packet will look like:
	out=eth0  src= "JC":1068  dest= "LINUX":22
The reply packet from LINUX will come in on the INPUT chain and look
like:
      in=eth0  src="LINUX":22  dest="JC":1068
That's why your INPUT chain rules (HTTP/HTTPS/SSH/whatever) wouldn't
match.

The state match rules on the INPUT chain will match packets that "JC"
has *seen* before: basically meaning packets that have left the OUTPUT
chain (there are some exceptions).

Unless you're hosting an HTTP server, HTTPS server, SSH server or DNS
server, your other INPUT chain rules aren't doing anything.

Also, I took the liberty of removing your other OUTPUT rules since
your policy is ACCEPT.

Sincerely,

Peter Hurley
phurley@imaginexd.com

PS - Sorry, that this isn't a thread reply.  I don't have delivery setup
yet.
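
The packet flow Peter describes, replayed through a small model of the INPUT chain and connection tracking. This is an added example, not code from the thread: "JC" and "LINUX" stand in for the x.x.x.x addresses the poster did not give, the client port 1068 is the one from Peter's diagram, and the rule lists are the poster's second INPUT chain (TCP rules only, same order) next to Peter's state-based one.

```python
"""Toy model of the INPUT chain plus connection tracking (added example).

Replays JC:1068 -> LINUX:22 and its SYN-ACK reply through two INPUT rule
sets, with the rules loaded on JC and an OUTPUT policy of ACCEPT.
"JC"/"LINUX" are placeholders for the addresses the poster left as x.x.x.x.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Tuple

JC, LINUX = "JC", "LINUX"

@dataclass(frozen=True)
class Packet:
    iface: str            # -i on INPUT, -o on OUTPUT
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False     # "--syn" means SYN set and ACK clear

@dataclass
class Rule:
    target: str                                   # ACCEPT, DROP or LOG
    iface: Optional[str] = None                   # -i / -o
    src: Optional[str] = None                     # -s; None or "0/0" = any
    dport: Optional[int] = None                   # --dport
    syn: bool = False                             # --syn
    states: FrozenSet[str] = field(default_factory=frozenset)  # --state

def conn_key(p: Packet) -> FrozenSet[Tuple[str, int]]:
    # Direction-independent endpoint pair, like a conntrack tuple.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

class Conntrack:
    def __init__(self) -> None:
        self.entries = {}

    def state(self, p: Packet) -> str:
        # A packet on a known connection, in either direction, is ESTABLISHED.
        return "ESTABLISHED" if conn_key(p) in self.entries else "NEW"

    def confirm(self, p: Packet) -> None:
        self.entries.setdefault(conn_key(p), (p.src, p.sport))

def matches(r: Rule, p: Packet, state: str) -> bool:
    if r.iface is not None and r.iface != p.iface:
        return False
    if r.src not in (None, "0/0") and r.src != p.src:
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    if r.syn and not (p.syn and not p.ack):
        return False
    if r.states and state not in r.states:
        return False
    return True

def run_chain(rules, policy: str, p: Packet, ct: Conntrack):
    """First terminating match wins, else the chain policy applies.
    Returns (verdict, state conntrack reported, whether a LOG rule fired)."""
    state = ct.state(p)
    verdict, logged = policy, False
    for r in rules:
        if not matches(r, p, state):
            continue
        if r.target == "LOG":      # LOG is non-terminating
            logged = True
            continue
        verdict = r.target
        break
    if verdict == "ACCEPT":
        ct.confirm(p)              # the entry is kept once the packet is accepted
    return verdict, state, logged

EST = frozenset({"ESTABLISHED", "RELATED"})

# TCP-relevant INPUT rules from the poster's second script, same order.
POSTER_INPUT = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", src="0/0", iface="eth0", dport=80),
    Rule("ACCEPT", src="0/0", iface="eth0", dport=443),
    Rule("ACCEPT", src="0/0", iface="eth0", dport=22),
    Rule("ACCEPT", dport=53),
    Rule("LOG", syn=True),   # the "Firewalled packet:" rule, --syn only
]

# Peter Hurley's INPUT chain: one state rule covers every reply packet.
STATE_INPUT = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", states=EST),
    Rule("LOG", syn=True),
]

def ssh_client_exchange(input_rules) -> dict:
    """JC opens SSH to LINUX; the rules run on JC with OUTPUT policy ACCEPT."""
    ct = Conntrack()
    syn = Packet("eth0", JC, 1068, LINUX, 22, syn=True)
    out_v, _, _ = run_chain([], "ACCEPT", syn, ct)
    syn_ack = Packet("eth0", LINUX, 22, JC, 1068, syn=True, ack=True)
    in_v, in_state, logged = run_chain(input_rules, "DROP", syn_ack, ct)
    return {"out": out_v, "in": in_v, "state": in_state, "logged": logged}

def unsolicited_syn(input_rules) -> dict:
    """A fresh SYN to the same high port with no outbound traffic first."""
    ct = Conntrack()
    syn = Packet("eth0", LINUX, 22, JC, 1068, syn=True)
    v, state, logged = run_chain(input_rules, "DROP", syn, ct)
    return {"in": v, "state": state, "logged": logged}

if __name__ == "__main__":
    print("poster's rules:", ssh_client_exchange(POSTER_INPUT))
    print("state rule:    ", ssh_client_exchange(STATE_INPUT))
    print("unsolicited:   ", unsolicited_syn(STATE_INPUT))
```

Running it shows the two things Peter's post argues: the SYN-ACK back to JC:1068 reaches INPUT as ESTABLISHED but matches none of the poster's port rules, so the policy drops it, and nothing is logged because the LOG rule is restricted to --syn and a SYN-ACK has ACK set. With the state rule in place the reply is accepted, while an unsolicited SYN to the same high port is still NEW, still dropped, and now does hit the LOG rule, so the state rule does not open any port.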




* Re: Newbie: need help with table rules
  2003-02-14  6:49 Jean-Christian Imbeault
@ 2003-02-15  7:44 ` Joel Newkirk
  2003-02-15  8:19 ` Joel Newkirk
  1 sibling, 0 replies; 7+ messages in thread
From: Joel Newkirk @ 2003-02-15  7:44 UTC (permalink / raw)
  To: Jean-Christian Imbeault, netfilter

On Friday 14 February 2003 01:49 am, Jean-Christian Imbeault wrote:
> I've written my first set of iptables rules but they're still buggy =)
> I keep locking myself out. So I'm trying to enable logging to see why
> I can't SSH to my box, but I can't seem to get logging to work.
>
> I have set the default policy to DROP and added only ACCEPT rules, so
> nothing gets DROPPED or REJECTED before making it to the last (logging)
> rule. The last rule should LOG anything that didn't match ... but I
> can't find any iptables entries in /var/log/messages ...
>
> Two questions:
>
> #1 why isn't logging working

Check /etc/syslog.conf, which controls what messages are logged, and 
where.  You should probably try inserting something like this:





* Re: Newbie: need help with table rules
  2003-02-14  6:49 Jean-Christian Imbeault
  2003-02-15  7:44 ` Joel Newkirk
@ 2003-02-15  8:19 ` Joel Newkirk
  1 sibling, 0 replies; 7+ messages in thread
From: Joel Newkirk @ 2003-02-15  8:19 UTC (permalink / raw)
  To: Jean-Christian Imbeault, netfilter

Apologies, I accidentally sent while trying to insert...  Doh!

On Friday 14 February 2003 01:49 am, Jean-Christian Imbeault wrote:
> I've written my first set of iptables rules but they're still buggy =)
> I keep locking myself out. So I'm trying to enable logging to see why
> I can't SSH to my box, but I can't seem to get logging to work.
>
> I have set the default policy to DROP and added only ACCEPT rules, so
> nothing gets DROPPED or REJECTED before making it to the last (logging)
> rule. The last rule should LOG anything that didn't match ... but I
> can't find any iptables entries in /var/log/messages ...
>
> Two questions:
>
> #1 why isn't logging working

See below.

> #2 What is wrong with my rules :)

> I don't control the Firewall. But its settings are fine I think since
> I can connect from JC <-> LINUX just fine. But if I try my iptables
> rules I lock myself out.

LAN ---- FIREWALL ---- WAN
  |          |
  |          |
JC        LINUX

Is LINUX the firewall box itself, or another machine on the other side of 
it from JC?  If the latter, are your iptables rules invoked on the 
firewall, or on LINUX?

Remember that INPUT and OUTPUT are only for traffic to and from the 
firewall box itself, FORWARD is for traffic going THROUGH from a machine 
on one side to a machine on the other.  If the rules you listed are used 
on FIREWALL in your diagram, since you don't have any FORWARD rules to 
ACCEPT anything, then NO communications will be permitted from LAN to 
WAN or WAN to LAN.

> Yet even when I telnet to my machine I don't see any iptables related
> messages ...

Try "kern.=debug" instead.  And you will need to restart the syslogd 
daemon after changing it, probably with "service syslog restart".

j



