* iptables and permits ports
@ 2002-09-11 20:23 Mohamed Nassih
From: Mohamed Nassih @ 2002-09-11 20:23 UTC (permalink / raw)
To: netfilter
Hi,
my firewall file is like below. It works without any
problem. Today I tested connecting to an Oracle server via the
Internet from inside, to port 1521 (on the outside Oracle
server), and it works.
Normally, as you can see from the rules, I drop all packets
that do not have as destination port www, ftp... the
firewall must drop all packets with destination port
1521!!
Can I please have an explanation of this..
The firewall file:
#!/bin/sh
# Load the netfilter modules one at a time (ip_tables is the base module;
# modprobe takes a single module name, anything after it is a module parameter).
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe iptable_filter

# Enable reverse-path filtering on every interface.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > $filtre
    done
fi

# Ignore ICMP echo requests (all of them, and broadcast ones).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Flush all rules and delete user-defined chains (chain policies stay at ACCEPT).
iptables -F
iptables -X

# Masquerade the LAN behind eth0.
iptables -t nat -A POSTROUTING -o eth0 -s 10.154.17.0/24 -j MASQUERADE

iptables -A INPUT -i eth0 -s 199.243.181.226 -j DROP

# Anti-spoofing on the LAN side; drop NEW TCP connections that do not start with SYN.
iptables -A INPUT -i eth1 -s ! 10.154.17.0/24 -j DROP
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Services offered by the firewall host on the LAN interface.
iptables -A INPUT -i eth1 -p tcp --destination-port www -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --destination-port ftp -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --destination-port ftp-data -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --destination-port smtp -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --destination-port 110 -j ACCEPT
iptables -A INPUT -i eth1 -d 198.235.216.131 -p udp --destination-port domain -j ACCEPT
iptables -A INPUT -i eth1 -d 198.235.216.131 -p tcp --destination-port domain -j ACCEPT
iptables -A INPUT -i eth1 -d 198.235.216.130 -p udp --destination-port domain -j ACCEPT
iptables -A INPUT -i eth1 -d 198.235.216.130 -p tcp --destination-port domain -j ACCEPT

# Services offered by the firewall host on the Internet interface.
iptables -A INPUT -i eth0 -p tcp --destination-port www -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --destination-port ftp -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --destination-port ftp-data -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --destination-port smtp -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp --destination-port 110 -j ACCEPT

# Answer ident probes with a reset instead of letting them time out.
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# Everything else addressed to the firewall host is dropped.
iptables -A INPUT -j DROP
Thanks in advance.
* Re: iptables and permits ports
From: Anders Fugmann @ 2002-09-12 7:02 UTC (permalink / raw)
To: Mohamed Nassih; +Cc: netfilter
Mohamed Nassih wrote:
> Hi,
>
> my firewall file is like below. It works without any
> problem. Today I tested connecting to an Oracle server via the
> Internet from inside, to port 1521 (on the outside Oracle
> server), and it works.
>
> Can I please have an explanation of this..
Yes. You say that you connect from the "inside". I assume that
you hereby mean a machine located behind the firewall on the LAN, which
has to go through the firewall in order to connect to the Internet.
If this is correct, then you can connect because you have no FORWARD
rules. The packet is masqueraded perfectly, and all replies to the
connection are routed without problem to the machine on the LAN.
You should read:
http://www.netfilter.org/documentation/tutorials/blueflux/,
and understand how packets traverse the chains.
The INPUT and OUTPUT chains are only for packets destined for the server itself and for
packets originating from the server itself.
>
>
> The firewall file :
>
> /sbin/modprobe iptables iptable_nat
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_irc
> /sbin/modprobe iptable_filter
>
> if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
> then
> for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
> do
> echo 1 > $filtre
> done
> fi
>
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> iptables -F
> iptables -X
>
> iptables -t nat -A POSTROUTING -o eth0 -s 10.154.17.0/24 -j MASQUERADE
>
> iptables -A INPUT -i eth0 -s 199.243.181.226 -j DROP
>
> iptables -A INPUT -i eth1 -s ! 10.154.17.0/24 -j DROP
> iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
>
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A INPUT -i eth1 -p tcp --destination-port www -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --destination-port ftp -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --destination-port ftp-data -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --destination-port smtp -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --destination-port 110 -j ACCEPT
> iptables -A INPUT -i eth1 -d 198.235.216.131 -p udp --destination-port domain -j ACCEPT
> iptables -A INPUT -i eth1 -d 198.235.216.131 -p tcp --destination-port domain -j ACCEPT
> iptables -A INPUT -i eth1 -d 198.235.216.130 -p udp --destination-port domain -j ACCEPT
> iptables -A INPUT -i eth1 -d 198.235.216.130 -p tcp --destination-port domain -j ACCEPT
>
> iptables -A INPUT -i eth0 -p tcp --destination-port www -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --destination-port ftp -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --destination-port ftp-data -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --destination-port smtp -j ACCEPT
> #iptables -A INPUT -i eth0 -p tcp --destination-port 110 -j ACCEPT
>
> iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
>
> iptables -A INPUT -j DROP
>
> Thanks in advance.
I strongly advise you to start your script with these three commands:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
This sets the default policy on all filter chains, meaning that if no
rule matches the packet, the packet is dropped.
Beware. When you do this, no users on the LAN can access the Internet,
and the firewall cannot communicate with any other machine, because you
only accept packets on the loopback interface.
Regards
Anders Fugmann
--
Author of FIAIF
FIAIF Is An Intelligent/Iptables Firewall
http://fiaif.fugmann.dhs.org
* Re: iptables and permits ports
From: Antony Stone @ 2002-09-12 8:34 UTC (permalink / raw)
To: netfilter
On Wednesday 11 September 2002 10:23 pm, Mohamed Nassih wrote:
> Hi,
>
> my firewall file is like below. It works without any
> problem. Today I tested connecting to an Oracle server via the
> Internet from inside, to port 1521 (on the outside Oracle
> server), and it works.
>
> Normally, as you can see from the rules, I drop all packets
> that do not have as destination port www, ftp... the
> firewall must drop all packets with destination port
> 1521!!
> Can I please have an explanation of this..
I don't know whether by "inside" you mean some machine on your LAN (not your
firewall), or the firewall itself, however:
You have no FORWARDing rules whatsoever, so if you're sending packets from
your internal LAN, everything is allowed by the default ACCEPT policy (which
you haven't changed).
You have no OUTPUT policy either, so if you're sending packets from the
firewall itself, everything is allowed by the default ACCEPT policy (which
you haven't changed).
Antony.
--
All matter in the Universe can be placed into one of two categories:
1. things which need to be fixed
2. things which will need to be fixed once you've had a few minutes to play
with them
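Both replies make the same point: LAN-to-Internet packets never touch INPUT, they traverse FORWARD, which here has no rules and an ACCEPT policy, so port 1521 goes through. The script below is an added example, not code from the thread or from FIAIF, showing Mohamed's firewall restructured so that the DROP policies Anders recommends are set on all three chains and LAN traffic is filtered in FORWARD. The interface names, LAN prefix and DNS server addresses are taken from the original script; the permitted port list, the LOG rule and the DRY_RUN review mode are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): the firewall with default DROP policies
# and explicit FORWARD rules, so that only listed destination ports can be
# opened from the LAN to the Internet. Interfaces, LAN prefix and DNS servers
# come from the original script; the port list and LOG rule are assumptions.
#
#   sh firewall.sh apply             # install the rules (needs root)
#   DRY_RUN=1 sh firewall.sh apply   # print the iptables commands instead

LAN_IF=eth1
WAN_IF=eth0
LAN_NET=10.154.17.0/24
DNS_SERVERS="198.235.216.131 198.235.216.130"
# TCP ports LAN clients may open towards the Internet (www, ftp, smtp, pop3).
LAN_OUT_PORTS="80 21 25 110"

# ipt: run iptables, or only print the command when DRY_RUN=1 so the rule
# set can be reviewed on a host without root or netfilter.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo iptables "$@"
    else
        iptables "$@"
    fi
}

# Policies first: a packet that no rule ACCEPTs is dropped, in every chain.
set_policies() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
}

flush_rules() {
    ipt -F
    ipt -X
    ipt -t nat -F
}

nat_rules() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# INPUT/OUTPUT: only traffic to and from the firewall host itself.
host_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: only the LAN prefix may appear on the LAN interface.
    ipt -A INPUT -i "$LAN_IF" ! -s "$LAN_NET" -j DROP
    # Services the firewall host itself offers to the LAN.
    for port in $LAN_OUT_PORTS; do
        ipt -A INPUT -i "$LAN_IF" -p tcp --dport "$port" -j ACCEPT
    done
    # With OUTPUT DROP, the host's own DNS lookups must be opened explicitly.
    for dns in $DNS_SERVERS; do
        ipt -A OUTPUT -o "$WAN_IF" -d "$dns" -p udp --dport 53 -j ACCEPT
        ipt -A OUTPUT -o "$WAN_IF" -d "$dns" -p tcp --dport 53 -j ACCEPT
    done
    ipt -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
}

# FORWARD: traffic that crosses the firewall. The original script had no
# rules here, so the ACCEPT policy let port 1521 through; now only the listed
# ports may be opened from the LAN, and anything else is logged (rate limited)
# before the DROP policy discards it.
forward_rules() {
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in $LAN_OUT_PORTS; do
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    for dns in $DNS_SERVERS; do
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$dns" -p udp --dport 53 -j ACCEPT
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$dns" -p tcp --dport 53 -j ACCEPT
    done
    ipt -A FORWARD -i "$LAN_IF" -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

firewall() {
    set_policies
    flush_rules
    nat_rules
    host_rules
    forward_rules
}

# Review helper: succeeds if the generated rule set lets a LAN client open a
# NEW TCP connection to the given destination port through the firewall.
lan_port_allowed() {
    ( DRY_RUN=1; firewall ) | grep -q -- "-A FORWARD .*--dport $1 .*-j ACCEPT"
}

if [ "${1:-}" = apply ]; then
    firewall
fi
```

With this layout `lan_port_allowed 1521` fails and `lan_port_allowed 80` succeeds, which is exactly the behaviour Mohamed expected from his INPUT rules. The LOG rule at the end of FORWARD is what makes a blocked connection visible in the kernel log instead of silently timing out, so the next "why does this work / not work" question can be answered from the log rather than by reading the rule set.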