Linux Netfilter discussions
* Firewall did not block SSH - what is wrong
@ 2005-02-21 19:36 Hilmar Berger
  2005-02-22 13:25 ` lst_hoe01
  0 siblings, 1 reply; 5+ messages in thread
From: Hilmar Berger @ 2005-02-21 19:36 UTC (permalink / raw)
  To: netfilter

[-- Attachment #1: Type: text/plain, Size: 1002 bytes --]


Hi,

I am running iptables 1.2.11/Linux 2.4.27-pre2. The firewall is started when the ADSL connection comes up.
The rule set I use is from some example iptables ruleset for setting up IP masquerading. I needed this some time ago in order to connect my laptop to my desktop and reach the internet through its DSL modem.
I never had any trouble with my firewall before. It worked as expected - at least that's what it seemed to me.

Today someone tried to break into my machine (the desktop, the one the firewall is running on) by connecting to sshd - which should have been blocked. I tried to test whether this was because my firewall rules are bad or because there is some other bug. Unfortunately, I don't have another machine around right now, and iptables does not have the -C option that exists with ipchains to check whether the rules work as desired.

Any ideas how I can check the ruleset without another Linux box?

I attached the script I use to setup the firewall in case anybody is interested.

Thanks, 
Hilmar


[-- Attachment #2: MASQ-firewall --]
[-- Type: application/octet-stream, Size: 4724 bytes --]

#!/bin/bash
# Uses bash-only "echo -e"/"echo -en"; run it with bash, not /bin/sh.

FWVER=0.78s


echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"

IPTABLES=/sbin/iptables

LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
GREP=$(which grep)
AWK=$(which awk)
SED=$(which sed)
IFCONFIG=/sbin/ifconfig

EXTIF="ppp0"
INTIF="eth1"
echo "  External Interface:  $EXTIF"
echo "  Internal Interface:  $INTIF"
echo "  ---"

# Pull the first "inet addr:" line printed for $EXTIF; this is the address
# ppp0 currently has, so it is only valid for the lifetime of this PPP session.
EXTIP="`$IFCONFIG $EXTIF | $AWK \
 /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"


echo "  External IP: $EXTIP"
echo "  ---"


INTNET="192.168.1.0/24"
INTIP="192.168.1.2/24"
echo "  Internal Network: $INTNET"
echo "  Internal IP:      $INTIP"
echo "  ---"


UNIVERSE="0.0.0.0/0"

echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

echo -en "    Loading kernel modules: "

echo -en "ip_tables, "
#Verify the module isn't loaded.  If it is, skip it
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
   $INSMOD ip_tables
fi


echo -en "ip_conntrack, "
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
   $INSMOD ip_conntrack
fi


if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
   $INSMOD ip_conntrack_ftp
fi


if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
   $INSMOD ip_conntrack_irc
fi


echo -en "iptable_nat, "
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
   $INSMOD iptable_nat
fi


echo -e "ip_nat_ftp"
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
   $INSMOD ip_nat_ftp
fi

echo "  ---"

echo "  Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


echo "  Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "  ---"

echo "  Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT 
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT 
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD 
$IPTABLES -F -t nat

if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
   $IPTABLES -F drop-and-log-it
fi
$IPTABLES -X
$IPTABLES -Z

echo "  Creating a DROP chain.."
# Logs the packet, then REJECTs it (despite the chain's name it does not DROP).
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info 
$IPTABLES -A drop-and-log-it -j REJECT

echo -e "\n   - Loading INPUT rulesets"

$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


# local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT


# remote interface, claiming to be local machines, IP spoofing, get lost
#
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it


# remote interface, any source, going to permanent PPP address is valid
# NOTE: this accepts every new inbound connection to $EXTIP (sshd included).
# Because rules are evaluated first-match, the ESTABLISHED,RELATED rule below
# never decides anything for ppp0 traffic, and the catch-all at the end of the
# chain is unreachable for packets addressed to $EXTIP.
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT


# Allow any related traffic coming back to the MASQ server in
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT


# Catch all rule, all other incoming is denied and logged. 
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo -e "   - Loading OUTPUT rulesets"

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are 
#         already flushed and set to a default policy of DROP. 
#

# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


# internal interface, from the external address to the local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT


# internal interface, from the internal address to the local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT


# outgoing to local net on remote interface, stuffed routing, deny
#
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it


# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT


# Catch all rule, all other outgoing is denied and logged. 
#
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo -e "   - Loading FORWARD rulesets"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#


echo "     - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged. 
#
$IPTABLES -A FORWARD -j drop-and-log-it


echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
#
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP


#######################################################################


echo -e "\nDone.\n"

* Firewall did not block SSH - what is wrong
@ 2005-02-22 19:16 ju0815nk
  2005-02-23  7:42 ` lst_hoe01
  0 siblings, 1 reply; 5+ messages in thread
From: ju0815nk @ 2005-02-22 19:16 UTC (permalink / raw)
  To: netfilter

Hi,

thanks for your help. Actually, I wanted to block all incoming traffic that
is not related to connections originating from my machine. Should a default
policy of dropping all packets plus allowing only related packets be
sufficient?

e.g.

$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT

Is there any way to test iptables-based firewalls without access to a second
machine?
I installed the rule you told me and commented out the one allowing
connections to the firewall - but how can I test that it works for me
(apart from testing whether my email/Mozilla still works)?

Thanks, Hilmar


> try something like: 
> 
> #Substitute values for yours.
> #your iptables binary
> IPT=iptables
> #your external iface
> EFACE=ppp0 
> 
> $IPT -A INPUT -i $EFACE -p tcp --dport ssh --syn -j DROP 
> Tell us if that is what you need and if it works for you. 


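Both posts ask the same thing: how to see what the INPUT chain does to an inbound SSH connection without a second machine. Two facts make the obvious local tests misleading. Modern iptables does have a -C/--check option, but it only tests whether a given rule exists, not what happens to a packet; and a connection from the firewall host to its own ppp0 address is delivered over lo, so it never exercises the "-i ppp0" rules at all. What follows is an added example, not code from this thread or from the netfilter project: a small first-match evaluator in Python for the subset of iptables syntax the posted MASQ-firewall script uses. It walks the script's INPUT chain (variables expanded) the way the kernel would for a constructed packet, then does the same for the chain with the quoted "--syn -j DROP" rule appended and inserted at the top, for the chain with the blanket "any source to $EXTIP" ACCEPT removed, and for the minimal two-line set proposed in the follow-up. 203.0.113.7 as the ppp0 address and 198.51.100.23 as the remote peer are assumed documentation addresses, not the original poster's.

```python
"""Added example (not the thread's code): first-match evaluator for the subset of
iptables syntax the posted MASQ-firewall script uses.  Addresses 203.0.113.7
(ppp0) and 198.51.100.23 (remote peer) are assumed documentation values."""
import ipaddress
import shlex
from dataclasses import dataclass

SERVICE_PORTS = {"ssh": 22}            # stand-in for the /etc/services lookup iptables does
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass(frozen=True)
class Packet:
    iface: str                         # interface the packet arrived on (-i)
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    syn: bool = False                  # SYN set, ACK clear: what --syn matches
    state: str = "NEW"                 # conntrack state ip_conntrack would assign


def load_rules(text):
    """Parse iptables argument lines into builtin policies and per-chain rule lists."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        argv = shlex.split(raw.split("#", 1)[0])
        if not argv:
            continue
        if argv[0] == "-P":                               # builtin chain policy
            policies[argv[1]] = argv[2]
            continue
        if argv[0] == "-N":                               # user-defined chain
            chains.setdefault(argv[1], [])
            continue
        if argv[0] not in ("-A", "-I"):
            raise ValueError(f"unsupported command: {raw.strip()}")
        chain, rule, i, pos = argv[1], {}, 2, None
        if argv[0] == "-I":                               # -I chain [rulenum]: default position 1
            pos = 0
            if argv[2].isdigit():
                pos, i = int(argv[2]) - 1, 3
        while i < len(argv):
            opt = argv[i]
            if opt == "--syn":
                rule[opt], i = True, i + 1
            elif opt == "-m":                             # match extension; its options follow
                i += 2
            elif opt in ("-i", "-s", "-d", "-p", "-j", "--dport", "--state", "--log-level"):
                rule[opt], i = argv[i + 1], i + 2
            else:
                raise ValueError(f"unsupported option {opt} in: {raw.strip()}")
        rules = chains.setdefault(chain, [])
        if pos is None:
            rules.append(rule)
        else:
            rules.insert(pos, rule)
    return policies, chains


def matches(rule, pkt):
    """True when every match in the rule holds for the packet."""
    if "-i" in rule and rule["-i"] != pkt.iface:
        return False
    for opt, addr in (("-s", pkt.src), ("-d", pkt.dst)):
        if opt in rule and ipaddress.ip_address(addr) not in ipaddress.ip_network(rule[opt], strict=False):
            return False
    if "-p" in rule and rule["-p"] != pkt.proto:
        return False
    if "--dport" in rule and int(SERVICE_PORTS.get(rule["--dport"], rule["--dport"])) != pkt.dport:
        return False
    if rule.get("--syn") and not pkt.syn:
        return False
    if "--state" in rule and pkt.state not in rule["--state"].split(","):
        return False
    return True


def walk(policies, chains, chain, pkt, trail):
    """First-match traversal; returns the verdict, or None when a user chain falls through."""
    for n, rule in enumerate(chains.get(chain, []), 1):
        if not matches(rule, pkt):
            continue
        target = rule["-j"]
        trail.append(f"{chain}:{n}:{target}")
        if target in TERMINAL:
            return target
        if target == "LOG":                               # non-terminating: log and keep walking
            continue
        verdict_ = walk(policies, chains, target, pkt, trail)   # jump into a user chain
        if verdict_ is not None:
            return verdict_
    if chain in policies:                                 # end of a builtin chain: policy decides
        trail.append(f"{chain}:policy:{policies[chain]}")
        return policies[chain]
    return None


def verdict(ruleset, pkt, chain="INPUT"):
    """(final verdict, list of rules the packet touched on the way)."""
    trail = []
    policies, chains = load_rules(ruleset)
    return walk(policies, chains, chain, pkt, trail), trail


# INPUT chain of the posted script with its variables expanded (constructed input).
ORIGINAL = """
-P INPUT DROP
-N drop-and-log-it
-A drop-and-log-it -j LOG --log-level info
-A drop-and-log-it -j REJECT
-A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
-A INPUT -i eth1 -s 192.168.1.0/24 -d 0.0.0.0/0 -j ACCEPT
-A INPUT -i ppp0 -s 192.168.1.0/24 -d 0.0.0.0/0 -j drop-and-log-it
-A INPUT -i ppp0 -s 0.0.0.0/0 -d 203.0.113.7 -j ACCEPT
-A INPUT -i ppp0 -s 0.0.0.0/0 -d 203.0.113.7 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j drop-and-log-it
"""
SSH_DROP = "-A INPUT -i ppp0 -p tcp --dport ssh --syn -j DROP"   # the rule quoted in the reply
APPENDED = ORIGINAL + SSH_DROP + "\n"                             # -A: lands after the blanket ACCEPT
INSERTED = ORIGINAL + SSH_DROP.replace("-A", "-I", 1) + "\n"      # -I: becomes rule 1
REVISED = ORIGINAL.replace("-A INPUT -i ppp0 -s 0.0.0.0/0 -d 203.0.113.7 -j ACCEPT\n", "")
MINIMAL = """
-P INPUT DROP
-A INPUT -i ppp0 -s 0.0.0.0/0 -d 203.0.113.7 -m state --state ESTABLISHED,RELATED -j ACCEPT
"""

SSH_SYN = Packet("ppp0", "198.51.100.23", "203.0.113.7", "tcp", 22, syn=True, state="NEW")
REPLY = Packet("ppp0", "198.51.100.23", "203.0.113.7", "tcp", 40321, state="ESTABLISHED")
SPOOFED = Packet("ppp0", "192.168.1.5", "203.0.113.7", "tcp", 22, syn=True, state="NEW")
LAN_SSH = Packet("eth1", "192.168.1.5", "192.168.1.2", "tcp", 22, syn=True, state="NEW")

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("appended", APPENDED), ("inserted", INSERTED),
                     ("revised", REVISED), ("minimal", MINIMAL)):
        for pname, pkt in (("ssh syn", SSH_SYN), ("reply", REPLY), ("spoofed", SPOOFED), ("lan ssh", LAN_SSH)):
            v, trail = verdict(rs, pkt)
            print(f"{name:9} {pname:8} -> {v:7} via {' > '.join(trail)}")
```

The trail printed for each case is the answer to the original question. In the posted chain the SYN to port 22 hits rule 4, the "any source to $EXTIP" ACCEPT, before the ESTABLISHED,RELATED rule is ever consulted; appending the "--syn -j DROP" rule with -A puts it behind that ACCEPT, where it never fires, while inserting it with -I makes it rule 1 and the SYN is dropped. Removing the blanket ACCEPT sends the SYN to drop-and-log-it (LOG, then REJECT) and still admits the reply packet through the state rule. The minimal two-line set from the follow-up also drops the SYN and admits replies, but as quoted it has no lo or eth1 rule, so the LAN packet is dropped by the policy too; and with a dynamic ppp0 address any rule carrying "-d $EXTIP" goes stale when the link renegotiates. On the real box, the LOG entries drop-and-log-it already writes and the per-rule counters from "iptables -L INPUT -v -n --line-numbers" are the closest thing to this trace.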

Thread overview: 5+ messages
2005-02-21 19:36 Firewall did not block SSH - what is wrong Hilmar Berger
2005-02-22 13:25 ` lst_hoe01
2005-02-22 13:39   ` Samuel Díaz García
2005-02-22 19:16 ju0815nk
2005-02-23  7:42 ` lst_hoe01