* IPTABLES and SSH
@ 2003-01-16 10:13 Steffen Bisgaard
From: Steffen Bisgaard @ 2003-01-16 10:13 UTC (permalink / raw)
To: netfilter
Hallo everybody,
This is the first time I use this feature so if I am doing anything wrong
please bear with me...
I have the following iptables running on a RH7.3 machine. Can anybody tell
me why I am unable to ssh to the machine when iptables is running?
For the SSH part I have also tried:
iptables -I INPUT -i $EXTERNAL_INTERFACE -p tcp --dport 22 --sport 1024:65535 -j ACCEPT
but still no go...
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/iptables.
# chkconfig: - 60 95
# description: Starts and stops the IPTABLES packet filter \
# used to provide firewall network services.
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
exit 0
fi
if [ ! -x /sbin/iptables ]; then
exit 0
fi
# See how we were called.
case "$1" in
start)
echo -n "Starting Firewalling: "
# ----------------------------------------------------------------------------
# Some definitions for easy maintenance.
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
#IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d \ -f 1`
IPADDR="10.2.0.28"
EXTERNAL_INTERFACE="eth0" # Internet connected interface
LOOPBACK_INTERFACE="lo" # Your local naming convention
PRIMARY_NAMESERVER="212.120.66.194" # Your Primary Name Server
SECONDARY_NAMESERVER="212.120.66.195" # Your Secondary Name Server
#SYSLOG_CLIENT="***.**.**.*" # Your Syslog Clients IP ranges
LOOPBACK="127.0.0.0/8" # Reserved loopback addr range
CLASS_A="10.0.0.0/8" # Class A private networks
CLASS_B="172.16.0.0/12" # Class B private networks
CLASS_C="192.168.0.0/16" # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addr
CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addr
BROADCAST_SRC="0.0.0.0" # Broadcast source addr
BROADCAST_DEST="255.255.255.255" # Broadcast destination addr
PRIVPORTS="0:1023" # Privileged port range
UNPRIVPORTS="1024:" # Unprivileged port range
# ----------------------------------------------------------------------------
# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
# Clients can optionally be configured to use only unprivileged ports.
SSH_LOCAL_PORTS="1022:65535" # Port range for local clients
SSH_REMOTE_PORTS="513:65535" # Port range for remote clients
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections
# Remove all existing rules belonging to this filter
iptables -F
# Remove any existing user-defined chains.
iptables -X
# Set the default policy of the filter to deny.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# ----------------------------------------------------------------------------
# LOOPBACK
# --------
# Unlimited traffic on the loopback interface.
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
#
#
#
# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse incoming packets pretending to be from the external address.
iptables -A INPUT -s $IPADDR -j DROP
# Refuse incoming packets claiming to be from a Class A, B or C private network
iptables -A INPUT -s $CLASS_A -j DROP
iptables -A INPUT -s $CLASS_B -j DROP
iptables -A INPUT -s $CLASS_C -j DROP
# Refuse broadcast address SOURCE packets
iptables -A INPUT -s $BROADCAST_DEST -j DROP
iptables -A INPUT -d $BROADCAST_SRC -j DROP
# Refuse Class D multicast addresses
# Multicast is illegal as a source address.
# Multicast uses UDP.
iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP
# Refuse Class E reserved IP addresses
iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP
# Refuse special addresses defined as reserved by the IANA.
# Note: The remaining reserved addresses are not included
# filtering them causes problems as reserved blocks are
# being allocated more often now. The following are based on
# reservations as listed by IANA as of 2001/01/04. Please regularly
# check at http://www.iana.org/ for the latest status.
# Note: this list includes the loopback, multicast, & reserved addresses.
# 0.*.*.* - Can't be blocked for DHCP users.
# 127.*.*.* - LoopBack
# 169.254.*.* - Link Local Networks
# 192.0.2.* - TEST-NET
# 224-255.*.*.* - Classes D & E, plus unallocated.
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP
#
#
#
# ----------------------------------------------------------------------------
# UDP TRACEROUTE
# --------------
# traceroute usually uses -S 32769:65535 -D 33434:33523
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port $TRACEROUTE_SRC_PORTS \
-d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT
#
#
#
# ----------------------------------------------------------------------------
# DNS forward-only nameserver
# ---------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $PRIMARY_NAMESERVER --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $PRIMARY_NAMESERVER --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $SECONDARY_NAMESERVER --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $SECONDARY_NAMESERVER --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
#
#
#
# ------------------------------------------------------------------
# POP server (110)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 110 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port 110 \
--destination-port $UNPRIVPORTS -j ACCEPT
# POP client (110)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 110 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 110 -j ACCEPT
#
#
#
# ------------------------------------------------------------------
# SMTP server (25)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 25 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port 25 \
--destination-port $UNPRIVPORTS -j ACCEPT
#
#
#
# ------------------------------------------------------------------
# SMTP client (25)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 25 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 25 -j ACCEPT
#
#
#
# ------------------------------------------------------------------
# SSH server (22)
# ---------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $SSH_REMOTE_PORTS \
-d $IPADDR --destination-port 22 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port 22 \
--destination-port $SSH_REMOTE_PORTS -j ACCEPT
#
#
#
# ----------------------------------------------------------------------------
# ICMP
# ----
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type echo-reply \
-d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type destination-unreachable \
-d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type source-quench \
-d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type time-exceeded \
-d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type parameter-problem \
-d $IPADDR -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type parameter-problem -j ACCEPT
#
#
#
# ----------------------------------------------------------------------------
# Final explicit denies for everything not accepted above.
# Note: despite the original heading this section carries no -j LOG rules,
# so denied packets are not written to the system log.
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $PRIVPORTS -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 5 -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 13/255 -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT
# ----------------------------------------------------------------------------
;;
stop)
echo -n "Shutting Firewalling: "
# Remove all existing rules belonging to this filter
iptables -F
# Delete all user-defined chains belonging to this filter
iptables -X
# Reset the default policy of the filter to accept.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
status iptables
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo "Usage: iptables {start|stop|status|restart|reload}"
exit 1
esac
echo "done"
exit 0
* Re: IPTABLES and SSH
From: Raymond Leach @ 2003-01-16 10:42 UTC (permalink / raw)
To: Steffen Bisgaard; +Cc: Netfilter Mailing List
On Thu, 2003-01-16 at 12:13, Steffen Bisgaard wrote:
> Hallo everybody,
>
> This is the first time I use this feature so if I am doing anything wrong
> please bear with me...
>
> I have the following iptables running on a RH7.3 machine. Can anybody tell
> me why I am unable to ssh to the machine when iptables is running?
>
> For the SSH part I have also tried:
>
>
> iptables -I INPUT -i $EXTERNAL_INTERFACE -p tcp --dport 22 --sport 1024:65535 -j ACCEPT
>
You also need to allow the server to respond:
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --sport 22 --dport 1024:65535 -j ACCEPT
Have you checked your firewall log file for other clues?
> but still no go...
>
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
( Raymond Leach )
) Knowledge Factory (
( )
) Tel: +27 11 445 8100 (
( Fax: +27 11 445 8101 )
) (
( http://www.knowledgefactory.co.za/ )
) http://www.saptg.co.za/ (
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o o
o o
.--. .--.
| o_o| |o_o |
| \_:| |:_/ |
/ / \\ // \ \
( | |) (| | )
/`\_ _/'\ /'\_ _/`\
\___)=(___/ \___)=(___/
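As an added check for this thread (example code written for this edit, not from Steffen's script or from anyone in the thread): a small first-match model of the INPUT and OUTPUT chains, loaded with the anti-spoofing and SSH rules from the script in their original order, so the verdict for an inbound SSH connection and for the server's SYN-ACK can be traced offline, plus a stateful OUTPUT variant that matches on conntrack state instead of port ranges. The walk makes one thing visible: the CLASS_A anti-spoofing DROP sits ahead of the SSH accept, so a client inside 10.0.0.0/8, the same block as IPADDR, never reaches the SSH rule. The client addresses 198.51.100.7 and 10.2.0.5 are constructed, and each packet's conntrack state is supplied by hand rather than tracked.

```python
# First-match model of the filter chains in the script from the first post.
# Added example for this thread, not code from the script or its author.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

IPADDR = "10.2.0.28"   # from the script's definitions block
EXT = "eth0"

@dataclass
class Packet:
    iface: str              # -i on INPUT, -o on OUTPUT
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False       # SYN set with ACK and RST clear: what --syn matches
    state: str = "NEW"      # conntrack state as -m state sees it (given, not computed)

@dataclass
class Rule:
    name: str
    target: str                               # ACCEPT, DROP or REJECT
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None                 # host or CIDR, as given to -s
    dst: Optional[str] = None                 # host or CIDR, as given to -d
    sport: Optional[Tuple[int, int]] = None   # --sport lo:hi
    dport: Optional[Tuple[int, int]] = None   # --dport lo:hi
    syn: Optional[bool] = None                # True for --syn, False for ! --syn
    state: Optional[str] = None               # -m state --state X

    def matches(self, p: Packet) -> bool:
        return all([
            self.iface is None or p.iface == self.iface,
            self.proto is None or p.proto == self.proto,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.sport is None or self.sport[0] <= p.sport <= self.sport[1],
            self.dport is None or self.dport[0] <= p.dport <= self.dport[1],
            self.syn is None or p.syn == self.syn,
            self.state is None or p.state == self.state,
        ])

def port_range(spec: str) -> Tuple[int, int]:
    """Parse iptables port syntax: "22", "513:65535" or the open-ended "1024:"."""
    lo, sep, hi = spec.partition(":")
    if not sep:
        return int(lo), int(lo)
    return int(lo), (int(hi) if hi else 65535)

# INPUT in the script's order: loopback, anti-spoofing drops, SSH server accept, then
# the catch-all tcp DROP. Other services are omitted: none can match a packet to port 22.
INPUT: List[Rule] = [
    Rule("loopback", "ACCEPT", iface="lo"),
    Rule("anti-spoof own address", "DROP", src=IPADDR),
    Rule("anti-spoof CLASS_A", "DROP", src="10.0.0.0/8"),
    Rule("anti-spoof CLASS_B", "DROP", src="172.16.0.0/12"),
    Rule("anti-spoof CLASS_C", "DROP", src="192.168.0.0/16"),
    Rule("SSH server", "ACCEPT", iface=EXT, proto="tcp", dst=IPADDR,
         sport=port_range("513:65535"), dport=port_range("22")),
    Rule("catch-all tcp", "DROP", iface=EXT, proto="tcp"),
]
# OUTPUT: the script's stateless reply rule (! --syn plus port ranges) ...
OUTPUT: List[Rule] = [
    Rule("SSH server reply", "ACCEPT", iface=EXT, proto="tcp", src=IPADDR,
         sport=port_range("22"), dport=port_range("513:65535"), syn=False),
    Rule("catch-all", "REJECT", iface=EXT),
]
# ... and a stateful alternative that matches on conntrack state instead.
OUTPUT_STATEFUL: List[Rule] = [
    Rule("SSH established", "ACCEPT", iface=EXT, proto="tcp",
         sport=port_range("22"), state="ESTABLISHED"),
    Rule("catch-all", "REJECT", iface=EXT),
]

def walk(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, str]:
    """Verdict and name of the first matching rule, or the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target, rule.name
    return policy, "chain policy"

def ssh_syn(client: str, sport: int = 1025) -> Tuple[str, str]:
    """Inbound SSH connection attempt from client:sport on the external interface."""
    return walk(INPUT, "DROP", Packet(EXT, "tcp", client, IPADDR, sport, 22, syn=True))

def ssh_syn_ack(client: str, dport: int = 1025, stateful: bool = False) -> Tuple[str, str]:
    """The server's SYN-ACK: ACK is set so ! --syn matches, and conntrack has seen
    the client's SYN, so the reply direction is ESTABLISHED."""
    pkt = Packet(EXT, "tcp", IPADDR, client, 22, dport, syn=False, state="ESTABLISHED")
    return walk(OUTPUT_STATEFUL if stateful else OUTPUT, "DROP", pkt)

if __name__ == "__main__":
    # Constructed clients: one public address (TEST-NET-2), one inside 10.0.0.0/8.
    for client, sport in [("198.51.100.7", 1025), ("10.2.0.5", 1025), ("198.51.100.7", 500)]:
        print(f"SSH SYN from {client}:{sport} ->", ssh_syn(client, sport))
    print("SYN-ACK ->", ssh_syn_ack("198.51.100.7"), ssh_syn_ack("198.51.100.7", stateful=True))
```

On a real host the equivalent check is `iptables -L INPUT -n -v --line-numbers`, which shows rule order together with per-rule packet counters, so the rule that swallows a connection attempt shows up as the one whose counter increments.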
* Re: IPTABLES and SSH
From: Sven Schuster @ 2003-01-16 11:07 UTC (permalink / raw)
To: netfilter
Maybe a better way would be to use stateful checking, like
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --sport 22 \
-m state --state ESTABLISHED -j ACCEPT
Regards
Sven
Raymond Leach wrote:
>On Thu, 2003-01-16 at 12:13, Steffen Bisgaard wrote:
>
>
>>Hallo everybody,
>>
>>This is the first time I use this feature so if I am doing anything wrong
>>please bear with me...
>>
>>I have the following iptables running on a RH7.3 machine. Can anybody tell
>>me why I am unable to ssh to the machine when iptables is running?
>>
>>For the SSH part I have also tried:
>>
>>
>>iptables -I INPUT -i $EXTERNAL_INTERFACE -p tcp --dport 22 --sport 1024:65535 -j ACCEPT
>>
>>
>>
>You also need to allow the server to respond:
>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --sport 22 --dport 1024:65535 -j ACCEPT
>
>Have you checked your firewall log file for other clues?
>
>
>
>>-s $IPADDR --source-port 25 \
>>--destination-port $UNPRIVPORTS -j ACCEPT
>>#
>>#
>>#
>># ------------------------------------------------------------------
>># SMTP client (25)
>># ----------------
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
>>--source-port 25 \
>>-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
>>-s $IPADDR --source-port $UNPRIVPORTS \
>>--destination-port 25 -j ACCEPT
>>#
>>#
>>#
>># ------------------------------------------------------------------
>># SSH server (22)
>># ---------------
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
>>--source-port $SSH_REMOTE_PORTS \
>>-d $IPADDR --destination-port 22 -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
>>-s $IPADDR --source-port 22 \
>>--destination-port $SSH_REMOTE_PORTS -j ACCEPT
>>#
>>#
>>#
>># ----------------------------------------------------------------------------
>># ICMP
>># ----
>># To prevent denial of service attacks based on ICMP bombs, filter
>># incoming Redirect (5) and outgoing Destination Unreachable (3).
>># Note, however, disabling Destination Unreachable (3) is not
>># advisable, as it is used to negotiate packet fragment size.
>># For bi-directional ping.
>># Message Types: Echo_Reply (0), Echo_Request (8)
>># To prevent attacks, limit the src addresses to your ISP range.
>>#
>># For outgoing traceroute.
>># Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
>># default UDP base: 33434 to base+nhops-1
>>#
>># For incoming traceroute.
>># Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
>># To block this, deny OUTGOING 3 and 11
>># 0: echo-reply (pong)
>># 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
>># 4: source-quench
>># 5: redirect
>># 8: echo-request (ping)
>># 11: time-exceeded
>># 12: parameter-problem
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
>>--icmp-type echo-reply \
>>-d $IPADDR -j ACCEPT
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
>>--icmp-type destination-unreachable \
>>-d $IPADDR -j ACCEPT
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
>>--icmp-type source-quench \
>>-d $IPADDR -j ACCEPT
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
>>--icmp-type time-exceeded \
>>-d $IPADDR -j ACCEPT
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
>>--icmp-type parameter-problem \
>>-d $IPADDR -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
>>-s $IPADDR --icmp-type fragmentation-needed -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
>>-s $IPADDR --icmp-type source-quench -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
>>-s $IPADDR --icmp-type echo-request -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
>>-s $IPADDR --icmp-type parameter-problem -j ACCEPT
>>#
>>#
>>#
>># ----------------------------------------------------------------------------
>># Enable logging for selected denied packets
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
>>--destination-port $PRIVPORTS -j DROP
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
>>--destination-port $UNPRIVPORTS -j DROP
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
>>--icmp-type 5 -j DROP
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
>>--icmp-type 13/255 -j DROP
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT
>># ----------------------------------------------------------------------------
>>;;
>>stop)
>>echo -n "Shutting Firewalling: "
>># Remove all existing rules belonging to this filter
>>iptables -F
>># Delete all user-defined chain to this filter
>>iptables -X
>># Reset the default policy of the filter to accept.
>>iptables -P INPUT ACCEPT
>>iptables -P OUTPUT ACCEPT
>>iptables -P FORWARD ACCEPT
>>;;
>>status)
>>status iptables
>>;;
>>restart|reload)
>>$0 stop
>>$0 start
>>;;
>>*)
>>echo "Usage: iptables {start|stop|status|restart|reload}"
>>exit 1
>>esac
>>echo "done"
>>exit 0
>>
>>
* Re: IPTABLES and SSH
2003-01-16 10:42 ` Raymond Leach
2003-01-16 11:07 ` Sven Schuster
@ 2003-01-16 11:34 ` Arnt Karlsen
2003-01-16 14:02 ` IPTABLES and SSH -- READABILITY Andre Costa
2 siblings, 0 replies; 5+ messages in thread
From: Arnt Karlsen @ 2003-01-16 11:34 UTC (permalink / raw)
To: netfilter
On 16 Jan 2003 12:42:10 +0200,
Raymond Leach <raymondl@knowledgefactory.co.za> wrote in message
<1042713729.485.14.camel@rayw.knowledgefactory.co.za>:
> On Thu, 2003-01-16 at 12:13, Steffen Bisgaard wrote:
> > Hallo everybody,
> >
> > This is the first time I use this feature so if I am doing anything
> > wrong please bear with me...
> >
> > I have the following iptables running on a RH7.3 machine. Can
> > anybody tell me why I am unable to ssh to the machine when iptables
> > is running?
> >
> > For the SSH part I have also tried:
> >
> >
> > iptables -I INPUT -i $EXTERNAL_INTERFACE -p tcp --dport 22 --sport
> > 1024:65535 -j ACCEPT
> >
> You also need to allow the server to respond:
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --sport 22 --dport
> 1024:65535 -j ACCEPT
>
> Have you checked your firewall log file for other clues?
>
> > but still no go...
...and sshd of course runs and is set up to accept sessions from
your box? (A variant of the "and the power is on?", btdt. ;-) )
> >
> > # ----------------------------------------------------------------------------
> > #
> > # Invoked from /etc/rc.d/init.d/iptables.
> > # chkconfig: - 60 95
> > # description: Starts and stops the IPTABLES packet filter \
> > # used to provide firewall network services.
> > # Source function library.
> > . /etc/rc.d/init.d/functions
> > # Source networking configuration.
> > . /etc/sysconfig/network
> > # Check that networking is up.
> > if [ ${NETWORKING} = "no" ]
> > then
> > exit 0
> > fi
> > if [ ! -x /sbin/iptables ]; then
> > exit 0
> > fi
> > # See how we were called.
> > case "$1" in
> > start)
> > echo -n "Starting Firewalling: "
> > # ----------------------------------------------------------------------------
> > # Some definitions for easy maintenance.
> > # EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
> > #IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d \ -f 1`
> > IPADDR="10.2.0.28"
> > EXTERNAL_INTERFACE="eth0" # Internet connected interface
> > LOOPBACK_INTERFACE="lo" # Your local naming convention
> > PRIMARY_NAMESERVER="212.120.66.194" # Your Primary Name Server
> > SECONDARY_NAMESERVER="212.120.66.195" # Your Secondary Name Server
> > #SYSLOG_CLIENT="***.**.**.*" # Your Syslog Clients IP ranges
> > LOOPBACK="127.0.0.0/8" # Reserved loopback addr range
> > CLASS_A="10.0.0.0/8" # Class A private networks
> > CLASS_B="172.16.0.0/12" # Class B private networks
> > CLASS_C="192.168.0.0/16" # Class C private networks
> > CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addr
> > CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addr
> > BROADCAST_SRC="0.0.0.0" # Broadcast source addr
> > BROADCAST_DEST="255.255.255.255" # Broadcast destination addr
> > PRIVPORTS="0:1023" # Privileged port range
> > UNPRIVPORTS="1024:" # Unprivileged port range
> > # ----------------------------------------------------------------------------
> > # The SSH client starts at 1023 and works down to 513 for each
> > # additional simultaneous connection originating from a privileged
> > # port. Clients can optionally be configured to use only
> > # unprivileged ports.
> > SSH_LOCAL_PORTS="1022:65535" # Port range for local clients
> > SSH_REMOTE_PORTS="513:65535" # Port range for remote clients
> > # traceroute usually uses -S 32769:65535 -D 33434:33523
> > TRACEROUTE_SRC_PORTS="32769:65535"
> > TRACEROUTE_DEST_PORTS="33434:33523"
> > # ----------------------------------------------------------------------------
> > # Default policy is DENY
> > # Explicitly accept desired INCOMING & OUTGOING connections
> > # Remove all existing rules belonging to this filter
> > iptables -F
> > # Remove any existing user-defined chains.
> > iptables -X
> > # Set the default policy of the filter to deny.
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> > # ----------------------------------------------------------------------------
> > # LOOPBACK
> > # --------
> > # Unlimited traffic on the loopback interface.
> > iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
> > iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
> > #
> > #
> > #
> > # ----------------------------------------------------------------------------
> > # SPOOFING & BAD ADDRESSES
> > # Refuse spoofed packets.
> > # Ignore blatantly illegal source addresses.
> > # Protect yourself from sending to bad addresses.
> > # Refuse incoming packets pretending to be from the external
> > # address.
> > iptables -A INPUT -s $IPADDR -j DROP
> > # Refuse incoming packets claiming to be from a Class A, B or C private network
> > iptables -A INPUT -s $CLASS_A -j DROP
> > iptables -A INPUT -s $CLASS_B -j DROP
> > iptables -A INPUT -s $CLASS_C -j DROP
> > # Refuse broadcast address SOURCE packets
> > iptables -A INPUT -s $BROADCAST_DEST -j DROP
> > iptables -A INPUT -d $BROADCAST_SRC -j DROP
> > # Refuse Class D multicast addresses
> > # Multicast is illegal as a source address.
> > # Multicast uses UDP.
> > iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP
> > # Refuse Class E reserved IP addresses
> > iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP
> > # Refuse special addresses defined as reserved by the IANA.
> > # Note: The remaining reserved addresses are not included
> > # filtering them causes problems as reserved blocks are
> > # being allocated more often now. The following are based on
> > # reservations as listed by IANA as of 2001/01/04. Please regularly
> > # check at http://www.iana.org/ for the latest status.
> > # Note: this list includes the loopback, multicast, & reserved addresses.
> > # 0.*.*.* - Can't be blocked for DHCP users.
> > # 127.*.*.* - LoopBack
> > # 169.254.*.* - Link Local Networks
> > # 192.0.2.* - TEST-NET
> > # 224-255.*.*.* - Classes D & E, plus unallocated.
> > iptables -A INPUT -s 0.0.0.0/8 -j DROP
> > iptables -A INPUT -s 127.0.0.0/8 -j DROP
> > iptables -A INPUT -s 169.254.0.0/16 -j DROP
> > iptables -A INPUT -s 192.0.2.0/24 -j DROP
> > iptables -A INPUT -s 224.0.0.0/3 -j DROP
> > #
> > #
> > #
> > # ----------------------------------------------------------------------------
> > # UDP TRACEROUTE
> > # --------------
> > # traceroute usually uses -S 32769:65535 -D 33434:33523
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
> > --source-port $TRACEROUTE_SRC_PORTS \
> > -d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP
> > iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
> > -s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
> > --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT
> > #
> > #
> > #
> > # ----------------------------------------------------------------------------
> > # DNS forward-only nameserver
> > # ---------------------------
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
> > -s $PRIMARY_NAMESERVER --source-port 53 \
> > -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
> > iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
> > -s $IPADDR --source-port $UNPRIVPORTS \
> > -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
> > -s $PRIMARY_NAMESERVER --source-port 53 \
> > -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
> > iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
> > -s $IPADDR --source-port $UNPRIVPORTS \
> > -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
> > -s $SECONDARY_NAMESERVER --source-port 53 \
> > -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
> > iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
> > -s $IPADDR --source-port $UNPRIVPORTS \
> > -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
> > -s $SECONDARY_NAMESERVER --source-port 53 \
> > -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
> > iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
> > -s $IPADDR --source-port $UNPRIVPORTS \
> > -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
> > #
> > #
> > #
> > # ------------------------------------------------------------------
> > # POP server (110)
> > # ----------------
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
> > --source-port $UNPRIVPORTS \
> > -d $IPADDR --destination-port 110 -j ACCEPT
> > iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
> > -s $IPADDR --source-port 110 \
> > --destination-port $UNPRIVPORTS -j ACCEPT
> > # POP client (110)
> > # ----------------
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
> > --source-port 110 \
> > -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
> > iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
> > -s $IPADDR --source-port $UNPRIVPORTS \
> > --destination-port 110 -j ACCEPT
> > #
> > #
> > #
> > # ------------------------------------------------------------------
> > # SMTP server (25)
> > # ----------------
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
> > --source-port $UNPRIVPORTS \
> > -d $IPADDR --destination-port 25 -j ACCEPT
> > iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
> > -s $IPADDR --source-port 25 \
> > --destination-port $UNPRIVPORTS -j ACCEPT
> > #
> > #
> > #
> > # ------------------------------------------------------------------
> > # SMTP client (25)
> > # ----------------
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
> > --source-port 25 \
> > -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
> > iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
> > -s $IPADDR --source-port $UNPRIVPORTS \
> > --destination-port 25 -j ACCEPT
> > #
> > #
> > #
> > # ------------------------------------------------------------------
> > # SSH server (22)
> > # ---------------
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
> > --source-port $SSH_REMOTE_PORTS \
> > -d $IPADDR --destination-port 22 -j ACCEPT
> > iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
> > -s $IPADDR --source-port 22 \
> > --destination-port $SSH_REMOTE_PORTS -j ACCEPT
> > #
> > #
> > #
> > # ----------------------------------------------------------------------------
> > # ICMP
> > # ----
> > # To prevent denial of service attacks based on ICMP bombs, filter
> > # incoming Redirect (5) and outgoing Destination Unreachable (3).
> > # Note, however, disabling Destination Unreachable (3) is not
> > # advisable, as it is used to negotiate packet fragment size.
> > # For bi-directional ping.
> > # Message Types: Echo_Reply (0), Echo_Request (8)
> > # To prevent attacks, limit the src addresses to your ISP range.
> > #
> > # For outgoing traceroute.
> > # Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
> > # default UDP base: 33434 to base+nhops-1
> > #
> > # For incoming traceroute.
> > # Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
> > # To block this, deny OUTGOING 3 and 11
> > # 0: echo-reply (pong)
> > # 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
> > # 4: source-quench
> > # 5: redirect
> > # 8: echo-request (ping)
> > # 11: time-exceeded
> > # 12: parameter-problem
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
> > --icmp-type echo-reply \
> > -d $IPADDR -j ACCEPT
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
> > --icmp-type destination-unreachable \
> > -d $IPADDR -j ACCEPT
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
> > --icmp-type source-quench \
> > -d $IPADDR -j ACCEPT
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
> > --icmp-type time-exceeded \
> > -d $IPADDR -j ACCEPT
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
> > --icmp-type parameter-problem \
> > -d $IPADDR -j ACCEPT
> > iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
> > -s $IPADDR --icmp-type fragmentation-needed -j ACCEPT
> > iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
> > -s $IPADDR --icmp-type source-quench -j ACCEPT
> > iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
> > -s $IPADDR --icmp-type echo-request -j ACCEPT
> > iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
> > -s $IPADDR --icmp-type parameter-problem -j ACCEPT
> > #
> > #
> > #
> > # ----------------------------------------------------------------------------
> > # Enable logging for selected denied packets
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
> > --destination-port $PRIVPORTS -j DROP
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
> > --destination-port $UNPRIVPORTS -j DROP
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
> > --icmp-type 5 -j DROP
> > iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
> > --icmp-type 13/255 -j DROP
> > iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT
> > # ----------------------------------------------------------------------------
> > ;;
> > stop)
> > echo -n "Shutting Firewalling: "
> > # Remove all existing rules belonging to this filter
> > iptables -F
> > # Delete all user-defined chain to this filter
> > iptables -X
> > # Reset the default policy of the filter to accept.
> > iptables -P INPUT ACCEPT
> > iptables -P OUTPUT ACCEPT
> > iptables -P FORWARD ACCEPT
> > ;;
> > status)
> > status iptables
> > ;;
> > restart|reload)
> > $0 stop
> > $0 start
> > ;;
> > *)
> > echo "Usage: iptables {start|stop|status|restart|reload}"
> > exit 1
> > esac
> > echo "done"
> > exit 0
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
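The script quoted above sets IPADDR to 10.2.0.28 and then, before any service rule and without an interface match, drops every incoming packet whose source lies in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16; Raymond's reply adds that the OUTPUT chain must also let sshd's answers out. The following is an added example, not code from the thread or from its participants: a small Python first-match filter that replays those rules so both effects can be checked offline. It assumes a toy model of iptables (only the INPUT and OUTPUT rules an SSH packet can reach are included; loopback, DNS, mail and ICMP rules are omitted) and uses constructed client addresses 10.2.0.5 (a host on the same 10/8 LAN) and 203.0.113.9 (a host outside the private ranges).

```python
"""Added example, not code from the original thread: a toy first-match packet
filter replaying the rules from the quoted script that decide the fate of an
SSH connection.  It is a simulator, not iptables; client addresses and packets
are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPADDR = "10.2.0.28"            # value from the quoted script
EXTERNAL_INTERFACE = "eth0"     # value from the quoted script


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


def in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def in_range(port: int, rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def syn_only(p: Packet) -> bool:
    """iptables --syn: SYN set and ACK, RST, FIN clear (a SYN/ACK does not match)."""
    return "SYN" in p.flags and not (p.flags & {"ACK", "RST", "FIN"})


@dataclass
class Rule:
    """One iptables rule: every given field must match (None = wildcard)."""
    target: str
    comment: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None                 # address or CIDR
    dst: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None   # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    syn: Optional[bool] = None                # True = --syn, False = ! --syn

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if not in_net(p.src, self.src) or not in_net(p.dst, self.dst):
            return False
        if not in_range(p.sport, self.sport) or not in_range(p.dport, self.dport):
            return False
        if self.syn is not None and syn_only(p) != self.syn:
            return False
        return True


def evaluate(chain, policy: str, p: Packet):
    """First matching rule wins, as in iptables; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(p):
            return rule.target, rule.comment
    return policy, "chain policy"


# INPUT rules in the order the script appends them: anti-spoofing first, no -i match.
INPUT = [
    Rule("DROP", "anti-spoof: source is our own address", src=IPADDR),
    Rule("DROP", "anti-spoof: source in CLASS_A 10.0.0.0/8", src="10.0.0.0/8"),
    Rule("DROP", "anti-spoof: source in CLASS_B 172.16.0.0/12", src="172.16.0.0/12"),
    Rule("DROP", "anti-spoof: source in CLASS_C 192.168.0.0/16", src="192.168.0.0/16"),
    Rule("ACCEPT", "SSH server (22)", iface=EXTERNAL_INTERFACE, proto="tcp",
         sport=(513, 65535), dst=IPADDR, dport=(22, 22)),
    Rule("DROP", "final tcp catch-all", iface=EXTERNAL_INTERFACE, proto="tcp"),
]

# OUTPUT: the '! --syn' rule that lets sshd answer, then the script's final REJECT.
OUTPUT = [
    Rule("ACCEPT", "SSH server reply (! --syn)", iface=EXTERNAL_INTERFACE, proto="tcp",
         syn=False, src=IPADDR, sport=(22, 22), dport=(513, 65535)),
    Rule("REJECT", "final catch-all", iface=EXTERNAL_INTERFACE),
]


def trace_ssh(client_ip: str, client_port: int = 40000, output_chain=OUTPUT) -> dict:
    """Follow a client's SYN through INPUT and, if accepted, sshd's SYN/ACK through OUTPUT."""
    syn = Packet(EXTERNAL_INTERFACE, "tcp", client_ip, IPADDR, client_port, 22, frozenset({"SYN"}))
    verdict, rule = evaluate(INPUT, "DROP", syn)
    result = {"inbound": verdict, "inbound_rule": rule}
    if verdict == "ACCEPT":
        synack = Packet(EXTERNAL_INTERFACE, "tcp", IPADDR, client_ip, 22, client_port,
                        frozenset({"SYN", "ACK"}))
        result["reply"], result["reply_rule"] = evaluate(output_chain, "DROP", synack)
    return result


if __name__ == "__main__":
    # 10.2.0.5 and 203.0.113.9 are constructed client addresses for the demonstration.
    for ip in ("10.2.0.5", "203.0.113.9"):
        print(ip, trace_ssh(ip))
    print("without the OUTPUT reply rule:", trace_ssh("203.0.113.9", output_chain=OUTPUT[1:]))
```

Run as is, the LAN client is dropped by the CLASS_A anti-spoof rule before the SSH accept rule is ever evaluated, while the client outside the RFC 1918 ranges is accepted and sshd's SYN/ACK leaves through the `! --syn` OUTPUT rule; with that OUTPUT rule removed the answer hits the final REJECT, which is the failure Raymond describes. The anti-spoof rules in the script carry no `-i $EXTERNAL_INTERFACE`, so on a host that itself sits in 10/8 they have to be either restricted to the real Internet-facing interface or preceded by an explicit accept for the local network.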
* Re: IPTABLES and SSH -- READABILITY
2003-01-16 10:42 ` Raymond Leach
2003-01-16 11:07 ` Sven Schuster
2003-01-16 11:34 ` Arnt Karlsen
@ 2003-01-16 14:02 ` Andre Costa
2 siblings, 0 replies; 5+ messages in thread
From: Andre Costa @ 2003-01-16 14:02 UTC (permalink / raw)
To: netfilter
Gentlemen,
please don't forget to remove unnecessary quoted text from your replies.
Original poster was ok to send 300+ lines of code (after all, this was
the reason for the post in the 1st place), but replies kept 90% of
quoted lines for no reason...
Best,
Andre
On 16 Jan 2003 12:42:10 +0200
Raymond Leach <raymondl@knowledgefactory.co.za> wrote:
> On Thu, 2003-01-16 at 12:13, Steffen Bisgaard wrote:
> > Hallo everybody,
> >
> > This is the first time I use this feature so if I am doing anything
> > wrong please bear with me...
> >
> > I have the following iptables running on a RH7.3 machine. Can
> > anybody tell me why I am unable to ssh to the machine when iptables
> > is running?
> >
> > For the SSH part I have also tried:
> >
> >
> > iptables -I INPUT -i $EXTERNAL_INTERFACE -p tcp --dport 22 --sport
> > 1024:65535 -j ACCEPT
> >
> You also need to allow the server to respond:
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --sport 22 --dport
> 1024:65535 -j ACCEPT
>
> Have you checked your firewall log file for other clues?
[snip]
--
Andre Oliveira da Costa
2003-01-16 10:13 IPTABLES and SSH Steffen Bisgaard
2003-01-16 10:42 ` Raymond Leach
2003-01-16 11:07 ` Sven Schuster
2003-01-16 11:34 ` Arnt Karlsen
2003-01-16 14:02 ` IPTABLES and SSH -- READABILITY Andre Costa