* Adding Telnet to a Working Setup
From: Alyn Ashworth @ 2003-08-27 13:44 UTC (permalink / raw)
To: netfilter
I have a working iptables setup that uses the following script, and that I
would like to change to allow telnet connections from the local network
(eth0) but not from ppp0. Can anyone suggest the best way to do this
(politely and in words of one syllable, please!), and I would also welcome
any other comments on my script....
#============================SCRIPT STARTS==================================
# Load modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# (1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# (2) User-defined chain for ACCEPTed TCP packets - called okay
iptables -N okay
#next line would allow new connections
#iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP
# (3) INPUT chain rules
# Rules for incoming packets from LAN
iptables -A INPUT -p ALL -i eth0 -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.0.0/16 -j ACCEPT
#Rules for incoming packets from the Internet
#Packets for established connections
iptables -A INPUT -p ALL -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#TCP rules (not used at present as no services running over net)
#UDP rules
iptables -A INPUT -p UDP -i ppp0 -s 0/0 --destination-port 53 -j ACCEPT
iptables -A INPUT -p UDP -i ppp0 -s 0/0 --destination-port 2074 -j ACCEPT
iptables -A INPUT -p UDP -i ppp0 -s 0/0 --destination-port 4000 -j ACCEPT
#ICMP rules
iptables -A INPUT -p ICMP -i ppp0 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i ppp0 -s 0/0 --icmp-type 11 -j ACCEPT
# (4) FORWARD chain rules
# Accept packets we want to forward
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# (5) OUTPUT chain rules
# only output packets with local addresses (no spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.88 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.0/24 -j ACCEPT
# (6) POSTROUTING chain rules
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#==========================================================SCRIPT ENDS==================
Many thanks
Alyn.
Alyn W. Ashworth
* Re: Adding Telnet to a Working Setup
From: Ralf Spenneberg @ 2003-08-29 7:11 UTC (permalink / raw)
To: alyn; +Cc: Netfilter
Hi,
On Wed, 2003-08-27 at 15:44, Alyn Ashworth wrote:
> I have a working iptables setup that uses the following script, and that I
> would like to change to allow telnet connections from the local network
> (eth0) but not from ppp0.
Going where? To the firewall or the external network?
> Can anyone suggest the best way to do this
> (politely and in words of one syllable, please!), and I would also welcome
> any other comments on my script....
>
> #============================SCRIPT STARTS==================================
> # Load modules
> modprobe ip_tables
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
>
> # (1) Policies (default)
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # (2) User-defined chain for ACCEPTed TCP packets - called okay
> iptables -N okay
> #next line would allow new connections
> #iptables -A okay -p TCP --syn -j ACCEPT
> iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A okay -p TCP -j DROP
>
> # (3) INPUT chain rules
>
> # Rules for incoming packets from LAN
> iptables -A INPUT -p ALL -i eth0 -s 192.168.0.0/16 -j ACCEPT
The last rule allows telnet access to the firewall.
> iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 192.168.0.0/16 -j ACCEPT
You do not need the last rule. Replace the last two with:
iptables -A INPUT -i lo -j ACCEPT
You trust everything on loopback.
>
> #Rules for incoming packets from the Internet
>
> #Packets for established connexions
> iptables -A INPUT -p ALL -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> #TCP rules (not used at present as no services running over net)
>
> #UDP rules
> iptables -A INPUT -p UDP -i ppp0 -s 0/0 --destination-port 53 -j ACCEPT
> iptables -A INPUT -p UDP -i ppp0 -s 0/0 --destination-port 2074 -j ACCEPT
> iptables -A INPUT -p UDP -i ppp0 -s 0/0 --destination-port 4000 -j ACCEPT
>
> #ICMP rules
> iptables -A INPUT -p ICMP -i ppp0 -s 0/0 --icmp-type 8 -j ACCEPT
> iptables -A INPUT -p ICMP -i ppp0 -s 0/0 --icmp-type 11 -j ACCEPT
>
> # (4) FORWARD chain rules
> # Accept packets we want to forward
> iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
The last two rules allow telnet access to the Internet.
> # (5) OUTPUT chain rules
> # only output packets with local addresses (no spoofing)
> iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.88 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.0/24 -j ACCEPT
I do not know who 192.168.0.88 is. If it is the firewall, then this rule
allows the firewall to answer telnet, dns, whatever requests. Anyway,
you probably should add
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
This allows the firewall to answer all valid (see above) requests.
But I would strongly recommend reading some documents on (especially
stateful) firewalling, to understand what's going on.
> # (6) POSTROUTING chain rules
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
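Added example, not code from the thread or from either poster: a small Python first-match simulator of the INPUT and OUTPUT chains in Alyn's script, so the two questions raised above can be checked offline: whether the LAN can telnet to the firewall while ppp0 cannot, and whether the firewall's own replies get out of the OUTPUT chain, which is the gap Ralf's state rule closes. Assumed, because the thread does not state them: eth0 = 192.168.0.88 (the host named in the OUTPUT chain), ppp0 = 198.51.100.7 (an RFC 5737 documentation address standing in for the dial-up IP), peer addresses 192.168.0.10 and 203.0.113.x, and a tightened INPUT chain (INPUT_TIGHT) that accepts only telnet SYNs from eth0, which goes beyond the posted script.

```python
# Added example (not from the thread): first-match simulator for the INPUT
# and OUTPUT chains of the posted iptables script. Addresses are assumptions.
import ipaddress

ETH0_ADDR = "192.168.0.88"   # assumption: the firewall's LAN address
PPP0_ADDR = "198.51.100.7"   # assumption: the firewall's dial-up address


def rule(**match):
    """One iptables rule: match keys plus a 'target'. An absent key is a wildcard."""
    return match


# Transcribed from the posted script, in chain order (telnet-relevant rules only).
INPUT_ORIG = [
    rule(iface="eth0", src="192.168.0.0/16", target="ACCEPT"),
    rule(iface="lo", src="127.0.0.1/32", target="ACCEPT"),
    rule(iface="ppp0", state={"ESTABLISHED", "RELATED"}, target="ACCEPT"),
    rule(iface="ppp0", proto="udp", dport=53, target="ACCEPT"),
    rule(iface="ppp0", proto="icmp", icmp_type=8, target="ACCEPT"),
]
OUTPUT_ORIG = [
    rule(src="127.0.0.1/32", target="ACCEPT"),
    rule(src="192.168.0.88/32", target="ACCEPT"),
    rule(src="192.168.0.0/24", target="ACCEPT"),
]
# Ralf's suggested rule (spelled "-j ACCEPT"), placed at the top of OUTPUT.
OUTPUT_FIXED = [rule(state={"ESTABLISHED", "RELATED"}, target="ACCEPT")] + OUTPUT_ORIG

# Assumed tighter INPUT chain: loopback, then state, then only telnet SYNs
# from the LAN instead of "-i eth0 -s 192.168.0.0/16 -j ACCEPT" for every port.
INPUT_TIGHT = [
    rule(iface="lo", target="ACCEPT"),
    rule(state={"ESTABLISHED", "RELATED"}, target="ACCEPT"),
    rule(iface="eth0", src="192.168.0.0/24", proto="tcp", dport=23, syn=True, target="ACCEPT"),
    rule(iface="ppp0", proto="udp", dport=53, target="ACCEPT"),
    rule(iface="ppp0", proto="icmp", icmp_type=8, target="ACCEPT"),
]


def packet(iface, src, proto="tcp", dport=None, state="NEW", syn=False, icmp_type=None):
    """A packet as the matches see it; 'iface' is -i for INPUT (unused by OUTPUT rules here)."""
    return dict(iface=iface, src=src, proto=proto, dport=dport, state=state,
                syn=syn, icmp_type=icmp_type)


def matches(r, pkt):
    """True when every match key of the rule agrees with the packet."""
    for key, want in r.items():
        if key == "target":
            continue
        have = pkt[key]
        if key == "src":
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif key == "state":
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def verdict(chain, pkt, policy="DROP"):
    """Walk the chain top-down; the first matching rule decides, else the policy."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy


def scenarios():
    """Return {name: (INPUT verdict for the request, OUTPUT verdict for the firewall's reply)}."""
    lan_telnet = packet("eth0", "192.168.0.10", dport=23, syn=True)
    net_telnet = packet("ppp0", "203.0.113.5", dport=23, syn=True)
    net_dns = packet("ppp0", "203.0.113.53", proto="udp", dport=53)
    reply_lan = packet("eth0", ETH0_ADDR, state="ESTABLISHED")
    reply_net = packet("ppp0", PPP0_ADDR, proto="udp", state="ESTABLISHED")
    return {
        "orig: LAN telnet":       (verdict(INPUT_ORIG, lan_telnet), verdict(OUTPUT_ORIG, reply_lan)),
        "orig: Internet telnet":  (verdict(INPUT_ORIG, net_telnet), None),
        "orig: Internet DNS":     (verdict(INPUT_ORIG, net_dns), verdict(OUTPUT_ORIG, reply_net)),
        "fixed: Internet DNS":    (verdict(INPUT_ORIG, net_dns), verdict(OUTPUT_FIXED, reply_net)),
        "tight: LAN telnet":      (verdict(INPUT_TIGHT, lan_telnet), verdict(OUTPUT_FIXED, reply_lan)),
        "tight: LAN ssh":         (verdict(INPUT_TIGHT, packet("eth0", "192.168.0.10", dport=22, syn=True)), None),
        "tight: Internet telnet": (verdict(INPUT_TIGHT, net_telnet), None),
    }


if __name__ == "__main__":
    for name, (inp, out) in scenarios().items():
        print(f"{name:24} INPUT={inp:6} OUTPUT={out}")
```

Two things the walk makes visible. First, the blanket `-i eth0 -s 192.168.0.0/16 -j ACCEPT` rule already admits telnet (and every other port) from the LAN, and the DROP policy already refuses it on ppp0, so no new INPUT rule is needed; the tightened chain only narrows what the LAN may reach. Second, with the posted OUTPUT chain a DNS or ping reply leaving via ppp0 carries the dial-up address as its source, matches none of the three source rules and hits the DROP policy, which is exactly what the `--state RELATED,ESTABLISHED` rule fixes; masqueraded LAN traffic is unaffected because forwarded packets never traverse OUTPUT. The `okay` chain in the script is created but no rule jumps to it, so it has no effect on any of these verdicts.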
* Re: Adding Telnet to a Working Setup
From: cc @ 2003-08-29 8:33 UTC (permalink / raw)
To: Netfilter Group
Alyn Ashworth wrote:
> I have a working iptables setup that uses the following script, and that I
> would like to change to allow telnet connections from the local network
> (eth0) but not from ppp0. Can anyone suggest the best way to do this
Telnet connections into your firewall from the local net?
But haven't you already done that with your first INPUT rule and
your 3rd OUTPUT rule?
> iptables -A INPUT -p ALL -i eth0 -s 192.168.0.0/16 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.0/24 -j ACCEPT
Or did I completely miss the point?
> # (3) INPUT chain rules
>
> # Rules for incoming pakets from LAN
> iptables -A INPUT -p ALL -i eth0 -s 192.168.0.0/16 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 192.168.0.0/16 -j ACCEPT
I don't understand why or how packets from 'lo' could
come from anything but 127.0.0.1? Isn't the 3rd rule meaningless?
Or am I seriously mistaken?
> # (5) OUTPUT chain rules
> # only output packets with local addreses (no spoofing)
> iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.88 -j ACCEPT
> iptables -A OUTPUT -p ALL -s 192.168.0.0/24 -j ACCEPT
Isn't the 2nd made redundant by the 3rd rule? Given
rule #3, you don't need rule #2.
It's definitely a good way to learn if someone can correct
my mistakes in understanding your scripts.
Thanks