iptables help with rules


 
Thread Tools Search this Thread
Top Forums UNIX for Advanced & Expert Users iptables help with rules
# 1  
Old 01-01-2017
iptables help with rules

Hi,

I've been struggling with this all morning and seem to have a blind spot on what the problem is. I'm trying to use iptables to block traffic on a little cluster of raspberry pi's but to allow ssh and ping traffic within it.

The cluster has a firewall server with a wifi card connecting to my home network and eth0 connection to a switch connecting the pi's within the cluster. All the other pi's just use the switch to talk to each on a network. They all use IP addresses in the range 10.10.1.2/5. The firewall pi uses 10.10.1.1 for eth0 and picks up a 192.168.1.122 address from my router on the wifi card.

I have this rule set that is currently preventing me from ssh'ing from the fwl to an internal pi on the cluster. I know that because if I clear the rules I can connect:

Code:
root@fwl:~# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   70  5472 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh ctstate NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-reply
   59  8329 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  3304 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:ssh ctstate NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    lo      anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:domain state NEW
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain state NEW
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
   14  1032 DROP       all  --  any    any     anywhere             anywhere

Here is the script I use to create the rules:

Code:
root@fwl:~# cat fwl.cfg
#!/bin/sh

# Flushing all rules
iptables -F
iptables -X

# Setting default filter policy
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow ssh
iptables -I INPUT -p tcp  --dport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p tcp --sport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Setting default filter policy
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP

I'm no expert on firewalls but I've been reading a lot this morning about setting up ssh in iptables and think the idea is to allow what you want and then append a drop of everything else after those rules.

Most of the pages I've looked at suggest doing this at the start of the rules:

Code:
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP

and then relaxing the rules for ssh and ping afterwards, but I couldn't get that to work either.

Like I said though, I can connect if I flush the rules out.

Can anyone suggest where I'm going wrong?

Thanks

Steady
# 2  
Old 01-01-2017
Hi,

for debugging purposes I suggest you add some these logging rules

Code:
# Logging rules of what packages are dropped
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG

Just before the Default-Drop-Rules

Code:
# Setting default filter policy 
iptables -A INPUT -j DROP 
iptables -A OUTPUT -j DROP 
iptables -A FORWARD -j DROP

You should find the messages of the drop rules somewhere within the /var/log directory - most likely in log file kern.log there.

As for a possible error I'm wondering if state NEW for dns is sufficient. I would add ESTABLISHED to.

What I'm wondering too ist that you use 2 different methods to define your state. You use conntrack/cstate for ssh and state for dns/http. I suggest to use the state method for ssh too. (Never used conntrack with this).

Last edited by stomp; 01-01-2017 at 11:45 AM..
These 2 Users Gave Thanks to stomp For This Post:
# 3  
Old 01-01-2017
Thanks, stomp,

That logging tip is really useful. Looks like I'm sending a SYN but not allowing a SYN-ACK if I'm understanding it correctly:

Code:
Dec 31 22:39:44 fwl kernel: [ 5336.614582] IN= OUT=eth0 SRC=10.10.1.1 DST=10.10.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48912 DF PROTO=TCP SPT=45562 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 31 22:39:52 fwl kernel: [ 5344.634727] IN= OUT=eth0 SRC=10.10.1.1 DST=10.10.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48913 DF PROTO=TCP SPT=45562 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 31 22:40:08 fwl kernel: [ 5360.654968] IN= OUT=eth0 SRC=10.10.1.1 DST=10.10.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48914 DF PROTO=TCP SPT=45562 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

---------- Post updated at 04:05 PM ---------- Previous update was at 03:22 PM ----------

So my current set of rules is created like so:

Code:
root@fwl:~# cat fwl.cfg
#!/bin/sh

# Flushing all rules
#iptables -F
#iptables -X

# Logging rules
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
#iptables -A FORWARD -j LOG

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow ssh
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp  --dport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

#iptables -A INPUT  -p tcp  --dport 22  -j ACCEPT
#iptables -A OUTPUT -p tcp  --sport 22  -j ACCEPT

iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ping
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

When trying to make a connection from the fwl pi into one of the others I see a SYN go out but nothing back in my post of the log as shown above.

For the life of name I can't understand why or how to progress with investigating, so all suggestions welcome folks.
# 4  
Old 01-01-2017
Look at my other two advices above. The solution will most likely to change that conntrack thingy.
# 5  
Old 01-01-2017
This works but...

I've tried

Code:
iptables -A INPUT  -p tcp  --dport 22  -j ACCEPT
iptables -A OUTPUT -p tcp  --sport 22  -j ACCEPT

But that makes no difference. It seems to be the port that is causing the issue as this works fine:

Code:
iptables -A INPUT  -p tcp  -j ACCEPT
iptables -A OUTPUT -p tcp  -j ACCEPT


Combined, these allow me to log in via the wlan0 interface and go onto the inner pi's via eth0:

Code:
# Allow ssh
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp  --dport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp  -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp  -j ACCEPT

But I can't define port 22 on the eth0 interface without it failing... Weird! I wonder if it could be related to my interfaces file:

Code:
root@fwl:~# cat /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)

# Please note that this file is written to be used with dhcpcd
# For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf'

# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback
auto eth0

iface eth0 inet static
    address 10.10.1.1
    netmask 255.255.255.0
    network 10.10.1.0

allow-hotplug wlan0
iface wlan0 inet dhcp
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. IP Networking

iptables - formatting icmp rules

Hi, I am relatively new to firewalls and netfilter. I have a Debian Stretch router box running dnsmasq, connected to a VPN. Occasionally dnsmasq polls all of the desired DNS servers to select the fastest. When it does this it responds to replies of the non-selected DNS servers with a icmp type... (0 Replies)
Discussion started by: CrazyDave
0 Replies

2. Cybersecurity

Need help for iptables rules

Hello, I did 2 scripts. The second one is, I hope, more secure. What do you think? Basic connection (no server, no router, no DHCP and the Ipv6 is disabled) #######script one #################### iptables -F iptables -X -t filter iptables -P INPUT DROP iptables -P FORWARD... (6 Replies)
Discussion started by: Thomas342
6 Replies

3. Shell Programming and Scripting

Need to Convert the QNX rules to UNIX iptables

Need to convert the QNX rules to Linux ubuntu 12.04. kindly any one help us with any tools (4 Replies)
Discussion started by: mageshkumar
4 Replies

4. UNIX for Advanced & Expert Users

Editing iptables rules with custom chain

Hello, I have iptables service running on my CentOS5 server. It has approx 50 rules right now. The problem I am facing now is as follows - I have to define a new chain in the filter table, say DOS_RULES & add all rules in this chain starting from index number 15 in the filter table. ... (1 Reply)
Discussion started by: BhushanPathak
1 Replies

5. Red Hat

iptables Rules for my network

Hi Champs i am new in Iptables and trying to write rules for my Samba server.I took some help from internet, created one script and run from rc.local : #Allow loopback iptables -I INPUT -i lo -j ACCEPT # Accept packets from Trusted network iptables -A INPUT -s my-network/subnet -j... (0 Replies)
Discussion started by: Vaibhav.T
0 Replies

6. Red Hat

Iptables/Firewall rules for multicast IP.

Hi Gurus, I need to add Multicast Port = xyz Multicast Address = 123.134.143 ( example) to my firewall rules. Can you please guide me with the lines I need to update my iptables files with. (0 Replies)
Discussion started by: rama krishna
0 Replies

7. Ubuntu

iptables rules (ubuntu)

Could someone help me with writing rules for iptables? I need a dos attacks protection for a game server. port type udp ports 27015:27030 interface: eth0 Accept all packets from all IPs Chek if IP sent more than 50 packets per second Drop all packets from this IP for 5 minutes I would be... (0 Replies)
Discussion started by: Greenice
0 Replies

8. Cybersecurity

Editing rules on iptables

Hello, I was playing around with iptables to setup an isolated system. On a SLES10 system, I ran the below to setup my first draft of rules. I noticed that the rules come into effect immediately and do not require any restart of iptables. iptables -A INPUT -j ACCEPT iptables -A OUTPUT -m... (4 Replies)
Discussion started by: garric
4 Replies

9. IP Networking

Iptables rules at boot

Hi I have small home network and I want to block some forums on web When I use this iptables -A INPUT -s forum -j DROP rules is applied but when I restart some of PC rules are not present any more also I tried to save firewall settings iptables-save > /root/dsl.fw but how to... (2 Replies)
Discussion started by: solaris_user
2 Replies

10. Shell Programming and Scripting

SED inserting iptables rules in while loop

I'm trying to insert multiple new lines of text into an iptables script using sed in a while loop. I'm not sure if this is the most effective way. Searching the forums has helped me come up with a good beginning but it's not 100%. I'd like it to search out a unique line in my current iptables file... (2 Replies)
Discussion started by: verbalicious
2 Replies
Login or Register to Ask a Question