Linux Gurus - iptables - WTH?

Dopers,

Anybody want to try and explain IPTables to me? I’ve googled and googled but even the intro tutorials are complicated. I wouldn’t even consider myself a linux newbie.

Background
I recently installed apache2 on my linux box. In an attempt to lock things down a little better, I fired up iptables. I noticed two things right off the bat that it was stopping; my Samba connections to Windows 2000 shares were not accessible and I was no longer able to passive ftp into my ftp server.

So, first, here’s my iptables file:



# Firewall configuration written by redhat-config-securitylevel
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s 68.33.103.42 --dport 80 -j REJECT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


Now, I added 4 entries to the out-of-the-box config. The tcp port 139, udp 138, udp 137 and finally the specific ip address reject. The 139, 138 and 137 were supposed to be the ports for SAMBA but opening those hasn’t fixed that problem. The specific ip reject is to block a box launching a continual attack on my apache server (that one seems to work).

1.) anyone know where I went wrong with SAMBA? How can I set it to only allow boxes on my network to see the SAMBA shares (i.e. anything in 192.168.1.0/24; -s maybe)?
2.) does my specific ip block look correct?
3.) to get passive ftp to work, I think I must specify a passive port range in my ftp config and then open those ports, right?

Details
Fedora Core 1 - VSftpd - Apache2 - if you need the version #s I’ll dig them out.

Thanks,

LarsenMTL
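An added example (not the original poster's file, and not something redhat-config-securitylevel writes): a small shell script that regenerates the ruleset above in the same iptables-restore format, with the three changes the questions ask about. The LAN prefix 192.168.1.0/24 and the passive range 50000-50100 are assumptions (the range has to match pasv_min_port/pasv_max_port in vsftpd.conf), as is adding TCP 445, which Windows 2000 and later use for SMB alongside 139. The per-host REJECT in the original is already in the right place: iptables takes the first matching rule, so it has to stay above the port 80 ACCEPT.

```shell
#!/bin/sh
# Added example, not from the original post: regenerate the poster's
# redhat-config-securitylevel ruleset (iptables-restore format) with
# Samba restricted to the LAN, a passive FTP range and logging of rejects.
# Assumptions: LAN prefix, passive range, inclusion of TCP 445.
LAN=${LAN:-192.168.1.0/24}          # assumed: the poster's LAN
BLOCKED=${BLOCKED:-68.33.103.42}    # attacking host quoted in the post
PASV_MIN=${PASV_MIN:-50000}         # assumed; must equal pasv_min_port
PASV_MAX=${PASV_MAX:-50100}         # assumed; must equal pasv_max_port

gen_rules() {
cat <<EOF
# Generated ruleset: '#' lines are ignored by iptables-restore
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Per-host block: must stay ABOVE the port 80 ACCEPT, first match wins.
-A RH-Firewall-1-INPUT -s $BLOCKED -p tcp --dport 80 -j REJECT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# Samba: NetBIOS name/datagram (UDP 137/138), session service (TCP 139)
# and direct SMB (TCP 445, assumed), all limited to the LAN with -s.
-A RH-Firewall-1-INPUT -s $LAN -p udp --dport 137:138 -j ACCEPT
-A RH-Firewall-1-INPUT -s $LAN -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s $LAN -m state --state NEW -p tcp --dport 445 -j ACCEPT
# Passive FTP data connections (range assumed, see vsftpd.conf).
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport $PASV_MIN:$PASV_MAX -j ACCEPT
# Log what is about to be rejected (rate-limited), then reject as before.
-A RH-Firewall-1-INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-REJECT: "
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# 1-based line number of the first rule line containing the literal string $1
rule_index() {
    gen_rules | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
    --apply) gen_rules | iptables-restore ;;   # as root; replaces the live ruleset
    *)       gen_rules ;;                      # default: print for review
esac
```

Run it without arguments to print the ruleset for review, or with `--apply` as root to load it. If Samba still fails after this, the LOG rule shows in /var/log/messages exactly which port is being rejected. A state-based alternative to opening a passive range is loading the FTP connection-tracking helper (`modprobe ip_conntrack_ftp` on the 2.4 kernels Fedora Core 1 shipped), which makes PASV data connections match the existing RELATED rule; it only works for unencrypted FTP, since the helper has to read the PASV reply.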

A few quick recommendations, then I’ll let the others chime in:

First, don’t modify your system firewall file directly at first. Instead, write a shell script to build your firewall. It’s much more readable and powerful. Then when your firewall is built how you like it, you can run iptables-save to create the file in the format you need (the format you used in your example).

Secondly, be sure to set your default policy to DROP, then ACCEPT individual ports as needed. Much safer than the other way around. I don’t think the default red hat firewall script is set up this way (which is why I didn’t use it at all)

Third, use the logging capability of iptables to figure out what ports are being blocked when you’re trying to use ANY service (like samba) that you want to let through. That way, you can see from your log which port you need to open up in your firewall.

I recommend the book “Linux Firewalls” by Bob Ziegler. Great book…covers all of the ins-and-outs of firewall design with iptables. He has a site that has some good information (http://linux-firewall-tools.com/linux/) but the book is much better.

Here is a sample firewall build script: (minus the definitions of the variables $LOCALIP, etc)

echo "Removing existing firewall rules"

# Remove any existing rules from all chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Allow unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set the default policy to DROP
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

################################
# Remove any pre-existing user-defined chains
################################
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
################################

echo "Configuring"
################################
# Allow remote access to a local web server
################################
echo "...Web Server"
iptables -A INPUT -i $INTERNET -p tcp --sport $UNPRIVPORTS \
    -d $LOCALIP --dport 80 -m state --state NEW -j ACCEPT

iptables -A INPUT -i $INTERNET -p tcp --sport $UNPRIVPORTS \
    -d $LOCALIP --dport 80 -j ACCEPT

iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
    -s $LOCALIP --sport 80 --dport $UNPRIVPORTS -j ACCEPT
################################

################################
# Log dropped packets (useful for testing a specific need)
#
# Uncomment these lines to enable logging of dropped packets
#
# NOTE: Do NOT leave this on all the time, as it will produce a lot of logs
################################
#echo "...Logging of dropped packets"
#iptables -A INPUT -i $INTERNET -j LOG
################################

echo "Firewall Setup Complete"

Hope that helps you a little. Time to go to bed…

By the way, remember that when you define a “Drop all connections except the ones I specify” firewall, it’s a lot more annoying to get it working the way you want it, because you’ll have to define EVERYTHING. After running the script I gave you, the only thing that will work is local IP traffic, and serving up web pages. It won’t even allow running a web browser or DNS lookups…you have to define those separately.

But, that said, after you define everything you’ll be MUCH more satisfied with your level of protection.

I didn’t pay much attention to my firewall until after I got hacked (someone hacked into my print driver and gained control of the system). Now I’m pretty anal about it.
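An added example, not SiouxChief's script: the same default-DROP build-script structure, extended with the pieces the post says have to be defined separately (DNS lookups, a web browser) using connection tracking, plus the logging recommendation with a rate limit so a port scan cannot fill the disk. The interface eth0, the address 192.168.1.10 and the admin network 192.168.1.0/24 are assumptions to edit before applying.

```shell
#!/bin/sh
# Added example (not the poster's script): default-DROP firewall build
# script with stateful egress for DNS/web clients and rate-limited logging.
# Assumptions: outside interface, local address, admin network for SSH.
INTERNET=${INTERNET:-eth0}              # assumed outside interface
LOCALIP=${LOCALIP:-192.168.1.10}        # assumed address on that interface
ADMIN_NET=${ADMIN_NET:-192.168.1.0/24}  # assumed: where SSH logins come from
DRY_RUN=${DRY_RUN:-}                    # non-empty: print commands, do not apply

# Every rule goes through run() so the whole script can be reviewed unprivileged.
run() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_firewall() {
    # Clean slate: flush rules, then drop (now empty) user-defined chains.
    for t in filter nat mangle; do
        run -t $t --flush
        run -t $t --delete-chain
    done
    # Policy first, so nothing slips through while the rules are being added.
    run --policy INPUT DROP
    run --policy OUTPUT DROP
    run --policy FORWARD DROP

    # Loopback is unrestricted.
    run -A INPUT  -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT

    # Packets belonging to a connection already allowed pass in both
    # directions; this pair replaces per-service reply rules such as the
    # hand-written '! --syn' rule in the script above.
    run -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT  -m state --state INVALID -j DROP

    # Inbound services: web to everyone, SSH only from the admin network.
    run -A INPUT -i $INTERNET -d $LOCALIP -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run -A INPUT -i $INTERNET -s $ADMIN_NET -d $LOCALIP -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Outbound client traffic a bare DROP policy breaks: DNS and a browser.
    run -A OUTPUT -o $INTERNET -s $LOCALIP -p udp --dport 53 -m state --state NEW -j ACCEPT
    run -A OUTPUT -o $INTERNET -s $LOCALIP -p tcp --dport 53 -m state --state NEW -j ACCEPT
    run -A OUTPUT -o $INTERNET -s $LOCALIP -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # Log what the DROP policy is about to eat. The limit match keeps a scan
    # from flooding the log; the prefix makes grepping /var/log/messages easy.
    run -A INPUT  -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "FW-DROP-IN: "
    run -A OUTPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "FW-DROP-OUT: "
}

# Number of rules (in dry-run output) containing the literal string $1
count_rules() {
    DRY_RUN=1 build_firewall | grep -c -F -- "$1"
}

case "${1:-}" in
    --apply) build_firewall ;;            # needs root
    *)       DRY_RUN=1 build_firewall ;;  # default: show what would be run
esac
```

Run it without arguments to see every iptables command it would issue; `--apply` as root installs them. The RELATED state also admits ICMP errors tied to tracked connections, which is what keeps path-MTU discovery working under a DROP policy; plain ping would still need its own rule.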

SiouxChief - thanks for the excellent advice. I guess I’m looking for too quick of a fix without delving into the nitty-gritty of it. The site you provide had some sample scripts and I think that’ll be a good starting point.