From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: workstation iptables
Date: Wed, 7 Oct 2015 21:41:39 +0100
Message-ID: <201510072142.02185.michaelkintzios@gmail.com>
In-Reply-To: <loom.20151007T145510-218@post.gmane.org>
On Wednesday 07 Oct 2015 14:23:39 James wrote:
> Mick <michaelkintzios <at> gmail.com> writes:
> > > http://gentoo-en.vfose.ru/wiki/IptablesIptables_and_stateful_firewalls#State_basics
> >
> > Start iptables, run the script, stop iptables with '/etc/init.d/iptables
> > stop' which will save your rules to /var/lib/iptables/rules-save,
>
> after starting iptables, I ran /etc/firewall.sh (the previously published
> script) and the stop with the syntax above:
>
> cat /var/lib/iptables/rules-save
> # Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
> *mangle
> :PREROUTING ACCEPT [16022765:14170972269]
> :INPUT ACCEPT [16022479:14170935323]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [19311825:1508198446]
> :POSTROUTING ACCEPT [19311825:1508198446]
> COMMIT
> # Completed on Wed Oct 7 09:13:59 2015
> # Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
> *filter
> :INPUT DROP [471:17192]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [722751:44404539]
> [740388:740719942] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> # Completed on Wed Oct 7 09:13:59 2015
>
> was the output.
Are you sure that restarting iptables did not produce errors on the CLI? The
script you are using is somewhat old and the iptables syntax has changed since
then.
Have a look here:
https://wiki.gentoo.org/wiki/Iptables
Your single rule line above should therefore look like this:
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
but before this rule you should specify a default policy for your INPUT and
other chains - ideally one to DROP all packets coming in and allow all going
out; e.g.
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
Also, to accept any INPUT packets on interfaces other than eth0, you would
precede these lines with:
-A INPUT ! -i eth0 -j ACCEPT
More details on syntax can be found in 'man iptables-extensions'. You will
need to modify your script accordingly for this new syntax. To see if you are
getting syntax errors run each rule on the CLI first, e.g.
/sbin/iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
and check that it takes with:
/sbin/iptables -L -v -n
NOTE: The order in which you add iptables rules on the CLI is the order in
which they will end up listed in /var/lib/iptables/rules-save.
BTW, I recall a thread posted for a firewall script within the last couple of
years, but can't recall exactly who was the contributor. Have a quick search
in Gmane to see if you can find it.
> sysctl is not set up. I did find this page on that:
> https://wiki.gentoo.org/wiki/Procfs
>
> Any suggestions on setting up sysctl for iptables and other future
> usage?
According to the URL you posted above you should use /etc/sysctl.d/local.conf,
rather than the legacy /etc/sysctl.conf which I suggested. Apologies for a
bum steer. Use your previous URL for stateful firewalls to see what sysctl
settings you need to add here.
> > nmap -A -T4 -P0 -vvv -p1-65535 XXX.XX.XXX.XX
>
> Worked flawlessly. Very precise syntax (thanks). Here are the highlights:
>
> Not shown: 65534 closed ports
Not good. Unless you have set up a default policy to REJECT packets, this
shows ports that are not firewalled, but happen to be closed (no service is
running there). If you had a DROP policy/rule for INPUT packets it should say
"65534 filtered ports".
> PORT STATE SERVICE VERSION
> 22/tcp open ssh OpenSSH 5.9p1-hpn13v11lpk (protocol 2.0)
Not good. Unless you have also defined a rule for allowing connections to
port 22, this shows an open port, to which a service (ssh) is currently
listening for incoming connections.
If you want to only allow ssh connections from some local address
192.168.1.27, you can try adding a rule for it like this:
-A INPUT -s 192.168.1.27/32 -i eth0 -p tcp -m conntrack --ctstate NEW -m mac --mac-source 67:35:AC:34:89:48 -m conntrack --ctorigdstport 22 -j ACCEPT
> Not bad for a quick workstation firewall(s). After I get sysctl setup,
> I'll test a few other versions and post again. Then wikify these
> for community consumption.
Your script needs more work. Look first at the iptables URL I posted above,
which has the modern syntax. Also, either define a default INPUT chain policy
to DROP or REJECT packets, or end your script with rules to drop all other
packets, not already accepted by previous rules:
-A INPUT -i eth0 -j DROP
PS. Instead of running some script, you can always specify your rules in your
/var/lib/iptables/rules-save and also back it up. Then use this file to
change settings as you see fit and reload/start the firewall for the settings
to take.
--
Regards,
Mick
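As an added example that is not part of this thread, the script below reads an iptables-save dump such as the one James posted and checks it for the points Mick raises: a DROP policy (or trailing catch-all DROP) on INPUT, a DROP policy on FORWARD, the legacy '-m state' match versus '-m conntrack --ctstate', and a rule accepting RELATED,ESTABLISHED replies. Both rule sets are constructed samples; the second follows Mick's suggested lines.

```python
import re
# Constructed sample: the *filter table James posted, as iptables-save -c wrote it.
POSTED_RULES = """\
*filter
:INPUT DROP [471:17192]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [722751:44404539]
[740388:740719942] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
# Constructed sample: the same table rewritten along the lines Mick suggests.
SUGGESTED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
COMMIT
"""
def parse_filter_table(text):
    """Return ({chain: policy}, [rule, ...]) for the *filter table of a dump."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header: *mangle, *nat, *filter
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith(("-A", "[")):
            # iptables-save -c prefixes each rule with [packets:bytes]; strip it
            rules.append(re.sub(r"^\[\d+:\d+\]\s*", "", line))
    return policies, rules
def audit(text):
    """Return a list of findings; empty means the table follows the advice above."""
    policies, rules = parse_filter_table(text)
    inputs = [r for r in rules if r.startswith("-A INPUT ")]
    findings = []
    # A built-in policy can only be ACCEPT or DROP (REJECT is a rule target), so
    # INPUT needs either a DROP policy or a trailing catch-all '-j DROP' rule.
    if policies.get("INPUT") != "DROP" and not (inputs and inputs[-1].endswith("-j DROP")):
        findings.append("INPUT: no DROP policy and no final catch-all DROP rule")
    if policies.get("FORWARD") != "DROP":
        findings.append("FORWARD: policy is %s, not DROP" % policies.get("FORWARD"))
    if any("-m state --state" in r for r in rules):
        findings.append("legacy '-m state' match; use '-m conntrack --ctstate'")
    if not any(re.search(r"--(ct)?state RELATED,ESTABLISHED", r) for r in inputs):
        findings.append("INPUT: replies to outbound connections are not accepted")
    return findings
```

Feed it the real file with audit(open("/var/lib/iptables/rules-save").read()); a dump that also contains *mangle or *nat tables is handled, since only the *filter table is inspected.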