From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: workstation iptables
Date: Wed, 7 Oct 2015 21:41:39 +0100
User-Agent: KMail/1.13.7 (Linux/4.0.5-gentoo; KDE/4.14.8; x86_64; ; )
References: <201510070646.15772.michaelkintzios@gmail.com>
List-Id: Gentoo Linux mail
Message-Id: <201510072142.02185.michaelkintzios@gmail.com>

On Wednesday 07 Oct 2015 14:23:39 James wrote:
> Mick gmail.com> writes:
>
> > http://gentoo-en.vfose.ru/wiki/IptablesIptables_and_stateful_firewalls#State_basics
> >
> > Start iptables, run the script, stop iptables with '/etc/init.d/iptables
> > stop' which will save your rules to /var/lib/iptables/rules-save,
>
> after starting iptables, I ran /etc/firewall.sh (the previously published
> script) and the stop with the syntax above::
>
> cat /var/lib/iptables/rules-save
> # Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
> *mangle
> :PREROUTING ACCEPT [16022765:14170972269]
> :INPUT ACCEPT [16022479:14170935323]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [19311825:1508198446]
> :POSTROUTING ACCEPT [19311825:1508198446]
> COMMIT
> # Completed on Wed Oct 7 09:13:59 2015
> # Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
> *filter
> :INPUT DROP [471:17192]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [722751:44404539]
> [740388:740719942] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> # Completed on Wed Oct 7 09:13:59 2015
>
> was the output.

Are you sure that restarting iptables did not produce errors on the CLI?  The
script you are using is somewhat old and the iptables syntax has changed since
then.

Have a look here:  https://wiki.gentoo.org/wiki/Iptables

Your single rule line above should therefore look like this:

-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

but before this rule you should specify a default policy for your INPUT and
other chains - ideally one to DROP all packets coming in and allow all going
out; e.g.

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT

Also, to accept any INPUT packets on interfaces other than eth0, you would
precede these lines with:

-A INPUT ! -i eth0 -j ACCEPT

More details on syntax can be found in 'man iptables-extensions'.  You will
need to modify your script accordingly for this new syntax.  To see if you are
getting syntax errors run each rule on the CLI first, e.g.

/sbin/iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

and check that it takes with:

/sbin/iptables -L -v -n

NOTE:  The order in which you add iptables rules on the CLI is the order in
which they will end up listed in /var/lib/iptables/rules-save.

BTW, I recall a thread posted for a firewall script within the last couple of
years, but can't recall exactly who was the contributor.  Have a quick search
in Gmane to see if you can find it.

> sysctl is not set up. I did find this page on that::
> https://wiki.gentoo.org/wiki/Procfs
>
> Any suggestions on setting up sysctl for iptables and other future
> usage?
According to the URL you posted above you should use /etc/sysctl.d/local.conf,
rather than the legacy /etc/sysctl.conf which I suggested.  Apologies for a
bum steer.  Use your previous URL for stateful firewalls to see what sysctl
settings you need to add here.

> > nmap -A -T4 -P0 -vvv -p1-65535 XXX.XX.XXX.XX
>
> Worked flawlessly. Very precise syntax (thanks). Here are the highlights::
>
> Not shown: 65534 closed ports

Not good.  Unless you have set up a default policy to REJECT packets, this
shows ports that are not firewalled, but happen to be closed (no service is
running there).  If you had a DROP policy/rule for INPUT packets it should say
"65534 filtered ports".

> PORT STATE SERVICE VERSION
> 22/tcp open ssh OpenSSH 5.9p1-hpn13v11lpk (protocol 2.0)

Not good.  Unless you have also defined a rule for allowing connections to
port 22, this shows an open port, to which a service (ssh) is currently
listening for incoming connections.

If you want to only allow ssh connections from some local address
192.168.1.27, you can try adding a rule for it like this:

-A INPUT -s 192.168.1.27/32 -i eth0 -p tcp -m conntrack --ctstate NEW -m mac --mac-source 67:35:AC:34:89:48 -m conntrack --ctorigdstport 22 -j ACCEPT

> Not bad for a quick workstation firewall(s). After I get sysctl setup,
> I'll test a few other versions and post again. Then wikify these
> for community consumption.

Your script needs more work.  Look first at the iptables URL I posted above,
which has the modern syntax.  Also, either define a default INPUT chain policy
to DROP or REJECT packets, or end your script with rules to drop all other
packets, not already accepted by previous rules:

-A INPUT -i eth0 -j DROP

PS. Instead of running some script, you can always specify your rules in your
/var/lib/iptables/rules-save and also back it up.
Then use this file to change settings as you see fit and reload/start the
firewall for the settings to take.

--
Regards,
Mick
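The reply above suggests putting the ruleset straight into
/var/lib/iptables/rules-save rather than running an ad-hoc script. The
following is an added example, not code from Mick or from the thread: a POSIX
shell script that generates that file in iptables-restore format with the
pieces the reply describes (DROP policies on INPUT and FORWARD, accept on
non-eth0 interfaces, conntrack RELATED,ESTABLISHED, SSH only from one admin
host pinned to a MAC, and an explicit trailing DROP so the drops show up in
'iptables -L -v -n' counters), together with a sysctl fragment for
/etc/sysctl.d/local.conf. The interface name, admin address and MAC are the
placeholders from the reply's own illustration, the INVALID-state drop and
the sysctl keys are additions chosen here (the thread lists no sysctl
settings), and install_rules assumes Gentoo's OpenRC iptables service, whose
stop action saves the running rules as the thread notes.

```shell
#!/bin/sh
# Added example (not from the thread): build /var/lib/iptables/rules-save
# and /etc/sysctl.d/local.conf for a stateful workstation firewall.
# eth0, 192.168.1.27 and 67:35:AC:34:89:48 are placeholders; the sysctl
# keys below are an assumption, the thread does not name any.
set -eu

# gen_filter_rules IFACE ADMIN_IP ADMIN_MAC
# Prints the *filter table in iptables-restore syntax.  Rules are matched
# top down, first match wins, so the catch-all DROP must stay last.
gen_filter_rules() {
    iface="${1:-eth0}"
    admin_ip="${2:-192.168.1.27}"
    admin_mac="${3:-67:35:AC:34:89:48}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i ${iface} -j ACCEPT
-A INPUT -i ${iface} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ${iface} -m conntrack --ctstate INVALID -j DROP
-A INPUT -i ${iface} -s ${admin_ip}/32 -p tcp --dport 22 -m conntrack --ctstate NEW -m mac --mac-source ${admin_mac} -j ACCEPT
-A INPUT -i ${iface} -j DROP
COMMIT
EOF
}

# gen_sysctl_local_conf
# Prints /etc/sysctl.d/local.conf for a host that filters statefully and
# does not route.  Which keys to set is this example's choice.
gen_sysctl_local_conf() {
    cat <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
EOF
}

# check_rules IFACE ADMIN_IP ADMIN_MAC
# Parse the generated ruleset without committing it, so a syntax error in
# a rule surfaces before anything is loaded.  Needs root and iptables.
check_rules() {
    gen_filter_rules "$@" | iptables-restore --test
}

# install_rules IFACE ADMIN_IP ADMIN_MAC
# Stop the service first (on Gentoo that saves the running rules to
# rules-save), keep that file as a backup, write the new files, start again.
# Root only; the host is unfiltered between stop and start.
install_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "install_rules: run as root" >&2; return 1; }
    /etc/init.d/iptables stop
    if [ -f /var/lib/iptables/rules-save ]; then
        cp -p /var/lib/iptables/rules-save /var/lib/iptables/rules-save.bak
    fi
    gen_filter_rules "$@" > /var/lib/iptables/rules-save
    gen_sysctl_local_conf > /etc/sysctl.d/local.conf
    sysctl -p /etc/sysctl.d/local.conf
    /etc/init.d/iptables start
}

# FIREWALL_INSTALL=1 ./firewall.sh eth0 192.168.1.27 67:35:AC:34:89:48
# applies the ruleset; without the variable the files are only printed.
if [ "${FIREWALL_INSTALL:-0}" = 1 ]; then
    install_rules "$@"
else
    gen_filter_rules "$@"
    echo
    gen_sysctl_local_conf
fi
```

Run check_rules as root before install_rules to catch a mistyped rule, then
confirm with '/sbin/iptables -L -v -n' that the INPUT policy reads DROP and
that the last INPUT rule is the explicit drop. With this ruleset a scan like
the nmap command in the thread should report the unused ports as filtered
rather than closed, and port 22 as open only from the admin host.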