* [gentoo-user] iptables question...
From: Tanstaafl @ 2011-12-16 15:17 UTC
To: gentoo-user
Hi all,
I was reading up on some iptables rules in the gentoo security handbook:
http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12&style=printable
It mentions DROPing packets with an INVALID state.
It sounded/sounds like a good idea, so I added the following rule:
-A INPUT -i eth0 -m state --state INVALID -j LOG
As suggested, I added this rule just ABOVE this one:
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
I also changed the DROP action to LOG so I could see what it did if
anything.
Right after adding this rule, I started seeing lines like this in the log:
Dec 16 10:15:31 myhost kernel: IN=eth0 OUT=
MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=208.87.137.233
DST=192.168.1.252 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP
SPT=50113 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
What I don't understand is why it isn't using my LOG prefix that is used
for everything else:
-A INPUT -j LOG --log-prefix "(>fw-drop): " --log-level 7
Anyone?
* Re: [gentoo-user] iptables question...
From: Hari Purnama @ 2011-12-17 16:34 UTC
To: gentoo-user
On 12/16/11 22:17, Tanstaafl wrote:
> Hi all,
>
> I was reading up on some iptables rules in the gentoo security handbook:
>
> http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12&style=printable
>
>
> It mentions DROPing packets with an INVALID state.
>
> It sounded/sounds like a good idea, so I added the following rule:
>
> -A INPUT -i eth0 -m state --state INVALID -j LOG
>
> As suggested, I added this rule just ABOVE this one:
>
> -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I also changed the DROP action to LOG so I could see what it did if
> anything.
>
> Right after adding this rule, I started seeing lines like this in the
> log:
>
> Dec 16 10:15:31 myhost kernel: IN=eth0 OUT=
> MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=208.87.137.233
> DST=192.168.1.252 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP
> SPT=50113 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
>
> What I don't understand is why it isn't using my LOG prefix that is
> used for everything else:
>
> -A INPUT -j LOG --log-prefix "(>fw-drop): " --log-level 7
>
> Anyone?
>
Did you put the log-prefix rule before or after the LOG rule?
Or why didn't you put it in a one-liner, say:
-A INPUT -i eth0 -m state --state INVALID -j LOG --log-level 7
--log-prefix "(>fw-drop): " --log-ip-options --log-tcp-options
--
Regards,
* Re: [gentoo-user] iptables question...
From: Tanstaafl @ 2011-12-17 17:25 UTC
To: gentoo-user
On 2011-12-17 11:34 AM, Hari Purnama <hari@mapits.com> wrote:
> Did you put the log-prefix rule before or after the LOG rule?
After - the log prefix rule is last...
> Or why didn't you put it in a 1liner, say:
>
> -A INPUT -i eth0 -m state --state INVALID -j LOG --log-level 7
> --log-prefix "(>fw-drop): " --log-ip-options --log-tcp-options
Well, because I thought the log prefix rule applied to everything that
comes before it...?
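The log format discussed in this exchange, taken apart in an added example that is not from the thread: a small parser for netfilter LOG lines that separates the rule's own --log-prefix from the packet fields, so the unprefixed lines written by the INVALID rule can be told from the catch-all rule's prefixed ones. The first sample line is the one quoted above; the second (source 203.0.113.7) is constructed.

```python
import re

# Sample kernel LOG output. The first line is the one quoted in the thread (from the
# INVALID rule, which has no --log-prefix); the second is constructed to show what
# the same host logs through the catch-all rule with --log-prefix "(>fw-drop): ".
SAMPLE_LOG = """\
Dec 16 10:15:31 myhost kernel: IN=eth0 OUT= MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=208.87.137.233 DST=192.168.1.252 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=50113 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Dec 16 10:16:02 myhost kernel: (>fw-drop): IN=eth0 OUT= MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=203.0.113.7 DST=192.168.1.252 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4242 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
# Text after "kernel: " (optionally a printk timestamp) is what the LOG target wrote.
KERNEL_RE = re.compile(r"kernel: (?:\[\s*\d+\.\d+\] )?(.*)$")


def parse_log_line(line):
    """Split one netfilter LOG line into its prefix, key=value fields and TCP flags."""
    m = KERNEL_RE.search(line)
    if not m:
        return None
    body = m.group(1)
    start = body.find("IN=")
    if start < 0:
        return None
    # The LOG target writes the rule's own --log-prefix immediately before "IN=";
    # a rule without --log-prefix leaves it empty, whatever other LOG rules carry.
    entry = {"prefix": body[:start], "flags": set(), "options": set()}
    for tok in body[start:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            entry[key] = value
        elif tok in TCP_FLAGS:
            entry["flags"].add(tok)
        else:
            entry["options"].add(tok)  # bare tokens such as DF
    return entry


def parse_log(text):
    """Parse every LOG line in a block of syslog text, skipping unrelated lines."""
    return [e for e in (parse_log_line(l) for l in text.splitlines()) if e]


def unprefixed(entries):
    """Entries written by a LOG rule that has no --log-prefix of its own."""
    return [e for e in entries if e["prefix"] == ""]


def is_stray_rst(entry):
    """A bare RST with no other flag: what conntrack typically classes INVALID when
    the connection it belongs to is no longer (or never was) tracked."""
    return entry.get("PROTO") == "TCP" and entry["flags"] == {"RST"}
```

Running `unprefixed(parse_log(text))` over a day of logs lists exactly the lines that came from LOG rules still lacking a prefix.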
* [gentoo-user] IPtables question
From: James Colby @ 2007-01-31 20:36 UTC
To: gentoo-user
List members -
I have a small home server that I have connected to the internet
through a linksys router and cable modem. The linksys router is
currently forwarding all ssh traffic to my gentoo box. What I would
like to do is set up iptables to only allow ssh logins from a small
number of internet hosts, and to reject and log all other ssh
attempts. Can someone please help me out with this. All of the
tutorials and documentation that I have found are setting up a fully
functioning firewall / NAT / proxy, and I think that is a little
overkill for my needs.
Thanks for any help that you may be able to provide,
James
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] IPtables question
From: Albert Hopkins @ 2007-01-31 20:56 UTC
To: gentoo-user
On Wed, 2007-01-31 at 15:36 -0500, James Colby wrote:
> List members -
>
> I have a small home server that I have connected to the internet
> through a linksys router and cable modem. The linksys router is
> currently forwarding all ssh traffic to my gentoo box. What I would
> like to do is set up iptables to only allow ssh logins from a small
> number of internet hosts, and to reject and log all other ssh
> attempts. Can someone please help me out with this. All of the
> tutorials and documentation that I have found are setting up a fully
> functioning firewall / NAT / proxy, and I think that is a little
> overkill for my needs.
If you don't want the whole iptables suite you might want to consider
good ole hosts.allow/hosts.deny as an alternative. They work fine with
sshd if you have tcpwrappers enabled.
* Re: [gentoo-user] IPtables question
From: Mick @ 2007-01-31 23:25 UTC
To: gentoo-user
On Wednesday 31 January 2007 20:56, Albert Hopkins wrote:
> On Wed, 2007-01-31 at 15:36 -0500, James Colby wrote:
> > List members -
> >
> > I have a small home server that I have connected to the internet
> > through a linksys router and cable modem. The linksys router is
> > currently forwarding all ssh traffic to my gentoo box. What I would
> > like to do is set up iptables to only allow ssh logins from a small
> > number of internet hosts, and to reject and log all other ssh
> > attempts. Can someone please help me out with this. All of the
> > tutorials and documentation that I have found are setting up a fully
> > functioning firewall / NAT / proxy, and I think that is a little
> > overkill for my needs.
>
> If you don't want the whole iptables suite you might want to consider
> good ole hosts.allow/hosts.deny as an alternative. They work fine with
> sshd if you have tcpwrappers enabled.
It depends how secure you want your setup to be. I always suggest disabling
password authentication and enabling public key authentication, after you copy &
paste each client's public key into the file ~/.ssh/authorized_keys. Any
password cracking attacks will simply fail. I would also suggest that you move
your sshd port from 22 to a higher number. All/most of these bots scanning
port 22 will now leave you alone. Finally, you can set up additional layers
like allow/deny users, MAC addresses, etc. While you're at it, don't forget
to disable root logins.
If you want to introduce diverse protection then iptables (and as previously
suggested hosts.allow/hosts.deny) is an option. In your iptables script (or
saved set of iptables rules) add something like:
iptables -A INPUT -i eth0 -p tcp -s <client_ip_address> -m tcp --dport 22 -d <server_LAN_ip_address> -j ACCEPT
Of course, I suggest that you change port 22 in the line above to a higher
number 'free' port. Your final catch-all rule at the bottom of your iptables
will drop any packets (on any port) from hosts other than the clients you
specified in my line above.
Finally, you can repeat this in your router's firewall rules, assuming that
you can specify WAN ip addresses (I know that you can in my hardware router,
but don't know in yours).
If anyone manages to break into the server through such an sshd setup, then
they bl**dy well deserve it!
HTH.
--
Regards,
Mick
* Re: [gentoo-user] IPtables question
From: Norberto Bensa @ 2007-02-01 3:58 UTC
To: gentoo-user
James Colby wrote:
> currently forwarding all ssh traffic to my gentoo box. What I would
> like to do is set up iptables to only allow ssh logins from a small
> number of internet hosts,
iptables -A INPUT -p tcp -s <ip-address-of-known-host> --dport 22 -j ACCEPT
> and to reject and log all other ssh
> attempts.
iptables -A INPUT -p tcp --dport 22 -j LOG
iptables -A INPUT -p tcp --dport 22 -j REJECT
Regards,
Norberto
* Re: [gentoo-user] IPtables question
From: Pawel Kraszewski @ 2007-02-02 8:45 UTC
To: gentoo-user
On Wednesday, 31 January 2007, James Colby wrote:
> I have a small home server that I have connected to the internet
> through a linksys router and cable modem. The linksys router is
> currently forwarding all ssh traffic to my gentoo box. What I would
^^^^^^^^^
Take note that forwarded traffic (it is DNAT-ed in the Linksys) would appear on
your host as originating from your router. The original source address is
stripped by the router's NAT.
Ergo, you need source address filtering in your router.
--
Pawel Kraszewski
www.kraszewscy.net
* Re: [gentoo-user] IPtables question
From: Hans-Werner Hilse @ 2007-02-02 9:54 UTC
To: gentoo-user
Hi,
On Fri, 2 Feb 2007 09:45:53 +0100 Pawel Kraszewski
<Gentoo@kraszewscy.net> wrote:
> On Wednesday, 31 January 2007, James Colby wrote:
>
> > I have a small home server that I have connected to the internet
> > through a linksys router and cable modem. The linksys router is
> > currently forwarding all ssh traffic to my gentoo box. What I would
> ^^^^^^^^^
>
> Take note that forwarded traffic (it is DNAT-ed in the Linksys) would
> appear on your host as originating from your router. The original source
> address is stripped by the router's NAT.
Nope, just the target Address is rewritten (by routing). DNAT is
Destination NAT! I.e. the target IP of the packet is rewritten. Since
the Linksys is the default gateway, packets can keep their source IP
address. Of course, the source MAC address will be rewritten to the
router's -- but that's got nothing to do with NAT but routing instead.
-hwh
* Re: [gentoo-user] IPtables question
From: Pawel Kraszewski @ 2007-02-02 11:01 UTC
To: gentoo-user
On Friday, 2 February 2007, Hans-Werner Hilse wrote:
> Nope, just the target Address is rewritten (by routing). DNAT is
> Destination NAT! I.e. the target IP of the packet is rewritten. Since
> the Linksys is the default gateway, packets can keep their source IP
> address. Of course, the source MAC address will be rewritten to the
> router's -- but that's got nothing to do with NAT but routing instead.
Jeee, I'm terribly sorry. My only excuse is that it was written without the
morning coffee... Of course SNAT rewrites the source IP and DNAT the destination IP,
and port forwarding uses DNAT. Once more, sorry for the confusion - my mind was
somehow floating around proxying, not forwarding.
--
Pawel Kraszewski
www.kraszewscy.net
* [gentoo-user] iptables question
From: Hiren Dave @ 2006-03-28 13:38 UTC
To: gentoo-user, VGLUG
Hi,
I want to configure the firewall such that network 192.168.1.0/24 can
only access the http server from server1 (192.168.0.2/24) and
network 192.168.0.0/24 cannot access the http server. So I tried this:
#service iptables stop
#iptables -P INPUT DROP
#iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT
But this command gives the error "Unknown arg: --dport".
HOW CAN I ACHIEVE THIS?
ALSO IS THERE ANY BOOKS OR ONLINE DOCUMENTS FOR PRACTICALLY LEARNING OF
IPTABLES?
TnR
Hiren
* Re: [gentoo-user] iptables question
From: Boyd Stephen Smith Jr. @ 2006-03-28 14:06 UTC
To: gentoo-user
On Tuesday 28 March 2006 07:38, "Hiren Dave" <hiren2k4@gmail.com> wrote
about '[gentoo-user] iptables question':
> #service iptables stop
> #iptables -P INPUT DROP
> #iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT
>
> But this command sends error that "Unknown arg: --dport"
> HOW CAN I ACHIEVE THIS?
Raw IP doesn't have port numbers; you'll have to match on the TCP or UDP
protocol to be able to match ports.
> ALSO IS THERE ANY BOOKS OR ONLINE DOCUMENTS FOR PRACTICALLY LEARNING OF
> IPTABLES?
TLDP is a good resource.
--
"If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability."
-- Gentoo Developer Ciaran McCreesh
* Re: [gentoo-user] iptables question
From: Uwe Thiem @ 2006-03-28 14:35 UTC
To: gentoo-user
On 28 March 2006 15:38, Hiren Dave wrote:
> Hi,
>
> I want to configure firewall such that network 192.168.1.0/24 can
> only access http server from server1(192.168.0.2/24) and
> network 192.168.0.0/24 can not access http server. So I tried this:
>
> #service iptables stop
> #iptables -P INPUT DROP
> #iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT
>
> But this command sends error that "Unknown arg: --dport"
> HOW CAN I ACHIEVE THIS?
Iptables is right, that line is nonsense.
>
> ALSO IS THERE ANY BOOKS OR ONLINE DOCUMENTS FOR PRACTICALLY LEARNING OF
> IPTABLES?
I don't have the URL handy right now, but google for "Iptables Tutorial
1.2.0".
Uwe
--
Why do consumers keep buying products they will live to curse?
* Re: [gentoo-user] iptables question
From: JimD @ 2006-03-29 2:24 UTC
To: gentoo-user
On Tue, 28 Mar 2006 19:08:38 +0530
"Hiren Dave" <hiren2k4@gmail.com> wrote:
> Hi,
>
> I want to configure firewall such that network 192.168.1.0/24 can
> only access http server from server1(192.168.0.2/24) and
> network 192.168.0.0/24 can not access http server. So I tried this:
>
> #service iptables stop
> #iptables -P INPUT DROP
> #iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT
>
> But this command sends error that "Unknown arg: --dport"
> HOW CAN I ACHIEVE THIS?
Because you need to put in a protocol like -p tcp.
> ALSO IS THERE ANY BOOKS OR ONLINE DOCUMENTS FOR PRACTICALLY LEARNING
> OF IPTABLES?
http://www.google.com/search?q=iptables+howto
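One check that would have caught the --dport error in this thread, the port-only rules posted in the 2007 ssh thread above, and the unprefixed LOG rule in the 2011 thread, as an added example that is not from the list: a small linter over iptables rule strings. The rules are constructed to mirror the ones posted; 203.0.113.10 is a placeholder client address.

```python
import shlex

# Constructed rules modelled on the ones posted in these threads: the --dport rule
# that iptables rejects with "Unknown arg: --dport", a LOG rule with no --log-prefix,
# and two well-formed rules for comparison (203.0.113.10 is a placeholder client).
SAMPLE_RULES = [
    "iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT",
    "-A INPUT -i eth0 -m state --state INVALID -j LOG",
    "iptables -A INPUT -p tcp -s 203.0.113.10 --dport 22 -j ACCEPT",
    '-A INPUT -j LOG --log-prefix "(>fw-drop): " --log-level 7',
]

PORT_OPTIONS = {"--dport", "--sport", "--destination-port", "--source-port"}
# Protocols whose match extension provides --dport/--sport (names only; numeric
# -p values are not resolved by this linter).
PORT_PROTOCOLS = {"tcp", "udp", "udplite", "sctp", "dccp"}


def lint_rule(rule):
    """Return the problems found in one iptables rule, as a list of strings."""
    tokens = shlex.split(rule)
    if tokens and tokens[0] == "iptables":
        tokens = tokens[1:]
    protocol, target, seen = None, None, set()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        seen.add(tok)
        if tok in ("-p", "--protocol") and i + 1 < len(tokens):
            protocol = tokens[i + 1].lower()
            i += 1
        elif tok in ("-j", "--jump") and i + 1 < len(tokens):
            target = tokens[i + 1]
            i += 1
        i += 1
    problems = []
    # --dport/--sport belong to the tcp/udp match, which is only loaded for -p tcp/udp;
    # without it iptables reports the option as unknown (the error in this thread).
    if seen & PORT_OPTIONS and protocol not in PORT_PROTOCOLS:
        problems.append("port match without -p tcp/udp")
    # LOG is a non-terminating target and every LOG rule logs with its own prefix;
    # a --log-prefix on a later LOG rule does not apply to this one.
    if target == "LOG" and "--log-prefix" not in seen:
        problems.append("LOG target without --log-prefix")
    return problems


def lint_rules(rules):
    """Map each rule to its problems; rules with none map to an empty list."""
    return {rule: lint_rule(rule) for rule in rules}
```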
* [gentoo-user] iptables question
From: Dmitry S. Makovey @ 2006-01-20 19:49 UTC
To: gentoo-user
somewhat offtopic, but since I need any help I can get:
how do I redirect traffic from the outward facing interface
(192.168.1.114:80) to the loopback device (127.0.0.1:80)?
my most obvious trick:
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.114 --dport 80 \
-j DNAT --to 127.0.0.1:80
and
echo 1 > /proc/sys/net/ipv4/ip_forward
didn't help. The machine which is opening the connection hangs there
indefinitely...
what did I miss?
--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
* Re: [gentoo-user] iptables question
From: Trenton Adams @ 2006-01-20 20:49 UTC
To: gentoo-user
Under the *nat rules:
-A PREROUTING -i eth0 -p tcp -m tcp --dport 58443 -j DNAT --to 192.168.7.1:443
Under the *filter rules:
-A ADAMS-FW-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
On 1/20/06, Dmitry S. Makovey <dmitry@athabascau.ca> wrote:
>
> somewhat offtopic, but since I need any help I can get:
>
> how do I redirect traffic from the outward facing interface
> (192.168.1.114:80) to the loopback device (127.0.0.1:80)?
>
> my most obvious trick:
> iptables -t nat -A PREROUTING -p tcp -d 192.168.1.114 --dport 80 \
> -j DNAT --to 127.0.0.1:80
> and
> echo 1 > /proc/sys/net/ipv4/ip_forward
> didn't help. Machine which is opening connection is hanging there
> indefinitely...
>
> what did I miss?
>
> --
> Dmitry Makovey
> Web Systems Administrator
> Athabasca University
> (780) 675-6245
>
>
>