* [gentoo-user] Re: IPTables - Going Stateless
[not found] ` <201305211133.03830.neal.p.murphy@alum.wpi.edu>
@ 2013-05-21 16:01 ` Nick Khamis
2013-05-21 16:14 ` Alan McKinnon
0 siblings, 1 reply; 7+ messages in thread
From: Nick Khamis @ 2013-05-21 16:01 UTC
To: gentoo-user
For testing purposes I changed the ssh rule to:
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
And still no go. As mentioned before, everything works fine until I
try to close up the rest of the ports not opened up in the chains
"UDP" and "TCP" stated above:
#echo -e " - Dropping input TCP and UDP traffic to closed ports"
-A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
#echo -e " - Dropping output TCP and UDP traffic to closed ports"
-A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
#echo -e " - Dropping input traffic to remaining protocols sent to closed ports"
-A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
#echo -e " - Dropping output traffic to remaining protocols sent to closed ports"
-A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
That is when I cannot SSH over to the server.
N.
* Re: [gentoo-user] Re: IPTables - Going Stateless
2013-05-21 16:01 ` [gentoo-user] Re: IPTables - Going Stateless Nick Khamis
@ 2013-05-21 16:14 ` Alan McKinnon
0 siblings, 0 replies; 7+ messages in thread
From: Alan McKinnon @ 2013-05-21 16:14 UTC
To: gentoo-user
On 21/05/2013 18:01, Nick Khamis wrote:
> For testing purposes I changed the ssh rule to:
>
> -A TCP -p tcp -m tcp --dport 22 -j ACCEPT
> -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
>
> And still no go. As mentioned before, everything works fine until I
> try to close up the rest of the ports not opened up in the chains
> "UDP" and "TCP" stated above:
>
> #echo -e " - Dropping input TCP and UDP traffic to closed ports"
> -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
>
> #echo -e " - Dropping output TCP and UDP traffic to closed ports"
> -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
>
> #echo -e " - Dropping input traffic to remaining protocols sent to closed ports"
> -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
>
> #echo -e " - Dropping output traffic to remaining protocols sent to closed ports"
> -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
>
> That is when I cannot SSH over to the server.
Now you are feeling the pain.
Drive to where the router is and fix it on the console then put
conntrack back.
--
Alan McKinnon
alan.mckinnon@gmail.com
* [gentoo-user] Re: IPTables - Going Stateless
[not found] <201305211211.53740.neal.p.murphy@alum.wpi.edu>
@ 2013-05-21 16:29 ` Nick Khamis
2013-05-21 16:53 ` Nick Khamis
0 siblings, 1 reply; 7+ messages in thread
From: Nick Khamis @ 2013-05-21 16:29 UTC
To: neal.p.murphy; +Cc: gentoo-user
On 5/21/13, Neal Murphy <neal.p.murphy@alum.wpi.edu> wrote:
> You still aren't accepting *each* direction. Either accept each direction
> with explicit rules or rewrite the rules so they apply to both directions
> at once. The former is probably easier to understand months later, even
> though it is more verbose.
>
> Mea culpa. I missed the '--dport'; that should be changed to '--sport' in
> one of the rules. I adjusted the rule below.
>
> N
>
> On Tuesday, May 21, 2013 11:07:10 AM you wrote:
>> Hello Everyone,
>>
>> #echo -e " - Accepting SSH Traffic"
>> $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
>> $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
>>
>> Everything works fine with the REJECT rules commented out, but when
>> included SSH access is blocked out. Not sure why, isn't the sequence
>> correct (i.e., the ACCEPT entries before the DROP and REJECT)?
>
> SSH isn't a one-way protocol. I believe you need at least one more rule.
> This:
> -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 \
> --dport 22 -j ACCEPT
> only matches packets in one direction. You need to add:
> -A TCP -p tcp -m tcp -s 192.168.2.5 -d 192.168.2.0/24 \
> --sport 22 -j ACCEPT
> to accept packets in the other direction.
>
>
That was it!!! Thank you so much. For future searchers with similar problems:
#!/bin/bash
IPTABLES='/sbin/iptables'
#Set interface values
INTIF1='eth0'
#flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
#echo -e " - Accepting input lo traffic"
$IPTABLES -A INPUT -i lo -j ACCEPT
#echo -e " - Accepting output lo traffic"
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#echo -e " - Defined Chains"
$IPTABLES -N TCP
$IPTABLES -N UDP
#echo -e " - Accepting SSH Traffic"
$IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.5 --sport 22 -d 192.168.2.0/24 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
#echo -e " - Accepting input TCP and UDP traffic to open ports"
$IPTABLES -A INPUT -i $INTIF1 -p tcp -j TCP
$IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
#echo -e " - Accepting output TCP and UDP traffic to open ports"
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j TCP
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
#echo -e " - Dropping input TCP and UDP traffic to closed ports"
$IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
$IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
#echo -e " - Dropping output TCP and UDP traffic to closed ports"
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
#echo -e " - Dropping input traffic to remaining protocols sent to closed ports"
$IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
#echo -e " - Dropping output traffic to remaining protocols sent to closed ports"
$IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
Kind Regards,
Nick.
* [gentoo-user] Re: IPTables - Going Stateless
2013-05-21 16:29 ` Nick Khamis
@ 2013-05-21 16:53 ` Nick Khamis
2013-05-21 22:41 ` Mike Gilbert
0 siblings, 1 reply; 7+ messages in thread
From: Nick Khamis @ 2013-05-21 16:53 UTC
To: neal.p.murphy; +Cc: gentoo-user
Neal,
As for the --sport flag for OUTPUT, should it not be left arbitrary?
The SSH daemon should use unprivileged ports between 1024 and 65535.
The only daemon I know thus far that does not is NTP which is
hardwired to 123 both ways.
Thanks Guys,
Nick.
* Re: [gentoo-user] Re: IPTables - Going Stateless
2013-05-21 16:53 ` Nick Khamis
@ 2013-05-21 22:41 ` Mike Gilbert
2013-05-22 0:16 ` Adam Carter
[not found] ` <CAC=wYCEs6rkR5ch4rsumJKj9Kg5e+j_LEr@mail.gmail.com>
0 siblings, 2 replies; 7+ messages in thread
From: Mike Gilbert @ 2013-05-21 22:41 UTC
To: gentoo-user; +Cc: neal.p.murphy
On Tue, May 21, 2013 at 12:53 PM, Nick Khamis <symack@gmail.com> wrote:
> Neal,
>
> As for the --sport flag for OUTPUT, should it not be left arbitrary?
> The SSH daemon should use unprivileged ports between 1024 and 65535.
> The only daemon I know thus far that does not is NTP which is
> hardwired to 123 both ways.
>
Most daemons send/receive on the same port on the server. The port
used by the /client/ is generally random.
An exception would be an FTP daemon, which uses port 20 for active
mode data connections, but a random port for passive data connections.
FTP is weird like that.
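The two points settled above (Neal's: a stateless ruleset needs an explicit rule for the reply direction; Mike's: the server replies from its own port, 22, while the client's port is random) can be checked without touching a real netfilter. The following is an added example, not code from the thread or from Gentoo: a small rule-matching simulator that models only the matches Nick's script uses (-p, -s, -d, --sport, --dport), the INPUT/OUTPUT to TCP chain structure, and, for comparison, a conntrack-style "ESTABLISHED" match as Alan suggested. It assumes a single interface, the script's default ACCEPT policy (no -P is set), and a constructed client at 192.168.2.10 using ephemeral source port 51234.

```python
"""Toy netfilter walk: send one SSH SYN and its SYN-ACK through three
variants of the thread's ruleset and report the verdict for each direction.
Added example; models only what the thread's rules need."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN, SERVER = "192.168.2.0/24", "192.168.2.5"
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

    def reverse(self) -> "Packet":
        """The reply packet: addresses and ports swapped."""
        return Packet(self.proto, self.dst, self.src, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT/DROP/REJECT or a user chain name
    proto: Optional[str] = None      # -p
    src: Optional[str] = None        # -s (CIDR or host)
    dst: Optional[str] = None        # -d
    sport: Optional[int] = None      # --sport
    dport: Optional[int] = None      # --dport
    established: bool = False        # models "-m state --state ESTABLISHED"

    def matches(self, pkt: Packet, conntrack: set) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        # ESTABLISHED: conntrack has already seen this flow in either direction.
        if self.established and pkt not in conntrack and pkt.reverse() not in conntrack:
            return False
        return True


def walk(chains: dict, name: str, pkt: Packet, conntrack: set) -> Optional[str]:
    """First matching terminal target wins; a user chain that falls off its
    end returns None and the calling chain keeps going, as in iptables."""
    for rule in chains[name]:
        if not rule.matches(pkt, conntrack):
            continue
        if rule.target in TERMINAL:
            return rule.target
        verdict = walk(chains, rule.target, pkt, conntrack)
        if verdict is not None:
            return verdict
    return None


def filter_packet(chains: dict, name: str, pkt: Packet, conntrack: set) -> str:
    verdict = walk(chains, name, pkt, conntrack) or "ACCEPT"   # built-in policy ACCEPT
    if verdict == "ACCEPT":
        conntrack.add(pkt)           # only accepted packets create state
    return verdict


def build_ruleset(variant: str) -> dict:
    """'stateless-original': Nick's first TCP chain (--dport 22 only).
    'stateless-fixed': plus Neal's reply-direction rule (--sport 22).
    'stateful': no reply rule, but ESTABLISHED accepted first (Alan's conntrack)."""
    tcp = [Rule("ACCEPT", "tcp", src=LAN, dst=SERVER, dport=22)]
    if variant == "stateless-fixed":
        tcp.append(Rule("ACCEPT", "tcp", src=SERVER, dst=LAN, sport=22))
    tcp.append(Rule("DROP", "tcp", src="0.0.0.0/0", dst=SERVER, dport=22))
    est = [Rule("ACCEPT", established=True)] if variant == "stateful" else []
    # INPUT and OUTPUT mirror the script: jump to TCP/UDP, then REJECT the rest.
    builtin = est + [Rule("TCP", "tcp"), Rule("UDP", "udp"),
                     Rule("REJECT", "tcp"), Rule("REJECT", "udp"), Rule("REJECT")]
    return {"TCP": tcp, "UDP": [], "INPUT": list(builtin), "OUTPUT": list(builtin)}


def ssh_session(variant: str) -> tuple:
    """Verdicts for (client SYN on INPUT, server SYN-ACK on OUTPUT)."""
    chains, conntrack = build_ruleset(variant), set()
    syn = Packet("tcp", "192.168.2.10", SERVER, sport=51234, dport=22)  # constructed client
    v_in = filter_packet(chains, "INPUT", syn, conntrack)
    v_out = filter_packet(chains, "OUTPUT", syn.reverse(), conntrack)  # from :22 back to :51234
    return v_in, v_out


if __name__ == "__main__":
    for v in ("stateless-original", "stateless-fixed", "stateful"):
        print(f"{v:20s} SYN in: {ssh_session(v)[0]:7s} SYN-ACK out: {ssh_session(v)[1]}")
```

Running it shows the failure Nick hit: in the original stateless variant the inbound SYN is accepted but the SYN-ACK, leaving from source port 22, matches nothing in the TCP chain and falls through to the OUTPUT "REJECT --reject-with tcp-rst" rule. Adding the --sport 22 rule fixes it, and so does a single ESTABLISHED rule, which is why conntrack needs no per-service reply rule. Note that the stateless fix keys on the reply's fixed server port; leaving --sport unconstrained would match more than the SSH replies.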
* Re: [gentoo-user] Re: IPTables - Going Stateless
2013-05-21 22:41 ` Mike Gilbert
@ 2013-05-22 0:16 ` Adam Carter
[not found] ` <CAC=wYCEs6rkR5ch4rsumJKj9Kg5e+j_LEr@mail.gmail.com>
1 sibling, 0 replies; 7+ messages in thread
From: Adam Carter @ 2013-05-22 0:16 UTC
To: gentoo-user@lists.gentoo.org
Anyone advocating stateless firewalls in 2013 deserves scrutiny. I would be
asking for some evidence there is a performance issue, and that the best
solution to the problem is to turn off stateful inspection.
* [gentoo-user] Re: IPTables - Going Stateless
[not found] ` <CAC=wYCEs6rkR5ch4rsumJKj9Kg5e+j_LEr@mail.gmail.com>
@ 2013-05-22 2:16 ` James
0 siblings, 0 replies; 7+ messages in thread
From: James @ 2013-05-22 2:16 UTC
To: gentoo-user
Adam Carter <adamcarter3 <at> gmail.com> writes:
> Anyone advocating stateless firewalls in 2013 deserves scrutiny. I would
> be asking for some evidence there is a performance issue, and that the
> best solution to the problem is to turn off stateful inspection.
There are lots of tools and approaches to security. Here is something
you might want to investigate further: Stateless Firewall Filters:
great for fending off DDoS and such...
Instead of the Maginot wall (firewall router) several different
security devices can be layered in a serial path to perform
various and different security functions.
Here is a starting point by a fairly reputable routing vendor:
http://www.juniper.net/techpubs/en_US/junos12.2/topics/concept/firewall-filter-overview.html
http://www.juniper.net/techpubs/software/junos-security/junos-security10.3/junos-security-swconfig-interfaces-and-routing/topic-47671.html
http://www.juniper.net/techpubs/en_US/junos/topics/concept/firewall-filter-types.html
James