LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

07-31-2006, 03:28 AM   #16
win32sux (LQ Guru; Distribution: Ubuntu)

Quote:
Originally Posted by MrSako
I'm trying to close all ports except for the ones needed for my servers, which at this time are ports 21 (FTP), 22 (SSH), 25 (SMTP), 80 (HTTP), 110 (POP3), and 10000 (Webmin).
Then all you need to do is add one rule to the script I posted:
Code:
#!/bin/sh

IPT="/sbin/iptables"

# Default policies: drop anything inbound or forwarded that no rule
# accepts, allow everything outbound.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules and delete user-defined chains in every table.
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

# Replies to connections this host initiated, and loopback traffic.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# The one rule added for the services listed above: new TCP connections
# arriving on eth0 to the listed ports.
$IPT -A INPUT -p TCP -i eth0 -m multiport --dports \
21,22,25,80,110,10000 -m state --state NEW -j ACCEPT
After executing this script, do a:
Code:
/sbin/service iptables save
and then you should be good to go, AFAICT...

http://kbase.redhat.com/faq/FAQ_44_954.shtm

To check that the rules are "sticking", just reboot and then do a:
Code:
iptables -L -v -n
You should see something like this:
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           multiport dports 21,22,25,80,110,10000 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Last edited by win32sux; 07-31-2006 at 05:44 AM.
 
07-31-2006, 12:41 PM   #17
MrSako (Member, Original Poster; Distribution: CentOS 4.4)

I believe my network interface is venet0.

I have two IPs (venet0:0 and venet0:1), so I guess my interface would be just venet0.
 
07-31-2006, 10:52 PM   #18
MrSako (Member, Original Poster; Distribution: CentOS 4.4)

I want to try this script out, but I think my external hardware might be venet0 (or venet0:0) and I don't want to lock myself out. (This is on a VPS I'm renting; I don't have physical access to the server, only via shell and Webmin.)
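Two checks worth making before running the #16 script on a VPS, as an editor-added example (this code is not from the thread). First, `-i eth0` matches only packets that arrive on an interface literally named eth0: on an OpenVZ guest the interface is normally venet0, and venet0:0 / venet0:1 are IP aliases of it, not interfaces netfilter can match (iptables warns about alias names in `-i`, and such a rule then matches nothing), so a rule pinned to eth0 never fires and the DROP policy blocks SSH along with everything else. Second, after `service iptables save` and a reboot, the listing should show the intended policy and port list and nothing more. The script below reads an `iptables -L -v -n` listing on stdin and audits both points; the sample is the listing shown in #16, copied in so it runs without root or iptables, and the interface names handed to it are assumed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit an `iptables -L -v -n` listing
# against the intended policy and port list, and flag rules bound to an
# interface the host does not have. Assumes the listing layout of iptables
# 1.2/1.3 as shown in post #16; the sample listing below is that output,
# embedded (constructed copy) so this runs without root or iptables.

EXPECTED_PORTS="21,22,25,80,110,10000"   # MrSako's service list

SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           multiport dports 21,22,25,80,110,10000 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# chain_policy CHAIN: print the default policy of CHAIN from a listing on stdin.
chain_policy() {
    awk -v chain="$1" '$1 == "Chain" && $2 == chain { print $4 }'
}

# open_tcp_ports: TCP ports that INPUT ACCEPT rules open on non-loopback
# interfaces, one per line, numerically sorted. Understands both the
# "multiport dports a,b,c" form and the single "dpt:N" form.
open_tcp_ports() {
    awk '
        /^Chain / { chain = $2 }
        chain == "INPUT" && $3 == "ACCEPT" && $4 == "tcp" && $6 != "lo" {
            for (i = 1; i <= NF; i++) {
                if ($i == "dports") {
                    n = split($(i + 1), p, ",")
                    for (j = 1; j <= n; j++) print p[j]
                } else if ($i ~ /^dpt:/) {
                    sub(/^dpt:/, "", $i); print $i
                }
            }
        }' | sort -n | uniq
}

# missing_interfaces "lo venet0": interfaces named in INPUT ACCEPT rules that
# are not in the given list of real interfaces. Such a rule can never match,
# so with policy DROP it closes the port instead of opening it.
missing_interfaces() {
    awk -v have="$1" '
        BEGIN { n = split(have, h, " "); for (i = 1; i <= n; i++) present[h[i]] = 1 }
        /^Chain / { chain = $2 }
        chain == "INPUT" && $3 == "ACCEPT" && $6 != "*" && !($6 in present) && !seen[$6]++ { print $6 }'
}

# audit_listing "lo eth0": read a listing on stdin; return 0 only if INPUT
# drops by default, exactly EXPECTED_PORTS are open and (when a list of real
# interfaces is given) every interface a rule names exists.
audit_listing() {
    listing=$(cat)
    status=0
    policy=$(printf '%s\n' "$listing" | chain_policy INPUT)
    if [ "$policy" != "DROP" ]; then
        echo "INPUT policy is '$policy', expected DROP"; status=1
    fi
    got=$(printf '%s\n' "$listing" | open_tcp_ports | tr '\n' ',' | sed 's/,$//')
    want=$(printf '%s\n' "$EXPECTED_PORTS" | tr ',' '\n' | sort -n | uniq | tr '\n' ',' | sed 's/,$//')
    if [ "$got" != "$want" ]; then
        echo "open TCP ports are '$got', expected '$want'"; status=1
    fi
    if [ -n "$1" ]; then
        for ifc in $(printf '%s\n' "$listing" | missing_interfaces "$1"); do
            echo "rule bound to interface '$ifc', which this host does not have"; status=1
        done
    fi
    [ "$status" -eq 0 ] && echo "OK: INPUT policy DROP, open TCP ports $got"
    return "$status"
}

# Stand-alone demo: the post's listing on a host that has eth0 (passes), then
# on an OpenVZ guest whose interfaces are lo and venet0 (fails).
printf '%s\n' "$SAMPLE_LISTING" | audit_listing "lo eth0"
printf '%s\n' "$SAMPLE_LISTING" | audit_listing "lo venet0" || true
```

On the host, feed it the live listing and the real interface names, for example `/sbin/iptables -L -v -n | audit_listing "$(awk -F: 'NR > 2 { gsub(/ /, "", $1); printf "%s ", $1 }' /proc/net/dev)"`. The port list is what the thread asked for; if the admin IP is fixed, narrowing 22 and 10000 with `-s` is the usual next step, since SSH and Webmin are the two services here that hand out root.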
 
08-01-2006, 07:40 AM   #19
win32sux (LQ Guru; Distribution: Ubuntu)

Quote:
Originally Posted by MrSako
I want to try this script out, but I think my external hardware might be venet0 (or venet0:0) and I don't want to lock myself out. (This is on a VPS I'm renting; I don't have physical access to the server, only via shell and Webmin.)
What I would do then is cron a script to clear all my rules and chains in, say, 20 minutes, just in case... so if I lock myself out I know I'll just have to wait 20 minutes before I can get back in... It's just a suggestion, and if you use it make sure you test it beforehand...
Code:
#!/bin/sh

IPT="/sbin/iptables"

# Open every default policy back up, then drop all rules and custom chains
# in the filter, nat and mangle tables.
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
 
08-01-2006, 01:55 PM   #20
MrSako (Member, Original Poster; Distribution: CentOS 4.4)

I created that cron job, but how do I know if it works?
 
08-01-2006, 02:06 PM   #21
win32sux (LQ Guru; Distribution: Ubuntu)

Quote:
Originally Posted by MrSako
I created that cron job, but how do I know if it works?
Run some pointless rules or whatever, and then check that they are active with:
Code:
iptables -L
Then wait for the cron job to kick in, and again do a:
Code:
iptables -L
There should be no rules, and the policies should all be ACCEPT...
 
08-01-2006, 03:36 PM   #22
MrSako (Member, Original Poster; Distribution: CentOS 4.4)

Instead of your iptables configuration, to test out the cron job I used one I had done before, where I knew I could still log into the server via SSH.

Anyway, the cron job didn't work, but I used SSH to log in as root and do this:

[root@vps ~]# iptables -P INPUT ACCEPT
[root@vps ~]# iptables -P OUTPUT ACCEPT


Is it possible to do this in a cron job? i.e.

su root
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

as the cron job script
 
08-01-2006, 03:55 PM   #23
win32sux (LQ Guru; Distribution: Ubuntu)

Quote:
Originally Posted by MrSako
Instead of your iptables configuration, to test out the cron job I used one I had done before, where I knew I could still log into the server via SSH.

Anyway, the cron job didn't work, but I used SSH to log in as root and do this:

[root@vps ~]# iptables -P INPUT ACCEPT
[root@vps ~]# iptables -P OUTPUT ACCEPT


Is it possible to do this in a cron job? i.e.

su root
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

as the cron job script
Yes, you can cron any script you want... but cronning any script is the same procedure, so if you couldn't get mine to work, it's fair to assume you won't get yours to work either... What does the line in your crontab look like?

EDIT: Wait, I just noticed your "su root" thing... Why are you doing that? Are you using your non-root crontab for this? If so, that's likely why it won't work... You need to use root's crontab...

Last edited by win32sux; 08-01-2006 at 03:57 PM.
 
08-01-2006, 04:36 PM   #24
MrSako (Member, Original Poster; Distribution: CentOS 4.4)

I did a chmod +x on the script file for the cron job; I got this, though:

[root@vps local]# /usr/local/cron-iptables
: bad interpreter: No such file or directory


I tried making a cron job with the commands I described, but I got this:

/bin/sh: iptables: command not found
/bin/sh: iptables: command not found

This is the command I set as the cron job (I set it to run as root; I forgot about that, so there's no need to su):

iptables -P INPUT ACCEPT;iptables -P OUTPUT ACCEPT


I'd rather figure out what's not working about iptables -P INPUT ACCEPT;iptables -P OUTPUT ACCEPT, because I know doing this over SSH works fine (I typed it just like that into my SSH client with no error).

Last edited by MrSako; 08-01-2006 at 04:37 PM.
 
08-01-2006, 05:01 PM   #25
win32sux (LQ Guru; Distribution: Ubuntu)

Quote:
Originally Posted by MrSako
I did a chmod +x on the script file for the cron job; I got this, though:

[root@vps local]# /usr/local/cron-iptables
: bad interpreter: No such file or directory


I tried making a cron job with the commands I described, but I got this:

/bin/sh: iptables: command not found
/bin/sh: iptables: command not found

This is the command I set as the cron job (I set it to run as root; I forgot about that, so there's no need to su):

iptables -P INPUT ACCEPT;iptables -P OUTPUT ACCEPT


I'd rather figure out what's not working about iptables -P INPUT ACCEPT;iptables -P OUTPUT ACCEPT, because I know doing this over SSH works fine (I typed it just like that into my SSH client with no error).
In your crontab, you need to use absolute pathnames...

Notice how in my script "/sbin/iptables" is used instead of "iptables"...

Last edited by win32sux; 08-01-2006 at 05:09 PM.
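The safety net discussed in #19 through #25 has two sharp edges a practitioner should know about. A crontab line fires every time its schedule comes round, so if the test succeeds and the line is forgotten, it flushes the firewall again at the next run; and cron jobs run without your login environment (vixie-cron runs user crontab entries with PATH=/usr/bin:/bin, which is why a bare `iptables` fails while `/sbin/iptables` works, as #25 says). The script below is an editor-added example, not something from the thread: it keeps the idea but makes the revert a one-shot, cancellable timer. Arm the revert, apply the rules, log in again in a second session, and cancel the revert only once that login works. It assumes the two paths MrSako used, /usr/local/iptables_script to apply the rules and /usr/local/cron-iptables for the #19 cleanup script; the dry run at the bottom uses constructed echo commands instead of iptables.

```shell
#!/bin/sh
# Added example, not from the thread: apply a firewall ruleset with a one-shot
# timer that reverts it unless you confirm, from a fresh login, that you are
# not locked out. Replaces the recurring cron entry suggested in #19.
# Assumed paths (MrSako's): /usr/local/iptables_script applies the rules,
# /usr/local/cron-iptables flushes them. Both must be absolute: the timer has
# no login environment, and cron's default PATH lacks /sbin anyway.

pid_file() { echo "${STATE_DIR:-/var/run}/fw-revert.pid"; }

# apply_with_revert APPLY_CMD REVERT_CMD SECONDS
# Arm the revert first, then apply; if arming fails the rules are never touched.
apply_with_revert() {
    apply_cmd=$1; revert_cmd=$2; delay=$3
    # nohup + background: the timer must survive the SSH session dying,
    # which is exactly the failure being guarded against.
    nohup sh -c "sleep $delay && $revert_cmd" >/dev/null 2>&1 &
    echo $! > "$(pid_file)" || return 1
    echo "revert armed: '$revert_cmd' runs in $delay s unless confirm_firewall is called"
    sh -c "$apply_cmd"
}

# confirm_firewall: cancel the pending revert. Run this from a NEW SSH
# session; if that session cannot connect, do nothing and wait it out.
confirm_firewall() {
    f=$(pid_file)
    [ -f "$f" ] || { echo "no pending revert"; return 1; }
    # Killing the waiting shell orphans its sleep, which then exits
    # harmlessly without running the revert command.
    kill "$(cat "$f")" 2>/dev/null || true
    rm -f "$f"
    echo "revert cancelled; run '/sbin/service iptables save' to keep the rules across reboots"
}

# Dry run with constructed commands (no iptables involved): a 1-second timer,
# once without confirming and once with.
demo() {
    dir=$(mktemp -d); log="$dir/events"; STATE_DIR=$dir
    apply_with_revert "echo applied >> $log" "echo reverted >> $log" 1 >/dev/null
    sleep 2; echo "not confirmed: $(tr '\n' ' ' < "$log")"   # applied reverted
    : > "$log"
    apply_with_revert "echo applied >> $log" "echo reverted >> $log" 1 >/dev/null
    confirm_firewall >/dev/null
    sleep 2; echo "confirmed:     $(tr '\n' ' ' < "$log")"   # applied
    rm -rf "$dir"
}

# Real use, as root:
#   apply_with_revert /usr/local/iptables_script /usr/local/cron-iptables 1200
#   ... open a second SSH session; if it works: confirm_firewall
case "${1:-}" in demo) demo ;; esac
```

Twenty minutes (1200 s) matches the thread's suggestion; the important difference from a cron line is that the timer exists only once and disappears either when it fires or when you cancel it, so there is nothing left behind to flush the firewall later.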
 
08-01-2006, 05:13 PM   #26
catworld (Member; Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack, etc.)

To my mind, this is one job you have to run as root; iptables is invisible to the user. The Webmin cron interface has a "run as" option, but I'm not sure it won't hang awaiting a root pass in the background, i.e. fail if you select "run as root."
 
08-01-2006, 05:17 PM   #27
MrSako (Member, Original Poster; Distribution: CentOS 4.4)

OK, I got the cron to work. It's just that I can't get the script to execute now:

[root@vps local]# ls
bin gamecreate include lib man share teamspeak
etc games iptables_script libexec sbin src webmin
[root@vps local]# chmod +x iptables_script
[root@vps local]# ./iptable_script
-bash: ./iptable_script: No such file or directory
[root@vps local]# /usr/local/iptables_script
: bad interpreter: No such file or directory


I tried the full path the second time just to try it.

I did ls and I see the file right there; I don't understand.
 
08-01-2006, 05:19 PM   #28
win32sux (LQ Guru; Distribution: Ubuntu)

Quote:
Originally Posted by catworld
To my mind, this is one job you have to run as root; iptables is invisible to the user.
It's not invisible at all; in fact, it's in non-root users' paths... They have access to the binary; they will just get a permissions error when they run it...
Code:
win32sux@carly:~$ whoami
win32sux
win32sux@carly:~$ iptables -L
iptables v1.3.3: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
win32sux@carly:~$

Last edited by win32sux; 08-01-2006 at 05:20 PM.
 
08-01-2006, 05:24 PM   #29
win32sux (LQ Guru; Distribution: Ubuntu)

Quote:
Originally Posted by MrSako
[root@vps local]# chmod +x iptables_script
[root@vps local]# ./iptable_script
Okay, this is because you misspelled the script's name...

Quote:
-bash: ./iptable_script: No such file or directory
[root@vps local]# /usr/local/iptables_script
: bad interpreter: No such file or directory
This looks like your shebang (#!/bin/sh) isn't set right...

I seriously recommend that you use my cleanup script from post #19 instead of just two rules which do nothing but set policies...

Last edited by win32sux; 08-01-2006 at 05:26 PM.
 
08-01-2006, 05:25 PM   #30
MrSako (Member, Original Poster; Distribution: CentOS 4.4)

Quote:
Originally Posted by win32sux
Okay, this is because you misspelled the script's name...


This looks like your shebang (#!/bin/sh) isn't set right...

How do I make it "set right"?
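The thread ends without an answer to how the shebang gets "set right", so here is the check a practitioner would run, as an editor-added example and not something from the thread. The exact message shown in #24 and #27, a colon with nothing in front of it followed by `bad interpreter: No such file or directory`, is what bash prints when the `#!/bin/sh` line ends in a carriage return: the kernel is asked for an interpreter named `/bin/sh` plus CR, which does not exist, and the CR moves the cursor back to the start of the line so the script and interpreter names are overwritten on screen. Files written on Windows or pasted through a web form commonly arrive with CRLF endings (whether Webmin's editor did that here is an assumption). The script below checks the first line of a file for the three usual problems and strips the CRs; the demo builds a CRLF copy of a one-line iptables script, constructed for the example and never executed.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose ": bad interpreter: No such
# file or directory" and repair the usual cause, a CRLF line ending on the
# #! line. Nothing here runs the script being checked.

CR=$(printf '\r')

# check_shebang FILE: print one line per problem found; return 0 with no
# output when FILE is executable and has a usable "#!/path" first line.
check_shebang() {
    f=$1
    [ -r "$f" ] || { echo "cannot read '$f'"; return 1; }
    status=0
    [ -x "$f" ] || { echo "not executable (chmod +x '$f')"; status=1; }
    # Keep everything on the first line except the newline itself, so a
    # trailing \r (invisible in most editors and in cat) is preserved.
    first=$(head -n 1 "$f" | tr -d '\n')
    case "$first" in
        *"$CR"*) echo "carriage return (CRLF line ending) in the #! line"; status=1 ;;
    esac
    case "$first" in
        '#!'*)
            # Interpreter path: drop "#!", optional spaces and any arguments.
            interp=$(printf '%s' "$first" | tr -d '\r' | sed 's/^#![[:space:]]*//; s/[[:space:]].*//')
            [ -x "$interp" ] || { echo "interpreter '$interp' is not an executable file"; status=1; }
            ;;
        *) echo "no #! line: first line is '$first'"; status=1 ;;
    esac
    return "$status"
}

# fix_crlf FILE: strip every carriage return in place, keeping FILE.bak.
fix_crlf() {
    cp "$1" "$1.bak" && tr -d '\r' < "$1.bak" > "$1"
}

# show_first_line FILE: the bytes the kernel actually sees, \r included.
show_first_line() {
    head -n 1 "$1" | od -c | head -n 2
}

# Constructed demo: a CRLF copy of a one-line firewall script (never run).
demo() {
    d=$(mktemp -d); s="$d/iptables_script"
    printf '#!/bin/sh\r\n/sbin/iptables -P INPUT ACCEPT\r\n' > "$s"
    chmod +x "$s"
    show_first_line "$s"
    check_shebang "$s" || true      # carriage return (CRLF line ending) in the #! line
    fix_crlf "$s"
    check_shebang "$s" && echo "fixed: $(head -n 1 "$s")"
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

`od -c` is the quickest way to see the problem by hand: a first line ending in `\r  \n` instead of `\n` is the CRLF case, and `tr -d '\r'` (or `dos2unix`, where installed) fixes it. After the fix, `/usr/local/iptables_script` runs as a script again and the #19 cleanup can be tested as win32sux described.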
 
  

