take a peek at my iptables setup
  • Hi,
    I followed the very good tutorial on setting up my slice and added the firewall using the defaults given in the tutorial. I now have an application running that is accessed via port 2222. I tried poking the hole using the following command:

    iptables -A INPUT -p tcp --dport 2222 -j ACCEPT

    iptables -L says it's there:

    ACCEPT tcp -- anywhere anywhere tcp dpt:rockwell-csp2

    but when I try to connect via http://ip:2222 the connection times out. Turning off iptables allows me to connect.

    BTW, the OUTPUT chain looks like this:

    ACCEPT all -- anywhere anywhere

    Any ideas? I greatly appreciate any help!

    Thanks,

    Joe
  • I don't see anything immediately wrong, but it's been a long time since I've played with iptables. We'd probably need to see your entire chain to see if something else is overriding that. Also, are you sure the app isn't trying to use UDP also/instead?

    EDIT: Oh, and someone recently (not me) linked to this tool to greatly simplify your life with building iptables rules. Folks in that thread seemed to like it: Firewall Builder.
  • Here's the complete output from iptables -L:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    ACCEPT tcp -- anywhere anywhere tcp dpt:https
    ACCEPT tcp -- anywhere anywhere tcp dpt:hosts2-ns
    ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4122
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
    ACCEPT tcp -- anywhere anywhere tcp dpt:rockwell-csp2

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    I'll give that link a try. Thanks!
    You need to insert the rule for port 2222 before the REJECT rule that rejects the packets. Use something like

    iptables -I INPUT 6 -p tcp --dport 2222 -j ACCEPT

    where 6 specifies the position in the chain (1-based) at which to insert the rule.

    In fact, I'd suggest getting rid of that REJECT rule entirely and setting the INPUT chain policy to DROP, which you can do by running the command

    iptables -P INPUT DROP

    That way any rules you may add in the future will automatically be applied before packets are dropped. (If you decide to use Firewall Builder, its default rule set will set the chain policy to DROP.)

    :) David
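    As an added illustration (not from the thread) of why the `-I INPUT 6` above works where `-A` did not: iptables walks a chain top to bottom and stops at the first terminating match, so any rule appended after a catch-all REJECT or DROP is unreachable. The POSIX shell function below audits `iptables -S INPUT` output for exactly that mistake; the two rule dumps are constructed approximations of Joe's chain, before and after the insert.

```shell
#!/bin/sh
# Constructed approximation, in `iptables -S INPUT` form, of the chain Joe
# listed: the port-2222 ACCEPT was appended (-A) after the catch-all REJECT.
RULES_BROKEN='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT'

# The same chain after `iptables -I INPUT 6 -p tcp --dport 2222 -j ACCEPT`:
# the new rule now sits at position 6, ahead of the catch-all REJECT.
RULES_FIXED='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# Reads `iptables -S <chain>` output on stdin. A rule whose -j DROP/REJECT
# target follows the chain name directly has no match criteria, so it is a
# catch-all; every -A rule after the first such line can never be reached.
# Prints each shadowed rule, then the shadowed-rule count on the last line.
shadowed_rules() {
    awk '
        !seen && /^-A [^ ]+ -j (DROP|REJECT)( |$)/ { seen = NR; next }
        seen && /^-A/ { print "shadowed: " $0; n++ }
        END { print n + 0 }
    '
}

# Count-only wrapper, handy in a cron job or a pre-deploy check.
count_shadowed() {
    shadowed_rules | tail -n 1
}

# Run the audit on both constructed dumps.
printf '%s\n' "$RULES_BROKEN" | shadowed_rules
printf '%s\n' "$RULES_FIXED" | shadowed_rules
```

    On a live host the same check is `iptables -S INPUT | shadowed_rules`; a non-zero count means a rule was appended below the catch-all and needs `-I` with a position, as in the post above.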
  • Another way to set the default policy is in your iptables save file (iptables.up.rules if you followed the article) by simply putting this at the top:

    *filter
    :INPUT DROP [0:0]

    This way the rule will be restored next time you reboot.
  • Whenever you are looking at iptables, do an "iptables -L --line -nv"; this makes iptables skip lookups on IPs/ports, be verbose and show line numbers. Again, it all depends on what you want to do with your iptables rules. I make mine a little bit more complex for connection tracking and such.

    Quick suggestions
    1. Set your INPUT/FORWARD chain policy to DROP, and also put a default DROP rule at the bottom of the INPUT chain just in case. You should do a LOG then DROP if this is anything critical; that way you can see who may be trying to get into your system.
    2. Setup related/established rules which can lower processing, these should be at the top.
    3. Drop is your friend rather than reject.
    4. You have an accept at the top making everything else null and void.
    5. Make sure you check how large your connection tracking table is if you plan on getting lots of traffic.
    6. Rule #2 seems unnecessary.
    7. I tend to go from low to high port, just makes things easier to read.

    Here is a small default. It doesn't include most of the advanced stuff, as I'm sure that's overkill for what you want to do.

    # Generated by iptables-save v1.3.5 on Fri Dec 12 11:47:24 2008
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [10034635:10151550141]
    :mail - [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 965 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 35000:35010 -j ACCEPT
    -A INPUT -j DROP
    COMMIT
    # Completed on Fri Dec 12 11:47:24 2008
  • Thanks for all the comments, much much appreciated.
  • I'm on CentOS and the tutorial has you add the commands individually. How do I add commands like

    *filter
    :INPUT DROP [0:0]

    A quick look at Firewall Builder looks daunting...
  • I was able to get it working, but would like to add some of the options mentioned above (*filter/:INPUT DROP [0:0]/etc.) once I know the syntax:

    Chain INPUT (policy DROP 9 packets, 884 bytes)
    num pkts bytes target prot opt in out source destination
    1 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    2 0 0 REJECT all -- !lo * 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
    3 1116 139K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
    6 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    7 126 6048 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222
    8 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:4122
    9 1 92 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    num pkts bytes target prot opt in out source destination
    1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT 90 packets, 12480 bytes)
    num pkts bytes target prot opt in out source destination
    1 1241 1111K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

    Thanks for the help!
  • Posted By: joek168
    I'm on CentOS and the tutorial has you add the commands individually. How do I add commands like

    *filter
    :INPUT DROP [0:0]

    A quick look at Firewall Builder looks daunting...

    FYI the format RossH posted is a specialized iptables format used by Ubuntu only. The normal way to do
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [10034635:10151550141]
    would be
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT


    And Firewall Builder is kind of daunting at first but it makes a lot of sense once you figure it out. It took me a few hours to get used to it.

    :) David
  • Actually that is just the default iptables config file save format....
  • Posted By: RossH
    Actually that is just the default iptables config file save format....

    Oh... yeah, I guess it is. My mistake.

    However, Ubuntu is the only distribution for which I've seen anyone suggest editing the iptables rules file directly. The normal way to edit iptables rules is to use the iptables command.

    :) David
  • Thanks guys... appreciate the help.
  • I ended up saving the following into a file called myfirewall, making it executable, then running it.

    #!/bin/bash
    #
    # iptables example configuration script
    #
    # Flush all current rules from iptables
    #
    iptables -F
    #
    # Allow SSH connections on tcp port 22
    # This is essential when working on remote servers via SSH to prevent locking yourself out of the system
    #
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    #
    # Set default policies for INPUT, FORWARD and OUTPUT chains
    #
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    #
    # Set access for localhost
    #
    iptables -A INPUT -i lo -j ACCEPT
    #
    # Accept packets belonging to established and related connections
    #
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 965 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 35000:35010 -j ACCEPT
    iptables -A INPUT -j DROP
    #
    # Save settings
    #
    /sbin/service iptables save
    #
    # List rules
    #
    iptables -L -v

    ------------------------------

    Thanks for all your help!
  • Currently we have our MySQL port open for replication purposes, but we'd like to close it and set up an IP-specific rule that will allow the slaves to communicate.

    We tried:

    # Set default policies for INPUT, FORWARD and OUTPUT chains
    #
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    iptables -I FORWARD -s 172.21.1.20 -j ACCEPT

    #
    # Set access for localhost
    #
    iptables -A INPUT -i lo -j ACCEPT
    #
    # Accept packets belonging to established and related connections
    #
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p icmp -j ACCEPT

    ------------------------------------

    It seemed like it was working, and we could ping the master from the slave, but MySQL "show slave status" said "Reconnecting after a failed master event read". After changing it back to the way we had it, replication is back to functional.

    Should we add the rule as part of the INPUT chain rather than FORWARD?

    Thanks,

    Joe
  • Yep, in my experience there's really no reason to accept any FORWARD packets if you're just running a server (web/email/database/etc.). That rule should almost certainly be in the INPUT chain.

    For what it's worth: I have an (incomplete) IPtables tutorial on my website, http://www.ellipsix.net/geninfo/firewall/index.html, that might have some useful information for you. (Sorry if I already told you about this, I know I mentioned it to someone but I don't think it was on this thread)

    :) David
  • Thanks; right after I posted, I moved it to the INPUT chain and it appears to be functioning as expected.