-
December 30th, 2002, 09:24 PM
#1
Iptables help!
Hi guys
I need help getting my iptables script to run on my RedHat 7.3 box.
The script is as follows:
Code:
#!/bin/bash
# NB: ./iptables is a relative path, so this only finds the binary when the
# script is run from inside /sbin; /sbin/iptables would work from any directory.
./iptables -A INPUT -p udp --dport 68 -j REJECT     # bootpc (DHCP client)
./iptables -A INPUT -p udp --dport 1025 -j REJECT
./iptables -A INPUT -p udp --dport 111 -j REJECT    # sunrpc / portmapper
./iptables -A INPUT -p udp --dport 1024 -j REJECT
./iptables -A INPUT -p tcp --dport 25 -j REJECT     # smtp
./iptables -A INPUT -p tcp --dport 111 -j REJECT    # sunrpc / portmapper
./iptables -A INPUT -p tcp --dport 1024 -j REJECT
./iptables -A INPUT -p tcp --dport 1025 -j REJECT
./iptables -A INPUT -p tcp --dport 6000 -j REJECT   # X11
which is in /sbin, but when I run the script and do a scan on myself the ports are still open!
I've tried typing iptables -V but I get 'command not found', which I think means that iptables is not loaded.
I've also tried ipchains -V, which gives me the same message, so that isn't loaded either!
I don't know what else to do, so any help would be great!
Cheers
r3b00+
-
December 31st, 2002, 09:54 AM
#2
C'mon guys, can nobody out there help me out?
-
December 31st, 2002, 12:18 PM
#3
Well, I'll do my best.
First, make sure iptables is installed by doing "whereis iptables".
Second, make sure you're root when you try to do anything with iptables, like "iptables -V"
Third, try changing REJECT to DROP. I'm not sure if Red Hat installs any extra targets, but according to the documentation I've read, the only targets installed by default are DROP and ACCEPT, not REJECT.
Fourthly, make sure you're doing a UDP scan of the computer, as most scanners (like Nmap) default to a TCP scan.
If all of this fails, read the How-To, which you can find at http://www.netfilter.org/unreliable-...ltering-HOWTO/
Hope some of that helps!
-Onager
-
December 31st, 2002, 12:25 PM
#4
Thanks for the reply, Onager.
1. Well, iptables is installed; it's located in /sbin.
2. I am root when I try the command iptables -V.
3. Haven't tried this yet, but I'm gonna give it a go as soon as I get home.
4. I've done both a UDP and a TCP scan on my box.
5. I'll give that a read now.
Cheers again
r3b00+
-
January 2nd, 2003, 12:31 PM
#5
Firstly, I agree with Onager: change the REJECT to DROP. Also, iptables does not "close" the ports, but takes the actions you define at the entrance of the port itself. How did you test your script, just with a portscan, or did you actually try to connect to the ports mentioned? If the ports are set to REJECT, then you can still see them as open in a portscan, but can you actually connect to them?
Then, to "hide" them from simple scans, also drop/reject ICMP, since some scans have ping enabled, which is not blocked if you reject/drop UDP and TCP.
Then the most important of all......
Block everything, then allow only what is really needed.
I hope the example below helps you.
(PS: $IPTABLES in your case is what you defined it as: ./iptables)
i.e.
This flushes all rules and should be at the beginning of most iptables scripts:
#Default policy and flush
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -F #Flushing all chains (table filters)
$IPTABLES -t nat -F #Flushing all chains (table nat)
$IPTABLES -X #Delete all userdefined chains
#(Table filters)
------------------------------------------------------------
This allows your local connections (ssh localhost etc....):
#Local processes
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT   #INPUT matches the arriving interface with -i (there is no -o on INPUT)
------------------------------------------------------------
After you have blocked all access (the above), start allowing what you want to accept.
For example, the first step is always DNS, after that HTTP, FTP (both for input and output), etc....
ie.
For your web browser:
#HTTP (port 80; --dport takes a number or a lowercase /etc/services name such as http)
$IPTABLES -A OUTPUT -o $EXT -m state --state NEW \
-p tcp --sport $p_high --dport 80 \
-j ACCEPT
This is only a rough idea, but I hope it actually helps you out. What is important is that you actually have a policy. DON'T allow all and block out the few things you don't want; that's very unsafe. Instead, block everything and specifically allow only what you really need. The script you have posted will not prevent a trojan or any other service running on a port you did not mention, which is why you block everything first, then allow what is wanted/needed.
I also recommend you google for iptables tutorials and see what else you can come up with.
Good luck
Oops, what I forgot to mention..... in my example I have $p_high and $EXT....
At the beginning of my script I have defined them:
This is used as source ports most of the time:
p_high="1024:65535"   #Unprivileged ports (bash assignment; "set p_high = ..." is csh syntax)
And this is my interface (all this is only an example):
EXT="eth0"
You have to add a lot more to the iptables script to make it safe. Read up as much as you can on iptables.
good luck
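The default-deny layout instronics sketches above (policy DROP, flush, loopback, then explicit allows), written out as one runnable script. This is an added example, not instronics' or the original poster's script; it assumes a single external interface $EXT, iptables in /sbin, and that SSH is the only service the box should accept from outside.

```shell
#!/bin/bash
# Added example (not from the thread): default-deny iptables script in the
# shape sketched above. Assumes one external interface $EXT, iptables in /sbin
# and that SSH is the only service this box should accept from outside.
# Run "IPTABLES=echo ./fw.sh apply" to preview the rules without being root.
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXT="${EXT:-eth0}"
P_HIGH="1024:65535"   # unprivileged source ports

apply_rules() {
    # 1. Policy DROP on every chain, then flush rules left by an earlier run,
    #    so nothing stale is still accepting traffic (the point raised in #7).
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -X

    # 2. Loopback: INPUT matches on the arriving interface (-i), OUTPUT on -o.
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # 3. Replies to connections this host opened may come back in; anything
    #    unsolicited still falls through to the DROP policy.
    $IPTABLES -A INPUT  -i "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. Outbound services this host needs: DNS first, then HTTP/HTTPS.
    for dst in "udp 53" "tcp 53" "tcp 80" "tcp 443"; do
        set -- $dst
        $IPTABLES -A OUTPUT -o "$EXT" -m state --state NEW \
            -p "$1" --sport "$P_HIGH" --dport "$2" -j ACCEPT
    done

    # 5. The only inbound service deliberately exposed: SSH on port 22.
    $IPTABLES -A INPUT -i "$EXT" -m state --state NEW -p tcp --dport 22 -j ACCEPT
}

# Number of -A rules the script loads (dry run through echo), for sanity checks.
rule_count() {
    ( IPTABLES=echo; apply_rules ) | grep -c -- '^-A '
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Anything not listed in steps 4 and 5 (a trojan listening on a high port, a forgotten daemon) is covered by the DROP policy rather than needing its own rule.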
-
January 2nd, 2003, 08:18 PM
#6
Wow!
Thanks for such a detailed reply, instronics.
I can actually connect to the ports, so they must be open!
Someone I know just wrote that simple iptables script for me, and it was meant to be a simple script.
But I'm starting to understand iptables now and the various arguments that can be passed to it, so when I've got time I'm gonna write myself a more secure script.
I have changed the policy on my current script to DROP and scanned myself from my own box, but these ports still appear to be open!
Cheers
r3b00+
-
January 2nd, 2003, 11:08 PM
#7
You're welcome.... the reason why you still have open ports may be the fact that you have not flushed the rules at the beginning of the script.
But yeah, take your time and read your way through. Once you get the hang of it you will see how addictive iptables can become. A lot of fun.
For more info I recommend http://www.netfilter.org/documentati...-tutorial.html
That site is very well and simply explained and will take you from a simple script to a very advanced firewall script.
Good luck to you
-
January 3rd, 2003, 01:58 PM
#8
Originally posted here by instronics
Then the most important of all......
Block everything, then allow only what is really needed.
Bravo... I couldn't have said it better myself. This is definitely the most important thing you can do. Although it is not directly related to your problem, I thought it was worth repeating.
-
January 4th, 2003, 08:21 AM
#9
IBID instronics,
"Block everything, then allow only what is really needed."
Because it doesn't recognize the iptables command, I think maybe this is where you went wrong:
iptables is not running by default, and will not run if ipchains is installed and running.
Make sure the ipchains RPMs are removed from the configuration (Red Hat 7.2 and 7.3 install them by default; don't remember about 8.0).
As root:
Test to see if ipchains is running:
"chkconfig --list ipchains"
If it is, turn it off:
"chkconfig ipchains off"
If necessary, use "rpm -e ipchains" to remove ipchains.
To test if they are installed:
"rpm -q ipchains" or, better yet,
"rpm -qa | grep ipchains"
You can do the same to check that iptables is installed.
Check to see if iptables is running:
"chkconfig --list iptables"
If it is not running and ipchains and ipfwadm are not installed, run the following:
"chkconfig iptables on"
iptables is very powerful, but it is easy to misconfigure, even by people who use it every day. Don't forget to check out the Security Announcements at
http://www.netfilter.org/security/
hope this helps
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
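The ipchains-versus-iptables check from the post above, turned into a small script that reads the output of "chkconfig --list" and "rpm -qa" and prints the fix-up commands in the same order. This is an added example, not the poster's own script; the chkconfig line format it parses ("name 0:off 1:off ... 6:off") and the sample listings are constructed, and the RPM names use a VERSION placeholder.

```shell
#!/bin/bash
# Added example (not from the thread): decide, from "chkconfig --list" and
# "rpm -qa" output, whether the ipchains/iptables conflict described above is
# present on a Red Hat 7.x box, and print the remediation steps from post #9.
# Assumes the usual chkconfig line format: "name  0:off 1:off 2:on ... 6:off".

# Print "on"/"off" for NAME at runlevel LEVEL, or "absent" if NAME is not listed.
service_state() {           # usage: service_state NAME LEVEL  < chkconfig_output
    awk -v name="$1" -v lvl="$2" '
        $1 == name {
            for (i = 2; i <= NF; i++) { split($i, f, ":"); if (f[1] == lvl) print f[2] }
            found = 1
        }
        END { if (!found) print "absent" }'
}

# Given both listings, print the commands to run, in the order post #9 gives them.
advise() {                  # usage: advise CHKCONFIG_TEXT RPM_TEXT LEVEL
    chk="$1"; rpms="$2"; lvl="$3"
    if [ "$(printf '%s\n' "$chk" | service_state ipchains "$lvl")" = on ]; then
        echo "chkconfig ipchains off"        # ipchains enabled: it blocks iptables
    fi
    if printf '%s\n' "$rpms" | grep -q '^ipchains-'; then
        echo "rpm -e ipchains"               # package still installed: remove it
    fi
    case "$(printf '%s\n' "$chk" | service_state iptables "$lvl")" in
        on)     ;;                           # already running, nothing to do
        off)    echo "chkconfig iptables on" ;;
        absent) echo "iptables service script missing: check rpm -qa | grep iptables" ;;
    esac
}

# Constructed sample listings resembling a default 7.3 install (not real output).
SAMPLE_CHK='ipchains        0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off'
SAMPLE_RPM='ipchains-VERSION
iptables-VERSION'

advise "$SAMPLE_CHK" "$SAMPLE_RPM" 3
```

On a real box, feed it "$(chkconfig --list)" and "$(rpm -qa)" and the runlevel from "runlevel" instead of the samples.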
-
January 4th, 2003, 08:45 AM
#10
Hi r3b00+,
I learned to set my iptables rules using the iptables tutorial from Oskar Andreasson; maybe this one can help you out: http://www.linuxsecurity.com/resourc...-tutorial.html