
Thread: Iptables help!

  1. #1
    It's a gas!
    Join Date
    Jul 2002
    Posts
    699

    Iptables help!

    Hi guys

    I need help getting my iptables script to run on my RedHat 7.3 box.
    The script is as follows

    Code:
    #!/bin/bash
    ./iptables -A INPUT -p udp --dport 68 -j REJECT
    ./iptables -A INPUT -p udp --dport 1025 -j REJECT
    ./iptables -A INPUT -p udp --dport 111 -j REJECT
    ./iptables -A INPUT -p udp --dport 1024 -j REJECT
    ./iptables -A INPUT -p tcp --dport 25 -j REJECT
    ./iptables -A INPUT -p tcp --dport 111 -j REJECT
    ./iptables -A INPUT -p tcp --dport 1024 -j REJECT
    ./iptables -A INPUT -p tcp --dport 1025 -j REJECT
    ./iptables -A INPUT -p tcp --dport 6000 -j REJECT
    which is in /sbin, but when I run the script and do a scan on myself the ports are still open!
    I've tried typing iptables -V but I get 'command not found', which I think means that iptables is not loaded.
    I've also tried ipchains -V, which gives me the same message, so that isn't loaded either!

    I don't know what else to do, so any help would be great!

    Cheers

    r3b00+

  2. #2
    It's a gas!
    Join Date
    Jul 2002
    Posts
    699
    C'mon guys, can nobody out there help me out?

  3. #3
    Junior Member
    Join Date
    Oct 2001
    Posts
    5
    Well, I'll do my best.

    First, make sure iptables is installed by doing "whereis iptables".

    Second, make sure you're root when you try to do anything with iptables, like "iptables -V"

    Third, try changing REJECT to DROP. I'm not sure if Redhat installs any extra targets, but according to the documentation I've read, the only targets installed by default are DROP and ACCEPT, not REJECT.

    Fourthly, make sure you're doing a UDP scan of the computer, as most scanners (like Nmap) default to a TCP scan.

    If all of this fails, read the How-To, which you can find at http://www.netfilter.org/unreliable-...ltering-HOWTO/

    Hope some of that helps!
    -Onager

  4. #4
    It's a gas!
    Join Date
    Jul 2002
    Posts
    699
    Thanks for the reply Onager.

    1 Well, iptables is installed; it's located in /sbin
    2 I am root when I try the command iptables -V
    3 Haven't tried this yet, but I'm gonna give it a go as soon as I get home
    4 I've done both a UDP and TCP scan on my box
    5 I'll give that a read now

    Cheers again

    r3b00+

  5. #5
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Firstly, I agree with Onager..... change the REJECT to DROP. Also, iptables does not "close" the ports, but takes the actions you define at the entrance of the port itself. How did you test your script, just with a portscan, or did you actually try to connect to the ports mentioned? If the ports are set to REJECT, then you can still see them as open in a portscan, but can you actually connect to them?

    Then to "hide" them from simple scans, also drop/reject ICMP, since some scans have ping enabled, which is not blocked if you reject/drop UDP and TCP.

    Then the most important of all......
    Block everything, then allow only what is really needed.

    I hope the example below helps you.

    (ps: $IPTABLES in your case is like you defined it: ./iptables)

    i.e.


    This flushes all rules and should be at the beginning of most iptables scripts.

    #Default policy and flush

    $IPTABLES -P INPUT DROP

    $IPTABLES -P FORWARD DROP

    $IPTABLES -P OUTPUT DROP


    $IPTABLES -F #Flushing all chains (table filter)

    $IPTABLES -t nat -F #Flushing all chains (table nat)

    $IPTABLES -X #Delete all user-defined chains
    #(Table filter)

    ------------------------------------------------------------

    This allows your local connections (ssh localhost etc....)

    #Local processes

    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    $IPTABLES -A INPUT -i lo -j ACCEPT


    ------------------------------------------------------------

    After you have blocked all access (the above), then start allowing what you want to accept.

    For example, the first step is always DNS, after that HTTP, FTP (both for input and output), etc....


    i.e.

    for your web browser

    #HTTP

    $IPTABLES -A OUTPUT -o $EXT -m state --state NEW \

    -p TCP --sport $p_high --dport http \

    -j ACCEPT


    This is only a rough idea, but I hope it actually helps you out. It is important that you actually have a policy. DON'T allow all and block out the few things you don't want; that's very unsafe. Instead, block everything and specifically allow only what you really need. The example script you have posted will not prevent a trojan or any other service running on a port you did not mention, which is why you block everything first, then allow what is wanted/needed.

    I also recommend you google for iptables tutorials and see what else you can come up with.

    Good luck

    Oops, what I forgot to mention..... in my example I have $p_high and $EXT....

    At the beginning of my script I have defined them:

    this is used as source ports most of the time

    p_high="1024:65535" #Unprivileged ports


    and this is my interface (all this is only an example)

    EXT="eth0"

    You have to add a lot more to the iptables script to make it safe. Read up as much as you can on iptables.

    good luck

  6. #6
    It's a gas!
    Join Date
    Jul 2002
    Posts
    699
    Wow!
    Thanks for such a detailed reply instronics.
    I can actually connect to the ports, so they must be open!
    Someone i know just wrote that simple iptables script for me, and it was meant to be a simple script.
    But im starting to understand iptables now and the various arguments that can be passed to them, so when ive got time im gonna write myself a more secure script.

    I have changed the policy on my current script to DROP and scanned myself from my own box but these ports still appear to be open!

    Cheers

    r3b00+

  7. #7
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    You're welcome.... the reason why you still have open ports may be the fact that you have not flushed the rules at the beginning of the script.

    But yeah, take your time and read your way through. Once you get the hang of it you will see how addictive iptables can become. A lot of fun.

    For more info I recommend http://www.netfilter.org/documentati...-tutorial.html

    that site is very well and simply explained and will take you from a simple script to a very advanced firewall script.

    Good luck to you

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Originally posted here by instronics

    Then the most important of all......
    Block everything, then allow only what is really needed.
    Bravo... I couldn't have said it better myself. This is definitely the most important thing you can do. Although it is not directly related to your problem, I thought it was worth repeating.

  9. #9
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    IBID instronics,
    "Block everything, then allow only what is really needed."

    Because it doesn't recognize the iptables command, I think maybe this is where you went wrong.
    IPtables is not running by default, and will not run if IPchains is installed and running.
    Make sure the IPChains RPMs are removed from the configuration (Red Hat 7.2, 7.3 install them by default; don't remember about 8.0).
    As root:
    Test to see if ipchains is running
    "chkconfig --list ipchains"
    if it is, turn it off
    "chkconfig ipchains off"
    if necessary, use "rpm -e ipchains" to remove ipchains
    To test if they are installed,
    "rpm -q ipchains" or better yet,
    "rpm -qa | grep ipchains"
    you can do the same to check that iptables is installed.
    Check to see if IPtables is running
    "chkconfig --list iptables"
    if it is not running and ipchains and ipfwadm are not installed, run the following:
    "chkconfig iptables on"

    IPTABLES is very powerful, but it is easy to misconfigure, even by people who use it every day. Don't forget to check out the Security Announcements at
    http://www.netfilter.org/security/

    hope this helps
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
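    The check IKnowNot walks through (is the ipchains service still switched on, and is the iptables service off?) as a small script that reads "chkconfig --list" output and gives a one-word diagnosis. This is an added example, not IKnowNot's own commands: the chkconfig output embedded below is constructed to look like the Red Hat 7.3 situation described, and on a real host the "live" argument feeds the real "chkconfig --list" and current runlevel in instead (runlevel is assumed to be available, as on sysvinit systems).

```shell
#!/bin/sh
# Added example (not from the thread): parse "chkconfig --list" output and
# report whether ipchains would block the iptables service from starting.

# Constructed sample of "chkconfig --list" on a box where ipchains is still on
SAMPLE_LIST='ipchains        0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# service_state LIST SERVICE RUNLEVEL -> prints on, off, unknown or absent
service_state() {
    printf '%s\n' "$1" | awk -v s="$2" -v l="$3" '
        $1 == s {
            found = 1
            # fields after the name look like N:on / N:off
            for (i = 2; i <= NF; i++) {
                split($i, a, ":")
                if (a[1] == l) { print a[2]; exit }
            }
            print "unknown"; exit
        }
        END { if (!found) print "absent" }'
}

# firewall_status LIST RUNLEVEL -> one-word diagnosis
firewall_status() {
    _ipc=$(service_state "$1" ipchains "$2")
    _ipt=$(service_state "$1" iptables "$2")
    if [ "$_ipc" = on ]; then
        echo ipchains-enabled        # fix: chkconfig ipchains off (or rpm -e ipchains)
    elif [ "$_ipt" != on ]; then
        echo iptables-disabled       # fix: chkconfig iptables on
    else
        echo ok
    fi
}

if [ "${1:-}" = live ] && command -v chkconfig >/dev/null 2>&1; then
    # real host: use the actual service table and the current runlevel
    firewall_status "$(chkconfig --list)" "$(runlevel | awk '{print $2}')"
else
    firewall_status "$SAMPLE_LIST" 3
fi
```

    On the constructed sample the script reports ipchains-enabled, i.e. the first thing to fix; once ipchains is off and iptables is on in the runlevel it reports ok.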

  10. #10
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    Hi r3b00+,
    I learned to set my iptables rules using... the iptables tutorial from Oskar Andreasson. Maybe this one can help you out... http://www.linuxsecurity.com/resourc...-tutorial.html
