Linux Iptables firewall

Thread: Linux Iptables firewall

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    214

    Linux Iptables firewall

    I'm not a newbie to firewalls or networking, but I don't have a degree in them either. I noticed something interesting just now, and I hoped someone could explain this.

    I was configuring a fairly simple firewall for my home server, which is behind a NAT router. Since it is a mail server, I needed to open port 25, as well as local ports. Take a look:

    (This is a rule on the input table in iptables, in plain English):

    If protocol is TCP and destination is 192.168.2.196 and input interface is eth0 and destination port is 1024:65535 and source port is 25, Accept.

    I was thinking about this, and this basically means as long as the person making the request forges it so that their request comes from port 25, they can basically access any non-service port on my server, right?

    Is that possible?

    Thanks
    Either get busy living or get busy dying.

    -The Shawshank Redemption

  2. #2
    Hey, I'm not good at this either but I'll give it a try....

    destination port is 1024:65535 and source port is 25, Accept.
    Doesn't that mean that they can access through any port between 1024 and 65535 as long as the request comes from port 25... doesn't that still expose you to risk, since they can exploit port 25 and you give them access to every port 1024:65535...?

    If someone can explain this better, I'm curious too! Shouldn't you just allow port 25 to make connections if it is a mail server?

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    214
    Thanks for your reply, DreamDown. It's required that I open the local ports, since it talks to other mail servers and, the way TCP works, it's needed to do that (unless there's a more secure way to write that rule, anyone?)
    Either get busy living or get busy dying.

    -The Shawshank Redemption

  4. #4
    Senior Member (kr5kernel)
    Join Date
    Mar 2004
    Posts
    347
    I thought Hping did something like that, could be wrong though, trying to remember from a similar post. Anyway, it would be possible for someone to tunnel a connection to a different port over 25 and then exploit another service.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  5. #5
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    I'm supposing that 192.168.2.196 is your mail server's (with Netfilter on) IP address.

    # So to allow external guys connect to it:

    iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # to allow you to access external e-mail servers

    iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # allow only related and established sessions on both ways

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    So you don't need to open user ports. Why should you?
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  6. #6
    Senior Member
    Join Date
    Apr 2002
    Posts
    214
    Thanks for your replies. Cacosapo, those two rules at the end of your post would work for all services then? So for example, if I also wanted to put a webserver online, I would open port 80 incoming and outgoing (like the first two rules in your post), and the other already existing rules would take care of the local ports? Please correct me if I misunderstood.

    kr5kernel, how can you tunnel a connection through port 25 to a different service? I didn't know that was possible..
    Either get busy living or get busy dying.

    -The Shawshank Redemption

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    As cacosapo posted, you really only need to give people access to TCP/25 (SMTP). If you want to have some fun once you are comfortable, look into playing with the owner module for netfilter.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  8. #8
    Senior Member (IKnowNot)
    Join Date
    Jan 2003
    Posts
    792
    WoW ..a lot going on here!!

    I'm drunk now, so bear with me ..

    If protocol is TCP and destination is 192.168.2.196 and input interface is eth0 and destination port is 1024:65535 and source port is 25, Accept.
    as DreamDown said, you want everyone to connect to any port between 1024 and 65535 if their source port is 25 ?? Or do you want them to connect to port 25, the port the smtp will listen to?

    Back to basics. You said it is behind a NAT router. How is this configured? You should be NATing port 25 to the mail server ( port 25 ) already, not allowing any other port requests from outside to be going to it? What interface is connected to the router? ( I suppose eth0 is connected to the LAN you want to access the mail server: ie. eth0 is facing the LAN? )


    Ok, now back to the firewall.
    First I must say here: logging everything will help you both identify problems with the firewall when you set it up and keep track of who and what is connecting.

    What cacosapo said about the INPUT should work, but I would not be using the stateful part of Netfilter quite yet.
    To allow connections to port 25 on eth0
    iptables -A INPUT -p tcp -i eth0 --dport 25 -j LOG --log-level info --log-prefix "smtp in eth0: "
    iptables -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT

    how can you tunnel a connection through port 25 to a different service? I didn't know that was possible..
    Of course it is, if they find another exploit! That port should be bound to the smtp engine.

    If eth1 is facing the NAT router, to connect to other outside mail servers
    iptables -A OUTPUT -p tcp -o eth1 --dport 25 -j LOG --log-level info --log-prefix "smtp out to net: "
    iptables -A OUTPUT -p tcp -o eth1 --dport 25 -j ACCEPT

    Here, correct me if I am wrong, your mail server should be using a different port ( between 1024 and 65535 ) to send its information to other servers listening to port 25.

    So you have your LAN connecting to the smtp box via eth0, your box connecting to outside smtp servers via eth1 ... but what about the other way around? What about outside servers trying to relay incoming mail to your server?

    iptables -A INPUT -p tcp -i eth1 --dport 25 -j LOG --log-level info --log-prefix "smtp in from net: "
    iptables -A INPUT -p tcp -i eth1 --dport 25 -j ACCEPT

    The requests from the LAN, both sending and receiving should still originate from the LAN and go to port 25, thus using the above rule.

    THEN, to maintain the connections, both inside and outside the LAN you would use the “stateful” properties of Netfilter:
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    those two rules at the end of your post would work for all services then?
    Yes! Just remember, Netfilter ( and IPTables ) works in a top-down method. Those rules would be AFTER the rules which allowed the original connections.

    Also note you should include such things as

    At the beginning, to clear all rules and make the default policy drop everything you don't explicitly allow:

    iptables -F
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    # ------Set default policies for packets going through this firewall box-------- #
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    at the end of your firewall rules:

    # ---log all packets that hit the default policy ---- #
    iptables -A INPUT -j LOG --log-level info --log-prefix "input_default_drop: "
    iptables -A OUTPUT -j LOG --log-level info --log-prefix "output_default_drop: "
    iptables -A FORWARD -j LOG --log-level info --log-prefix "forward_default_drop: "


    Hope this helps ..... and I didn’t screw it up while drunk!
    "And maddest of all, to see life as it is and not as it should be" -- Miguel Cervantes

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Originally posted here by IKnowNot
    Yes! Just remember, Netfilter ( and IPTables ) works in a top-down method.
    This is incorrect. The number and location of rules in your file is unrelated to their situation in the actual rule chain. It works by following every rule on the chain until it hits an exit target (ACCEPT, DROP, DNAT, etc). Note LOG is not an exit target.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
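    The ruleset the thread converges on, as an added example that is not code from anyone in the thread: cacosapo's (#5) state-based accepts, IKnowNot's (#8) default DROP policy and logging, and Chris Shepherd's (#9) point that a chain is walked rule by rule until a terminating target is hit, so LOG never ends the walk. It generates an iptables-restore file rather than calling iptables directly, so the result can be read before loading. Assumptions not taken from the thread: a single interface eth0 faces the NAT router (the eth0/eth1 split in #8 is IKnowNot's), and the published ports are read from SERVICE_PORTS, which covers the web-server question from #6 by listing more ports. The address 192.168.2.196 is the one given in the thread; `-m conntrack --ctstate` is the current spelling of the thread's `-m state --state`.

```shell
#!/bin/sh
# Added example, not code from the thread: generate an iptables-restore
# ruleset for a mail server behind a NAT router (default DROP, publish SMTP,
# accept the rest by connection state, log what falls through).
# Assumptions: one interface, eth0, faces the router; the server's address is
# 192.168.2.196 (from the thread); only SMTP is published unless SERVICE_PORTS
# is overridden (e.g. SERVICE_PORTS="25 80" to add a web server).

WAN_IF="${WAN_IF:-eth0}"              # assumption: interface toward the router
MAIL_IP="${MAIL_IP:-192.168.2.196}"   # the server's address, from the thread
SERVICE_PORTS="${SERVICE_PORTS:-25}"  # TCP ports published to the outside

gen_ruleset() {
    # Default DROP on every chain: anything not accepted below is dropped.
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT'

    # Connection tracking replaces the source-port guess: a packet is accepted
    # because conntrack already saw the connection it belongs to, not because
    # of a port number the remote side chose. Placing these first is safe:
    # a packet has exactly one ctstate, so NEW and ESTABLISHED never overlap.
    printf '%s\n' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

    # New inbound sessions only to the published ports and only when addressed
    # to this host. LOG is not a terminating target, so the ACCEPT follows it.
    for port in $SERVICE_PORTS; do
        printf '%s\n' \
            "-A INPUT -i $WAN_IF -p tcp -d $MAIL_IP --dport $port -m conntrack --ctstate NEW -j LOG --log-level info --log-prefix \"tcp$port in: \"" \
            "-A INPUT -i $WAN_IF -p tcp -d $MAIL_IP --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done

    # Our own MTA opening sessions to remote port 25, from any local port above
    # 1023. OUTPUT rules take -o (outgoing interface), never -i.
    printf '%s\n' \
        "-A OUTPUT -o $WAN_IF -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT"

    # The rule the thread started from is emitted only as a comment: it trusts
    # the remote source port, which the remote end picks freely, so it would
    # admit new connections to every high port on the box.
    printf '%s\n' \
        "# NOT USED: -A INPUT -i $WAN_IF -p tcp -d $MAIL_IP --sport 25 --dport 1024:65535 -j ACCEPT"

    # Log whatever fell through, then drop it explicitly. The chain policy would
    # drop it anyway; the explicit DROP keeps the verdict visible in -L output.
    printf '%s\n' \
        '-A INPUT -j LOG --log-level info --log-prefix "input_default_drop: "' \
        '-A INPUT -j DROP' \
        '-A OUTPUT -j LOG --log-level info --log-prefix "output_default_drop: "' \
        '-A OUTPUT -j DROP' \
        '-A FORWARD -j LOG --log-level info --log-prefix "forward_default_drop: "' \
        '-A FORWARD -j DROP' \
        'COMMIT'
}

# Check on the generated set: no active rule may accept on the strength of a
# remote source port alone. Prints the count of such rules; 0 is the only good value.
count_sport_accepts() {
    gen_ruleset | grep -v '^#' | grep -c -- '--sport [0-9]* .*-j ACCEPT' || true
}

# Active rules accepting NEW inbound connections: one per published port.
count_new_inbound() {
    gen_ruleset | grep -v '^#' | grep -c '^-A INPUT .*--ctstate NEW -j ACCEPT' || true
}

# Usage (as root, after reading the output):
#   gen_ruleset > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
gen_ruleset
```

    The generator publishes only what SERVICE_PORTS lists; anything else the MTA needs to reach out for (DNS lookups, for instance) would need its own OUTPUT rule, since the default OUTPUT policy here is DROP as well. iptables-restore replaces the whole filter table atomically, so a mistake in the file is fixed by editing and reloading rather than by appending more rules.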

  10. #10
    Senior Member
    Join Date
    Apr 2002
    Posts
    214
    Thanks everyone for your help, I fixed everything now. The nat router only lets port 25 in, and the rules that cacosapo mentioned worked perfectly.
    Either get busy living or get busy dying.

    -The Shawshank Redemption
