#1
Old 07-02-2008, 09:06 PM
Mark Hobley
iptables: allowing only listed hosts to connect to a port

I want to allow only hosts from the local area network and certain
external networks to be able to access a specific port number. I have created
a script firewall.sh, as follows:

#!/bin/sh

ALLOWED="
10.0.0.0/8
192.168.0.0/16
51.0.0.0/8
62.30.0.0/16
80.0.0.0/13
"

for addr in $ALLOWED
do
iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
done

iptables -A INPUT -p tcp --dport 7500 -jDROP

After running the script iptables -L -n reveals:

Chain INPUT (policy ACCEPT)
ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500

I find that hosts outside of the list are still able to access the port.
Is the last entry in the table correct?

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
|
Should this read "anywhere"?

Why isn't my filter working?

Please advise.

Mark.

--
Mark Hobley,
393 Quinton Road West,
Quinton, BIRMINGHAM.
B32 1QE.
#2
Old 07-02-2008, 09:21 PM
pk
Re: iptables: allowing only listed hosts to connect to a port

On Wednesday 2 July 2008 23:06, Mark Hobley wrote:

> I want to allow only hosts from the local area network and certain
> external networks to be able to access a specific port number. I have
> created a script firewall.sh, as follows:
>
> #!/bin/sh
>
> ALLOWED="
> 10.0.0.0/8
> 192.168.0.0/16
> 51.0.0.0/8
> 62.30.0.0/16
> 80.0.0.0/13
> "
>
> for addr in $ALLOWED
> do
> iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
> done
>
> iptables -A INPUT -p tcp --dport 7500 -jDROP
>
> After running the script iptables -L -n reveals:
>
> Chain INPUT (policy ACCEPT)
> ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
> ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
> ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
> ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
> ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
>
> I find that hosts outside of the list are still able to access the port.


Set a DROP default policy for the INPUT chain:

iptables -P INPUT DROP

(usually this is done before allowing anything)

this will drop anything not explicitly allowed, so be careful if you run
that command while you are remotely connected.

#3
Old 07-02-2008, 10:33 PM
Mark Hobley
Re: iptables: allowing only listed hosts to connect to a port

pk <pk@pk.invalid> wrote:

> Set a DROP default policy for the INPUT chain:


Doesn't this affect the overall networking policy for every port number?

On the whole, I want my network traffic unfiltered (allowed by default).
However there are certain ports that I want traffic blocked on, unless I
specifically allow it.

Maybe I need some sort of allow by default for some ports, but drop by
default for other ports type of policy. (Is that possible?)

> iptables -P INPUT -j DROP
>
> (usually this is done before allowing anything)
>
> this will drop anything not explicitly allowed, so be careful if you run
> that command while you are remotely connected.


I am remotely connected (though not via port 7500 which is a different
kind of service and nothing to do with my remote connection). I am
concerned that that will zap all of my network services. This is a busy server.

I only want to make changes to port 7500.

Regards,

Mark.

--
Mark Hobley,
393 Quinton Road West,
Quinton, BIRMINGHAM.
B32 1QE.
#4
Old 07-02-2008, 11:42 PM
h.stroph
Re: iptables: allowing only listed hosts to connect to a port

"Mark Hobley" <markhobley@hotpop.donottypethisbit.com> wrote in message
news:ebctj5-rqg.ln1@neptune.markhobley.yi.org...

> > Set a DROP default policy for the INPUT chain:

>
> Doesn't this affect the overall networking policy for every port number?


No, it only affects the default policy for the INPUT chain on that
interface. Deny all, allow only what is specified.

> On the whole, I want my network traffic unfiltered (allowed by default).


Only an incompetent fool of an administrator would want such unfiltered
traffic.


#5
Old 07-03-2008, 01:02 AM
Mark Hobley
Re: iptables: allowing only listed hosts to connect to a port

h.stroph <me@privacy.net> wrote:

> Only an incompetent fool of an administrator would want such an unfiltered
> traffic.


This particular computer is a public access machine and the traffic is
already being filtered by a remote hardware based firewall device and
intermediate routing devices. The specific filtering on port 7500 is
being done locally on the machine in supplement to the external
firewalling due to a limitation of the external hardware based firewall,
which is not able to handle a lengthy access list chain against the
forwarded 7500 service port. The computer is providing public access web
services, news feeds, email, internet relay chat, game services and internal
networking services, such as internal client access, and network file services
on several port numbers.

I don't want a change to the iptables list to affect those services. All I
want to do through iptables is limit access to port 7500 to those networks on
the access list. I want the remaining networking ports to remain operational,
as they are now. I would have made these restrictions on one of the
external firewalling devices rather than on the local machine had this been
possible.

Regards,

Mark.

--
Mark Hobley,
393 Quinton Road West,
Quinton, BIRMINGHAM.
B32 1QE.
#6
Old 07-03-2008, 10:35 AM
Pascal Hambourg
Re: iptables: allowing only listed hosts to connect to a port

Hello,

Mark Hobley wrote:
>
> After running the script iptables -L -n reveals:
>
> Chain INPUT (policy ACCEPT)
> ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
> ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
> ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
> ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
> ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
>
> I find that hosts outside of the list are still able to access the port.


Weird. Are there other rules in the ruleset? What happens if you remove
all the ACCEPT rules and leave only the DROP rule?

> Is the last entry in the table correct?
>
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
> |
> Should this read "anywhere"?


With the -n option it is the "anywhere" in the other lines which should
read "0.0.0.0/0".
#7
Old 07-03-2008, 07:10 PM
Mark Hobley
Re: iptables: allowing only listed hosts to connect to a port

Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> wrote:

> Weird. Are there other rules in the ruleset? What happens if you remove
> all the ACCEPT rules and leave only the DROP rule?


There are no additional rules in the ruleset. The setup script is as
posted.

If I just have the drop line, all traffic to the port is dropped.

If I invert the script as follows:

iptables -A INPUT -p tcp --dport 7500 -jDROP

for addr in $ALLOWED
do
iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
done

This produces a filter table as follows:

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500

However, in this scenario, all network traffic to port 7500 remains
blocked, even from the accepted ports, presumably because the first rule
produces a match, and the rest of the table is then ignored.

iptables -V reveals:

iptables v1.3.6

cat /proc/version reveals:

Linux version 2.6.18-6-486 (Debian 2.6.18.dfsg.1-18etch6)

Regards,

Mark.

--
Mark Hobley,
393 Quinton Road West,
Quinton, BIRMINGHAM.
B32 1QE.
#8
Old 07-03-2008, 10:24 PM
Pascal Hambourg
Re: iptables: allowing only listed hosts to connect to a port

Mark Hobley wrote:
>
> If I just have the drop line, all traffic to the port is dropped.


Just as expected. Are you really really 100% sure that hosts outside the
list ranges can connect to the port?

> If I invert the script as follows:
>
> iptables -A INPUT -p tcp --dport 7500 -jDROP
>
> for addr in $ALLOWED
> do
> iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
> done
>
> This produces a filter table as follows:
>
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
> ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
> ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
> ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
> ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
> ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
>
> However, in this scenario, all network traffic to port 7500 remains
> blocked, even from the accepted ports, presumably because the first rule
> produces a match, and the rest of the table is then ignored.


Just as expected.
#9
Old 07-04-2008, 01:01 AM
Baho Utot
Re: iptables: allowing only listed hosts to connect to a port

Mark Hobley wrote:

> Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> wrote:
>
>> Weird. Are there other rules in the ruleset? What happens if you remove
>> all the ACCEPT rules and leave only the DROP rule?

>
> There are no additional rules in the ruleset. The setup script is as
> posted.
>
> If I just have the drop line, all traffic to the port is dropped.
>
> If I invert the script as follows:
>
> iptables -A INPUT -p tcp --dport 7500 -jDROP
>
> for addr in $ALLOWED
> do
> iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
> done
>
> This produces a filter table as follows:
>
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
> ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
> ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
> ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
> ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
> ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
>
> However, in this scenario, all network traffic to port 7500 remains
> blocked, even from the accepted ports, presumably because the first rule
> produces a match, and the rest of the table is then ignored.
>
> iptables -V reveals:
>
> iptables v1.3.6
>
> cat /proc/version reveals:
>
> Linux version 2.6.18-6-486 (Debian 2.6.18.dfsg.1-18etch6)
>
> Regards,
>
> Mark.
>


Yes working correctly.
The first rule drops the packet and the other rules then match nothing.

--
We are Filipinos
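An added example, not code from any post in this thread. It covers two points raised above: Mark's wish (post #3) for drop-by-default on one port while the INPUT policy stays ACCEPT, and Pascal's and Baho's explanation that the first matching rule decides and later rules are never consulted. The script keeps the port-7500 allow-list in a user-defined chain (the chain name PORT_7500_ACL and the dry-run IPT variable are this example's own choices, not anything from the thread) and includes a small pure-shell model of first-match evaluation, so the two orderings Mark tried can be compared without touching a live firewall:

```shell
#!/bin/sh
# Added example, not a script from this thread. Two parts:
#  1. install_port_acl: put the allow-list for one port in its own chain, so
#     the INPUT policy can stay ACCEPT and every other port is untouched.
#  2. first_match: a pure-shell model of iptables' first-match evaluation,
#     showing why ACCEPT-then-DROP works and DROP-then-ACCEPT blocks everyone.
# IPT defaults to a dry run that only prints the commands; set IPT=iptables
# (as root) to apply them. The chain name PORT_7500_ACL is our own choice.
IPT="${IPT:-echo iptables}"
PORT=7500
ALLOWED="10.0.0.0/8 192.168.0.0/16 51.0.0.0/8 62.30.0.0/16 80.0.0.0/13"
CHAIN="PORT_${PORT}_ACL"

install_port_acl() {
    $IPT -N "$CHAIN" 2>/dev/null || true       # already exists on a re-run
    $IPT -F "$CHAIN"                            # rebuild the chain from scratch
    for addr in $ALLOWED; do
        $IPT -A "$CHAIN" -s "$addr" -j ACCEPT   # listed source: accept
    done
    $IPT -A "$CHAIN" -j DROP                    # anyone else: drop
    # One jump rule at the top of INPUT: port-$PORT traffic is decided inside
    # the chain before any other INPUT rule sees it. Delete a stale copy first
    # so repeated runs do not stack duplicate jumps.
    $IPT -D INPUT -p tcp --dport "$PORT" -j "$CHAIN" 2>/dev/null || true
    $IPT -I INPUT 1 -p tcp --dport "$PORT" -j "$CHAIN"
}

# --- first-match model (no iptables needed) ---------------------------------
# ip_to_int 10.1.2.3 -> 167838211
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR PREFIX: succeeds when ADDR lies inside PREFIX (e.g. 10.0.0.0/8)
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( 4294967295 ^ ((1 << (32 - bits)) - 1) ))   # /8 -> 0xFF000000
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# first_match RULES SRC POLICY: RULES is one "prefix verdict" per line, all
# assumed to match the same destination port. Rules are walked top to bottom
# and the first prefix covering SRC decides, as the kernel does; POLICY is
# returned only when no rule matched.
first_match() {
    while read -r prefix verdict; do
        [ -n "$prefix" ] || continue
        if in_cidr "$2" "$prefix"; then
            echo "$verdict"
            return 0
        fi
    done <<EOF
$1
EOF
    echo "$3"
}

# The five ACCEPT rules from the thread, then the two orderings Mark tried.
ALLOW_RULES="10.0.0.0/8 ACCEPT
192.168.0.0/16 ACCEPT
51.0.0.0/8 ACCEPT
62.30.0.0/16 ACCEPT
80.0.0.0/13 ACCEPT"
ORIGINAL_ORDER="$ALLOW_RULES
0.0.0.0/0 DROP"
INVERTED_ORDER="0.0.0.0/0 DROP
$ALLOW_RULES"

install_port_acl
# Constructed sample sources: inside 10/8, inside and just outside 80.0.0.0/13,
# and a documentation address that is on no list.
for src in 10.1.2.3 80.7.1.1 80.8.0.1 198.51.100.9; do
    printf '%-14s original=%-6s inverted=%-6s no-drop-rule=%s\n' "$src" \
        "$(first_match "$ORIGINAL_ORDER" "$src" ACCEPT)" \
        "$(first_match "$INVERTED_ORDER" "$src" ACCEPT)" \
        "$(first_match "$ALLOW_RULES" "$src" ACCEPT)"
done
```

Run as-is it only prints the commands and the verdict table; IPT=iptables applies the rules. The model confirms what the later posts say: in Mark's original ACCEPT-then-DROP order the final DROP rule is correct and only listed sources get through, while the inverted order drops everyone because the catch-all is consulted first. If unlisted hosts still reach port 7500 with the original order in place, a quick check on the live box is iptables -L INPUT -v -n: if the DROP rule's packet counter stays at zero while such a host connects, the packets are not reaching that rule at all.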
#10
Old 07-04-2008, 06:12 AM
Chipmunk
Re: iptables: allowing only listed hosts to connect to a port

Baho Utot wrote:
> Mark Hobley wrote:
>
>> Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> wrote:
>>
>>> Weird. Are there other rules in the ruleset? What happens if you remove
>>> all the ACCEPT rules and leave only the DROP rule?

>> There are no additional rules in the ruleset. The setup script is as
>> posted.
>>
>> If I just have the drop line, all traffic to the port is dropped.
>>
>> If I invert the script as follows:
>>
>> iptables -A INPUT -p tcp --dport 7500 -jDROP
>>
>> for addr in $ALLOWED
>> do
>> iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
>> done
>>
>> This produces a filter table as follows:
>>
>> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
>> ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
>> ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
>> ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
>> ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
>> ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
>>
>> However, in this scenario, all network traffic to port 7500 remains
>> blocked, even from the accepted ports, presumably because the first rule
>> produces a match, and the rest of the table is then ignored.
>>
>> iptables -V reveals:
>>
>> iptables v1.3.6
>>
>> cat /proc/version reveals:
>>
>> Linux version 2.6.18-6-486 (Debian 2.6.18.dfsg.1-18etch6)
>>
>> Regards,
>>
>> Mark.
>>

>
> Yes working correctly.
> The first rule drops the packet and the other rules then match nothing.
>


Erm, shouldn't the DROP rule be after the accept rules?