I've written a small script to set up the iptables on my home server.
Everything appears to be working as intended save for making an outbound ssh connection. The server does allow and accept ssh connections to it, but I'm at a loss as to why I can't get out.
Any advice or suggestions would be much appreciated.
#!/bin/bash
##########################################################################################
# iptablesOPEN flushes all current IP chains opening the PC to all network traffic
##########################################################################################
iptablesOPEN()
{
    # Flush all chains
    iptables -F
}
##########################################################################################
# End iptablesOPEN
##########################################################################################
##########################################################################################
# iptablesHALT flushes all current chains and drops all network traffic on a STOP or
# HALT option closing PC to all network traffic
##########################################################################################
iptablesHALT()
{
    # Flush all chains
    iptables -F
    # Drops all network traffic
    iptables -A INPUT -j LOG --log-level 4 --log-prefix "Input packets: "
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j LOG --log-level 4 --log-prefix "Output packets: "
    iptables -A OUTPUT -j DROP
    iptables -A FORWARD -j LOG --log-level 4 --log-prefix "Forward packets: "
    iptables -A FORWARD -j DROP
}
##########################################################################################
# End iptablesHALT
##########################################################################################
##########################################################################################
# iptablesCONF flushes all current chains and sets desired firewall permissions on a
# START or RESTART option
##########################################################################################
iptablesCONF()
{
    # Flush all chains
    iptables -F
    ######################################################################################
    # INPUT Chains
    ######################################################################################
    # Enable TCP SYN cookie protection from SYN floods
    iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j DROP
    # Don't accept ICMP echo-request messages
    iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
    # Don't accept ICMP redirect messages
    iptables -A INPUT -p icmp --icmp-type redirect -j DROP
    # Enable source address spoofing protection
    iptables -A INPUT -i eth0 -s #.#.#.# -j DROP
    # Allow all local inbound traffic
    iptables -A INPUT -i lo -j ACCEPT
    # Allow only connections requested from local service
    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
    # Allow access to www & ssh services to authorised IP ranges only
    iptables -A INPUT -s #.#.#.#/24 -p tcp -m multiport --dports 80,22 -j ACCEPT
    iptables -A INPUT -s #.#.#.#/32 -p tcp -m multiport --dports 80,22 -j ACCEPT
    iptables -A INPUT -s #.#.#.#/32 -p tcp -m multiport --dports 80,22 -j ACCEPT
    # Log and drop all other traffic
    iptables -A INPUT -j LOG --log-level 4 --log-prefix "Input packets: "
    iptables -A INPUT -j DROP
    ######################################################################################
    # OUTPUT Chains
    ######################################################################################
    # Don't send ICMP redirect messages
    iptables -A OUTPUT -p icmp --icmp-type redirect -j REJECT
    # Allow New & Established connection requests
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
    # Allow all OutBound traffic to www & ssh ports
    iptables -A OUTPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
    # Log and reject all other traffic
    iptables -A OUTPUT -j LOG --log-level 4 --log-prefix "Output packets: "
    iptables -A OUTPUT -j REJECT
    ######################################################################################
    # FORWARD Chains
    ######################################################################################
    # Log and drop all other traffic
    iptables -A FORWARD -j LOG --log-level 4 --log-prefix "Forward packets: "
    iptables -A FORWARD -j DROP
}
##########################################################################################
# End iptablesCONF
##########################################################################################
##########################################################################################
# The following is the OPTIONS list that allows you to start and stop the firewall
##########################################################################################
if [ "$1" = "start" ]; then
    iptablesCONF
elif [ "$1" = "stop" ]; then
    iptablesHALT
elif [ "$1" = "restart" ]; then
    iptablesCONF
elif [ "$1" = "open" ]; then
    iptablesOPEN
else
    echo "usage: $0 start|stop|restart|open"
fi
##########################################################################################
# End options list
##########################################################################################
Last edited by Medieval_Creations (2009-10-21 22:23:09)
# Allow New & Established connection requests
iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
You're missing RELATED from this list.
# Allow all OutBound traffic to www & ssh ports
iptables -A OUTPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
This rule is redundant since you have already accepted NEW connections above.
# Enable TCP SYN cookie protection from SYN floods
iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j DROP
Side note: the kernel has inbuilt SYN cookie protection. Arch enables it by default, see /etc/sysctl.conf
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
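An added example, not code from this thread or any of its posters: a small POSIX sh/awk lint that flags the three problems raised in the reply above (a --state list with ESTABLISHED but no RELATED, an ACCEPT rule shadowed by an earlier catch-all NEW accept in the same chain, and rules appended to a user chain that is never created with -N), run over a constructed sample that mirrors the OUTPUT block of the first post. It assumes a rule is a catch-all when it carries no -p/-s/-d/-i/-o match, and that rules start with the bare word iptables.

```shell
# lint_iptables_script FILE (stdin if no argument): flags the three problems
# raised in the reply above; exit status = number of findings (0 = clean).
lint_iptables_script() {
    awk '
    function has(opt,  i) { for (i = 2; i <= NF; i++) if ($i == opt) return i; return 0 }
    BEGIN { n = 0 }
    /^[[:space:]]*#/ || NF == 0 || $1 != "iptables" { next }
    {
        chain = ""; state = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "-N") created[$(i+1)] = 1
            if ($i == "-A" || $i == "-I") { chain = $(i+1); used[chain] = $0 }
            if ($i == "--state") state = $(i+1)
        }
        if (chain == "") next
        # 1. ESTABLISHED without RELATED: ICMP errors and helper-tracked flows get dropped
        if (state ~ /ESTABLISHED/ && state !~ /RELATED/) { print "missing RELATED: " $0; n++ }
        # 2. once a chain accepts every NEW packet, later ACCEPT rules never see a new flow
        j = has("-j")
        if ((chain in catchall) && j && $(j+1) == "ACCEPT") { print "shadowed rule: " $0; n++ }
        if (state ~ /NEW/ && $NF == "ACCEPT" && !has("-p") && !has("-s") && !has("-d") &&
            !has("-i") && !has("-o")) catchall[chain] = 1
    }
    END {
        # 3. a user-defined chain must be created with -N before rules are appended to it
        for (c in used) if (c !~ /^(INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING)$/ &&
            !(c in created)) { print "undefined chain " c ": " used[c]; n++ }
        exit n
    }' "${1:--}"
}
# Constructed sample (not the poster's file) mirroring the OUTPUT block above: 3 findings
constructed_sample() {
    cat <<'EOF'
iptables -F
iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j DROP
iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
iptables -A OUTPUT -j REJECT
EOF
}
# The same rules with the reply's corrections applied: 0 findings
constructed_sample_fixed() {
    cat <<'EOF'
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j DROP
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j REJECT
EOF
}
```

Run it as `constructed_sample | lint_iptables_script` or `lint_iptables_script /path/to/firewall.sh`; the exit status is the finding count, so it drops straight into a pre-deploy check.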
Awesome. Thanks for that.
I made those changes and tried again, but was still unable to connect.
I went back in to see if maybe I fat-fingered something with those changes and figured out what I did wrong.
A stupid noob mistake.
When I copied over the script, I forgot to change the spoofing line to the local IP for the machine I copied the other IP over to.
# Enable source address spoofing protection
iptables -A INPUT -i eth0 -s #.#.#.# -j DROP
Everything is working now.
Cheers!
Last edited by Medieval_Creations (2009-10-22 01:02:00)
When I copied over the script, I forgot to change the spoofing line to the local IP for the machine I copied the script over to.
That's the hard part about obscuring details -- we couldn't have picked that up.