
Thread: Help with iptables

  1. #1

    Help with iptables

    Hello,

    I apologize if I have the wrong forum here. I'm running openSUSE 13.2 (Harlequin) (x86_64) 64-bit and I'm worried that maybe someone has gotten into my system. Here's the output from iptables -L
    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere             ctstate RELATED
    input_ext  all  --  anywhere             anywhere            
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
    DROP       all  --  anywhere             anywhere            
    
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "
    
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    
    
    Chain forward_ext (0 references)
    target     prot opt source               destination         
    
    
    Chain input_ext (1 references)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
    ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    LOG        tcp  --  anywhere             anywhere             tcp dpt:51413 ctstate NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC "
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:51413
    LOG        udp  --  anywhere             anywhere             udp dpt:51413 ctstate NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC "
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:51413
    DROP       all  --  anywhere             anywhere             PKTTYPE = multicast
    DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
    LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
    LOG        icmp --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
    LOG        udp  --  anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
    DROP       all  --  anywhere             anywhere            
    
    
    Chain reject_func (0 references)
    target     prot opt source               destination         
    REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
    REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
    The first line worries me. I don't know a lot about iptables but isn't that allowing any connection from anywhere into my system? Doesn't it essentially nullify the rest of my firewall because it's the first rule in the list? Any help would be greatly appreciated. Thank you.

  2. #2

    Re: Help with iptables

    Quote Originally Posted by Spork_Schivago:
    ...Here's the output from iptables -L

    The first line worries me. I don't know a lot about iptables but isn't that allowing any connection from anywhere into my system?
    No, or at least, not necessarily. -L doesn't give you all the information that you need. Probably -S is closer to what you want, and probably there is something else in that line, like a source of 'lo', and, if that is the case, it is a whole lot less worrying.

  3. #3

    Re: Help with iptables

    Quote Originally Posted by Spork_Schivago:
    Doesn't it essentially nullify the rest of my firewall because it's the first rule in the list?
    input_ext handles your external network devices, essentially your internet connection.

    It defaults to dropping all packets.
    .: miuku #suse @ irc.freenode.net
    :: miuku@opensuse.org

    .: https://download.opensuse.org/repositories/home:/Miuku/

  4. #4

    Re: Help with iptables

    Thank you for clarifying guys. It had me worried but not so much anymore. This is the output from iptables -S:
    Code:
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -N forward_ext
    -N input_ext
    -N reject_func
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
    -A INPUT -j input_ext
    -A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
    -A INPUT -j DROP
    -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
    -A OUTPUT -o lo -j ACCEPT
    -A input_ext -m pkttype --pkt-type broadcast -j DROP
    -A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A input_ext -p tcp -m tcp --dport 51413 -m conntrack --ctstate NEW -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-ACC " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 51413 -j ACCEPT
    -A input_ext -p udp -m udp --dport 51413 -m conntrack --ctstate NEW -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-ACC " --log-tcp-options --log-ip-options
    -A input_ext -p udp -m udp --dport 51413 -j ACCEPT
    -A input_ext -m pkttype --pkt-type multicast -j DROP
    -A input_ext -m pkttype --pkt-type broadcast -j DROP
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -j DROP
    -A reject_func -p tcp -j REJECT --reject-with tcp-reset
    -A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
    -A reject_func -j REJECT --reject-with icmp-proto-unreachable
    I don't really understand what the difference is. According to iptables --help, -L lists the rules in a chain or all chains whereas -S prints the rules in a chain or all chains. I read that part of the man page and got a bit confused. I tried googling it to no avail.

    Just to make sure I fully understand this, from the iptables -S output, the default for incoming packets is to drop them. I don't really understand the forward part. Is that for if my NIC somehow gets a packet that it is supposed to be forwarding to another computer or something? The default for outgoing is to accept the packets and allow them to go out through the firewall... The -N means create a new chain. We create three new chains and then we add rules to two of the new chains and we add a few rules to the INPUT chain. With the first part of the iptables saying to drop the incoming, that's only if a rule isn't matched down below, right? Like that's the default behavior? One of those "if none of these rules match a packet, then drop it"?

    I wanted to know if there was a way to tell if my firewall is setup to make my ports appear stealthed or not. Thanks for the help. I really appreciate you taking the time out of your schedule to answer my questions! Thank you!!!
    Last edited by Spork_Schivago; 16-May-2015 at 12:57. Reason: typographical error

  5. #5

    Re: Help with iptables

    Quote Originally Posted by Spork_Schivago:
    Like that's the default behavior? One of those if none of these rules match a packet, then drop it?
    That is correct. It's the default chain - if no rules match, drop it like it's hot.

    Quote Originally Posted by Spork_Schivago:
    I wanted to know if there was a way to tell if my firewall is setup to make my ports appear stealthed or not. Thanks for the help. I really appreciate you taking the time out of your schedule to answer my questions! Thank you!!!
    There are several tools online to portscan your machine if you know your IP, for example: https://pentest-tools.com/discovery-...er-online-nmap

    You'll most likely get a "filtered" for all ports because they reject your connection.

  6. #6

    Re: Help with iptables

    Quote Originally Posted by Miuku:
    That is correct. It's the default chain - if no rules match, drop it like its hot.


    There are several tools online to portscan your machine if you know your IP, for example: https://pentest-tools.com/discovery-...er-online-nmap

    You'll most likely get a "filtered" for all ports because they reject your connection.
    These are the results I got from the link you sent. I replaced my IP address with xx.xx.xx.xx and I selected all the ports:
    Starting job... [2015-05-16 22:13:30] Stay on this page for results!

    Starting Nmap 6.00 ( http://nmap.org ) at 2015-05-17 01:13 EEST
    NSE: Loaded 17 scripts for scanning.
    Initiating Ping Scan at 01:13
    Scanning xx.xx.xx.xx [4 ports]
    Completed Ping Scan at 01:13, 1.33s elapsed (1 total hosts)

    Nmap scan report for xx.xx.xx.xx [host down]
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn

    Nmap done: 1 IP address (0 hosts up) scanned in 1.85 seconds
    Raw packets sent: 8 (304B) | Rcvd: 3 (156B)


    Job finished [2015-05-16 22:13:33]


  7. #7

    Re: Help with iptables

    In that case either your ISP already filters things or you have a hardware firewall (such as your DSL/Cable/Fibre device) that does it for you in addition to your software one.

    You should be just fine.

  8. #8

    Re: Help with iptables

    Just to have a look at your input chain, for a second (simplifying, to try to make things clearer, and I've numbered the rules, just for ease of reference):

    Code:
    1)     -P INPUT DROP
           -P FORWARD DROP
    2)     -A INPUT -i lo -j ACCEPT
    3)     -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    4)     -A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
    5)     -A INPUT -j input_ext
    6)     -A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
    7)     -A INPUT -j DROP
    1) sets up a policy for this chain: only inbuilt chains have policies, and a policy is what happens to a packet if it has got to the end of the chain, without being shunted off somewhere else for processing. An interesting side note is that this does the same thing as rule 7), and you don't actually need both.

    2) 'accepts' packets, but it only applies to packets from the 'loopback' interface; this does not apply to external packets that get thrown at your box.

    3) and 4) apply to packets from 'established' and 'related' connections; so these connections have already been checked and allowed and the packets are either directly from something already allowed or an offshoot of something already allowed.

    5) sends packets off to a custom chain called input_ext

    6) does some logging; it is rate limited, so you don't get the case where a lot of 'bad' packets crash the box because packets come too fast for the logging system to cope. I'm not sure, given the previous rule, that packets ever get here.

    7) duplicates the effect of the chain policy, so seems superfluous. There is a case that 'policies' that cause all packets to be dropped are a bit dangerous in situations where you've got a remote box that you rely on, eg, ssh for admin, and for which you manually fiddle around with the rules (because you can lock yourself out), but that doesn't really apply in this particular case. (This is, in a sense, the opposite of the uncomprehending advice that you find sprayed around the internet that only a policy of 'drop' is safe; people who say this haven't actually understood, but have repeated advice that they have seen elsewhere.)


    In any case, for all things iptables, the definitive work is available at frozentux.
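As an added example (not code from the thread or from SuSEfirewall2), here is a small Python evaluator over a constructed subset of the -S rules from post #4. It illustrates the point in #2 that -S shows the "-i lo" that -L hid on the first rule, and the walk-through in #8: a packet handed to input_ext never comes back to rules 6 and 7, because input_ext ends in its own DROP. The interface name eth0 and the sample packets are assumptions.

```python
import shlex

# Constructed subset of the -S output in post #4 (the -L view hides the "-i lo" on rule 2).
RULES = """
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET "
-A INPUT -j DROP
-A input_ext -p tcp -m tcp --dport 51413 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT "
-A input_ext -j DROP
""".strip().splitlines()
ARGC = {"-A": 1, "-P": 2, "-i": 1, "-p": 1, "-m": 1, "-j": 1, "--dport": 1,
        "--ctstate": 1, "--tcp-flags": 2, "--limit": 1, "--log-prefix": 1}
CHAINS, POLICY = {}, {}           # chain -> rule list; built-in chain -> policy
for line in RULES:
    toks, i, rule = shlex.split(line), 0, {}
    while i < len(toks):          # each option consumes ARGC[option] arguments
        n = ARGC[toks[i]]
        rule[toks[i]] = toks[i + 1] if n == 1 else toks[i + 1:i + 1 + n]
        i += 1 + n
    if "-P" in rule:
        POLICY[rule["-P"][0]] = rule["-P"][1]
    else:
        CHAINS.setdefault(rule["-A"], []).append(rule)

def matches(r, pkt):
    ok = all(str(pkt.get(k)) == r[o] for o, k in
             (("-i", "iface"), ("-p", "proto"), ("--dport", "dport"), ("--ctstate", "ctstate")) if o in r)
    if ok and "--tcp-flags" in r:  # "mask comp": the flags under mask must equal comp exactly
        mask, comp = (set(s.split(",")) for s in r["--tcp-flags"])
        ok = pkt.get("flags", set()) & mask == comp
    return ok

def evaluate(chain, pkt, trace):
    """Walk a chain top to bottom. LOG is non-terminating; None means a user chain fell off its end."""
    for n, r in enumerate(CHAINS.get(chain, []), 1):
        if not matches(r, pkt): continue
        tgt = r["-j"]
        trace.append(f"{chain}[{n}] -> {tgt}")
        if tgt in ("ACCEPT", "DROP"): return tgt
        if tgt in CHAINS:             # jump; we come back only if the user chain returns
            verdict = evaluate(tgt, pkt, trace)
            if verdict: return verdict
    return POLICY.get(chain)          # built-in chain: the policy decides; user chain: RETURN

def decide(pkt):
    trace = []
    return evaluate("INPUT", pkt, trace), trace
```

Run decide() on a loopback packet, an external SYN to port 51413 and an external SYN to any other port to see which rule made the decision; the trace for the last one ends inside input_ext, so INPUT rules 6 and 7 are never consulted.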

  9. #9

    Re: Help with iptables

    Quote Originally Posted by Obscurant:
    Just to have a look at your input chain, for a second (simplifying, to try to make things clearer, and I've numbered the rules, just for ease of reference):
    ...
    Thanks! I haven't really messed around with the tables at all. They just came that way. Thanks for the link. I have some stuff I need to get done today but I will definitely be reading it! For number four, doesn't that say let it through if it's related to something that's already allowed through, but only if it's an ICMP packet?

  10. #10

    Re: Help with iptables

    Quote Originally Posted by Miuku:
    In that case either your ISP already filters things or you have a hardware firewall (such as your DSL/Cable/Fibre device) that does it for you in addition to your software one.

    You should be just fine.
    We do have a router with a built-in firewall. It's nothing special or anything. Just a wireless N router. Perhaps that's stealthing the ports? We have cable but the cable modem doesn't have a firewall, unless Time Warner changed something from a few years back.
