
Re: Default Policy = DROP. Help-me



On 2007-10-24 Yuri Rodrigues wrote:
> I usually browse the Internet, get ssh servers for my network and get my 
> ssh server when I am in a remote location. But can not access servers 
> ssh from my server firewall. Somebody help me with that firewall?
[...]
> intranet="eth0"
> iptables="/sbin/iptables"
> internet="eth1"
> rede="192.168.121.0/24"
> 
> echo "-----------------======= Firewall =======------------------"
> echo "                    Por: Yuri Rodrigues      "
> echo "Monitoramento: [ /var/log/syslog ]                 "
> echo ""
> echo "Iniciando o script                                         "
> echo ""
> 
> # For monitoring, see the logs in
> # /var/log/syslog
> 
> #### Clearing rules ####
> $iptables -F
> $iptables -t nat -F
> $iptables -t mangle -F
[...]
> echo "1" > /proc/sys/net/ipv4/ip_forward
[...]
> $iptables -t filter -P INPUT DROP
> $iptables -t filter -P OUTPUT DROP
> $iptables -t filter -P FORWARD DROP

Ouch. *Never* flush the chains before setting the default policies.

Also *never* enable IP forwarding before setting the default policies.

> # nat table
> $iptables -t nat -P PREROUTING DROP
> $iptables -t nat -P OUTPUT DROP
> $iptables -t nat -P POSTROUTING DROP
> # mangle table
> $iptables -t mangle -P PREROUTING DROP
> $iptables -t mangle -P OUTPUT DROP
> $iptables -t mangle -P INPUT DROP
> $iptables -t mangle -P POSTROUTING DROP

It's usually safe to set the default policies in the nat and mangle
tables to ACCEPT (for filtering there's the filter table). Keep your
ruleset simple.


From your description it isn't too clear which SSH connections are not
working:

[...]
> #### SSH server LAN > Internet ####
> $iptables -t nat -A POSTROUTING -p tcp --dport 22 -o $internet -j MASQUERADE
> $iptables -A FORWARD -p tcp -i $internet --sport 22 -j ACCEPT
> $iptables -A FORWARD -p tcp -i $intranet --dport 22 -j ACCEPT

These rules allow outbound SSH from your LAN to the Internet. They also
allow inbound connections into your LAN from source port 22, which is
probably something you don't want to allow. You don't need that rule
anyway, because the SSH responses are already covered by the
ESTABLISHED,RELATED rule.

SSH LAN->Internet should work. Correct?

[...]
> #### ssh access Internet > Server ####
> $iptables -A INPUT -p tcp --dport 22 -i $internet -j ACCEPT
> $iptables -A OUTPUT -p tcp --sport 22 -o $internet -j ACCEPT

These rules allow inbound SSH connections from the Internet to your
firewall.

SSH Internet->Firewall should work. Correct?

> #### ssh access Server > Internet ####
> $iptables -A INPUT -p tcp --sport 22 -i $internet -j ACCEPT
> $iptables -A OUTPUT -p tcp --dport 22 -o $internet -j ACCEPT

These rules allow outbound SSH connections from your firewall to the
Internet. (Same problem as with the LAN rules above, BTW.)

SSH Firewall->Internet should work. Correct?

[...]
> #### SSH server Intranet ####
> $iptables -A INPUT -i $intranet -p tcp --dport 22 -j ACCEPT
> $iptables -A INPUT -i $intranet -p tcp --syn --dport 22 -j ACCEPT
> $iptables -A INPUT -i $intranet -p tcp --dport 22 -j LOG --log-prefix "SSH INTRA: "
> $iptables -A OUTPUT -o $intranet -d $rede -p tcp --sport 22 -j ACCEPT

These rules allow inbound SSH from your LAN to your Firewall.

SSH LAN->Firewall should work. Correct?

AFAICS you don't have rules allowing the following two SSH connections:

  Firewall->LAN
  Internet->LAN

These are not supposed to work, according to the ruleset.

Besides, your rules are way too complicated. Keep them simple.

----8<----
echo "0" > /proc/sys/net/ipv4/ip_forward

$iptables -t filter -P INPUT DROP
$iptables -t filter -P OUTPUT DROP
$iptables -t filter -P FORWARD DROP

$iptables -t nat -P PREROUTING ACCEPT
$iptables -t nat -P POSTROUTING ACCEPT

$iptables -t mangle -P PREROUTING ACCEPT
$iptables -t mangle -P POSTROUTING ACCEPT

$iptables -F
$iptables -t nat -F
$iptables -t mangle -F

echo "1" > /proc/sys/net/ipv4/ip_forward

$iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$iptables -A INPUT -i lo -j ACCEPT

# Allow SSH
$iptables -A FORWARD -p tcp -i $intranet --dport 22 -m state --state NEW -j ACCEPT
$iptables -A INPUT -p tcp --dport 22 -i $internet -m state --state NEW -j ACCEPT
$iptables -A INPUT -p tcp --dport 22 -i $intranet -m state --state NEW -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 22 -o $internet -m state --state NEW -j ACCEPT

# Just enable masquerading, the rest is already handled by the filter table.
$iptables -t nat -A POSTROUTING -j MASQUERADE
---->8----

Some side-notes:

> #### Protection against ping of death ####
> $iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
> echo "Protecao contra ping da morte ...................... [ OK ]"

This rule does not protect against a Ping-of-Death (which is an overly
large ICMP packet that crashes buggy TCP/IP stacks). If your host is
vulnerable to Ping-of-Death, a single packet is sufficient.

> #### Blocking fragmented packets ####
> $iptables -A INPUT -f -i $internet -j LOG --log-prefix "Fragmentos: "
> $iptables -A INPUT -f -i $internet -j DROP
> echo "Bloquando pacotes fragmentados ..................... [ OK ]"

You know that you're breaking IP here, don't you? At least REJECT the
fragments, so that the sender knows that the transmission failed.

> #### Protection against ping flood ####
> $iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
> echo "Protecao contra ping flood ......................... [ Ok ]"

A limit rule does not protect against ping floods. "ping flood" means
that the attacker is sending so many echo-requests that they consume
your entire bandwidth. There's exactly nothing you can do on your
firewall to protect you from that.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
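An ordering check for the mistake flagged in the reply above (chains flushed, or ip_forward enabled, before the filter table's default policies are DROP). This is an added example, not part of the list post; the two sample scripts are constructed to mirror the original ordering and the ordering the reply recommends.

```shell
#!/bin/sh
# Reads an iptables start-up script on stdin and fails (exit 1) if any chain
# flush (-F) or "echo 1 > .../ip_forward" appears before INPUT, OUTPUT and
# FORWARD in the filter table have all been set to DROP. Hypothetical helper.
check_fw_order() {
    awk '
    function ready() { return ("INPUT" in seen) && ("OUTPUT" in seen) && ("FORWARD" in seen) }
    /^[ \t]*#/ { next }                             # comment lines
    /-t[ \t]+(nat|mangle)/ && /-P[ \t]/ { next }    # nat/mangle policies do not count
    /-P[ \t]+(INPUT|OUTPUT|FORWARD)[ \t]+DROP/ {    # filter-table default policy
        for (i = 1; i <= NF; i++) if ($i == "-P") seen[$(i + 1)] = 1
        next
    }
    /iptables[^#]*-F([ \t]|$)/ && !ready() {
        problem = "chain flushed before all filter policies are DROP (line " NR ")"; exit
    }
    /echo[ \t]+"?1"?[ \t]*>.*ip_forward/ && !ready() {
        problem = "ip_forward enabled before filter policies are DROP (line " NR ")"; exit
    }
    END {
        if (problem != "") { print "FAIL: " problem; exit 1 }
        print "OK: default policies are set before any flush or forwarding"
    }'
}

# Constructed samples: the first mirrors the order in the original script
# (flush, forward, then policies), the second the order suggested in the reply.
BAD_SCRIPT='iptables=/sbin/iptables
$iptables -F
$iptables -t nat -F
echo "1" > /proc/sys/net/ipv4/ip_forward
$iptables -t filter -P INPUT DROP
$iptables -t filter -P OUTPUT DROP
$iptables -t filter -P FORWARD DROP'

GOOD_SCRIPT='iptables=/sbin/iptables
echo "0" > /proc/sys/net/ipv4/ip_forward
$iptables -t filter -P INPUT DROP
$iptables -t filter -P OUTPUT DROP
$iptables -t filter -P FORWARD DROP
$iptables -F
$iptables -t nat -F
echo "1" > /proc/sys/net/ipv4/ip_forward'

demo() {
    printf '%s\n' "$BAD_SCRIPT" | check_fw_order || true   # FAIL: ... (line 2)
    printf '%s\n' "$GOOD_SCRIPT" | check_fw_order          # OK: ...
}
demo
```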


