iptables rulebase question

Derpbian
Posts: 27
Joined: 2018-02-11 02:46

iptables rulebase question

#1 Post by Derpbian »

Hello,

I configured iptables according to this guide: https://wiki.debian.org/iptables. I just want to check if my rules for the specific sources in the INPUT chain are valid, i.e. I want to deny any source address outside of network 172.10.88.0 - 255.255.255.248 from reaching my Debian desktop on TCP ports 22, 3389 and 32400. My desktop has an address assigned by the DHCP server on the 172.10.88.0 - 255.255.255.248 network.

Code:

dave@hal9000:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             source IP range 172.10.88.1-172.10.88.6 tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             source IP range 172.10.88.1-172.10.88.6 tcp dpt:3389
ACCEPT     tcp  --  anywhere             anywhere             source IP range 172.10.88.1-172.10.88.6 tcp dpt:32400
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
dave@hal9000:~$ cat /etc/iptables.up.rules
# Generated by iptables-save v1.6.0 on Tue Mar 13 20:28:14 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m iprange --src-range 172.10.88.1-172.10.88.6 -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m iprange --src-range 172.10.88.1-172.10.88.6 -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m iprange --src-range 172.10.88.1-172.10.88.6 -m tcp --dport 32400 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Tue Mar 13 20:28:14 2018
I am not able to test this from another RFC 1918 network at the moment; I just want to check with you whether the syntax in the rulebase is correct, because the source/destination anywhere/anywhere columns in the sudo iptables -L output confuse me.

Thanks,

BR.

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: iptables rulebase question

#2 Post by p.H »

The output of "iptables -L" is incomplete and rather useless. Use the output of iptables-save instead. I guess this is what is in /etc/iptables.up.rules.

Note that you don't need to use the "iprange" match, you can use "-s 172.10.88.0/29" instead.
Also, you can use the "multiport" match instead of --dport to match the 3 ports in a single rule.

IIUC, you want to:
- drop incoming packets to ports 22,3389 and 32400 not from 172.10.88.0/255.255.255.248 (172.10.88.0/29)
- allow all other incoming packets to any port from any address.

However, your current ruleset does:
- allow incoming packets to ports 22,3389 and 32400 from 172.10.88.0/255.255.255.248
- drop all other incoming packets to any port from any address.

Not quite the same thing.

User avatar
Derpbian
Posts: 27
Joined: 2018-02-11 02:46

Re: iptables rulebase question

#3 Post by Derpbian »

p.H wrote:
However, your current ruleset does:
- allow incoming packets to ports 22,3389 and 32400 from 172.10.88.0/255.255.255.248
- drop all other incoming packets to any port from any address.

Not quite the same thing.
Thanks for your reply! Yes, I noticed that when I tried sudo apt-get update; guess the packets went to /dev/null. I need to do some more research on iptables. Yes, I want to deny from source any (except any host on 172.10.88.0/29) destination my host on 172.10.88.x:22,3389,32400. When I bring my laptop to work I don't want my co-workers to try to access my Plex server on 32400 or try to ssh to my laptop. I have denied root ssh access, but still. I just want packets from networks outside my "home net" to be able to reach those three services :)

xman1
Posts: 14
Joined: 2018-03-06 17:32

Re: iptables rulebase question

#4 Post by xman1 »

Might I suggest you install Gufw Firewall. It is a frontend for iptables and it is pretty self-explanatory.

User avatar
None1975
df -h | participant
Posts: 1389
Joined: 2015-11-29 18:23
Location: Russia, Kaliningrad
Has thanked: 45 times
Been thanked: 66 times

Re: iptables rulebase question

#5 Post by None1975 »

Just install The Uncomplicated Firewall (ufw). It is a frontend for iptables and is particularly well-suited for host-based firewalls. Ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall.
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github

User avatar
GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: iptables rulebase question

#6 Post by GarryRicketson »

There is also one called Easy Firewall Generator:
http://easyfwgen.morizot.net/
Or
http://etmg.altervista.org/tools/efg.php
