iptables rulebase question


Postby Derpbian » 2018-03-13 18:58

Hello,

I configured iptables according to this guide: https://wiki.debian.org/iptables. I just want to check whether my rules for the specific sources in the INPUT chain are valid, i.e. I want to deny any source address outside of network 172.10.88.0 - 255.255.255.248 from reaching my Debian desktop on TCP ports 22, 3389 and 32400. My desktop has an address assigned by the DHCP server on the 172.10.88.0 - 255.255.255.248 network.


Code:
dave@hal9000:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             source IP range 172.10.88.1-172.10.88.6 tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             source IP range 172.10.88.1-172.10.88.6 tcp dpt:3389
ACCEPT     tcp  --  anywhere             anywhere             source IP range 172.10.88.1-172.10.88.6 tcp dpt:32400
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
dave@hal9000:~$ cat /etc/iptables.up.rules
# Generated by iptables-save v1.6.0 on Tue Mar 13 20:28:14 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m iprange --src-range 172.10.88.1-172.10.88.6 -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m iprange --src-range 172.10.88.1-172.10.88.6 -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m iprange --src-range 172.10.88.1-172.10.88.6 -m tcp --dport 32400 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Tue Mar 13 20:28:14 2018


I am not able to test this from another RFC1918 network at the moment; I just want to check with you whether the syntax in the rulebase is correct, because the source/destination anywhere/anywhere columns in the sudo iptables -L output confuse me.

Thanks,

BR.
Derpbian
 
Posts: 27
Joined: 2018-02-11 02:46

Re: iptables rulebase question

Postby p.H » 2018-03-13 19:21

The output of "iptables -L" is incomplete and rather useless. Use the output of iptables-save instead. I guess this is what is in /etc/iptables.up.rules.

Note that you don't need to use the "iprange" match, you can use "-s 172.10.88.0/29" instead.
Also, you can use the "multiport" match instead of --dport to match the 3 ports in a single rule.

IIUC, you want to:
- drop incoming packets to ports 22, 3389 and 32400 not from 172.10.88.0/255.255.255.248 (172.10.88.0/29)
- allow all other incoming packets to any port from any address.

However, your current ruleset does:
- allow incoming packets to ports 22, 3389 and 32400 from 172.10.88.0/255.255.255.248
- drop all other incoming packets to any port from any address.

Not quite the same thing.
p.H
 
Posts: 402
Joined: 2017-09-17 07:12
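
A small model of the two INPUT chains p.H contrasts, added here as an example that is not part of the thread: it evaluates constructed TCP packets against the original rules and against rules written the way p.H suggests (-s with the /29, multiport, the three ports refused only from outside), without calling iptables. The home-network addresses, ports and rule text are the thread's; the outside source addresses 10.20.30.40 and 203.0.113.10 are made up.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("172.10.88.0/29")   # 172.10.88.0/255.255.255.248 in CIDR form
SERVICE_PORTS = (22, 3389, 32400)
Rule = namedtuple("Rule", "text match target")  # iptables-restore line, predicate(src, dport), target

def in_iprange(src):
    """--src-range 172.10.88.1-172.10.88.6: the /29 minus its network and broadcast addresses."""
    return ip_address("172.10.88.1") <= src <= ip_address("172.10.88.6")

# The thread's original INPUT chain: accept three ports from the range, log, then reject everything.
ORIGINAL = [
    Rule(f"-A INPUT -p tcp -m iprange --src-range 172.10.88.1-172.10.88.6 -m tcp --dport {port} -j ACCEPT",
         lambda src, dport, port=port: in_iprange(src) and dport == port, "ACCEPT")
    for port in SERVICE_PORTS
] + [
    Rule('-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7',
         lambda src, dport: True, "LOG"),
    Rule("-A INPUT -j REJECT --reject-with icmp-port-unreachable", lambda src, dport: True, "REJECT"),
]

# The intent p.H describes: refuse only the three ports when the source is outside the /29,
# let everything else fall through to the chain's ACCEPT policy. "!" negates the -s match.
CORRECTED = [
    Rule("-A INPUT ! -s 172.10.88.0/29 -p tcp -m multiport --dports 22,3389,32400 "
         '-m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7',
         lambda src, dport: src not in HOME_NET and dport in SERVICE_PORTS, "LOG"),
    Rule("-A INPUT ! -s 172.10.88.0/29 -p tcp -m multiport --dports 22,3389,32400 -j DROP",
         lambda src, dport: src not in HOME_NET and dport in SERVICE_PORTS, "DROP"),
]

def verdict(rules, src, dport, policy="ACCEPT"):
    """Walk the chain: the first matching terminating target wins; LOG is non-terminating."""
    src = ip_address(src)
    for rule in rules:
        if rule.match(src, dport) and rule.target != "LOG":
            return rule.target
    return policy  # nothing terminated the walk: the chain policy applies

def restore_text(rules):
    """Render the chain in the iptables-restore format used by /etc/iptables.up.rules."""
    return "\n".join(["*filter", ":INPUT ACCEPT [0:0]"] + [r.text for r in rules] + ["COMMIT"])

if __name__ == "__main__":
    # Constructed TCP packets, src -> this host:dport, printed with both chains' verdicts.
    for src, dport in [("172.10.88.3", 22), ("10.20.30.40", 32400), ("10.20.30.40", 80),
                       ("172.10.88.7", 22), ("203.0.113.10", 51234)]:
        print(f"{src}:{dport:<6} original={verdict(ORIGINAL, src, dport):<7} "
              f"corrected={verdict(CORRECTED, src, dport)}")
```

172.10.88.7 lies inside the /29 but outside the iprange match, the one place the two source matches differ, and 203.0.113.10:51234 stands for a reply packet to a connection this host opened, which the original chain rejects.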

Re: iptables rulebase question

Postby Derpbian » 2018-03-13 19:34

p.H wrote:However, your current ruleset does:
- allow incoming packets to ports 22, 3389 and 32400 from 172.10.88.0/255.255.255.248
- drop all other incoming packets to any port from any address.

Not quite the same thing.


Thanks for your reply! Yes, I noticed that when I tried sudo apt-get update; I guess the packets went to /dev/null. I need to do some more research on iptables. Yes, I want to deny from source any (except any host on 172.10.88.0/29) to destination my host on 172.10.88.x:22,3389,32400. When I bring my laptop to work I don't want my co-workers to try to access my Plex server on 32400 or try to ssh to my laptop. I have denied root ssh access, but still. I just want packets from networks outside my "home net" to be able to reach those three services :)
Derpbian
 
Posts: 27
Joined: 2018-02-11 02:46

Re: iptables rulebase question

Postby xman1 » 2018-03-21 00:51

Might I suggest you install Gufw Firewall. It is a frontend for iptables and it is pretty self-explanatory.
xman1
 
Posts: 9
Joined: 2018-03-06 17:32

Re: iptables rulebase question

Postby None1975 » 2018-03-21 15:02

Just install The Uncomplicated Firewall (ufw). It is a frontend for iptables and is particularly well-suited for host-based firewalls. Ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall.
None1975
 
Posts: 506
Joined: 2015-11-29 18:23
Location: Lithuania, Vilnius

Re: iptables rulebase question

Postby GarryRicketson » 2018-03-21 19:29

There is also one called Easy Firewall Generator:
http://easyfwgen.morizot.net/
or
http://etmg.altervista.org/tools/efg.php
GarryRicketson
 
Posts: 4872
Joined: 2015-01-20 22:16
Location: Durango, Mexico

