I'm able to run a simple test script ok, but it doesn't seem to apply any of my rules after the initial default policy is set. Meaning, even if I have my policy set to DROP, but allow a connection to SSH after that, it won't let me connect to SSH. I've also tried allowing PING and other services, but it still blocks everything. Connection tracking is working fine as far as I can tell.

For a little background, I run the script as rc.firewall, with Red Hat 7.2. All I'm trying to do at the moment is experiment with denying and allowing access to ports on the Linux box from a local LAN. (ex: I want my SSH client on my Windows system to be able to connect to the SSH server on the firewall. If I set an ACCEPT all policy, I am able to. With the DROP all, and SSH ports ACCEPTED, I am unable to.)

Here's my test script.
#!/bin/bash
CONNECTION_TRACKING="1"
ACCEPT_AUTH="0"
SSH_SERVER="1"
FTP_SERVER="0"
WEB_SERVER="0"
SSL_SERVER="0"
DHCP_CLIENT="1"

INNIC="eth0"                 # Inbound NIC
OUTNIC="eth1"                # Outbound NIC
INIP="192.168.32.3"          # Inbound IP
OUTIP="192.168.32.4"         # Outbound IP
SUB="192.168.32.0/24"        # Not important at the moment
BROD_LAN="192.168.32.255"    # Not important at the moment
LOOP="127.0.0.0/8"           # Loopback
PRIVPORTS="0:1023"           # Privileged ports
UNPRIVPORTS="1024:65535"     # Unprivileged port range
SSH_PORTS="1024:65535"
NFS_PORT="2049"
LOCKD_PORT="4045"
SOCKS_PORT="1080"
OPENWINDOWS_PORT="2000"
XWINDOW_PORTS="6000:6063"
SQUID_PORT="3128"

##########################################
# Remove any existing rules from all chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set the default policy to drop
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

# Remove any pre-existing user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

###############################################################
# Using Connection State to By-pass Rule Checking
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state INVALID -j LOG \
        --log-prefix "INVALID input: "
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state INVALID -j LOG \
        --log-prefix "INVALID output: "
    iptables -A OUTPUT -m state --state INVALID -j DROP
fi

###############################################################
# ssh (TCP Port 22)
# Outgoing Local Client Requests to Remote Servers
# (I've tried replacing $SSH_PORTS with just 22 prior to this)
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o $INNIC -p tcp \
        -s $INIP --sport $SSH_PORTS \
        --dport 22 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o $INNIC -p tcp \
    -s $INIP --sport $SSH_PORTS \
    --dport 22 -j ACCEPT
iptables -A INPUT -i $INNIC -p tcp ! --syn \
    --source-port $SSH_PORTS \
    -d $INIP --dport 22 -j ACCEPT

#...............................................................
# Incoming Remote Client Requests to Local Servers
if [ "$SSH_SERVER" = "1" ]; then
    if [ "$CONNECTION_TRACKING" = "1" ]; then
        iptables -A INPUT -i $INNIC -p tcp \
            --sport $SSH_PORTS \
            -d $INIP --dport 22 \
            -m state --state NEW -j ACCEPT
    fi
    iptables -A INPUT -i $INNIC -p tcp \
        --sport $SSH_PORTS \
        -d $INIP --dport 22 -j ACCEPT
    iptables -A OUTPUT -o $INNIC -p tcp ! --syn \
        -s $INIP --sport $SSH_PORTS \
        --dport 22 -j ACCEPT
fi
##########################################
exit 0
I read some things about a config file in the /etc/sysconfig directory that iptables is supposed to use, and commands like iptables-save and iptables-restore. There are so many different explanations on this, and it's very confusing. Running the rc.firewall script does the same thing as the iptables default file as far as I can tell. When I put iptables-save > /etc/sysconfig/iptables at the end of the rc.firewall, it didn't help or hinder the situation.

Please advise.

Thanks,
Mark
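Two things in the posted script are worth checking against a corrected version. First, the non-conntrack reply rules (the ones with `! --syn`) put port 22 on the wrong side: for a server, replies leave with source port 22 and go to the client's unprivileged port, and for a client, replies arrive from source port 22 to our unprivileged port; the script has both reversed (with `CONNECTION_TRACKING=1` the ESTABLISHED,RELATED rule hides this, because the reply rules are never reached). Second, every ssh rule matches only `$INNIC` and `$INIP`; a connection arriving on the other interface or addressed to the other IP never matches any rule and falls straight through to the DROP policy, silently. The script below is an added example, not the poster's script or a Red Hat file: it rewrites the ssh section with the reply ports corrected and appends a rate-limited LOG rule at the end of INPUT and OUTPUT so anything about to be dropped is written to the kernel log. `IPT` defaults to `echo iptables`, so running it as a normal user only prints the rules (a dry run); set `IPT=iptables` as root to load them. The interface, address and port values are placeholders mirroring the post.

```shell
#!/bin/sh
# Added example (not the poster's script). Prints the rules by default;
# run as root with IPT=iptables to load them for real.
IPT="${IPT:-echo iptables}"
INNIC="${INNIC:-eth0}"                 # placeholder, as in the post
INIP="${INIP:-192.168.32.3}"           # placeholder, as in the post
UNPRIVPORTS="1024:65535"
CONNECTION_TRACKING="${CONNECTION_TRACKING:-1}"
SSH_SERVER="${SSH_SERVER:-1}"

# Stateful shortcut: replies to any accepted connection, in either direction,
# match here before any service-specific rule is consulted.
state_rules() {
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# sshd on this host: a client sends from an unprivileged port to our port 22,
# and our replies go from port 22 back to that unprivileged port.
ssh_server_rules() {
    if [ "$CONNECTION_TRACKING" = "1" ]; then
        $IPT -A INPUT -i "$INNIC" -p tcp --sport "$UNPRIVPORTS" \
            -d "$INIP" --dport 22 -m state --state NEW -j ACCEPT
        # Replies are covered by the ESTABLISHED rule in OUTPUT.
    else
        $IPT -A INPUT -i "$INNIC" -p tcp --sport "$UNPRIVPORTS" \
            -d "$INIP" --dport 22 -j ACCEPT
        # Reply direction: source port is 22, destination is the client's port.
        $IPT -A OUTPUT -o "$INNIC" -p tcp ! --syn \
            -s "$INIP" --sport 22 --dport "$UNPRIVPORTS" -j ACCEPT
    fi
}

# ssh client on this host: we send from an unprivileged port to a remote
# port 22; the remote replies from port 22 to our unprivileged port.
ssh_client_rules() {
    if [ "$CONNECTION_TRACKING" = "1" ]; then
        $IPT -A OUTPUT -o "$INNIC" -p tcp -s "$INIP" --sport "$UNPRIVPORTS" \
            --dport 22 -m state --state NEW -j ACCEPT
    else
        $IPT -A OUTPUT -o "$INNIC" -p tcp -s "$INIP" --sport "$UNPRIVPORTS" \
            --dport 22 -j ACCEPT
        # Reply direction: from the remote's port 22 to our unprivileged port.
        $IPT -A INPUT -i "$INNIC" -p tcp ! --syn \
            --sport 22 -d "$INIP" --dport "$UNPRIVPORTS" -j ACCEPT
    fi
}

# Last rule in each chain: log (rate-limited) whatever the DROP policy is
# about to discard, so a wrong interface or address shows up in the log.
log_dropped() {
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT drop: "
}

# Emit (or load) the rule set in order; the LOG rules must come last.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    state_rules
fi
ssh_client_rules
if [ "$SSH_SERVER" = "1" ]; then
    ssh_server_rules
fi
log_dropped
```

After loading, `iptables -L INPUT -n -v --line-numbers` shows per-rule packet counters, so a connection attempt that increments the LOG rule's counter instead of the port-22 ACCEPT rule's counter tells you the packet did not match the interface, address or port the rule expects; the logged line in /var/log/messages carries the actual IN= interface and DST= address, which is the first thing to compare against `$INNIC` and `$INIP`.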