IMHO, your rules are more complicated than they need to be.  You aren't
gaining anything by adding unneeded complexity...just makes things harder to
troubleshoot.

First of all, don't change where you set your default policies. Right at the
beginning is fine.

> CONNECTION_TRACKING="1"
> ACCEPT_AUTH="0"
> SSH_SERVER="1"
> FTP_SERVER="0"
> WEB_SERVER="0"
> SSL_SERVER="0"
> DHCP_CLIENT="1"
Wouldn't it be easier and more secure just to shut down services if you
don't want people connecting to them?

> PRIVPORTS="0:1023" # Privileged ports
> UNPRIVPORTS="1024:65535" # unprivileged port range
Don't worry about which source high ports are being used. If someone is
doing something Evil, I don't see how forcing them to use a source port
above 1023 is going to make a difference.

> INNIC="eth0" #Inbound NIC
> OUTNIC="eth1" #Outbound NIC
> INIP="192.168.32.3" #Inbound IP
> OUTIP="192.168.32.4" #Outbound IP
It's a matter of semantics, but wouldn't it be more clear to use external
and internal here? I'm clearly misunderstanding what you're doing though
since you don't even use OUTNIC or OUTIP in your script.

> if [ "$CONNECTION_TRACKING" = "1" ]; then
>     iptables -A INPUT  -m state --state ESTABLISHED,RELATED
Is there some scenario where you will be turning off connection tracking? If
not, get rid of this stuff. More unneeded complexity IMHO. You could make
your script a whole lot easier to read.  And, judging by some of the
variables you have declared....it's only going to get worse:)

> iptables -A OUTPUT -o $INNIC -p tcp ! --syn \
> -s $INIP --sport $SSH_PORTS \
> --dport 22 -j ACCEPT
Anyway, I think this is your problem. Assuming you are trying to allow
reply traffic from the SSH server....
The --sport for reply traffic should be 22 and the --dport should be
$SSH_PORTS.

Good luck,
Matt
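The fix Matt describes, shown side by side with the rule as it stood, plus the simpler state-tracked layout he argues for. This is an added example, not code from Matt's reply or from Mark's script; it assumes the LAN interface is eth0 (Mark's INNIC) and reuses the 192.168.32.3 address from the thread. By default IPT expands to `echo iptables`, so the functions print the rules instead of applying them; set IPT=iptables and run as root to apply them for real.

```shell
#!/bin/sh
# Added example, not code from Matt's reply or Mark's script.
# Dry run by default: IPT expands to "echo iptables", so the rules are
# printed rather than applied. Run with IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"

LAN_NIC="eth0"           # assumed: the LAN-facing interface (Mark's INNIC)
LAN_IP="192.168.32.3"    # the firewall's LAN address from the thread

# The reply rule as it appears in the original script. The ports are
# reversed: packets the SSH daemon sends leave FROM port 22, so a rule
# that requires --dport 22 never matches them.
ssh_reply_rule_wrong() {
    $IPT -A OUTPUT -o "$LAN_NIC" -p tcp ! --syn -s "$LAN_IP" \
        --sport 1024:65535 --dport 22 -j ACCEPT
}

# The same rule with --sport and --dport the right way round, as the
# reply suggests: source port 22, destination the client's ephemeral port.
ssh_reply_rule_fixed() {
    $IPT -A OUTPUT -o "$LAN_NIC" -p tcp ! --syn -s "$LAN_IP" \
        --sport 22 --dport 1024:65535 -j ACCEPT
}

# The simpler shape the reply argues for: default policies first, one
# ESTABLISHED,RELATED rule per chain, then one NEW rule per service you
# actually run. The client's source port is not filtered at all, and no
# explicit reply rule is needed because state matching covers replies.
build_ruleset() {
    $IPT --flush
    $IPT --policy INPUT DROP
    $IPT --policy OUTPUT DROP
    $IPT --policy FORWARD DROP

    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -m state --state INVALID -j DROP

    # Incoming SSH from the LAN: only the first packet needs a rule.
    $IPT -A INPUT -i "$LAN_NIC" -p tcp -d "$LAN_IP" --dport 22 \
        -m state --state NEW -j ACCEPT
}

# Count how many rules a function emits (meaningful in dry-run mode only).
rule_count() {
    "$1" | grep -c '^iptables'
}
```

Running `build_ruleset` in dry-run mode prints the ten rules in the order they would be applied, which is a cheap way to review a ruleset before loading it on the box you are SSHed into.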

----- Original Message -----
From: "Mark Feijo" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, March 31, 2002 11:43 PM
Subject: Script problems


> I'm able to run a simple test script ok, but it doesn't seem to apply
> any of my rules after the initial default policy is set. Meaning, even
> if I have my policy set to DROP but allow a connection to SSH after
> that, it won't let me connect to SSH.  I've also tried allowing PING and
> other services, but it still blocks everything.  Connection Tracking is
> working fine as far as I can tell.
>
> For a little background, I run the script as rc.firewall, with Red Hat
> 7.2.  All I'm trying to do at the moment is experiment with denying and
> allowing access to ports on the Linux box from a local LAN.  (ex: I want
> my SSH client on my Windows system to be able to connect to the SSH
> server on the firewall.  If I set an ACCEPT all policy, I am able to.
> With the DROP all, and SSH ports ACCEPTED, I am unable to.)
>
> Here's my test script.
>
>
> #!/bin/bash
>
> CONNECTION_TRACKING="1"
> ACCEPT_AUTH="0"
> SSH_SERVER="1"
> FTP_SERVER="0"
> WEB_SERVER="0"
> SSL_SERVER="0"
> DHCP_CLIENT="1"
>
> INNIC="eth0" #Inbound NIC
> OUTNIC="eth1" #Outbound NIC
> INIP="192.168.32.3" #Inbound IP
> OUTIP="192.168.32.4" #Outbound IP
> SUB="192.168.32.0/24" #Not important at the moment
> BROD_LAN="192.168.32.255" # Not important at the moment
> LOOP="127.0.0.0/8" #Loopback
>
> PRIVPORTS="0:1023" # Privileged ports
> UNPRIVPORTS="1024:65535" # unprivileged port range
>
> SSH_PORTS="1024:65535"
>
> NFS_PORT="2049"
> LOCKD_PORT="4045"
> SOCKS_PORT="1080"
> OPENWINDOWS_PORT="2000"
> XWINDOW_PORTS="6000:6063"
> SQUID_PORT="3128"
>
> ##########################################
> # Remove any existing rules from all chains
> iptables --flush
> iptables -t nat --flush
> iptables -t mangle --flush
>
> # Unlimited traffic on the loopback interface
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # Set the default policy to drop
> iptables --policy INPUT DROP
> iptables --policy OUTPUT DROP
> iptables --policy FORWARD DROP
>
> # Remove any pre-existing user-defined chains
> iptables --delete-chain
> iptables -t nat --delete-chain
> iptables -t mangle --delete-chain
>
> ###############################################################
> # Using Connection State to By-pass Rule Checking
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
>     iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
>     iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>     iptables -A INPUT -m state --state INVALID -j LOG \
>              --log-prefix "INVALID input: "
>     iptables -A INPUT -m state --state INVALID -j DROP
>
>     iptables -A OUTPUT -m state --state INVALID -j LOG \
>              --log-prefix "INVALID output: "
>     iptables -A OUTPUT -m state --state INVALID -j DROP
> fi
>
> ###############################################################
> # ssh (TCP Port 22)
>
> # Outgoing Local Client Requests to Remote Servers (I've tried replacing
> # $SSH_PORTS with just 22 prior to this)
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A OUTPUT -o $INNIC -p tcp \
> -s $INIP --sport $SSH_PORTS \
> --dport 22 -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o $INNIC -p tcp \
> -s $INIP --sport $SSH_PORTS \
> --dport 22 -j ACCEPT
>
> iptables -A INPUT -i $INNIC -p tcp ! --syn \
> --source-port $SSH_PORTS \
> -d $INIP --dport 22 -j ACCEPT
>
> #...............................................................
> # Incoming Remote Client Requests to Local Servers
>
> if [ "$SSH_SERVER" = "1" ]; then
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A INPUT -i $INNIC -p tcp \
> --sport $SSH_PORTS \
> -d $INIP --dport 22 \
> -m state --state NEW -j ACCEPT
> fi
>
> iptables -A INPUT -i $INNIC -p tcp \
> --sport $SSH_PORTS \
> -d $INIP --dport 22 -j ACCEPT
>
> iptables -A OUTPUT -o $INNIC -p tcp ! --syn \
> -s $INIP --sport $SSH_PORTS \
> --dport 22 -j ACCEPT
> fi
>
> ##########################################
>
> exit 0
>
>
> I read some things about a config file in the /etc/sysconfig directory
> that IPTABLES is supposed to use. And commands like IPTABLES-SAVE and
> IPTABLES-RESTORE. There's so many different explanations on this, and
> it's very confusing.  Running the rc.firewall script does the same thing
> as the IPTABLES default file as far as I can tell.  When I put
> IPTABLES-SAVE > /etc/sysconfig/iptables at the end of the rc.firewall,
> it didn't help or hinder the situation.
>
> Please advise.
>
> Thanks,
>
> Mark
>