[lug] Redhat doesn't support users that compile their own kernels.

Rob Nagler nagler at bivio.net
Fri Nov 2 19:18:12 MST 2001


> iptables, and have not had time to learn as yet, I simply ensure that
> the init script only loads ipchains.

I don't quite understand the issue.  You can't run, say, qpopper and
ipop3d simultaneously.  They share the same unique interface (port
110).  This is the same issue with ipchains and iptables.  While it
might be possible to build a knowledge base defining all the possible
resource conflicts, this isn't the "linux way" if you will.  DEC had
such a system for configuring VAX hardware.  It was pretty cool, but
which would you rather be using, Ultrix or Linux? ;-)

Anyway, I recently switched from ipchains to iptables with:

chkconfig --del ipchains
chkconfig --add iptables
reboot

I don't think it's all that complicated.  I feel obligated to the boot
configuration anyway, and rebooting is easier than playing rmmod/lsmod
games.

If you are switching to iptables, here are a couple of problems I ran
into.

The --log-prefix is stored correctly by iptables-save, but
iptables-restore doesn't parse quoted strings.  This is on RH 7.1,
iptables v1.2.1a.  It's probably been fixed in a newer version.

Another problem is that /etc/rc.d/init.d/iptables doesn't load the
right modules.  You have to load them yourself.

So I ended up creating /etc/sysconfig/iptables.sh which does all the
work.  It's easier to debug than save/restore, because it is
repeatable.  I've attached the patch to /etc/rc.d/init.d/iptables.

The last "attachment" is my iptables script.  I cobbled together
various ideas from around the net.  Your comments are welcome.
[eth0 is the Internet (1.2.3.4).  eth1 is inside (192.168.1.1).]

Thanks,
Rob

----------------------------------------------------------------
*** /etc/rc.d/init.d/iptables	Wed Mar 21 23:27:45 2001
--- iptables	Fri Nov  2 19:04:37 2001
***************
*** 58,64 ****
              for i in $chains; do iptables -t $i -Z; done
  
  	    echo $"Applying iptables firewall rules: "
! 		grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /sbin/iptables-restore -c && \
  		    success $"Applying iptables firewall rules" || \
  		    failure $"Applying iptables firewall rules"
  	    echo
--- 58,64 ----
              for i in $chains; do iptables -t $i -Z; done
  
  	    echo $"Applying iptables firewall rules: "
! 		bash /etc/sysconfig/iptables.sh && \
  		    success $"Applying iptables firewall rules" || \
  		    failure $"Applying iptables firewall rules"
  	    echo
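Review bot: the replaced line hard-codes /etc/sysconfig/iptables.sh, whereas the original read the rule file from $IPTABLES_CONFIG; the rest of this init script still uses that variable (the save path in particular), so "start" and "save" now refer to different files. Consider pointing $IPTABLES_CONFIG at the script and running `bash "$IPTABLES_CONFIG"`, or at least documenting in the script header that save/restore no longer round-trips. Also worth noting for whoever reads the `failure` message: the called script sets all three policies to DROP before it adds rules and runs under `set -e`, so a single failing rule leaves the host fail-closed with a partial rule set, and the `-c` (restore counters) behaviour of the old pipeline is gone.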
----------------------------------------------------------------
#!/bin/bash
#
# iptables initialization
#
# set -x
set -e
#
# SERVICES
#
TCP_SERVICES=ssh,ftp,http,https

#
# MODULES
#
modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe iptable_filter
modprobe iptable_mangle
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_state

#
# FUNCTIONS
#

# stop_and_log chain rule jump prefix
#
# Log the rule on chain with prefix and rewrite rule if jump is not
# empty.
#
function stop_and_log {
    # $2 is deliberately left unquoted so the match string word-splits
    # into separate iptables arguments; an empty $2 matches everything.
    iptables -A $1 $2 -m limit --limit 2/m --limit-burst 1 -j LOG \
        --log-prefix "$1 $4: "
    if [ "x$3" != x ]; then
        iptables -A $1 $2 -j $3
    fi
}

# basic_filter chain accept_interfaces
#
# accept_interfaces are not filtered.  On the rest of the interfaces,
# allow established,related and drop invalid.
#
function basic_filter {
    typeset chain=$1
    shift
    typeset dir=$1
    shift
    typeset ifc
    for ifc in "$@"; do
        iptables -A $chain $dir $ifc -j ACCEPT
    done

    # Basic protection
    iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
    stop_and_log $chain '-m state --state INVALID' DROP 'invalid'
}

#
# FLUSH
#
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X

#
# POLICY: DROP
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#
# SNAT
#
# Make everything going out eth0 look like it is going out correct IP addr
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

#
# DNAT
#
# Make incoming port 80 map to 192.168.1.1 (testing for now)
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
#	-j DNAT --to 192.168.1.1

#
# INPUT (destined for this box)
#
# lo & eth1 are safe interfaces.  We accept anything from them.  Our
# servers are secure.
basic_filter INPUT -i lo eth1

# Allow incoming protocols: ssh, pop3, smtp, auth
# We don't run identd, but we'll return connection refused on "auth".
# Better than dropping packets.
iptables -A INPUT -m state --state NEW -p tcp -m multiport \
    --destination-port ssh,pop3,pop3s,smtp,auth -j ACCEPT

# LOG port scans
stop_and_log INPUT \
    '-p tcp --tcp-flags SYN,ACK,RST ACK -m state --state NEW' \
    'REJECT --reject-with tcp-reset' \
    'ACK scan'

# We'll see this with incoming trace route
stop_and_log INPUT \
    '-p tcp ! --syn -m state --state NEW' \
    DROP \
    'scan'
stop_and_log INPUT \
    '-p tcp --tcp-option 64' \
    DROP \
    'tcpopt 64'
stop_and_log INPUT \
    '-p tcp --tcp-option 128' \
    DROP \
    'tcpopt 128'
# Ignore route packets
iptables -A INPUT -p udp --dport route -j DROP

stop_and_log INPUT '' '' default

#
# OUTPUT (locally generated packets)
#
# Allow anything from this box out to eth1 and lo.  Our servers are friendly.
basic_filter OUTPUT -o lo eth1

# Outgoing UDP
iptables -A OUTPUT -o eth0 -p udp -m multiport \
    --destination-port domain,ntp -j ACCEPT
# traceroute uses lots of different ports
iptables -A OUTPUT -o eth0 -p udp \
    --destination-port 33435:33500 -j ACCEPT
# Outgoing TCP
iptables -A OUTPUT -o eth0 -p tcp -m multiport \
    --destination-port $TCP_SERVICES,ntp,smtp,auth -j ACCEPT

# Outgoing ICMP
iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT

# log unwanted attempts, not flooding the logfile
stop_and_log OUTPUT '' '' default

#
# FORWARD (passing through box)
#
basic_filter FORWARD -i lo

# Outgoing TCP
iptables -A FORWARD -i eth1 -p tcp -m multiport \
    --destination-port $TCP_SERVICES -j ACCEPT

# Outgoing TCP on invalid ports, we reject
stop_and_log FORWARD \
    '-i eth1' \
    'REJECT --reject-with icmp-proto-unreachable' \
    'internal proto'

# Outgoing ICMP
iptables -A FORWARD -i ! eth0 -p icmp -j ACCEPT

# log unwanted attempts, not flooding the logfile
stop_and_log FORWARD '' '' default

exit 0
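The script above logs every blocked packet with the prefix "<chain> <label>: " before the kernel's IN=/OUT=/SRC=/DST=/DPT= fields. As an added example, not part of Rob's post, here is a small Python parser for those syslog lines that counts how often each stop_and_log rule fired and flags external sources that touched several closed ports; the sample log lines are constructed, and the field layout is assumed to match the default LOG target output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not real traffic) in the layout the kernel
# LOG target emits for the script's stop_and_log rules: "<chain> <label>: "
# followed by IN=/OUT=/SRC=/DST=/PROTO=/SPT=/DPT= fields.
SAMPLE_LOG = """\
Nov  2 19:04:37 gw kernel: INPUT default: IN=eth0 OUT= SRC=10.9.8.7 DST=1.2.3.4 LEN=44 TTL=50 PROTO=TCP SPT=40001 DPT=23 SYN
Nov  2 19:04:38 gw kernel: INPUT default: IN=eth0 OUT= SRC=10.9.8.7 DST=1.2.3.4 LEN=44 TTL=50 PROTO=TCP SPT=40002 DPT=139 SYN
Nov  2 19:04:38 gw kernel: INPUT default: IN=eth0 OUT= SRC=10.9.8.7 DST=1.2.3.4 LEN=44 TTL=50 PROTO=TCP SPT=40003 DPT=3389 SYN
Nov  2 19:05:01 gw kernel: INPUT ACK scan: IN=eth0 OUT= SRC=10.9.8.7 DST=1.2.3.4 LEN=40 TTL=50 PROTO=TCP SPT=40004 DPT=22 ACK
Nov  2 19:06:10 gw kernel: FORWARD internal proto: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 TTL=63 PROTO=TCP SPT=1025 DPT=6667 SYN
Nov  2 19:07:00 gw kernel: OUTPUT default: IN= OUT=eth0 SRC=1.2.3.4 DST=203.0.113.53 LEN=76 TTL=64 PROTO=UDP SPT=1234 DPT=161
Nov  2 19:07:05 gw sshd[123]: Accepted publickey for rob from 192.168.1.20
"""

LOG_RE = re.compile(r"kernel: (?P<chain>INPUT|OUTPUT|FORWARD) (?P<label>[^:]+): (?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return one LOG event as a dict, or None for unrelated syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = {"chain": m.group("chain"), "label": m.group("label")}
    ev.update(FIELD_RE.findall(m.group("rest")))  # IN, OUT, SRC, DST, PROTO, SPT, DPT ...
    return ev

def parse_log(text):
    return [ev for ev in map(parse_log_line, text.splitlines()) if ev]

def count_by_rule(events):
    """Times each (chain, label) rule logged.  stop_and_log limits LOG to 2/min
    per rule, so these are lower bounds on what was actually dropped."""
    return Counter((ev["chain"], ev["label"]) for ev in events)

def port_sweeps(events, min_ports=3):
    """Sources whose logged INPUT packets hit at least min_ports distinct ports."""
    ports = defaultdict(set)
    for ev in events:
        if ev["chain"] == "INPUT" and ev.get("DPT"):
            ports[ev["SRC"]].add(int(ev["DPT"]))
    return sorted((src, sorted(p)) for src, p in ports.items() if len(p) >= min_ports)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (chain, label), n in sorted(count_by_rule(evs).items()):
        print("%-8s %-16s %d" % (chain, label, n))
    for src, p in port_sweeps(evs):
        print("possible sweep from %s: ports %s" % (src, p))
```

Because of the `--limit 2/m --limit-burst 1` on every LOG rule, a real scan shows up as a trickle of lines rather than one per probe, so treat the counts as "this rule fired" rather than as packet totals.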