#31  
Old 30th April 2008, 08:21
daveb daveb is offline
Senior Member
 
Join Date: Dec 2006
Location: St Louis Mo
Posts: 272
Thanks: 43
Thanked 41 Times in 37 Posts

Yea, I believe I had to create the dir firewall.d and the file post-rule-setup.sh, added my rules, restarted Bastille with /etc/init.d/bastille_firewall restart, and you can check your rules with iptables -L
  #32  
Old 30th April 2008, 08:42
tal56 tal56 is offline
Member
 
Join Date: Oct 2007
Posts: 91
Thanks: 11
Thanked 2 Times in 2 Posts

Quote:
Originally Posted by daveb
Yea, I believe I had to create the dir firewall.d and the file post-rule-setup.sh, added my rules, restarted Bastille with /etc/init.d/bastille_firewall restart, and you can check your rules with iptables -L
That sounds like exactly what I'm looking for. I'll give it a try as well and see if it helps reduce the hack attempts. I'll also post back later and let everyone know if I had to redo the rules after an upgrade, as I'll be upgrading soon.
  #33  
Old 8th May 2008, 02:47
tal56 tal56 is offline
Member
 
Join Date: Oct 2007
Posts: 91
Thanks: 11
Thanked 2 Times in 2 Posts

Daveb,

I've added the lines to my firewall as you explained; however, I'm not certain it's working, as I tried connecting to SSH through PuTTY several times with the wrong password and it keeps letting me try. The only thing I've changed is the ETH in your line to "ETH0" for my network card.

Here is my iptables -L output. Can you let me know if it looks OK, and how I can test this? Thanks

Quote:
[root@server3 post-rule-setup.sh]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere 127.0.0.0/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: SET name: SSH side: source
DROP tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: SSH side: source

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere

Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain PAROLE (9 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain PUB_IN (4 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:http
PAROLE tcp -- anywhere anywhere tcp dpt:hosts2-ns
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:ndmp
ACCEPT udp -- anywhere anywhere udp dpt:domain
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain PUB_OUT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
  #34  
Old 9th June 2008, 01:50
chillifire chillifire is offline
HowtoForge Supporter
 
Join Date: Oct 2007
Posts: 75
Thanks: 3
Thanked 3 Times in 3 Posts
New iptables rules don't seem to be recognised by Bastille

I tried to add the following two rules

Code:
/sbin/iptables -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
/sbin/iptables -t nat -A OUTPUT -p tcp -d a.b.c.d --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
based on advice received from this post: http://www.howtoforge.com/forums/showthread.php?t=23889&goto=newpost
(The purpose is to relay an HTTP request from any external workstation via an OpenVPN server to an OpenVPN client which has no public IP address.) a.b.c.d is obviously replaced with my public IP address on my system.

Now, I added a file pre-chain-split.sh to a new directory firewall.d under /etc/Bastille as described in this post. The restart runs through just fine:
Code:
root@blackbird:/etc/Bastille/firewall.d# /etc/init.d/bastille-firewall restart
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
but no iptables rule seems to be appended. The output of iptables -L -v (as shown below) is exactly as before, and a PREROUTING chain is not even mentioned.

I deliberately put an error into pre-chain-split.sh to check whether it is even run. And yes, I get an error message if I build an error into the file, so we know it is executed fine.

Any idea anyone why this might not be working for me?

Cheers

chillifire


Appendix: Output of iptables -L -v
Code:
root@blackbird:/etc/Bastille/firewall.d# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  !lo    any     anywhere             127.0.0.0/8
 1505  160K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
   37  1924 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 DROP       all  --  any    any     BASE-ADDRESS.MCAST.NET/4  anywhere
   19  1046 PUB_IN     all  --  eth+   any     anywhere             anywhere
    0     0 PUB_IN     all  --  ppp+   any     anywhere             anywhere
    0     0 PUB_IN     all  --  slip+  any     anywhere             anywhere
    0     0 PUB_IN     all  --  venet+ any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 278 packets, 24730 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2361  474K PUB_OUT    all  --  any    eth+    anywhere             anywhere
    0     0 PUB_OUT    all  --  any    ppp+    anywhere             anywhere
    0     0 PUB_OUT    all  --  any    slip+   anywhere             anywhere
    0     0 PUB_OUT    all  --  any    venet+  anywhere             anywhere

Chain INT_IN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain INT_OUT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain PAROLE (16 references)
 pkts bytes target     prot opt in     out     source               destination
   18   976 ACCEPT     all  --  any    any     anywhere             anywhere

Chain PUB_IN (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:domain
   16   856 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:www
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:81
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:https
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:webmin
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:radius
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:radius-acct
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:mysql
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:openvpn
    2   120 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:munin
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:2812
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:4960
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:domain
    1    70 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:openvpn
    0     0 DROP       icmp --  any    any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain PUB_OUT (4 references)
 pkts bytes target     prot opt in     out     source               destination
 2357  472K ACCEPT     all  --  any    any     anywhere             anywhere
  #35  
Old 9th June 2008, 13:38
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,745 Times in 2,578 Posts

Can you try this? http://www.howtoforge.com/forums/showthread.php?t=6209
  #36  
Old 9th June 2008, 14:10
chillifire chillifire is offline
HowtoForge Supporter
 
Join Date: Oct 2007
Posts: 75
Thanks: 3
Thanked 3 Times in 3 Posts
Not sure I understand?

Hi falko,

I am not sure I understand your response. Try what?

Looking at your link (earlier posts of this very same thread), it suggests putting iptables rules into a file "pre-chain-split.sh" in the directory /etc/Bastille/firewall.d, which is exactly what I have done. Is there something else in this post I have overlooked that you want me to try?

Cheers

Last edited by chillifire; 9th June 2008 at 20:36.
  #37  
Old 9th June 2008, 18:27
just.another.alex just.another.alex is offline
Junior Member
 
Join Date: Sep 2007
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts

To display the content of the "nat" table (where the POSTROUTING and PREROUTING chains are), you should issue:
Code:
/sbin/iptables -t nat -L
  #38  
Old 10th June 2008, 00:33
chillifire chillifire is offline
HowtoForge Supporter
 
Join Date: Oct 2007
Posts: 75
Thanks: 3
Thanked 3 Times in 3 Posts
 
Great

Thanks, now I can see them. It was actually working; I just could not see the entries with iptables -L -v.
I had to enter iptables -t nat -L for it to work.

Thanks

Hanno

PS: I consider myself a reasonably intelligent person, but this iptables business is witchcraft to me, and developed by a pretty deviant witch at that. Is there a decent online tutorial or book that teaches iptables that you can recommend? Please don't point out the often quoted http://http://iptables-tutorial.froz...-tutorial.html as this must have been written by that deviant witch.
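Two things went wrong in this thread that a quick audit of the rule set would have caught: in post #33 the SSH rate-limit rules were appended to the end of the FORWARD chain, behind an unconditional DROP, so they could never match (and FORWARD does not see traffic addressed to the host anyway, which goes through INPUT); in posts #34 and #37 the DNAT rules were fine but live in the nat table, which `iptables -L` (filter table only) never lists. The script below is an added example, not code from any poster or from Bastille. It parses a dump in `iptables-save` format (which, unlike `iptables -L`, covers every table and is meant to be machine-read) and reports rules shadowed by a catch-all terminal rule, `recent`-module rules placed in FORWARD, and where the nat rules sit. The sample dump is constructed to mirror the thread's rules; the public address 198.51.100.10 stands in for the poster's a.b.c.d.

```python
"""Audit an iptables-save dump for unreachable rules and rule placement."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the rule sets in this thread (not real output):
# the SSH rate-limit rules sit in FORWARD behind an unconditional DROP, and the
# DNAT rules live in the nat table, which `iptables -L` never shows.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 198.51.100.10/32 -p tcp -m tcp --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
-A OUTPUT -d 198.51.100.10/32 -p tcp -m tcp --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PUB_IN - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j PUB_IN
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A FORWARD -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A FORWARD -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH --rsource -j DROP
-A PUB_IN -p tcp -m tcp --dport 22 -j ACCEPT
-A PUB_IN -j DROP
COMMIT
"""

# Targets that end processing of the packet in this chain.
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    table: str
    chain: str
    matches: List[str]      # tokens before -j: the match part of the rule
    target: Optional[str]   # None when there is no -j (e.g. `-m recent --set`)
    line: str

    @property
    def modules(self) -> List[str]:
        """Match extensions named with -m, e.g. ['tcp', 'state', 'recent']."""
        return [self.matches[i + 1] for i, t in enumerate(self.matches[:-1]) if t == "-m"]


def parse_save(dump: str) -> List[Rule]:
    """Parse `iptables-save` output into Rule objects, in rule order."""
    rules: List[Rule] = []
    table = "filter"
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # '*nat', '*filter', ...
            table = line[1:]
        elif line.startswith("-A "):        # '-A CHAIN <matches> [-j TARGET ...]'
            tokens = line.split()
            chain, rest = tokens[1], tokens[2:]
            if "-j" in rest:
                j = rest.index("-j")
                matches, target = rest[:j], rest[j + 1]
            else:
                matches, target = rest, None
            rules.append(Rule(table, chain, matches, target, line))
        # ':CHAIN POLICY [..]' and 'COMMIT' lines carry nothing audited here
    return rules


def unreachable_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that follow an unconditional terminal rule in the same chain."""
    dead: List[Rule] = []
    blocked = set()   # (table, chain) pairs already ended by a catch-all rule
    for r in rules:
        key = (r.table, r.chain)
        if key in blocked:
            dead.append(r)
        elif not r.matches and r.target in TERMINAL_TARGETS:
            blocked.add(key)
    return dead


def find_rules(rules: List[Rule], table=None, chain=None, module=None) -> List[Rule]:
    """Filter rules by table, chain and/or a match module they use."""
    return [r for r in rules
            if (table is None or r.table == table)
            and (chain is None or r.chain == chain)
            and (module is None or module in r.modules)]


def audit(dump: str) -> List[str]:
    """Human-readable findings for the three problems seen in this thread."""
    rules = parse_save(dump)
    findings = []
    for r in unreachable_rules(rules):
        findings.append(f"unreachable ({r.table}/{r.chain}): {r.line}")
    for r in find_rules(rules, table="filter", chain="FORWARD", module="recent"):
        findings.append("recent rule in FORWARD; traffic to this host traverses INPUT: " + r.line)
    for r in find_rules(rules, table="nat"):
        findings.append(f"nat/{r.chain} (shown only by `iptables -t nat -L`): {r.line}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

Run it against a live system with `iptables-save | python3 audit.py`-style piping by replacing SAMPLE_DUMP with `sys.stdin.read()`. The practical lesson for the Bastille hook scripts is to insert host-protecting rules with `-I INPUT` (before the chain's final DROP) rather than `-A`, and to list the nat table separately when checking DNAT rules.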