Firewall ACLs

Discussion in 'Tips/Tricks/Mods' started by punto, Aug 15, 2006.

  1. smartcall

    smartcall ISPConfig Developer ISPConfig Developer

    subdirectory and the file gone

    The howto is good and working, but at some point ISPConfig deleted the subdirectory and the post-rule-setup.sh file.

    Most probably after the upgrade from 2.2.8 to 2.2.9

    Regards,

    Apostol
     
  2. falko

    falko Super Moderator ISPConfig Developer

    During an update ISPConfig renames /etc/Bastille to /etc/Bastille_somedate and creates a new /etc/Bastille directory, that's why the subdirectory is missing now.
     
  3. tal56

    tal56 New Member


    Sorry to drag up a old thread, but I would like to add some rules to the firewall, such as IP blocking and stuff. However it would seem from Falko's comments here that if I do it this way after each upgrade, then I have to fix the firewall again?

    I also have Webmin installed on a development server along side ISPconfig, and when I go to edit the firewall in there, it gives me the option of converting the existing ISPconfig firwall to the webmin managed one, then you can edit the webmin one from there. I've tested it and it seems ok, is there any problems with using it this way instead? Of course I did turn off the ispconfig firewall in services after I've converted it. But it seems after this is done, I can now upgrade ispconfig without having to redo the firewall additions each time?

    Thanks
     
  4. falko

    falko Super Moderator ISPConfig Developer

    Yes.

    I think this is ok as long as you tell ISPConfig not to start the ISPConfig firewall.
     
  5. daveb

    daveb Member

    I have a set of rules I use in /etc/Bastille/firewall.d/post-rule-setup.sh.
    Since the release of 2.2.16 or so my rules in post-rule-setup.sh are kept after the update.
     
  6. tal56

    tal56 New Member

    I've found this on another site to reduce brute force hacking using only iptables :

    And would like to add it to the firewall rules. Would the two lines just replace the existing reference to Port 22 on the default ISPconfig firewall rules? This seems like a good way to slow down the brute force attacks on servers.

    Also I've seen this code from the comments on the Denyhost howto. :

    Both seem like good methods without having to install any seperate software. From looking at them, which would you suggest to be the better method to add?

    Thanks
     
  7. daveb

    daveb Member

    Here is what I added to my post-rule-setup.sh for ssh.
    Code:
    /sbin/iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    /sbin/iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
     
  8. tal56

    tal56 New Member

    Where did you add those 2 lines to the existing ispconfig firewall rule? Did you just replace the line that refers to port 22 for ssh? Thanks
     
  9. daveb

    daveb Member

    I added them to /etc/Bastille/firewall.d/post-rule-setup.sh
     
  10. tal56

    tal56 New Member

    I see. So if I just put only those 2 lines in the post-rule-setup.sh file, it should work? I need to test this out soon as I'm getting a lot of hack attemts and don't really want to disable root on ssh. Thanks
     
  11. daveb

    daveb Member

    yea I belive I had to create the dir firewall.d and file post-rule-setup.sh added my rules restarted bastille /etc/init.d/bastille_firewall restart and you can check you rules with iptables -L
     
  12. tal56

    tal56 New Member

    That sounds like exactly what i'm looking for. I'll give it a try as well and see if it helps reduce the hack attempts. I'll also post back later and let everyone know if I had to redo the rules after a upgrade as I'll be upgrading soon.
     
  13. tal56

    tal56 New Member

    Daveb,

    I've added the lines to my firewall as you explained, however I'm not certain it's working as I tried connecting to ssh through putty several times with the wrong password and it keeps letting me try. The only thing I've changed is the ETH in your line to "ETH0" for my network card.

    Here is my iptables -L output. Can you let me know if it looks ok, and how I can test this? Thanks

     
  14. chillifire

    chillifire New Member

    New iptables rules don't seem to be recognised by Bastille

    I tried to add the following two rules

    Code:
    /sbin/iptables -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
    /sbin/iptables -t nat -A OUTPUT -p tcp -d a.b.c.d --dport 8007 -j DNAT --to-destination 10.8.0.7:8080 
    
    based on advice received from URL="http://www.howtoforge.com/forums/showthread.php?t=23889&goto=newpost"]this post [/URL]
    (The purpose is to relay a http request from any external workstation via an OpenVPN server to an OpenVPN client which has no public IP address). a.b.c.d is obviously replaced with my public IP address on my system.

    Now, I added a file pre-chain-split.sh to a new directory firewall.d under /etc/Bastille as decribed in this post. The restart runs through just fine:
    Code:
    root@blackbird:/etc/Bastille/firewall.d# /etc/init.d/bastille-firewall restart
    Setting up IP spoofing protection... done.
    Allowing traffic from trusted interfaces... done.
    Setting up chains for public/internal interface traffic... done.
    Setting up general rules... done.
    Setting up outbound rules... done.
    
    but no iptables rule seems to be appended. The output of iptables -L -v (as shown below) is exctly as before, and a PREROUTING chain is not even mentioned.

    I deliberately put an error into pre-chain-split.sh to check whether it is even run. And yes, I get an error message, if I build in an error into the file, so we now it is executed fine.

    Any idea anyone why this might not be working for me?

    Cheers

    chillifire


    Appendix: Output of iptables -L -v
    Code:
    root@blackbird:/etc/Bastille/firewall.d# iptables -L -v
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       tcp  --  !lo    any     anywhere             127.0.0.0/8
     1505  160K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
       37  1924 ACCEPT     all  --  lo     any     anywhere             anywhere
        0     0 DROP       all  --  any    any     BASE-ADDRESS.MCAST.NET/4  anywhere
       19  1046 PUB_IN     all  --  eth+   any     anywhere             anywhere
        0     0 PUB_IN     all  --  ppp+   any     anywhere             anywhere
        0     0 PUB_IN     all  --  slip+  any     anywhere             anywhere
        0     0 PUB_IN     all  --  venet+ any     anywhere             anywhere
        0     0 DROP       all  --  any    any     anywhere             anywhere
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
        0     0 DROP       all  --  any    any     anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT 278 packets, 24730 bytes)
     pkts bytes target     prot opt in     out     source               destination
     2361  474K PUB_OUT    all  --  any    eth+    anywhere             anywhere
        0     0 PUB_OUT    all  --  any    ppp+    anywhere             anywhere
        0     0 PUB_OUT    all  --  any    slip+   anywhere             anywhere
        0     0 PUB_OUT    all  --  any    venet+  anywhere             anywhere
    
    Chain INT_IN (0 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
        0     0 DROP       all  --  any    any     anywhere             anywhere
    
    Chain INT_OUT (0 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
        0     0 ACCEPT     all  --  any    any     anywhere             anywhere
    
    Chain PAROLE (16 references)
     pkts bytes target     prot opt in     out     source               destination
       18   976 ACCEPT     all  --  any    any     anywhere             anywhere
    
    Chain PUB_IN (4 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp destination-unreachable
        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-reply
        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp time-exceeded
        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request
        0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp
        0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
        0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp
        0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:domain
       16   856 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:www
        0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:81
        0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3
        0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:https
        0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:webmin
        0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:radius
        0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:radius-acct
        0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:mysql
        0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:openvpn
        2   120 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:munin
        0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:2812
        0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:4960
        0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:domain
        1    70 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:openvpn
        0     0 DROP       icmp --  any    any     anywhere             anywhere
        0     0 DROP       all  --  any    any     anywhere             anywhere
    
    Chain PUB_OUT (4 references)
     pkts bytes target     prot opt in     out     source               destination
     2357  472K ACCEPT     all  --  any    any     anywhere             anywhere
    
     
  15. falko

    falko Super Moderator ISPConfig Developer

  16. chillifire

    chillifire New Member

    Not sure I understand?

    Hi falko,

    I am not sure I understand your response. Try what?

    Looking at your link (earlier posts of this very same thread), suggests to put iptable rules into a file "pre-chain-split.sh" in directory /etc/Bastille/firewall.d, which is exactly what I have done. Is there something else in this post I have overlooked that you want me to try?

    Cheers
     
    Last edited: Jun 9, 2008
  17. just.another.alex

    just.another.alex New Member

    To display the content in the "nat" table (where POSTROUTING and PREROUTING chains are), you should issue an:
    Code:
    /sbin/iptables -t nat -L
     
  18. chillifire

    chillifire New Member

    Great

    Thanks, now I can see them. It was actually working; I just could not see the entries with iptables -L -v
    I had to enter iptables -t nat -L for it to work

    Thanks

    Hanno

    PS: I consider myself a reasonable intelligent person, but this iptables business is witchcraft to me, and developed by a pretty deviant witch at that. Is there a decent online tutorial or book that teaches iptables that you can recommend? Please don’t point out the often quoted http://http://iptables-tutorial.frozentux.net/iptables-tutorial.html as this must have been written by that deviant witch :)
     

Share This Page