[KLUG Members] iptables

Bert Obbink members@kalamazoolinux.org
Thu, 01 Aug 2002 17:00:13 +0200


Bruce Smith wrote:

>>>>I want to close the ident port (113) for all incoming 
>>>>connections except for those where there is already a connection open. Some 
>>>>mail servers appear to need an open ident port before accepting email, or 
>>>>at least need significantly more time to accept email. How can I make 
>>>>netfilter accept incoming requests to this port when there is already 
>>>>an active (smtp) connection?
>>>>
>>After doing some firewall digging, I believe that this can be done by 
>>setting up the following rules:
>>
>>iptables -A INPUT -i ${EXTERN} -p tcp --dport 113 -m state --state 
>>RELATED -j ACCEPT
>
>I don't know if iptables is smart enough to know that a connection to
>port 25 is related to port 113, so I don't know if the first line will
>work or not.  It should be easy enough to test if you start logging
>certain connections and rejects.
I've got it working for telnet and ftp. On a system I am setting up for 
connections to customer systems I defined the following rules:

<snip>
iptables -t nat -A POSTROUTING -o ${EXTERN} -j MASQUERADE                                               # (J.1) masquerade outgoing traffic

iptables -A FORWARD -p udp -j DROP                                                                       # (J.2) drop udp
iptables -A FORWARD -i ${EXTERN} -o ${INTERN} -p tcp --dport 0:1023 -j DROP                              # (J.3) all incoming traffic to ports < 1024
iptables -A FORWARD -i ${EXTERN} -o ${INTERN} -p tcp --syn -j DROP                                       # (J.4) all incoming connection requests (SYN)
iptables -A FORWARD -i ${INTERN} -o ${EXTERN} -p tcp --sport 6000:6100 -j DROP                           # (J.5) all X windows traffic
iptables -A FORWARD -i ${INTERN} -o ${EXTERN} -p tcp --sport 7741 -j DROP                                # (J.6) LISA

iptables -A FORWARD -i ${EXTERN} -o ${INTERN} -p tcp --dport 1024:65535 -m state ! --state INVALID -j ACCEPT   # (J.7) inbound to high ports, non-INVALID only
iptables -A FORWARD -i ${INTERN} -o ${EXTERN} -p tcp --dport 1024:65535 -m state ! --state INVALID -j ACCEPT   # (J.8) outbound to high ports, non-INVALID only

iptables -A FORWARD -i ${INTERN} -o ${EXTERN} -s ${LOKADR} ! -d ${LOKADR} -p tcp --dport 23 -j ACCEPT        # (J.9) telnet
iptables -A FORWARD -i ${INTERN} -o ${EXTERN} -s ${LOKADR} ! -d ${LOKADR} -p tcp --dport 20:21 -j ACCEPT     # (J.10) ftp
iptables -A FORWARD -i ${INTERN} -o ${EXTERN} -s ${LOKADR} ! -d ${LOKADR} -p tcp --dport 4000 -j ACCEPT      # (J.11) TCM
iptables -A FORWARD -i ${INTERN} -o ${EXTERN} -s ${LOKADR} ! -d ${LOKADR} -p tcp --dport 5631:5632 -j ACCEPT # (J.12) pcAnywhere
iptables -A FORWARD -i ${INTERN} -o ${EXTERN} -s ${LOKADR} ! -d ${LOKADR} -p tcp --dport 5900 -j ACCEPT      # (J.13) vnc

</snip>

Interesting are lines J.7 and J.8: these lines only allow traffic on the 
higher port ranges if it concerns non-INVALID traffic. According to 
'man iptables' all packets not related to any existing connection are of 
state INVALID. So only allowing non-INVALID traffic should only enable 
related traffic. This seems to work for all traffic defined in lines J.9 
to J.13.

If I understand iptables well enough (?) there should be no other 
traffic possible at all than that set up via lines J.9 to J.13.

n.b. Lines J.5 and J.6 are not needed because the policy is to DROP, but 
they were put there before I had lines J.7 and J.8 operational.
LOKADR is of course the local IP network.

I have not tested port 113 yet, but this should work accordingly.

>>iptables -A INPUT -i ${EXTERN} -p tcp --dport 113 -j DROP 
>The second line should jump to REJECT instead of DROP!  
>Otherwise you may still experience annoying delays in email delivery.
>
If the rules make any sense it could be set to DROP, because only 
systems to which there is already an active connection are allowed to 
query port 113. All other connections can be dropped.

Bert.
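An added example for the ident question discussed in this thread (it is not code from any of the posters). Netfilter's connection tracking only marks a packet RELATED when a protocol helper has registered an expectation (FTP data channels, for instance); an inbound ident query from a mail server is never RELATED to that server's SMTP session, so a `--state RELATED` rule on port 113 will not match it. The script below takes a different route: the `recent` match records the source address of every new inbound SMTP connection, an ident query from such an address is accepted for a short window, and everyone else gets a TCP RST (REJECT) rather than a silent DROP so no MTA waits out a connect timeout. The interface name `eth0`, the list name `smtp_peers`, the 300-second window and the log prefix are assumptions for the example. The rules are emitted as text by default; `apply` executes them and needs root.

```shell
#!/bin/sh
# Added example, not from the thread. Ident (113) handling that does not rely on
# conntrack marking 113 as RELATED to an SMTP session (it does not).
# Assumptions: external interface eth0, recent-list name smtp_peers, 300 s window.

EXTERN="${EXTERN:-eth0}"            # assumed external interface
IDENT_WINDOW="${IDENT_WINDOW:-300}" # seconds to keep answering ident after an SMTP SYN

# Print the ruleset, one iptables command per line, in the order it must be loaded.
ident_rules() {
    # Packets belonging to, or expected by, tracked connections pass as usual.
    echo "iptables -A INPUT -i $EXTERN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Every new inbound SMTP connection records its source in the 'smtp_peers' list.
    echo "iptables -A INPUT -i $EXTERN -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --name smtp_peers --set -j ACCEPT"
    # Ident is answered only for sources seen on port 25 within IDENT_WINDOW seconds.
    echo "iptables -A INPUT -i $EXTERN -p tcp --dport 113 -m conntrack --ctstate NEW -m recent --name smtp_peers --rcheck --seconds $IDENT_WINDOW -j ACCEPT"
    # Log the rest (rate-limited) so the behaviour can be verified, as Bruce suggested.
    echo "iptables -A INPUT -i $EXTERN -p tcp --dport 113 -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix \"ident-reject: \""
    # Everyone else gets an immediate RST; a DROP would make remote MTAs wait for a timeout.
    echo "iptables -A INPUT -i $EXTERN -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
}

# Execute the ruleset (requires root and the recent/conntrack/limit match modules).
apply_ident_rules() {
    ident_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

# Return 0 if the emitted ruleset has the ordering the design depends on:
# the --set rule before the --rcheck rule, and the REJECT rule last.
rule_order_ok() {
    out=$(ident_rules)
    set_line=$(printf '%s\n' "$out" | grep -n -- '--set' | cut -d: -f1)
    chk_line=$(printf '%s\n' "$out" | grep -n -- '--rcheck' | cut -d: -f1)
    last=$(printf '%s\n' "$out" | tail -n 1)
    [ "$set_line" -lt "$chk_line" ] || return 1
    case "$last" in
        *"REJECT --reject-with tcp-reset"*) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${1:-}" = "apply" ]; then
    apply_ident_rules
else
    ident_rules
fi
```

Rule order matters: the `--set` rule has to see the SMTP SYN before any ident query arrives, and the REJECT must come after the ACCEPT so listed peers are never reset. If the mail server's ident query is the first packet you ever see from it (no SMTP session yet), it still gets a RST, which is the desired behaviour for the original question.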