IpTables Question for Eth1 (Linux Networking forums; thread from comp.os.linux.networking)
Redhat 9.
Kernel 2.6.11-7
iptables v.1.2.7a
Apache/2.0.40

I have two nic's installed; they are seen by the system as Eth0 and Eth1. Both work properly, are on different subnets, 192.168.0 and 192.168.2, respectively, and routing /or forwarding between them is not an issue.

This box is used primarily for providing local network services: ssh, ftp, http, smb for file storage, etc., and development/learning.

I need to provide access to Eth1 only for http (Apache). I wish to lock out access to all other services and methods of access over this interface, while keeping Eth0 as it is, with unlimited full access (I assume based on the current, default ruleset:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
)

I've looked at a few guides and tutorials; no one seems to have a canned tutorial addressing this situation that I could adapt.

I would actually like to enhance the scheme, after I get it so that just http access is available, so that I can access some additional services thru Eth1 based on login -- certain privileged users could access based on either login or by MAC address of the client computer?

I'll hope that these requirements are actually trivial, but I just can't seem to penetrate the iptables - learning curve - fog... someone please give me a quick kick in the..... :)

/..

-- 
find / -iname "*gw*" -exec rm -rf {} \;
In heaven, there is no beer, That's why we drink it here, And when we're all gone from here, Our friends will be drinking all the beer!
-- Famous old Czech song about beer --
By Wed, 20 Apr 2005 07:53:28 -0400, /.. decided to post "IpTables Question for Eth1" to comp.os.linux.networking:

> Redhat 9.
> Kernel 2.6.11-7
> iptables v.1.2.7a
> Apache/2.0.40
>
> I have two nic's installed; they are seen by the system as Eth0 and Eth1.
> Both work properly, are on different subnets, 192.168.0 and 192.168.2,
> respectively, and routing /or forwarding between them is not an issue.
>
> This box is used primarily for providing local network services: ssh, ftp,
> http, smb for file storage, etc., and development/learning. I'm adding to this
> web-serving via a wireless a.p., hooked to eth1.
>
> I need to provide access to Eth1 only for http (Apache). I wish to lock
> out access to all other services and methods of access over this interface,
> while keeping Eth0 as it is, with unlimited full access
> (I assume based on the current, default ruleset:
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> )
>
> I've looked at a few guides and tutorials; no one seems to have a canned
> tutorial addressing this situation that I could adapt.

Ok, I think I made enough sense of the man file to come up with a way to close all ports on eth1 (except 80 and 10000 for tcp/udp) for all connections.

Does this ruleset look complete? Is it broken in some way? Should I block outgoing ports as well, excepting some range for return connections? Use right now is for web-server only.

I'd like to allow, by MAC address, one machine to ssh in. Is opening port 22 INPUT sufficient for this? If I block outgoing ports, which should I allow to operate the ssh connection?

Finally, is UDP necessary for the web-server? Should I look into connection tracking for web and ssh connections?

<can you tell I'm new to the subject?> :)

## -- ACCEPT rules
iptables -A INPUT -p tcp -i eth1 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 10000 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --dport 10000 -j ACCEPT

## -- DENY rules
iptables -A INPUT -p tcp -i eth1 --dport 0:79 -j REJECT
iptables -A INPUT -p udp -i eth1 --dport 0:79 -j REJECT

iptables -A INPUT -p tcp -i eth1 --dport 81:9999 -j REJECT
iptables -A INPUT -p udp -i eth1 --dport 81:9999 -j REJECT

iptables -A INPUT -p tcp -i eth1 --dport 10001: -j REJECT
iptables -A INPUT -p udp -i eth1 --dport 10001: -j REJECT
/, Wed 2005-04-20 @ 19:05:53 (CEST):

> I'd like to allow, by MAC address, one machine to ssh in. Is opening port
> 22 INPUT sufficient for this?

Yes, using the mac module to do the actual matching against the desired MAC.

> Finally, is UDP necessary for the web-server?

No. HTTP operates on 80/TCP only. If you want to use SSL, you'll also want to open 443/TCP though.

> ## -- DENY rules
> iptables -A INPUT -p tcp -i eth1 --dport 0:79 -j REJECT
> iptables -A INPUT -p udp -i eth1 --dport 0:79 -j REJECT
>
> iptables -A INPUT -p tcp -i eth1 --dport 81:9999 -j REJECT
> iptables -A INPUT -p udp -i eth1 --dport 81:9999 -j REJECT
>
> iptables -A INPUT -p tcp -i eth1 --dport 10001: -j REJECT
> iptables -A INPUT -p udp -i eth1 --dport 10001: -j REJECT

There's no need to specify individual ports or protocols, since packets reaching these rules are neither dport 80/TCP nor 10000/TCP. So doing just:

iptables -A INPUT -i eth1 -j REJECT

is enough.

wrt outgoing packets, it's not bad policy to do '-P OUTPUT DROP' and open destination IPs/ports explicitly, so a user eventually compromising the system won't be able to download anything from the net. In this case, accepting packets with /source/ ports 80 and 10000 would be enough.

Another approach would be to use the state module, then allowing only NEW and ESTABLISHED packets with dports 80 and 10000, dropping anything else and not allowing anything outgoing.

-- 
David Serrano
By Wed, 20 Apr 2005 17:24:40 +0000 (UTC), "David Serrano (Hue-Bond)" <responder_solo_en_el_grupo@yahoo.es> decided to post "Re: IpTables Question for Eth1" to comp.os.linux.networking:

> /, Wed 2005-04-20 @ 19:05:53 (CEST):
>> I'd like to allow, by MAC address, one machine to ssh in. Is opening port
>> 22 INPUT sufficient for this?
>
> Yes, using the mac module to do the actual matching against the desired MAC.
>
>> Finally, is UDP necessary for the web-server?
>
> No. HTTP operates on 80/TCP only. If you want to use SSL, you'll also want
> to open 443/TCP though.
>
>> ## -- DENY rules
>> iptables -A INPUT -p tcp -i eth1 --dport 0:79 -j REJECT
>> iptables -A INPUT -p udp -i eth1 --dport 0:79 -j REJECT
>>
>> iptables -A INPUT -p tcp -i eth1 --dport 81:9999 -j REJECT
>> iptables -A INPUT -p udp -i eth1 --dport 81:9999 -j REJECT
>>
>> iptables -A INPUT -p tcp -i eth1 --dport 10001: -j REJECT
>> iptables -A INPUT -p udp -i eth1 --dport 10001: -j REJECT
>
> There's no need to specify individual ports or protocols, since packets
> reaching these rules are neither dport 80/TCP nor 10000/TCP. So doing
> just:
>
> iptables -A INPUT -i eth1 -j REJECT
>
> is enough.
>
> wrt outgoing packets, it's not bad policy to do '-P OUTPUT DROP' and open
> destination IPs/ports explicitly, so a user eventually compromising the
> system won't be able to download anything from the net. In this case,
> accepting packets with /source/ ports 80 and 10000 would be enough.
>
> Another approach would be to use the state module, then allowing only NEW
> and ESTABLISHED packets with dports 80 and 10000, dropping anything else and
> not allowing anything outgoing.

Thanks. That's a big help. Before getting your message, I'd come to this script, which is working as intended (below). I will try to update it per your suggestions.

I've seen on usenet, I think, that it's good practice to use DROP or REJECT by default as policy, say for INPUT and OUTPUT. But when I do this for INPUT, everything gets funky -- some www request packets get through, but not all, and essentially my php scripts fail to complete and send out pages. I'm reading more, hoping I can append some logging for nearly everything in hopes of seeing what fails with INPUT:policy:DROP. /var/log/messages is the only place I've seen any record of actions by default, and nothing was applicable (wrong timestamps).

Looks like I could drop some of the protocol specifics.

#!/bin/bash

# clear (flush) existing chains and rules:
iptables -F

# remove old chains: (kills any error messages)
iptables -X AWDSET
iptables -X AMD64

# new chains: (in case e.g. reboot, explicit create)
iptables -N AWDSET
iptables -N AMD64

# policies:
## iptables -P INPUT DROP
iptables -P FORWARD DROP

##--------------------------------------INPUT rules--##
# use AMD64 chain for this MAC address:
iptables -A INPUT -m mac --mac-source 00:xx:xx:xx:xx:xx -j AMD64

iptables -A INPUT -i eth0 -p tcp -j ACCEPT
iptables -A INPUT -i eth0 -p udp -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -j ACCEPT

iptables -A INPUT -i eth1 -p tcp -j AWDSET
iptables -A INPUT -i eth1 -p udp -j AWDSET
iptables -A INPUT -i eth1 -p icmp -j AWDSET

iptables -A INPUT -p tcp -i eth1 --dport 0: -j DROP
iptables -A INPUT -p udp -i eth1 --dport 0: -j DROP
iptables -A INPUT -p icmp -i eth1 -j DROP

##--------------------------------------AMD64 rules--##
# allow (ssh) connection on port 22
iptables -A AMD64 -p tcp -i eth1 --dport 22 -j ACCEPT
iptables -A AMD64 -p udp -i eth1 --dport 22 -j ACCEPT

# open http + https
iptables -A AMD64 -p tcp -i eth1 --dport 80 -j ACCEPT
iptables -A AMD64 -p udp -i eth1 --dport 80 -j ACCEPT
iptables -A AMD64 -p tcp -i eth1 --dport 10000 -j ACCEPT

# open icmp
iptables -A AMD64 -p icmp -i eth1 -j ACCEPT

# close all other ports:
iptables -A AMD64 -p tcp -i eth1 --dport 0: -j DROP
iptables -A AMD64 -p udp -i eth1 --dport 0: -j DROP

##-------------------------------------AWDSET rules--##
# open http + https:
iptables -A AWDSET -p tcp -i eth1 --dport 80 -j ACCEPT
iptables -A AWDSET -p udp -i eth1 --dport 80 -j ACCEPT
iptables -A AWDSET -p tcp -i eth1 --dport 10000 -j ACCEPT

# close all other ports (second line was a duplicated tcp rule; udp intended):
iptables -A AWDSET -p tcp -i eth1 --dport 0: -j DROP
iptables -A AWDSET -p udp -i eth1 --dport 0: -j DROP
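As an added example (not the poster's script and not David Serrano's), here is the stateful variant of the eth1 lockdown described in the thread: new TCP connections to the web ports only, ssh for exactly one MAC via the mac module, a default DROP on INPUT together with the loopback and ESTABLISHED,RELATED rules that such a policy needs so local sockets and replies to the box's own lookups still get in, and a rate-limited LOG rule so dropped eth1 packets show up in /var/log/messages. The interface names, the placeholder MAC, the WEB_PORTS list and the DRY_RUN switch are assumptions; with DRY_RUN=1 (the default) the script only prints the rules for review.

```shell
#!/bin/sh
# Added example: stateful eth1 lockdown, not the thread's own script.
# DRY_RUN=1 (default) prints the rules for review; run as root with
# DRY_RUN=0 to load them. Interface names and the MAC are placeholders.
LAN_IF=eth0                  # trusted LAN side, left fully open
AP_IF=eth1                   # wireless AP side, HTTP only
ADMIN_MAC=00:11:22:33:44:55  # placeholder: the one client allowed to ssh in
WEB_PORTS="80 443"           # HTTP, plus HTTPS if SSL is enabled; TCP only

ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_rules() {
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT    # tighten to DROP later, as suggested in the thread
    # A DROP policy also hits loopback sockets (e.g. php talking to a local db)
    # and the replies to the box's own DNS/outbound connections: allow both first.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    # trusted LAN: unchanged, everything accepted
    ipt -A INPUT -i "$LAN_IF" -j ACCEPT
    # AP side: only new TCP connections to the web ports (no UDP needed)
    for p in $WEB_PORTS; do
        ipt -A INPUT -i "$AP_IF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # ssh from exactly one client, matched on its MAC with the mac module
    ipt -A INPUT -i "$AP_IF" -p tcp --dport 22 -m mac --mac-source "$ADMIN_MAC" \
        -m state --state NEW -j ACCEPT
    # log what eth1 drops (rate limited) so failures show in /var/log/messages
    ipt -A INPUT -i "$AP_IF" -m limit --limit 5/min -j LOG --log-prefix "IPT eth1 drop: "
    ipt -A INPUT -i "$AP_IF" -j REJECT
}

build_rules
```

The single trailing REJECT replaces the per-port-range DENY rules from the first post, since anything reaching it is already neither an allowed web port nor the permitted ssh client.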