iptables: allowing only listed hosts to connect to a port - Networking

  1. iptables: allowing only listed hosts to connect to a port

    I want to allow only hosts from the local area network and certain
    external networks to be able to access a specific port number. I have created
    a script firewall.sh, as follows:

    #!/bin/sh

    ALLOWED="
    10.0.0.0/8
    192.168.0.0/16
    51.0.0.0/8
    62.30.0.0/16
    80.0.0.0/13
    "

    for addr in $ALLOWED
    do
    iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
    done

    iptables -A INPUT -p tcp --dport 7500 -jDROP

    After running the script iptables -L -n reveals:

    Chain INPUT (policy ACCEPT)
    ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
    ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
    ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
    ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
    ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500

    I find that hosts outside of the list are still able to access the port.
    Is the last entry in the table correct?

    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
    |
    Should this read "anywhere"?

    Why isn't my filter working?

    Please advise.

    Mark.

    --
    Mark Hobley,
    393 Quinton Road West,
    Quinton, BIRMINGHAM.
    B32 1QE.

  2. Re: iptables: allowing only listed hosts to connect to a port

    On Wednesday 2 July 2008 23:06, Mark Hobley wrote:

    > I want to allow only hosts from the local area network and certain
    > external networks to be able to access a specific port number. I have
    > created a script firewall.sh, as follows:
    >
    > #!/bin/sh
    >
    > ALLOWED="
    > 10.0.0.0/8
    > 192.168.0.0/16
    > 51.0.0.0/8
    > 62.30.0.0/16
    > 80.0.0.0/13
    > "
    >
    > for addr in $ALLOWED
    > do
    > iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
    > done
    >
    > iptables -A INPUT -p tcp --dport 7500 -jDROP
    >
    > After running the script iptables -L -n reveals:
    >
    > Chain INPUT (policy ACCEPT)
    > ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
    > ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
    > ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
    > ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
    > ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
    > DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
    >
    > I find that hosts outside of the list are still able to access the port.


    Set a DROP default policy for the INPUT chain:

    iptables -P INPUT DROP

    (usually this is done before allowing anything)

    This will drop anything not explicitly allowed, so be careful if you run
    that command while you are remotely connected.


  3. Re: iptables: allowing only listed hosts to connect to a port

    pk wrote:

    > Set a DROP default policy for the INPUT chain:


    Doesn't this affect the overall networking policy for every port number?

    On the whole, I want my network traffic unfiltered (allowed by default).
    However there are certain ports that I want traffic blocked on, unless I
    specifically allow it.

    Maybe I need some sort of allow by default for some ports, but drop by
    default for other ports type of policy. (Is that possible?)

    > iptables -P INPUT DROP
    >
    > (usually this is done before allowing anything)
    >
    > This will drop anything not explicitly allowed, so be careful if you run
    > that command while you are remotely connected.


    I am remotely connected (though not via port 7500 which is a different
    kind of service and nothing to do with my remote connection). I am
    concerned that that will zap all of my network services. This is a busy server.

    I only want to make changes to port 7500.

    Regards,

    Mark.

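An added example (not the poster's firewall.sh) of the policy Mark is asking for: the INPUT default stays ACCEPT and only traffic to port 7500 is judged against the list, which is what his final --dport 7500 DROP already does. This version keeps the list in a dedicated chain, rebuilds it so re-running does not duplicate rules, skips malformed entries, and appends the DROP last because iptables stops at the first matching rule. The chain name PORT7500, the APPLY switch and the trailing not-an-address entry are this example's own constructions.

```shell
#!/bin/sh
# Added example, not the poster's firewall.sh: the allowlist for one port kept
# in its own chain, so the INPUT default policy can stay ACCEPT. Dry run by
# default (the iptables commands are printed); APPLY=1 executes them as root.

PORT=7500
CHAIN="PORT${PORT}"          # chain name is this example's own choice
ALLOWED="
10.0.0.0/8
192.168.0.0/16
51.0.0.0/8
62.30.0.0/16
80.0.0.0/13
not-an-address
"                            # last entry is a constructed bad line

# run_ipt: print one iptables command line, or execute it when APPLY=1
run_ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# valid_cidr: true for a.b.c.d/n with every octet 0-255 and n 0-32
valid_cidr() {
    vc_ip=${1%/*}
    vc_len=${1#*/}
    [ "$vc_ip" != "$1" ] || return 1                    # no '/' present
    case "$vc_len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$vc_len" -le 32 ] || return 1
    vc_n=0
    vc_ifs=$IFS; IFS=.
    for vc_o in $vc_ip; do
        case "$vc_o" in ''|*[!0-9]*) IFS=$vc_ifs; return 1 ;; esac
        [ "$vc_o" -le 255 ] || { IFS=$vc_ifs; return 1; }
        vc_n=$((vc_n + 1))
    done
    IFS=$vc_ifs
    [ "$vc_n" -eq 4 ]
}

# build_port_allowlist: rebuild the chain from scratch (re-running the script
# must not append a second copy of every rule), hook it for the port, add one
# ACCEPT per network and append the DROP last. iptables stops at the first
# matching rule, so a DROP placed first would block the listed networks too.
build_port_allowlist() {
    run_ipt -D INPUT -p tcp --dport "$PORT" -j "$CHAIN" 2>/dev/null || true
    run_ipt -F "$CHAIN" 2>/dev/null || true
    run_ipt -X "$CHAIN" 2>/dev/null || true
    run_ipt -N "$CHAIN"
    run_ipt -A INPUT -p tcp --dport "$PORT" -j "$CHAIN"
    for net in $ALLOWED; do
        if valid_cidr "$net"; then
            run_ipt -A "$CHAIN" -s "$net" -j ACCEPT
        else
            echo "skipping malformed entry: $net" >&2
        fi
    done
    run_ipt -A "$CHAIN" -j DROP    # only port $PORT traffic reaches this chain
}

build_port_allowlist
```

Check the result with the per-rule counters from iptables -L PORT7500 -v -n rather than with tcpdump, which captures packets before they enter the INPUT chain.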

  4. Re: iptables: allowing only listed hosts to connect to a port

    "Mark Hobley" wrote in message
    news:ebctj5-rqg.ln1@neptune.markhobley.yi.org...

    > > Set a DROP default policy for the INPUT chain:

    >
    > Doesn't this affect the overall networking policy for every port number?


    No, it only affects the default policy for the INPUT chain on that
    interface. Deny all, allow only what is specified.

    > On the whole, I want my network traffic unfiltered (allowed by default).


    Only an incompetent fool of an administrator would want such unfiltered
    traffic.



  5. Re: iptables: allowing only listed hosts to connect to a port

    h.stroph wrote:

    > Only an incompetent fool of an administrator would want such an unfiltered
    > traffic.


    This particular computer is a public access machine and the traffic is
    already being filtered by a remote hardware based firewall device and
    intermediate routing devices. The specific filtering on port 7500 is
    being done locally on the machine in supplement to the external
    firewalling due to a limitation of the external hardware based firewall,
    which is not able to handle a lengthy access list chain against the
    forwarded 7500 service port. The computer is providing public access web
    services, news feeds, email, internet relay chat, game services and internal
    networking services, such as internal client access, and network file services
    on several port numbers.

    I don't want a change to the iptables list to affect those services. All I
    want to do through iptables is limit access to port 7500 to those networks on
    the access list. I want the remaining networking ports to remain operational,
    as they are now. I would have made these restrictions on one of the
    external firewalling devices rather than on the local machine had this been
    possible.

    Regards,

    Mark.


  6. Re: iptables: allowing only listed hosts to connect to a port

    Hello,

    Mark Hobley wrote:
    >
    > After running the script iptables -L -n reveals:
    >
    > Chain INPUT (policy ACCEPT)
    > ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
    > ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
    > ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
    > ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
    > ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
    > DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
    >
    > I find that hosts outside of the list are still able to access the port.


    Weird. Are there other rules in the ruleset? What happens if you remove
    all the ACCEPT rules and leave only the DROP rule?

    > Is the last entry in the table correct?
    >
    > DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
    > |
    > Should this read "anywhere"?


    With the -n option it is the "anywhere" in the other lines which should
    read "0.0.0.0/0".

  7. Re: iptables: allowing only listed hosts to connect to a port

    Pascal Hambourg wrote:

    > Weird. Are there other rules in the ruleset? What happens if you remove
    > all the ACCEPT rules and leave only the DROP rule?


    There are no additional rules in the ruleset. The setup script is as
    posted.

    If I just have the drop line, all traffic to the port is dropped.

    If I invert the script as follows:

    iptables -A INPUT -p tcp --dport 7500 -jDROP

    for addr in $ALLOWED
    do
    iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
    done

    This produces a filter table as follows:

    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
    ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
    ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
    ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
    ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
    ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500

    However, in this scenario, all network traffic to port 7500 remains
    blocked, even from the accepted ports, presumably because the first rule
    produces a match, and the rest of the table is then ignored.

    iptables -V reveals:

    iptables v1.3.6

    cat /proc/version reveals:

    Linux version 2.6.18-6-486 (Debian 2.6.18.dfsg.1-18etch6)

    Regards,

    Mark.


  8. Re: iptables: allowing only listed hosts to connect to a port

    Mark Hobley wrote:
    >
    > If I just have the drop line, all traffic to the port is dropped.


    Just as expected. Are you really really 100% sure that hosts outside the
    list ranges can connect to the port?

    > If I invert the script as follows:
    >
    > iptables -A INPUT -p tcp --dport 7500 -jDROP
    >
    > for addr in $ALLOWED
    > do
    > iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
    > done
    >
    > This produces a filter table as follows:
    >
    > DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
    > ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
    > ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
    > ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
    > ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
    > ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
    >
    > However, in this scenario, all network traffic to port 7500 remains
    > blocked, even from the accepted ports, presumably because the first rule
    > produces a match, and the rest of the table is then ignored.


    Just as expected.

  9. Re: iptables: allowing only listed hosts to connect to a port

    Mark Hobley wrote:

    > Pascal Hambourg wrote:
    >
    >> Weird. Are there other rules in the ruleset? What happens if you remove
    >> all the ACCEPT rules and leave only the DROP rule?

    >
    > There are no additional rules in the ruleset. The setup script is as
    > posted.
    >
    > If I just have the drop line, all traffic to the port is dropped.
    >
    > If I invert the script as follows:
    >
    > iptables -A INPUT -p tcp --dport 7500 -jDROP
    >
    > for addr in $ALLOWED
    > do
    > iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
    > done
    >
    > This produces a filter table as follows:
    >
    > DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
    > ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
    > ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
    > ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
    > ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
    > ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
    >
    > However, in this scenario, all network traffic to port 7500 remains
    > blocked, even from the accepted ports, presumably because the first rule
    > produces a match, and the rest of the table is then ignored.
    >
    > iptables -V reveals:
    >
    > iptables v1.3.6
    >
    > cat /proc/version reveals:
    >
    > Linux version 2.6.18-6-486 (Debian 2.6.18.dfsg.1-18etch6)
    >
    > Regards,
    >
    > Mark.
    >


    Yes working correctly.
    The first rule drops the packet and the other rules then match nothing.

    --
    Tayo'y mga Pinoy

  10. Re: iptables: allowing only listed hosts to connect to a port

    Baho Utot wrote:
    > Mark Hobley wrote:
    >
    >> Pascal Hambourg wrote:
    >>
    >>> Weird. Are there other rules in the ruleset? What happens if you remove
    >>> all the ACCEPT rules and leave only the DROP rule?

    >> There are no additional rules in the ruleset. The setup script is as
    >> posted.
    >>
    >> If I just have the drop line, all traffic to the port is dropped.
    >>
    >> If I invert the script as follows:
    >>
    >> iptables -A INPUT -p tcp --dport 7500 -jDROP
    >>
    >> for addr in $ALLOWED
    >> do
    >> iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
    >> done
    >>
    >> This produces a filter table as follows:
    >>
    >> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
    >> ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
    >> ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
    >> ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
    >> ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
    >> ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
    >>
    >> However, in this scenario, all network traffic to port 7500 remains
    >> blocked, even from the accepted ports, presumably because the first rule
    >> produces a match, and the rest of the table is then ignored.
    >>
    >> iptables -V reveals:
    >>
    >> iptables v1.3.6
    >>
    >> cat /proc/version reveals:
    >>
    >> Linux version 2.6.18-6-486 (Debian 2.6.18.dfsg.1-18etch6)
    >>
    >> Regards,
    >>
    >> Mark.
    >>

    >
    > Yes working correctly.
    > The first rule drops the packet and the other rules then match nothing.
    >


    Erm, shouldn't the DROP rule be after the accept rules?

  11. Re: iptables: allowing only listed hosts to connect to a port

    Pascal Hambourg wrote:
    > Just as expected. Are you really really 100% sure that hosts outside the
    > list ranges can connect to the port?


    I am using tcpdump -nA port 7500 on the machine. This shows entries from
    various hosts outside of the allowable range. An example is shown below:

    08:10:54.949811 IP 216.139.243.81.1630 > 10.0.0.8.7500: P 1:1208(1207) ack 1 win 65535

    The address 216.139.243.81 is not on my access list. I want to restrict
    traffic on that port to hosts within the selected territories of the
    United Kingdom of Great Britain.

    The 216.139.243.81 access above is coming from a Microsoft Windows based
    robot in Texas, USA.

    I have a list of ISP internet network addresses, that I want to use as the
    permitted access list against the port.

    Regards,

    Mark.


  12. Re: iptables: allowing only listed hosts to connect to a port

    Mark Hobley wrote:
    > Pascal Hambourg wrote:
    >
    >> Just as expected. Are you really really 100% sure that hosts outside the
    >> list ranges can connect to the port?

    >
    > I am using tcpdump -nA port 7500 on the machine. This shows entries from
    > various hosts outside of the allowable range.


    Tcpdump captures traffic at the interface, before incoming packets enter
    the iptables chains and after outgoing packets leave the iptables
    chains. It shows all incoming SYN requests from any source, but I guess
    only allowed sources get a SYN/ACK reply.

    In short:

    interface --- iptables --- TCP/IP stack --- process
        ^
        |
    tcpdump is here

  13. Re: iptables: allowing only listed hosts to connect to a port

    Chipmunk wrote:

    > Baho Utot wrote:
    >> Mark Hobley wrote:
    >>
    >>> Pascal Hambourg wrote:
    >>>
    >>>> Weird. Are there other rules in the ruleset? What happens if you
    >>>> remove all the ACCEPT rules and leave only the DROP rule?
    >>> There are no additional rules in the ruleset. The setup script is as
    >>> posted.
    >>>
    >>> If I just have the drop line, all traffic to the port is dropped.
    >>>
    >>> If I invert the script as follows:
    >>>
    >>> iptables -A INPUT -p tcp --dport 7500 -jDROP
    >>>
    >>> for addr in $ALLOWED
    >>> do
    >>> iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
    >>> done
    >>>
    >>> This produces a filter table as follows:
    >>>
    >>> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
    >>> ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
    >>> ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
    >>> ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
    >>> ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
    >>> ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
    >>>
    >>> However, in this scenario, all network traffic to port 7500 remains
    >>> blocked, even from the accepted ports, presumably because the first rule
    >>> produces a match, and the rest of the table is then ignored.
    >>>
    >>> iptables -V reveals:
    >>>
    >>> iptables v1.3.6
    >>>
    >>> cat /proc/version reveals:
    >>>
    >>> Linux version 2.6.18-6-486 (Debian 2.6.18.dfsg.1-18etch6)
    >>>
    >>> Regards,
    >>>
    >>> Mark.
    >>>

    >>
    >> Yes working correctly.
    >> The first rule drops the packet and the other rules then match nothing.
    >>

    >
    > Erm, shouldn't the DROP rule be after the accept rules?


    Yes, that's just what I said. The first rule drops the packet; the others see
    nothing. Conclusion: IPTABLES and script working as written. The order of
    the rules matters -----> producing exactly what he described.


  14. Re: iptables: allowing only listed hosts to connect to a port

    Pascal Hambourg wrote:
    > Tcpdump captures traffic at the interface, before incoming packets enter
    > the iptables chains and after outgoing packets leave the iptables
    > chains. It shows all incoming SYN requests from any source, but I guess
    > only allowed sources get a SYN/ACK reply.
    >
    > In short:
    >
    > interface --- iptables --- TCP/IP stack --- process
    >     ^
    >     |
    > tcpdump is here


    Hmmm, for some reason, the traffic is reaching the application process,
    because tcpdump also shows reply traffic coming from the server process
    to the unauthorized client:

    21:22:07.637908 IP 202.100.82.9.22091 > 10.0.0.8.7500: F 2082:2082(0) ack 3973 win 65535
    E..().@.p....dR
    ....VK.@}D......P...T.........
    21:22:07.638071 IP 10.0.0.8.7500 > 202.100.82.9.22091: . ack 2083 win 11680
    E..(..@.@..[
    .....dR .@VK....}D..P.-.'...

    Could it be that the traffic is not being recognized as tcp type
    traffic? I am also wondering if there is some sort of limit in iptables
    causing it to somehow bomb out before the final drop line is reached. In
    reality my allow list has some 2000 or so British networks listed (taken from
    http://www.countryipblocks.net). The list appears to be complete if I do
    iptables -L -n. This list shows all the networks, and the final drop
    line, so I know that my script is populating iptables.

    I am performing further tests.

    Regards,

    Mark.


  15. Re: iptables: allowing only listed hosts to connect to a port

    On Fri, 04 Jul 2008 21:30:24 +0100, Mark Hobley passed an empty day by
    writing:

    > Pascal Hambourg wrote:
    >> Tcpdump captures traffic at the interface, before incoming packets
    >> enter the iptables chains and after outgoing packets leave the iptables
    >> chains. It shows all incoming SYN requests from any source, but I guess
    >> only allowed sources get a SYN/ACK reply.
    >>
    >> In short:
    >>
    >> interface --- iptables --- TCP/IP stack --- process
    >>     ^
    >>     |
    >> tcpdump is here

    >
    > Hmmm, for some reason, the traffic is reaching the application process,
    > because tcpdump also shows reply traffic coming from the server process
    > to the unauthorized client:
    >
    > 21:22:07.637908 IP 202.100.82.9.22091 > 10.0.0.8.7500: F 2082:2082(0) ack 3973 win 65535
    > E..().@.p....dR
    > ...VK.@}D......P...T.........
    > 21:22:07.638071 IP 10.0.0.8.7500 > 202.100.82.9.22091: . ack 2083 win 11680
    > E..(..@.@..[
    > ....dR .@VK....}D..P.-.'...
    >
    > Could it be that the traffic is not being recognized as tcp type
    > traffic? I am also wondering if there is some sort of limit in iptables
    > causing it to somehow bomb out before the final drop line is reached. In
    > reality my allow list has some 2000 or so British networks listed (taken
    > from http://www.countryipblocks.net). The list appears to be complete if
    > I do iptables -L -n. This list shows all the networks, and the final
    > drop line, so I know that my script is populating iptables.
    >
    > I am performing further tests.
    >
    > Regards,
    >
    > Mark.


    That is an interesting site Mark. The only flaw in the plan is most
    attackers use a chain of proxies and bypass this kind of filtering.


    --
    begin oefixed_in_2005.exe

  16. Re: iptables: allowing only listed hosts to connect to a port

    Klunk wrote:
    > That is an interesting site Mark. The only flaw in the plan is most
    > attackers use a chain of proxies and bypass this kind of filtering.


    Yeah. I would like to see door number and postcode in all hostnames, so
    that owners of compromised machines could be notified.

    Mark.

