IP Tables configuration - Security



Thread: IP Tables configuration

  1. IP Tables configuration

    Hi there,

    I'm very inexperienced with IPTABLES, and was wondering how to add a
    rule to permit an external machine to ssh and use mysql on another
    server that is otherwise configured to reject such traffic. At the
    end of the day, I want something like this to display if I do an
    iptables -L


    ACCEPT tcp -- 12.34.56.789 anywhere tcp dpt:ssh
    ACCEPT tcp -- 12.34.56.789 anywhere tcp dpt:8443
    ACCEPT tcp -- 12.34.56.789 anywhere tcp dpt:mysql

    Thanks,

    SJP


  2. Re: IP Tables configuration

    On 2007-04-06, salvador wrote:
    > I'm very inexperienced with IPTABLES, and was wondering how to add a
    > rule to permit an external machine to ssh and use mysql on another
    > server that is otherwise configured to reject such traffic. At the
    > end of the day, I want something like this to display if I do an
    > iptables -L

    Show your current config then...

    --
    Damian Szuberski

  3. Re: IP Tables configuration

    On Apr 6, 1:22 pm, Damian 'legion' Szuberski wrote:
    > On 2007-04-06, salvador wrote:
    > > I'm very inexperienced with IPTABLES, and was wondering how to add a
    > > rule to permit an external machine to ssh and use mysql on another
    > > server that is otherwise configured to reject such traffic. At the
    > > end of the day, I want something like this to display if I do an
    > > iptables -L
    >
    > Show your current config then...
    >
    > --
    > Damian Szuberski


    Really, what I'm asking is what command to give to enable something
    like this:

    ACCEPT tcp -- 12.34.56.789 anywhere tcp dpt:ssh


  4. Re: IP Tables configuration

    On 2007-04-06, salvador wrote:
    >> Show your current config then...
    >
    > Really, what I'm asking is what command to give to enable something
    > like this:
    >
    > ACCEPT tcp -- 12.34.56.789 anywhere tcp dpt:ssh

    I repeat one more time:
    Show your current config then...

    --
    Damian Szuberski

  5. Re: IP Tables configuration

    On Apr 6, 4:15 pm, Damian 'legion' Szuberski wrote:
    > On 2007-04-06, salvador wrote:
    > >> Show your current config then...
    > >
    > > Really, what I'm asking is what command to give to enable something
    > > like this:
    > >
    > > ACCEPT tcp -- 12.34.56.789 anywhere tcp dpt:ssh
    >
    > I repeat one more time:
    > Show your current config then...
    >
    > --
    > Damian Szuberski


    If you are configuring iptables on the local machine to allow in ssh
    [22], 8443 and mysql [3306] I believe you want something like this:

    iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport 22 -j ACCEPT
    iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport 8443 -j ACCEPT
    iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport 3306 -j ACCEPT

    This would allow the ports coming into the local machine from
    12.34.56.189.


  6. Re: IP Tables configuration

    Thanks poodbrown. That was very helpful.

    On Apr 6, 9:40 pm, "poodbr...@gmail.com" wrote:
    > On Apr 6, 4:15 pm, Damian 'legion' Szuberski wrote:
    > > On 2007-04-06, salvador wrote:
    > > >> Show your current config then...
    > > > Really, what I'm asking is what command to give to enable something
    > > > like this:
    > > >
    > > > ACCEPT tcp -- 12.34.56.789 anywhere tcp dpt:ssh
    > >
    > > I repeat one more time:
    > > Show your current config then...
    > >
    > > --
    > > Damian Szuberski
    >
    > If you are configuring iptables on the local machine to allow in ssh
    > [22], 8443 and mysql [3306] I believe you want something like this:
    >
    > iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport 22 -j ACCEPT
    > iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport 8443 -j ACCEPT
    > iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport 3306 -j ACCEPT
    >
    > This would allow the ports coming into the local machine from
    > 12.34.56.189.




  7. Re: IP Tables configuration

    On Apr 7, 6:03 pm, "salvador" wrote:
    > Thanks poodbrown. That was very helpful.
    >
    > On Apr 6, 9:40 pm, "poodbr...@gmail.com" wrote:
    > > On Apr 6, 4:15 pm, Damian 'legion' Szuberski wrote:
    > > > On 2007-04-06, salvador wrote:
    > > > >> Show your current config then...
    > > > > Really, what I'm asking is what command to give to enable something
    > > > > like this:
    > > > >
    > > > > ACCEPT tcp -- 12.34.56.789 anywhere tcp dpt:ssh
    > > >
    > > > I repeat one more time:
    > > > Show your current config then...
    > > >
    > > > --
    > > > Damian Szuberski
    > >
    > > If you are configuring iptables on the local machine to allow in ssh
    > > [22], 8443 and mysql [3306] I believe you want something like this:
    > >
    > > iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport 22 -j ACCEPT
    > > iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport 8443 -j ACCEPT
    > > iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport 3306 -j ACCEPT
    > >
    > > This would allow the ports coming into the local machine from
    > > 12.34.56.189.


    - But be careful where you put these rules. They may not work if there
    are any other rules before them that block the traffic, for example, so
    beware; you may input them as the first rules so no other earlier rule
    can affect them. Maybe this is the reason why a friend asked you
    before about the current rules you use. By the way, I suppose that
    nobody defines particular ports which the clients may use as dynamic
    ports, like --sport 1024:65535, because they are not standard, as well as
    we sometimes configure some servers to use more ports so they can
    handle the heavy duty.
    Wishes


  8. Re: IP Tables configuration

    On 6 Apr 2007 13:01:55 -0700, "salvador" wrote:

    > I'm very inexperienced with IPTABLES, and was wondering how to add a
    > rule to permit an external machine to ssh and use mysql on another


    Read this short and clear article and you'll find answers
    to many questions related to iptables:

    http://linuxgazette.net/103/odonovan.html

    --
    Mikhail

  9. Re: IP Tables configuration

    habibielwa7id wrote:
    > On Apr 7, 6:03 pm, "salvador" wrote:
    >> Thanks poodbrown. That was very helpful.
    >>
    >> On Apr 6, 9:40 pm, "poodbr...@gmail.com" wrote:
    >>
    >>> On Apr 6, 4:15 pm, Damian 'legion' Szuberski
    >>> wrote:
    >>>> On 2007-04-06, salvador wrote:
    >>>>>> Show your current config then...
    >>>>> Really, what I'm asking is what command to give to enable something
    >>>>> like this:
    >>>>> ACCEPT tcp -- 12.34.56.789 anywhere tcp dpt:ssh
    >>>> I repeat one more time:
    >>>> Show your current config then...
    >>>> --
    >>>> Damian Szuberski
    >>> If you are configuring iptables on the local machine to allow in ssh
    >>> [22], 8443 and mysql [3306] I believe you want something like this:
    >>> iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport
    >>> 22 -j ACCEPT
    >>> iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport
    >>> 8443 -j ACCEPT
    >>> iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport
    >>> 3306 -j ACCEPT
    >>> This would allow the ports coming into the local machine from
    >>> 12.34.56.189.
    >
    > -But be careful where to put these rules. they may not work if there
    > any other rules before them may block the traffic for example,so
    > beware,and you may input them as first rules so no other earlier rule
    > can affect them. may be this is the reason why afriend asked you
    > before about the current rules you use. by the way i suppose that
    > nobnody define particular ports which the clients may use as dynamic
    > ports. like --sport 1024:65535. because they are not standard as well
    > we some times configure some servers to use more ports so it can
    > handle the heavy duty.
    > wishes
    >


    Try to add stateful inspection as well, i.e.:

    iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport 22 -m state NEW,RELATED,ESTABLISHED -j ACCEPT

    This will prevent INVALID traffic going through. `man iptables` or any
    iptables doc will tell you what it is about.

    Eric

  10. Re: IP Tables configuration

    Eric wrote:
    > habibielwa7id wrote:
    >> On Apr 7, 6:03 pm, "salvador" wrote:
    >>> Thanks poodbrown. That was very helpful.
    >>>
    >>> On Apr 6, 9:40 pm, "poodbr...@gmail.com" wrote:
    >>>
    >>>> On Apr 6, 4:15 pm, Damian 'legion' Szuberski
    >>>> wrote:
    >>>>> On 2007-04-06, salvador wrote:
    >>>>>>> Show your current config then...
    >>>>>> Really, what I'm asking is what command to give to enable something
    >>>>>> like this:
    >>>>>> ACCEPT tcp -- 12.34.56.789 anywhere tcp dpt:ssh
    >>>>> I repeat one more time:
    >>>>> Show your current config then...
    >>>>> --
    >>>>> Damian Szuberski
    >>>> If you are configuring iptables on the local machine to allow in ssh
    >>>> [22], 8443 and mysql [3306] I believe you want something like this:
    >>>> iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport
    >>>> 22 -j ACCEPT
    >>>> iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport
    >>>> 8443 -j ACCEPT
    >>>> iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport
    >>>> 3306 -j ACCEPT
    >>>> This would allow the ports coming into the local machine from
    >>>> 12.34.56.189.

    >> -But be careful where to put these rules. they may not work if there
    >> any other rules before them may block the traffic for example,so
    >> beware,and you may input them as first rules so no other earlier rule
    >> can affect them. may be this is the reason why afriend asked you
    >> before about the current rules you use. by the way i suppose that
    >> nobnody define particular ports which the clients may use as dynamic
    >> ports. like --sport 1024:65535. because they are not standard as well
    >> we some times configure some servers to use more ports so it can
    >> handle the heavy duty.
    >> wishes
    >>
    >
    > Try to add stateful inspection as well, i.e.:
    >
    > iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport 22 -m state NEW,RELATED,ESTABLISHED -j ACCEPT


    Sorry for the confusion, the rule should look like this:

    iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

    > This will prevent INVALID traffic going through. `man iptables` or any
    > iptables doc will tell you what it is about.


    Eric

  11. Re: IP Tables configuration

    On Tue, 10 Apr 2007 21:58:28 +0200, Eric wrote:

    >> Try to add stateful inspection as well, i.e.:
    >>
    >> iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport 22 -m state NEW,RELATED,ESTABLISHED -j ACCEPT
    >
    > Sorry for the confusion, the rule should look like this:
    >
    > iptables -A INPUT --src 12.34.56.189 -p tcp --sport 1024:65535 --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT


    If you really want a fast set of rules you would make the first rule in
    INPUT, OUTPUT and FORWARD the following:

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    This would catch all Established and Related connections and allow them
    before it would have to read down the rule list for every packet.
    Remember iptables works in a top-down order; you should place the rules
    that will be hit the most at the top, and ESTABLISHED,RELATED is the most
    hit rule.

    As a rule I don't use '--sport', just '--dport', as I really don't care
    which port it is coming from. So your SSH rule could look like this:

    iptables -A INPUT --src 12.34.56.189 -p tcp --dport 22 -m state --state NEW -j ACCEPT


    --

    Regards
    Robert

    Smile... it increases your face value!
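Pulling together the advice from posts 5, 7, 9 and 11 (state rule at the top of the chain, no --sport match, one NEW rule per port from the single allowed source), here is an added example script that is not code from any poster in the thread. It prints a ruleset in iptables-restore format instead of calling iptables, so it can be reviewed before it is loaded and runs without root. The address 12.34.56.189 and the ports 22, 8443 and 3306 are the values used in the thread; the default DROP policy on INPUT and FORWARD, the loopback rule and the INVALID drop are my assumptions about what a practitioner would want around those rules.

```shell
#!/bin/sh
# Added example, not from the thread: generate a minimal host firewall
# ruleset in iptables-restore format and lint its rule order.

# build_ruleset SRC PORT [PORT...]
# Prints a *filter table whose INPUT chain has the ESTABLISHED,RELATED
# rule first (the rule hit by most packets), drops INVALID packets, and
# then accepts NEW TCP connections to each PORT only from SRC.
build_ruleset() {
    if [ "$#" -lt 2 ] || [ -z "$1" ]; then
        echo "usage: build_ruleset SRC PORT [PORT...]" >&2
        return 1
    fi
    src="$1"
    shift
    # Reject anything that is not a plain port number before printing.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Hot path first: replies to connections we already track (post 11).
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Packets conntrack cannot classify (post 9 mentions INVALID traffic).
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # One NEW rule per service, source-restricted, no --sport (post 11).
    for port in "$@"; do
        printf '%s\n' "-A INPUT -s $src -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# check_order RULESET
# Returns 0 when the ESTABLISHED,RELATED rule precedes every --dport rule
# in INPUT, 1 otherwise (the ordering mistake post 7 warns about).
check_order() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT/ && /ESTABLISHED,RELATED/ { seen = 1 }
        /^-A INPUT/ && /--dport/ && !seen    { bad = 1 }
        END { exit bad }'
}

# count_port_rules RULESET
# Number of per-port ACCEPT rules in the ruleset (sanity check).
count_port_rules() {
    printf '%s\n' "$1" | grep -c -- '--dport'
}

# Constructed sample run using the thread's address and ports.
ruleset=$(build_ruleset 12.34.56.189 22 8443 3306)
printf '%s\n' "$ruleset"
# To load it for real (as root, after review):
#   printf '%s\n' "$ruleset" | iptables-restore
```

On kernels and iptables builds from the last decade the `-m conntrack --ctstate` match is the preferred spelling of `-m state --state`; the state names are the same, so the generated lines can be edited mechanically if a distribution has dropped the older module.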


