> On Tuesday 15 June 2004 6:00 pm, Jonathan Villa wrote:
>
>> To my understanding the following will allow any address in the x.x.x.0
>> block access
>>
>> $IPTABLES -A INPUT -p tcp --dport 22 -s xxx.xxx.xx.0/24 -j ACCEPT
>> $IPTABLES -A INPUT -p tcp --dport 3306 -s xxx.xxx.xx.0/24 -j ACCEPT
>> $IPTABLES -A INPUT -p tcp --dport 80 -s xxx.xxx.xx.0/24 -j ACCEPT
>
> I agree - the above rules should allow any IP within the xxx.xxx.xx.0/24 Class
> C range to access the firewall on port 22, 80 or 3306.
>
>> It of course is not working...
>
> Huh? Why "of course"? Come to that, why isn't it working? I use that
> sort of netmask notation all the time...

I didn't mean "of course" in a bad way, I meant it in reference to my bad luck.

>> my temporary solution : looping through 1-254
>
> Ugh!

yes, very much.

> Show us the rest of your INPUT and OUTPUT ruleset, and tell us how you are
> testing the system (and where from).
>
> The output from "iptables -L -nvx" would be useful, as it shows us the rules
> in the correct order, which interfaces they apply to, and the packet / byte
> counts so we can see how many times particular rules have been matched.
>
> Feel free to munge IP addresses if you want to hide things from the list
> archives :)

here is the output for iptables -L -nvx. I've also attached a txt file in
case you want to see a cleaner output.

One thing to keep in mind, since we are trying to use the machine, I had to
open up some ports to everyone :( until the issue is resolved.
Chain INPUT (policy ACCEPT 2403 packets, 206290 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
   23171  1256484 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
       1      137 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
       0        0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0           tcp dpt:3306
      28     1512 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xx.xx          0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xx.xx          0.0.0.0/0           tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xx.xx          0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       xx.xxx.xx.xxx        0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xx.xxx.xx.xxx        0.0.0.0/0           tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       xx.xxx.xx.xxx        0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xxx        0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xxx        0.0.0.0/0           tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xxx        0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xx.xxx         0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xx.xxx         0.0.0.0/0           tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xx.xxx         0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xx         0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xx         0.0.0.0/0           tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xx         0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xxx        0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xxx        0.0.0.0/0           tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xxx        0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xx         0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xx         0.0.0.0/0           tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xx         0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xx         0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xx         0.0.0.0/0           tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xx         0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xx         0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xx         0.0.0.0/0           tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xx         0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xxx        0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xxx        0.0.0.0/0           tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       xx.xx.xxx.xxx        0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       xx.xxx.xx.xxx        0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xx.xxx.xx.xxx        0.0.0.0/0           tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       xx.xxx.xx.xxx        0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       xxx.xxx.xx.xxx       0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xxx.xxx.xx.xxx       0.0.0.0/0           tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       xxx.xxx.xx.xxx       0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       xxx.xxx.xx.xx        0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xxx.xxx.xx.xx        0.0.0.0/0           tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       xxx.xxx.xx.xx        0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       xxx.xxx.xx.xxx       0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xxx.xxx.xx.xxx       0.0.0.0/0           tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       xxx.xxx.xx.xxx       0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       xxx.xxx.xx.xxx       0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xxx.xxx.xx.xxx       0.0.0.0/0           tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       xxx.xxx.xx.xxx       0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       xxx.xxx.xx.xxx       0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xxx.xxx.xx.xxx       0.0.0.0/0           tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       xxx.xxx.xx.xxx       0.0.0.0/0           tcp dpt:80
      99     4512 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
       1       52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xx.x.xxx.xxx         0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xx.xxx.xx.xxx        0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       xx.xxx.xxx.x         0.0.0.0/0           tcp dpt:22
    6442   564926 LOG        all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/sec burst 5 LOG flags 0 level 4
    8334   748621 DROP       all  --  !lo    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 69219 packets, 67312095 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
       0        0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

here's my script

#!/bin/bash
#
# Allow only access to MySQL, HTTP, and SSH
#
IPTABLES=/sbin/iptables

#flush existing rules
# Note: the INPUT policy stays ACCEPT (see the listing above), so between this
# flush and the final DROP rule every port is reachable.
$IPTABLES -F INPUT

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp

#list of ips allowed to access the server
ALLOWIPS="127.0.0.1 etc... etc..."
for ip in $ALLOWIPS; do
    $IPTABLES -A INPUT -p tcp --dport 22 -s $ip -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 3306 -s $ip -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 80 -s $ip -j ACCEPT
done

#$IPTABLES -A INPUT -p tcp --dport 22 -s xxx.xxx.xx.0/24 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 3306 -s xxx.xxx.xx.0/24 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 80 -s xxx.XXX.XX.0/24 -j ACCEPT

#do not modify. Allows JV access from office, home, and from remote server for the weekends
JVIPS="more ips"
for jvip in $JVIPS; do
    $IPTABLES -A INPUT -p tcp --dport 22 -s $jvip -j ACCEPT
done

#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
# "! -i lo" is the negation form current iptables accepts; the older
# intrapositioned form "-i ! lo" means the same thing but is deprecated.
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 ! -i lo -j LOG

#drop anything else that does not come from the localhost interface
$IPTABLES -A INPUT ! -i lo -j DROP

#save rules
/etc/init.d/iptables save
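The two questions in this thread (does a /24 source match really cover the whole block, and what does the packet counter column of "iptables -L -nvx" tell you) can both be checked offline. The Python below is an added example, not code from the thread or from the netfilter project: it parses a listing in the layout iptables prints, walks it the way the kernel does (first terminating match wins, LOG falls through), reports rules that an earlier broader rule already covers, and checks that one rule per address .1 to .254 is the same set of hosts as the /24. The listing, its addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and its counters are constructed; the layout mirrors the poster's, including an ACCEPT for 0.0.0.0/0 on port 22 placed in front of a per-host port 22 rule, which is why that later rule's counter can only ever read 0.

```python
"""Walk an `iptables -L -nvx` INPUT listing the way the kernel does."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed listing in the layout `iptables -L -nvx` prints. Addresses are
# documentation ranges and the counters are made up; this is not the poster's
# real listing, whose addresses were munged.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 2403 packets, 206290 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
   23171  1256484 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
       0        0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       192.0.2.0/24         0.0.0.0/0           tcp dpt:22
      99     4512 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
       1       52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       198.51.100.7         0.0.0.0/0           tcp dpt:22
    6442   564926 LOG        all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/sec burst 5 LOG flags 0 level 4
    8334   748621 DROP       all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
"""
TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # LOG is non-terminating: the walk continues


@dataclass
class Rule:
    pkts: int
    target: str
    prot: str                       # tcp / udp / icmp / all
    in_iface: str                   # "*", "eth0", or a negation such as "!lo"
    src: ipaddress.IPv4Network      # a bare host prints as x.x.x.x and becomes /32
    dport: Optional[int]            # from "dpt:NN"; None when unrestricted
    states: Optional[set]           # from "state A,B"; None when unrestricted


def parse_listing(text: str) -> list:
    """Return the chain's rules in the order iptables evaluates them."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].isdigit():      # chain header / column header
            continue
        opts = " ".join(f[9:])
        dpt = re.search(r"dpt:(\d+)", opts)
        st = re.search(r"state (\S+)", opts)
        rules.append(Rule(int(f[0]), f[2], f[3], f[5],
                          ipaddress.ip_network(f[7], strict=False),
                          int(dpt.group(1)) if dpt else None,
                          set(st.group(1).split(",")) if st else None))
    return rules


def iface_matches(pattern: str, iface: str) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("!"):
        return iface != pattern[1:]
    return iface == pattern


def rule_matches(r: Rule, proto: str, src: str, dport: int, iface: str, state: str) -> bool:
    return (r.prot in ("all", proto)
            and iface_matches(r.in_iface, iface)
            and ipaddress.ip_address(src) in r.src
            and (r.dport is None or r.dport == dport)
            and (r.states is None or state in r.states))


def first_match(rules: list, proto: str, src: str, dport: int, iface: str, state: str):
    """(index, target) of the first terminating rule the packet hits; None = chain policy."""
    for i, r in enumerate(rules):
        if r.target in TERMINATING and rule_matches(r, proto, src, dport, iface, state):
            return i, r.target
    return None


def shadowed_rules(rules: list) -> list:
    """Indices of terminating rules that an earlier terminating rule already covers.

    A covered rule can never be reached, so its pkts counter stays at 0: an
    ACCEPT for 0.0.0.0/0 on a port makes every later per-host rule for that
    port dead weight, and it also leaves the port open to everyone.
    """
    def covers(broad: Rule, narrow: Rule) -> bool:
        return (broad.prot in ("all", narrow.prot)
                and broad.in_iface in ("*", narrow.in_iface)
                and narrow.src.subnet_of(broad.src)
                and (broad.dport is None or broad.dport == narrow.dport)
                and (broad.states is None
                     or (narrow.states is not None and narrow.states <= broad.states)))

    return [i for i, n in enumerate(rules) if n.target in TERMINATING
            and any(covers(b, n) for b in rules[:i] if b.target in TERMINATING)]


def loop_equals_cidr(cidr: str) -> bool:
    """True when one rule per address .1 to .254 covers exactly the hosts of the block."""
    net = ipaddress.ip_network(cidr, strict=False)
    looped = {net.network_address + n for n in range(1, 255)}
    return looped == set(net.hosts())


if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    for pkt in [("tcp", "192.0.2.10", 22, "eth0", "NEW"),
                ("tcp", "198.51.100.7", 22, "eth0", "NEW"),
                ("tcp", "203.0.113.5", 3306, "eth0", "NEW")]:
        print(pkt, "->", first_match(rules, *pkt))
    print("unreachable rule indices:", shadowed_rules(rules))
    print("/24 rule == loop over .1-.254:", loop_equals_cidr("192.0.2.0/24"))
```

Run it and the 198.51.100.7 packet lands on the 0.0.0.0/0 port 22 rule, never on its own; shadowed_rules() reports exactly that later rule. Pasting a real "iptables -L -nvx" listing into SAMPLE_LISTING makes the same checks available for a live ruleset, and the loop check is only True for a /24: a /25 or a host list with gaps is not the same set.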