RHEL6–42–
IP TABLES IN LINUX -P4
IP Tables digging deeper
Well, in the previous post we successfully implemented our first IPTABLES rules. Whenever you change the rules, keep the following in mind.
Always save the table with the following command; rules added with the iptables command live only in the running kernel, and the iptables service reloads /etc/sysconfig/iptables at the next restart or reboot:
[root@rhel6-server ~]# iptables-save > /etc/sysconfig/iptables
There is a huge difference between -I and -A; using the wrong one can completely change the meaning of the rule set and leave the implementation making no sense.
[root@rhel6-server ~]# iptables -I INPUT
[root@rhel6-server ~]# iptables -A INPUT
-A appends the rule as the last line of the chain. A chain is read top to bottom and the first matching rule decides, so if a packet is already accepted (or dropped) by a line above, the appended rule is never considered for it.
-I inserts the rule as the first line (position 1, unless another position number is given).
Now let's explore some more...
In the previous post I set ACCEPT as the policy for all OUTPUT connections.
[root@rhel6-server ~]# iptables -P OUTPUT ACCEPT
I had also allowed output for ssh explicitly,
[root@rhel6-server ~]# iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
Good, but I thought this was not good. Why should I allow all output? Hence, I did
[root@rhel6-server ~]# iptables -P OUTPUT DROP
And bingo, my ssh session was disconnected and I was unable to ssh in again.
So, what is the solution?
#iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth1 -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
OR,
#iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
I think we know and have already used all of these parameters, except
--state NEW,ESTABLISHED
When a client opens an SSH connection to the server, the first packet of that connection is in state NEW; every later packet belonging to the same connection, in either direction, is ESTABLISHED. That is also why the earlier OUTPUT rule with --dport 22 did not save the session: it only matches connections where the server itself is the ssh client, while the replies of an incoming session leave the server with source port 22, which is what the --sport 22 rule above matches.
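The two points made above, rule order under -A versus -I and the NEW/ESTABLISHED/INVALID state match, in a small first-match simulation. This is an added example, not code from the post; the Rule class, the chain and the packets are constructed to mirror rules 1 to 4 of the INPUT listing further down, plus the DROP icmp rule that was appended there as rule 6.

```python
# Added example, not from the post: a first-match walk over a constructed iptables chain.
class Rule:
    """One rule with the subset of matches used in the post."""
    def __init__(self, target, proto="all", dport=None, states=(), max_len=None):
        self.target = target             # ACCEPT or DROP
        self.proto = proto               # tcp, icmp or all
        self.dport = dport               # --dport N
        self.states = frozenset(states)  # -m state --state A,B (empty: no state match)
        self.max_len = max_len           # -m length 1:N

    def matches(self, pkt):
        if self.proto != "all" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.states and pkt["state"] not in self.states:
            return False
        if self.max_len is not None and pkt["len"] > self.max_len:
            return False
        return True

def verdict(chain, policy, pkt):
    """Walk top to bottom; the first matching rule decides, else the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

def append(chain, rule):   # iptables -A: the new rule becomes the last line
    return chain + [rule]

def insert(chain, rule):   # iptables -I with no position: the new rule becomes line 1
    return [rule] + chain

# Constructed INPUT chain (policy DROP) mirroring rules 1-4 of the listing in the post.
INPUT = [Rule("DROP", states=("INVALID",)), Rule("ACCEPT", "tcp", dport=22),
         Rule("ACCEPT", "tcp", dport=80), Rule("ACCEPT", "icmp", max_len=100)]
PING = {"proto": "icmp", "len": 84, "state": "NEW"}   # default-size ping, under 100 bytes
SSH_NEW = {"proto": "tcp", "dport": 22, "len": 60, "state": "NEW"}
SSH_INVALID = {"proto": "tcp", "dport": 22, "len": 60, "state": "INVALID"}

def demo():
    drop_icmp = Rule("DROP", "icmp")   # the "DROP icmp" rule that was number 6 in the post
    return {
        "ssh_new": verdict(INPUT, "DROP", SSH_NEW),          # rule 2 -> ACCEPT
        "ssh_invalid": verdict(INPUT, "DROP", SSH_INVALID),  # rule 1 fires first -> DROP
        "ping_after_A": verdict(append(INPUT, drop_icmp), "DROP", PING),  # rule 4 first -> ACCEPT
        "ping_after_I": verdict(insert(INPUT, drop_icmp), "DROP", PING),  # new rule 1 -> DROP
    }
```

The same DROP icmp rule blocks a normal ping only when it is inserted above the length 1:100 ACCEPT; appended, it only ever sees ICMP longer than 100 bytes.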
Now I can DROP all OUTPUT requests,
[root@rhel6-server ~]# iptables -P OUTPUT DROP
[root@rhel6-server ~]# iptables-save > /etc/sysconfig/iptables
OK, we have come far. Now let's do some more.
HOW TO DELETE IPTABLES RULES:
List the rules with their numbers first; -D takes the chain and the rule number from this listing.
[root@rhel6-server ~]# iptables -L --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere            state INVALID
2    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
3    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
4    ACCEPT     icmp --  anywhere             anywhere            length 1:100
5    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,ESTABLISHED
6    DROP       icmp --  anywhere             anywhere

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
3    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
4    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state NEW,ESTABLISHED
5    ACCEPT     icmp --  anywhere             anywhere            length 1:100
Two things are worth noticing in this listing: INPUT rule 6 (DROP icmp) sits below rule 4, so it only ever sees ICMP packets longer than 100 bytes, and OUTPUT rule 1 accepts every packet, so the rules below it and the DROP policy of that chain are never reached. Also, deleting a rule renumbers everything below it, so when removing several rules from one chain delete from the highest number downwards.
[root@rhel6-server ~]# iptables -D OUTPUT 5
[root@rhel6-server ~]# iptables -D INPUT 6
[root@rhel6-server ~]# iptables -L --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere            state INVALID
2    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
3    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
4    ACCEPT     icmp --  anywhere             anywhere            length 1:100
5    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,ESTABLISHED

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
3    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
4    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state NEW,ESTABLISHED
[root@rhel6-server ~]# iptables -D INPUT 4
[root@rhel6-server ~]# iptables -L --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere            state INVALID
2    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
3    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,ESTABLISHED

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
3    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
4    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh state NEW,ESTABLISHED
[root@rhel6-server ~]# iptables-save > /etc/sysconfig/iptables
[root@rhel6-server ~]# service iptables restart
ALLOWING MYSQL:
What rule do I need to write to allow MySQL? I cannot tell IPTABLES to allow "MySQL" directly; first we need to find out the port on which it is listening.
[root@rhel6-server ~]# netstat -tulpn | grep :3306
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      44957/mysqld
Great, it is listening on 3306, now we can write the rules
#iptables -A INPUT -i eth0 -s 192.168.135.137 -p tcp --destination-port 3306 -j ACCEPT
#iptables -A INPUT -i eth0 -s 192.168.135.150 -p tcp --destination-port 3306 -j ACCEPT
I added the above rules to my iptables, then tried from the client,
[root@rhel6-client1 ~]# mysql -u test -p -h 192.168.135.142
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on '192.168.135.142' (110)
Then I allowed everything inbound,
[root@rhel6-server ~]# iptables -P INPUT ACCEPT
[root@rhel6-client1 Packages]# mysql -u test -p -h 192.168.135.142
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.1.66 Source distribution

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> exit
Bye
Great, that means it works when IPTABLES is not in the way. So I opened the INPUT policy, added rules for both interfaces, and closed the policy again:
#iptables -P INPUT ACCEPT
#iptables -A INPUT -i eth0 -s 192.168.135.137 -p tcp --destination-port 3306 -j ACCEPT
#iptables -A INPUT -i eth1 -s 192.168.135.137 -p tcp --destination-port 3306 -j ACCEPT
#iptables -A INPUT -i eth1 -s 192.168.135.147 -p tcp --destination-port 3306 -j ACCEPT
#iptables -A INPUT -i eth0 -s 192.168.135.147 -p tcp --destination-port 3306 -j ACCEPT
#iptables -P INPUT DROP
Now it's working...
[root@rhel6-client1 ~]# mysql -u test -p -h 192.168.135.142
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.1.66 Source distribution

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> exit
Bye
ALLOWING MYSQL CONNECTIONS FROM A SPECIFIC NETWORK:
#iptables -A INPUT -i eth0 -p tcp -s 192.168.135.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
The second rule is what lets the server's replies (source port 3306) back out while the OUTPUT policy is DROP.
ALLOWING SSH FROM A SPECIFIC NETWORK:
#iptables -A INPUT -i eth0 -p tcp -s 192.168.135.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth4 -p tcp -s 192.168.199.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth4 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Another way,
#iptables -A INPUT ! -s 192.168.135.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j DROP
Here we excluded the network and DROP the rest of the ssh connections. Note that this DROP rule only keeps outside hosts out; it does not by itself let 192.168.135.0/24 in, so with the INPUT policy at DROP an ACCEPT rule for port 22 is still needed.
ALLOWING MULTIPLE PORTS IN ONE GO:
#iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
ALLOWING FTP:
[root@rhel6-server ~]# grep ftp /etc/services
ftp-data        20/tcp
ftp-data        20/udp
# 21 is registered to ftp, but also used by fsp
ftp             21/tcp
ftp             21/udp          fsp fspd
# iptables -A INPUT -m multiport -p tcp --port 20,21 -j ACCEPT
# iptables -A OUTPUT -m multiport -p tcp --port 20,21 -j ACCEPT
ALLOWING YUM:
Trying to install samba at the CLIENT from the SERVER (the repository is served over FTP from the server, and I had already allowed FTP at the server).
[root@rhel6-client1 ~]# yum install samba
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
ftp://192.168.135.142/pub/repodata/repomd.xml: [Errno 12] Timeout on ftp://192.168.135.142/pub/repodata/repomd.xml: (28, 'Connection time-out')
Trying other mirror.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package samba.x86_64 0:3.6.9-151.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch          Version                 Repository          Size
================================================================================
Installing:
 samba          x86_64        3.6.9-151.el6           client             5.0 M

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 5.0 M
Installed size: 18 M
Is this ok [y/N]: y
Downloading Packages:
ftp://192.168.135.142/pub/samba-3.6.9-151.el6.x86_64.rpm: [Errno 12] Timeout on ftp://192.168.135.142/pub/samba-3.6.9-151.el6.x86_64.rpm: (28, 'Connection time-out')
Trying other mirror.


Error Downloading Packages:
  samba-3.6.9-151.el6.x86_64: failure: samba-3.6.9-151.el6.x86_64.rpm from client: [Errno 256] No more mirrors to try.
Then I added the following rules at the SERVER side,
#iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Be aware of what these rules do: accepting NEW for every protocol and port leaves INPUT effectively as open as the policy ACCEPT tried earlier. The part the FTP transfer was actually missing is RELATED, the state the connection tracker gives the separate FTP data connection once the FTP conntrack helper (nf_conntrack_ftp on RHEL6) is loaded; without that module the data connection shows up as NEW and is caught by the DROP policy.
Now I tried again to install,
[root@rhel6-client1 ~]# yum -y install samba
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package samba.x86_64 0:3.6.9-151.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch          Version                 Repository          Size
================================================================================
Installing:
 samba          x86_64        3.6.9-151.el6           client             5.0 M

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 5.0 M
Installed size: 18 M
Downloading Packages:
samba-3.6.9-151.el6.x86_64.rpm                           | 5.0 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : samba-3.6.9-151.el6.x86_64                                   1/1
  Verifying  : samba-3.6.9-151.el6.x86_64                                   1/1

Installed:
  samba.x86_64 0:3.6.9-151.el6

Complete!
[root@rhel6-client1 ~]#