Linux Firewall

10 posts / 0 new

Topic locked

#1 Thu, 04/25/2013 - 08:51

DoubleSpeed

Linux Firewall

Within Webmin the module to manage the Linux Firewall has a set of default rules for services e.g. FTP, SSH etc and by default these are not limited to source IP addresses. I want to restrict both SSH & FTP to one or 2 IP addresses so to test this for SSH in the Source address or network I changed drop down to equals (from ignored) and entered one IP address and saved however this didn't stop me from connecting from a different IP address, what am I doing wrong?

#2 Tue, 04/30/2013 - 15:16

DoubleSpeed

Can anyone help on this?

#3 Tue, 04/30/2013 - 19:01

andreychek

Howdy,

You may just need to hit the "Apply Configuration" button on the bottom of the screen.

If you log in over SSH, and run "iptables -L -n", you should see the rule you added. If you don't, that means the rule wasn't yet applied.

-Eric

#4 Wed, 05/01/2013 - 04:08

DoubleSpeed

Just to confirm I am using the apply in the main screen

I am adding the rule to the...

Incoming packets (INPUT) - Only applies to packets addressed to this host

Running iptables -L -n

I do see my rule for SSH with the IP address specified...

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp -- 188.92.238.166 0.0.0.0/0 tcp dpt:22

However I can still SSH in from a different IP

Am I adding the rule correctly in the "Incoming packets (INPUT)" and do I need to add another rule to explicitly deny SSH from other IP's?

#5 Wed, 05/01/2013 - 09:28

andreychek

Can you paste in the full output of "iptables -L -n"?

-Eric

#6 Wed, 05/01/2013 - 09:54

DoubleSpeed

# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:20
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
ACCEPT     tcp  --  188.92.238.166       0.0.0.0/0           tcp dpt:22
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:465
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
[root@rs1 ~]#

#7 Wed, 05/01/2013 - 17:26

andreychek

In your "RH-Firewall-1-INPUT" chain, there's rules there that would allow any packet destined for port 22.

If you wish to restrict access to just this one IP, you'd probably need to remove the port 22 allow rule in the RH-Firewall-1-INPUT chain.

-Eric

#8 Thu, 05/02/2013 - 01:23

DoubleSpeed

OK so should I be applying my rules to the Chain RH-Firewall-1-INPUT rather than the Chain INPUT, is that what you are saying?

#9 Thu, 05/02/2013 - 08:35

andreychek

Well, both chains are valid.

The problem you appear to be seeing, is that the other chain contains an allow rule, allowing all port 22 traffic.

So it doesn't matter if you create an allow rule for just one IP address, as all port 22 traffic is being allowed.

What you may need to do is go into that other chain, and remove the rule allowing all port 22 traffic.

-Eric

#10 Thu, 05/02/2013 - 13:04

DoubleSpeed

Thanks for your help on this I've got it working now!

Topic locked