IPTables Guidance needed

DrJohnZoidberg
Hey all,

I've recently set up a dedicated server and want to try and close down as many security holes as possible. My IPTables knowledge is very limited and I would love to pick the collective brains of MyBB.

I don't want to get more public IPs; I'm NATing to achieve what I need.

The setup:

- I am running Proxmox VE virtualisation.
- I have one public IP.
- I've set up a bridged network interface setup to facilitate port forwarding for the VMs. It looks something like this:

/etc/network/interfaces:
Code:
auto lo
iface lo inet loopback

# device: eth0
auto  eth0
iface eth0 inet manual
	post-up iptables-restore < /etc/iptables.up.rules

auto vmbr0
iface vmbr0 inet static
  address   78.46.x.x
  broadcast 78.46.x.x
  netmask   255.255.255.224
  gateway   78.46.x.x
  bridge_ports eth0
  bridge_stp off
  bridge_fd 0

auto vmbr1
iface vmbr1 inet static
  address 192.168.1.1
  netmask 255.255.255.0
  bridge_ports none
  bridge_stp off
  bridge_fd 0

- So basically WAN interface is vmbr0 and the internal LAN network is vmbr1. All my VMs are connected to interface vmbr1.

Okay, so that's the system setup for some background, these are now my IPTables rules:

Code:
root@persephone ~ # iptables -t filter -L -v
Chain INPUT (policy DROP 29482 packets, 1438K bytes)
 pkts bytes target     prot opt in     out     source               destination         
86945   58M ACCEPT     all  --  lo     any     anywhere             anywhere            
 168K   57M ACCEPT     tcp  --  any    any     anywhere             anywhere             tcpflags: ACK/ACK
 4584  635K ACCEPT     all  --  any    any     anywhere             anywhere             state ESTABLISHED
   10   788 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED
 3566  211K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
   33  1964 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:webmin
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:auth
 4500  288K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:8006
  171  7696 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:3128
    6   260 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpts:5900:5999

Chain FORWARD (policy ACCEPT 2924K packets, 3755M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 230K packets, 128M bytes)
 pkts bytes target     prot opt in     out     source               destination         
root@persephone ~ # iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 10340 packets, 638K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    64 DNAT       tcp  --  vmbr0  any     anywhere             anywhere             tcp dpt:7678 to:192.168.1.10:22
  624 38764 DNAT       tcp  --  vmbr0  any     anywhere             anywhere             tcp dpt:32400 to:192.168.1.10:32400
12598  806K DNAT       tcp  --  vmbr0  any     anywhere             anywhere             tcp dpt:http to:192.168.1.11:80
    1    64 DNAT       tcp  --  vmbr0  any     anywhere             anywhere             tcp dpt:7679 to:192.168.1.11:22
    1    64 DNAT       tcp  --  vmbr0  any     anywhere             anywhere             tcp dpt:7680 to:192.168.1.12:22
   88  5444 DNAT       tcp  --  vmbr0  any     anywhere             anywhere             tcp dpt:https to:192.168.1.11:443
    6   384 DNAT       tcp  --  vmbr0  any     anywhere             anywhere             tcp dpt:12321 to:192.168.1.13:12321
   82  3892 DNAT       tcp  --  vmbr0  any     anywhere             anywhere             tcp dpt:mysql to:192.168.1.13:3306

Chain POSTROUTING (policy ACCEPT 20781 packets, 1351K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1192 73851 MASQUERADE  all  --  any    vmbr0   192.168.1.0/24       anywhere            

Chain OUTPUT (policy ACCEPT 7380 packets, 496K bytes)
 pkts bytes target     prot opt in     out     source               destination

This is a very basic setup and it works fine. I've been reading, though, that I should set my FORWARD chain to DROP by default and create selective rules to forward traffic. Is this necessary? Can somebody fix my rules :D?

TIA
 
If you don't want your server to be able to forward data out if it gets compromised, you will need to set the FORWARD chain to DROP. If you are using /etc/sysconfig/iptables you can just put -P FORWARD DROP in there, or you could probably type out iptables -P FORWARD DROP, then save the iptables with service iptables save.
 
Thanks. I'm using Webmin to administer the overall IPTables setup, it's pretty easy to set the default policy there.

If I set the default policy to DROP on FORWARD, won't it break my NAT config?
 
It shouldn't, as that would be under a POSTROUTING or PREROUTING chain. Out of interest, does Webmin do ip6tables?
 
Oh well, thought I could get away with doing ip4 and ip6 tables in one go :-)
 
I'm still struggling a bit getting my head around this. If I set the default policy to DROP on the forward chain then none of my VMs can access the internet.

Reading up a bit on this now, but not quite sure what to open up.
 
The key bit of information you seem to be missing is that the DNAT in the PREROUTING chain will result in those packets *also* being passed through the FORWARD chain.

That means if you set FORWARD to default to DROP you'll need to add rules to allow your DNATed packets through the FORWARD chain.

Hope this helps.

Edit: This page has a great diagram & explanation of the chains packets will go through https://access.redhat.com/documenta...urity_Guide/sect-Security_Guide-IPTables.html
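As an added example that is not part of the thread or any poster's configuration, here is what the two pieces of advice above (set FORWARD to DROP, then explicitly allow the DNATed traffic and the VMs' own outbound connections) look like when written out. It is a POSIX shell script that generates /etc/iptables.up.rules in iptables-restore format, matching the post-up hook in the OP's /etc/network/interfaces. The bridge names vmbr0 and vmbr1, the 192.168.1.0/24 LAN and the port-forward list are copied from the thread; the INPUT chain is trimmed to SSH and the Proxmox web port as an assumption, and the rate-limited LOG rule is my addition.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset for
# the host above with FORWARD defaulting to DROP.
# Assumed from the thread: WAN bridge vmbr0, LAN bridge vmbr1 on
# 192.168.1.0/24, and the DNAT list copied from the nat PREROUTING output.
# Usage: sh gen-rules.sh > /etc/iptables.up.rules
#        iptables-restore --test < /etc/iptables.up.rules   # parse only
#        iptables-restore < /etc/iptables.up.rules

WAN=vmbr0
LAN=vmbr1
LAN_NET=192.168.1.0/24
ADMIN_PORTS="22 8006"   # assumption: SSH and the Proxmox web UI on the host

# One forward per line: public_port internal_ip internal_port
# (constructed from the PREROUTING chain posted above).
FORWARDS='
7678  192.168.1.10 22
32400 192.168.1.10 32400
80    192.168.1.11 80
7679  192.168.1.11 22
7680  192.168.1.12 22
443   192.168.1.11 443
12321 192.168.1.13 12321
3306  192.168.1.13 3306
'

# Print the nat table: DNAT each forward, masquerade the LAN on the way out.
nat_table() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' "$FORWARDS" | while read -r pub ip port; do
        [ -n "$pub" ] || continue
        echo "-A PREROUTING -i $WAN -p tcp --dport $pub -j DNAT --to-destination $ip:$port"
    done
    echo "-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE"
    echo 'COMMIT'
}

# Print the filter table. FORWARD is DROP, so every path a packet may take
# between the two bridges has to be listed explicitly:
#  1. replies and related traffic for connections already in conntrack
#  2. new connections from the VMs out to the internet (source is still the
#     private address here; MASQUERADE happens later, in POSTROUTING)
#  3. new connections that PREROUTING has already DNATed; by the time the
#     packet reaches FORWARD its destination is the internal IP and port,
#     so that is what we match on, not the public port.
filter_table() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $ADMIN_PORTS; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT"
    printf '%s\n' "$FORWARDS" | while read -r pub ip port; do
        [ -n "$pub" ] || continue
        echo "-A FORWARD -i $WAN -o $LAN -p tcp -d $ip --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what the DROP policy eats, rate limited so a scan cannot fill the log.
    echo '-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "'
    echo 'COMMIT'
}

# Full ruleset: nat table first, then filter, each ending in COMMIT.
gen_rules() {
    nat_table
    filter_table
}

gen_rules
```

Run it from the Proxmox console rather than over SSH the first time, since a typo in the INPUT section locks you out; iptables-restore --test parses the file without committing it, which catches syntax errors but not a missing allow rule. If you would rather not keep the FORWARD list in sync with the DNAT list by hand, a single rule "-A FORWARD -i vmbr0 -o vmbr1 -m conntrack --ctstate DNAT -j ACCEPT" admits exactly the connections PREROUTING rewrote, at the cost of not being able to see the allowed ports in the filter table. One thing worth revisiting in the posted INPUT chain while you are at it: the "tcpflags: ACK/ACK" rule accepts any TCP segment with the ACK bit set, whatever conntrack knows about it, so it lets ACK-flagged probes past the DROP policy; the ESTABLISHED rule directly below it already covers legitimate reply traffic.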
 