iptables: allowing only listed hosts to connect to a port

I want to allow only hosts from the local area network and certain
external networks to be able to access a specific port number. I have created
a script firewall.sh, as follows:

#!/bin/sh

ALLOWED="
10.0.0.0/8
192.168.0.0/16
51.0.0.0/8
62.30.0.0/16
80.0.0.0/13
"

for addr in $ALLOWED
do
iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
done

iptables -A INPUT -p tcp --dport 7500 -jDROP

After running the script iptables -L -n reveals:

Chain INPUT (policy ACCEPT)
ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500

I find that hosts outside of the list are still able to access the port.
Is the last entry in the table correct?

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
|
Should this read "anywhere"?

Why isn't my filter working?

Please advise.

Mark.

--
Mark Hobley,
393 Quinton Road West,
Quinton, BIRMINGHAM.
B32 1QE.

On Wednesday 2 July 2008 23:06, Mark Hobley wrote:

> I want to allow only hosts from the local area network and certain
> external networks to be able to access a specific port number. I have
> created a script firewall.sh, as follows:
>
> #!/bin/sh
>
> ALLOWED="
> 10.0.0.0/8
> 192.168.0.0/16
> 51.0.0.0/8
> 62.30.0.0/16
> 80.0.0.0/13
> "
>
> for addr in $ALLOWED
> do
> iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
> done
>
> iptables -A INPUT -p tcp --dport 7500 -jDROP
>
> After running the script iptables -L -n reveals:
>
> Chain INPUT (policy ACCEPT)
> ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
> ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
> ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
> ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
> ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
>
> I find that hosts outside of the list are still able to access the port.

Set a DROP default policy for the INPUT chain:

iptables -P INPUT -j DROP

(usually this is done before allowing anything)

this will drop anything not explicitly allowed, so be careful if you run
that command while you are remotely connected.

pk <(E-Mail Removed)> wrote:

> Set a DROP default policy for the INPUT chain:

Doesn't this affect the overall networking policy for every port number?

On the whole, I want my network traffic unfiltered (allowed by default).
However there are certain ports that I want traffic blocked on, unless I
specifically allow it.

Maybe I need some sort of allow by default for some ports, but drop by
default for other ports type of policy. (Is that possible?)

> iptables -P INPUT -j DROP
>
> (usually this is done before allowing anything)
>
> this will drop anything not explicitly allowed, so be careful if you run
> that command while you are remotely connected.

I am remotely connected (though not via port 7500 which is a different
kind of service and nothing to do with my remote connection). I am
concerned that that will zap all of my network services. This is a busy server.

I only want to make changes to port 7500.

Regards,

Mark.

--
Mark Hobley,
393 Quinton Road West,
Quinton, BIRMINGHAM.
B32 1QE.

"Mark Hobley" <(E-Mail Removed)> wrote in message
news:ebctj5-(E-Mail Removed)...

> > Set a DROP default policy for the INPUT chain:
>
> Doesn't this affect the overall networking policy for every port number?

No, it only affects the default policy for the INPUT chain on that
interface. Deny all, allow only what is specified.

> On the whole, I want my network traffic unfiltered (allowed by default).

Only an incompetent fool of an administrator would want such an unfiltered
traffic.

h.stroph <(E-Mail Removed)> wrote:

> Only an incompetent fool of an administrator would want such an unfiltered
> traffic.

This particular computer is a public access machine and the traffic is
already being filtered by a remote hardware based firewall device and
intermediate routing devices. The specific filtering on port 7500 is
being done locally on the machine in supplement to the external
firewalling due to a limitation of the external hardware based firewall,
which is not able to handle a lengthy access list chain against the
forwarded 7500 service port. The computer is providing public access web
services, news feeds, email, internet relay chat, game services and internal
networking services, such as internal client access, and network file services
on several port numbers.

I don't want a change to the iptables list to affect those services. All I
want to do through iptables is limit access to port 7500 to those networks on
the access list. I want the remaining networking ports to remain operational,
as they are now. I would have made these restrictions on one of the
external firewalling devices rather than on the local machine had this been
possible.

Regards,

Mark.

--
Mark Hobley,
393 Quinton Road West,
Quinton, BIRMINGHAM.
B32 1QE.

Hello,

Mark Hobley a écrit :
>
> After running the script iptables -L -n reveals:
>
> Chain INPUT (policy ACCEPT)
> ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
> ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
> ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
> ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
> ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
>
> I find that hosts outside of the list are still able to access the port.

Weird. Are there other rules in the ruleset ? What happens if you remove
all the ACCEPT rules and leave only the DROP rule ?

> Is the last entry in the table correct?
>
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
> |
> Should this read "anywhere"?

With the -n option it is the "anywhere" in the other lines which should
read "0.0.0.0/0".

Pascal Hambourg <boite-a-(E-Mail Removed)> wrote:

> Weird. Are there other rules in the ruleset ? What happens if you remove
> all the ACCEPT rules and leave only the DROP rule ?

There are no additional rules in the ruleset. The setup script is as
posted.

If I just have the drop line, all traffic to the port is dropped.

If I invert the script as follows:

iptables -A INPUT -p tcp --dport 7500 -jDROP

for addr in $ALLOWED
do
iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
done

This produces a filter table as follows:

DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500

However, in this scenario, all network traffic to port 7500 remains
blocked, even from the accepted ports, presumable because the first rule
produces a match, and the rest of the table is then ignored.

iptables -V reveals:

iptables v1.3.6

cat /proc/version reveals:

Linux version 2.6.18-6-486 (Debian 2.6.18.dfsg.1-18etch6)

Regards,

Mark.

--
Mark Hobley,
393 Quinton Road West,
Quinton, BIRMINGHAM.
B32 1QE.

Mark Hobley a écrit :
>
> If I just have the drop line, all traffic to the port is dropped.

Just as expected. Are you really really 100% sure that hosts outside the
list ranges can connect to the port ?

> If I invert the script as follows:
>
> iptables -A INPUT -p tcp --dport 7500 -jDROP
>
> for addr in $ALLOWED
> do
> iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
> done
>
> This produces a filter table as follows:
>
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
> ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
> ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
> ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
> ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
> ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
>
> However, in this scenario, all network traffic to port 7500 remains
> blocked, even from the accepted ports, presumable because the first rule
> produces a match, and the rest of the table is then ignored.

Just as expected.

Mark Hobley wrote:

> Pascal Hambourg <boite-a-(E-Mail Removed)> wrote:
>
>> Weird. Are there other rules in the ruleset ? What happens if you remove
>> all the ACCEPT rules and leave only the DROP rule ?
>
> There are no additional rules in the ruleset. The setup script is as
> posted.
>
> If I just have the drop line, all traffic to the port is dropped.
>
> If I invert the script as follows:
>
> iptables -A INPUT -p tcp --dport 7500 -jDROP
>
> for addr in $ALLOWED
> do
> iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
> done
>
> This produces a filter table as follows:
>
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
> ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
> ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
> ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
> ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
> ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
>
> However, in this scenario, all network traffic to port 7500 remains
> blocked, even from the accepted ports, presumable because the first rule
> produces a match, and the rest of the table is then ignored.
>
> iptables -V reveals:
>
> iptables v1.3.6
>
> cat /proc/version reveals:
>
> Linux version 2.6.18-6-486 (Debian 2.6.18.dfsg.1-18etch6)
>
> Regards,
>
> Mark.
>

Yes working correctly.
The first rule drops the packet and the other rules then match nothing.

--
Tayo'y mga Pinoy

Baho Utot wrote:
> Mark Hobley wrote:
>
>> Pascal Hambourg <boite-a-(E-Mail Removed)> wrote:
>>
>>> Weird. Are there other rules in the ruleset ? What happens if you remove
>>> all the ACCEPT rules and leave only the DROP rule ?
>> There are no additional rules in the ruleset. The setup script is as
>> posted.
>>
>> If I just have the drop line, all traffic to the port is dropped.
>>
>> If I invert the script as follows:
>>
>> iptables -A INPUT -p tcp --dport 7500 -jDROP
>>
>> for addr in $ALLOWED
>> do
>> iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
>> done
>>
>> This produces a filter table as follows:
>>
>> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
>> ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
>> ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
>> ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
>> ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
>> ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
>>
>> However, in this scenario, all network traffic to port 7500 remains
>> blocked, even from the accepted ports, presumable because the first rule
>> produces a match, and the rest of the table is then ignored.
>>
>> iptables -V reveals:
>>
>> iptables v1.3.6
>>
>> cat /proc/version reveals:
>>
>> Linux version 2.6.18-6-486 (Debian 2.6.18.dfsg.1-18etch6)
>>
>> Regards,
>>
>> Mark.
>>
>
> Yes working correctly.
> The first rule drops the packet and the other rules then match nothing.
>

Erm shouldn't the DROP rule be at after the accept rules?