Removing port from TCP_IN does not close it from outside traffic on CSF - linux

A few days ago I installed CSF on my Ubuntu host via SSH. Everything seemed to be working fine and I had the chance to play with it for a few hours, figuring out how to close and open ports. Everything seemed to be working fine.
Today I tried to restrict my MySQL port 3306 and allow access only from a specific IP address. I did this by making sure it was removed from the TCP_IN and TCP_OUT lines in csf.conf and inserting it in csf.allow.
This seemed not to work, as the port still appeared to be open when I scanned it with nmap. After further debugging I found that any change I was now making to csf.conf and csf.allow had no effect on the availability of the ports.
I researched further and found that there might be some conflicts between the ufw firewall, iptables and CSF, so I stopped ufw, deleted all my iptables rules and set them back to the default values.
:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
:~$ sudo service ufw status
ufw stop/waiting
Then I flushed, stopped and started the CSF firewall:
csf -f, csf -x, csf -e
After the restart, sudo iptables -L outputs a huge list of rules with source and destination both shown as anywhere. I have no previous experience with this, so I am not sure I can pick out the relevant information, but after reading about it I assumed this is not right for my situation.
On the other hand, csf -L has different output, with most source and destination IPs shown as 0.0.0.0/0. What I could extract from the csf -L output is that there is an INVALID chain:
Chain INVALID (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 INVDROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
2 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
3 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
4 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
5 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
6 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
7 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
8 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
9 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
10 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 ctstate NEW
and
Chain ALLOWIN (1 references)
num pkts bytes target prot opt in out source destination
1 210 10680 ACCEPT all -- !lo * [mysship] 0.0.0.0/0
Chain ALLOWOUT (1 references)
num pkts bytes target prot opt in out source destination
1 295 41404 ACCEPT all -- * !lo 0.0.0.0/0 [mysship]
[mysship] is the IP from which I connect over SSH; I've put it in csf.allow, and the SSH port is also in the csf.conf TCP_IN and TCP_OUT lists.

Emm, for me I changed the policy to DROP, then I allowed whatever I wanted. Take a look:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
You can add the IP you want with -s (for source) or -d (for destination)!

I am not really sure what was causing the confusion, but I flushed all my previous configs from both iptables and CSF. I re-installed CSF, then wrote all the configs one by one, testing at every step using nmap. I also changed TESTING_INTERVAL to 15. I think my firewall settings were getting cleared too fast while I kept TESTING = 1.
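As an added check for the situation in this question (not code from the question or from CSF), the following Python audits a csf.conf/csf.allow pair for one port: whether the port is still listed in TCP_IN/TCP_OUT, which csf.allow entries cover it, and whether TESTING mode is on, since in TESTING mode CSF's cron job flushes the rules every TESTING_INTERVAL minutes. The config fragments and the 203.0.113.5 address are constructed.

```python
"""Audit one port in a CSF configuration: is it still globally open in
TCP_IN/TCP_OUT, which csf.allow entries cover it, and is TESTING mode on
(CSF's cron job then flushes the rules every TESTING_INTERVAL minutes).
Added example, not CSF code; the config text and 203.0.113.5 are constructed."""
import re

SETTING = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"')   # KEY = "value"

def parse_conf(text):
    """csf.conf settings; lines starting with # are comments and don't match."""
    return dict(m.groups() for m in map(SETTING.match, text.splitlines()) if m)

def port_list(value):
    return {p.strip() for p in value.split(",") if p.strip()}

def allow_entries_for(allow_text, port):
    """csf.allow lines are a bare IP/CIDR (allows every port from that address)
    or the advanced form proto|in/out|d=port|s=ip; '#' starts a comment."""
    hits = []
    for line in allow_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "|" not in line or f"d={port}" in line.split("|"):
            hits.append(line)
    return hits

def audit_port(conf_text, allow_text, port):
    conf = parse_conf(conf_text)
    report = {
        "testing": conf.get("TESTING") == "1",
        "interval_min": int(conf.get("TESTING_INTERVAL", "5")),
        "in_tcp_in": str(port) in port_list(conf.get("TCP_IN", "")),
        "in_tcp_out": str(port) in port_list(conf.get("TCP_OUT", "")),
        "allow": allow_entries_for(allow_text, port),
    }
    # the restriction only holds if the port left TCP_IN and TESTING mode
    # is not going to flush the rules again
    report["restricted"] = not report["in_tcp_in"] and not report["testing"]
    return report

CSF_CONF = """\
# constructed fragment of /etc/csf/csf.conf
TESTING = "1"
TESTING_INTERVAL = "5"
TCP_IN = "20,21,22,25,53,80,110,143,443"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
"""
CSF_ALLOW = "tcp|in|d=3306|s=203.0.113.5   # constructed: only this host may reach MySQL\n"
```

With TESTING still at "1" the report shows the port gone from TCP_IN and covered by the allow entry, yet not restricted, which matches the flushing the accepted answer describes.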

Related

Docker listening inside the docker host for RabbitMQ but not from outside, why?

This is how I run the RabbitMQ image:
docker run -d --restart always --hostname host-rabbit --name cg-rabbit -p 5029:5672 -p 5020:15672 -e RABBITMQ_DEFAULT_VHOST=sample_vhost -e RABBITMQ_DEFAULT_USER=sampleuser -e RABBITMQ_DEFAULT_PASS=samplepass rabbitmq:3-management
Now in netstat -nltp:
ubuntu@infra:~$ netstat -nltp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::5020 :::* LISTEN -
tcp6 0 0 :::5029 :::* LISTEN -
I'm not sure why I see tcp6 when Docker exposes ports to the host, and whether it causes issues!
Now when I telnet from within the server I can see that the port is open:
ubuntu@infra:~$ telnet MY-SERVER-IP-ADDRESS 5029
Trying MY-SERVER-IP-ADDRESS...
Connected to MY-SERVER-IP-ADDRESS.
Escape character is '^]'.
^]
telnet> Connection closed.
But from my machine (or from another server), when I try to telnet:
$ telnet MY-SERVER-IP-ADDRESS 5020
Trying MY-SERVER-IP-ADDRESS...
^C
iptables -L reports:
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5020
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5029
ACCEPT tcp -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:amqp
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:15672
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
It is worth noting that I have installed a Redis server on the host (not in Docker) and I am able to telnet to it from outside.
EDIT-1:
sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !localhost/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:15672
MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:amqp
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere anywhere tcp dpt:15672 to:172.17.0.2:15672
DNAT tcp -- anywhere anywhere tcp dpt:amqp to:172.17.0.2:5672
EDIT-2:
Docker configuration:
ubuntu@infra:~$ sudo cat /var/snap/docker/796/config/daemon.json
{
"log-level": "error",
"storage-driver": "overlay2"
}
This is really odd. By flushing the NAT in iptables everything works as expected:
iptables -t nat -F
My NAT table before flushing:
ubuntu@infra:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !localhost/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:15672
MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:amqp
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere anywhere tcp dpt:15672 to:172.17.0.2:15672
DNAT tcp -- anywhere anywhere tcp dpt:amqp to:172.17.0.2:5672
And after flushing, everything is gone:
ubuntu@infra:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain DOCKER (0 references)
target prot opt source destination
NOTE: after restarting Docker via sudo snap restart docker, the network rules are back again and I had to flush the NAT table again!

How can I use iptables as a per-user whitelist web filter on Linux?

I'm trying to use iptables to create a web filter that whitelists a list of websites and blacklists everything else on a per-user basis. So one user would have full web access while another would be restricted only to the whitelist.
I am able to block all outgoing web traffic on a per-user basis, but I cannot seem to whitelist certain websites. My current FILTER table is set up as:
Chain INPUT (policy ACCEPT 778 packets, 95768 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 777 packets, 95647 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 176.32.98.166 0.0.0.0/0 owner UID match 1000
0 0 ACCEPT all -- * * 176.32.103.205 0.0.0.0/0 owner UID match 1000
0 0 ACCEPT all -- * * 205.251.242.103 0.0.0.0/0 owner UID match 1000
677 73766 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 1000 reject-with icmp-port-unreachable
This was created with the following commands:
sudo iptables -A OUTPUT -s amazon.com -m owner --uid-owner <USERNAME> -j ACCEPT
sudo iptables -A OUTPUT -m owner --uid-owner <USERNAME> -j REJECT
My understanding was that iptables would use the first rule that matches a packet, but it seems that is not the case here. All web traffic is being blocked for the user while being allowed for all other users. Is there another way to set this up?

Incoming traffic is not forwarded to correct docker container

There is incoming traffic on port 1111/UDP from Server-A to Server-B. Server-B has multiple containers up and running, and one of them (udp-listener) is listening on port 1111/udp with the IP 172.17.0.2. The issue is:
Stop the container "udp-listener" with IP 172.17.0.2
Start a new container such as Nginx, so now Nginx has the IP 172.17.0.2
Start "udp-listener", which gets the next available IP, 172.17.0.3
Now the incoming traffic from Server-A is still being sent to 172.17.0.2; here is the output:
$ tcpdump port 1111
17:30:09.875982 IP Server-A-IP.pvsw > 172.17.0.2.pvsw: UDP, length 49
And if I give the "udp-listener" container the IP 172.17.0.2 again, it works again.
Any hint where I can look? By the way, Server-A is not accessible to me; it is just set to send events to Server-B's public IP.
What is the best practice for debugging this? Are there any tools or tutorials?
I also checked iptables for any rules but could not find anything; here is the result:
Chain PREROUTING (policy ACCEPT 2178 packets, 155K bytes)
pkts bytes target prot opt in out source destination
12M 805M PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
12M 805M PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
12M 805M PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
3408K 204M DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 780 packets, 46800 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 789 packets, 47332 bytes)
pkts bytes target prot opt in out source destination
6021K 361M OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 807 packets, 48412 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE udp -- * * 172.17.0.1 172.17.0.1 udp dpt:8080
0 0 MASQUERADE udp -- * * 172.17.0.2 172.17.0.1 udp dpt:1111
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
3348K 201M RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- br-4a68f517a271 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:8080 to:172.17.0.1:8080
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:1111 to:172.17.0.2:1111
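For both Docker questions above (the published RabbitMQ ports and the UDP listener whose address changed), the thing to verify is where each DNAT rule in the nat DOCKER chain actually sends traffic. The following Python check is an added example, not code from either post: it parses those DNAT lines and compares each target address with the container that currently owns it. The DNAT lines are the ones quoted above for the UDP case; the container-to-address table is constructed to match the restart order described in the question (on a real host it comes from docker inspect).

```python
"""Check the DNAT rules Docker keeps in the nat DOCKER chain against the
containers that are running now. Added example, not from either Docker post;
the DNAT lines are quoted from the UDP question, the container table is
constructed (what `docker inspect` reports as NetworkSettings.IPAddress)."""
import re

# host-side proto and dpt, then the to:IP:port target; dpt may be a service name
DNAT_RE = re.compile(r"\bDNAT\s+(tcp|udp)\b.*dpt:(\w+)\s*to:([\d.]+):(\d+)")

def parse_dnat(nat_listing):
    """[(proto, host_port, container_ip, container_port)] for each DNAT rule."""
    return [m.groups() for m in map(DNAT_RE.search, nat_listing.splitlines()) if m]

def check_published(nat_listing, containers, expected):
    """containers: name -> current IP; expected: (proto, host_port) -> name.
    Returns [(proto, host_port, verdict)] so stale forwardings stand out."""
    owner_of = {ip: name for name, ip in containers.items()}
    out = []
    for proto, hport, cip, cport in parse_dnat(nat_listing):
        want, owner = expected.get((proto, hport)), owner_of.get(cip)
        if want is None:
            verdict = f"not in the expected list -> {cip}:{cport}"
        elif owner == want:
            verdict = "ok"
        elif owner is None:
            verdict = f"stale: {cip} belongs to no running container"
        else:
            verdict = f"stale: hits {owner} at {cip}, {want} is at {containers[want]}"
        out.append((proto, hport, verdict))
    return out

NAT_DOCKER_CHAIN = """\
Chain DOCKER (2 references)
 pkts bytes target prot opt in       out source    destination
3348K  201M RETURN all  --  docker0  *   0.0.0.0/0 0.0.0.0/0
    0     0 DNAT   udp  --  !docker0 *   0.0.0.0/0 0.0.0.0/0 udp dpt:8080 to:172.17.0.1:8080
    0     0 DNAT   udp  --  !docker0 *   0.0.0.0/0 0.0.0.0/0 udp dpt:1111 to:172.17.0.2:1111
"""
# constructed: after the restart order in the question, nginx owns 172.17.0.2
CONTAINERS = {"nginx": "172.17.0.2", "udp-listener": "172.17.0.3"}
EXPECTED = {("udp", "1111"): "udp-listener"}
```

List the table with iptables -t nat -L -n so ports stay numeric; without -n the RabbitMQ listing shows dpt:amqp instead of 5672, which the regex also accepts.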

iptables: Index of deletion too big BASH

I am having some difficulties setting a default iptables script as it won't run. It shows the error: iptables: Index of deletion too big
I have tried re-ordering the rules, attempting to delete all first before adding, etc. but it doesn't seem to be helping. What am I doing wrong?
Here is the script:
#!/bin/bash
iptables -P FORWARD DROP
iptables -D FORWARD 1
iptables -P INPUT DROP
iptables -D INPUT 5
iptables -D INPUT 4
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -D INPUT 3
iptables -I INPUT -p icmp -j ACCEPT
The original iptables rules look like this:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
119 13723 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
1 60 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
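Rule numbers are positions, so each -I and -D in the script shifts the rules after it, and a delete by number only works against the exact chain the script was written for. The following Python replay is an added example (not the poster's script as run): it applies the script above to a model of the listed chains and reports the line on which iptables would say "Index of deletion too big". SCRIPT and the starting rule counts are taken from the question.

```python
"""Replay an iptables script that edits chains by rule *number* against a
model of the chains, to find the line that fails with `Index of deletion too
big`. Added example; SCRIPT and the starting chains are from the question."""

class IndexTooBig(Exception):
    """args: (script line, chain, rules left in the chain)"""

def replay(script, chains):
    """Apply -A/-I/-D lines to chains (name -> rule list); -P is a no-op here."""
    for lineno, line in enumerate(script.splitlines(), 1):
        tok = line.split()
        if tok[:1] != ["iptables"]:
            continue                              # shebang, blank, comment
        op, chain, rest = tok[1], tok[2], tok[3:]
        rules = chains.setdefault(chain, [])
        if op == "-A":
            rules.append(" ".join(rest))
        elif op == "-I":                          # -I chain [rulenum] rule-spec
            pos = int(rest.pop(0)) if rest and rest[0].isdigit() else 1
            rules.insert(pos - 1, " ".join(rest))  # shifts later rules by one
        elif op == "-D" and rest and rest[0].isdigit():
            if int(rest[0]) > len(rules):         # this is the condition iptables
                raise IndexTooBig(lineno, chain, len(rules))   # reports
            del rules[int(rest[0]) - 1]
    return chains

def failing_line(script, chains):
    """1-based script line of the first failing command, or None."""
    try:
        replay(script, chains)
    except IndexTooBig as e:
        return e.args[0]
    return None

def initial_chains():                             # rules listed in the question
    return {"INPUT": ["RELATED,ESTABLISHED", "icmp", "lo", "ssh NEW", "REJECT all"],
            "FORWARD": ["REJECT all"]}

SCRIPT = """\
#!/bin/bash
iptables -P FORWARD DROP
iptables -D FORWARD 1
iptables -P INPUT DROP
iptables -D INPUT 5
iptables -D INPUT 4
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -D INPUT 3
iptables -I INPUT -p icmp -j ACCEPT
"""
```

Against the listed table the script applies cleanly, leaving INPUT with four rules and FORWARD empty; run a second time it fails on line 3, because FORWARD no longer has a rule 1. Deleting by rule specification (for example iptables -D INPUT -p icmp -j ACCEPT) or flushing with -F and rebuilding does not depend on the starting state.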

iptables centOS port forwarding not working

I want to forward UDP packets coming to port 10500 to port 10600, but it's not working with the following config.
My iptables rules look like this:
[root@mymachine ~]# service iptables status
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
2 LOG all -- 224.0.0.0/4 0.0.0.0/0 LOG flags 0 level 4 prefix `IP DROP MULTICAST D: '
3 LOG all -- 240.0.0.0/5 0.0.0.0/0 LOG flags 0 level 4 prefix `IP DROP SPOOF E: '
4 LOG all -- 0.0.0.0/0 127.0.0.0/8 LOG flags 0 level 4 prefix `IP DROP LOOPBAK: '
Chain FORWARD (policy DROP)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:10600 state NEW
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
5 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
6 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
9 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
11 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:69
12 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:514
13 DROP all -- 0.0.0.0/0 0.0.0.0/0
14 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:10500
15 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:10600
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT udp -- 0.0.0.0/0 192.168.80.128 udp dpt:10500 to:192.168.80.128:10600
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Also, since it is CentOS, I've added the following:
net.ipv4.ip_forward = 1
Tell me where I've gone wrong.
To achieve what you're aiming for, you must add a rule to the INPUT chain of the filter table, and add a redirection in the nat table.
Example:
iptables -A INPUT -p tcp --dport 10600 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 10500 -j REDIRECT --to-ports 10600
How it works:
First comes the nat table's PREROUTING chain: traffic to tcp:10500 is REDIRECTed to tcp:10600. After that this traffic goes to the filter table's INPUT chain, and the firewall ACCEPTs it.
Try using REDIRECT.
Example: iptables -t nat -I PREROUTING 1 -s 0.0.0.0/0 -d 192.168.75.128 -p udp -m udp --dport 10500 -j REDIRECT --to-ports 10600
In chain RH-Firewall-1-INPUT,
line 13 DROP all -- 0.0.0.0/0 0.0.0.0/0 is rejecting everything not allowed before it. Place all your ALLOWED rules before the "DROP of everything" or they will be ignored. (Lines 14-15 must be before line 13 in chain RH-Firewall-1-INPUT.)
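As an added example serving both this answer (rules placed after a drop-everything rule) and the per-user whitelist question above (OUTPUT rules keyed on a remote source address, which locally generated packets never carry), here is a Python lint for iptables -L listings; it is not code from any of the posts. The listing it runs on is built from two chains quoted on this page, the second one trimmed and renumbered.

```python
"""Lint an `iptables -L` listing for rules that can never match: rules placed
after a chain's drop-everything rule, and OUTPUT rules keyed on a remote source
(locally generated packets carry this host's own address as source, so such an
-s never matches; -d was probably meant). Added example; listing from the page."""

ANY = {"0.0.0.0/0", "anywhere", "::/0"}

def parse_chains(text):
    """{chain: [(target, proto, source, dest, match)]} for any -L column layout."""
    chains, cur = {}, None
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["Chain"]:
            cur = tok[1]
            chains[cur] = []
        elif cur is not None and "--" in tok:       # header rows have no '--'
            i = tok.index("--")                      # the 'opt' column
            s = i + 3 if i >= 4 else i + 1           # -v adds pkts/bytes and in/out
            chains[cur].append((tok[i - 2], tok[i - 1], tok[s], tok[s + 1],
                                " ".join(tok[s + 2:])))
    return chains

def is_catch_all(target, proto, src, dst, match):
    return (target in ("DROP", "REJECT") and proto == "all" and src in ANY
            and dst in ANY and (match == "" or match.startswith("reject-with")))

def lint(text):
    findings = []                                    # (chain, rule number, problem)
    for chain, rules in parse_chains(text).items():
        blocker = None
        for n, rule in enumerate(rules, 1):
            if blocker:
                findings.append((chain, n, f"unreachable: rule {blocker} matches everything first"))
            elif is_catch_all(*rule):
                blocker = n
            elif chain == "OUTPUT" and rule[2] not in ANY:
                findings.append((chain, n, "keyed on a remote source; did you mean -d?"))
    return findings

LISTING = """\
Chain OUTPUT (policy ACCEPT 777 packets, 95647 bytes)
    0     0 ACCEPT  all  --  *  *   176.32.98.166  0.0.0.0/0  owner UID match 1000
  677 73766 REJECT  all  --  *  *   0.0.0.0/0      0.0.0.0/0  owner UID match 1000 reject-with icmp-port-unreachable
Chain RH-Firewall-1-INPUT (2 references)
num  target  prot opt source     destination
1    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
2    DROP    all  --  0.0.0.0/0  0.0.0.0/0
3    ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  udp dpt:10500
4    ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  udp dpt:10600
"""
```

Feed it iptables -L -n --line-numbers output where possible; without -n, addresses and ports are shown resolved (anywhere, dpt:ssh), which the parser tolerates but which hides the exact values.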
