[colug-432] iptables
Steve VanSlyck
s.vanslyck at postpro.net
Wed May 13 20:27:01 EDT 2015
So I added those two lines and then could still not install nano:
yum install nano
[cut]
Trying other mirror.
http://mirrors.kernel.org/centos/6.6/os/x86_64/Packages/nano-2.0.9-7.el6.x86_64.rpm: [Errno 14] PYCURL ERROR 6 - "Couldn't resolve host 'mirrors.kernel.org'"
Trying other mirror.

Error Downloading Packages:
  nano-2.0.9-7.el6.x86_64: failure: Packages/nano-2.0.9-7.el6.x86_64.rpm from base: [Errno 256] No more mirrors to try.
I did some googling and was told to check the ifcfg-eth0 file, which I
had never messed with:
[root@vslaw2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 | more
DEVICE='eth0'
TYPE=Ethernet
BOOTPROTO=none
ONBOOT='yes'
HWADDR=04:01:50:5d:bd:01
IPADDR=104.131.31.216
NETMASK=255.255.192.0
GATEWAY=104.131.0.1
NM_CONTROLLED='yes'
DNS1=8.8.8.8
DNS2=8.8.4.4
[root@vslaw2 ~]#
Do I still have iptables wrong? Maybe this is a result of the
still-unfixed ppp0 issue?
[root@vslaw2 ~]# iptables -L -nv
Chain INPUT (policy DROP 8 packets, 379 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  244 18832 ACCEPT     tcp  --  *      *       107.132.57.128       0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
    1    40 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 1176 packets, 80892 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
  212 30848 ACCEPT     tcp  --  *      *       0.0.0.0/0            107.132.57.128       tcp spt:22 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
[root@vslaw2 ~]#
On Wed, May 13, 2015, at 16:50, Steve VanSlyck wrote:
> So, on the first issue, I need to add these two out rules?
>
> read -p "Allow outbound http traffic?"
> iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT    # Allow outbound http traffic
>
> read -p "Allow outbound https traffic?"
> iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT   # Allow outbound https traffic
>
> read -p "Allow inbound http traffic?"
> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT     # Allow inbound http traffic
>
> read -p "Allow inbound https traffic?"
> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT    # Allow inbound https traffic
>
>
>
> On Wed, May 13, 2015, at 16:20, Rick Hornsby wrote:
>>
>>> On May 13, 2015, at 15:02, Steve VanSlyck <s.vanslyck at postpro.net>
>>> wrote:
>>>
>>> I cannot figure out why yum is being blocked. I understood it
>>> required only ports 80 and 443. The below is from my script:
>> ...
>>> read -p "Allow http traffic?"
>>> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>>>
>>> read -p "Allow https traffic?"
>>> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>>
>> Looks like your INPUT and OUTPUT are backwards.
>>
>> You need to allow OUTBOUND traffic to ports 80 and/or 443 to access
>> remote yum repositories. But you are also using a paranoid DROP
>> policy on your output chain.
>>
>> Something else I noticed -
>>
>>> iptables -A OUTPUT -o ppp0 -j ACCEPT
>>
>> It looks like you're only allowing all outbound traffic on the
>> interface ppp0, which is not normally what I'd expect to see unless
>> you're using some kind of dialup or VPN *outbound* to provide the
>> host connectivity. Usually if an interface is being specified, I'd
>> expect to see eth0, or in the case of CentOS 7 something along the
>> lines of enp0s3. Either changing this, or fixing the two rules that
>> you highlighted will probably do the trick.
>>
>>
>> one other note - at least for testing purposes you might want to use
>> REJECT instead of DROP. When you use DROP the firewall does exactly
>> what the word implies - it silently drops the packets to the floor
>> and the application has no idea anything is wrong. It is forced to
>> time out waiting for a response that will never come. With REJECT
>> iptables sends an ICMP response immediately. That should help speed
>> up your development and troubleshooting greatly.
>>
>> http://ipset.netfilter.org/iptables.man.html
>>
>>
>>>
>>> read -p "Flush all current rules?"
>>> iptables -F
>>>
>>> read -p "Accept connections to the loopback interface (localhost)?"
>>> iptables -A INPUT -i lo -j ACCEPT
>>>
>>> read -p "Accept connections from the loopback interface (localhost)?"
>>> iptables -A OUTPUT -o lo -j ACCEPT
>>>
>>> read -p "Allow outgoing connections?"
>>> iptables -A OUTPUT -o ppp0 -j ACCEPT
>>>
>>> read -p "Drop all pings?"
>>> iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
>>>
>>> read -p "Accept requested inbound traffic?"
>>> iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>
>>> read -p "Accept new and established ssh from specified IP?"
>>> iptables -A INPUT -p tcp -s 107.132.57.128 --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
>>>
>>> read -p "Allow established ssh to specified IP?"
>>> iptables -A OUTPUT -p tcp -d 107.132.57.128 --sport 22 -m state --state ESTABLISHED -j ACCEPT
>>>
>>> read -p "Drop all other ssh attempts?"
>>> iptables -A INPUT -p tcp --dport ssh -j DROP
>>>
>>> read -p "Allow http traffic?"
>>> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>>>
>>> read -p "Allow https traffic?"
>>> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>>>
>>> read -p "Set policy: Drop forwarding connections?"
>>> iptables -P FORWARD DROP
>>>
>>> read -p "Set policy: Drop other incoming connections?"
>>> iptables -P INPUT DROP
>>>
>>> read -p "Set policy: Drop outgoing connections?"
>>> iptables -P OUTPUT DROP
>>> _______________________________________________
>>> colug-432 mailing list colug-432 at colug.net
>>> http://lists.colug.net/mailman/listinfo/colug-432
>>
>
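Putting the thread's findings together, as an added example that is not code from Steve's script or from Rick's reply: the quoted ruleset has a DROP policy on OUTPUT, allows outbound traffic only on ppp0 while the host's real uplink (per ifcfg-eth0) is eth0, accepts return traffic only on ppp0, and has no rule at all for DNS, so "Couldn't resolve host" is expected even once ports 80 and 443 are opened outbound. The script below rebuilds the ruleset with those three changes, plus rate-limited LOG rules so the next silently dropped packet is visible in /var/log/messages, and a switch for Rick's REJECT-while-testing suggestion. Assumptions: eth0 is the uplink, the admin address 107.132.57.128 and the resolvers 8.8.8.8/8.8.4.4 are taken from the thread, and the LOG rules and the TEST_REJECT switch are my additions. By default it only prints the iptables commands; run it with IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Rebuilds the quoted ruleset with:
#  - eth0 (the interface in ifcfg-eth0) as the uplink instead of ppp0
#  - return traffic accepted on every interface, not only ppp0
#  - outbound DNS to the configured resolvers (the missing rule behind
#    "Couldn't resolve host")
# Dry run by default: the commands are printed, not executed.

IPT="${IPT:-echo iptables}"                 # set IPT=iptables to apply for real
WAN="${WAN:-eth0}"                          # uplink interface, from ifcfg-eth0 (assumed)
ADMIN_IP="${ADMIN_IP:-107.132.57.128}"      # ssh source allowed in the thread's script
RESOLVERS="${RESOLVERS:-8.8.8.8 8.8.4.4}"   # DNS1/DNS2 from ifcfg-eth0
TEST_REJECT="${TEST_REJECT:-0}"             # 1 = REJECT instead of silent DROP while testing

build_rules() {
    $IPT -F
    $IPT -X

    # Policies first, so a half-loaded ruleset never defaults to ACCEPT.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback both ways.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host opened or accepted, on any interface.
    # The original tied this to ppp0, so replies arriving on eth0 hit the DROP policy.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound DNS, to the configured resolvers only (UDP, plus TCP for large answers).
    # $RESOLVERS is deliberately unquoted so the list word-splits.
    for ns in $RESOLVERS; do
        $IPT -A OUTPUT -o "$WAN" -p udp -d "$ns" --dport 53 -m state --state NEW -j ACCEPT
        $IPT -A OUTPUT -o "$WAN" -p tcp -d "$ns" --dport 53 -m state --state NEW -j ACCEPT
    done

    # Outbound HTTP/HTTPS so yum can reach its mirrors.
    $IPT -A OUTPUT -o "$WAN" -p tcp --dport 80  -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p tcp --dport 443 -m state --state NEW -j ACCEPT

    # Inbound: no pings, ssh only from the admin address, web from anywhere.
    # Anything else, including ssh from other sources, falls through to the DROP policy.
    $IPT -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -j DROP
    $IPT -A INPUT -i "$WAN" -p tcp -s "$ADMIN_IP" --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 80  -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 443 -m state --state NEW -j ACCEPT

    # Log (rate-limited) what the policy is about to drop, so a blocked
    # port shows up in /var/log/messages instead of as a silent timeout.
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix IPT-IN-DROP:
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix IPT-OUT-DROP:

    # While testing, answer with an ICMP error instead of dropping silently,
    # so a blocked client fails immediately rather than waiting for a timeout.
    if [ "$TEST_REJECT" = 1 ]; then
        $IPT -A INPUT  -j REJECT --reject-with icmp-port-unreachable
        $IPT -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
    fi
}

build_rules
```

Because the DROP policies are installed before the ACCEPT rules, an ssh session used to load this will see a few retransmissions but survives once the ESTABLISHED,RELATED rule is in place; review the printed commands first, and after applying them on CentOS 6 persist the result with service iptables save so it survives a reboot.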