Friday, 29 July 2016

Messing about with IPTables

<caveat>
I'm NOT a firewall or networking expert, so this is very much YMMV.
</caveat>

I wanted to see if/how I could use the out-of-the-box IPTables firewall to block most connectivity to a web server (IBM HTTP Server) whilst allowing SSH connectivity and, more importantly, allowing incoming requests from

Flush the existing rules

iptables -F

Add a rule to allow SSH connectivity only from a specific interface and host - actually the host VM

iptables -A INPUT -i eth0 -p tcp -s 192.168.153.1 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Add a rule to allow connectivity from a specific interface and host and port - the F5 LTM

iptables -A INPUT -i eth1 -p tcp -s 10.128.10.0/24 --dport 8443 -m state --state NEW,ESTABLISHED -j ACCEPT

Drop all other traffic from the 192.168.153 subnet (this rule has to come after the ACCEPT rule above, because iptables applies the first rule that matches)

iptables -A INPUT -s 192.168.153.0/24 -j DROP

Drop all other traffic from the 10.128.10 subnet

iptables -A INPUT -s 10.128.10.0/24 -j DROP

Print the running configuration (iptables-save writes the rule set to stdout and does not persist it by itself; redirect the output to a file, or use the distribution's own save mechanism, if the rules are to survive a reboot)

iptables-save

...
# Generated by iptables-save v1.4.7 on Fri Jul 29 19:13:26 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [945:348018]
-A INPUT -s 192.168.153.1/32 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A INPUT -s 10.128.10.0/24 -i eth1 -p tcp -m tcp --dport 8443 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A INPUT -s 192.168.153.0/24 -j DROP 
-A INPUT -s 10.128.10.0/24 -j DROP 
COMMIT
# Completed on Fri Jul 29 19:13:26 2016

...

I then tested this by: -

(a) ensuring that I could still connect to IHS via the F5 load balancer: -

openssl s_client -connect 10.128.10.240:443 </dev/null

SSL handshake has read 1065 bytes and written 440 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit


(b) ensuring that I could NOT connect to IHS directly: -

openssl s_client -connect 192.168.153.200:8443 </dev/null

connect: Operation timed out
connect:errno=60

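The two manual tests above only probe sources inside the two subnets named in the rules. The following is an added example, not code from the original post, that replays the saved INPUT chain first-match style against a few constructed packets, including one from an address in neither subnet, and compares it with a variant that keeps the same two ACCEPT rules but sets the INPUT policy to DROP. The rule dictionaries, the sample packets and the hardened variant are assumptions made for this example.

```python
import ipaddress
# INPUT chain transcribed from the post's iptables-save output; the chain
# policy there is ACCEPT (":INPUT ACCEPT"), so unmatched packets get through.
ORIGINAL = [
    dict(src="192.168.153.1/32", iface="eth0", proto="tcp", dport=22,
         states={"NEW", "ESTABLISHED"}, target="ACCEPT"),
    dict(src="10.128.10.0/24", iface="eth1", proto="tcp", dport=8443,
         states={"NEW", "ESTABLISHED"}, target="ACCEPT"),
    dict(src="192.168.153.0/24", target="DROP"),
    dict(src="10.128.10.0/24", target="DROP"),
]

# Hardened variant (this example's assumption, not the post's): loopback and
# reply traffic first, the same two ACCEPT rules, then a DROP chain policy.
HARDENED = [
    dict(iface="lo", target="ACCEPT"),
    dict(states={"ESTABLISHED", "RELATED"}, target="ACCEPT"),
    ORIGINAL[0],
    ORIGINAL[1],
]

def matches(rule, pkt):
    """True when every match clause present on the rule holds for the packet."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) \
            not in ipaddress.ip_network(rule["src"]):
        return False
    for key in ("iface", "proto", "dport"):
        if key in rule and pkt[key] != rule[key]:
            return False
    return "states" not in rule or pkt["state"] in rule["states"]

def verdict(rules, policy, pkt):
    """netfilter semantics: the first matching rule wins, else the chain policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy

def tcp_syn(src, iface, dport):
    """Constructed sample packet: a new TCP connection (conntrack state NEW)."""
    return dict(src=src, iface=iface, proto="tcp", dport=dport, state="NEW")
F5_TO_IHS = tcp_syn("10.128.10.240", "eth1", 8443)   # constructed F5-side source
HOST_TO_SSH = tcp_syn("192.168.153.1", "eth0", 22)    # the host VM, as in the post
HOST_TO_IHS = tcp_syn("192.168.153.1", "eth0", 8443)  # the post's test (b)
OTHER_TO_IHS = tcp_syn("172.16.0.5", "eth1", 8443)    # constructed: neither subnet

if __name__ == "__main__":
    for name, pkt in [("F5->8443", F5_TO_IHS), ("host->22", HOST_TO_SSH),
                      ("host->8443", HOST_TO_IHS), ("other->8443", OTHER_TO_IHS)]:
        print(name, verdict(ORIGINAL, "ACCEPT", pkt), verdict(HARDENED, "DROP", pkt))
```

The original chain returns ACCEPT for the packet from 172.16.0.5, because nothing matches it and the policy is ACCEPT; the DROP-policy variant blocks it while still passing the F5 and SSH traffic.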

Here are my not-so-secret sources: -