NET::HTTP behind a firewall?

joe · October 3, 2006, 10:56pm

I recently deployed an app to my production server that accesses other
websites via NET::HTTP. Due to my firewall (iptables), the app is unable
to access the other sites.

What ports should I open/changes should I make to my firewall config
script (KISS) to enable ruby to make the appropriate outgoing requests?

Thanks,
Kris

joe · October 3, 2006, 10:58pm

Open port 80 outgoing.

joe · October 3, 2006, 11:16pm

Joe R. wrote:

I recently deployed an app to my production server that accesses other
websites via NET::HTTP. Due to my firewall (iptables), the app is unable
to access the other sites.

What? Your firewall blocks outgoing port 80 requests? This is possible
but
unlikely. Can you browse the Internet using a Web browser on this
machine?

Basically the answer to your question is to allow outgoing port 80
requests.

joe · October 3, 2006, 11:38pm

On 10/3/06, Joe R. [email protected] wrote:

I recently deployed an app to my production server that accesses other
websites via NET::HTTP. Due to my firewall (iptables), the app is unable
to access the other sites.

What ports should I open/changes should I make to my firewall config
script (KISS) to enable ruby to make the appropriate outgoing requests?

Thanks,
Kris

This sounds like a dumb enough question that I have to ask how you know
the
problem is caused by iptables. Is there a proxy, NAT-translator or
another
firewall upstream from your prod server?

joe · October 3, 2006, 11:52pm

requests?

Outgoing connections are almost always made on high ports. It doesn’t
matter what you’re using to connect out, the fact that you’re making
a client request to some remote server on some port, will cause your
client ip:port to be <ip you’re going out over>:<some high port,
probably over 10000>.

So be sure you open up say 10000 - 65535 outgoing tcp

If this still doesn’t work, there’s probably some sort of transparent
firewall between your router and your destination blocking this.

joe · October 4, 2006, 12:30am

On 10/3/06, Jeremy T. [email protected] wrote:

Outgoing connections are almost always made on high ports. It doesn’t
matter what you’re using to connect out, the fact that you’re making
a client request to some remote server on some port, will cause your
client ip:port to be <ip you’re going out over>:<some high port,
probably over 10000>.

So be sure you open up say 10000 - 65535 outgoing tcp

The port bound to the local side of the TCP connection will
(probably) be
an ephemeral port. From the firewall’s point of view, the outbound rule
will
specify the remote port, which is still 80. (It’s possible but not very
useful to constrain outbound traffic based on the local port.)
Firewalls
are smart enough to associate local ports with remote ports in regard to
specific connections, so I don’t think your suggestion will help.

The OP tells us that iptables is blocking his traffic. I’m inferring
(perhaps incorrectly) that it worked in testing and started failing in
prod.
Unless the prod shop mandates a severely locked-down iptables config,
then
either the OP has no access to the iptables config, or he doesn’t know
how
to configure iptables, or else some other component is blocking the
traffic.

joe · October 4, 2006, 12:32am

Jeremy T. wrote:

requests?

Outgoing connections are almost always made on high ports. It doesn’t
matter what you’re using to connect out, the fact that you’re making
a client request to some remote server on some port, will cause your
client ip:port to be <ip you’re going out over>:<some high port,
probably over 10000>.

So be sure you open up say 10000 - 65535 outgoing tcp

If this still doesn’t work, there’s probably some sort of transparent
firewall between your router and your destination blocking this.

Jeremy, thanks for the help. I knew the outgoing connections were made
on higher ports but I was not sure which range of ports they would be
made on and I wanted to keep my config as tight as possible. I also
wanted to know if there was a way to allow a specific process (such as
the one running ruby) to access all outgoing ports.

Francis, thanks for your support.

joe · October 4, 2006, 12:41am

On 06-10-03, at 18:32, Joe R. wrote:

Jeremy, thanks for the help. I knew the outgoing connections were made
on higher ports but I was not sure which range of ports they would be
made on and I wanted to keep my config as tight as possible. I also
wanted to know if there was a way to allow a specific process (such as
the one running ruby) to access all outgoing ports.

I’m not familiar with iptables, so I cannot tell you. But considering
that for instance, OpenBSD’s pf allows you to specify user, I would
be shocked if iptables hasn’t copied that idea.

joe · October 4, 2006, 1:05am

On 10/3/06, Joe R. [email protected] wrote:

Joe R. wrote:

TCP OUT

for tcp_out in $TCP_OUT; do
$IPTABLES -A OUTPUT -o $PUB_IFACE -p tcp -m state --state NEW
–sport $UNPRIVPORTS --dport $tcp_out -j ACCEPT
done

Is your routing is configured such that your external servers are
reachable
through eth1? Can you ping anything from this server? Can you telnet to
the
affected external web servers on port 80? Can you traceroute to them
(either
using ICMP or UDP)? Did your code work correctly on a test server that
didn’t have this firewall config? What’s the output from iptables -L? As
far
as the local (ephemeral) port is concerned, this rule will let anything
out
that is locally bound to any port higher than 1024, which should be ok.

joe · October 4, 2006, 5:06am

Yes, eth1 is the public nic. I can not ping anything with the firewall
enabled. I can access all the tcp_in ports from external machines.
tracert is not working on my workstation right now, it times out to any
host on the second hop.

My code works properly on my workstations, development servers, and even
the production server without the firewall config enabled.

Is it possible that NET:HTTP is attempting to use a local port that is
lower than NPRIVPORTS allows?

Thanks for your help Francis.

Thanks,
Kris

Francis C. wrote:

On 10/3/06, Joe R. [email protected] wrote:

Joe R. wrote:

TCP OUT

for tcp_out in $TCP_OUT; do
$IPTABLES -A OUTPUT -o $PUB_IFACE -p tcp -m state --state NEW
–sport $UNPRIVPORTS --dport $tcp_out -j ACCEPT
done

Is your routing is configured such that your external servers are
reachable
through eth1? Can you ping anything from this server? Can you telnet to
the
affected external web servers on port 80? Can you traceroute to them
(either
using ICMP or UDP)? Did your code work correctly on a test server that
didn’t have this firewall config? What’s the output from iptables -L? As
far
as the local (ephemeral) port is concerned, this rule will let anything
out
that is locally bound to any port higher than 1024, which should be ok.

joe · October 4, 2006, 5:09am

and here is the output of iptables -L…

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all – anywhere anywhere
DROP tcp – anywhere anywhere tcp
flags:FIN,SYN,R
ST,PSH,ACK,URG/NONE
DROP tcp – anywhere anywhere tcp
flags:FIN,SYN/F
IN,SYN
DROP tcp – anywhere anywhere tcp
flags:SYN,RST/S
YN,RST
DROP tcp – anywhere anywhere tcp
flags:FIN,RST/F
IN,RST
DROP tcp – anywhere anywhere tcp
flags:FIN,ACK/F
IN
DROP tcp – anywhere anywhere tcp
flags:PSH,ACK/P
SH
DROP tcp – anywhere anywhere tcp
flags:ACK,URG/U
RG
ACCEPT all – anywhere anywhere state
RELATED,ESTAB
LISHED
DROP all – anywhere anywhere state
INVALID
DROP all – 10.0.0.0/8 anywhere
DROP all – 172.16.0.0/12 anywhere
DROP all – 127.0.0.0/8 anywhere
DROP all – 255.255.255.255 anywhere
DROP all – anywhere 0.0.0.0
DROP all – anywhere 255.255.255.255
DROP all – 224.0.0.0/4 anywhere
ACCEPT udp – anywhere 224.0.0.0/4
ACCEPT igmp – anywhere 224.0.0.0/4
DROP all – anywhere 224.0.0.0/4
DROP all – 240.0.0.0/4 anywhere
DROP all – 0.0.0.0/8 anywhere
DROP all – 169.254.0.0/16 anywhere
DROP all – 192.0.2.0/24 anywhere
REJECT tcp – anywhere anywhere tcp
dpt:auth reject
-with icmp-port-unreachable
REJECT udp – anywhere anywhere udp
dpt:auth reject
-with icmp-port-unreachable
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:ftp-data
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:ftp
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:smtp
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:domain
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:http
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:pop3
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:imap
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:https
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:pop3s
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:mysql
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:8443
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:10000
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:19638
ACCEPT udp – anywhere anywhere state NEW
udp spts:
1024:65535 dpt:domain
ACCEPT tcp – anywhere mydomain* state NEW tcp
spts:
1024:65535 dpt:ssh
ACCEPT icmp – anywhere mydomain* state NEW icmp
echo
-request
ACCEPT udp – anywhere anywhere udp
spt:domain dpt:
domain state NEW
ACCEPT tcp – anywhere anywhere tcp
spt:domain dpt:
domain state NEW

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere state
RELATED,ESTAB
LISHED
DROP all – anywhere anywhere state
INVALID
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:ftp
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:ssh
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:smtp
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:time
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:nicname
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:domain
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:http
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:https
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:
1024:65535 dpt:55000
ACCEPT udp – anywhere anywhere state NEW
udp spts:
1024:65535 dpt:domain
ACCEPT udp – anywhere anywhere udp
spt:domain dpt:
domain state NEW
ACCEPT tcp – anywhere anywhere tcp
spt:domain dpt:
domain state NEW
[root@ptp1 ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all – anywhere anywhere
DROP tcp – anywhere anywhere tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp – anywhere anywhere tcp
flags:FIN,SYN/FIN,SYN
DROP tcp – anywhere anywhere tcp
flags:SYN,RST/SYN,RST
DROP tcp – anywhere anywhere tcp
flags:FIN,RST/FIN,RST
DROP tcp – anywhere anywhere tcp
flags:FIN,ACK/FIN
DROP tcp – anywhere anywhere tcp
flags:PSH,ACK/PSH
DROP tcp – anywhere anywhere tcp
flags:ACK,URG/URG
ACCEPT all – anywhere anywhere state
RELATED,ESTABLISHED
DROP all – anywhere anywhere state
INVALID
DROP all – 10.0.0.0/8 anywhere
DROP all – 172.16.0.0/12 anywhere
DROP all – 127.0.0.0/8 anywhere
DROP all – 255.255.255.255 anywhere
DROP all – anywhere 0.0.0.0
DROP all – anywhere 255.255.255.255
DROP all – 224.0.0.0/4 anywhere
ACCEPT udp – anywhere 224.0.0.0/4
ACCEPT igmp – anywhere 224.0.0.0/4
DROP all – anywhere 224.0.0.0/4
DROP all – 240.0.0.0/4 anywhere
DROP all – 0.0.0.0/8 anywhere
DROP all – 169.254.0.0/16 anywhere
DROP all – 192.0.2.0/24 anywhere
REJECT tcp – anywhere anywhere tcp
dpt:auth reject-with icmp-port-unreachable
REJECT udp – anywhere anywhere udp
dpt:auth reject-with icmp-port-unreachable
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:ftp-data
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:ftp
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:smtp
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:domain
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:http
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:pop3
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:imap
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:https
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:pop3s
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:mysql
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:8443
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:10000
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:19638
ACCEPT udp – anywhere anywhere state NEW
udp spts:1024:65535 dpt:domain
ACCEPT tcp – anywhere mydomain state NEW tcp
spts:1024:65535 dpt:ssh
ACCEPT icmp – anywhere mydomain state NEW icmp
echo-request
ACCEPT udp – anywhere anywhere udp
spt:domain dpt:domain state NEW
ACCEPT tcp – anywhere anywhere tcp
spt:domain dpt:domain state NEW

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere state
RELATED,ESTABLISHED
DROP all – anywhere anywhere state
INVALID
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:ftp
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:ssh
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:smtp
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:time
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:nicname
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:domain
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:http
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:https
ACCEPT tcp – anywhere anywhere state NEW
tcp spts:1024:65535 dpt:55000
ACCEPT udp – anywhere anywhere state NEW
udp spts:1024:65535 dpt:domain
ACCEPT udp – anywhere anywhere udp
spt:domain dpt:domain state NEW
ACCEPT tcp – anywhere anywhere tcp
spt:domain dpt:domain state NEW

Joe R. wrote:

Yes, eth1 is the public nic. I can not ping anything with the firewall
enabled. I can access all the tcp_in ports from external machines.
tracert is not working on my workstation right now, it times out to any
host on the second hop.

My code works properly on my workstations, development servers, and even
the production server without the firewall config enabled.

Is it possible that NET:HTTP is attempting to use a local port that is
lower than NPRIVPORTS allows?

Thanks for your help Francis.

Thanks,
Kris

Francis C. wrote:

On 10/3/06, Joe R. [email protected] wrote:

Joe R. wrote:

TCP OUT

for tcp_out in $TCP_OUT; do
$IPTABLES -A OUTPUT -o $PUB_IFACE -p tcp -m state --state NEW
–sport $UNPRIVPORTS --dport $tcp_out -j ACCEPT
done

Is your routing is configured such that your external servers are
reachable
through eth1? Can you ping anything from this server? Can you telnet to
the
affected external web servers on port 80? Can you traceroute to them
(either
using ICMP or UDP)? Did your code work correctly on a test server that
didn’t have this firewall config? What’s the output from iptables -L? As
far
as the local (ephemeral) port is concerned, this rule will let anything
out
that is locally bound to any port higher than 1024, which should be ok.

joe · October 4, 2006, 12:41am

Joe R. wrote:

Jeremy T. wrote:

requests?

Outgoing connections are almost always made on high ports. It doesn’t
matter what you’re using to connect out, the fact that you’re making
a client request to some remote server on some port, will cause your
client ip:port to be <ip you’re going out over>:<some high port,
probably over 10000>.

So be sure you open up say 10000 - 65535 outgoing tcp

If this still doesn’t work, there’s probably some sort of transparent
firewall between your router and your destination blocking this.

Jeremy, thanks for the help. I knew the outgoing connections were made
on higher ports but I was not sure which range of ports they would be
made on and I wanted to keep my config as tight as possible. I also
wanted to know if there was a way to allow a specific process (such as
the one running ruby) to access all outgoing ports.

Francis, thanks for your support.

Francis, I do not know much about iptables so I am using the KISS script
to manage iptables. I am not that stupid and have obviously tried to
open 80 and 443. I suppose I could read more about configuring iptables
manually but KISS has worked fine for all the other applications I am
running for a year and I would rather stick with it. If you don’t mind,
I would appreciate it if you could tell me if their is a problem with
KISS config that is causing iptables to constrain outbound traffic based
on the local port. Here is my kiss config…

#!/bin/bash

Yahoo | Mail, Weather, Search, Politics, News, Finance, Sports & Videos

##############################################################################

Optional KISS Configurtion Variables:

BLOCK_LIST=“”
TCP_IN=“20 21 25 53 80 110 143 443 995 3306 8443 10000 19638”
TCP_OUT=“21 22 25 37 43 53 80 443 55000”
UDP_IN=“53”
UDP_OUT=“53”
TCP_IN_TRUSTED=“22”
TRUSTED_IPS=“0.0.0.0/0”
SERVER_IPS=“0.0.0.0/0”

##############################################################################

PUB_IFACE=“eth1”
PRIV_IFACE=“eth0”

Please note that only the PRIVATE_IP needs to be found as PUB_IFACE

IP is detected in the MAIN_IP variable below.

if [ ! “$PRIV_IFACE” == “” ]; then
PRIVATE_IP=ifconfig $PRIV_IFACE | grep "inet addr" | cut -d: -f2 | awk '{print $1}'
fi

##############################################################################

ALL DONE WITH CONFIGURATIONS!

No real need to modify anything for the remainder of this file except

to

maybe remove the comments from certains lines at the end of this file.

Some variables here. Modify if needed for your system.

IPTABLES=“/sbin/iptables”
MODPROBE=“/sbin/modprobe”
LOOPBACK=“127.0.0.0/8”
CLASS_A=“10.0.0.0/8”
CLASS_B=“172.16.0.0/12”
CLASS_C=“192.168.0.0/16”
CLASS_D_MULTICAST=“224.0.0.0/4”
CLASS_E_RESERVED_NET=“240.0.0.0/4”
BROADCAST_SRC=“0.0.0.0”
BROADCAST_DEST=“255.255.255.255”
PRIVPORTS=“0:1023”
UNPRIVPORTS=“1024:65535”

##############################################################################

Determine if iptables and modprobe exist

if [ ! -e “$IPTABLES” ]; then
echo “$IPTABLES does not exist. Firewall script aborted!”
exit 1
fi
if [ ! -e “$MODPROBE” ]; then
echo “$MODPROBE does not exist. Firewall script aborted!”
exit 1
fi

##############################################################################

Determine MAIN_IP & SERVER_IPS if needed

MAIN_IP=ifconfig $PUB_IFACE | grep "inet addr" | cut -d: -f2 | awk '{print $1}'
if [ “$MAIN_IP” == “” ]; then
echo “Could not determine MAIN_IP. Firewall script aborted!”
exit 1
fi
if [ “$SERVER_IPS” == “” ]; then
SERVER_IPS=$MAIN_IP
fi
if [ “$SERVER_IPS” == “” ]; then
echo “Could not determine SERVER_IPS. Firewall script aborted!”
exit 1
fi

##############################################################################

Arguments:

if [ “$1” == “stop” ] || [ “$1” == “-stop” ] || [ “$1” == “–stop” ];
then
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F
$IPTABLES -L -n
echo “”
echo “”
echo -e “\033[31mKISS My Firewall - Stopped!”
echo -e -n "\033[0m "
echo “”
exit 0
fi
if [ “$1” == “status” ] || [ “$1” == “-status” ] || [ “$1” == “–status”
]; then
NUM_LINES=$IPTABLES -L -n | wc -l | awk '{print $1}'
$IPTABLES -L -n
echo “”
echo “”
if [ “$NUM_LINES” -le “15” ]; then
echo -e “\033[31mKISS My Firewall - Stopped!”
else
echo -e “\033[32mKISS My Firewall - Running!”
fi
echo -e -n "\033[0m "
echo “”
exit 0
fi

##############################################################################

We don’t want ipchains loaded:

IPCHAINS=/sbin/lsmod | grep ipchains
if [ ! “$IPCHAINS” == “” ]; then
/sbin/rmmod ipchains
fi

##############################################################################

Note: KISS requires that ip_tables, ipt_state, and ipt_multiport

exist:
if [ ! -e “/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ip_tables.ko” ] || [ ! -e
“/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko” ] || [
! -e “/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_multiport.ko” ]; then
echo “Since the ip_tables, ipt_state, and/or ipt_multiport modules
do not exist, KISS can not function. Firewall script aborted!”
exit 1
fi

All is well, load modules:

if [ -e “/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ip_tables.ko” ]; then
$MODPROBE ip_tables
fi
if [ -e “/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_state.ko” ]; then
$MODPROBE ipt_state
fi
if [ -e “/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_multiport.ko” ]; then
$MODPROBE ipt_multiport
fi
if [ -e “/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ip_tables.ko” ]; then
$MODPROBE ip_tables
fi
if [ -e “/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_state.ko” ]; then
$MODPROBE ipt_state
fi
if [ -e “/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_multiport.ko” ]; then
$MODPROBE ipt_multiport
fi
if [ -e “/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/iptable_filter.ko” ]; then
$MODPROBE iptable_filter
fi
if [ -e “/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_unclean.ko” ]; then
$MODPROBE ipt_unclean
fi
if [ -e “/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_limit.ko” ]; then
$MODPROBE ipt_limit
fi
if [ -e “/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_LOG.ko”
]; then
$MODPROBE ipt_LOG
fi
if [ -e “/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_REJECT.ko” ]; then
$MODPROBE ipt_REJECT
fi
if [ -e “/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ip_conntrack.ko” ]; then
$MODPROBE ip_conntrack
fi
if [ -e “/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ip_conntrack_irc.ko” ]; then
$MODPROBE ip_conntrack_irc
fi
if [ -e “/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko” ]; then
$MODPROBE ip_conntrack_ftp
fi
if [ -e “/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/iptable_mangle.ko” ]; then
$MODPROBE iptable_mangle
fi

##############################################################################

Remove any existing rules from all chains

$IPTABLES --flush
$IPTABLES -t nat --flush
$IPTABLES -t mangle --flush

Allow unlimited traffic on the loopback interface

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

Set the default policy to DROP

$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP

DO NOT MODIFY THESE!

If you set these to DROP, you will be locked out of your server.

$IPTABLES -t nat --policy PREROUTING ACCEPT
$IPTABLES -t nat --policy OUTPUT ACCEPT
$IPTABLES -t nat --policy POSTROUTING ACCEPT
$IPTABLES -t mangle --policy PREROUTING ACCEPT
$IPTABLES -t mangle --policy OUTPUT ACCEPT

Remove any pre-existing user-defined chains

$IPTABLES --delete-chain
$IPTABLES -t nat --delete-chain
$IPTABLES -t mangle --delete-chain

##############################################################################

Enable broadcast echo Protection

if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
echo “1” > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi

Disable Source Routed Packets

if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
echo “0” > /proc/sys/net/ipv4/conf/all/accept_source_route
fi

Enable TCP SYN Cookie Protection

if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
echo “1” > /proc/sys/net/ipv4/tcp_syncookies
fi

Disable ICMP Redirect Acceptance

if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
echo “0” > /proc/sys/net/ipv4/conf/all/accept_redirects
fi

Don’t send Redirect Messages

if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
echo “0” > /proc/sys/net/ipv4/conf/all/send_redirects
fi

Drop Spoofed Packets coming in on an interface, which if replied to,

would

result in the reply going out a different interface.

if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
echo “1” > /proc/sys/net/ipv4/conf/all/rp_filter
fi

Log packets with impossible addresses

if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
echo “1” > /proc/sys/net/ipv4/conf/all/log_martians
fi

Reduce DoS’ing ability by reducing timeouts

if [ -e /proc/sys/net/ipv4/tcp_fin_timeout ]; then
echo “1800” > /proc/sys/net/ipv4/tcp_fin_timeout
fi
if [ -e /proc/sys/net/ipv4/tcp_keepalive_time ]; then
echo “1800” > /proc/sys/net/ipv4/tcp_keepalive_time
fi
if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]; then
echo “0” > /proc/sys/net/ipv4/tcp_window_scaling
fi
if [ -e /proc/sys/net/ipv4/tcp_sack ]; then
echo “0” > /proc/sys/net/ipv4/tcp_sack
fi

##############################################################################

Silently Drop Stealth Scans

All of the bits are cleared

$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

SYN and FIN are both set

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

SYN and RST are both set

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

FIN and RST are both set

$IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

FIN is the only bit set, without the expected accompanying ACK

$IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

PSH is the only bit set, without the expected accompanying ACK

$IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP

URG is the only bit set, without the expected accompanying ACK

$IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

##############################################################################

Provide some syn-flood protection

THIS CODE SLOWS DOWN WEB PAGE LOADS DRAMATICALLY!!!

Only enable this code if you find that you are the victim of a

syn-flood

attack!

#$IPTABLES -N syn-flood
#$IPTABLES -A INPUT -p tcp --syn -j syn-flood
#$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
#$IPTABLES -A syn-flood -j DROP

##############################################################################

BLOCK_LIST

To add someone to this block list, use the BLOCK_LIST configuration

variable

above.

We block here, before our stateful packet inspection below, because if

the

offender is already logged in, he won’t be kicked out. Note also that

we

include the offender’s IP in the OUTPUT chain. This should help to

reduce

the threat a little bit more.

for blocked_ip in $BLOCK_LIST; do
# Lock him out:
$IPTABLES -A INPUT -s $blocked_ip -j DROP
# Make sure that he never hears from us again:
$IPTABLES -A OUTPUT -d $blocked_ip -j DROP
done

##############################################################################

To define your private network, use the PRIV_IFACE configuration

variable above.

We allow all traffic in and out of the private network

if [ ! “$PRIV_IFACE” == “”]; then
$IPTABLES -A INPUT -s 0/0 -e $PRIV_IFACE -d $PRIVATE_IP -p ALL -j
ACCEPT
fi

##############################################################################

Use Connection State to Bypass Rule Checking

By accepting established and related connections, we don’t need to

explicitly set various input and output rules. For example, by

accepting an

established and related output connection, we don’t need to specify

that

the firewall needs to open a hole back out to client when the client

requests SSH access.

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

##############################################################################

Source Address Spoofing and Other Bad Addresses

Refuse Spoofed packets pretending to be from the external interface’s

IP
#for server_ips in $SERVER_IPS; do

$IPTABLES -A INPUT -i $PUB_IFACE -s $server_ips -j DROP

#done
#for server_ips in $SERVER_IPS; do

for subnet_broadcast in $SUBNET_BROADCAST; do

$IPTABLES -A INPUT -i $PUB_IFACE -s $server_ips -d

!$subnet_broadcast -j DROP

done

#done

Refuse packets claiming to be from a Class A private network

$IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_A -j DROP

Refuse packets claiming to be from a Class B private network

$IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_B -j DROP

Refuse packets claiming to be from a Class C private network

#$IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_C -j DROP

Refuse packets claiming to be from the loopback interface

$IPTABLES -A INPUT -i $PUB_IFACE -s $LOOPBACK -j DROP

Refuse malformed broadcast packets

$IPTABLES -A INPUT -i $PUB_IFACE -s $BROADCAST_DEST -j DROP
$IPTABLES -A INPUT -i $PUB_IFACE -d $BROADCAST_SRC -j DROP

Refuse directed broadcasts

Used to map networks and in Denial of Service attacks

#for subnet_base in $SUBNET_BASE; do

$IPTABLES -A INPUT -i $PUB_IFACE -d $subnet_base -j DROP

#done
#for subnet_broadcast in $SUBNET_BROADCAST; do

$IPTABLES -A INPUT -i $PUB_IFACE -d $subnet_broadcast -j DROP

#done

Refuse limited broadcasts

$IPTABLES -A INPUT -i $PUB_IFACE -d $BROADCAST_DEST -j DROP

Refuse Class D multicast addresses - illegal as a source address

#$IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_D_MULTICAST -j DROP
#$IPTABLES -A INPUT -i $PUB_IFACE -p ! udp -d $CLASS_D_MULTICAST -j DROP
#$IPTABLES -A INPUT -i $PUB_IFACE -p udp -d $CLASS_D_MULTICAST -j ACCEPT

$IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_D_MULTICAST -j DROP
$IPTABLES -A INPUT -i $PUB_IFACE -p udp -d $CLASS_D_MULTICAST -j ACCEPT
$IPTABLES -A INPUT -i $PUB_IFACE -p 2 -d $CLASS_D_MULTICAST -j ACCEPT
$IPTABLES -A INPUT -i $PUB_IFACE -p all -d $CLASS_D_MULTICAST -j DROP

Refuse Class E reserved IP addresses

$IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_E_RESERVED_NET -j DROP

Refuse addresses defined as reserved by the IANA

0...* - Can’t be blocked unilaterally with DHCP

169.254.0.0/16 - Link Local Networks

192.0.2.0/24 - TEST-NET

$IPTABLES -A INPUT -i $PUB_IFACE -s 0.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $PUB_IFACE -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -i $PUB_IFACE -s 192.0.2.0/24 -j DROP

##############################################################################

Now we can open up some holes in our firewall…

##############################################################################

If we are not accepting 113 (ident), then we explicitly reject it!

if [ “$(echo $IN_PORTS | tr ‘,’ ‘\n’ | grep -w 113)” == “” ]; then
$IPTABLES -A INPUT -p tcp -s 0/0 -d 0/0 --dport 113 -j REJECT
$IPTABLES -A INPUT -p udp -s 0/0 -d 0/0 --dport 113 -j REJECT
fi

##############################################################################

TCP IN

for tcp_in in $TCP_IN; do
for server_ips in $SERVER_IPS; do
$IPTABLES -A INPUT -i $PUB_IFACE -s 0/0 -d $server_ips -p tcp -m
state --state NEW --sport $UNPRIVPORTS --dport $tcp_in -j ACCEPT
done
done

##############################################################################

TCP OUT

for tcp_out in $TCP_OUT; do
$IPTABLES -A OUTPUT -o $PUB_IFACE -p tcp -m state --state NEW
–sport $UNPRIVPORTS --dport $tcp_out -j ACCEPT
done

##############################################################################

UDP IN

for udp_in in $UDP_IN; do
for server_ips in $SERVER_IPS; do
$IPTABLES -A INPUT -i $PUB_IFACE -s 0/0 -d $server_ips -p udp -m
state --state NEW --sport $UNPRIVPORTS --dport $udp_in -j ACCEPT
done
done

##############################################################################

UDP OUT

for udp_out in $UDP_OUT; do
$IPTABLES -A OUTPUT -o $PUB_IFACE -p udp -m state --state NEW
–sport $UNPRIVPORTS --dport $udp_out -j ACCEPT
done

##############################################################################

TCP IN TRUSTED

#for tcp_in_trusted in $TCP_IN_TRUSTED; do

for server_ips in $SERVER_IPS; do

for trusted_ips in $TRUSTED_IPS; do

$IPTABLES -A INPUT -i $PUB_IFACE -s $trusted_ips -d

$server_ips -p tcp -m state --state NEW --sport $UNPRIVPORTS --dport
$tcp_in_trusted -j ACCEPT

done

#done
for tcp_in_trusted in $TCP_IN_TRUSTED; do
for trusted_ips in $TRUSTED_IPS; do
$IPTABLES -A INPUT -i $PUB_IFACE -s $trusted_ips -d $MAIN_IP -p
tcp -m state --state NEW --sport $UNPRIVPORTS --dport $tcp_in_trusted -j
ACCEPT
done
done

##############################################################################

Allow pinging of this server’s MAIN_IP by trusted IPs only.

for trusted_ips in $TRUSTED_IPS; do
$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i $PUB_IFACE -m
state --state NEW -p icmp --icmp-type ping -j ACCEPT
done

##############################################################################

OUTPUT - PORT 113 - IDENTD

#for server_ips in $SERVER_IPS; do

$IPTABLES -A OUTPUT -o $PUB_IFACE -s $server_ips -p tcp --syn --sport

$UNPRIVPORTS --dport 113 -m state --state NEW -j REJECT --reject-with
tcp-reset
#done

##############################################################################

Uncomment to allow DNS zone transfers

$IPTABLES -A INPUT -i $PUB_IFACE -p udp --sport 53 --dport 53 -m state
–state NEW -j ACCEPT
$IPTABLES -A INPUT -i $PUB_IFACE -p tcp --sport 53 --dport 53 -m state
–state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $PUB_IFACE -p udp --sport 53 --dport 53 -m state
–state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $PUB_IFACE -p tcp --sport 53 --dport 53 -m state
–state NEW -j ACCEPT

##############################################################################

Uncomment to allow for outgoing ping

#$IPTABLES -A OUTPUT -o $PUB_IFACE -s $MAIN_IP -m state --state NEW -p
icmp --icmp-type ping -j ACCEPT

##############################################################################

Uncomment to allow outgoing traceroutes

#$IPTABLES -A OUTPUT -o $PUB_IFACE -p udp -s $MAIN_IP --sport
32769:65535 --dport 33434:33523 -m state --state NEW -j ACCEPT

$IPTABLES -L -n
echo “”
echo “”
echo -e “\033[32mKISS My Firewall - Running!”
echo -e -n "\033[0m "
echo “”

exit 0

joe · October 4, 2006, 5:35am

Try www.dewahost.com

joe · October 4, 2006, 5:31am

I was hosting with site5 but their support was terrible I finally had to
cancel service, they never responded to support questions. I finally
spent
some money a dedicated host running rails on suse linux with redplaid
hosting and it has been so much more reliable.

joe · October 4, 2006, 6:07am

On 10/3/06, Joe R. [email protected] wrote:

and here is the output of iptables -L…

DROP tcp – anywhere anywhere tcp
flags:FIN,SYN/FIN,SYN

Take a look at that rule, near the top of the INPUT chain. That tells me
that you won’t be able to accept TCP connections because you’ve turned
down
any packet with the SYN flag set. Have you tried adding some LOG rules
to
your config so you can tell what’s going on?

I don’t know much about “KISS” but I think with a bit of research you
can
write yourself a far simpler iptables config that will be just as secure
as
this purportedly is.

joe · October 4, 2006, 7:23am

Looks like they have the same problem as site5. Will they allow me to
run
edge rails under apache 2.2 with mysql 5.0? It doesn’t look like it from
their website. If I wanted to host some simple kindergarten website it
looks ok, but I want to exploit the full power of rails, only way I’ve
been
able to accomplish that is a dedicated host. For now I think I’ll stay
at
redplaid, less headaches and better support and even better SUSE has a
built in encrypted filesystem that just works. It makes my job of
securing
our data much easier.

joe · October 4, 2006, 6:09am

On 10/3/06, Joe R. [email protected] wrote:

Sorry, I meant you won’t be able to complete TCP connections that you
initiate.

joe · October 4, 2006, 8:34am

Not sure what is going on with this thread but hopefully this post makes
it to the correct location…

I checked the logs and all it says is basically that NET::HTTP cannot
resolve the host, so there isn’t enough information to figure out
exactly why the connection is failing. I will give the SYN flag a try
and also look into understanding iptables on my own without the KISS
script. Thanks again for your help.

Francis C. wrote:

On 10/3/06, Joe R. [email protected] wrote:

Sorry, I meant you won’t be able to complete TCP connections that you
initiate.

joe · October 4, 2006, 9:36am

I tried removing the SYN rules and various other ones with no luck. I
also tried allowing all outgoing ports above 10000 with no luck. However
when I allowed outgoing ports below 10000 it worked. Not sure why yet
but I will attempt to figure out the exact port it needs a little later.

Joe R. wrote:

Not sure what is going on with this thread but hopefully this post makes
it to the correct location…

I checked the logs and all it says is basically that NET::HTTP cannot
resolve the host, so there isn’t enough information to figure out
exactly why the connection is failing. I will give the SYN flag a try
and also look into understanding iptables on my own without the KISS
script. Thanks again for your help.

Francis C. wrote:

On 10/3/06, Joe R. [email protected] wrote:

Sorry, I meant you won’t be able to complete TCP connections that you
initiate.

joe · October 4, 2006, 11:46am

Joe R. wrote:

Not sure what is going on with this thread but hopefully this post makes
it to the correct location…

I checked the logs and all it says is basically that NET::HTTP cannot
resolve the host,

In that case, look into how your system resolves names into IP
addresses. Do
you have a local name server or do you rely on your ISP’s name server?
Is
the required port(s) open?

so there isn’t enough information to figure out
exactly why the connection is failing.

There is enough to know the problem is name resolution.