Difference between revisions of "Iptables"

From Nuclear Physics Group Documentation Pages

Revision as of 13:56, 4 June 2009

Iptables

Very Advanced Sysadmins Only!!!

Make sure you DOCUMENT every tiny little change you make!!!
OK, I am done yelling at you, but seriously, this is where we have made many mistakes, and they can be very serious, either locking people out or blowing our security wide open. These configurations are very powerful and thus very dangerous.

Introduction

iptables is the standard Red Hat / Linux firewall. The usual way to configure it is through the GUI tools, but BEWARE: we have a customized setup, so do not use the GUIs. The GUI tools write out their own complete rule set and know nothing about our netgroup chains, so running them throws the customizations away. The reason for the customization is that it lets us use netgroups, i.e. we pull lists of system names from the LDAP database and allow certain services to every system in that list. The other reason not to use the GUI is that it makes it too easy to think you know what you are doing while you have no clue.

The LDAP Connection

To get a set of rules from LDAP we have a custom Perl script that builds them from the "Netgroup" part of the LDAP tree. This subtree holds a number of entries of object class nisNetgroup (and top), each containing a set of nisNetgroupTriple values (a triple is (host,user,domain); only the host part matters here). For each such netgroup the script /usr/local/bin/netgroup2iptables.pl creates a corresponding iptables chain. To see the rules it would add to the iptables, type:

/usr/local/bin/netgroup2iptables.pl -v -dump

For the proper functioning of our iptables it is therefore essential that the LDAP server is running and a connection to it can be made; without it the netgroup chains never get their ACCEPT rules and the access they grant is lost. After the iptables are started the init system then needs to execute:

/etc/init.d/iptables-netgroups start

(On some systems this will be called "iptables-npg").

For each nisNetgroupTriple in each netgroup you then get a new iptables rule of the form:

iptables -A accept-@table_name -s system-ip -j ACCEPT

Because we are dealing with iptables, a line can also add a jump (-j) to another chain. This is done by adding a non-blank memberNisNetgroup attribute to the LDAP entry. Instead of an ACCEPT rule this produces a jump into the chain of that other netgroup. So the attribute "memberNisNetgroup: specials" on the entry "cn=supersystems" makes the iptables rule:

iptables -A accept-@supersystems -j accept-@specials

This lets us chain the netgroups: make one netgroup with all the servers, then write one rule in the static rule file that sends, say, NFS and MySQL traffic to the accept-@servers chain, without re-listing every system that counts as a server. Note that a jump is an inclusion, not a replacement: if no rule in accept-@specials matches, evaluation returns to accept-@supersystems and continues with its next rule.
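As an added illustration (this is not the NPG netgroup2iptables.pl, whose source is not shown on this page), the shell script below turns nisNetgroup entries into exactly the accept-@ chains described above. The LDIF text and the hostname-to-address table in it are constructed for the example, so it runs offline; the real script reads the entries from LDAP and resolves hostnames itself. It goes one step beyond the text: it creates every chain before emitting any jump, and warns about a memberNisNetgroup that names a netgroup with no chain, since an iptables -j to a chain that does not exist fails.

```shell
#!/bin/sh
# Added example, not the NPG netgroup2iptables.pl: build accept-@<cn> chains
# from nisNetgroup entries. Rules are printed, not executed, so the output
# can be reviewed (or piped to sh) by hand.

# Constructed LDIF standing in for the ou=Netgroup subtree in LDAP.
# "supersystems" lists one host of its own and pulls in "specials" via
# memberNisNetgroup, which becomes a jump between the two chains.
NETGROUPS='
dn: cn=servers,ou=Netgroup,dc=example,dc=org
objectClass: nisNetgroup
cn: servers
nisNetgroupTriple: (pepper,-,)
nisNetgroupTriple: (einstein,-,)

dn: cn=specials,ou=Netgroup,dc=example,dc=org
objectClass: nisNetgroup
cn: specials
nisNetgroupTriple: (tungsten,-,)

dn: cn=supersystems,ou=Netgroup,dc=example,dc=org
objectClass: nisNetgroup
cn: supersystems
nisNetgroupTriple: (pepper,-,)
memberNisNetgroup: specials
'

# Print the iptables commands for every netgroup in $NETGROUPS.
netgroup_rules() {
    printf '%s\n' "$NETGROUPS" | awk '
        # Hypothetical host -> address table standing in for DNS/LDAP lookups.
        BEGIN { ip["pepper"] = "10.0.0.11"; ip["einstein"] = "10.0.0.12"; ip["tungsten"] = "10.0.0.13" }
        /^cn: / { cn = $2; if (!(cn in seen)) { seen[cn] = 1; order[++n] = cn } }
        /^nisNetgroupTriple: / {
            # a triple is (host,user,domain); only the host part matters here
            t = $2; gsub(/[()]/, "", t); split(t, f, ",")
            if (f[1] != "") hosts[cn] = hosts[cn] " " f[1]
        }
        /^memberNisNetgroup: / { members[cn] = members[cn] " " $2 }
        END {
            # create every chain first: a -j to a chain that does not exist yet is an error
            for (i = 1; i <= n; i++) print "iptables -N accept-@" order[i]
            for (i = 1; i <= n; i++) {
                chain = "accept-@" order[i]
                nh = split(hosts[order[i]], h, " ")
                for (j = 1; j <= nh; j++) {
                    if (h[j] in ip) print "iptables -A " chain " -s " ip[h[j]] " -j ACCEPT"
                    else print chain ": cannot resolve " h[j] ", rule skipped" > "/dev/stderr"
                }
                nm = split(members[order[i]], g, " ")
                for (j = 1; j <= nm; j++) {
                    if (g[j] in seen) print "iptables -A " chain " -j accept-@" g[j]
                    else print chain ": memberNisNetgroup " g[j] " has no chain, jump skipped" > "/dev/stderr"
                }
            }
        }'
}

# Number of -A rules that would be loaded; a quick sanity check before applying.
netgroup_rule_count() {
    netgroup_rules 2>/dev/null | grep -c '^iptables -A '
}

netgroup_rules
```

Run it as `sh netgroups.sh` to see the commands; for the sample above the last line is the jump `iptables -A accept-@supersystems -j accept-@specials` from the text, preceded by the three `-N` chain creations.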

Note that the BACKUP SYSTEM makes use of the same netgroups! So adding a new "server" also causes the backup system to try to connect to that server.

Note that the scripts will not work if the Perl Net::LDAP module (LDAP.pm) is not installed. Install it with:

 yum install perl-LDAP
 # OR if this is not available:
 perl -MCPAN -e 'install Net::LDAP'


Configuration

The normal configuration for iptables lives in /etc/sysconfig/iptables and /etc/sysconfig/iptables-config; the startup script is /etc/init.d/iptables.

We have customizations as follows:

  • /etc/init.d/iptables-netgroups This script runs /usr/local/bin/netgroup2iptables.pl. (On some systems it is called /etc/init.d/iptables-npg, which is a bit confusing and is to be fixed.)
  • /usr/local/bin/netgroup2iptables.pl A Perl script that pulls the netgroup information from LDAP. It uses iptables-save (a system command) to read the currently loaded rules before adding the netgroup chains.
  • /etc/sysconfig/iptables-npg The rule file that /etc/sysconfig/iptables-config points the startup script at, in place of the default /etc/sysconfig/iptables.

So new rules for allowing access must be put into /etc/sysconfig/iptables-npg by hand, and you must never run "/etc/init.d/iptables save" (or "service iptables save"): it dumps the live rule set, LDAP-generated accept-@ chains included, back into the rule file, so the generated rules get frozen into the static file, where they go stale and are no longer under LDAP control.

Iptables Details

iptables is an incredibly powerful system that allows filtering, forwarding and all sorts of fancy stuff. With sufficient smarts it can be used to create tunnels, port forwards and all kinds of weirdness. Since we don't want weirdness, please control yourself and don't write rules that say "forward all the http traffic on pepper to einstein"!

The basic functionality of iptables is contained in its tables (filter, nat, mangle), each of which holds "chains" of rules. A packet flows through a chain rule by rule until it hits one that matches; that rule's target (-j) either ends the evaluation with a verdict such as ACCEPT, DROP or REJECT, or jumps into another, user-defined chain, from which evaluation returns to the next rule of the calling chain if nothing in it matches. The main

NOTE: Change the lines:
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -i ! eth0 -s 10.0.0.0/24 -j REJECT --reject-with icmp-net-prohibited
to eth0 or eth1, whichever NIC is looking at the FARM NET. Both lines must name the same interface: the first accepts everything arriving on the farm-net NIC, the second rejects packets that claim a farm-net (10.0.0.0/24) source address but arrive on any other interface, i.e. spoofed farm addresses. If the two disagree, spoofed farm-net packets on the other interface slip past the REJECT and continue down the INPUT chain. (The "-i ! eth0" form is the negation syntax of the iptables version shipped with this Red Hat release; newer iptables write it as "! -i eth0".)

Note that this setup has a known weakness: /etc/sysconfig/iptables-npg can be corrupted by running "/etc/init.d/iptables save", because save writes the live rule set, LDAP-generated chains included, over the hand-maintained file.
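To make the two warnings on this page checkable, here is an added example (not an NPG script) of a POSIX sh lint for the static rule file. It flags per-host accept-@ ACCEPT rules frozen into the file, which is what an /etc/init.d/iptables save leaves behind, and a farm-net ACCEPT and anti-spoof REJECT that name different interfaces. The two sample rule files are constructed for the example; the layout assumed is iptables-save format with the accept-@ chains declared empty in the file and filled from LDAP at start-up, which is an assumption about how iptables-npg is laid out, not something the page states.

```shell
#!/bin/sh
# Added example, not an NPG script: lint a static iptables rule file
# (iptables-save format, as /etc/sysconfig/iptables-npg is assumed to be)
# for the two mistakes this page warns about.

# Farm-net subnet as used in the INPUT rules above, escaped for sed patterns.
FARM_NET='10\.0\.0\.0\/24'

# Usage: lint_npg_rules FILE ; exit status 0 = clean, 1 = problems (printed)
lint_npg_rules() {
    f="$1"; rc=0

    # 1. Per-host "-A accept-@<group> -s <ip> -j ACCEPT" rules are generated
    #    from LDAP at start-up. Finding them in the static file means a
    #    "/etc/init.d/iptables save" froze a snapshot of the live rules into it.
    if grep -q '^-A accept-@[^ ]* -s ' "$f"; then
        echo "FAIL: $f contains LDAP-generated accept-@ host rules (result of a save)"
        rc=1
    fi

    # 2. The farm-net ACCEPT and the anti-spoof REJECT must name the same NIC.
    #    Loopback is skipped so "-i lo -j ACCEPT" does not count as the farm NIC.
    #    Both the old "-i ! ethN" and the newer "! -i ethN" spellings are accepted.
    acc=$(sed -n -e '/ -i lo /d' \
                 -e 's/^-A INPUT -i \([a-z0-9]*\) -j ACCEPT$/\1/p' "$f")
    rej=$(sed -n -e "s/^-A INPUT -i ! \([a-z0-9]*\) -s $FARM_NET -j REJECT.*/\1/p" \
                 -e "s/^-A INPUT ! -i \([a-z0-9]*\) -s $FARM_NET -j REJECT.*/\1/p" "$f")
    if [ -z "$acc" ] || [ -z "$rej" ]; then
        echo "FAIL: farm-net ACCEPT or anti-spoof REJECT rule missing in $f"
        rc=1
    elif [ "$acc" != "$rej" ]; then
        echo "FAIL: farm-net traffic accepted on $acc but anti-spoof REJECT exempts $rej"
        rc=1
    fi
    return $rc
}

# Constructed sample: a clean hand-maintained file. The accept-@servers chain
# is declared empty here and filled from LDAP at start-up (assumed layout).
GOOD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:accept-@servers - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ! eth0 -s 10.0.0.0/24 -j REJECT --reject-with icmp-net-prohibited
-A INPUT -p tcp -m tcp --dport 2049 -j accept-@servers
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample: the same file after a "save" (generated host rules
# frozen in) and with the REJECT line left pointing at the wrong NIC.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:accept-@servers - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ! eth1 -s 10.0.0.0/24 -j REJECT --reject-with icmp-net-prohibited
-A INPUT -p tcp -m tcp --dport 2049 -j accept-@servers
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A accept-@servers -s 10.0.0.11 -j ACCEPT
-A accept-@servers -s 10.0.0.12 -j ACCEPT
COMMIT'

# Write a sample to a temp file, lint it, report. $1 = label, $2 = rule text.
check_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$2" > "$tmp"
    if lint_npg_rules "$tmp"; then echo "$1: clean"; else echo "$1: problems found"; fi
    rm -f "$tmp"
}

check_sample good "$GOOD_RULES"
check_sample bad  "$BAD_RULES"
```

Against the real system, run `lint_npg_rules /etc/sysconfig/iptables-npg` after every edit and before a restart; a non-zero exit means the file needs fixing by hand before iptables is reloaded.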