mudmanc4

Locked out using iptables


Since I've not been absent-minded enough in the past to actually lock myself out of a server (aside from those younger days of 'forgetting the root pass'), this is a first for me. Yes, I'm a locked-out virgin. Special, hey?

And don't do this if you want continued access via root, or anything else. Sure, HTTP and HTTPS are available for public-facing use, but that's it.

So, I ran:

# Allow everything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
# Reject packets claiming a loopback destination that did not arrive on lo
# (extrapositioned "! -i lo" is the current syntax; "-i ! lo" is deprecated)
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Allow replies to connections this host already has open
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
iptables -A OUTPUT -j ACCEPT
# Public services: HTTP and HTTPS only
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Answer ICMP echo requests (ping)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Catch-all: anything not accepted above (no SSH rule exists) is rejected
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

 

After saving iptables permanently, I opened another shell and logged in with the new user (also created to take the place of root, with the proper permissions); login was fine for that user.

After reboot I realized what I had mistakenly forgotten in the chain. See it? lol. Yes, that's right, the SSH port. Duh, me? And a couple of other things that render the host's reporting scripts locked out. Ah yes, there it is. Dummy, lol.

As I can see it, the only way to get access would be to have the host flush iptables from the main server node as root. Yes, no? Ideas?
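As an added sanity check (my own code, not from the post), here is a small Python model of the INPUT chain above: it parses the rules as posted, walks them in order for a fresh TCP connection arriving on the public interface, and shows the SSH verdict flipping once the missing port-22 ACCEPT sits ahead of the final REJECT. It models only the matches the post uses (interface, destination, protocol, dport, conntrack state, ICMP type); the public interface name eth0 and the address 203.0.113.10 are assumptions.

```python
import ipaddress
import shlex
# Constructed copy of the INPUT rules from the post above (the set that locked SSH out).
POSTED_RULES = """
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -j REJECT
"""
# Same rules with the forgotten management-port ACCEPT placed ahead of the final REJECT.
FIXED_RULES = POSTED_RULES.replace("iptables -A INPUT -j REJECT",
    "iptables -A INPUT -p tcp --dport 22 -j ACCEPT\niptables -A INPUT -j REJECT")

def parse_chain(script, chain="INPUT"):
    """Turn 'iptables -A <chain> ...' lines into ordered {option: (value, negated)} dicts."""
    rules = []
    for line in script.strip().splitlines():
        argv = shlex.split(line)
        if argv[:3] != ["iptables", "-A", chain]:
            continue
        rule, i = {}, 3
        while i < len(argv):
            negated = argv[i] == "!"  # modern '! -i lo' form; every option here takes one value
            i += negated
            rule[argv[i]] = (argv[i + 1], negated)
            i += 2
        rules.append(rule)
    return rules

def rule_matches(rule, pkt):
    """Evaluate the match options used on this page; -m and -j are not matches and are skipped."""
    tests = {
        "-i": lambda v: pkt["iface"] == v,
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v),
        "-p": lambda v: pkt["proto"] == v,
        "--dport": lambda v: pkt.get("dport") == int(v),
        "--state": lambda v: pkt["state"] in v.split(","),
        "--icmp-type": lambda v: pkt.get("icmp_type") == int(v),
    }
    return all(tests[o](v) != neg for o, (v, neg) in rule.items() if o in tests)

def new_tcp_verdict(script, port, iface="eth0"):
    """Fate of a fresh TCP connection (state NEW) to <port> on the public interface: the first
    matching rule wins, as in the kernel, and 'POLICY' means the chain default would apply."""
    syn = {"iface": iface, "dst": "203.0.113.10", "proto": "tcp", "dport": port, "state": "NEW"}
    return next((r["-j"][0] for r in parse_chain(script) if rule_matches(r, syn)), "POLICY")
```

Running new_tcp_verdict(POSTED_RULES, 22) before iptables-save would have flagged the lockout; the same walk with FIXED_RULES accepts port 22.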


lol yes.

Good thing I had a snapshot. As if it mattered; this is a testing environment at the moment. Already back coasting along. I did not bother contacting the host about the non-working KVM or to have them administer the box for me; I just scratched it and re-imaged.

They use PPTP, which afaik has been deprecated and is insecure, so chances are they simply have not taken it off the options. Kind of false advertising, though, if in fact that's the case and not something I don't know.

Similar Content

By mudmanc4
Simple, right? Drop your config in the openvpn directory, not forgetting auth-user-pass /dir/to/foo within the conf file, and the VPN will start on boot.
Not so much. Thanks to systemd (as I understand it at this point), which I do not even see any realistic reason for at this point.

Manually start the connection, right? openvpn config.conf (or whatever name and flags you desire or require).

Now this all works out of the box on Debian, that special flavor I find myself using as a daily OS.

Add openSUSE 42.1: poof, zilch. Sure, the VPN makes the connection, yet no traffic. Right off the bat this explains a firewall, aka iptables will require masquerading. No problem, right? That's where I've hit the wall. So I flush all iptables by running vi flush-iptables.sh:

#!/bin/sh
echo "Flushing iptables rules..."
sleep 1
# Flush every rule and delete user-defined chains in the filter, nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Reset the built-in chain policies to ACCEPT so nothing is blocked by default
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Then make the script executable:
chmod +x flush-iptables.sh
And run the script:
./flush-iptables.sh

Now I need to open a few things up so I use this script to allow the VPN through:
vi openvpn-iptables.sh

Then:

#!/bin/sh
# Accept responses to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Respond to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Accept traceroutes
iptables -A INPUT -p udp -m udp --dport 34000:35000 -j ACCEPT
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow all TUN
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
# Accept connections on 34448
iptables -A INPUT -p udp --dport 34448 -j ACCEPT
# Apply forwarding: keep existing flows, allow the 10.10.2.0/24 subnet, reject the rest
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.10.2.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
# NAT the 10.10.2.0/24 subnet behind eth0
iptables -t nat -A POSTROUTING -s 10.10.2.0/24 -o eth0 -j MASQUERADE
# Display
iptables -L -v

Make the file executable:
chmod +x openvpn-iptables.sh

Run it:
./openvpn-iptables.sh

Run iptables-save (as root) for persistence.
Should be good to go, but I've gone wrong somewhere.
       
The VPN connects, but does not masquerade nor forward through eth0; checking Wireshark, it's as bland as bland, shows the connections to the VPN server but that's about it. Kills eth0 (I have not set only for network in the vpn config) but that matters not in this situation.

Anyone complete this solution?

EDIT:
The config file works flawlessly on two other machines locally, OSX as well as Debian.
I've tried using the Network Manager GUI in GNOME, as well as wicked, no such luck; something is overriding iptables, or I have them completely incorrect.

Here is the display:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target      prot opt in     out    source     destination
   64  5568 ACCEPT      all  --  lo     any    anywhere   anywhere
 946K 1228M ACCEPT      all  --  any    any    anywhere   anywhere   ctstate ESTABLISHED
  135  9180 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED
    0     0 input_int   all  --  tun0   any    anywhere   anywhere
 1466 61996 input_ext   all  --  any    any    anywhere   anywhere
    0     0 LOG         all  --  any    any    anywhere   anywhere   limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
    0     0 DROP        all  --  any    any    anywhere   anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target      prot opt in     out    source     destination
    0     0 TCPMSS      tcp  --  any    any    anywhere   anywhere   tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    0     0 forward_int all  --  tun0   any    anywhere   anywhere
    0     0 forward_ext all  --  eth0   any    anywhere   anywhere
    0     0 forward_ext all  --  wlan0  any    anywhere   anywhere
    0     0 LOG         all  --  any    any    anywhere   anywhere   limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "
    0     0 DROP        all  --  any    any    anywhere   anywhere

Chain OUTPUT (policy ACCEPT 610K packets, 58M bytes)
 pkts bytes target      prot opt in     out    source     destination
   64  5568 ACCEPT      all  --  any    lo     anywhere   anywhere

Chain forward_ext (2 references)
 pkts bytes target      prot opt in     out    source     destination
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED,ESTABLISHED icmp echo-reply
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED,ESTABLISHED icmp destination-unreachable
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED,ESTABLISHED icmp time-exceeded
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED,ESTABLISHED icmp parameter-problem
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED,ESTABLISHED icmp timestamp-reply
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED,ESTABLISHED icmp address-mask-reply
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED,ESTABLISHED icmp protocol-unreachable
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED,ESTABLISHED icmp redirect
    0     0 ACCEPT      all  --  eth0   tun0   anywhere   anywhere   ctstate RELATED,ESTABLISHED
    0     0 ACCEPT      all  --  wlan0  tun0   anywhere   anywhere   ctstate RELATED,ESTABLISHED
    0     0 DROP        all  --  any    any    anywhere   anywhere   PKTTYPE = multicast
    0     0 DROP        all  --  any    any    anywhere   anywhere   PKTTYPE = broadcast
    0     0 LOG         tcp  --  any    any    anywhere   anywhere   limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-FWDext-DROP-DEFLT "
    0     0 LOG         icmp --  any    any    anywhere   anywhere   limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWDext-DROP-DEFLT "
    0     0 LOG         udp  --  any    any    anywhere   anywhere   limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-FWDext-DROP-DEFLT "
    0     0 DROP        all  --  any    any    anywhere   anywhere

Chain forward_int (1 references)
 pkts bytes target      prot opt in     out    source     destination
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED,ESTABLISHED icmp echo-reply
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED,ESTABLISHED icmp destination-unreachable
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED,ESTABLISHED icmp time-exceeded
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED,ESTABLISHED icmp parameter-problem
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED,ESTABLISHED icmp timestamp-reply
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED,ESTABLISHED icmp address-mask-reply
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED,ESTABLISHED icmp protocol-unreachable
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   ctstate RELATED,ESTABLISHED icmp redirect
    0     0 ACCEPT      all  --  tun0   eth0   anywhere   anywhere   ctstate NEW,RELATED,ESTABLISHED
    0     0 ACCEPT      all  --  tun0   wlan0  anywhere   anywhere   ctstate NEW,RELATED,ESTABLISHED
    0     0 DROP        all  --  any    any    anywhere   anywhere   PKTTYPE = multicast
    0     0 DROP        all  --  any    any    anywhere   anywhere   PKTTYPE = broadcast
    0     0 LOG         tcp  --  any    any    anywhere   anywhere   limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-FWDint-DROP-DEFLT "
    0     0 LOG         icmp --  any    any    anywhere   anywhere   limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWDint-DROP-DEFLT "
    0     0 LOG         udp  --  any    any    anywhere   anywhere   limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-FWDint-DROP-DEFLT "
    0     0 reject_func all  --  any    any    anywhere   anywhere

Chain input_ext (1 references)
 pkts bytes target      prot opt in     out    source     destination
    0     0 DROP        all  --  any    any    anywhere   anywhere   PKTTYPE = broadcast
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   icmp source-quench
    0     0 ACCEPT      icmp --  any    any    anywhere   anywhere   icmp echo-request
   33  4340 DROP        all  --  any    any    anywhere   anywhere   PKTTYPE = multicast
    0     0 DROP        all  --  any    any    anywhere   anywhere   PKTTYPE = broadcast
    0     0 LOG         tcp  --  any    any    anywhere   anywhere   limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
    0     0 LOG         icmp --  any    any    anywhere   anywhere   limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
    4   388 LOG         udp  --  any    any    anywhere   anywhere   limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
 1433 57656 DROP        all  --  any    any    anywhere   anywhere

Chain input_int (1 references)
 pkts bytes target      prot opt in     out    source     destination
    0     0 ACCEPT      all  --  any    any    anywhere   anywhere

Chain reject_func (1 references)
 pkts bytes target      prot opt in     out    source     destination
    0     0 REJECT      tcp  --  any    any    anywhere   anywhere   reject-with tcp-reset
    0     0 REJECT      udp  --  any    any    anywhere   anywhere   reject-with icmp-port-unreachable
    0     0 REJECT      all  --  any    any    anywhere   anywhere   reject-with icmp-proto-unreachable
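The listing above is worth reading mechanically before guessing at the cause: none of the rules openvpn-iptables.sh appends (the tun+ ACCEPTs, the UDP 34448 ACCEPT) appear in it, while the input_ext/input_int/forward_ext/forward_int jumps and the "SFW2-" log prefixes are SuSEfirewall2's own chains. Here is an added Python check (my code, not from the post) that parses an iptables -L -v listing and reports both facts; the excerpt of the display it embeds is constructed from the chains shown above, trimmed to the INPUT and FORWARD chains.

```python
# Constructed excerpt of the `iptables -L -v` display above (SuSEfirewall2 chains, no script rules).
LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   64  5568 ACCEPT     all  --  lo     any     anywhere             anywhere
 946K 1228M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate ESTABLISHED
    0     0 input_int  all  --  tun0   any     anywhere             anywhere
 1466 61996 input_ext  all  --  any    any     anywhere             anywhere
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forward_int all --  tun0   any     anywhere             anywhere
    0     0 forward_ext all --  eth0   any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere
"""
COLUMNS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")

def parse_listing(text):
    """Map each chain name to its rules; the free-form match text after the columns goes under 'extra'."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line.strip() and not line.lstrip().startswith("pkts"):
            fields = line.split(None, len(COLUMNS))
            rule = dict(zip(COLUMNS, fields))
            rule["extra"] = fields[len(COLUMNS)] if len(fields) > len(COLUMNS) else ""
            chains[current].append(rule)
    return chains

def has_rule(chains, chain, want):
    """True if some rule in <chain> carries every column value in <want>, e.g. {"target": "ACCEPT", "in": "tun+"}."""
    return any(all(r.get(k) == v for k, v in want.items()) for r in chains.get(chain, []))

def distro_firewall_active(chains):
    """SuSEfirewall2 leaves a signature: jumps into its input_*/forward_* chains and 'SFW2-' log prefixes."""
    return any(r["target"].startswith(("input_", "forward_")) or "SFW2-" in r["extra"]
               for rules in chains.values() for r in rules)

def script_rules_applied(chains):
    """Did the two interface rules from openvpn-iptables.sh above (INPUT -i tun+, FORWARD -o tun+) land?"""
    return (has_rule(chains, "INPUT", {"target": "ACCEPT", "in": "tun+"})
            and has_rule(chains, "FORWARD", {"target": "ACCEPT", "out": "tun+"}))
```

On the posted display script_rules_applied() is False and distro_firewall_active() is True, which is the combination to look for when a hand-written ruleset seems to be ignored.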