IPTABLES and SFTP

Section: Configuration 12.02.2015 | 15:27
djkowi Raspbian / Debian / Xbian User

Hi,
I'd like to ask you for help.

From my application I access a remote SFTP server (port 22) using the JSCH library. The problem occurs when I try to drop all incoming (INPUT) traffic in IPTABLES. After loading the rules (iptables-restore), communicating with the SFTP server takes about 2 minutes.
I tried allowing port 22, but without success.

Can you advise me what I should focus on?

Thank you.

# Generated by iptables-save v1.4.14 on Thu Feb 12 10:43:35 2015
*filter
:INPUT DROP [30:2635]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:608]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state NEW -j ACCEPT
-A INPUT -s 10.10.10.2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
-A LOGGING -j DROP
COMMIT
# Completed on Thu Feb 12 10:43:35 2015
    • RE: IPTABLES and SFTP 12.02.2015 | 15:33
      Andrej Lacho Debian, CentOS ... Administrator

      Post the logs at least.

    • RE: IPTABLES and SFTP 12.02.2015 | 16:35
      ll Guest

      and what do you want to achieve, it isn't at all clear to me from your question

    • RE: IPTABLES and SFTP 13.02.2015 | 09:15
      djkowi Raspbian / Debian / Xbian User

      I'm trying to block all inbound traffic. After enabling the IPTABLES rule, everything inbound gets dropped, but logging in to the remote SFTP server from this device takes about 2 minutes (I assume until some timeout expires).

      Feb 13 08:00:47 raspberrypi kernel: [  113.885837] ip_tables: (C) 2000-2006 Netfilter Core Team
      Feb 13 08:00:47 raspberrypi kernel: [  113.926619] nf_conntrack version 0.5.0 (11912 buckets, 47648 max)
      Feb 13 08:00:54 raspberrypi kernel: [  120.811413] IPTables-Dropped: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58230 DF PROTO=TCP SPT=41149 DPT=34257 WINDOW=43690 RES=0x00 SYN URGP=0 
      Feb 13 08:00:55 raspberrypi kernel: [  121.819031] IPTables-Dropped: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58231 DF PROTO=TCP SPT=41149 DPT=34257 WINDOW=43690 RES=0x00 SYN URGP=0 
      Feb 13 08:00:57 raspberrypi kernel: [  123.828997] IPTables-Dropped: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58232 DF PROTO=TCP SPT=41149 DPT=34257 WINDOW=43690 RES=0x00 SYN URGP=0 
      Feb 13 08:01:01 raspberrypi kernel: [  127.839049] IPTables-Dropped: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58233 DF PROTO=TCP SPT=41149 DPT=34257 WINDOW=43690 RES=0x00 SYN URGP=0 
      Feb 13 08:01:09 raspberrypi kernel: [  135.849093] IPTables-Dropped: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58234 DF PROTO=TCP SPT=41149 DPT=34257 WINDOW=43690 RES=0x00 SYN URGP=0 
      Feb 13 08:01:25 raspberrypi kernel: [  151.889082] IPTables-Dropped: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58235 DF PROTO=TCP SPT=41149 DPT=34257 WINDOW=43690 RES=0x00 SYN URGP=0 
      Feb 13 08:01:56 raspberrypi kernel: [  182.935743] IPTables-Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:5d:1d:43:94:08:00:45:00:00:44:0d:fe:00:00:80:11:18:97 SRC=10.10.10.11 DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=3582 PROTO=UDP SPT=49163 DPT=1947 LEN=48 
      Feb 13 08:02:34 raspberrypi kernel: [  221.159101] IPTables-Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:5d:1d:43:94:08:00:45:00:00:44:0e:14:00:00:80:11:18:81 SRC=10.10.10.11 DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=3604 PROTO=UDP SPT=49163 DPT=1947 LEN=48 
      Feb 13 08:03:13 raspberrypi kernel: [  259.789200] IPTables-Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:5d:1d:43:94:08:00:45:00:00:44:0e:1c:00:00:80:11:18:79 SRC=10.10.10.11 DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=3612 PROTO=UDP SPT=49163 DPT=1947 LEN=48 
    • RE: IPTABLES and SFTP 13.02.2015 | 11:15
      bedňa LegacyIce-antiX Administrator

      -A INPUT -p tcp --dport 22 -j ACCEPT

      This message contains no virus, because I don't use MS Windows. http://kernelultras.org
    • RE: IPTABLES and SFTP 13.02.2015 | 16:12
      djkowi Raspbian / Debian / Xbian User

      thanks, but no change. 192.168.1.14 is my notebook... the only thing I see in the log is localhost. After allowing 127.0.0.1 the connection to the remote SFTP works, of course, but I can just as well connect to the other ports too.

      :INPUT DROP [30:2635]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [8:608]
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p icmp -m state --state NEW -j ACCEPT
      -A INPUT -p tcp --dport 22 -j ACCEPT

      Feb 13 15:02:23 raspberrypi kernel: [  236.004666] IPTables-Dropped: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55428 DF PROTO=TCP SPT=39407 DPT=59310 WINDOW=43690 RES=0x00 SYN URGP=0 
      Feb 13 15:02:24 raspberrypi kernel: [  236.999215] IPTables-Dropped: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55429 DF PROTO=TCP SPT=39407 DPT=59310 WINDOW=43690 RES=0x00 SYN URGP=0 
      Feb 13 15:02:26 raspberrypi kernel: [  238.999209] IPTables-Dropped: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55430 DF PROTO=TCP SPT=39407 DPT=59310 WINDOW=43690 RES=0x00 SYN URGP=0 
      Feb 13 15:02:27 raspberrypi kernel: [  240.468923] IPTables-Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:b8:27:eb:4b:dc:c3:08:00:45:00:00:c8:3c:56:40:00:40:11:79:71 SRC=192.168.1.14 DST=192.168.1.255 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=15446 DF PROTO=UDP SPT=631 DPT=631 LEN=180 
      Feb 13 15:02:28 raspberrypi kernel: [  241.473403] IPTables-Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:b8:27:eb:4b:dc:c3:08:00:45:00:00:e8:3c:57:40:00:40:11:79:50 SRC=192.168.1.14 DST=192.168.1.255 LEN=232 TOS=0x00 PREC=0x00 TTL=64 ID=15447 DF PROTO=UDP SPT=631 DPT=631 LEN=212 
      Feb 13 15:02:54 raspberrypi kernel: [  267.089283] IPTables-Dropped: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55433 DF PROTO=TCP SPT=39407 DPT=59310 WINDOW=43690 RES=0x00 SYN URGP=0 
      Feb 13 15:03:26 raspberrypi kernel: [  299.169279] IPTables-Dropped: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55434 DF PROTO=TCP SPT=39407 DPT=59310 WINDOW=43690 RES=0x00 SYN URGP=0 
      Feb 13 15:04:01 raspberrypi kernel: [  333.781746] IPTables-Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:b8:27:eb:4b:dc:c3:08:00:45:00:00:c8:3c:5c:40:00:40:11:79:6b SRC=192.168.1.14 DST=192.168.1.255 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=15452 DF PROTO=UDP SPT=631 DPT=631 LEN=180 
      Feb 13 15:04:32 raspberrypi kernel: [  364.885243] IPTables-Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:b8:27:eb:4b:dc:c3:08:00:45:00:00:c8:3c:60:40:00:40:11:79:67 SRC=192.168.1.14 DST=192.168.1.255 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=15456 DF PROTO=UDP SPT=631 DPT=631 LEN=180 
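The kernel LOG lines above are the evidence the later replies act on: every TCP SYN being dropped arrives on lo, not on eth0. As an added example (not code from the thread), here is a small Python parser that turns such lines into per-interface, per-port drop counts and flags loopback drops, the symptom that an '-A INPUT -i lo -j ACCEPT' rule fixes; the sample lines are constructed after the ones quoted in the thread.

```python
from collections import Counter

LOG_PREFIX = "IPTables-Dropped: "

# Constructed sample lines modelled on the kernel log quoted in the thread.
SAMPLE_LOG = """\
Feb 13 15:02:23 raspberrypi kernel: [  236.004666] IPTables-Dropped: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55428 DF PROTO=TCP SPT=39407 DPT=59310 WINDOW=43690 RES=0x00 SYN URGP=0
Feb 13 15:02:24 raspberrypi kernel: [  236.999215] IPTables-Dropped: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55429 DF PROTO=TCP SPT=39407 DPT=59310 WINDOW=43690 RES=0x00 SYN URGP=0
Feb 13 15:02:27 raspberrypi kernel: [  240.468923] IPTables-Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:b8:27:eb:4b:dc:c3:08:00 SRC=192.168.1.14 DST=192.168.1.255 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=15446 DF PROTO=UDP SPT=631 DPT=631 LEN=180
Feb 13 15:02:30 raspberrypi sshd[1234]: Accepted publickey for pi from 192.168.1.14 port 50000 ssh2
"""

def parse_drop(line):
    """Return the KEY=value fields of one netfilter LOG line (plus a FLAGS set
    for value-less tokens such as DF or SYN), or None for any other line."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields, flags = {}, set()
    for tok in line[idx + len(LOG_PREFIX):].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # keep the IP-header LEN, not the later UDP LEN
        else:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields

def summarize(log_text):
    """Count drops per (in-interface, proto, dst port) and explain notable groups."""
    counts, notes = Counter(), {}
    for line in log_text.splitlines():
        f = parse_drop(line)
        if f is None:
            continue
        key = (f.get("IN", "?"), f.get("PROTO", "?"), f.get("DPT", "?"))
        counts[key] += 1
        if key[0] == "lo":
            # A local client talking to a local listener is being dropped: the
            # INPUT chain needs '-A INPUT -i lo -j ACCEPT' ahead of the DROP.
            notes[key] = "loopback %s -> %s:%s dropped; accept -i lo first" % (f.get("SRC"), f.get("DST"), key[2])
        elif f.get("DST", "").endswith(".255"):  # crude LAN-broadcast heuristic
            notes[key] = "broadcast %s/%s from %s dropped; LAN noise, unrelated to SFTP" % (key[1], key[2], f.get("SRC"))
    return counts, notes

if __name__ == "__main__":
    counts, notes = summarize(SAMPLE_LOG)
    for key, n in counts.most_common():
        print("%-5s %-4s dpt=%-6s %3d drop(s)  %s" % (key + (n, notes.get(key, ""))))
```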
      
    • RE: IPTABLES and SFTP 13.02.2015 | 16:56
      Lukáš Staňa Arch, CentOS, Debian User

      Just a shot in the dark, but try allowing loopback on INPUT; put this somewhere near the beginning:

      -A INPUT -i lo -j ACCEPT
    • RE: IPTABLES and SFTP 13.02.2015 | 16:58
      Lukáš Staňa Arch, CentOS, Debian User

      And the rule:

      -A INPUT -s 10.10.10.2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

      you can reduce to:

      -A INPUT -s 10.10.10.2 -m state --state NEW -j ACCEPT

      because RELATED,ESTABLISHED already matches in the first rule, so it's redundant and may confuse you

      • RE: IPTABLES and SFTP 13.02.2015 | 17:04
        djkowi Raspbian / Debian / Xbian User

        I removed that rule completely; I only had it there temporarily for testing

      • RE: IPTABLES and SFTP 13.02.2015 | 17:08
        djkowi Raspbian / Debian / Xbian User

        This is the state in which the application (on the Raspberry) connects to the (remote) SFTP server without delay, but at the same time I can also connect to the Raspberry (which is what I'm trying to prevent).

        # Generated by iptables-save v1.4.14 on Thu Feb 12 10:43:35 2015
        *filter
        :INPUT DROP [30:2635]
        :FORWARD ACCEPT [0:0]
        :OUTPUT ACCEPT [8:608]
        -A INPUT -i lo -j ACCEPT
        -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        -A INPUT -p icmp -m state --state NEW -j ACCEPT
        -N LOGGING
        -A INPUT -j LOGGING
        -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
        -A LOGGING -j DROP
        COMMIT
        # Completed on Thu Feb 12 10:43:35 2015

    • RE: IPTABLES and SFTP 13.02.2015 | 17:03
      djkowi Raspbian / Debian / Xbian User

      it still behaves the same - the application connects to SFTP quickly, but at the same time I can also connect to the device (which I want to eliminate).

      • RE: IPTABLES and SFTP 13.02.2015 | 22:16
        samalama Guest

        and what about

        iptables -nvL

        • RE: IPTABLES and SFTP 14.02.2015 | 10:49
          djkowi Raspbian / Debian / Xbian User

          the last rule I added here behaves exactly as I need, but only on the first load (I call iptables-restore from my application). After loading the rule allowing all traffic and then loading the rule blocking INPUT traffic again, it no longer works the way I need. Could the problem be somewhere here?

          # Generated by iptables-save v1.4.14 on Thu Feb 12 10:50:51 2015
          *mangle
          :PREROUTING ACCEPT [70:7529]
          :INPUT ACCEPT [70:7529]
          :FORWARD ACCEPT [0:0]
          :OUTPUT ACCEPT [55:11929]
          :POSTROUTING ACCEPT [55:11929]
          COMMIT
          # Completed on Thu Feb 12 10:50:51 2015
          # Generated by iptables-save v1.4.14 on Thu Feb 12 10:50:51 2015
          *nat
          :PREROUTING ACCEPT [16:1280]
          :INPUT ACCEPT [9:872]
          :OUTPUT ACCEPT [9:678]
          :POSTROUTING ACCEPT [9:678]
          COMMIT
          # Completed on Thu Feb 12 10:50:51 2015
          # Generated by iptables-save v1.4.14 on Thu Feb 12 10:50:51 2015
          *filter
          :INPUT ACCEPT [25:2590]
          :FORWARD ACCEPT [0:0]
          :OUTPUT ACCEPT [16:2296]
          COMMIT
          # Completed on Thu Feb 12 10:50:51 2015

          The loaded rule for blocking INPUT:

          pi@raspberrypi ~ $ sudo iptables -nvL
          Chain INPUT (policy DROP 0 packets, 0 bytes)
           pkts bytes target     prot opt in     out     source               destination
              6   328 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
             75  6355 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
              0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
              0     0 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0
          
          Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
           pkts bytes target     prot opt in     out     source               destination
          
          Chain OUTPUT (policy ACCEPT 110 packets, 15639 bytes)
           pkts bytes target     prot opt in     out     source               destination
          
          Chain LOGGING (1 references)
           pkts bytes target     prot opt in     out     source               destination
              0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 4 prefix "IPTables-Dropped: "
              0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
          
          • RE: IPTABLES and SFTP 14.02.2015 | 10:57
            djkowi Raspbian / Debian / Xbian User

            ok, thanks everyone for the help - the problem was that I was checking the traffic from an already connected application (putty) - after loading the rule, communication with SFTP works and new connection attempts to the Raspberry are blocked.

            -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
            If I understand correctly, this rule keeps the already established connections allowed.

            # Generated by iptables-save v1.4.14 on Thu Feb 12 10:43:35 2015
            *filter
            :INPUT DROP [30:2635]
            :FORWARD ACCEPT [0:0]
            :OUTPUT ACCEPT [8:608]
            -A INPUT -i lo -j ACCEPT
            -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
            -A INPUT -p icmp -m state --state NEW -j ACCEPT
            -N LOGGING
            -A INPUT -j LOGGING
            -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
            -A LOGGING -j DROP
            COMMIT
            # Completed on Thu Feb 12 10:43:35 2015

            Thanks again for the help.
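To show why the final ruleset behaves as described (replies to the Pi's own outgoing SFTP session pass, loopback works, and new inbound logins are dropped), here is an added Python model of the INPUT chain; it is not code from the thread, and it takes the conntrack state as a given packet attribute, which is an assumption, since the kernel derives that state from its own flow table.

```python
def rule(target, **match):
    """Build one INPUT rule: it matches a packet when every given field equals
    the packet's value; 'state' is a set of acceptable conntrack states."""
    def matches(pkt):
        for key, want in match.items():
            if key == "state":
                if pkt.get("state") not in want:
                    return False
            elif pkt.get(key) != want:
                return False
        return True
    return matches, target

# The thread's INPUT chain before the loopback rule was added ...
INPUT_BEFORE = [
    rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),
    rule("ACCEPT", proto="icmp", state={"NEW"}),
    rule("LOGGING"),  # matches everything left; LOGGING logs and then DROPs
]
# ... and the final chain, with '-A INPUT -i lo -j ACCEPT' in first place.
INPUT_AFTER = [rule("ACCEPT", iface="lo")] + INPUT_BEFORE

def evaluate(chain, pkt, policy="DROP"):
    """First matching rule wins; the LOGGING chain ends in DROP, so report DROP."""
    for matches, target in chain:
        if matches(pkt):
            return "DROP" if target == "LOGGING" else target
    return policy

# Constructed packets mirroring the situations in the thread. The conntrack
# state is supplied here as data (assumption); the kernel derives it itself.
PACKETS = {
    "loopback_syn": dict(iface="lo", proto="tcp", dport=59310, state="NEW"),
    "sftp_reply":   dict(iface="eth0", proto="tcp", sport=22, state="ESTABLISHED"),
    "notebook_ssh": dict(iface="eth0", proto="tcp", dport=22, state="NEW"),
    "cups_bcast":   dict(iface="eth0", proto="udp", dport=631, state="NEW"),
    "ping":         dict(iface="eth0", proto="icmp", state="NEW"),
}

def verdicts(chain):
    """Verdict of the chain for every sample packet."""
    return {name: evaluate(chain, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, chain in (("before", INPUT_BEFORE), ("after", INPUT_AFTER)):
        print(label, verdicts(chain))
```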