Find the answer to your Linux question:
Results 1 to 3 of 3
Hello all, I have an iptables script I set up; and I'm having one main issue. I want it to deny outbound access to all except the groups and users ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Apr 2009
    Posts
    5

    Help with custom iptables script


    Hello all,
    I have an iptables script I set up; and I'm having one main issue. I want it to deny outbound access to all except the groups and users specified, but I can still ping, etc. If someone could help me figure out where I"m going wrong, I'd really appriciate it, either with this or with other suggestions on the script. Below is the code.
    Code:
    #!/bin/bash
    #configuration settings:
    #DIR: the directory where configuration files are stored.
    DIR="/etc/firewall/"
    #TCPPorts: a list of ports to allow to the firewall.
    TCPPORTS="22"
    #UDPPorts: a list of ports to allow to the firewall.
    UDPPORTS=""
    
    #initialization functions.
    init()
    {
    echo "Running initialization functions and flushing firewall rules:"
    iptables -F
    iptables -Z
    iptables -X
    echo "Creating chains:"
    iptables -N oblacklist #output blacklist
    iptables -N iblacklist #input blacklist
    echo "Setting default policies:"
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    }
    
    #input blacklist
    iblacklist()
    {
    echo "Setting up input blacklist:"
    for i in `cat ${DIR}iblacklist`;do iptables -A iblacklist -m iprange --src-range ${i} -j DROP;done
    iptables -A iblacklist -j RETURN
    }
    
    #output blacklist
    oblacklist()
    {
    echo "Setting up output blacklist:"
    for i in `cat ${DIR}oblacklist`;do iptables -A oblacklist -m iprange --dst-range ${i} -j DROP;done
    iptables -A oblacklist -j RETURN
    }
    
    irule()
    {
    echo "Jumping to blacklist chain:"
    iptables -A INPUT -j iblacklist
    echo "Allowing for established packets:"
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo "Opening specified TCP ports:"
    for i in ${TCPPORTS};do echo "Opening TCP port ${i}";iptables -A INPUT -p tcp --dport ${i} -j ACCEPT;done
    echo "Opening specified UDP ports:"
    for i in ${UDPPORTS};do echo "Opening UDP port ${i}.";iptables -A INPUT -p udp --dport ${i} -j ACCEPT;done
    echo "Limiting ssh connections:"
    iptables -A INPUT -p tcp --dport 22 -m limit --limit 2/m -m state --state NEW -j ACCEPT
    echo "Limiting all other connections:"
    iptables -A INPUT -m state --state NEW -m limit --limit 20/m -j ACCEPT
    echo "Ignoring ICMP ping responses:"
    iptables -A INPUT --protocol icmp --icmp-type echo-request -j DROP
    echo "Ignoring broadcasts:"
    iptables -A INPUT -m addrtype --src-type BROADCAST -j DROP
    }
    
    orule()
    {
    echo "Jumping to blacklist chain:"
    iptables -A OUTPUT -j oblacklist
    echo "Allowing for new and established packets outbound:"
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    echo "Limiting outbound connections to new 5/m:"
    iptables -A OUTPUT -m state --state NEW -m limit --limit 5/m -j ACCEPT
    echo "Ignoring broadcasts:"
    iptables -A OUTPUT -m addrtype --dst-type BROADCAST -j DROP
    echo "Ignoring packets of invalid state:"
    iptables -A OUTPUT -m state --state INVALID -j DROP
    echo "Denying outbound access to all but root and network on all but port 80:"
    iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -m owner --gid-owner 104 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -m owner --gid-owner 104 -j ACCEPT
    echo "Allowing root and network groups all outbound access:"
    iptables -A OUTPUT -m owner --gid-owner 0 -j ACCEPT
    iptables -A OUTPUT -m owner --gid-owner 105 -j ACCEPT
    }
    
    #blacklist configuration
    blacklist()
    {
    iblacklist
    oblacklist
    }
    
    #call each input and output ruleset
    ruleset()
    {
    irule
    orule
    }
    
    #main function
    main()
    {
    echo "Initializing firewall."
    init
    blacklist
    ruleset
    echo "Initialization done."
    }
    
    #entrypoint code
    case "$1" in
    stop ) echo "Cleaining up firewall";iptables -F;iptables -Z;iptables -X;iptables -P INPUT ACCEPT;iptables -P OUTPUT ACCEPT;exit 0;;
    restart | start ) main;;
    * ) echo "Invalid argument provided. Valid arguments are stop|restart, and stop.";;
    esac

  2. #2
    Just Joined!
    Join Date
    May 2008
    Posts
    36
    My guess is that
    Code:
    echo "Limiting outbound connections to new 5/m:"
    iptables -A OUTPUT -m state --state NEW -m limit --limit 5/m -j ACCEPT
    is the culprit.
    If i'm reading this right, it allows any new connections as long as they're within the limit.
    Last edited by trutheality; 03-23-2010 at 04:47 AM. Reason: bad code tag

  3. #3
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    I haven't dug too deep into your rules but it looks like you are going about this all wrong. Instead of blocking this or that you should be blocking everything and then only opening up what you require/need.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  4. $spacer_open
    $spacer_close

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •