  1. #1

    Help with custom iptables script

    Hello all,
    I have an iptables script I set up, and I'm having one main issue. I want it to deny outbound access to all except the groups and users specified, but I can still ping, etc. If someone could help me figure out where I'm going wrong, I'd really appreciate it, either with this or with other suggestions on the script. Below is the code.
    #!/bin/sh
    #configuration settings:
    #DIR: the directory where configuration files are stored (with a trailing slash, since it is used as ${DIR}iblacklist).
    #TCPPORTS: a list of TCP ports to allow in to the firewall.
    #UDPPORTS: a list of UDP ports to allow in to the firewall.
    #The values below are placeholders (the original post did not show them); set them for your system.
    DIR=/etc/firewall/
    TCPPORTS="80"
    UDPPORTS=""
    #initialization functions.
    init() {
        echo "Running initialization functions and flushing firewall rules:"
        iptables -F
        iptables -Z
        iptables -X
        echo "Creating chains:"
        iptables -N oblacklist #output blacklist
        iptables -N iblacklist #input blacklist
        echo "Setting default policies:"
        iptables -P INPUT DROP
        iptables -P FORWARD DROP
        iptables -P OUTPUT DROP
    }
    #blacklist configuration: one address range (a.b.c.d-e.f.g.h) per line in ${DIR}iblacklist and ${DIR}oblacklist
    blacklists() {
        echo "Setting up input blacklist:"
        for i in $(cat "${DIR}iblacklist"); do iptables -A iblacklist -m iprange --src-range "${i}" -j DROP; done
        iptables -A iblacklist -j RETURN
        echo "Setting up output blacklist:"
        for i in $(cat "${DIR}oblacklist"); do iptables -A oblacklist -m iprange --dst-range "${i}" -j DROP; done
        iptables -A oblacklist -j RETURN
    }
    #input ruleset
    input_rules() {
        echo "Jumping to blacklist chain:"
        iptables -A INPUT -j iblacklist
        echo "Allowing for established packets:"
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        echo "Opening specified TCP ports:"
        for i in ${TCPPORTS}; do echo "Opening TCP port ${i}"; iptables -A INPUT -p tcp --dport "${i}" -j ACCEPT; done
        echo "Opening specified UDP ports:"
        for i in ${UDPPORTS}; do echo "Opening UDP port ${i}."; iptables -A INPUT -p udp --dport "${i}" -j ACCEPT; done
        echo "Limiting ssh connections:"
        iptables -A INPUT -p tcp --dport 22 -m limit --limit 2/m -m state --state NEW -j ACCEPT
        echo "Limiting all other connections:"
        iptables -A INPUT -m state --state NEW -m limit --limit 20/m -j ACCEPT
        echo "Ignoring ICMP ping requests:"
        iptables -A INPUT --protocol icmp --icmp-type echo-request -j DROP
        echo "Ignoring broadcasts:"
        iptables -A INPUT -m addrtype --src-type BROADCAST -j DROP
    }
    #output ruleset
    output_rules() {
        echo "Jumping to blacklist chain:"
        iptables -A OUTPUT -j oblacklist
        echo "Allowing for new and established packets outbound:"
        iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        echo "Limiting outbound connections to new 5/m:"
        iptables -A OUTPUT -m state --state NEW -m limit --limit 5/m -j ACCEPT
        echo "Ignoring broadcasts:"
        iptables -A OUTPUT -m addrtype --dst-type BROADCAST -j DROP
        echo "Ignoring packets of invalid state:"
        iptables -A OUTPUT -m state --state INVALID -j DROP
        echo "Denying outbound access to all but root and network on all but port 80:"
        iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -m owner --gid-owner 104 -j ACCEPT
        iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -m owner --gid-owner 104 -j ACCEPT
        echo "Allowing root and network groups all outbound access:"
        iptables -A OUTPUT -m owner --gid-owner 0 -j ACCEPT
        iptables -A OUTPUT -m owner --gid-owner 105 -j ACCEPT
    }
    #main function: call each input and output ruleset
    main() {
        echo "Initializing firewall."
        init
        blacklists
        input_rules
        output_rules
        echo "Initialization done."
    }
    #entrypoint code
    case "$1" in
        stop ) echo "Cleaning up firewall"; iptables -F; iptables -Z; iptables -X; iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; exit 0;;
        restart | start ) main;;
        * ) echo "Invalid argument provided. Valid arguments are start, restart, and stop."; exit 1;;
    esac

  2. #2
    My guess is that
    echo "Limiting outbound connections to new 5/m:"
    iptables -A OUTPUT -m state --state NEW -m limit --limit 5/m -j ACCEPT
    is the culprit.
    If I'm reading this right, it allows any new connections as long as they're within the limit.
    Last edited by trutheality; 03-23-2010 at 03:47 AM. Reason: bad code tag

  3. #3
    Lazydog (Linux Guru, joined Jun 2004, The Keystone State)
    I haven't dug too deep into your rules but it looks like you are going about this all wrong. Instead of blocking this or that you should be blocking everything and then only opening up what you require/need.
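Editor's note on the thread so far: the reason the owner rules in post #1 never bite is rule order. iptables stops at the first match, and the script's OUTPUT chain starts with `-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT`, which matches every outbound packet (the 5/m limit rule that trutheality points at is a second rule of the same kind, and `-m owner` lines that follow them are never consulted). Below is an added example, not code from any post in this thread, that applies Lazydog's "block everything, open what you need" advice to that chain: the DROP policy does the denying and every ACCEPT for a NEW connection is tied to a group. GIDs 104 and 105 and ports 21 and 80 are taken from post #1; the `run`/`DRY_RUN` helper, the loopback rule, and the `audit_output_rules` linter are my own assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): the OUTPUT chain rebuilt so
# that the default DROP policy does the denying and each ACCEPT for a NEW
# connection carries an owner match. GIDs 104/105 and ports 21/80 come from
# post #1; the helpers below are assumed for illustration.

# Print the rule instead of applying it when DRY_RUN is set, so the ruleset
# can be reviewed (and audited below) without root or a kernel.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else iptables "$@"; fi
}

# OUTPUT rules in an order where the owner match is actually reached.
output_rules() {
    run -P OUTPUT DROP
    # Local services (resolver stubs, etc.) talk over loopback.
    run -A OUTPUT -o lo -j ACCEPT
    # Replies on connections that were already allowed. A NEW packet never
    # matches this rule, so it cannot open anything on its own.
    run -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -m state --state INVALID -j DROP
    # Root (GID 0) and the "network" group (GID 105) may open anything.
    run -A OUTPUT -m state --state NEW -m owner --gid-owner 0 -j ACCEPT
    run -A OUTPUT -m state --state NEW -m owner --gid-owner 105 -j ACCEPT
    # GID 104 gets only FTP control and HTTP; the 5/m limit is applied here,
    # to the restricted group, instead of in a catch-all before the owner rules.
    for port in 21 80; do
        run -A OUTPUT -p tcp --dport "$port" -m state --state NEW \
            -m limit --limit 5/m -m owner --gid-owner 104 -j ACCEPT
    done
    # Everything else (ping from an unprivileged group included) falls
    # through to the DROP policy.
}

# Lint a ruleset in `iptables -S OUTPUT` syntax (stdin): report every ACCEPT
# that can admit a NEW outbound connection without an owner match. Returns 1
# if any was found, 0 otherwise. Handles both -m state and -m conntrack.
audit_output_rules() {
    awk '
        /^(iptables )?-A OUTPUT / && / -j ACCEPT/ {
            if ($0 ~ / -o lo /) next                      # loopback is exempt
            if ($0 ~ /--(uid|gid)-owner/) next             # tied to a user/group
            if ($0 ~ /--(ct)?state / && $0 !~ /--(ct)?state [A-Z,]*NEW/) next  # replies only
            print "unrestricted NEW accept: " $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

case "${1:-}" in
    apply) output_rules ;;                                  # needs root
    audit) iptables -S OUTPUT | audit_output_rules ;;       # check the live chain
    *)     DRY_RUN=1 output_rules | audit_output_rules ;;   # review without applying
esac
```

Run it with no argument to print the rules and lint them; piping the script from post #1 through `iptables -S OUTPUT | sh script.sh audit` on a test box flags its `--state NEW,ESTABLISHED,RELATED` and `--limit 5/m` accepts. Two caveats when adapting this: `-m owner` only works in the OUTPUT chain (it matches on the process that created the socket, so forwarded and inbound packets have no owner), and it compares the uid/gid the socket was created under, so a setuid-root ping started by an ordinary user creates its raw socket as uid 0 with the caller's gid and is not caught by a rule keyed on `--gid-owner 0`. To see which rule is actually firing on a live system, watch the packet counters in `iptables -L OUTPUT -v -n --line-numbers` while reproducing the ping.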