- 03-23-2010 #1, Just Joined! (Join Date: Apr 2009, Posts: 5)
Help with custom iptables script
Hello all,
I have an iptables script I set up, and I'm having one main issue. I want it to deny outbound access to all except the groups and users specified, but I can still ping, etc. If someone could help me figure out where I'm going wrong, I'd really appreciate it, either with this or with other suggestions on the script. Below is the code.
Code:
```bash
#!/bin/bash
#configuration settings:
#DIR: the directory where configuration files are stored.
DIR="/etc/firewall/"
#TCPPorts: a list of ports to allow to the firewall.
TCPPORTS="22"
#UDPPorts: a list of ports to allow to the firewall.
UDPPORTS=""

#initialization functions.
init() {
    echo "Running initialization functions and flushing firewall rules:"
    iptables -F
    iptables -Z
    iptables -X
    echo "Creating chains:"
    iptables -N oblacklist #output blacklist
    iptables -N iblacklist #input blacklist
    echo "Setting default policies:"
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
}

#input blacklist
iblacklist() {
    echo "Setting up input blacklist:"
    for i in `cat ${DIR}iblacklist`;do iptables -A iblacklist -m iprange --src-range ${i} -j DROP;done
    iptables -A iblacklist -j RETURN
}

#output blacklist
oblacklist() {
    echo "Setting up output blacklist:"
    for i in `cat ${DIR}oblacklist`;do iptables -A oblacklist -m iprange --dst-range ${i} -j DROP;done
    iptables -A oblacklist -j RETURN
}

irule() {
    echo "Jumping to blacklist chain:"
    iptables -A INPUT -j iblacklist
    echo "Allowing for established packets:"
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo "Opening specified TCP ports:"
    for i in ${TCPPORTS};do echo "Opening TCP port ${i}";iptables -A INPUT -p tcp --dport ${i} -j ACCEPT;done
    echo "Opening specified UDP ports:"
    for i in ${UDPPORTS};do echo "Opening UDP port ${i}.";iptables -A INPUT -p udp --dport ${i} -j ACCEPT;done
    echo "Limiting ssh connections:"
    iptables -A INPUT -p tcp --dport 22 -m limit --limit 2/m -m state --state NEW -j ACCEPT
    echo "Limiting all other connections:"
    iptables -A INPUT -m state --state NEW -m limit --limit 20/m -j ACCEPT
    echo "Ignoring ICMP ping responses:"
    iptables -A INPUT --protocol icmp --icmp-type echo-request -j DROP
    echo "Ignoring broadcasts:"
    iptables -A INPUT -m addrtype --src-type BROADCAST -j DROP
}

orule() {
    echo "Jumping to blacklist chain:"
    iptables -A OUTPUT -j oblacklist
    echo "Allowing for new and established packets outbound:"
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    echo "Limiting outbound connections to new 5/m:"
    iptables -A OUTPUT -m state --state NEW -m limit --limit 5/m -j ACCEPT
    echo "Ignoring broadcasts:"
    iptables -A OUTPUT -m addrtype --dst-type BROADCAST -j DROP
    echo "Ignoring packets of invalid state:"
    iptables -A OUTPUT -m state --state INVALID -j DROP
    echo "Denying outbound access to all but root and network on all but port 80:"
    iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -m owner --gid-owner 104 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -m owner --gid-owner 104 -j ACCEPT
    echo "Allowing root and network groups all outbound access:"
    iptables -A OUTPUT -m owner --gid-owner 0 -j ACCEPT
    iptables -A OUTPUT -m owner --gid-owner 105 -j ACCEPT
}

#blacklist configuration
blacklist() {
    iblacklist
    oblacklist
}

#call each input and output ruleset
ruleset() {
    irule
    orule
}

#main function
main() {
    echo "Initializing firewall."
    init
    blacklist
    ruleset
    echo "Initialization done."
}

#entrypoint code
case "$1" in
    stop ) echo "Cleaning up firewall";iptables -F;iptables -Z;iptables -X;iptables -P INPUT ACCEPT;iptables -P OUTPUT ACCEPT;exit 0;;
    restart | start ) main;;
    * ) echo "Invalid argument provided. Valid arguments are start|restart, and stop.";;
esac
```
- 03-23-2010 #2, Just Joined! (Join Date: May 2008, Posts: 36)
My guess is that
Code:
```bash
echo "Limiting outbound connections to new 5/m:"
iptables -A OUTPUT -m state --state NEW -m limit --limit 5/m -j ACCEPT
```
is the culprit.
If I'm reading this right, it allows any new connections as long as they're within the limit.
Last edited by trutheality; 03-23-2010 at 03:47 AM. Reason: bad code tag
- 03-23-2010 #3
I haven't dug too deep into your rules but it looks like you are going about this all wrong. Instead of blocking this or that you should be blocking everything and then only opening up what you require/need.
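Taking the two replies together (rules are matched first-match in chain order, and a default-deny chain should only open what is needed), the following is an added example, not the poster's script and not code from either reply, of an OUTPUT chain rebuilt so that the owner rules are the only path for new outbound connections. The group ids 104 and 105 and the ports 21 and 80 come from the posted script; the `ipt` wrapper, the `DRY_RUN` switch, the `multiport` match and the LOG rule are my additions. Note that in the posted script the earlier `--state NEW,ESTABLISHED,RELATED -j ACCEPT` rule also matches every outbound packet before the owner rules are ever consulted, for the same first-match reason the second reply gives for the 5/m rule.

```shell
#!/bin/sh
# Added example: an OUTPUT chain in which owner-based allows come first and
# everything else is dropped. Not the original poster's script.
# DRY_RUN=1 (the default) prints the rules instead of applying them, so the
# ordering can be inspected and tested without root or iptables.

DRY_RUN="${DRY_RUN:-1}"
IPT="${IPT:-iptables}"

# Run an iptables command, or print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Build the OUTPUT chain. iptables stops at the first matching rule, so a
# broad "ACCEPT any NEW" rule placed before the owner rules would make the
# owner rules unreachable; here no rule accepts NEW without an owner match.
orule_fixed() {
    ipt -P OUTPUT DROP
    # Output blacklist chain, created elsewhere (the poster's init does this)
    ipt -A OUTPUT -j oblacklist
    # Replies on connections that were already allowed in or out
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state INVALID -j DROP
    ipt -A OUTPUT -m addrtype --dst-type BROADCAST -j DROP
    # Group 104: only new ftp/http connections, rate-limited (poster's gid)
    ipt -A OUTPUT -p tcp -m multiport --dports 21,80 -m owner --gid-owner 104 \
        -m state --state NEW -m limit --limit 5/m -j ACCEPT
    # root (gid 0) and group 105: unrestricted outbound (poster's gids)
    ipt -A OUTPUT -m owner --gid-owner 0 -j ACCEPT
    ipt -A OUTPUT -m owner --gid-owner 105 -j ACCEPT
    # Everything else, including ping from ordinary users, is logged (rate
    # limited so the log cannot be flooded) and then dropped.
    ipt -A OUTPUT -m limit --limit 5/m -j LOG --log-prefix "OUTPUT-DROP: "
    ipt -A OUTPUT -j DROP
}

# Print the rules (DRY_RUN=1) or apply them (DRY_RUN=0, run as root).
orule_fixed
```

Run it as is to review the rule order; run it with `DRY_RUN=0` as root, after the `oblacklist` chain exists, to apply it. The explicit final DROP duplicates the chain policy on purpose, so that a later `iptables -P OUTPUT ACCEPT` during troubleshooting cannot silently reopen outbound access.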