#1 (Just Joined!, joined Aug 2010, 4 posts)

    Iptables Configuration Problem

    Hey everybody, I've read this forum for a while now but never posted... so here goes, post #1.

    I am trying to create a simple iptables configuration script. This is for a machine that only needs to be able to ping other machines and get upgrades via http. Note that it doesn't need to be able to be pinged back and isn't a web server.

    So far this is what I have:


    #!/bin/bash

    # Primary network interface
    iface='wlan0'

    # Flush, Delete, and Zero all current chains
    iptables -F
    iptables -Z
    iptables -X

    # Only accept input and output traffic
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT ACCEPT
    iptables -P FORWARD DROP

    # Make new chains for output (p-out) and input (p-in)
    iptables -N p-out
    iptables -N p-in

    # Redirect all output traffic to 'p-out' and all input traffic to 'p-in'
    iptables -A OUTPUT -j p-out
    iptables -A INPUT -j p-in

    # Block all input and output traffic
    iptables -A p-out -o $iface -j DROP
    iptables -A p-in -i $iface -j DROP

    # Accept all LOOPBACK (lo) traffic
    iptables -A p-out -o lo -j ACCEPT
    iptables -A p-in -i lo -j ACCEPT

    # Allow pinging
    iptables -A p-out -o $iface -p icmp -m icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A p-in -i $iface -p icmp -m icmp --icmp-type 8 -m state --state ESTABLISHED -j ACCEPT

    # Allow HTTP
    iptables -A p-out -o $iface -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A p-in -i $iface -p tcp -m tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT

    Unfortunately this does not work. I can ping 'localhost' and that's about all I can do with this script. I was hoping somebody could point out what I did wrong. Also, any tips on how to reduce this even further would be great.

#2 RDU (Just Joined!, joined Aug 2010, 89 posts)
    Hello,

    Order is important: you put 2 lines with drop-all before your accept. These two lines should go at the end, or you could use a DROP policy by default (but be careful to allow all on the lo interface).
    Second, for http, you should check dport 80 and not sport.
    Third, don't forget to allow outgoing DNS (UDP/53) to resolve names and maybe also incoming SSH to manage your box.

    I would do something like this :

    #!/bin/bash

    # Flush, Delete, and Zero all current chains
    iptables -F
    iptables -Z
    iptables -X

    # Drop everything except what we'll want explicitly
    iptables -P OUTPUT DROP
    iptables -P INPUT DROP
    iptables -P FORWARD DROP

    # Accept all LOOPBACK (lo) traffic
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT

    # Allow Established cnx
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow outgoing ICMP (pinging)
    iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT

    # Allow outgoing HTTP (update)
    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

    # Allow outgoing DNS (Name resolving)
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

    # Allow incoming SSH (Management) from local subnet (change 10.0.0.1/24)
    iptables -A INPUT -p tcp --dport 22 -s 10.0.0.1/24 -j ACCEPT

    # Block all input and output traffic (not necessary as we do DROP policy but to be sure it's always good to finish like this)
    iptables -A OUTPUT -j DROP
    iptables -A INPUT -j DROP

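A fuller version of the layout RDU describes above (policies first, loopback, the two ESTABLISHED,RELATED rules, then one --dport rule per service), added here as an example for the thread; it is not RDU's script and not the Debian wiki's. It prints the rules by default (IPT=echo) so the order can be reviewed before it touches the kernel; the interface wlan0, the admin subnet 10.0.0.0/24, the logging tail and the use of -m conntrack --ctstate (the newer name for -m state) are assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Default-deny host firewall for a client that only needs outbound ping,
# DNS and HTTP, plus inbound SSH from the local subnet.
# Added example for this thread, not RDU's or the Debian wiki's script.
#
# Dry run by default: IPT=echo prints every rule instead of applying it.
# Apply for real (as root) with:  IPT=iptables sh firewall.sh
IPT="${IPT:-echo}"

IFACE="${IFACE:-wlan0}"                 # placeholder: primary interface
ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"   # placeholder: subnet allowed to SSH in

build_ruleset() {
    # Start from a clean slate: flush rules, zero counters, delete user chains
    $IPT -F
    $IPT -Z
    $IPT -X

    # Policies first: anything not explicitly accepted below is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback must stay open or local services (resolver cache, X, ...) break.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Nothing addressed to 127/8 may arrive on a real interface.
    $IPT -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

    # Connection tracking handles every packet after the first one, in both
    # directions, so the per-service rules below only need to match the
    # packet that opens the connection (NEW). Never add NEW here.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Drop packets conntrack cannot place in any connection.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Outbound services this host may open: always --dport, never --sport,
    # because the client side of a connection uses an ephemeral port.
    $IPT -A OUTPUT -o "$IFACE" -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # Inbound management: only the admin subnet may open SSH sessions.
    $IPT -A INPUT -i "$IFACE" -p tcp --dport 22 -s "$ADMIN_NET" -m conntrack --ctstate NEW -j ACCEPT

    # Log (rate-limited) and drop whatever falls through. The policy would
    # drop it anyway, but the log line shows what the rule set is rejecting,
    # which is how the "browser does not work" question gets answered.
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-out: "
    $IPT -A INPUT  -j DROP
    $IPT -A OUTPUT -j DROP
}

# Number of rules that let this host open or accept a NEW connection: the
# figure to review before applying, since everything else rides on conntrack.
count_new_rules() {
    (IPT=echo; build_ruleset) | grep -c -- '--ctstate NEW'
}

build_ruleset
```

Run it once without IPT set to read the rules in order, confirm that every --dport rule sits after the two ESTABLISHED,RELATED lines and before the final DROPs, then rerun with IPT=iptables as root.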
#3 (Just Joined!, joined Aug 2010, 4 posts)
    Thanks. But it's still not working. Here is what I have; most of this is from wiki.debian.org/iptables.

    #!/bin/bash

    # Primary network interface
    iface='wlan0'

    # Flush, Zero, and Delete all current chains
    iptables -F
    iptables -Z
    iptables -X

    # Default policy: drop everything that is not explicitly accepted below
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    # Accept all LOOPBACK (lo) traffic; drop all traffic to 127/8 that doesn't use lo
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
    iptables -A OUTPUT -o lo -j ACCEPT

    # Accept all established connections, inbound and outbound
    iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -o $iface -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow pinging
    iptables -A OUTPUT -o $iface -p icmp --icmp-type 8 -j ACCEPT


    ## Now open necessary ports

    # Allow SSH
    iptables -A OUTPUT -o $iface -p tcp -m tcp --sport 22 -j ACCEPT

    # Allow DNS
    iptables -A OUTPUT -o $iface -p tcp -m tcp --sport 53 -j ACCEPT

    # Allow HTTP
    iptables -A OUTPUT -o $iface -p tcp -m tcp --sport 80 -j ACCEPT

    Then I run this:

    /sbin/iptables -vL
    ...and get this:

    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    5 145 ACCEPT all -- lo any anywhere anywhere
    0 0 DROP all -- !lo any anywhere loopback/8
    0 0 ACCEPT all -- wlan0 any anywhere anywhere state RELATED,ESTABLISHED

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy DROP 8 packets, 480 bytes)
    pkts bytes target prot opt in out source destination
    5 145 ACCEPT all -- any lo anywhere anywhere
    0 0 ACCEPT all -- any wlan0 anywhere anywhere state RELATED,ESTABLISHED
    0 0 ACCEPT icmp -- any wlan0 anywhere anywhere icmp echo-request
    0 0 ACCEPT tcp -- any wlan0 anywhere anywhere tcp spt:ssh
    0 0 ACCEPT tcp -- any wlan0 anywhere anywhere tcp spt:domain
    0 0 ACCEPT tcp -- any wlan0 anywhere anywhere tcp spt:www
    Okay, from this I can ping the router and 127.0.0.1, but no luck with the web browser. However, if I change ESTABLISHED,RELATED to NEW,ESTABLISHED,RELATED I can browse. Unfortunately, this also allows me to use FTP, Skype, and just about everything else. Any help is much appreciated. I have looked up so many different pages and read quite a bit; what am I missing here!!!

#4 RDU (Just Joined!, joined Aug 2010, 89 posts)
    Sure, DON'T add NEW to the RELATED,ESTABLISHED rules or you will open EVERYTHING.

    You should change SPORT (source port) to DPORT (destination port) in the last 3 iptables commands, because HTTP is port 80 on the destination server with an unknown port as source.

#5 (Just Joined!, joined Aug 2010, 4 posts)
    Okay, this is confusing... this is what I am thinking:

    OUTPUT:
    Source: localhost/80
    Destination: unknown
    INPUT:
    Source: unknown
    Destination: localhost/80

    Quote Originally Posted by RDU:
    You should change SPORT (source port) to DPORT (destination port) in the last 3 iptables commands, because HTTP is port 80 on the destination server with an unknown port as source.

#6 RDU (Just Joined!, joined Aug 2010, 89 posts)
    Quote Originally Posted by parihar:
    Okay, this is confusing... this is what I am thinking:

    OUTPUT:
    Source: localhost/80
    Destination: unknown
    INPUT:
    Source: unknown
    Destination: localhost/80

    If you want to browse a webserver it's like this:

    Your PC port TCP/unknown ----> Server at port 80

    So you have to accept on OUTPUT: -p tcp --dport 80
    and established cnx on INPUT.

    Keep in mind that you almost always have to use DPORT and not sport (even for incoming cnx) and put a rule only for the SYN packet (OUTPUT for outgoing cnx OR INPUT for incoming cnx). The remainder is taken care of by the 2 ESTABLISHED rules.

#7 RDU (Just Joined!, joined Aug 2010, 89 posts)
    Also, for your information, this is the state meaning:

    NEW : 1st packet of a new cnx
    ESTABLISHED : this is the remainder of the cnx
    RELATED : a new cnx but related to a previous one (e.g. FTP has a control cnx, and then opens a new cnx when a data transfer occurs).

#8 Lazydog (Linux Guru, joined Jun 2004, The Keystone State, 2,677 posts)
    Try the following, which allows everything out and only established connections back.

    Code:
    iptables -F
    iptables -Z
    iptables -X
    
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    For the ICMP protocol you might want to take a look at THIS page

    Regards
    Robert


#9 (Just Joined!, joined Aug 2010, 4 posts)
    Thanks for the link Lazydog... I guess I need type 0 (reply) and 8 (request) for pinging purposes.

    As for my iptables configuration, I'm sorry I wasn't specific about what I was trying to do. What you guys showed me works; unfortunately, I am just trying to open only a few outbound connections and a few inbound connections. Each connection should have specific parameters. For example:

    On my laptop I want to web browse (I am just showing port 80 but there will be more: 443, 20, 21 to add some FTP access, etc.):

    # HTTP - for normal web browsing
    iptables -A INPUT -p tcp -m tcp --sport 80 -j -m state --state ESTABLISHED ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT


    but then I want to be able to ssh into and from this machine:

    # SSH
    iptables -A INPUT -p tcp -m tcp --sport 3242 -j -m state --state NEW,ESTABLISHED ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 3242 -m state --state NEW,ESTABLISHED -j ACCEPT


    So what I am trying to achieve is separate state parameters for each port number. I hope this explains my mindset a little bit.

#10 RDU (Just Joined!, joined Aug 2010, 89 posts)
    Lazydog: This will work but it's VERY (too much) open. It's never a good idea to open too much output.

    Parihar: This is much too complicated and it will mess you up (it's already wrong in what you give here). And with this mess you could make a mistake that leaves stuff open without you knowing it. In one word: Keep it simple!
    1. Take care of the cnx initiation only in your rules and allow ALL ESTABLISHED and RELATED cnx (the kernel will take care of it for you and you need only 1 rule per cnx).
    2. Doing that, you need only ICMP type 8 (request). The reply will be handled by the connection tracking of the kernel.
    3. For ssh, you need two rules, 1 for outgoing cnx and 1 for incoming cnx (each of them using DPORT; you're wrong with your INPUT rule using SPORT).
    4. -m tcp can be removed on each line; the TCP and UDP modules are automatically loaded if needed.
    5. For FTP, just accept the outgoing port tcp/21. All the rest is RELATED (or you would have to open ports 1024 - 65535 as they're dynamic). But you have to load a kernel module:
    # modprobe nf_conntrack_ftp
    See all cnx tracking modules available for your kernel in
    /lib/modules/2.6.33......../kernel/net/netfilter/
    Recent kernels support a lot of protocols.
    6. If you want to play further, take a look at ipset, which is fine to aggregate objects (network, port, ip address, ...) but is not supported yet on all distros (Latest mandriva has it).
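
The three mistakes this thread keeps returning to (a DROP placed before the ACCEPT rules in post #2, --sport on the client side in posts #2, #4, #6 and #10, and NEW added to the catch-all ESTABLISHED,RELATED rule in post #4) all show up in the text of `iptables-save`, so they can be checked mechanically before a rule set is loaded. The lint below is an added example written for this thread, not code from any of the posters; the dump it runs over is constructed to mirror the shape of the first script in the thread, and the finding names (NEW-IN-ESTABLISHED, SPORT-ON-NEW, UNREACHABLE) are this example's own.

```shell
#!/bin/sh
# Lint an iptables-save dump for the mistakes raised in this thread:
#   NEW-IN-ESTABLISHED  a catch-all rule whose state list has NEW next to
#                       ESTABLISHED (opens every connection, post #4)
#   SPORT-ON-NEW        a connection-opening rule matching --sport
#                       (the client side uses an ephemeral port, posts #2, #6, #10)
#   UNREACHABLE         a rule placed after an unconditional DROP/REJECT
#                       in the same chain on the same interface (post #2)
# Added example, not code from the thread. Input is iptables-save output,
# read from file arguments or from stdin.

lint_rules() {
    awk '
    function has(s) { return index($0, s) > 0 }
    /^-A / {
        chain = $2; iface = "*"; target = ""; extra = 0
        # Separate the interface and target from every other match option,
        # so "extra == 0" means the rule matches every packet on that interface.
        for (i = 3; i <= NF; i++) {
            if ($i == "-i" || $i == "-o")  { iface = $(i + 1); i++ }
            else if ($i == "-j")           { target = $(i + 1); i++ }
            else                           { extra++ }
        }
        stateful = ($0 ~ /--(ct)?state /)
        has_new  = ($0 ~ /--(ct)?state [A-Z,]*NEW/)
        has_est  = ($0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/)
        specific = has("--dport") || has("--sport") || has("--icmp-type")

        # 1. NEW riding along on the ESTABLISHED,RELATED rule with no port
        #    or ICMP-type selector: every connection in that chain is accepted.
        if (has_new && has_est && !specific)
            printf "NEW-IN-ESTABLISHED %s: %s\n", chain, $0
        # 2. --sport on a rule that opens a connection (stateless, or NEW):
        #    a client never knows its own source port in advance.
        if (has("--sport") && (!stateful || has_new))
            printf "SPORT-ON-NEW %s: %s\n", chain, $0
        # 3. Anything after an unconditional DROP/REJECT on the same chain
        #    and interface can never be evaluated.
        if (dead[chain, "*"] || (iface != "*" && dead[chain, iface]))
            printf "UNREACHABLE %s: %s\n", chain, $0
        else if (extra == 0 && (target == "DROP" || target == "REJECT"))
            dead[chain, iface] = 1
    }' "$@"
}

lint_sample() {
    # Constructed dump with the shape of the thread's first script: a
    # per-interface DROP ahead of the ACCEPT rules, a client rule on
    # --sport 80, and NEW added to the catch-all ESTABLISHED rule.
    lint_rules <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:p-in - [0:0]
:p-out - [0:0]
-A INPUT -j p-in
-A OUTPUT -j p-out
-A p-out -o wlan0 -j DROP
-A p-in -i wlan0 -j DROP
-A p-out -o lo -j ACCEPT
-A p-in -i lo -j ACCEPT
-A p-out -o wlan0 -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A p-in -i wlan0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

lint_sample
```

On a live box, `iptables-save | sh lint.sh` (or `lint_rules /etc/iptables/rules.v4`) reports the same findings against the loaded rule set; a clean default-deny layout, where one --dport rule per service sits after the ESTABLISHED,RELATED line and the unconditional DROP comes last, produces no output.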
