  1. #1
    Just Joined! codge's Avatar
    Join Date
    Sep 2008
    Location
    Halesowen u.k.
    Posts
    15

    Iptables internet access problem


    I have a problem with an iptables firewall. If I use the file below I have limited internet access, i.e. I can't use google.com or google.co.uk as a homepage, but I can use cuil.com/

    I can access the Debian forums but not this forum; this problem happens on a lot of other sites. (I can't post the URLs.)

    If I edit the firewall by adding “iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT”, then I have full access. Does anyone know why this is? This is on a desktop; I only need internet access.

    regards

    Code:
    ###############################################################
    ### Remove all previous rules, and delete any user defined chains ###
    iptables -X
    iptables -F
    iptables -t nat -X
    iptables -t nat -F
    iptables -t mangle -X
    iptables -t mangle -F
    
    ###############################################################
    ### Set the default policies to drop ###
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    
    ##############################################################
    ###drop spoofed packets-causes slow connection ###
    #iptables -A INPUT --in-interface lo --source 127.0.0.0/8 -j DROP
    
    ###############################################################
    ### Define interfaces here ###
    # Enter the designation for the Internal Interface's
    INTIF=eth0
    # Enter the IP address of the Internal Interface
    INTIP=192.***.*.**/24
    # Enter the designation for the Internal Interface's
    EXTIF=eth1
    # Enter the IP address of the external Interface
    EXTIP=81.***.**.*
    
    ###############################################################
    ### BAD GUYS (Block Source IP Address) ###
    #iptables -A INPUT -s 82.94.249.158 -j DROP
    ###porn-hub###
    iptables -A INPUT -s 146.82.202.179 -j DROP
    iptables -A INPUT -s 146.82.202.170 -j DROP
    iptables -A INPUT -s 146.82.203.166 -j DROP
    iptables -A INPUT -s 146.82.203.203 -j DROP
    iptables -A INPUT -s 146.82.203.243 -j DROP
    iptables -A INPUT -s 146.82.202.180 -j DROP
    iptables -A INPUT -s 146.82.203.228 -j DROP
    iptables -A INPUT -s 146.82.203.242 -j DROP
    iptables -A INPUT -s 146.82.204.113 -j DROP
    iptables -A INPUT -s 146.82.200.125 -j DROP
    iptables -A INPUT -s 146.82.203.230 -j DROP
    iptables -A INPUT -s 146.82.202.154 -j DROP
    iptables -A INPUT -s 146.82.204.17 -j DROP
    iptables -A INPUT -s 146.82.204.131 -j DROP
    iptables -A INPUT -s 146.82.204.35 -j DROP
    iptables -A INPUT -s 146.82.202.169 -j DROP
    iptables -A INPUT -s 146.82.204.47 -j DROP
    
    ###############################################################
    ### Allow Established connections ###
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    ###############################################################
    ### Accept all LOOPBACK (lo) traffic ###
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    ###############################################################
    ### Drop broken packets ###
    iptables -A INPUT   -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state INVALID -j DROP
    iptables -A OUTPUT  -m state --state INVALID -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
    
    ###############################################################
    ### INBOUND Rules: Allow ONLY NEW packets on these ports ###.
    # Web browser and shell use port 80 #
    iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 123 -j ACCEPT
    iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 443 -j ACCEPT
    
    ###############################################################
    ### OUTBOUND Rules: Allow ONLY NEW packets on these ports ###.
    iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
    
    ###############################################################
    ### Don't Allow all ICMP Traffic (optional) - IN, OUT and THROUGH ###
    iptables -A INPUT -p icmp --icmp-type any -j DROP
    iptables -A OUTPUT -p icmp --icmp-type any -j DROP
    iptables -A FORWARD -p icmp --icmp-type any -j DROP
    
    ##############################################################
    ### Log everything else, Required for psad ###
    iptables -A INPUT -j LOG
    iptables -A FORWARD -j LOG
    
    ###############################################################
    ### If you have fwsnort installed###
    #fwsnort
    #/etc/fwsnort/fwsnort.sh

  2. #2
    Just Joined! codge's Avatar
    Join Date
    Sep 2008
    Location
    Halesowen u.k.
    Posts
    15
    If I use this as my output rules I get a full connection. Is this acceptable?

    Code:
    ### OUTBOUND Rules: Allow ONLY NEW packets on these ports ###.
    iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    with this:
    Code:
     ### Allow Established connections ###
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  3. #3
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    The first question is: are you hosting anything that would require outside access to your system? If not, then you should not be allowing anything but ESTABLISHED,RELATED connections.

    The reason you are having issues is, I believe, that you are confusing the INPUT and OUTPUT statements.

    INPUT is what is coming into the system
    OUTPUT is what is leaving the system.

    If your system only has 1 ethernet connection then I do not believe you need to FORWARD anything, and the FORWARD rules can be removed also.

    Because you already have ESTABLISHED,RELATED rules for OUTPUT, you don't need to include them in the rules that follow. They can simply be NEW, i.e.,
    Code:
    iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    Rule order is VERY important!!

    Firewall rules are read from top to bottom and executed in that order. So anything that comes after a DROP will never be executed in a chain. A chain is your INPUT or OUTPUT or FORWARD. It can also be user defined.

    To get to your original question: the reason everything was being dropped before you added the output rule for NEW,ESTABLISHED,RELATED is your policy setting. In your case it was set to DROP. What happens is that when a packet enters the firewall, the rules are matched against it one by one until one matches and is executed. In your case there were no rules for NEW packets, so the last rule, the policy, was applied. Thus all packets were dropped.

    If you would like to read up on IPTABLES this TUTORIAL is a very good one.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  5. #4
    Just Joined! codge's Avatar
    Join Date
    Sep 2008
    Location
    Halesowen u.k.
    Posts
    15
    Thanks for the reply. I am not hosting anything on this computer; all I need to do is access the internet and update via apt-get (Debian). I continued to adjust the firewall after I posted here. I did alter the firewall to only NEW on the output; the problem with internet access was because I did not add iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT to the firewall. So the problem was DNS related, I presume. Is there anything I can do to this configuration below to make it more secure? Thank you.

    regards

    Code:
    #!/bin/bash
    
    echo -n "### Loading iptables firewall ###"
    
    ###############################################################
    ### Remove all previous rules, and delete any user defined chains ###
    iptables -X
    iptables -F
    iptables -t nat -X
    iptables -t nat -F
    iptables -t mangle -X
    iptables -t mangle -F
    
    ###############################################################
    ### Set the default policies to drop ###
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    
    ###############################################################
    ### Define interfaces here ###
    # Enter the designation for the Internal Interface's
    INTIF=eth0
    # Enter the IP address of the Internal Interface
    INTIP=192.***.*.**/24
    # Enter the designation for the Internal Interface's
    EXTIF=eth1
    # Enter the IP address of the external Interface
    EXTIP=81.***.**.*
    
    ###############################################################
    ### BAD GUYS (Block Source IP Address) ###
    ###porn-hub###
    iptables -A INPUT -s 146.82.202.179 -j DROP
    iptables -A INPUT -s 146.82.202.170 -j DROP
    iptables -A INPUT -s 146.82.203.166 -j DROP
    iptables -A INPUT -s 146.82.203.203 -j DROP
    iptables -A INPUT -s 146.82.203.243 -j DROP
    iptables -A INPUT -s 146.82.202.180 -j DROP
    iptables -A INPUT -s 146.82.203.228 -j DROP
    iptables -A INPUT -s 146.82.203.242 -j DROP
    iptables -A INPUT -s 146.82.204.113 -j DROP
    iptables -A INPUT -s 146.82.200.125 -j DROP
    iptables -A INPUT -s 146.82.203.230 -j DROP
    iptables -A INPUT -s 146.82.202.154 -j DROP
    iptables -A INPUT -s 146.82.204.17 -j DROP
    iptables -A INPUT -s 146.82.204.131 -j DROP
    iptables -A INPUT -s 146.82.204.35 -j DROP
    iptables -A INPUT -s 146.82.202.169 -j DROP
    iptables -A INPUT -s 146.82.204.47 -j DROP
    
    ###############################################################
    ### Allow Established connections ###
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    ###############################################################
    ### Accept all LOOPBACK (lo) traffic ###
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    ###############################################################
    ### Drop broken packets ###
    iptables -A INPUT   -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state INVALID -j DROP
    iptables -A OUTPUT  -m state --state INVALID -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
    iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
    
    ###############################################################
    ### INBOUND Rules: Allow ONLY NEW packets on these ports ###.
    # Web browser and shell use port 80 #
    iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 123 -j ACCEPT
    #iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 443 -j ACCEPT
    
    ###############################################################
    ### OUTBOUND Rules: Allow ONLY NEW packets on these ports ###.
    iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    
    ###############################################################
    ### Don't Allow all ICMP Traffic (optional) - IN, OUT and THROUGH ###
    iptables -A INPUT -p icmp --icmp-type any -j DROP
    iptables -A OUTPUT -p icmp --icmp-type any -j DROP
    iptables -A FORWARD -p icmp --icmp-type any -j DROP
    
    ##############################################################
    ### Log everything else, Required for psad ###
    iptables -A INPUT -j LOG
    iptables -A FORWARD -j LOG
    
    ###############################################################
    ### If you have fwsnort installed###
    #fwsnort
    #/etc/fwsnort/fwsnort.sh
    
    echo "### Firewall Loaded ###"
    
    exit 0

  6. #5
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    If you are hosting nothing but would like the system to have full access to the internet, then you simply need only the following rules:

    Code:
    iptables -X
    iptables -F
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -j DROP #some would say this is not needed but I like to be safe
    This will allow all your connections out and only the replies back in.
    The only time you would need all the rules you have listed below is when you are looking to allow some new connection in.
    You should take a look at the tutorial I posted.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
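Added example, not code from the thread: a small first-match simulator for an iptables filter chain, written to illustrate the two explanations above (post #3 on rule order and the DROP policy applying when nothing matches, post #5 on the minimal ESTABLISHED,RELATED-only INPUT chain). The rules are transcribed from codge's OUTPUT chains and Lazydog's minimal ruleset; the packets, the `Packet`/`Rule` classes and the `walk_chain`/`never_reached` helpers are constructed for illustration and nothing is applied to a real firewall. Interfaces and source addresses are left out because they do not affect the verdicts being shown.

```python
# Added example (not from the thread): first-match simulation of iptables
# filter chains. Shows why the original OUTPUT chain dropped DNS, why the
# port-53 rules fix it, why a catch-all DROP placed early shadows every
# later rule, and what the minimal INPUT chain from post #5 lets in.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

NEW = frozenset({"NEW"})
EST = frozenset({"ESTABLISHED", "RELATED"})
INVALID = frozenset({"INVALID"})


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # destination port, None for icmp
    state: str             # conntrack state: NEW, ESTABLISHED, RELATED, INVALID


@dataclass(frozen=True)
class Rule:
    """One `iptables -A <chain> ... -j <target>` line; unset fields match anything."""
    target: str                              # "ACCEPT" or "DROP"
    proto: Optional[str] = None              # -p
    dport: Optional[int] = None              # --dport
    states: Optional[FrozenSet[str]] = None  # -m state --state

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.states is None or pkt.state in self.states))


def walk_chain(rules: List[Rule], policy: str, pkt: Packet) -> str:
    """Rules are read top to bottom; the first match decides. If nothing
    matches, the chain policy set with -P is the verdict."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def never_reached(rules: List[Rule], samples: List[Packet]) -> List[int]:
    """Indexes of rules that fire for none of the sample packets. Relative to
    a representative sample set this exposes rules shadowed by an earlier one."""
    fired = set()
    for pkt in samples:
        for i, rule in enumerate(rules):
            if rule.matches(pkt):
                fired.add(i)
                break
    return [i for i in range(len(rules)) if i not in fired]


# codge's first OUTPUT chain (post #1), in the order the script appended it.
ORIGINAL_OUTPUT = [
    Rule("ACCEPT", states=EST),
    Rule("DROP", states=INVALID),
    Rule("ACCEPT", proto="tcp", dport=80, states=NEW),
    Rule("ACCEPT", proto="tcp", dport=443, states=NEW),
    Rule("DROP", proto="icmp"),
]

# The OUTPUT chain from post #4: same rules plus NEW to port 53 (tcp and udp).
FIXED_OUTPUT = ORIGINAL_OUTPUT[:4] + [
    Rule("ACCEPT", proto="tcp", dport=53, states=NEW),
    Rule("ACCEPT", proto="udp", dport=53, states=NEW),
    Rule("DROP", proto="icmp"),
]

# Constructed mistake: a catch-all DROP at the top shadows everything below it.
SHADOWED_OUTPUT = [Rule("DROP")] + FIXED_OUTPUT

# Lazydog's minimal INPUT chain from post #5 (there OUTPUT policy is ACCEPT).
MINIMAL_INPUT = [Rule("ACCEPT", states=EST), Rule("DROP")]

# Constructed sample packets.
DNS_QUERY = Packet("udp", 53, "NEW")            # resolver lookup for a hostname
HTTP_SYN = Packet("tcp", 80, "NEW")             # browser opening a connection
HTTP_DATA_OUT = Packet("tcp", 80, "ESTABLISHED")  # data on that connection
SSH_OUT = Packet("tcp", 22, "NEW")              # no rule for this: policy decides
INBOUND_SYN = Packet("tcp", 22, "NEW")          # unsolicited connection attempt
INBOUND_REPLY = Packet("tcp", 51234, "ESTABLISHED")  # reply to our own connection
OUT_SAMPLES = [DNS_QUERY, HTTP_SYN, HTTP_DATA_OUT, SSH_OUT]


if __name__ == "__main__":
    for name, chain in [("original", ORIGINAL_OUTPUT), ("fixed", FIXED_OUTPUT),
                        ("shadowed", SHADOWED_OUTPUT)]:
        verdicts = {p.proto + "/" + str(p.dport) + " " + p.state:
                    walk_chain(chain, "DROP", p) for p in OUT_SAMPLES}
        print(name, verdicts, "unreached:", never_reached(chain, OUT_SAMPLES))
    print("minimal INPUT:", walk_chain(MINIMAL_INPUT, "DROP", INBOUND_SYN),
          walk_chain(MINIMAL_INPUT, "DROP", INBOUND_REPLY))
```

Running the block prints the verdicts for each chain: under the original chain the UDP port-53 query falls through to the DROP policy, which is the DNS failure codge hit, while the fixed chain accepts it; in the shadowed chain every rule after the leading DROP is reported as unreached.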

  7. #6
    Just Joined! codge's Avatar
    Join Date
    Sep 2008
    Location
    Halesowen u.k.
    Posts
    15
    Thank you for your help, I am reading through the tutorial now.

    regards
