- 08-18-2010 #1
Iptables internet access problem
I have a problem with an iptables firewall: if I use the file below I have limited internet access, i.e. I can't use google.com or google.co.uk as a homepage, but I can use cuil.com/.
I can access the Debian forums but not this forum; this problem happens on a lot of other sites. (I can't post the URLs.)
If I edit the firewall by adding "iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" then I have full access. Does anyone know why this is? This is on a desktop; I only need internet access.
regards
Code:
###############################################################
### Remove all previous rules, and delete any user defined chains ###
iptables -X
iptables -F
iptables -t nat -X
iptables -t nat -F
iptables -t mangle -X
iptables -t mangle -F
###############################################################
### Set the default policies to drop ###
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
##############################################################
### Drop spoofed packets - causes slow connection ###
#iptables -A INPUT --in-interface lo --source 127.0.0.0/8 -j DROP
###############################################################
### Define interfaces here ###
# Enter the designation for the Internal Interface
INTIF=eth0
# Enter the IP address of the Internal Interface
INTIP=192.***.*.**/24
# Enter the designation for the External Interface
EXTIF=eth1
# Enter the IP address of the External Interface
EXTIP=81.***.**.*
###############################################################
### BAD GUYS (Block Source IP Address) ###
#iptables -A INPUT -s 82.94.249.158 -j DROP
###porn-hub###
iptables -A INPUT -s 146.82.202.179 -j DROP
iptables -A INPUT -s 146.82.202.170 -j DROP
iptables -A INPUT -s 146.82.203.166 -j DROP
iptables -A INPUT -s 146.82.203.203 -j DROP
iptables -A INPUT -s 146.82.203.243 -j DROP
iptables -A INPUT -s 146.82.202.180 -j DROP
iptables -A INPUT -s 146.82.203.228 -j DROP
iptables -A INPUT -s 146.82.203.242 -j DROP
iptables -A INPUT -s 146.82.204.113 -j DROP
iptables -A INPUT -s 146.82.200.125 -j DROP
iptables -A INPUT -s 146.82.203.230 -j DROP
iptables -A INPUT -s 146.82.202.154 -j DROP
iptables -A INPUT -s 146.82.204.17 -j DROP
iptables -A INPUT -s 146.82.204.131 -j DROP
iptables -A INPUT -s 146.82.204.35 -j DROP
iptables -A INPUT -s 146.82.202.169 -j DROP
iptables -A INPUT -s 146.82.204.47 -j DROP
###############################################################
### Allow Established connections ###
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
###############################################################
### Accept all LOOPBACK (lo) traffic ###
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
###############################################################
### Drop broken packets ###
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
###############################################################
### INBOUND Rules: Allow ONLY NEW packets on these ports ###
# Web browser and shell use port 80 #
iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 123 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 443 -j ACCEPT
###############################################################
### OUTBOUND Rules: Allow ONLY NEW packets on these ports ###
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
###############################################################
### Don't Allow all ICMP Traffic (optional) - IN, OUT and THROUGH ###
iptables -A INPUT -p icmp --icmp-type any -j DROP
iptables -A OUTPUT -p icmp --icmp-type any -j DROP
iptables -A FORWARD -p icmp --icmp-type any -j DROP
##############################################################
### Log everything else, Required for psad ###
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
###############################################################
### If you have fwsnort installed ###
#fwsnort
#/etc/fwsnort/fwsnort.sh
- 08-18-2010 #2
If I use this as my output rules I get a full connection. Is this acceptable?
With this:
Code:
### OUTBOUND Rules: Allow ONLY NEW packets on these ports ###
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Code:
### Allow Established connections ###
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
- 08-19-2010 #3
The first question is: are you hosting anything that would require outside access to your system? If not, then you should not be allowing anything but ESTABLISHED,RELATED connections.
The reason you are having issues is, I believe, that you are confusing the INPUT and OUTPUT statements.
INPUT is what is coming into the system
OUTPUT is what is leaving the system.
If your system only has one ethernet connection then I do not believe you need to FORWARD anything, and the FORWARD rules can be removed also.
Because you already have ESTABLISHED,RELATED rules for OUTPUT, you don't need to include them in the rules that follow. They can simply be NEW, i.e.:
Rule order is VERY important!!
Code:
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
Firewall rules are read from top to bottom and executed in that order. So anything that comes after a DROP will never be executed in a chain. A chain is your INPUT or OUTPUT or FORWARD. It can also be user defined.
To get to your original question: the reason everything was being dropped before you added the OUTPUT rule for NEW,ESTABLISHED,RELATED is your policy setting. In your case it was set to DROP. When a packet enters the firewall, the rules are matched against it one by one until one matches and is executed. In your case there were no rules for NEW packets, so the last rule, the policy, was applied. Thus all packets were dropped.
If you would like to read up on IPTABLES this TUTORIAL is a very good one.
- 08-19-2010 #4
Thanks for the reply. I am not hosting anything on this computer; all I need to do is access the internet and update via apt-get (Debian). I continued to adjust the firewall after I posted here. I did alter the firewall to only NEW on the output; the problem with internet access was because I did not add iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT to the firewall. So the problem was DNS related, I presume. Is there anything I can do to the configuration below to make it more secure? Thank you.
regards
Code:
#!/bin/bash
echo -n "### Loading iptables firewall ###"
###############################################################
### Remove all previous rules, and delete any user defined chains ###
iptables -X
iptables -F
iptables -t nat -X
iptables -t nat -F
iptables -t mangle -X
iptables -t mangle -F
###############################################################
### Set the default policies to drop ###
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
###############################################################
### Define interfaces here ###
# Enter the designation for the Internal Interface
INTIF=eth0
# Enter the IP address of the Internal Interface
INTIP=192.***.*.**/24
# Enter the designation for the External Interface
EXTIF=eth1
# Enter the IP address of the External Interface
EXTIP=81.***.**.*
###############################################################
### BAD GUYS (Block Source IP Address) ###
###porn-hub###
iptables -A INPUT -s 146.82.202.179 -j DROP
iptables -A INPUT -s 146.82.202.170 -j DROP
iptables -A INPUT -s 146.82.203.166 -j DROP
iptables -A INPUT -s 146.82.203.203 -j DROP
iptables -A INPUT -s 146.82.203.243 -j DROP
iptables -A INPUT -s 146.82.202.180 -j DROP
iptables -A INPUT -s 146.82.203.228 -j DROP
iptables -A INPUT -s 146.82.203.242 -j DROP
iptables -A INPUT -s 146.82.204.113 -j DROP
iptables -A INPUT -s 146.82.200.125 -j DROP
iptables -A INPUT -s 146.82.203.230 -j DROP
iptables -A INPUT -s 146.82.202.154 -j DROP
iptables -A INPUT -s 146.82.204.17 -j DROP
iptables -A INPUT -s 146.82.204.131 -j DROP
iptables -A INPUT -s 146.82.204.35 -j DROP
iptables -A INPUT -s 146.82.202.169 -j DROP
iptables -A INPUT -s 146.82.204.47 -j DROP
###############################################################
### Allow Established connections ###
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
###############################################################
### Accept all LOOPBACK (lo) traffic ###
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
###############################################################
### Drop broken packets ###
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
###############################################################
### INBOUND Rules: Allow ONLY NEW packets on these ports ###
# Web browser and shell use port 80 #
iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 123 -j ACCEPT
#iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 443 -j ACCEPT
###############################################################
### OUTBOUND Rules: Allow ONLY NEW packets on these ports ###
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
###############################################################
### Don't Allow all ICMP Traffic (optional) - IN, OUT and THROUGH ###
iptables -A INPUT -p icmp --icmp-type any -j DROP
iptables -A OUTPUT -p icmp --icmp-type any -j DROP
iptables -A FORWARD -p icmp --icmp-type any -j DROP
##############################################################
### Log everything else, Required for psad ###
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
###############################################################
### If you have fwsnort installed ###
#fwsnort
#/etc/fwsnort/fwsnort.sh
echo "### Firewall Loaded ###"
exit 0
- 08-20-2010 #5
If you are hosting nothing but would like the system to have full access to the internet, then you simply need the following rules.
This will allow all your connections out and only the replies back in.
Code:
iptables -X
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP  # some would say this is not needed but I like to be safe
The only time you would need all the rules you have listed below is when you are looking to allow some new connection in.
You should take a look at the tutorial I posted.
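The behaviour described in post #3 (first matching rule wins, the chain policy applies only when nothing matched, and a DROP placed early shadows everything after it), the missing udp/53 rule the original poster found in post #4, and the minimal "everything out, only replies in" ruleset from post #5 can all be replayed with a small model of an iptables chain. The code below is an added illustration written for this thread, not code from any post; it is a stand-in for the kernel's netfilter evaluation that handles only -p, --dport and -m state, ignores interface (-i/-o) and tcp-flags matches, and uses constructed packets with an assumed conntrack state.

```python
# Added example (not from the thread): first-match model of an iptables chain.
# Only -p, --dport and -m state are modelled; -i/-o and --tcp-flags are left out.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for icmp
    state: str            # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass(frozen=True)
class Rule:
    target: str                         # -j ACCEPT or -j DROP
    proto: Optional[str] = None         # -p; None matches any protocol
    dport: Optional[int] = None         # --dport; None matches any port
    states: Optional[frozenset] = None  # -m state --state; None means no state match

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


@dataclass
class Chain:
    policy: str                                   # iptables -P <chain> <policy>
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Walk the chain top to bottom; the first matching rule decides.
        Returns (target, index of the deciding rule), or (policy, None) when
        no rule matched and the chain's default policy was applied."""
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.target, i
        return self.policy, None


def st(*names: str) -> frozenset:
    return frozenset(names)


def original_output_chain() -> Chain:
    """OUTPUT chain from post #1 (minus the lo rule): policy DROP, NEW only for tcp/80 and tcp/443."""
    return Chain("DROP", [
        Rule("ACCEPT", states=st("ESTABLISHED", "RELATED")),
        Rule("DROP", states=st("INVALID")),
        Rule("ACCEPT", proto="tcp", dport=80, states=st("NEW")),
        Rule("ACCEPT", proto="tcp", dport=443, states=st("NEW")),
        Rule("DROP", proto="icmp"),
    ])


def fixed_output_chain() -> Chain:
    """Post #4's fix: NEW tcp/53 and udp/53 rules placed after the 443 rule,
    so the first packet of a DNS lookup no longer falls through to the DROP policy."""
    chain = original_output_chain()
    chain.rules.insert(4, Rule("ACCEPT", proto="tcp", dport=53, states=st("NEW")))
    chain.rules.insert(5, Rule("ACCEPT", proto="udp", dport=53, states=st("NEW")))
    return chain


def misordered_output_chain() -> Chain:
    """Post #3's warning about order: a catch-all DROP placed first shadows
    every ACCEPT after it, so even the tcp/80 rule never fires."""
    return Chain("DROP", [
        Rule("DROP"),
        Rule("ACCEPT", proto="tcp", dport=80, states=st("NEW")),
    ])


def minimal_chains() -> Tuple[Chain, Chain]:
    """Post #5's ruleset for a host that serves nothing: OUTPUT policy ACCEPT,
    INPUT accepts ESTABLISHED,RELATED and then drops (the explicit DROP mirrors the policy)."""
    inbound = Chain("DROP", [
        Rule("ACCEPT", states=st("ESTABLISHED", "RELATED")),
        Rule("DROP"),
    ])
    outbound = Chain("ACCEPT", [])
    return inbound, outbound


if __name__ == "__main__":
    dns = Packet("udp", 53, "NEW")  # constructed: first packet of a DNS query
    print("original OUTPUT, udp/53 NEW:", original_output_chain().verdict(dns))
    print("fixed OUTPUT,    udp/53 NEW:", fixed_output_chain().verdict(dns))
    print("misordered,      tcp/80 NEW:", misordered_output_chain().verdict(Packet("tcp", 80, "NEW")))
    inbound, outbound = minimal_chains()
    print("minimal INPUT,   tcp/22 NEW:", inbound.verdict(Packet("tcp", 22, "NEW")))
    print("minimal INPUT,   reply:     ", inbound.verdict(Packet("tcp", 40000, "ESTABLISHED")))
```

Running it shows the udp/53 query hitting the policy (DROP, None) on the original chain and rule 5 (ACCEPT) on the fixed one, which is exactly the difference between "google.com won't load" and a working desktop; the minimal chains show an unsolicited inbound SYN dropped by rule 1 while a reply to an outbound connection is accepted by rule 0.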
- 08-20-2010 #6
Thank you for your help, I am reading through the tutorial now.
regards