Iptables internet access problem

Printable View

08-18-2010
codge

Iptables internet access problem

I have a problem with a iptables firewall, if I use this file below I have limited internet access. ie I can't use google.com or google.co.uk as a homepage but I can use cuil.com/

I can access debian forums but not this forum this problem happens on a lot of other sites. ( I can't post the urls)

If I edit the firewall by adding “iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT” Then I have full access. Does anyone know why this is. This is on a desktop i only need internet access

regards

Code:

############################################################### ### Remove all previous rules, and delete any user defined chains ### iptables -X iptables -F iptables -t nat -X iptables -t nat -F iptables -t mangle -X iptables -t mangle -F ############################################################### ### Set the default policies to drop ### iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP ############################################################## ###drop spoofed packets-causes slow connection ### #iptables -A INPUT --in-interface lo --source 127.0.0.0/8 -j DROP ############################################################### ### Define interfaces here ### # Enter the designation for the Internal Interface's INTIF=eth0 # Enter the IP address of the Internal Interface INTIP=192.***.*.**/24 # Enter the designation for the Internal Interface's EXTIF=eth1 # Enter the IP address of the external Interface EXTIP=81.***.**.* ############################################################### ### BAD GUYS (Block Source IP Address) ### #iptables -A INPUT -s 82.94.249.158 -j DROP ###porn-hub### iptables -A INPUT -s 146.82.202.179 -j DROP iptables -A INPUT -s 146.82.202.170 -j DROP iptables -A INPUT -s 146.82.203.166 -j DROP iptables -A INPUT -s 146.82.203.203 -j DROP iptables -A INPUT -s 146.82.203.243 -j DROP iptables -A INPUT -s 146.82.202.180 -j DROP iptables -A INPUT -s 146.82.203.228 -j DROP iptables -A INPUT -s 146.82.203.242 -j DROP iptables -A INPUT -s 146.82.204.113 -j DROP iptables -A INPUT -s 146.82.200.125 -j DROP iptables -A INPUT -s 146.82.203.230 -j DROP iptables -A INPUT -s 146.82.202.154 -j DROP iptables -A INPUT -s 146.82.204.17 -j DROP iptables -A INPUT -s 146.82.204.131 -j DROP iptables -A INPUT -s 146.82.204.35 -j DROP iptables -A INPUT -s 146.82.202.169 -j DROP iptables -A INPUT -s 146.82.204.47 -j DROP ############################################################### ### Allow Established connections ### iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT ############################################################### ### Accept all LOOPBACK (lo) traffic ### iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT ############################################################### ### Drop broken packets ### iptables -A INPUT -m state --state INVALID -j DROP iptables -A FORWARD -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state INVALID -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP ############################################################### ### INBOUND Rules: Allow ONLY NEW packets on these ports ###. # Web browser and shell use port 80 # iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 80 -j ACCEPT iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 123 -j ACCEPT iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 443 -j ACCEPT ############################################################### ### OUTBOUND Rules: Allow ONLY NEW packets on these ports ###. iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT ############################################################### ### Don't Allow all ICMP Traffic (optional) - IN, OUT and THROUGH ### iptables -A INPUT -p icmp --icmp-type any -j DROP iptables -A OUTPUT -p icmp --icmp-type any -j DROP iptables -A FORWARD -p icmp --icmp-type any -j DROP ############################################################## ### Log everything else, Required for psad ### iptables -A INPUT -j LOG iptables -A FORWARD -j LOG ############################################################### ### If you have fwsnort installed### #fwsnort #/etc/fwsnort/fwsnort.sh
08-18-2010
codge

If i use this as my output rules i get full connection is this acceptable?

Code:

### OUTBOUND Rules: Allow ONLY NEW packets on these ports ###. iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

with this:

Code:

### Allow Established connections ### iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
08-19-2010
Lazydog

The first question is are you hosting anything that would require out side access to your system? If no then you should not be allowing anything but ESTABLISHED,RELATED connections.

The reason you are having issues is I beleive you are confusing the INPUT and OUTPUT statements.

INPUT is what is coming into the system
OUTPUT is what is leaving the system.

If your system only has 1 ethernet connection then I do not believe you need to FORWARD anything and FORWARD rules cvan be removed also.

Because yopu already have ESTABLISHED,RELATED rules for OUTPUT then you don't need to include them in your rules that follow. They can be simply NEW ie.,

Code:

iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

Rule order is VERY important!!

Firewall rules are read from top to bottom and executed in that order. So anything that comes after a DROP will never be executed in a chain. A chain is your INPUT or OUTPUT or FORWARD. It can also be user defined.

To get to your origianl question. The reason everything was being dropped before you added the output rule for NEW,ESTABLISHED,RELATED is because of your policy setting. In your case it was set to DROP. What happens is when a packet enters the firewall rules the are match against every rule until one matches and is executed. In your case there were no rules for NEW packets so the last rule, the policy, was applied. Thus all packest were dropped.

If you would like to read up on IPTABLES this TUTORIAL is a very good one.
08-19-2010
codge

Thanks for the reply, I am not hosting anything on this computer all i need is to do is access the internet and to update via apt-get (debian). I continued to adjust the firewall after i posted here. I did alter the firewall to only new on the output, the problem with internet access was because i did not add iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT to the firewall. So the problem was dns related i presume. Is there anything i can do to this configuration below to make it more secure? Thank you.

regards

Code:

#!/bin/bash echo -n "### Loading iptables firewall ###" ############################################################### ### Remove all previous rules, and delete any user defined chains ### iptables -X iptables -F iptables -t nat -X iptables -t nat -F iptables -t mangle -X iptables -t mangle -F ############################################################### ### Set the default policies to drop ### iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP ############################################################### ### Define interfaces here ### # Enter the designation for the Internal Interface's INTIF=eth0 # Enter the IP address of the Internal Interface INTIP=192.***.*.**/24 # Enter the designation for the Internal Interface's EXTIF=eth1 # Enter the IP address of the external Interface EXTIP=81.***.**.* ############################################################### ### BAD GUYS (Block Source IP Address) ### ###porn-hub### iptables -A INPUT -s 146.82.202.179 -j DROP iptables -A INPUT -s 146.82.202.170 -j DROP iptables -A INPUT -s 146.82.203.166 -j DROP iptables -A INPUT -s 146.82.203.203 -j DROP iptables -A INPUT -s 146.82.203.243 -j DROP iptables -A INPUT -s 146.82.202.180 -j DROP iptables -A INPUT -s 146.82.203.228 -j DROP iptables -A INPUT -s 146.82.203.242 -j DROP iptables -A INPUT -s 146.82.204.113 -j DROP iptables -A INPUT -s 146.82.200.125 -j DROP iptables -A INPUT -s 146.82.203.230 -j DROP iptables -A INPUT -s 146.82.202.154 -j DROP iptables -A INPUT -s 146.82.204.17 -j DROP iptables -A INPUT -s 146.82.204.131 -j DROP iptables -A INPUT -s 146.82.204.35 -j DROP iptables -A INPUT -s 146.82.202.169 -j DROP iptables -A INPUT -s 146.82.204.47 -j DROP ############################################################### ### Allow Established connections ### iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT ############################################################### ### Accept all LOOPBACK (lo) traffic ### iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT ############################################################### ### Drop broken packets ### iptables -A INPUT -m state --state INVALID -j DROP iptables -A FORWARD -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state INVALID -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP ############################################################### ### INBOUND Rules: Allow ONLY NEW packets on these ports ###. # Web browser and shell use port 80 # iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 80 -j ACCEPT iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 123 -j ACCEPT #iptables -A INPUT -i eth0 -s 192.***.*.**/24 -p tcp --dport 443 -j ACCEPT ############################################################### ### OUTBOUND Rules: Allow ONLY NEW packets on these ports ###. iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT ############################################################### ### Don't Allow all ICMP Traffic (optional) - IN, OUT and THROUGH ### iptables -A INPUT -p icmp --icmp-type any -j DROP iptables -A OUTPUT -p icmp --icmp-type any -j DROP iptables -A FORWARD -p icmp --icmp-type any -j DROP ############################################################## ### Log everything else, Required for psad ### iptables -A INPUT -j LOG iptables -A FORWARD -j LOG ############################################################### ### If you have fwsnort installed### #fwsnort #/etc/fwsnort/fwsnort.sh echo "### Firewall Loaded ###" exit 0
08-20-2010
Lazydog

If you are hosting nothing but would like the system to have full access to the internet then you simple only need the following rules:

Code:

iptables -X iptables -F iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -j DROP #some would say this is not needed but I like to be safe

This will allow all your connections out and only the replies back in.
The only time you would need all the rules you have listed below is when you are looking to allow some new connection in.
You should take a look at the tutorial I posted.
08-20-2010
codge

Thank you for your help, I am reading through the tutorial now.

regards