Basic iptables client firewall implementation

Posted on 2013-01-24
Last Modified: 2013-01-25
I'm trying to implement a very basic client firewall that allows ports 22 and 80 in and out, and DNS out on port 53 udp. I've followed along with several resources but can't seem to get DNS to work. To simplify the output a little I've left in SSH only, the following is the output of `iptables -L` after running my script:
Chain INPUT (policy DROP)
target     prot opt source       destination         
ACCEPT     all  --  anywhere     anywhere            
ACCEPT     udp  --  ns1          admin        udp spt:domain dpts:1024:65535
ACCEPT     tcp  --  ns1          admin        tcp spt:domain dpts:1024:65535 flags:! FIN,SYN,RST,ACK/SYN
ssh        tcp  --  anywhere     admin        tcp spt:ssh dpts:1024:65535 flags:! FIN,SYN,RST,ACK/SYN
ssh        tcp  --  anywhere     admin        tcp spts:1024:65535 dpt:ssh
LOG        all  --  anywhere     anywhere     limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere     anywhere            

Chain FORWARD (policy DROP)
target     prot opt source       destination         
LOG        all  --  anywhere     anywhere     limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere     anywhere            

Chain OUTPUT (policy DROP)
target     prot opt source       destination         
ACCEPT     all  --  anywhere     anywhere            
ACCEPT     udp  --  admin        ns1          udp spts:1024:65535 dpt:domain
ACCEPT     tcp  --  admin        ns1          tcp spts:1024:65535 dpt:domain
ssh        tcp  --  admin        anywhere     tcp spts:1024:65535 dpt:ssh state NEW
ssh        tcp  --  admin        anywhere     tcp spt:ssh dpts:1024:65535 flags:! FIN,SYN,RST,ACK/SYN
LOG        all  --  anywhere     anywhere     limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere     anywhere            

Chain ssh (4 references)
target     prot opt source       destination         
ACCEPT     all  --  anywhere     anywhere



The script used to generate the rules is attached.

Thanks a lot for any suggestions.
fw.sh
Question by:coanda
7 Comments
 
LVL 79

Accepted Solution

by:
arnold earned 1500 total points
ID: 38817221
You should refer to the following.
https://help.ubuntu.com/community/IptablesHowTo

In your current setup, the first rule on INPUT is to allow all traffic in.
Your FORWARD top rule is LOG everything being passed without actually passing anything.

What is this device? Are you configuring a Linux box as a router/firewall?

Look at fwbuilder.org
 
LVL 79

Expert Comment

by:arnold
ID: 38817232
Look at
iptables -t filter -L
iptables -t nat -L
 
LVL 3

Author Comment

by:coanda
ID: 38817789
I've made a couple of changes based on your comments and now DNS works but traffic on 22 and 80 still do not. The listing of rules is now:
Chain INPUT (policy DROP)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
ACCEPT     udp  --  10.4.0.1             10.4.0.112           udp spt:53 dpts:1024:65535
ACCEPT     tcp  --  10.4.0.1             10.4.0.112           tcp spt:53 dpts:1024:65535 flags:! 0x17/0x02
ssh        tcp  --  0.0.0.0/0            10.4.0.112           tcp spt:22 dpts:1024:65535 flags:! 0x17/0x02
ssh        tcp  --  0.0.0.0/0            10.4.0.112           tcp spts:1024:65535 dpt:22
www        tcp  --  0.0.0.0/0            10.4.0.112           tcp spt:80 dpts:1024:65535 flags:! 0x17/0x02
www        tcp  --  0.0.0.0/0            10.4.0.112           tcp spts:1024:65535 dpt:80
syn        tcp  --  0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x02
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
ACCEPT     udp  --  10.4.0.112           10.4.0.1             udp spts:1024:65535 dpt:53
ACCEPT     tcp  --  10.4.0.112           10.4.0.1             tcp spts:1024:65535 dpt:53
ssh        tcp  --  10.4.0.112           0.0.0.0/0            tcp spts:1024:65535 dpt:22 state NEW
ssh        tcp  --  10.4.0.112           0.0.0.0/0            tcp spt:22 dpts:1024:65535 flags:! 0x17/0x02
www        tcp  --  10.4.0.112           0.0.0.0/0            tcp spts:1024:65535 dpt:80
www        tcp  --  10.4.0.112           0.0.0.0/0            tcp spt:80 dpts:1024:65535 flags:! 0x17/0x02
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain ssh (4 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain syn (1 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain www (4 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

 
LVL 3

Author Comment

by:coanda
ID: 38817968
After reordering the rules again everything is working, the final listing is:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  10.4.0.1             10.4.0.112           udp spt:53 dpts:1024:65535
ACCEPT     tcp  --  10.4.0.1             10.4.0.112           tcp spt:53 dpts:1024:65535flags:! 0x17/0x02
SSH        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
SSH        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
WWW        tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 state NEW,ESTABLISHED
WWW        tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 80,443 state ESTABLISHED
icmp       icmp --  0.0.0.0/0            10.4.0.112           icmptype 0 state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  10.4.0.112           10.4.0.1             udp spts:1024:65535 dpt:53
ACCEPT     tcp  --  10.4.0.112           10.4.0.1             tcp spts:1024:65535 dpt:53
SSH        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
SSH        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
WWW        tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 80,443 state ESTABLISHED
WWW        tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 state NEW,ESTABLISHED
icmp       icmp --  10.4.0.112           0.0.0.0/0            icmptype 8 state NEW,RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain SSH (4 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain WWW (4 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain icmp (2 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0


 
LVL 79

Expert Comment

by:arnold
ID: 38818693
This seems like a setup for a single-system firewall.
You have unnecessary extra established rules.
 
LVL 3

Author Comment

by:coanda
ID: 38819799
Which rules would you say are extra? This isn't really intended for anything specific, I'm really just trying to understand iptables better.
 
LVL 79

Expert Comment

by:arnold
ID: 38819885
You would have a single rule as top rule allowing established and related traffic in without regard to the dport. From anywhere to anywhere on the INPUT.

The order of the rules should be arranged to minimize per packet evaluation.

Iptables can be used to protect the system or behave as a firewall to protect the network.


You may find it useful.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#.UQLWBXy9KSM

This outlines the flow chart of packets entering and exiting the system or a network.

Using chains, i.e. a chain chaina referenced from INPUT and FORWARD, means you add a rule into chaina such as
-p tcp -m tcp --dport 22 -j ACCEPT
This will result in allowing an inbound SSH connection to enter (INPUT) and pass (FORWARD) to the service running on the system.
Otherwise, you would need to add individual rules to each of the two tables.
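As an added example (this is neither the fw.sh attached to the question nor code from any of the comments), here is a single-host policy laid out the way the comment above describes: one conntrack rule at the top of INPUT and OUTPUT accepts every reply packet, so each service needs only a NEW-state rule on its destination port, and the inbound allow-list lives in a single user-defined chain. The resolver address 10.4.0.1 is taken from the listings in this thread; the port lists, the chain name SERVICES_IN and the IPT override used for dry runs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the fw.sh from the question. Single-host iptables policy:
# conntrack first, NEW-only service rules, rate-limited LOG, DROP policies.
#
# Usage (assumption: IPT may be overridden to preview the commands):
#   IPT=echo sh fw.sh apply     # print the iptables commands, no root needed
#   sudo sh fw.sh apply         # load them for real
set -eu

IPT="${IPT:-iptables}"
DNS_SERVER="${DNS_SERVER:-10.4.0.1}"          # resolver from the listings
IN_TCP_PORTS="${IN_TCP_PORTS:-22 80}"         # services this host offers (assumed)
OUT_TCP_PORTS="${OUT_TCP_PORTS:-22 80 443}"   # services this host may reach (assumed)

ipt() { $IPT "$@"; }

apply_rules() {
    # Start clean: flush every chain in the filter table, delete user chains.
    ipt -F
    ipt -X

    # Loopback and reply traffic first. These rules match nearly every packet,
    # so everything below is only evaluated for NEW connections. They are added
    # before the policies switch to DROP so that a live SSH session (already
    # ESTABLISHED in conntrack) survives a reload of the ruleset.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT  -m conntrack --ctstate INVALID -j DROP

    # Fail closed. FORWARD carries nothing on a host that does not route.
    ipt -P INPUT   DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT  DROP

    # Inbound services: one user chain referenced from INPUT. Because the
    # conntrack rule above already passed the replies, no spt:22/ESTABLISHED
    # mirror rules are needed here.
    ipt -N SERVICES_IN
    for p in $IN_TCP_PORTS; do
        ipt -A SERVICES_IN -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j SERVICES_IN
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Outbound: DNS only to the configured resolver, over UDP and TCP
    # (truncated answers are retried over TCP), plus the listed TCP ports.
    ipt -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A OUTPUT -p tcp -d "$DNS_SERVER" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    for p in $OUT_TCP_PORTS; do
        ipt -A OUTPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    ipt -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Whatever is left is logged (rate-limited, as in the question) and then
    # dropped by the chain policy; no trailing DROP rule is required.
    for chain in INPUT FORWARD OUTPUT; do
        ipt -A "$chain" -m limit --limit 5/min --limit-burst 5 \
            -j LOG --log-prefix "iptables denied: " --log-level 7
    done
}

# Only touch the live ruleset when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

After loading, check the result with `iptables -S` (rules in command form) or `iptables -L -v -n --line-numbers`: the `-v` adds the in/out interface columns that plain `iptables -L` omits, so a loopback rule like `-i lo -j ACCEPT` shows up in the plain listing as nothing more than `ACCEPT all -- anywhere anywhere`, which is what the top of INPUT looks like in the listings above. `-m conntrack --ctstate` is the current form of the older `-m state --state` match seen in the final listing; both mean the same thing.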