We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Course Of The Month
1 day, 22 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Basic iptables client firewall implementation
Posted on 2013-01-24
I'm trying to implement a very basic client firewall that allows ports 22 and 80 in and out, and DNS out on port 53 udp. I've followed along with several resources but can't seem to get DNS to work. To simplify the output a little I've left in SSH only, the following is the output of `iptables -L` after running my script:
The script used to generate the rules is attached.
Thanks a lot for any suggestions.
fw.sh
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- ns1 admin udp spt:domain dpts:1024:65535
ACCEPT tcp -- ns1 admin tcp spt:domain dpts:1024:65535flags:! FIN,SYN,RST,ACK/SYN
ssh tcp -- anywhere admin tcp spt:ssh dpts:1024:65535flags:! FIN,SYN,RST,ACK/SYN
ssh tcp -- anywhere admin tcp spts:1024:65535 dpt:ssh
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- admin ns1 udp spts:1024:65535 dpt:domain
ACCEPT tcp -- admin ns1 tcp spts:1024:65535 dpt:domain
ssh tcp -- admin anywhere tcp spts:1024:65535 dpt:ssh state NEW
ssh tcp -- admin anywhere tcp spt:ssh dpts:1024:65535flags:! FIN,SYN,RST,ACK/SYN
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere
Chain ssh (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
The script used to generate the rules is attached.
Thanks a lot for any suggestions.
fw.sh
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4-
3
7 Comments
Active today
You should refer to the following.
https://help.ubuntu.com/community/IptablesHowTo
Your current setup the first rule on INPUT is to allow all traffic in.
Your forward top rule is LOG everything being passed without actuall passing anything.
Wat is this device? Are you configuring a Linux box as a router/firewall?
Look at fwbuilder.org
https://help.ubuntu.com/community/IptablesHowTo
Your current setup the first rule on INPUT is to allow all traffic in.
Your forward top rule is LOG everything being passed without actuall passing anything.
Wat is this device? Are you configuring a Linux box as a router/firewall?
Look at fwbuilder.org
I've made a couple of changes based on your comments and now DNS works but traffic on 22 and 80 still do not. The listing of rules is now:
Chain INPUT (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
ACCEPT udp -- 10.4.0.1 10.4.0.112 udp spt:53 dpts:1024:65535
ACCEPT tcp -- 10.4.0.1 10.4.0.112 tcp spt:53 dpts:1024:65535flags:! 0x17/0x02
ssh tcp -- 0.0.0.0/0 10.4.0.112 tcp spt:22 dpts:1024:65535flags:! 0x17/0x02
ssh tcp -- 0.0.0.0/0 10.4.0.112 tcp spts:1024:65535 dpt:22
www tcp -- 0.0.0.0/0 10.4.0.112 tcp spt:80 dpts:1024:65535flags:! 0x17/0x02
www tcp -- 0.0.0.0/0 10.4.0.112 tcp spts:1024:65535 dpt:80
syn tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
ACCEPT udp -- 10.4.0.112 10.4.0.1 udp spts:1024:65535 dpt:53
ACCEPT tcp -- 10.4.0.112 10.4.0.1 tcp spts:1024:65535 dpt:53
ssh tcp -- 10.4.0.112 0.0.0.0/0 tcp spts:1024:65535 dpt:22 state NEW
ssh tcp -- 10.4.0.112 0.0.0.0/0 tcp spt:22 dpts:1024:65535flags:! 0x17/0x02
www tcp -- 10.4.0.112 0.0.0.0/0 tcp spts:1024:65535 dpt:80
www tcp -- 10.4.0.112 0.0.0.0/0 tcp spt:80 dpts:1024:65535flags:! 0x17/0x02
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ssh (4 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain syn (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain www (4 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
After reordering the rules again everything is working, the final listing is:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 10.4.0.1 10.4.0.112 udp spt:53 dpts:1024:65535
ACCEPT tcp -- 10.4.0.1 10.4.0.112 tcp spt:53 dpts:1024:65535flags:! 0x17/0x02
SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
WWW tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW,ESTABLISHED
WWW tcp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 80,443 state ESTABLISHED
icmp icmp -- 0.0.0.0/0 10.4.0.112 icmptype 0 state RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 10.4.0.112 10.4.0.1 udp spts:1024:65535 dpt:53
ACCEPT tcp -- 10.4.0.112 10.4.0.1 tcp spts:1024:65535 dpt:53
SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
WWW tcp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 80,443 state ESTABLISHED
WWW tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW,ESTABLISHED
icmp icmp -- 10.4.0.112 0.0.0.0/0 icmptype 8 state NEW,RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain SSH (4 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain WWW (4 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain icmp (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Active today
This seems as a setup for single system firewall.
You have unnecessary extra established rules.
You have unnecessary extra established rules.
Which rules would you say are extra? This isn't really intended for anything specific, I'm really just trying to understand iptables better.
Active today
You would have a single rule as top rule allowing established and related traffic in without regard to the dport. From anywhere to anywhere on the INPUT.
The order of the rules should be arranged to minimize per packet evaluation.
Iptables can be use to protect the system or behave as a firewall to protect the network.
You may find it usefull.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#.UQLWBXy9KSM
This outlines the flow chart of packets entering and exiting the system or a network.
Using chains I.e. a chaina in INPUT and FORWARD means you add a rule into chaina such as
-p tcp -m tcp -dport 22 -j ACCEPT
This will result in allowing an inbound ssh connection to enter (INPUT) and pass (FORWARD) to the service running on the system.
The other way you would need to add individual rules to each of the two tables.
The order of the rules should be arranged to minimize per packet evaluation.
Iptables can be use to protect the system or behave as a firewall to protect the network.
You may find it usefull.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#.UQLWBXy9KSM
This outlines the flow chart of packets entering and exiting the system or a network.
Using chains I.e. a chaina in INPUT and FORWARD means you add a rule into chaina such as
-p tcp -m tcp -dport 22 -j ACCEPT
This will result in allowing an inbound ssh connection to enter (INPUT) and pass (FORWARD) to the service running on the system.
The other way you would need to add individual rules to each of the two tables.
Featured Post
The purpose of this paper is to provide you background on SQL Server. Itās your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years. You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will giveā¦
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
Learn how to navigate the file tree with the shell.
Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to moveā¦
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Suggested Courses
Course of the Month1 day, 22 hours left to enroll
717 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.