Solved

Basic iptables client firewall implementation

Posted on 2013-01-24
7
1,116 Views
Last Modified: 2013-01-25
I'm trying to implement a very basic client firewall that allows ports 22 and 80 in and out, and DNS out on port 53 udp. I've followed along with several resources but can't seem to get DNS to work. To simplify the output a little I've left in SSH only, the following is the output of `iptables -L` after running my script:
Chain INPUT (policy DROP)
target     prot opt source       destination         
ACCEPT     all  --  anywhere     anywhere            
ACCEPT     udp  --  ns1          admin        udp spt:domain dpts:1024:65535
ACCEPT     tcp  --  ns1          admin        tcp spt:domain dpts:1024:65535flags:! FIN,SYN,RST,ACK/SYN
ssh        tcp  --  anywhere     admin        tcp spt:ssh dpts:1024:65535flags:! FIN,SYN,RST,ACK/SYN
ssh        tcp  --  anywhere     admin        tcp spts:1024:65535 dpt:ssh
LOG        all  --  anywhere     anywhere     limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere     anywhere            

Chain FORWARD (policy DROP)
target     prot opt source       destination         
LOG        all  --  anywhere     anywhere     limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere     anywhere            

Chain OUTPUT (policy DROP)
target     prot opt source       destination         
ACCEPT     all  --  anywhere     anywhere            
ACCEPT     udp  --  admin        ns1          udp spts:1024:65535 dpt:domain
ACCEPT     tcp  --  admin        ns1          tcp spts:1024:65535 dpt:domain
ssh        tcp  --  admin        anywhere     tcp spts:1024:65535 dpt:ssh state NEW
ssh        tcp  --  admin        anywhere     tcp spt:ssh dpts:1024:65535flags:! FIN,SYN,RST,ACK/SYN
LOG        all  --  anywhere     anywhere     limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere     anywhere            

Chain ssh (4 references)
target     prot opt source       destination         
ACCEPT     all  --  anywhere     anywhere

The script used to generate the rules is attached.

Thanks a lot for any suggestions.
fw.sh
0
Question by:coanda
7 Comments
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
ID: 38817221
You should refer to the following.
https://help.ubuntu.com/community/IptablesHowTo

In your current setup the first rule on INPUT is to allow all traffic in.
Your FORWARD top rule is to LOG everything being passed without actually passing anything.

What is this device? Are you configuring a Linux box as a router/firewall?

Look at fwbuilder.org
0
 
LVL 76

Expert Comment

by:arnold
ID: 38817232
Look at
iptables -t filter -L
iptables -t nat -L
0
 
LVL 3

Author Comment

by:coanda
ID: 38817789
I've made a couple of changes based on your comments and now DNS works, but traffic on 22 and 80 still does not. The listing of rules is now:
Chain INPUT (policy DROP)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
ACCEPT     udp  --  10.4.0.1             10.4.0.112           udp spt:53 dpts:1024:65535
ACCEPT     tcp  --  10.4.0.1             10.4.0.112           tcp spt:53 dpts:1024:65535flags:! 0x17/0x02
ssh        tcp  --  0.0.0.0/0            10.4.0.112           tcp spt:22 dpts:1024:65535flags:! 0x17/0x02
ssh        tcp  --  0.0.0.0/0            10.4.0.112           tcp spts:1024:65535 dpt:22
www        tcp  --  0.0.0.0/0            10.4.0.112           tcp spt:80 dpts:1024:65535flags:! 0x17/0x02
www        tcp  --  0.0.0.0/0            10.4.0.112           tcp spts:1024:65535 dpt:80
syn        tcp  --  0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x02
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
ACCEPT     udp  --  10.4.0.112           10.4.0.1             udp spts:1024:65535 dpt:53
ACCEPT     tcp  --  10.4.0.112           10.4.0.1             tcp spts:1024:65535 dpt:53
ssh        tcp  --  10.4.0.112           0.0.0.0/0            tcp spts:1024:65535 dpt:22 state NEW
ssh        tcp  --  10.4.0.112           0.0.0.0/0            tcp spt:22 dpts:1024:65535flags:! 0x17/0x02
www        tcp  --  10.4.0.112           0.0.0.0/0            tcp spts:1024:65535 dpt:80
www        tcp  --  10.4.0.112           0.0.0.0/0            tcp spt:80 dpts:1024:65535flags:! 0x17/0x02
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain ssh (4 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain syn (1 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain www (4 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

0
 
LVL 3

Author Comment

by:coanda
ID: 38817968
After reordering the rules again everything is working, the final listing is:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  10.4.0.1             10.4.0.112           udp spt:53 dpts:1024:65535
ACCEPT     tcp  --  10.4.0.1             10.4.0.112           tcp spt:53 dpts:1024:65535flags:! 0x17/0x02
SSH        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
SSH        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
WWW        tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 state NEW,ESTABLISHED
WWW        tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 80,443 state ESTABLISHED
icmp       icmp --  0.0.0.0/0            10.4.0.112           icmptype 0 state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  10.4.0.112           10.4.0.1             udp spts:1024:65535 dpt:53
ACCEPT     tcp  --  10.4.0.112           10.4.0.1             tcp spts:1024:65535 dpt:53
SSH        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
SSH        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
WWW        tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 80,443 state ESTABLISHED
WWW        tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 state NEW,ESTABLISHED
icmp       icmp --  10.4.0.112           0.0.0.0/0            icmptype 8 state NEW,RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain SSH (4 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain WWW (4 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain icmp (2 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

0
 
LVL 76

Expert Comment

by:arnold
ID: 38818693
This seems like a setup for a single-system firewall.
You have unnecessary extra ESTABLISHED rules.
0
 
LVL 3

Author Comment

by:coanda
ID: 38819799
Which rules would you say are extra? This isn't really intended for anything specific, I'm really just trying to understand iptables better.
0
 
LVL 76

Expert Comment

by:arnold
ID: 38819885
You would have a single rule as the top rule allowing established and related traffic in without regard to the dport, from anywhere to anywhere on INPUT.

The order of the rules should be arranged to minimize per packet evaluation.

Iptables can be used to protect the system or behave as a firewall to protect the network.


You may find it useful.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#.UQLWBXy9KSM

This outlines the flow chart of packets entering and exiting the system or a network.

Using chains, i.e. a chaina in INPUT and FORWARD, means you add a rule into chaina such as
-p tcp -m tcp --dport 22 -j ACCEPT
This will result in allowing an inbound ssh connection to enter (INPUT) and pass (FORWARD) to the service running on the system.
The other way, you would need to add individual rules to each of the two tables.
0
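The rule set arnold's last comment describes, written out as an added example (this is not the asker's fw.sh nor code from the thread): one stateful rule at the top of INPUT and OUTPUT, then rules for NEW connections only, then rate-limited logging and a drop. It assumes the host address 10.4.0.112 and resolver 10.4.0.1 seen in the listings above, and by default only prints the commands (set IPT=iptables to apply them as root).

```shell
#!/bin/sh
# Added example, not the asker's fw.sh. Builds the single-host policy the
# thread converges on. Assumed from the listings above: host 10.4.0.112,
# resolver 10.4.0.1. IPT defaults to a dry run that prints the commands.
IPT="${IPT:-echo iptables}"
HOST=10.4.0.112
DNS=10.4.0.1

fw_rules() {
    # Start clean and default-deny on every built-in chain.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Loopback is needed by almost every local service.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # One stateful rule at the top of INPUT and OUTPUT replaces all the
    # per-port "spt:22 state ESTABLISHED" reply rules from the listings.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Below this point only NEW connections need rules: DNS to the
    # resolver, SSH in and out, HTTP/HTTPS out, ping out.
    $IPT -A OUTPUT -d "$DNS" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -d "$DNS" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT  -d "$HOST" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Rate-limited log of whatever falls through, then an explicit drop.
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A "$chain" -m limit --limit 5/min --limit-burst 5 \
            -j LOG --log-prefix "iptables denied: " --log-level 7
        $IPT -A "$chain" -j DROP
    done
}

# Dry-run sanity check: succeeds only when the stateful INPUT rule is
# listed before the first per-port INPUT rule, which is the ordering point
# arnold makes (rules are evaluated top down, first match wins).
fw_check_order() {
    fw_rules | awk '
        /-A INPUT/ && /ESTABLISHED,RELATED/ && !est  { est = NR }
        /-A INPUT/ && /--dport/ && !port            { port = NR }
        END { exit !(est && port && est < port) }'
}
fw_rules
```

Each per-port rule now only has to match the first packet of a connection, so the separate "spt:22 state ESTABLISHED" and "sports 80,443 state ESTABLISHED" rules from the final listing disappear.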
