Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.
Basic iptables client firewall implementation
I'm trying to implement a very basic client firewall that allows ports 22 and 80 in and out, and DNS out on port 53 udp. I've followed along with several resources but can't seem to get DNS to work. To simplify the output a little I've left in SSH only, the following is the output of `iptables -L` after running my script:
The script used to generate the rules is attached.
Thanks a lot for any suggestions.
fw.sh
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- ns1 admin udp spt:domain dpts:1024:65535
ACCEPT tcp -- ns1 admin tcp spt:domain dpts:1024:65535flags:! FIN,SYN,RST,ACK/SYN
ssh tcp -- anywhere admin tcp spt:ssh dpts:1024:65535flags:! FIN,SYN,RST,ACK/SYN
ssh tcp -- anywhere admin tcp spts:1024:65535 dpt:ssh
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- admin ns1 udp spts:1024:65535 dpt:domain
ACCEPT tcp -- admin ns1 tcp spts:1024:65535 dpt:domain
ssh tcp -- admin anywhere tcp spts:1024:65535 dpt:ssh state NEW
ssh tcp -- admin anywhere tcp spt:ssh dpts:1024:65535flags:! FIN,SYN,RST,ACK/SYN
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere
Chain ssh (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
The script used to generate the rules is attached.
Thanks a lot for any suggestions.
fw.sh
Asked:
Who is Participating?
I've made a couple of changes based on your comments and now DNS works but traffic on 22 and 80 still do not. The listing of rules is now:
Chain INPUT (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
ACCEPT udp -- 10.4.0.1 10.4.0.112 udp spt:53 dpts:1024:65535
ACCEPT tcp -- 10.4.0.1 10.4.0.112 tcp spt:53 dpts:1024:65535flags:! 0x17/0x02
ssh tcp -- 0.0.0.0/0 10.4.0.112 tcp spt:22 dpts:1024:65535flags:! 0x17/0x02
ssh tcp -- 0.0.0.0/0 10.4.0.112 tcp spts:1024:65535 dpt:22
www tcp -- 0.0.0.0/0 10.4.0.112 tcp spt:80 dpts:1024:65535flags:! 0x17/0x02
www tcp -- 0.0.0.0/0 10.4.0.112 tcp spts:1024:65535 dpt:80
syn tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
ACCEPT udp -- 10.4.0.112 10.4.0.1 udp spts:1024:65535 dpt:53
ACCEPT tcp -- 10.4.0.112 10.4.0.1 tcp spts:1024:65535 dpt:53
ssh tcp -- 10.4.0.112 0.0.0.0/0 tcp spts:1024:65535 dpt:22 state NEW
ssh tcp -- 10.4.0.112 0.0.0.0/0 tcp spt:22 dpts:1024:65535flags:! 0x17/0x02
www tcp -- 10.4.0.112 0.0.0.0/0 tcp spts:1024:65535 dpt:80
www tcp -- 10.4.0.112 0.0.0.0/0 tcp spt:80 dpts:1024:65535flags:! 0x17/0x02
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ssh (4 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain syn (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain www (4 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
After reordering the rules again everything is working, the final listing is:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 10.4.0.1 10.4.0.112 udp spt:53 dpts:1024:65535
ACCEPT tcp -- 10.4.0.1 10.4.0.112 tcp spt:53 dpts:1024:65535flags:! 0x17/0x02
SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
WWW tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW,ESTABLISHED
WWW tcp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 80,443 state ESTABLISHED
icmp icmp -- 0.0.0.0/0 10.4.0.112 icmptype 0 state RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 10.4.0.112 10.4.0.1 udp spts:1024:65535 dpt:53
ACCEPT tcp -- 10.4.0.112 10.4.0.1 tcp spts:1024:65535 dpt:53
SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
WWW tcp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 80,443 state ESTABLISHED
WWW tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW,ESTABLISHED
icmp icmp -- 10.4.0.112 0.0.0.0/0 icmptype 8 state NEW,RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain SSH (4 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain WWW (4 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain icmp (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Which rules would you say are extra? This isn't really intended for anything specific, I'm really just trying to understand iptables better.
You would have a single rule as top rule allowing established and related traffic in without regard to the dport. From anywhere to anywhere on the INPUT.
The order of the rules should be arranged to minimize per packet evaluation.
Iptables can be use to protect the system or behave as a firewall to protect the network.
You may find it usefull.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#.UQLWBXy9KSM
This outlines the flow chart of packets entering and exiting the system or a network.
Using chains I.e. a chaina in INPUT and FORWARD means you add a rule into chaina such as
-p tcp -m tcp -dport 22 -j ACCEPT
This will result in allowing an inbound ssh connection to enter (INPUT) and pass (FORWARD) to the service running on the system.
The other way you would need to add individual rules to each of the two tables.
The order of the rules should be arranged to minimize per packet evaluation.
Iptables can be use to protect the system or behave as a firewall to protect the network.
You may find it usefull.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#.UQLWBXy9KSM
This outlines the flow chart of packets entering and exiting the system or a network.
Using chains I.e. a chaina in INPUT and FORWARD means you add a rule into chaina such as
-p tcp -m tcp -dport 22 -j ACCEPT
This will result in allowing an inbound ssh connection to enter (INPUT) and pass (FORWARD) to the service running on the system.
The other way you would need to add individual rules to each of the two tables.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month4 days, 15 hours left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
https://help.ubuntu.com/community/IptablesHowTo
Your current setup the first rule on INPUT is to allow all traffic in.
Your forward top rule is LOG everything being passed without actuall passing anything.
Wat is this device? Are you configuring a Linux box as a router/firewall?
Look at fwbuilder.org