We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
COURSE of the MONTH
13 days, 23 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Basic iptables client firewall implementation
Posted on 2013-01-24
I'm trying to implement a very basic client firewall that allows ports 22 and 80 in and out, and DNS out on port 53 udp. I've followed along with several resources but can't seem to get DNS to work. To simplify the output a little I've left in SSH only, the following is the output of `iptables -L` after running my script:
The script used to generate the rules is attached.
Thanks a lot for any suggestions.
fw.sh
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- ns1 admin udp spt:domain dpts:1024:65535
ACCEPT tcp -- ns1 admin tcp spt:domain dpts:1024:65535flags:! FIN,SYN,RST,ACK/SYN
ssh tcp -- anywhere admin tcp spt:ssh dpts:1024:65535flags:! FIN,SYN,RST,ACK/SYN
ssh tcp -- anywhere admin tcp spts:1024:65535 dpt:ssh
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- admin ns1 udp spts:1024:65535 dpt:domain
ACCEPT tcp -- admin ns1 tcp spts:1024:65535 dpt:domain
ssh tcp -- admin anywhere tcp spts:1024:65535 dpt:ssh state NEW
ssh tcp -- admin anywhere tcp spt:ssh dpts:1024:65535flags:! FIN,SYN,RST,ACK/SYN
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere
Chain ssh (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
The script used to generate the rules is attached.
Thanks a lot for any suggestions.
fw.sh
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4-
3
7 Comments
Active today
You should refer to the following.
https://help.ubuntu.com/community/IptablesHowTo
Your current setup the first rule on INPUT is to allow all traffic in.
Your forward top rule is LOG everything being passed without actuall passing anything.
Wat is this device? Are you configuring a Linux box as a router/firewall?
Look at fwbuilder.org
https://help.ubuntu.com/community/IptablesHowTo
Your current setup the first rule on INPUT is to allow all traffic in.
Your forward top rule is LOG everything being passed without actuall passing anything.
Wat is this device? Are you configuring a Linux box as a router/firewall?
Look at fwbuilder.org
I've made a couple of changes based on your comments and now DNS works but traffic on 22 and 80 still do not. The listing of rules is now:
Chain INPUT (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
ACCEPT udp -- 10.4.0.1 10.4.0.112 udp spt:53 dpts:1024:65535
ACCEPT tcp -- 10.4.0.1 10.4.0.112 tcp spt:53 dpts:1024:65535flags:! 0x17/0x02
ssh tcp -- 0.0.0.0/0 10.4.0.112 tcp spt:22 dpts:1024:65535flags:! 0x17/0x02
ssh tcp -- 0.0.0.0/0 10.4.0.112 tcp spts:1024:65535 dpt:22
www tcp -- 0.0.0.0/0 10.4.0.112 tcp spt:80 dpts:1024:65535flags:! 0x17/0x02
www tcp -- 0.0.0.0/0 10.4.0.112 tcp spts:1024:65535 dpt:80
syn tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
ACCEPT udp -- 10.4.0.112 10.4.0.1 udp spts:1024:65535 dpt:53
ACCEPT tcp -- 10.4.0.112 10.4.0.1 tcp spts:1024:65535 dpt:53
ssh tcp -- 10.4.0.112 0.0.0.0/0 tcp spts:1024:65535 dpt:22 state NEW
ssh tcp -- 10.4.0.112 0.0.0.0/0 tcp spt:22 dpts:1024:65535flags:! 0x17/0x02
www tcp -- 10.4.0.112 0.0.0.0/0 tcp spts:1024:65535 dpt:80
www tcp -- 10.4.0.112 0.0.0.0/0 tcp spt:80 dpts:1024:65535flags:! 0x17/0x02
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ssh (4 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain syn (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain www (4 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
After reordering the rules again everything is working, the final listing is:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 10.4.0.1 10.4.0.112 udp spt:53 dpts:1024:65535
ACCEPT tcp -- 10.4.0.1 10.4.0.112 tcp spt:53 dpts:1024:65535flags:! 0x17/0x02
SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
WWW tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW,ESTABLISHED
WWW tcp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 80,443 state ESTABLISHED
icmp icmp -- 0.0.0.0/0 10.4.0.112 icmptype 0 state RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 10.4.0.112 10.4.0.1 udp spts:1024:65535 dpt:53
ACCEPT tcp -- 10.4.0.112 10.4.0.1 tcp spts:1024:65535 dpt:53
SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED
SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
WWW tcp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 80,443 state ESTABLISHED
WWW tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW,ESTABLISHED
icmp icmp -- 10.4.0.112 0.0.0.0/0 icmptype 8 state NEW,RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain SSH (4 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain WWW (4 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain icmp (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Active today
This seems as a setup for single system firewall.
You have unnecessary extra established rules.
You have unnecessary extra established rules.
Which rules would you say are extra? This isn't really intended for anything specific, I'm really just trying to understand iptables better.
Active today
You would have a single rule as top rule allowing established and related traffic in without regard to the dport. From anywhere to anywhere on the INPUT.
The order of the rules should be arranged to minimize per packet evaluation.
Iptables can be use to protect the system or behave as a firewall to protect the network.
You may find it usefull.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#.UQLWBXy9KSM
This outlines the flow chart of packets entering and exiting the system or a network.
Using chains I.e. a chaina in INPUT and FORWARD means you add a rule into chaina such as
-p tcp -m tcp -dport 22 -j ACCEPT
This will result in allowing an inbound ssh connection to enter (INPUT) and pass (FORWARD) to the service running on the system.
The other way you would need to add individual rules to each of the two tables.
The order of the rules should be arranged to minimize per packet evaluation.
Iptables can be use to protect the system or behave as a firewall to protect the network.
You may find it usefull.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#.UQLWBXy9KSM
This outlines the flow chart of packets entering and exiting the system or a network.
Using chains I.e. a chaina in INPUT and FORWARD means you add a rule into chaina such as
-p tcp -m tcp -dport 22 -j ACCEPT
This will result in allowing an inbound ssh connection to enter (INPUT) and pass (FORWARD) to the service running on the system.
The other way you would need to add individual rules to each of the two tables.
Featured Post
MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Setting up Secure Ubuntu server on VMware
1. Insert the Ubuntu Server distribution CD or attach the ISO of the CD which is in the “Datastore”. Note that it is important to install the x64 edition on servers, not the X86 editions.
2. Power on th…
Hello EE,
Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Learn several ways to interact with files and get file information from the bash shell.
ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to get help with Linux/Unix bash shell commands.
Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Suggested Courses
Course of the Month13 days, 23 hours left to enroll
801 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.