Thread: Need help with iptables

  1. #1
    Senior Member | Join Date: Nov 2003 | Posts: 1,323

    Need help with iptables

    I found a script at http://www.knoppix.net/forum/viewtopic.php?t=5424#24865
    but would really like to stop all traffic that I haven't asked for but be able to run bittorrent.
    Any suggestions?

    And it seems my iptables isn't starting at all (or I can't find info in syslog).

    I have a file named rc.firewall which I placed in /etc/init.d
    In /etc/bootmisc.sh I placed a line at the end:
    Code:
    /etc/init.d/rc.firewall
    This is the lsmod:
    Code:
    Module                  Size  Used by    Not tainted
    ipt_REJECT              3256   5  (autoclean)
    ipt_state                632   6  (autoclean)
    ip_conntrack           18952   1  (autoclean) [ipt_state]
    iptable_filter          1736   1  (autoclean)
    ip_tables              11576   3  [ipt_REJECT ipt_state iptable_filter]
    i810                   63776  14
    agpgart                38296   7
    autofs4                 8756   0  (unused)
    af_packet              13448   0
    nls_cp437               4348   1
    nls_iso8859-1           2844   1
    ntfs                   51168   0  (unused)
    msdos                   4652   0  (unused)
    i810_audio             25064   0  (unused)
    ac97_codec             11884   0  [i810_audio]
    soundcore               3428   2  [i810_audio]
    8139too                17096   1
    mii                     2240   0  [8139too]
    crc32                   2816   0  [8139too]
    serial                 51972   0
    usb-uhci               21836   0  (unused)
    usbcore                57472   1  [usb-uhci]
    apm                     9768   1
    rtc                     6908   0
    ext3                   63940   2
    jbd                    46100   2  [ext3]
    This is the file rc.firewall:
    Code:
    #!/bin/sh 
    
    # Trace, exit at 1st err 
    set -x -e 
    
    # Flush 1st 
    iptables -F 
    
    # Deletes any tables that you've created, and leaves the 
    # default (input, output, forward, etc.) 
    iptables -X 
    
    # Allow loopback access. This rule must come before the rules denying 
    # port access!! 
    iptables -A INPUT -i lo -p all -j ACCEPT 
    iptables -A OUTPUT -o lo -p all -j ACCEPT 
    ##iptables -A INPUT -i lo -j ACCEPT 
    
    
    #This allows all data that has been sent out for the computer running the 
    # firewall to come back (for all of ICMP/TCP/UDP). 
    #For example, if a ping request is made it will allow the reply back 
    iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp 
    iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp 
    iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp 
    
    # Drop outside ping 
    iptables -A INPUT -p icmp -j DROP
    
    #These lines add rules (-A) to the OUTPUT and INPUT tables 
    # that match state as well. However, this time it only matches 
    # packets that are related to packets that have already been 
    # passed, or packets that are a part of an already-established 
    # connection (-m state --state RELATED,ESTABLISHED) and allows 
    # them to be accepted (-j ACCEPT). Think of this as a 
    # combination of yahoo sending its web page to you and you 
    # asking for a second one. 
    #/* You would need to load at least the ip_conntrack, iptable_filter and 
    #ipt_state modules, and would probably want to load the ip_conntrack_ftp 
    #module too. 
    #These rules should block incoming traffic which isn't associated to a 
    #connection which you've initiated from your machine. 
    #*/ 
    
    iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT 
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    iptables -A INPUT -m state --state  RELATED,ESTABLISHED -j ACCEPT 
    
    # Allow ssh 
    # iptables -A INPUT -p tcp --dport ssh -j ACCEPT 
    
    #Drop incoming FTP requests - xxx uncomment 
    iptables -A INPUT -p tcp -i eth0 --dport 20 -j DROP
    iptables -A INPUT -p tcp -i eth0 --dport 21 -j DROP
    iptables -A INPUT -p tcp -i ppp0 --dport 20 -j REJECT 
    iptables -A INPUT -p tcp -i ppp0 --dport 21 -j REJECT 
    
    ## Allow Squid from local net 
    # iptables -A INPUT -s 0/0 -p tcp --dport 8080 -j REJECT 
    # iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3128 -j ACCEPT 
    # iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 3128 -j ACCEPT 
    # iptables -A INPUT -s 0/0 -p tcp --dport 3128 -j REJECT 
    
    # Allow BitTorrent connections 
    # xxx 2003.1012 modified for only 3 ports (was 6881:6889) 
    iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6881:6883 -j ACCEPT 
    iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6969 -j ACCEPT 
    
    # Allow 1 VNC 
    # iptables -A INPUT -i eth0 -p tcp --dport 5902 -j ACCEPT 
    
    ##### 
    ##### BLOCKING 
    ##### 
    
    #Example: Block all ports, besides port 22 to allow sshd: 
    ##/sbin/iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT 
    ###/sbin/iptables -A INPUT -p tcp --syn -j DROP 
    
    #Block all ports,besides port 22, and only allow predefined IP to access that 
    #port. 
    ##/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.100/32 --destination-port 22 -j ACCEPT 
    ##/sbin/iptables -A INPUT -p tcp --syn -j DROP 
    
    #/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.100/32 --destination-port 22 -j ACCEPT 
    #allow connection to sshd from IP 192.168.1.100 
    #/sbin/iptables -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT 
    #allow httpd server to be accessed by world 
    #/sbin/iptables -A INPUT -p tcp --syn -j DROP 
    #block all ports (besides the limitations of above) 
    
    #More elaborate rules can be created that control access to specific subnets, 
    #or even specific nodes, within a LAN. You can also restrict certain dubious 
    #services such as trojans, worms, and other client/server viruses from 
    #contacting their server. For example, there are some trojans that scan 
    #networks for services on ports from 31337 to 31340 (called the elite ports 
    #in cracking lingo). Since there are no legitimate services that communicate 
    #via these non-standard ports, blocking it can effectively diminish the 
    #chances that potentially infected nodes on your network independently 
    #communicate with their remote master servers. Note that the following rule 
    #is only useful if your default OUTPUT policy is set to ACCEPT. If you set 
    #OUTPUT policy to DROP, then this rule is not needed. 
    
    #iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP 
    # Remember, dport can only be used with -ptcp or -pudp specific. 
    iptables -A INPUT -i ppp0 -p tcp --dport 31337 --sport 31337 -j DROP 
    iptables -A OUTPUT -o ppp0 -p tcp --dport 31337 --sport 31337 -j DROP 
    
    #FORWARD rules can be implemented to restrict certain types of traffic to the 
    #LAN only, such as local network file shares through NFS or Samba. The 
    #following rules reject outside connections to Samba shares: 
    
    iptables -A FORWARD -p tcp --sport 137:139 -j DROP 
    iptables -A FORWARD -p udp --sport 137:139 -j DROP 
    
    
    # remote interface, claiming to be local machines, IP spoofing, get lost 
    # This turns out to be same as non-routable IPs 
    ##iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -d 0.0.0.0/0 -j DROP 
    # New way: 
    # Block nonroutable IPs 
    iptables -A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP 
    iptables -A INPUT -s 127.0.0.0/8 -i ppp0 -j DROP 
    iptables -A INPUT -s 172.16.0.0/12 -i ppp0 -j DROP 
    iptables -A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP 
    
    #"A" for append, "INPUT" to specify the state for the condition (coming, 
    #going, or forwarding), and "sport" for source port. 
    
    # Block common Windoze ports / specific ports 
    iptables -A INPUT -s 0/0 -p tcp --sport 69 -j DROP 
    iptables -A INPUT -s 0/0 -p tcp --sport 135 -j DROP 
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 139 -j REJECT  # Block Windows file sharing 
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 445 -j REJECT  # Block Windows file sharing 
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 1214 -j REJECT # Block Kazaa 
    iptables -A INPUT -s 0/0 -p tcp --sport 4444 -j DROP 
    
    
    # Block incoming Blaster Worm traffic on ports 153 and 707 
    # Chgd eth0 to ppp0, added -p tcp and got it to work :) 
    iptables -A INPUT -i ppp0 -p tcp --dport 153 -j DROP 
    iptables -A INPUT -i ppp0 -p tcp --dport 707 -j DROP 
    
    # Block infected machines from spreading Blaster Worm on 153 and 707 
    ##/sbin/iptables -A OUTPUT -o ppp0 --dport 153 -j DROP 
    ##/sbin/iptables -A OUTPUT -o ppp0 --dport 707 -j DROP 
    
    
    # !! Consider dropping all traffic to port 25 (mail) 
    # Block ports 127, 137, 138 and 139 (Samba/Windows) - blocked in FORWARD, above
    
    
    
    
    # Fallthru 
    
    # Default rule 
    # Sets the default policy (-P) for INPUT packets to DROP. If a 
    # packet comes into your interface and doesn't match any other 
    # rules, the default policy takes effect and the packet is dropped. 
    iptables -P INPUT DROP 
    
    
    # Default rule 
    # Sets the default policy (-P) for FORWARD packets to DROP. If 
    # a packet needs to be routed from one interface to another 
    # (such as a firewall/router with two network cards) and 
    # doesn't match any other rules, the default policy takes 
    # effect and the packet is dropped. 
    iptables -P FORWARD DROP 
    
    # Final rule (stopgap) 
    iptables -A INPUT -p tcp --tcp-flags ALL SYN -j DROP 
    
    exit; 
    
    
    
    # References: 
    # http://nekohako.xware.cx/tech/adsl-2.4.html 
    # http://www.redhat.com/docs/manuals/l...ide/ch-fw.html 
    # http://uug.byu.edu/pipermail/uug-lis...il/002060.html 
    # http://www.linuxchix.org/pipermail/t...st/016116.html 
    # http://linuxwiki.de/FlorianWoegerer/Notizen 
    # http://www.linuxforum.com/forums/ind...t=0&#entry5637 
    # http://www.ltsp.org/contrib/vnc.html 
    
    ## Orig ssh mess: 
    # Allow ssh 
    iptables -A INPUT -p tcp --sport 22 -j ACCEPT 
    iptables -A INPUT -p udp --sport 22 -j ACCEPT 
    # XXX added below 
    iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT 
    iptables -A OUTPUT -p udp --dport 22 -j ACCEPT 
    #(Orig:) 
    ##iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT 
    ##iptables -A OUTPUT -p udp --sport 22 -j ACCEPT 
    
    # Added more 
    ##iptables -A INPUT -i eth0 -p udp --dport 22 -j ACCEPT 
    ##iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT 
    ##iptables -A OUTPUT -o eth0 -p udp --dport 22 -j ACCEPT 
    ##iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT 
    
    # UNUSED: 
    #To take the restrictions a step further, block all outside connections that 
    #attempt to spoof private IP address ranges to infiltrate your LAN. If a LAN 
    #uses the 192.168.1.0/24 range, a rule can set the Internet facing network 
    #device (for example, eth0) to drop any packets to that device with an 
    #address in your LAN IP range. Because it is recommended to reject forwarded 
    #packets as a default policy, any other spoofed IP address to the 
    #external-facing device (eth0) will be rejected automatically. 
    # 
    ##iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i eth0 -j DROP 
    ##iptables -A FORWARD -p udp -s 192.168.1.0/24 -i eth0 -j DROP 
    # xxx corrected 
    ##iptables -A FORWARD -p tcp -s 192.168.0.0/24 -i ppp0 -j DROP 
    ##iptables -A FORWARD -p udp -s 192.168.0.0/24 -i ppp0 -j DROP 
    ##iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i ppp0 -j DROP 
    ##iptables -A FORWARD -p udp -s 192.168.1.0/24 -i ppp0 -j DROP 
    
    # Block common Windoze ports / specific ports 
    # (this just doesnt wrk) 
    # I bet the reason is because -j DENY doesn't exist. Chg to DROP. 
    # Got it working :) 
    ##iptables -A INPUT -s 0/0 -p tcp --sport 69 -j DENY 
    ##iptables -A INPUT -s 0/0 -p tcp --sport 135 -j DENY 
    ##iptables -A INPUT -s 0/0 -p tcp --sport 4444 -j DENY 
    
    #  for transparent proxy
    #> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT 
    #> --to-port 3128

  2. #2
    Senior Member | Join Date: Nov 2003 | Posts: 1,323

    Well, now I tried $ping localhost and it replied with all packets, so I did:
    $echo 0 > /proc/sys/net/ipv4/ip_forward
    $echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    $echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

    .... which took care of the ping problem, but I don't get it: why did my computer answer?

    This is $iptables -L
    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            state ESTABLISHED
    ACCEPT     udp  --  anywhere             anywhere            state ESTABLISHED
    DROP       icmp --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    DROP       tcp  --  anywhere             anywhere            tcp dpt:ftp-data
    DROP       tcp  --  anywhere             anywhere            tcp dpt:ftp
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:ftp reject-with icmp-port-unreachable
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:6881:6883
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6969
    DROP       tcp  --  anywhere             anywhere            tcp spt:31337 dpt:31337
    DROP       all  --  10.0.0.0/8           anywhere
    DROP       all  --  127.0.0.0/8          anywhere
    DROP       all  --  172.16.0.0/12        anywhere
    DROP       all  --  192.168.0.0/16       anywhere
    DROP       tcp  --  anywhere             anywhere            tcp spt:69
    DROP       tcp  --  anywhere             anywhere            tcp spt:135
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:1214 reject-with icmp-port-unreachable
    DROP       tcp  --  anywhere             anywhere            tcp spt:4444
    DROP       tcp  --  anywhere             anywhere            tcp dpt:153
    DROP       tcp  --  anywhere             anywhere            tcp dpt:707
    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    DROP       tcp  --  anywhere             anywhere            tcp spts:netbios-ns:netbios-ssn
    DROP       udp  --  anywhere             anywhere            udp spts:netbios-ns:netbios-ssn
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    DROP       tcp  --  anywhere             anywhere            tcp spt:31337 dpt:31337

  3. #3
    Senior Member registered user | Join Date: Jan 2004 | Location: Paris, France | Posts: 203

    iptables

    Hmm, complex beast, iptables....
    Have to admit I use webmin to admin it.....
    It's usually the order of ACCEPT and DROP/REJECT that's a gotcha....

    In particular
    DROP all -- 127.0.0.0/8
    hence you can't ping yourself.
    Also you are dropping all the RFC addresses, therefore you won't have any LAN access unless you have real IPs...
    (10.0, 172.16 and 192.168)

  4. #4
    Senior Member | Join Date: Nov 2003 | Posts: 1,323

    Quote:
    It's usually the order of ACCEPT and DROP/REJECT that's a gotcha...
    Sounds reasonable. I'll just toss them around and have a look at what happens.
    Quote:
    DROP all -- 127.0.0.0/8
    hence you can't ping yourself.
    Well, actually I thought I could, but then I realized that I have a rule that says ACCEPT for established pings,
    so in theory I can ping my machine and it answers but shouldn't answer anyone else's pings ("theory", as I really don't have a clue about all this).

    Quote:
    Also you are dropping all the RFC addresses, therefore you won't have any LAN access unless you have real IPs...
    (10.0, 172.16 and 192.168)
    Oops, thanks!

  5. #5
    Senior Member registered user | Join Date: Jan 2004 | Location: Paris, France | Posts: 203

    IP TABLES

    Marcus, I'm not an expert, but it's almost always the order of the ACCEPT and DROP.
    Thus at the moment you're blocking 127.0.0.1, and that is the localhost.

    I always use WEBMIN because it sorts out the correct order for you and saves a lot of head scratching >D

    darn, I really must fix this keyboard.....
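Added example, not written by anyone in this thread: iptables walks a chain from top to bottom and the first rule that matches decides the packet's fate, so the same rules in a different order give different results. The script below models that first-match evaluation for a hand-transcribed subset of the INPUT chain from the rc.firewall in post #1 (interface, protocol, source, destination port and conntrack state only; --sport and --tcp-flags are not modelled) and runs a few constructed packets through it, including the localhost ping from post #2 and the ICMP echo reply to the workstation's own ping over ppp0. The 203.0.113.0/24 addresses are documentation space used only to make the packets concrete.

```python
"""Added example, not taken from any post in this thread: a first-match
simulator for the INPUT chain of the rc.firewall in post #1.  The chain is
a hand-transcribed subset of that script's rules in their original order;
the packets and their source addresses are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    target: str                                # -j ACCEPT / DROP / REJECT
    iface: Optional[str] = None                # -i
    proto: Optional[str] = None                # -p
    src: Optional[str] = None                  # -s (CIDR)
    dport: Optional[Tuple[int, int]] = None    # --dport lo:hi
    states: Optional[FrozenSet[str]] = None    # -m state --state


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dport: int = 0
    state: str = "NEW"                         # what ip_conntrack reports for it


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion the rule names must hold; an absent criterion matches anything."""
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dport is not None and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    return True


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom: the first matching rule decides, else the chain policy."""
    for idx, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule.target, idx
    return policy, None


EST = frozenset({"ESTABLISHED"})
EST_REL = frozenset({"ESTABLISHED", "RELATED"})

# Subset of post #1's INPUT chain, in the same order as the script.
INPUT_CHAIN = [
    Rule("ACCEPT", iface="lo"),                                     # 0 loopback
    Rule("ACCEPT", iface="eth0", proto="icmp", states=EST),         # 1
    Rule("ACCEPT", iface="eth0", proto="tcp", states=EST),          # 2
    Rule("ACCEPT", iface="eth0", proto="udp", states=EST),          # 3
    Rule("DROP", proto="icmp"),                                     # 4 "Drop outside ping"
    Rule("ACCEPT", iface="ppp0", states=EST_REL),                   # 5
    Rule("ACCEPT", states=EST_REL),                                 # 6
    Rule("REJECT", iface="ppp0", proto="tcp", dport=(21, 21)),      # 7 ftp
    Rule("ACCEPT", iface="ppp0", proto="tcp", dport=(6881, 6883)),  # 8 BitTorrent
    Rule("ACCEPT", iface="ppp0", proto="tcp", dport=(6969, 6969)),  # 9 tracker
    Rule("DROP", iface="ppp0", src="10.0.0.0/8"),                   # 10 non-routable
    Rule("DROP", iface="ppp0", src="127.0.0.0/8"),                  # 11
    Rule("DROP", iface="ppp0", src="192.168.0.0/16"),               # 12
]
INPUT_POLICY = "DROP"

# Constructed packets; 203.0.113.0/24 is documentation address space.
SCENARIOS = {
    "ping localhost (arrives on lo)":          Packet("lo", "icmp", "127.0.0.1"),
    "ping from the internet":                  Packet("ppp0", "icmp", "203.0.113.9"),
    "reply to our own ping, via ppp0":         Packet("ppp0", "icmp", "203.0.113.9", state="ESTABLISHED"),
    "reply to our own ping, via eth0":         Packet("eth0", "icmp", "192.168.1.1", state="ESTABLISHED"),
    "BitTorrent peer connecting":              Packet("ppp0", "tcp", "203.0.113.9", dport=6882),
    "unsolicited ssh from the internet":       Packet("ppp0", "tcp", "203.0.113.9", dport=22),
    "private source address on ppp0, BT port": Packet("ppp0", "tcp", "10.1.2.3", dport=6882),
}


def run_scenarios(chain=INPUT_CHAIN, policy=INPUT_POLICY):
    """Verdict and index of the deciding rule (None = chain policy) for each scenario."""
    return {name: evaluate(chain, policy, pkt) for name, pkt in SCENARIOS.items()}


def move_rule_after(chain: List[Rule], rule_idx: int, after_idx: int) -> List[Rule]:
    """Copy of the chain with rule rule_idx re-inserted right after rule after_idx (after_idx > rule_idx)."""
    new = list(chain)
    rule = new.pop(rule_idx)
    new.insert(after_idx, rule)   # after the pop, after_idx already points one past the old position
    return new


if __name__ == "__main__":
    for title, chain in (("original order", INPUT_CHAIN),
                         ("ICMP DROP moved below the state accepts", move_rule_after(INPUT_CHAIN, 4, 6))):
        print(f"--- {title} ---")
        for name, (verdict, idx) in run_scenarios(chain).items():
            where = f"rule {idx}" if idx is not None else "chain policy"
            print(f"{name:42s} -> {verdict:6s} ({where})")
```

Two things the simulation makes visible that the bare `iptables -L` listing in post #2 does not. First, `-L` without `-v` hides the interface column, so the `-i lo` and `-i ppp0` qualifiers are invisible there; `iptables -L -v -n` shows them, and with them it is clear that the loopback ACCEPT is the very first rule (a localhost ping is accepted before any DROP is consulted) and that the 127.0.0.0/8 DROP applies only to packets arriving on ppp0. Second, the "Drop outside ping" rule sits above the ppp0 ESTABLISHED,RELATED accept, so an echo reply to the workstation's own outgoing ping over ppp0 hits the DROP first; moving that DROP below the state accepts keeps unsolicited pings dropped while letting replies through. The same ordering logic applies to the non-routable source DROPs, which come after the BitTorrent ACCEPT and therefore only cover ports that are not already accepted; the usual layout is loopback and anti-spoof rules first, then the state accepts, then the per-port accepts, then the catch-all.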

  6. #6
    Senior Member | Join Date: Nov 2003 | Posts: 1,323

    Well, back to the drawing board with this one, still not working.

    I'll have a closer look at webmin.

    Thanks,
    Markus

  7. #7
    Senior Member | Join Date: Nov 2003 | Posts: 1,323

    Weeeellll, smaller seems to be better also in this case.
    Cooked up a new rc.firewall with help from a friend.
    If someone is interested in a firewall for a single workstation, this is it.
    And if someone notices a fault, please tell.

    rc.firewall:
    Code:
    #!/bin/sh
    # Path to the iptables binary. The post uses $IPTABLES without defining it,
    # so this assignment is an assumption added to make the fragment runnable.
    IPTABLES=/sbin/iptables

    #policies
    $IPTABLES -F INPUT
    $IPTABLES -P INPUT DROP
    $IPTABLES -F OUTPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F FORWARD
    $IPTABLES -P FORWARD DROP
    $IPTABLES -t nat -F
    
    #accept internal net and loopback, and some external
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # open ports
    $IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 6881:6883 -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 6889 -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p udp -m udp --dport 6881:6883 -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p udp -m udp --dport 6889 -j ACCEPT
