Page 23 of 29
Results 221 to 230 of 286

Thread: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

  1. #221
    Join Date
    Mar 2008
    Location
    St. Petersburg, FL USA
    Beans
    18
    Distro
    Ubuntu 7.10 Gutsy Gibbon

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    frodon:

    In a very quick assessment and based on some of your assertions, I elected to work directly with iptables. Command line coding offered the most precise way to tune the firewall even though it required some quick training and research. I'm not a stranger to this since I've been actively programming since the early days of Microsoft BASIC and DOS. Not everyone wants to be bothered with the tediousness and precision of coding; Firestarter GUI is one of the obvious alternatives for the lay user.

    El_Belgicano should be able to run "iptables -l" (lower case L) in a terminal window as root or with "sudo" and list the existing rules. The results can be pasted between CODE tags in a message for examination. This would involve disengaging from Firestarter and directly addressing iptables.

    If El_Belgicano's server, like my system, is behind a firewalled router and ISP provided connection device, his system should not be visible to the internet at large. He could "flush" the rules and lay out an entirely new custom scheme including mutual recognition and accessibility of his network platforms.

    My abilities in network administration and technical construction lack depth at this time and I humbly defer to those with greater skills . . .

    To El_Belgicano: be diligent and patient; you'll get the rewards!

    -met-
    Catz3705
    Last edited by Catz3705; April 5th, 2008 at 05:14 AM. Reason: Clarification of language

  2. #222
    Join Date
    Aug 2007
    Location
    Belgium
    Beans
    176
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    @ Catz3705:
    You're right on the router point; most of the time I'm connected to my home network, which is set up behind a firewall, but I also connect to another network and I'm not sure about the security there. Firestarter gets crazy at times (when I had it) with alerts about "connection attempt blocked" ... so I'm concerned about that network.

    anyway, thanks for the fast support

    my rules:
    Code:
    #!/bin/bash
    
    # No spoofing
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
    echo 1 > $filtre
    done
    fi 
    
    # No icmp
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    
    #load some modules you may need
    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe iptable_filter
    modprobe iptable_nat 
    modprobe ip_conntrack_irc
    modprobe ip_conntrack_ftp
    
    # Remove all rules and chains
    iptables -F
    iptables -X
    
    # first set the default behaviour => accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    
    # Create 2 chains, it allows to write a clean script
    iptables -N FIREWALL
    iptables -N TRUSTED
    
    # Allow ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow loopback traffic
    iptables -A FIREWALL -i lo -j ACCEPT
    # Send all package to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED
    # DROP all other packets
    iptables -A FIREWALL -j DROP
    
    # Send all INPUT packets to the FIREWALL chain
    iptables -A INPUT -j FIREWALL
    # DROP all forward packets, we don't share internet connection in this example
    iptables -A FORWARD -j DROP
    
    ##############
    iptables -A INPUT -p tcp --dport 80 -j DROP
    iptables -A INPUT -p udp --dport 80 -j DROP
    
    iptables -A TRUSTED -p udp -m udp --dport 4374 -j ACCEPT
    iptables -A TRUSTED -p tcp -m tcp --dport 4374 -j ACCEPT
    
    iptables -A INPUT -p tcp --dport 23 -j DROP
    iptables -A INPUT -p udp --dport 23 -j DROP
    
    iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT 
    iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT 
    iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
    ##############
    
    # End message
    echo " [End iptables rules setting]"
    El Belgicano
    -----------------
    Laptop: 5 years old Asus M6N (ATI9600/9700 graphics, 512Mb RAM, Intel Mobile 1.66GHz, 60Gb HDD) running 10.04-Lucid Lynx pretty nicely.

  3. #223
    Join Date
    Mar 2008
    Location
    St. Petersburg, FL USA
    Beans
    18
    Distro
    Ubuntu 7.10 Gutsy Gibbon

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    El_Belgicano:

    First of all, due to my limited expertise, I strongly suggest that you review and direct specific questions to frodon concerning your network security issues -- which are by no means trivial.

    I would also suggest that you check out the tutorial moderated by Ned Slider on PC Perspectives, http://forums.pcper.com/showthread.php?t=432469, "Linux Firewall (iptables) Tutorial". Just as frodon has done earlier in his tutorial, Ned Slider presents step-by-step iptables firewall preparation in uncomplicated language illustrated with pasteable examples for direct application. [Note: Ned Slider is writing in the CentOS system context. Illustrations and examples found in his tutorial will have to be adapted to Ubuntu iptables command structure]

    Slider's explanation of *what* he is doing with particular coding imparts educational depth rather than exercises in blind cutting and pasting.

    (In my humble experience, knowing what and why you are doing something gets you out of trouble later on and, in some instances, may prevent exposure to the malady in the first place. "Forewarned is forearmed!" (I don't know who said that; it may be a cliché, but it's good advice. . .))

    As I see your query, you are looking to protect your personal LAN and permit Trusted contact with an external network.

    I would conjecture that the examples I cited earlier in post #213 could definitely be used for your personal LAN (taking into consideration the CentOS context and where it may apply to Ubuntu) as I have directly used them successfully on an experimental setup. There are some port manipulations in the Slider article that would also be worth some study.

    frodon suggested also using MAC address screening (as did Ned Slider) to give an additional tier of security to the Trusted IP recognition process. Your friendly external network would likely have to provide you with this info. I don't know if the blocking process is carried out quietly or is verbose which produces the annoying alerts that you experienced. Firewall systems typically log probe attempts that are blocked as well as deliver overt warnings.

    Even though I have written in generalities, I hope this brief discussion will point you to the details that you want to incorporate into your firewall development.

    A sus ordenes,

    -met-
    Catz3705
    Last edited by Catz3705; April 6th, 2008 at 05:07 AM. Reason: Revise wording for better effect

  4. #224
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    These rules :
    Code:
    ##############
    iptables -A INPUT -p tcp --dport 80 -j DROP
    iptables -A INPUT -p udp --dport 80 -j DROP
    
    iptables -A TRUSTED -p udp -m udp --dport 4374 -j ACCEPT
    iptables -A TRUSTED -p tcp -m tcp --dport 4374 -j ACCEPT
    
    iptables -A INPUT -p tcp --dport 23 -j DROP
    iptables -A INPUT -p udp --dport 23 -j DROP
    
    iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT 
    iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT 
    iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
    #############
    should rather be like the following if you want to keep the spirit of the script:
    Code:
    iptables -A TRUSTED -p tcp --dport 80 -j DROP
    iptables -A TRUSTED -p udp --dport 80 -j DROP
    
    iptables -A TRUSTED -p udp -m udp --dport 4374 -j ACCEPT
    iptables -A TRUSTED -p tcp -m tcp --dport 4374 -j ACCEPT
    
    iptables -A TRUSTED -p tcp --dport 23 -j DROP
    iptables -A TRUSTED -p udp --dport 23 -j DROP
    
    iptables -A TRUSTED -p udp -m udp --sport 53 -j ACCEPT 
    iptables -A TRUSTED -p tcp -m tcp --sport 53 -j ACCEPT
    No need to add OUTPUT chain rules as the script doesn't block outgoing traffic; in the same way there is no need to handle the INPUT chain directly, as all input packets are sent to the TRUSTED chain, so you can just handle the TRUSTED chain for this purpose, which is how the script is supposed to be extended.

  5. #225
    Join Date
    Mar 2008
    Location
    St. Petersburg, FL USA
    Beans
    18
    Distro
    Ubuntu 7.10 Gutsy Gibbon

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    frodon:

    After some experimentation with my Ubuntu platforms with manually applied, temporary code, I've implemented your firewall solution on one of the systems for permanent use.

    The initial run did not allow the home LAN to be visible (this was anticipated). Some trial and error coding brought up the two Ubuntu platforms and a final modification of your code from our first post yielded the remaining Windows XP test system:

    Quote Originally Posted by frodon
    iptables -A TRUSTED -p tcp -s 192.168.2.* -j ACCEPT should do it i think.
    the firewall type sudo /etc/init.d/firewall stop
    My changes were:

    Code:
    # Allow ip 
    iptables -A TRUSTED -p tcp -s 192.168.2.0/24 -j ACCEPT
    iptables -A TRUSTED -p tcp -s 192.168.2.1 -m mac --mac-source [applicable mac address inserted] -j ACCEPT
    The results were the same as when I applied the sample codes:

    Code:
    # Accept packets from trusted IP addresses
    >>>>iptables -A INPUT -s 192.168.0.4 -j ACCEPT # change the IP address as appropriate
    ....
    Code:
    # Accept packets from trusted IP addresses
    iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT # using standard slash notation
    >>>>iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT # using a subnet mask
    ....
    Finally, as well as filtering against a single IP address, we can also match against the MAC address for the given device . . . . Here we use the mac module to check the MAC address of the source of the packet in addition to its IP address:
    
    Code:
    # Accept packets from trusted IP addresses
    >>>>iptables -A INPUT -s 192.168.0.4 -m mac --mac-source 00:50:8D:FD:E6:32 -j ACCEPT
    ....( ref: Slider, PC Perspectives)
    BTW this coding that you supplied did work once your firewall solution was in place:

    Quote Originally Posted by frodon
    It's the main problem with dynamic addresses and home networks. I think the rule I gave you doesn't work, but I'm sure allowing a range of IPs is possible with iptables.

    You can try that, i never tested this though :
    Code:
    iptables -A TRUSTED -i eth0 -m iprange --src-range 192.168.2.100-192.168.2.255 -j ACCEPT
    ....

    (It picked up the Ubuntu platforms and omitted the Win XP system.
    It probably needed to be tweaked to include the full range from 192.168.2.1 thru 255.
    The two lines that I mentioned above plus "iprange" addition seemed responsible for making all the test platforms visible
    including the network and workgroup.)

    I modified it and added it to the "Allow ip" section of "firewall.bash" as:

    Code:
    iptables -A TRUSTED -i eth0 -m iprange --src-range 192.168.2.1-192.168.2.255 -j ACCEPT
    Rebooting the system revealed the new firewall to be active and functional. NmapFE also showed the new firewall to be functioning as to scans.

    I should be able to distribute the firewall solution to the other Ubuntu platforms in my network as needed.


    Thanks again for the excellent programming and tutorial --- and most of all, your considerate and timely responses,

    -met-
    Catz3705
    Last edited by Catz3705; April 8th, 2008 at 03:35 AM. Reason: Addition of extra text

  6. #226
    Join Date
    Dec 2006
    Beans
    52

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    Hi, I am trying to fix a rule to allow connections to my vsftpd server with TLS/SSL connections. Do you have any idea of how I can fix this?

  7. #227
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    It depends on which port you run your FTP server; anyway, all the answers about your problem are in page 18 of this thread.
    Always remember to search in this thread using the search features; many questions have been answered already and many problems solved.

  8. #228
    Join Date
    Dec 2006
    Beans
    52

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    Thank you. It works now for active connections but not for passive connections with these settings
    Code:
    iptables -A ALLOWED_PORT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
    iptables -A ALLOWED_PORT -i eth0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    iptables -A ALLOWED_PORT -i eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A ALLOWED_PORT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    But I do not understand how it works, can someone explain ?
    1. Why do I care about sport at all ? Is it not enough to only care about my server ports ?
    2. Is not this insecure ?
    Code:
    iptables -A ALLOWED_PORT -i eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    Does this mean that after a connection he can connect to whichever port he wants on my computer if he chooses to use port 20?
    I thought that I should use dport for all incoming traffic and sport/dport for all outgoing traffic.
    Last edited by durus; April 8th, 2008 at 06:08 AM.

  9. #229
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    For the first 3 rules, sport is indeed useless and one should use dport instead; sport is more used when filtering outgoing connections, which is not the case here.
    If you ask me, I would tell you that the simple fact of running a service makes your computer more vulnerable, so you can limit the risk but not eradicate it.

    For passive ports you may need to add the ip_conntrack module before the ip_conntrack_ftp one.

    For me you don't need to allow ESTABLISHED and RELATED as they are already allowed earlier in the script, so for me only the first line is useful, and at home I only open dport 21 in input to allow FTP traffic.

    BTW I guess ALLOWED_PORT is a chain you created, right?

  10. #230
    Join Date
    Dec 2006
    Beans
    52

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    It still does not work. As you guessed, ALLOWED_PORT is a chain. You can see my rules here. I have not removed those last rules as you mentioned but I will do that when everything is working.

    Code:
    # No spoofing
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
    echo 1 > $filtre
    done
    fi 
    
    # No icmp
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    
    #load some modules you may need
    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe iptable_filter
    modprobe iptable_nat 
    modprobe ip_conntrack #added for ftp passive mode ?
    modprobe ip_conntrack_irc
    modprobe ip_conntrack_ftp
    
    # Remove all rules and chains
    iptables -F
    iptables -X
    
    # Create chains
    iptables -N FIREWALL
    iptables -N TRUSTED
    iptables -N ALLOWED_PORT
    
    # first set the default behaviour => accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    
    # Send all INPUT packets to the FIREWALL chain
    iptables -A INPUT -j FIREWALL
    
    # DROP all forward packets, we don't share internet connection in this example
    iptables -A FORWARD -j DROP
    
    # FIREWALL Chain start _____________ 
    
    # Allow ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow loopback traffic
    iptables -A FIREWALL -i lo -j ACCEPT
    # Send all packages to chains
    iptables -A FIREWALL -j TRUSTED
    iptables -A FIREWALL -j ALLOWED_PORT
    # DROP all other packets
    iptables -A FIREWALL -j DROP
    # _____
    
    # TRUSTED Chain start _____________ 
    # VNC
    iptables -A TRUSTED -i eth0 -s 192.168.0.2 -p tcp -m tcp --dport 5901 -j ACCEPT 
    
    # ____
    
    # ALLOWED_PORT chain
    # SSH
    iptables -A ALLOWED_PORT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
    # FTP
    iptables -A ALLOWED_PORT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
    iptables -A ALLOWED_PORT -i eth0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    iptables -A ALLOWED_PORT -i eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A ALLOWED_PORT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    
    
    # _____
    
    # End message
    echo " [End iptables rules setting]"
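A toy model of the chain traversal behind frodon's two points, #224 (rules appended to INPUT after the jump to FIREWALL are never reached, because FIREWALL ends in DROP, so additions belong in TRUSTED) and #229 (ESTABLISHED,RELATED is already accepted at the top of FIREWALL, so for FTP only --dport 21 is needed, and the --sport 20 rule cannot admit a NEW connection). This is an added example, not code from the thread: it uses a simplified rule format, reproduces only the shape of the scripts in #222 and #230, and takes each constructed packet's conntrack state as an input instead of tracking connections itself.

```python
# Added example (not from the thread): a toy model of iptables chain traversal,
# just enough to check the rule placement discussed in #224 and #229.
TERMINAL = {"ACCEPT", "DROP"}

def rule(target, **match):
    # match fields: iface, proto, src, sport, dport; state is a set of allowed states
    return {"match": match, "target": target, "hits": 0}

def pkt(**fields):
    # Constructed packet; its conntrack state is an input here (the kernel sets it for real).
    return {"iface": "eth0", "proto": "tcp", "state": "NEW", **fields}

def matches(r, p):
    for key, want in r["match"].items():
        ok = p.get(key) in want if key == "state" else p.get(key) == want
        if not ok:
            return False
    return True

def traverse(chains, name, p):
    # Walk one chain; None means it fell through (implicit RETURN to the caller).
    for r in chains[name]:
        if not matches(r, p):
            continue
        r["hits"] += 1
        if r["target"] in TERMINAL:
            return r["target"]
        v = traverse(chains, r["target"], p)  # -j user-chain
        if v is not None:
            return v
    return None

def verdict(chains, p):
    return traverse(chains, "INPUT", p) or "ACCEPT"  # -P INPUT ACCEPT

def post222_rules():
    # El Belgicano's layout: INPUT -> FIREWALL -> TRUSTED -> DROP, port-80 DROP appended after the jump
    return {
        "INPUT": [rule("FIREWALL"), rule("DROP", proto="tcp", dport=80)],
        "FIREWALL": [rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
                     rule("ACCEPT", iface="lo"), rule("TRUSTED"), rule("DROP")],
        "TRUSTED": [rule("ACCEPT", proto="tcp", dport=4374)],
    }

def post230_rules():
    # durus's layout, keeping only the rules the FTP discussion needs
    est = {"ESTABLISHED", "RELATED"}
    return {
        "INPUT": [rule("FIREWALL")],
        "FIREWALL": [rule("ACCEPT", iface="eth0", state=est), rule("ACCEPT", iface="lo"),
                     rule("TRUSTED"), rule("ALLOWED_PORT"), rule("DROP")],
        "TRUSTED": [rule("ACCEPT", src="192.168.0.2", proto="tcp", dport=5901)],
        "ALLOWED_PORT": [rule("ACCEPT", proto="tcp", dport=21),
                         rule("ACCEPT", proto="tcp", sport=20, state=est)],
    }
```

With the #222 layout, `verdict(post222_rules(), pkt(dport=80))` is DROP from the end of FIREWALL and the INPUT port-80 rule keeps zero hits; with the #230 layout a passive data connection marked RELATED (what the ip_conntrack_ftp helper does) is accepted by the first FIREWALL rule, the same packet marked NEW is dropped, and a NEW packet with sport 20 to port 5901 is dropped because the sport 20 rule also requires ESTABLISHED,RELATED.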
