Page 1 of 3
Results 1 to 10 of 21

Thread: Iptables rule help

  1. #1
    Join Date
    Jun 2013
    Beans
    8

    Iptables rule help

    Rule 1: want to block all Incoming/Input connections, from port range 0 to 65535.
    Rule 2: In Outgoing/Output allow only tcp port 80,443, udp 53 & block all the remaining ports 0 to 65535

    Additional rules for:
    blocking ping attempts
    blocking dos attacks
    blocking script attacks

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Iptables rule help

    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,271
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: Iptables rule help

    Quote Originally Posted by linuxcenter:
    Rule 1: want to block all Incoming/Input connections, from port range 0 to 65535.
    If you actually implement such a rule, you will be unable to do anything on the internet. If you block all input connections, that will prevent your receipt of any reply to any of your outgoing packets. For example, you could attempt to connect to google.com, but you would not receive the DNS reply that told you the address of Google, much less receive any reply from your http connection message.

    If the intent is to block all unsolicited input traffic, you need a rule to ACCEPT packets with status RELATED or ESTABLISHED, like this:
    Code:
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    Follow it with a second rule to DROP everything else:
    Code:
    -A INPUT -j DROP
    The tutorial that CharlesA referred you to is very good, but "iptables" is sufficiently complicated that any attempt to cover it is going to be massively confusing at the start. The best bet, if you want to roll your own set of rules, is to tackle one goal at a time and make sure that it's doing what you want before moving on to the next...
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads

  4. #4
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Iptables rule help

    Quote Originally Posted by JKyleOKC:
    The tutorial that CharlesA referred you to is very good, but "iptables" is sufficiently complicated that any attempt to cover it is going to be massively confusing at the start. The best bet, if you want to roll your own set of rules, is to tackle one goal at a time and make sure that it's doing what you want before moving on to the next...
    That is how I learned iptables (and locked myself out on more than one occasion...). If you are going to be dealing with firewall rules be sure you have console access to the machine in question.

    sidenote: I use REJECT instead of DROP so I don't have to sit there wondering why I keep getting timeout messages when troubleshooting.

    See here: http://www.chiark.greenend.org.uk/~p...drop-vs-reject

  5. #5
    Join Date
    Mar 2011
    Beans
    671

    Re: Iptables rule help

    Instead of removing ALL inbound traffic, try...

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -m state --state NEW,INVALID -j REJECT

    This prevents all inbound access EXCEPT for:
    1) When traffic is solicited by a previous outbound connection
    2) To port 53 using UDP, which will allow your DNS resolution.

    For your second request:


    iptables -A OUTPUT -p tcp -m multiport --dports 443,80 -j ACCEPT
    iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -j DROP   # the owner match needs --uid-owner/--gid-owner; a plain DROP is what this rule intends

    For the others:
    You'll need more complicated time-based rulesets. I'm too lazy. Try fail2ban, maybe.

  7. #7
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    9,629
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Iptables rule help

    Regardless of what you choose, you almost always need to enable traffic on the localhost interface.

    Code:
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  8. #8
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,847
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Iptables rule help

    Quote Originally Posted by Hungry Man:
    Instead of removing ALL inbound traffic, try...

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -m state --state NEW,INVALID -j REJECT

    This prevents all inbound access EXCEPT for:
    1) When traffic is solicited by a previous outbound connection
    2) To port 53 using UDP, which will allow your DNS resolution.
    ...
    You do not need the specific --dport 53 line. Outgoing DNS requests will: get back via the RELATED,ESTABLISHED line; not be to port 53 anyway (they will be from a port 53).
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  9. #9
    Join Date
    Mar 2011
    Beans
    671

    Re: Iptables rule help

    It's necessary on my system, but I use a different resolver, so that may be why.

  10. #10
    Join Date
    Jan 2008
    Beans
    Hidden!
    Distro
    Kubuntu 13.04 Raring Ringtail

    Re: Iptables rule help

    Quote Originally Posted by Hungry Man:
    It's necessary on my system, but I use a different resolver, so that may be why.
    Is your host acting as DNS server for other hosts? If not, opening port 53 is not the right way to go.
    If you want your DNS queries to go through your resolver, you should be allowing connections only from localhost. Like SeijiSensei suggested above, you should not block traffic on lo.
