
Thread: Iptables rule help

  1. #11
    Join Date
    Mar 2011
    Beans
    671

    Re: Iptables rule help

    I'm using DNSCrypt, and I have it running as a separate user. It needs outbound access. I used a rule to stop all inbound access that is NEW/INVALID and it stopped resolving. So I added an inbound rule for UDP on 53, now it works.

  2. #12
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,271
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: Iptables rule help

    If you put the allow-all for the loopback interface lo, as suggested in post #7 above, you won't need the port 53 rule. Doing it as you currently are allows anyone on the internet to get into your system via port 53, but your local resolver running as a different user will use the loopback interface (which as the name implies simply loops output back to input without ever going outside your system) and so won't be trapped by the "NEW,INVALID" rule.

    Even better, perhaps, would be to add the "-i eth0" or "-i wan0" parameter to your three INPUT rules, so that they apply only to the specific interface that connects to the outside world. There are many many ways to remove the fur from the feline, when dealing with iptables -- which is part of why it can be so confusing.
    Last edited by JKyleOKC; June 27th, 2013 at 10:46 PM. Reason: fat fingers
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads

  3. #13
    Join Date
    Mar 2011
    Beans
    671

    Re: Iptables rule help

    Interesting. Thank you.

  4. #14
    Join Date
    Jun 2013
    Beans
    8

    Re: Iptables rule help

    Thank You to ALL

  5. #15
    Join Date
    Jun 2013
    Beans
    8

    Re: Iptables rule help

    .
    Last edited by linuxcenter; June 30th, 2013 at 11:50 AM.

  6. #16
    Join Date
    Jun 2013
    Beans
    8

    Re: Iptables rule help

    .
    Last edited by linuxcenter; June 30th, 2013 at 11:50 AM.

  7. #17
    Join Date
    Jun 2013
    Beans
    8

    Re: Iptables rule help

    OK, how about these rules?

    Rule 1: I want to block all incoming/INPUT connections, from port range 0 to 65535.

    Code:
    iptables -A INPUT -p tcp -m multiport --sports 0-65535 --dports 0-65535 -j DROP

    Rule 2: In outgoing/OUTPUT, allow only TCP ports 80 and 443 and UDP 53, and block all the remaining ports 0 to 65535.

    Code:
    iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -d 0/0 --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p udp -m multiport --sports 53 --dports 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -j DROP

    =======================================================================

    Blocking ping attempts:

    Code:
    iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

    Blocking DoS attacks:

    Code:
    iptables -A INPUT -p udp -m state --state NEW -m recent --update --seconds 1 --hitcount 5 --name DDOS --rsource -j DROP

    Last edited by linuxcenter; June 30th, 2013 at 12:11 PM.

  8. #18
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    9,571
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Iptables rule help

    Quote Originally Posted by linuxcenter View Post
    OK How about these rules ?
    You're making this much more complicated than it need be. Stop worrying about blocking ports and block by IP address or interface.

    First, you need to put all the rules that allow acceptable traffic ahead of the blocking rules. Second, it's clear to me that you have a limited understanding of how IP traffic works. Let's start with this:

    iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -d 0/0 --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
    This will never work because the outbound requests to web servers do not originate from ports 80 and 443 on the client machine. The client always chooses a random unprivileged port above 1023 for outbound traffic. Ordinary users cannot bind to a port below 1024; only root can do that. So clients use high ports for outbound requests. Also, "-d 0/0" is unnecessary since that is the iptables default.

    In any event, if you want to block all incoming traffic to an interface just use:

    Code:
    /sbin/iptables -A INPUT -i eth0 -j DROP
    That blocks everything arriving on the Ethernet interface eth0.

    Now as for the OUTPUT rule, is this machine designed to be a firewall router with two interface cards, one pointing to the Internet and one pointing to the LAN? Or are you trying to block packets leaving the machine itself? If it is a router with, say, eth0 pointing to the Internet and eth1 pointing inside, use

    Code:
    /sbin/iptables -A INPUT -i eth1 -p tcp --dport 80  -j ACCEPT
    /sbin/iptables -A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
    /sbin/iptables -A INPUT -i eth1 -j DROP
    Now people behind the box can reach remote websites but nothing else.

    It's a lot easier to specify just the minimal set of rules required to permit what you want to permit then block everything else.
    Last edited by SeijiSensei; June 30th, 2013 at 03:44 PM.
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  9. #19
    Join Date
    Jun 2013
    Beans
    8

    Re: Iptables rule help

    I'm on a LAN. Now, can I be specific about outgoing rules: allow only dport and sport to be 80,443?
    If I'm not hosting a website, why do I need

    /sbin/iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
    /sbin/iptables -A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT

  10. #20
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Iptables rule help

    As said earlier, your machine communicates with remote servers by picking a random high numbered port. If you wanted to filter traffic, go off the destination port, not both source and destination port. That goes for the Output chain.

    As far as the INPUT chain goes, if you aren't hosting any services, it should be fine to drop or reject anything incoming that isn't established or related.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...
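Pulling the advice of posts #12, #18 and #20 together, here is a complete host ruleset in the shape they converge on: allow the loopback interface first, accept only replies on the outside interface, and filter outbound traffic by destination port alone. This is an added example, not code from the thread or from any poster. It assumes a single outside interface whose name is passed in (eth0 by default, as in post #12), a local resolver on 127.0.0.1 as in post #11, and the hypothetical requirement of TCP 80/443 plus UDP 53 from post #17; it uses the conntrack match, which is the current spelling of "-m state". The script only prints an iptables-restore file and never touches the live firewall; the lint function flags the source-port mistake that post #18 points out.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints a minimal host ruleset in
# iptables-restore format. Assumptions (not from the thread): one outside
# interface whose name is $1 (default eth0); a local resolver on 127.0.0.1;
# the host needs outbound tcp 80/443 and udp 53 and nothing else.
# Usage: sh rules.sh eth0 > rules.v4   (review, then: iptables-restore < rules.v4)

gen_ruleset() {
    wan="${1:-eth0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback first: a local resolver talks to 127.0.0.1 and never crosses the
# outside interface, so no port-53 INPUT rule is needed (post #12).
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Only replies to connections this host opened come in on the outside
# interface; NEW and INVALID fall through to the DROP policy.
-A INPUT -i $wan -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Outbound: match the remote (destination) port only. The local source port
# is ephemeral, above 1023, so a --sports 80,443 match never fires (post #18).
# If your DNSCrypt upstream listens on another port, add it here (assumption).
-A OUTPUT -o $wan -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $wan -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Lint one rule line. Returns 1 when an OUTPUT rule matches on a source port,
# the mistake from post #17 (a client never sends from port 80 or 443).
# Comment lines (starting with #) are ignored.
lint_rule() {
    case "$1" in
        \#*) return 0 ;;
        *"-A OUTPUT"*"--sport"*) return 1 ;;
    esac
    return 0
}

# Lint a whole ruleset read from stdin; prints the number of offending lines.
lint_ruleset() {
    bad=0
    while IFS= read -r line; do
        lint_rule "$line" || bad=$((bad + 1))
    done
    echo "$bad"
}

# Syntax check without loading anything: needs root and iptables-restore.
check_ruleset() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        gen_ruleset "$1" | iptables-restore --test
    else
        echo "skipping iptables-restore --test (not root or tool missing)" >&2
    fi
}

if [ -n "${1:-}" ]; then
    gen_ruleset "$1"
fi
```

Run it as `sh rules.sh eth0` to see the file, or pipe the output through `lint_ruleset` to confirm it contains no source-port matches; `check_ruleset eth0` as root runs the kernel-side parse with `iptables-restore --test` without installing the rules. Note that on a two-interface router the per-user traffic from behind the box would be handled in FORWARD, not INPUT; this ruleset is for the single machine the thread is about.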

