
Thread: Iptables rules

  1. #1
    Join Date
    Mar 2011
    Beans
    680

    Iptables rules

    -A INPUT -i lo -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m state --state INVALID,NEW -j REJECT --reject-with icmp-port-unreachable
    -A OUTPUT -p udp -m owner --uid-owner 106 -m udp --dport 443 -j ACCEPT
    -A OUTPUT -m owner --uid-owner 106 -j DROP
    #-A OUTPUT -m owner --uid-owner 1000 -p tcp -m multiport --dports 80,443,5222 -j ACCEPT
    #-A OUTPUT -m owner --uid-owner 1000 -p udp -m multiport --dports 80,443,5222 -j ACCEPT
    #-A OUTPUT -m owner --uid-owner 1000 -j DROP

    1000 is my user, and those are commented out right now. When I enable them and enforce, I can't seem to get my browser to load any pages.

  2. #2
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: Need a bit of help with my iptables rules

    Your rule set is incomplete, and that makes it less efficient to correct errors. Try to post 'iptables-save' output, as that's the complete rule set (except for ipset, xt_recent or similar listings) that's in use. The easiest way IMHO to troubleshoot rule problems is to have -j LOG --log-prefix "whatever " logging rules precede any decision rules.

  3. #3
    prodigy_
    Join Date
    Mar 2008
    Beans
    1,219

    Re: Need a bit of help with my iptables rules

    It doesn't look like you're building an enterprise firewall so what's the point of filtering output? Malware protection? If so, I'd say don't bother as long as you allow port 80.

  4. #4
    Join Date
    Mar 2011
    Beans
    680

    Re: Need a bit of help with my iptables rules

    Here is the full output (the commented-out lines are what break the internet):

    # Generated by iptables-save v1.4.12 on Wed Aug 21 06:25:22 2013
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [265:42591]
    -A INPUT -i lo -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m state --state INVALID,NEW -j REJECT --reject-with icmp-port-unreachable
    -A OUTPUT -p udp -m owner --uid-owner 106 -m udp --dport 443 -j ACCEPT
    -A OUTPUT -m owner --uid-owner 106 -j DROP
    #-A OUTPUT -m owner --uid-owner 1000 -p tcp -m multiport --dports 80,443,5222 -j ACCEPT
    #-A OUTPUT -m owner --uid-owner 1000 -p udp -m multiport --dports 80,443,5222 -j ACCEPT
    #-A OUTPUT -m owner --uid-owner 1000 -j DROP
    COMMIT
    # Completed on Wed Aug 21 06:25:22 2013

    @prodigy,

    I like to practice on my own system. It's less about security and more about wanting to know how to do these things for when I need to.

  5. #5
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Need a bit of help with my iptables rules

    When you say your browser won't load any pages, does that include if you try to access a website via IP address?

  6. #6
    Join Date
    Mar 2011
    Beans
    680

    Re: Need a bit of help with my iptables rules

    Yes, even when I access via IP. I think DNS resolution works fine, and my DNS resolver runs as a separate user (that's the 53 access in the rules).

  7. #7
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Need a bit of help with my iptables rules

    Quote Originally Posted by Hungry Man:
    Yes, even when I access via IP. I think DNS resolution works fine, and my DNS resolver runs as a separate user (that's the 53 access in the rules).
    Huh. I think the best thing to do is to turn on logging and see what the firewall is actually doing.

    Other than that, try using more generic output rules by dropping the user specific bits and see if it works.

  8. #8
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    2,204
    Distro
    Ubuntu Development Release

    Re: Need a bit of help with my iptables rules

    I was curious about this thread, as it seemed to me the rule set should have worked. However, I didn't have anything to add, so didn't post. So now, I tried it for myself and I think an OUTPUT rule to accept lo stuff is needed. Here is what I have and my source script:
    Code:
    doug@doug-desktop:~$ sudo iptables -v -x -n -L
    Chain INPUT (policy ACCEPT 152 packets, 23766 bytes)
        pkts      bytes target     prot opt in     out     source               destination
         355    19132 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
          51     3048 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW reject-with icmp-port-unreachable
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 387 packets, 99328 bytes)
        pkts      bytes target     prot opt in     out     source               destination
          96     7248 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
           0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 106 udp dpt:443
           0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 106
          55     5437 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1000 multiport dports 80,443,5222
           0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1000 multiport dports 80,443,5222
           0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1000

    Code:
    #!/bin/sh
    
    # The location of the iptables program
    #
    IPTABLES=/sbin/iptables
    
    #Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
    #
    EXTIF="eth0"
    EXTIP="192.168.122.179"
    EXTNET="192.168.122.0/24"
    UNIVERSE="0.0.0.0/0"
    
    #Clearing any previous configuration
    #
    echo "  Clearing any existing rules and setting default policy to ACCEPT.."
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -F FORWARD
    # Reset all IPTABLES counters
    $IPTABLES -Z
    
    # Secure Shell on port 22. I need this as I am doing everything via remote.
    $IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -j ACCEPT
    
    # Hungry Man's INPUT ACCEPT rules are not needed, because the default is ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID,NEW -j REJECT --reject-with icmp-port-unreachable
    
    # loopback interface is valid.
    #
    $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
    
    # I wonder who 106 is and what this is for?
    $IPTABLES -A OUTPUT -p udp -m owner --uid-owner 106 -m udp --dport 443 -j ACCEPT
    $IPTABLES -A OUTPUT -m owner --uid-owner 106 -j DROP
    
    # Hungry Man rules in question.
    $IPTABLES -A OUTPUT -m owner --uid-owner 1000 -p tcp -m multiport --dports 80,443,5222 -j ACCEPT
    $IPTABLES -A OUTPUT -m owner --uid-owner 1000 -p udp -m multiport --dports 80,443,5222 -j ACCEPT
    $IPTABLES -A OUTPUT -m owner --uid-owner 1000 -j DROP
    
    echo "test iptables rule set - Hungry Man - http://ubuntuforums.org/showthread.php?t=2173062 - done."
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  9. #9
    Join Date
    Mar 2011
    Beans
    680

    Re: Iptables rules

    So you added an outbound rule on lo? That's interesting. What for?

    And where does it log to?

  10. #10
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Iptables rules

    iptables will log to /var/log/syslog under whatever prefix you tell it to log as.
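Added example, not code from any post in this thread: it ties together the three suggestions above, namely the LOG-before-decision rules from post #2, the OUTPUT accept on lo that post #8 found necessary, and the /var/log/syslog location from post #10. Reading the rules as posted, a browser running as UID 1000 sends its DNS queries to the local resolver (post #6 says the resolver is local and listens on 53 over lo) as UDP to port 53, which none of the 80/443/5222 ACCEPT rules match, so those packets fall through to the per-UID DROP; the loopback ACCEPT placed first is what stops that. The script prints the rule set rather than applying it (an apply function is included for root), and summarises LOG lines so the dropped flow is visible at a glance. Assumptions not in the thread: UID 106 is taken to be the resolver's user, the "ipt-out-..." log prefixes are mine, and the sample log lines are constructed, not captured.

```shell
#!/bin/sh
# Added example, not code from the thread: an OUTPUT rule set that keeps the
# per-UID filtering discussed above but (1) accepts loopback traffic first and
# (2) puts a LOG rule in front of every DROP, so /var/log/syslog shows exactly
# which packet each DROP rule is eating. Assumptions: UID 1000 is the desktop
# user (post #1) and UID 106 is the local resolver's user (post #6); the
# "ipt-out-..." log prefixes and the sample log lines below are mine.

IPTABLES="${IPTABLES:-/sbin/iptables}"
USER_UID=1000
RESOLVER_UID=106

# Print the rule set instead of applying it, so it can be reviewed (or diffed
# against iptables-save output) before it touches the running firewall.
gen_rules() {
    cat <<EOF
$IPTABLES -F OUTPUT
# Loopback first: the browser's DNS queries to 127.0.0.1:53 are UDP from UID
# $USER_UID to port 53, which none of the 80/443/5222 ACCEPT rules match, so
# without this rule they fall through to the per-UID DROP below.
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m owner --uid-owner $RESOLVER_UID --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -m owner --uid-owner $RESOLVER_UID -j LOG --log-prefix "ipt-out-uid$RESOLVER_UID-drop " --log-uid
$IPTABLES -A OUTPUT -m owner --uid-owner $RESOLVER_UID -j DROP
$IPTABLES -A OUTPUT -p tcp -m owner --uid-owner $USER_UID -m multiport --dports 80,443,5222 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m owner --uid-owner $USER_UID -m multiport --dports 80,443,5222 -j ACCEPT
$IPTABLES -A OUTPUT -m owner --uid-owner $USER_UID -j LOG --log-prefix "ipt-out-uid$USER_UID-drop " --log-uid
$IPTABLES -A OUTPUT -m owner --uid-owner $USER_UID -j DROP
EOF
}

# Apply the generated rules (needs root). Nothing else in this file changes
# firewall state.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    gen_rules | sh -e
}

# Read kernel LOG lines on stdin (e.g. grep ipt-out- /var/log/syslog) and
# count them per prefix, outgoing interface, protocol, destination port and
# UID, most frequent first. --log-uid is what puts the UID= field in the line.
summarize_drops() {
    awk '
    /ipt-out-/ {
        prefix = ""; out = ""; proto = ""; dpt = ""; uid = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^ipt-out-/)     prefix = $i
            else if ($i ~ /^OUT=/)    out = substr($i, 5)
            else if ($i ~ /^PROTO=/)  proto = substr($i, 7)
            else if ($i ~ /^DPT=/)    dpt = substr($i, 5)
            else if ($i ~ /^UID=/)    uid = substr($i, 5)
        }
        n[prefix " out=" out " " proto " dpt=" dpt " uid=" uid]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample of what the LOG rules above would write to
# /var/log/syslog with the rule set *minus* the loopback ACCEPT: three DNS
# queries from the browser to the local resolver, and one IMAP connection.
SAMPLE_LOG='Aug 21 06:30:01 box kernel: [ 512.100000] ipt-out-uid1000-drop IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=48231 DPT=53 LEN=40 UID=1000 GID=1000
Aug 21 06:30:01 box kernel: [ 512.100200] ipt-out-uid1000-drop IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=48232 DPT=53 LEN=40 UID=1000 GID=1000
Aug 21 06:30:02 box kernel: [ 513.000000] ipt-out-uid1000-drop IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=48233 DPT=53 LEN=40 UID=1000 GID=1000
Aug 21 06:30:05 box kernel: [ 516.000000] ipt-out-uid1000-drop IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=51000 DPT=993 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000'

# The single most-dropped flow in the sample: the browser's DNS to loopback.
top_drop() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops | head -n 1
}

case "${1:-}" in
    gen)       gen_rules ;;
    apply)     apply_rules ;;
    summarize) summarize_drops ;;
    demo)      top_drop ;;
esac
```

Run it as "sh script.sh gen" to review the rules, "sudo sh script.sh apply" to load them, and "grep ipt-out- /var/log/syslog | sh script.sh summarize" once traffic has flowed; on Ubuntu the same kernel lines also land in /var/log/kern.log and dmesg. The --log-prefix keeps each DROP's hits distinguishable and must stay under 29 characters; --log-uid adds the UID= field that the summary keys on, which is what makes the per-user rules debuggable at all.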

