Iptables rules

**Hungry Man** · September 8th, 2013

-A INPUT -i lo -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID,NEW -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p udp -m owner --uid-owner 106 -m udp --dport 443 -j ACCEPT
-A OUTPUT -m owner --uid-owner 106 -j DROP
#-A OUTPUT -m owner --uid-owner 1000 -p tcp -m multiport --dports 80,443,5222 -j ACCEPT
#-A OUTPUT -m owner --uid-owner 1000 -p udp -m multiport --dports 80,443,5222 -j ACCEPT
#-A OUTPUT -m owner --uid-owner 1000 -j DROP

1000 is my user, and those are commented out right now. When I enable them and enforce I can't seem to get my browser to load any pages.

**unspawn** · September 8th, 2013

Your rule set is incomplete and that makes it less efficient to correct errors. Try to post 'iptables-save' output as that's the complete rule set (except for ipset, xt_recent or similar listings) that's in use. The easiest way IMHO to troubleshoot rule problems is to have "-j LOG --log-prefix "whatever " logging rules precede any decision rules.

**prodigy_** · September 8th, 2013

It doesn't look like you're building an enterprise firewall so what's the point of filtering output? Malware protection? If so, I'd say don't bother as long as you allow port 80.

**Hungry Man** · September 8th, 2013

Here is the full output (commented out lines are what break internet)

# Generated by iptables-save v1.4.12 on Wed Aug 21 06:25:22 2013*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [265:42591]
-A INPUT -i lo -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID,NEW -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p udp -m owner --uid-owner 106 -m udp --dport 443 -j ACCEPT
-A OUTPUT -m owner --uid-owner 106 -j DROP
#-A OUTPUT -m owner --uid-owner 1000 -p tcp -m multiport --dports 80,443,5222 -j ACCEPT
#-A OUTPUT -m owner --uid-owner 1000 -p udp -m multiport --dports 80,443,5222 -j ACCEPT
#-A OUTPUT -m owner --uid-owner 1000 -j DROP
COMMIT
# Completed on Wed Aug 21 06:25:22 2013

@prodigy,

I like to practice on my own system. It's less about security and more about wanting to know how to do these things for when I need to.

**CharlesA** · September 8th, 2013

When you say your browser won't load any pages, does that include if you try to access a website via IP address?

**Hungry Man** · September 8th, 2013

Yes, even when I access via IP. I think DNS resolution works fine, and my DNS resolver runs as a separate user (that's the 53 access in the rules).

**CharlesA** · September 8th, 2013

Originally Posted by Hungry Man

Yes, even when I access via IP. I think DNS resolution works fine, and my DNS resolver runs as a separate user (that's the 53 access in the rules).

Huh. I think the best thing to do is to turn on logging and see what the firewall is actually doing.

Other than that, try using more generic output rules by dropping the user specific bits and see if it works.

**Doug S** · September 10th, 2013

I was curious about this thread, as it seemed to me the rule set should have worked. However, I didn't have anything to add, so didn't post. So now, I tried it for myself and I think an OUTPUT rule to accept lo stuff is needed. Here is what I have and my source script:

Code:

doug@doug-desktop:~$ sudo iptables -v -x -n -L
Chain INPUT (policy ACCEPT 152 packets, 23766 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     355    19132 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
      51     3048 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 387 packets, 99328 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      96     7248 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 106 udp dpt:443
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 106
      55     5437 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1000 multiport dports 80,443,5222
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1000 multiport dports 80,443,5222
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1000

Code:

#!/bin/sh

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
EXTIF="eth0"
EXTIP="192.168.122.179"
EXTNET="192.168.122.0/24"
UNIVERSE="0.0.0.0/0"

#Clearing any previous configuration
#
echo "  Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
# Reset all IPTABLES counters
$IPTABLES -Z

# Secure Shell on port 22. I need this as I am doing everything via remote.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -j ACCEPT

# Hungry Man's INPUT ACCEPT rules are not needed, because the default is ACCEPT
$IPTABLES -A INPUT -m state --state INVALID,NEW -j REJECT --reject-with icmp-port-unreachable

# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# I wonder who 106 is and what this is for?
$IPTABLES -A OUTPUT -p udp -m owner --uid-owner 106 -m udp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -m owner --uid-owner 106 -j DROP

# Hungry Man rules in question.
$IPTABLES -A OUTPUT -m owner --uid-owner 1000 -p tcp -m multiport --dports 80,443,5222 -j ACCEPT
$IPTABLES -A OUTPUT -m owner --uid-owner 1000 -p udp -m multiport --dports 80,443,5222 -j ACCEPT
$IPTABLES -A OUTPUT -m owner --uid-owner 1000 -j DROP

echo test iptables rule set - Hungry Man - http://ubuntuforums.org/showthread.php?t=2173062 - done.

**Hungry Man** · September 10th, 2013

So you added an outbound on -lo? That's interesting. What for?

And where does it log to?

**CharlesA** · September 10th, 2013

iptables will log to /var/log/syslog under whatever prefix you tell it to log as.

Thread: Iptables rules

Thread Tools

Display

Iptables rules

Re: Need a bit of help with my iptables rules

Re: Need a bit of help with my iptables rules

Re: Need a bit of help with my iptables rules

Re: Need a bit of help with my iptables rules

Re: Need a bit of help with my iptables rules

Re: Need a bit of help with my iptables rules

Re: Need a bit of help with my iptables rules

Re: Iptables rules

Re: Iptables rules

Bookmarks

Bookmarks

Posting Permissions