
Thread: Iptables

  1. #1
    Join Date
    Feb 2008
    Location
    Stockholm, Sweden
    Beans
    14

    Iptables

    Hello,

    I'm using Ubuntu 12.04 as a router for a lab environment but I can't get the firewall working properly.
    I've got port 22 open but other than that, I thought all communication would be dropped with this configuration.
    I'm suspecting one of the forward rules or postrouting might mess it up but the clients behind the firewall can still browse the internet.
    I'm trying to block all traffic preferably in and out with the option to open specific ports.
    What am I doing wrong?

    Code:
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [34:2220]
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -j DROP
    -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eth0 -o eth1 -j ACCEPT
    COMMIT
    # Completed on Thu Nov 14 09:12:28 2013
    # Generated by iptables-save v1.4.12 on Thu Nov 14 09:12:28 2013
    *nat
    :PREROUTING ACCEPT [2944:332559]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [19:1200]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -o eth1 -j MASQUERADE
    COMMIT
    I'm loading the iptables rules through /etc/network/interfaces

    Code:
    # The loopback network interface
    auto lo
    iface lo inet loopback
    pre-up iptables-restore < /etc/iptables.rules
    
    # External interface
    auto eth1
    iface eth1 inet static
    address 192.168.237.106
    netmask 255.255.255.0
    gateway 192.168.237.234
    dns-nameservers 192.168.237.2 192.168.237.8
    
    # Internal interface
    auto eth0
    iface eth0 inet static
    address 192.168.0.1
    netmask 255.255.255.0
    gateway 192.168.237.106
    dns-nameservers 192.168.237.2 192.168.237.8
    Last edited by Frobe82; November 14th, 2013 at 09:43 AM.

  2. #2
    Join Date
    Feb 2009
    Location
    Singapore
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Iptables

    Change default for INPUT chain to drop policy instead and open whatever required.

  3. #3
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,191
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: Iptables

    The INPUT chain applies only to packets addressed to THIS machine. If the clients are elsewhere on the LAN, you need the FORWARD chain for their packets. Your default policy for FORWARD allows all packets from the LAN to go to the WAN, which is apparently not what you want to happen. Changing ACCEPT to DROP in your second rule for FORWARD will prevent them from reaching the WAN while allowing them to browse the LAN.

    Changing the policy for a chain will affect all packets, which apparently is not exactly what you're looking for...
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads

  4. #4
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,853
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Iptables

    First, you have a masquerading rule, which is designed to enable machines behind the router to have private addresses yet still communicate with upstream hosts. If you don't want any outbound traffic from those machines, you should block them all, or set the FORWARD policy to DENY (see below), or just turn off packet forwarding by setting net.ipv4.ip_forward=0 in /etc/sysctl.conf.

    If you want to block all traffic in and out, and not permit forwarding across interfaces, then make the default INPUT, FORWARD, and OUTPUT policies be DROP:

    Code:
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    then add rules to open specific ports or to forward traffic from identified machines to specific upstream hosts/ports.
    Last edited by SeijiSensei; November 15th, 2013 at 01:27 AM.
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  5. #5
    Join Date
    Feb 2008
    Location
    Stockholm, Sweden
    Beans
    14

    Re: Iptables

    Thanks for all your input and I am looking forward to more.

    My setup is a virtual machine running Ubuntu Server 12.04 whose only purpose is to act as a firewall.
    I have two network adapters and the port forwarding and NAT are working well, too well. It lets everything through.

    So all traffic inside <> outside is dropped; this is fine. I just want to address that when all policies are ACCEPT, the NAT and PORT FORWARDING does work.

    Code:
    # Generated by iptables-save v1.4.12 on Fri Nov 15 07:31:12 2013
    *nat
    :PREROUTING DROP [163:13427]
    :INPUT DROP [6:764]
    :OUTPUT DROP [1:62]
    :POSTROUTING DROP [0:0]
    -A POSTROUTING -o eth1 -j MASQUERADE
    COMMIT
    # Completed on Fri Nov 15 07:31:12 2013
    # Generated by iptables-save v1.4.12 on Fri Nov 15 07:31:12 2013
    *filter
    :INPUT DROP [16:1560]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [1:62]
    -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eth0 -o eth1 -j ACCEPT
    COMMIT
    # Completed on Fri Nov 15 07:31:12 2013
    So my humble request now is if anyone could possibly tell me what I need to do to get things up and running since I do not understand if I need to put the rules towards the filter or the nat, and I am confused where to apply the rules regarding input/output and forward.

    For example, I am pretty sure that to enable SSH connections from the outside I open port 22 with filter INPUT on eth1 (external interface), and from the inside I open INPUT on eth0 (internal interface). I will try this now.
    What I would like to get some help with is how I make my LAN machines reach the DNS servers outside the firewall and surf the web.

    Best Regards
    Frobe

  6. #6
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,470
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Iptables

    A good reference for iptables, that many of us use, is here. The answer to your ssh question (with a brute force block), and much more information, is there.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  7. #7
    Join Date
    Feb 2008
    Location
    Stockholm, Sweden
    Beans
    14

    Re: Iptables

    I've read through that link you sent but did not get much wiser.
    This is the config I am running atm.
    I've opened up for the apt-get but I do not understand why I have to apply it to both tables, filter and nat. This would mean that it will run through both tables before the packet is processed, is this correct?
    I am pondering this since I am running apt-get on the router itself and I thought it would not go via the *nat table. But apparently it does, is this normal?
    I've managed to DROP everything except for the *nat prerouting and postrouting. When I drop the prerouting the clients behind the firewall cannot reach the internet, understandable.
    I cannot find the prerouting syntax to open up for port 80, could someone lend me a hand?
    And please point out any mistakes.
    I am running out of time and I need two things.
    1. 100% closed down firewall.
    2. Instructions of how to open up the firewall for specific services (so far only port 80).

    Any help would be greatly appreciated!

    Code:
    # Generated by iptables-save v1.4.12 on Mon Nov 18 10:27:14 2013
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eth0 -o eth1 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 443 -m state --state NEW -j ACCEPT
    COMMIT
    # Completed on Mon Nov 18 10:27:14 2013
    # Generated by iptables-save v1.4.12 on Mon Nov 18 10:27:14 2013
    *nat
    :PREROUTING DROP [2236:207998]
    :INPUT DROP [0:0]
    :OUTPUT DROP [0:0]
    :POSTROUTING DROP [0:0]
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 443 -m state --state NEW -j ACCEPT
    -A POSTROUTING -o eth1 -j MASQUERADE
    COMMIT
    # Completed on Mon Nov 18 10:27:14 2013

  8. #8
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,470
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Iptables

    Just set default DROP policies for INPUT, OUTPUT, and FORWARD, as Seiji mentioned above. Leave the PREROUTING and POSTROUTING default policies alone, or as ACCEPT.
    You deal with allowing your local clients access to the internet or not via the FORWARD chain.

    So, I am saying delete this line:
    Code:
    -A FORWARD -i eth0 -o eth1 -j ACCEPT
    and add lines with specifically what you want to do, i.e.:
    Code:
    -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
    You might think I need to specify a source interface or address or something, but I don't think so, because the only way to hit the rule is from your local clients (but I didn't test it). You probably want port 443 also.

    I don't know your network, so you might need to allow some other stuff via the FORWARD chain for basic LAN operation, such as port 53 (DNS) and udp ports 67 and 68 for dhcp.

    Don't you want tcp instead of udp for this line:
    Code:
    -A OUTPUT -p udp -m udp --dport 443 -m state --state NEW -j ACCEPT
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.
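    As an added worked example (not posted by anyone in this thread), here is a complete /etc/iptables.rules that applies the advice from posts #4 and #8 to the setup in post #1: default DROP on all three filter chains, ACCEPT policies on the nat table, and explicit FORWARD rules for the services the LAN clients need. It also answers the question in post #7 about the nat table: the nat table is consulted only for the first packet of each connection, so DROP policies there break NAT and masquerading; filtering belongs in the filter table. Interface names (eth1 = WAN, eth0 = LAN) and the LAN subnet 192.168.0.0/24 come from the thread; restricting FORWARD rules to that source subnet and opening loopback on the router are my own least-privilege additions, not something the thread prescribes. The lint function is a constructed check that catches the mistake in post #1 (a filter chain left at ACCEPT) before the file is loaded.

```shell
#!/bin/sh
# Added example, not from the thread: generate a locked-down iptables-restore
# ruleset for a two-interface Ubuntu router and sanity-check it before loading.
# Assumptions: eth1 is the WAN side, eth0 the LAN side (192.168.0.0/24).
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.0.0/24

# Print the ruleset. Save it with:  gen_rules > /etc/iptables.rules
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Router itself: loopback, replies to its own connections, drop malformed state
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH to the router, from the LAN and from the WAN (post #5's intent)
-A INPUT -i $LAN_IF -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# Router's own outbound traffic: only DNS and HTTP/HTTPS (apt-get); the
# ESTABLISHED rule replaces post #7's "--sport 22" rule for SSH replies
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# Forwarding for LAN clients: replies back in, and only named services out.
# The blanket "-i eth0 -o eth1 -j ACCEPT" from the thread is deliberately gone.
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
COMMIT
*nat
# nat sees only the first packet of a connection: keep its policies ACCEPT and
# let the filter table decide what is allowed (this is what broke post #5/#7)
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Constructed check: fail if any filter-table chain policy is still ACCEPT.
lint_rules() {
    gen_rules | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:/ && $2 == "ACCEPT" { bad++; print "open policy: " $1 }
        END { exit (bad > 0) }'
}

# Count COMMIT lines: a valid two-table file must have exactly two.
commit_count() {
    gen_rules | grep -c '^COMMIT$'
}
```

Load it with `iptables-restore < /etc/iptables.rules` (the `pre-up` line in post #1 already does this at boot); `iptables-restore --test` on versions that support it parses the file without applying it. Forwarding still requires `net.ipv4.ip_forward=1`, and after loading, `iptables -L -v -n` shows per-rule packet counters, which is the quickest way to see which rule a blocked client is actually hitting. DHCP for the LAN (udp 67/68, mentioned in post #8) is served by the router itself in this layout and would be an INPUT rule on eth0, not a FORWARD rule.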
