jre, thank you very much for this detailed explanation. I have already tried to copy Firestarter's configuration. It works for replacing rules, but it doesn't work when you need to change the default policy. I don't know why. Anyway, I decided to uninstall Firestarter and make all iptables rules with moblock scripts.
Now, whenever I stop moblock, the "remove" script flushes the iptables rules, removes the additional chains and sets the default policy (INPUT, OUTPUT and FORWARD) to DROP, thus working like Firestarter's lock feature and preventing network activity while moblock is turned off. The code is below:
Code:
#!/bin/sh
# "remove" script: flush every rule, delete the extra chains and close the host
# with DROP policies, so nothing passes while moblock is stopped
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
When I start moblock again, it will insert all rules in the INPUT/OUTPUT chains and create two new chains (INBOUND/OUTBOUND) which I use just for logging and dropping packets not accepted by the default chains. Here is the "insert" script:
Code:
#!/bin/sh
# "insert" script: chains used only to log and drop/reject what no other rule accepted
iptables -N INBOUND
iptables -N OUTBOUND
# default policies stay DROP; everything below is an explicit exception
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# INPUT: replies to connections this host opened
iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.x.x -j ACCEPT #router internal IP
iptables -A INPUT -s xxx.xxx.x.xx -j ACCEPT #DNS
iptables -A INPUT -s xxx.xxx.x.xxx -j ACCEPT #DNS
# INPUT: broadcast, multicast and invalid-state packets are dropped silently
iptables -A INPUT -i eth0 -d 255.255.255.255 -j DROP
iptables -A INPUT -d 192.168.2.255 -j DROP
iptables -A INPUT -d 224.0.0.0/8 -j DROP
iptables -A INPUT -s 224.0.0.0/8 -j DROP
iptables -A INPUT -s 255.255.255.255 -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
# INPUT: everything else is logged, then dropped, in INBOUND
iptables -A INPUT -p icmp -j INBOUND
iptables -A INPUT -j INBOUND
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
# OUTPUT: replies to established connections, then the allowed destination ports
iptables -A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -s 192.168.x.x -d xxx.xxx.x.xx -j ACCEPT #DNS
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -s 192.168.x.x -d xxx.xxx.x.xx -j ACCEPT #DNS
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -s 192.168.x.x -d xxx.xxx.x.xx -j ACCEPT #DNS
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -s 192.168.x.x -d xxx.xxx.x.xx -j ACCEPT #DNS
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -s 192.168.x.x -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 80 -s 192.168.x.x -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -s 192.168.x.x -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 443 -s 192.168.x.x -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 993 -s 192.168.x.x -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 993 -s 192.168.x.x -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 6667 -s 192.168.x.x -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 6667 -s 192.168.x.x -j ACCEPT
# OUTPUT: multicast, broadcast-sourced and invalid-state packets are dropped silently
iptables -A OUTPUT -d 224.0.0.0/8 -j DROP
iptables -A OUTPUT -s 224.0.0.0/8 -j DROP
iptables -A OUTPUT -s 255.255.255.255 -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# OUTPUT: local network, loopback and ICMP
iptables -A OUTPUT -d 192.168.x.x -j ACCEPT #router internal IP
iptables -A OUTPUT -d 192.168.x.x -j ACCEPT #notebook internal IP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
# OUTPUT: everything else is logged, then rejected, in OUTBOUND
iptables -A OUTPUT -j OUTBOUND
iptables -A OUTPUT -j DROP
# logging chains; level 4 is "warning" in syslog terms
iptables -A INBOUND -j LOG --log-prefix '*** INBOUND ***' --log-level 4
iptables -A INBOUND -j DROP
iptables -A OUTBOUND -j LOG --log-prefix '*** OUTBOUND ***' --log-level 4
iptables -A OUTBOUND -j REJECT
And here is the iptables output:
Code:
Current iptables rules (this may take awhile):
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 moblock_in all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW MARK match !0x14
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 192.168.x.x 0.0.0.0/0
0 0 ACCEPT all -- * * xxx.xxx.x.xx 0.0.0.0/0
0 0 ACCEPT all -- * * xxx.xxx.x.xxx 0.0.0.0/0
0 0 DROP all -- eth0 * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 192.168.2.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
1 112 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 INBOUND icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 INBOUND all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 moblock_fw all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW MARK match !0x14
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 168 moblock_out all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW MARK match !0x14
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * eth0 192.168.x.x xxx.xxx.x.xx tcp dpt:53
0 0 ACCEPT udp -- * eth0 192.168.x.x xxx.xxx.x.xx udp dpt:53
0 0 ACCEPT tcp -- * eth0 192.168.x.x xxx.xxx.x.xx tcp dpt:53
0 0 ACCEPT udp -- * eth0 192.168.x.x xxx.xxx.x.xx udp dpt:53
0 0 ACCEPT tcp -- * eth0 192.168.x.x 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- * eth0 192.168.x.x 0.0.0.0/0 udp dpt:80
0 0 ACCEPT tcp -- * eth0 192.168.x.x 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * eth0 192.168.x.x 0.0.0.0/0 udp dpt:443
0 0 ACCEPT tcp -- * eth0 192.168.x.x 0.0.0.0/0 tcp dpt:993
0 0 ACCEPT udp -- * eth0 192.168.x.x 0.0.0.0/0 udp dpt:993
0 0 ACCEPT tcp -- * eth0 192.168.x.x 0.0.0.0/0 tcp dpt:6667
0 0 ACCEPT udp -- * eth0 192.168.x.x 0.0.0.0/0 udp dpt:6667
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 192.168.x.x
0 0 ACCEPT all -- * * 0.0.0.0/0 192.168.x.x
1 112 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 OUTBOUND all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INBOUND (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `*** INBOUND ***'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTBOUND (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `*** OUTBOUND ***'
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain moblock_fw (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0xa
0 0 RETURN all -- * * 192.168.x.0/24 192.168.x.0/24
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 239.255.255.250-239.255.255.250
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 239.255.255.250-239.255.255.250
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 224.0.0.22-224.0.0.22
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 224.0.0.22-224.0.0.22
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range xxx.xxx.x.xx-xxx.xxx.x.xx
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range xxx.xxx.x.xxx-xxx.xxx.x.xxx
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range xxx.xxx.x.xx-xxx.xxx.x.xxx
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range xxx.xxx.x.xxx-xxx.xxx.x.xxx
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.2.255-192.168.2.255
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 192.168.2.255-192.168.2.255
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.x.x-192.168.x.x
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 192.168.x.x-192.168.x.x
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 127.0.0.1-127.0.0.1
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 127.0.0.1-127.0.0.1
0 0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 92
Chain moblock_in (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0xa
0 0 RETURN all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 192.168.x.0/24 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 239.255.255.250-239.255.255.250
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 224.0.0.22-224.0.0.22
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range xxx.xxx.x.xxx-xxx.xxx.x.xxx
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range xxx.xxx.x.xxx-xxx.xxx.x.xxx
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.2.255-192.168.2.255
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.x.x-192.168.x.x
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.x.x-192.168.x.x
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 127.0.0.1-127.0.0.1
0 0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 92
Chain moblock_out (1 references)
pkts bytes target prot opt in out source destination
1 84 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0xa reject-with icmp-port-unreachable
0 0 RETURN all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 192.168.x.0/24
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 239.255.255.250-239.255.255.250
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 224.0.0.22-224.0.0.22
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range xxx.xxx.x.xxx-xxx.xxx.x.xxx
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range xxx.xxx.x.xxx-xxx.xxx.x.xxx
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 192.168.2.255-192.168.2.255
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 192.168.x.x-192.168.x.x
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 192.168.x.x-192.168.x.x
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 140.211.166.66-140.211.166.66
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 127.0.0.1-127.0.0.1
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
1 84 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 92
Please check if the above printed iptables rules are correct!
* moblock is running, pid is 8071.
As far as I understand, I don't have to be concerned anymore with moblock chains being correctly inserted before the other rules, but are there any rules in my script that could conflict with moblock's marking feature?
I have another question, not related to the post above. While using the tail command to monitor moblock's log, I have noticed that sometimes moblock stops and reloads itself. I receive the following message in the log:
Code:
Got SIGHUP! Dumping and resetting stats, reloading blocklist
Is this normal? I guess while doing this, moblock is letting everything pass through...
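The ordering question above (is moblock's jump really the first rule in each built-in chain, and are the policies still DROP?) can be checked offline against a saved `iptables -nvL` dump instead of by reading the listing by eye. The script below is an added example, not the poster's script and not part of moblock; it parses the same listing format as the output quoted above. The `SAMPLE_DUMP` is constructed: it mirrors the chain layout in the post with the same placeholder addresses, but its OUTPUT chain deliberately has an ACCEPT rule ahead of `moblock_out` and an ACCEPT policy, and a `STALE` chain with zero references is added, so that every check fires on something.

```shell
#!/bin/sh
# Offline audit of an `iptables -nvL` dump: every built-in chain must have a DROP
# policy, the first rule in INPUT/OUTPUT/FORWARD must be the jump into moblock's
# chain (so blocklisted hosts are judged before any ACCEPT), and user chains that
# nothing references are reported. Added example; not moblock's own code.

# Constructed sample dump. Layout follows the post; the OUTPUT misordering, the
# ACCEPT policy and the STALE chain are deliberate so the checks have something to find.
SAMPLE_DUMP='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 moblock_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW MARK match !0x14
    0     0 ACCEPT      tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1   112 ACCEPT      all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 INBOUND     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP        all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 moblock_fw  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW MARK match !0x14
    0     0 DROP        all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT      tcp  --  *      eth0    192.168.x.x          0.0.0.0/0            tcp dpt:80
    2   168 moblock_out all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW MARK match !0x14
    0     0 OUTBOUND    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG         all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
    0     0 DROP        all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain STALE (0 references)
 pkts bytes target     prot opt in     out     source               destination
'

# chain_policy CHAIN < dump : prints the default policy of a built-in chain, or "none"
chain_policy() {
    awk -v chain="$1" '
        $1 == "Chain" && $2 == chain && $3 == "(policy" { print $4; found = 1 }
        END { if (!found) print "none" }'
}

# first_target CHAIN < dump : prints the target of the first rule in CHAIN, or "none"
first_target() {
    awk -v chain="$1" '
        $1 == "Chain" { inchain = ($2 == chain); next }   # chain header starts/ends a section
        inchain && $1 == "pkts" { next }                   # column header line
        inchain && NF >= 3 { print $3; found = 1; exit }   # third column is the target
        END { if (!found) print "none" }'
}

# unreferenced_chains < dump : prints user-defined chains that no rule jumps to
unreferenced_chains() {
    awk '$1 == "Chain" && $3 == "(0" && $4 == "references)" { print $2 }'
}

# audit_chain CHAIN MOBLOCK_CHAIN < dump : prints "ok" or "CHAIN: <problems>"
audit_chain() {
    dump=$(cat)   # stdin can only be read once, so buffer it for the two checks
    problems=""
    pol=$(printf '%s\n' "$dump" | chain_policy "$1")
    [ "$pol" = DROP ] || problems="$problems policy=$pol"
    tgt=$(printf '%s\n' "$dump" | first_target "$1")
    [ "$tgt" = "$2" ] || problems="$problems first-rule=$tgt"
    if [ -z "$problems" ]; then echo ok; else echo "$1:$problems"; fi
}

# audit_dump < dump : runs every check, one line per finding; exit status 1 if any
audit_dump() {
    dump=$(cat)
    rc=0
    for pair in INPUT:moblock_in OUTPUT:moblock_out FORWARD:moblock_fw; do
        chain=${pair%%:*}; want=${pair#*:}
        result=$(printf '%s\n' "$dump" | audit_chain "$chain" "$want")
        [ "$result" = ok ] || { echo "$result"; rc=1; }
    done
    for c in $(printf '%s\n' "$dump" | unreferenced_chains); do
        echo "$c: user chain not referenced by any rule"
        rc=1
    done
    return $rc
}

# Run the audit over the constructed sample; on a live box replace the sample with
#   iptables -nvL | audit_dump
printf '%s\n' "$SAMPLE_DUMP" | audit_dump || echo "audit found problems in the sample dump"
```

Against the sample this reports `OUTPUT: policy=ACCEPT first-rule=ACCEPT` and `STALE: user chain not referenced by any rule` and exits 1; INPUT and FORWARD pass. The first-rule check is the one that matters for moblock's marking: a packet accepted by an earlier rule never reaches the `moblock_*` chain, so it is never queued to NFQUEUE or marked, and the blocklist has no say on it.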