Page 1 of 29 12311 ... LastLast
Results 1 to 10 of 286

Thread: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

  1. #1
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    31/01/2008 the tutorial has been reviewed and the given script corrected, the previous given script were opening https and IRC port which was not required.
    For advanced users which are comfortable with this guide here is a link to another tutorial on the topic which especially written for advanced users as it explains how to set a firewall with input and output filtering :
    http://ubuntuforums.org/showthread.php?t=668148



    1- Introduction

    After getting some problems with firestarter i decided to get knowledge about iptables and how to set my own firewall script and want to share this experience for users who want to set quickly a custom firewall.
    The purpose of this guide is to provide a basic knowledge about iptables and then help to create a firewall script.
    The final step will be to make the script running on each boot.

    As another great resource you can have a look at bodhi.zazen iptables page on his website:
    http://***************/Tutorials/iptables/


    This guide will not talk about NAT things.

    2- Commands

    The first step is to know iptables commands.

    2.1- Main commands

    * -A --append : Add the rule a the end of the specified chain

    Code:
    iptables -A INPUT ...
    * -D --delete : Allow to delete a chain.
    There's 2 way to use it, you can specify the number of the chain to delete or specify the rule to delete

    Code:
    iptables -D INPUT 1 
    iptables -D INPUT --dport 80 -j DROP
    * -R --replace : Allow to replace the specified chain

    Code:
    iptables -R INPUT 1 -s 192.168.0.1 -j DROP
    * -I --insert : Allow to add a chain in a specific area of the global chain

    Code:
    iptables -I INPUT 1 --dport 80 -j ACCEPT
    * -L --list : Display the rules

    Code:
    iptables -L # Display all the rules of the FILTER chains 
    iptables -L INPUT # Display all the INPUT rules (FILTER)
    * -F --flush : Delete all the rules of a chain

    Code:
    iptables -F INPUT # Delete all the rules of the INPUT chain 
    iptables -F # Delete all the rules
    * -N --new-chain : Allow to create a new chain
    Code:
    iptables -N LOG_DROP
    * -X --delete-chain : Allow to delete a chain

    Code:
    iptables -X LOG_DROP # Delete the LOG_DROP chain 
    iptables -X # Delete the chains
    * -P --policy : Allow to specify to the kernel the default policy of a chain ACCEPT, REJECT, DROP ...
    Code:
    iptables -P INPUT DROP
    2.2- Maching commands

    The character "!" can be used to specify the oposite. For example a command to avoid all incomming tcp traffic except from the IP 10.42.42.42 is written as follow :
    Code:
    iptables -A INPUT -p tcp ! --source 10.42.42.42 -j DROP

    IP addresses could be optionally associated with their mask like that : IP-address/mask

    * -p --protocol : Specify the protocol : tcp, udp, icmp, all
    Example: DROP all icmp traffic
    Code:
    iptables -A INPUT -p icmp -j DROP
    * -m --match : Specify what you want to match : tcp, udp, state, ...
    Example: DROP tcp incomming traffic on port 143

    Code:
    iptables -A INPUT -p tcp -m tcp --sport 143 -j DROP
    * -s --source : Specify a source address to match
    Example: Allow incoming (the INPUT chain) tcp traffic comming from the IP 192.168.42.42

    Code:
    iptables -A INPUT -p tcp -s 192.168.42.42 -j ACCEPT
    * -d --destination : Specify a destination address
    Example : Allow port forwarding for tcp traffic to the IP 10.1.0.1

    Code:
    iptables -A FORWARD -p tcp -d 10.1.0.1 -j ACCEPT
    * -i --in-interface : Specify an input interface (your ethernet card generally) (only for INPUT, FORWARD and PREROUTING chains)
    Example : DROP incoming icmp traffic on eth0 input interface

    Code:
    iptables -A INPUT -p icmp -i eth0 -j DROP
    * -o --out-interface : Specify an output interface (only for OUTPUT, FORWARD and PREROUTING chains)
    Example : DROP output icmp traffic on eth0 output interface

    Code:
    iptables -A OUTPUT -p icmp -o eth0 -j DROP
    * --sport --source-port : Specify the source port or an array of ports, -m multiport allow to specify more than one port to match.
    Examples :

    Code:
    iptables -A INPUT -p tcp --sport 80 -j ACCEPT iptables -A INPUT -p udp --sport 80 -j DROP iptables -A INPUT -p tcp -m multiport --sport 3128,21,1000 -j DROP iptables -A INPUT -p tcp --sport 1024:2042 -j ACCEPT
    * --dport --destination-port : Specify a destination port or an array of ports, -m multiport allow to specify more than one port to match.
    Examples :

    Code:
    iptables -A OUPUT -p tcp --dport 110 -j DROP iptables -A OUPUT -p udp --dport 110 -j DROP iptables -A OUPUT -p tcp -m multiport --dport 110,4242,119 -j DROP iptables -A OUPUT -p tcp --dport 4925:4633 -j ACCEPT
    * --tcp-flags : Specify the tcp flag to match : SYN ACK FIN RST URG PSH ALL NONE
    Example : Allow tpc packets with SYN,ACK flag and source port 42
    Code:
    iptables -A INPUT -p tcp --sport 42 --tcp-flags SYN,ACK -j ACCEPT
    * --icmp-type : Specify the icmp type to match
    Example :

    Code:
    iptables -A INPUT -p icmp --icmp-type 8 -j DROP
    * --mac-source : Specify the MAC address to match
    Example : Drop all incoming traffic from MAC address 42:42:AA:42:42:AA

    Code:
    iptables -A INPUT --mac-source 42:42:AA:42:42:AA -j DROP
    * --state : Allow to specify the packet state to match :
    ESTABLISHED : packet associated to an established connection
    NEW : packet which ask for a new connection
    INVALID : Packet associated to an unknown connection
    RELATED : new connection but linked, really good for FTP connections

    Examples :

    Code:
    iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
    2.3- Some examples

    in those examples i assumed that your internet interface is eth0 (just replace eth0 by what it is for you).

    * Setting the default rules : here is how to set the defeult rules
    Code:
    iptables -P INPUT DROP iptables -P OUTPUT DROP 
    iptables -P FORWARD DROP
    * Allow loopback access :

    Code:
    iptables -A INPUT -i lo -j ACCEPT 
    iptables -A OUTPUT -o lo -j ACCEPT
    * Allow web traffic :

    Code:
    iptables -A INPUT -i eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT 
    iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    * Allow dns :

    Code:
    iptables -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT 
    iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT 
    iptables -A INPUT -i eth0 -p tcp -m tcp --sport 53 -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
    * Allow FTP :

    Code:
    iptables -A INPUT -i eth0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT 
    iptables -A INPUT -i eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT 
    iptables -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT 
    iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT 
    iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT 
    iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    * Allow IRC ports :
    Code:
    iptables -A INPUT -i eth0 -p tcp -m tcp --sport 6667 -j ACCEPT 
    iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 6667 -j ACCEPT 
    iptables -A INPUT -i eth0 -p udp -m tcp --sport 133 -j ACCEPT # identification port iptables -A OUTPUT -o eth0 -p udp -m tcp --dport 133 -j ACCEPT # identification port
    * Allow or drop an IP :

    Code:
    iptables -A INPUT -s 10.123.452.36 -j ACCEPT 
    iptables -A INPUT -s 10.123.452.36 -j DROP
    * Forward your internet (eth0) connection to eth1, in the example we filter incoming packets for the LAN.

    Code:
    # Forward only established and related connections to the lan for incoming packets 
    iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT 
    # Forward all OUT connections from the lan 
    iptables -A FORWARD -o eth1 -i eth0 -j ACCEPT 
    # hide computers behind the firewall 
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 
    echo 1 > /proc/sys/net/ipv4/ip_forward 
    # then DROP all the rest 
    iptables -A FORWARD -j DROP
    * Forward your internet (eth0) connection to eth1 without any filter :

    Code:
    iptables -A FORWARD -j ACCEPT 
    # hide computers behind the firewall 
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 
    echo 1 > /proc/sys/net/ipv4/ip_forward
    For other services just open the correponding port(s), if you don't know which port use the service you want to enable have look in the file /etc/services.

    * Backlist a list of IPs from a file (gregor171 proposed solution) :
    http://ubuntuforums.org/showpost.php...&postcount=263


    3- The scripts

    Now it's time to write your iptables script.

    3.1-The firewall script

    This exemple will fit the needs of most users, it blocks all incoming and forward traffic and allows : web browsers, https, amule, bittorent, ftp, gaim, IRC, mail protocols (smtp, pop, imap).
    Blocking outgoing access is not needed (incoming is enough).

    * We create 2 chain the one called FIREWALL and the second is called TRUSTED

    FIREWALL chain : this chain will allow related and established incoming connection (eth0 interface), then send all other packets to the TRUSTED chain and DROP all the rest. We will send in this chain all INPUT packets.
    TRUSTED chain : In this chain you will add all the ports you may need to open depending on what you use on your computer.

    Now create the firewall script:

    Code:
    sudo gedit /etc/firewall.bash
    Now add that in the file, remove lines that are not needed for you or add some if it's needed (replace eth0 by the name of your internet interface):

    Code:
    #!/bin/bash
    
    # No spoofing
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
    echo 1 > $filtre
    done
    fi 
    
    # No icmp
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    
    #load some modules you may need
    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe iptable_filter
    modprobe iptable_nat 
    modprobe ip_conntrack_irc
    modprobe ip_conntrack_ftp
    
    # Remove all rules and chains
    iptables -F
    iptables -X
    
    # first set the default behaviour => accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    
    # Create 2 chains, it allows to write a clean script
    iptables -N FIREWALL
    iptables -N TRUSTED
    
    # Allow ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow loopback traffic
    iptables -A FIREWALL -i lo -j ACCEPT
    # Send all package to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED
    # DROP all other packets
    iptables -A FIREWALL -j DROP
    
    # Send all INPUT packets to the FIREWALL chain
    iptables -A INPUT -j FIREWALL
    # DROP all forward packets, we don't share internet connection in this example
    iptables -A FORWARD -j DROP
    
    # Allow amule
    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 5349 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 5351 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 5348 -j ACCEPT
    
    # Allow bittorrent
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 6881:6889 -j ACCEPT
    
    # End message
    echo " [End iptables rules setting]"
    Make the script executable:

    Code:
    sudo chmod +x /etc/firewall.bash

    * What is spoofing ? : http://en.wikipedia.org/wiki/Spoofing_attack
    * What is icmp ?: http://en.wikipedia.org/wiki/Icmp
    * For amule : http://www.amule.org/wiki/index.php/Firewall

    This should be good for most of you, if something doen't work open the port corresponding to the service you want to open (look in /etc/service to know the port number).

    To open a new port just add a new rule for the TRUSTED chain like that for tcp :
    Code:
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport port_number -j ACCEPT
    or for udp :
    Code:
    iptables -A TRUSTED -i eth0 -p udp -m udp --dport port_number -j ACCEPT
    Well you firewall script is OK


    3.2-The flush script

    This script will allow you to delete all the rules and chains, in other words it delete your firewall.

    Open the file :

    Code:
    sudo gedit /etc/flush_iptables.bash

    Put that in the file:

    Code:
    #!/bin/sh
    
    #
    # Set the default policy
    #
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    
    #
    # Set the default policy for the NAT table
    #
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    
    #
    # Delete all rules
    #
    iptables -F
    iptables -t nat -F
    
    #
    # Delete all chains
    #
    
    iptables -X
    iptables -t nat -X
    
    # End message
    echo " [End of flush]"
    Make the file executable :

    Code:
    sudo chmod +x /etc/flush_iptables.bash
    3.3-The init.d script

    This script will allow you to handle your firewall like all other services.

    Open the file:

    Code:
    sudo gedit /etc/init.d/firewall
    Edit it like that:

    Code:
    #!/bin/bash
    
    RETVAL=0
    
    # To start the firewall
    start() {
      echo -n "Iptables rules creation: "
      /etc/firewall.bash
      RETVAL=0
    }
    
    # To stop the firewall
    stop() {
      echo -n "Removing all iptables rules: "
      /etc/flush_iptables.bash
      RETVAL=0
    }
    
    case $1 in
      start)
        start
        ;;
      stop)
        stop
        ;;
      restart)
        stop
        start
        ;;
      status)
        /sbin/iptables -L
        /sbin/iptables -t nat -L
        RETVAL=0
        ;;
      *)
        echo "Usage: firewall {start|stop|restart|status}"
        RETVAL=1
    esac
    
    exit
    Make the script executable:
    Code:
    sudo chmod +x /etc/init.d/firewall
    Now you can use these commands to start/stop/restart/status your firewall:
    Code:
    sudo /etc/init.d/firewall start 
    sudo /etc/init.d/firewall stop 
    sudo /etc/init.d/firewall restart 
    sudo /etc/init.d/firewall status
    The final step is to make your script running on each boot of your computer:
    Code:
    sudo update-rc.d firewall defaults
    Well all is done !!!!!

    4-Test if your firewall is reliable

    I strongly advice you to check your firewall just to see that all is ok.

    Perform some udp and tcp scan here :
    http://www.hackerwatch.org/probe/
    All ports should be seen as blocked
    This site is not bad too : https://grc.com/x/ne.dll?bh0bkyd2
    All port should be seen as stealth

    nmap is also a good tool, to install it :

    Code:
    sudo apt-get install nmap 
    sudo apt-get install nmapfe
    Run the GUI :

    Code:
    sudo nmapfe
    Then put your IP as target, all ports should be seen as blocked.

    5- Links & Credits

    Links :

    * http://iptables-tutorial.frozentux.n...-tutorial.html
    * http://yolinux.com/TUTORIALS/LinuxTu...rkGateway.html
    * http://supermikenews.blogspot.com/20...ll-script.html

    Credits :

    * Lea linux : http://lea-linux.org/cached/index/Accueil.html
    * GTX for showing the way
    * Internet
    * alexisdm (freenews forum).



    Thank you for any kind feedback
    Last edited by frodon; May 30th, 2010 at 01:28 PM. Reason: update matching command: see post #277

  2. #2
    Join Date
    Nov 2005
    Location
    Paris, France
    Beans
    99
    Distro
    Xubuntu 12.10 Quantal Quetzal

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Great job !
    I met some problems too, with guarddog and firestarter, and had to manage with iptables : unfortunately it was before your excellent howto...
    By the way, Kmyfirewall (in iptables interface mode)is very useful to make your own iptables script.

    Best regards.
    Computer Science is no more about computers than astronomy is about telescopes.
    E. W. Dijkstra

  3. #3
    Join Date
    Jul 2006
    Location
    Penang, Malaysia
    Beans
    64
    Distro
    Ubuntu 6.06

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    This is one of the best resource for ubuntu user.

    Great work, thks

  4. #4
    Join Date
    Jul 2006
    Location
    Penang, Malaysia
    Beans
    64
    Distro
    Ubuntu 6.06

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Everything is now able to install into it, thks. Also run remove other firewall.

    I have try with shield it but i don see stealth in it, the result i get as below;

    Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.



    Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)



    Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

    Is my setting correct? Thks

  5. #5
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Could you post your firewall script ?

    Which site did you use to test the firewall ?
    You should test with this one, ports should be seen as blocked (same thing than stealth) :
    http://scan.sygate.com/prestealthscan.html
    Last edited by frodon; July 22nd, 2006 at 01:46 PM.

  6. #6
    Join Date
    Jul 2006
    Location
    Penang, Malaysia
    Beans
    64
    Distro
    Ubuntu 6.06

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Hi;

    I now have new problems, after I reboot the system, my excess to internet is totally block, I am using adsl connection which i configure using "sudo pppoeconf", can you tell me how to set so that it will not block my internet dailup access, thks.

    Since i do not know to delete the firewall due to i cannot reach to the internet to get your delete code, i have reinstall the whole system again.

  7. #7
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    To stop the firewall :
    Code:
    sudo /etc/init.d/firewall stop
    To start it :
    Code:
    sudo /etc/init.d/firewall start
    To restart it :
    Code:
    sudo /etc/init.d/firewall restart
    Does your dialup use a specific port for connection ?
    Did your internet work when you used firestarter ?

  8. #8
    Join Date
    Jul 2006
    Location
    Penang, Malaysia
    Beans
    64
    Distro
    Ubuntu 6.06

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    I do not no which port it used, i only know that it does not use the fixed ip. Can you let me know how to check which port it used?

    Even firestarter, i have the same problems, cannot excess the internet.

    Thks.

  9. #9
    Join Date
    Jul 2006
    Location
    Penang, Malaysia
    Beans
    64
    Distro
    Ubuntu 6.06

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    I guess i have forget to use/try the stop the firewall code. Thks.

  10. #10
    Join Date
    Nov 2005
    Beans
    5

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    I added the following three lines into /etc/firewall.bash script in order to use loopback interface (localhost)

    Code:
    # Allow loopback interface traffic
    iptables -A TRUSTED -i lo -j ACCEPT
    iptables -A TRUSTED -o lo -j ACCEPT

Page 1 of 29 12311 ... LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •