Page 10 of 29 FirstFirst ... 8910111220 ... LastLast
Results 91 to 100 of 286

Thread: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

  1. #91
    Join Date
    Feb 2006
    Location
    Singapore
    Beans
    53
    Distro
    Ubuntu 7.10 Gutsy Gibbon

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Hi,

    I'm having some problems with my iptables configuration and outgoing SMTP (outgoing mail is sent to an external SMTP server).

    My router is an Ubuntu router just set up recently. All the computers in my network can receive email, but cannot send. The settings are fine, and I know it's the router that's dropping my packets, because syslog shows that it is blocking SMTP packets.

    The output of "iptables -L" is shown below

    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    bad_tcp_packets  tcp  --  anywhere             anywhere            
    ACCEPT     all  --  10.0.0.0/24          anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     udp  --  anywhere             anywhere            udp spt:bootpc dpt:bootps 
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    tcp_packets  tcp  --  anywhere             anywhere            
    udp_packets  udp  --  anywhere             anywhere            
    icmp_packets  icmp --  anywhere             anywhere            
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 3 LOG level debug prefix `IPT INPUT packet died: ' 
    bad_tcp_packets  tcp  --  anywhere             anywhere            
    ACCEPT     all  --  10.0.0.0/24          anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     udp  --  anywhere             anywhere            udp spt:bootpc dpt:bootps 
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    tcp_packets  tcp  --  anywhere             anywhere            
    udp_packets  udp  --  anywhere             anywhere            
    icmp_packets  icmp --  anywhere             anywhere            
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 3 LOG level debug prefix `IPT INPUT packet died: ' 
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:smtp dpts:1024:65535 state RELATED,ESTABLISHED 
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:5999:x11 
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU 
    bad_tcp_packets  tcp  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 3 LOG level debug prefix `IPT FORWARD packet died: ' 
    bad_tcp_packets  tcp  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 3 LOG level debug prefix `IPT FORWARD packet died: ' 
    
    Chain OUTPUT (policy DROP)
    target     prot opt source               destination         
    bad_tcp_packets  tcp  --  anywhere             anywhere            
    ACCEPT     all  --  localhost            anywhere            
    ACCEPT     all  --  10.0.0.2             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 3 LOG level debug prefix `IPT OUTPUT packet died: ' 
    bad_tcp_packets  tcp  --  anywhere             anywhere            
    ACCEPT     all  --  localhost            anywhere            
    ACCEPT     all  --  10.0.0.2             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 3 LOG level debug prefix `IPT OUTPUT packet died: ' 
    ACCEPT     tcp  --  10.0.0.0/24          anywhere            tcp spts:1024:65535 dpt:smtp 
    
    Chain allowed (9 references)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
    ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    DROP       tcp  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
    ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    DROP       tcp  --  anywhere             anywhere            
    
    Chain bad_tcp_packets (6 references)
    target     prot opt source               destination         
    REJECT     tcp  --  anywhere             anywhere            tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset 
    LOG        tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix `New not syn:' 
    DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW 
    REJECT     tcp  --  anywhere             anywhere            tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset 
    LOG        tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix `New not syn:' 
    DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW 
    
    Chain icmp_packets (2 references)
    target     prot opt source               destination         
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
    
    Chain tcp_packets (2 references)
    target     prot opt source               destination         
    allowed    tcp  --  anywhere             anywhere            tcp dpt:ftp 
    allowed    tcp  --  anywhere             anywhere            tcp dpt:ssh 
    allowed    tcp  --  anywhere             anywhere            tcp dpt:www 
    allowed    tcp  --  anywhere             anywhere            tcp dpt:auth 
    allowed    tcp  --  anywhere             anywhere            tcp dpt:ftp 
    allowed    tcp  --  anywhere             anywhere            tcp dpt:ssh 
    allowed    tcp  --  anywhere             anywhere            tcp dpt:www 
    allowed    tcp  --  anywhere             anywhere            tcp dpt:auth 
    allowed    tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:smtp 
    
    Chain udp_packets (2 references)
    target     prot opt source               destination         
    ACCEPT     udp  --  anywhere             anywhere            udp spt:domain 
    ACCEPT     udp  --  anywhere             anywhere            udp spt:domain

    Any help is appreciated. Please help! Thanks
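The syslog entries the poster refers to come from the three LOG rules in the listing (prefixes `IPT INPUT packet died:`, `IPT FORWARD packet died:` and `IPT OUTPUT packet died:`); netfilter writes them to the kernel log as the prefix followed by `KEY=VALUE` fields. As an added example, not part of the original post, this Python script parses such lines and counts drops per chain, protocol and destination port, which is the quickest way to see which chain is killing port 25. The sample syslog lines are constructed for the demo with documentation addresses; they are not the poster's real log.

```python
import re
from collections import Counter

# Constructed sample lines in the format netfilter's LOG target writes to the
# kernel log (prefix, then KEY=VALUE fields). Not taken from the poster's syslog.
SAMPLE_SYSLOG = """\
Apr 11 21:03:12 router kernel: IPT OUTPUT packet died: IN= OUT=eth1 SRC=203.0.113.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40211 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 11 21:03:15 router kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51022 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 11 21:03:15 router kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=10.0.0.7 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51023 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 11 21:03:20 router kernel: IPT INPUT packet died: IN=eth1 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 11 21:03:21 router kernel: New not syn: IN=eth1 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Apr 11 21:03:30 router sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
"""

# A netfilter LOG line: "kernel: " then the free-text prefix, then KEY=VALUE fields.
# The prefix is taken non-greedily up to the first UPPERCASE=... token.
LOG_RE = re.compile(r"kernel:\s+(?P<prefix>[^=]*?)\s+(?P<fields>[A-Z]+=.*)$")


def parse_netfilter_line(line):
    """Return a dict of the fields in a netfilter LOG line, or None for other syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").rstrip(":"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value            # value may be empty, e.g. "IN=" on an OUTPUT log
        else:
            rec["flags"].append(tok)    # bare tokens such as DF, SYN, ACK
    return rec


def chain_from_prefix(prefix):
    """Map the 'IPT <CHAIN> packet died' prefixes used on this page to the chain name."""
    m = re.match(r"IPT (\w+) packet died", prefix)
    return m.group(1) if m else None


def summarise_drops(syslog_text):
    """Count logged packets per (chain or prefix, protocol, destination port)."""
    counts = Counter()
    for line in syslog_text.splitlines():
        rec = parse_netfilter_line(line)
        if rec is None:
            continue
        chain = chain_from_prefix(rec["prefix"]) or rec["prefix"]
        counts[(chain, rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts


def smtp_drops(syslog_text):
    """Only the lines matching the poster's symptom: TCP to port 25 being logged as dropped."""
    return [
        (rec["prefix"], rec.get("IN"), rec.get("OUT"), rec.get("SRC"), rec.get("DST"))
        for rec in map(parse_netfilter_line, syslog_text.splitlines())
        if rec and rec.get("PROTO") == "TCP" and rec.get("DPT") == "25"
    ]


if __name__ == "__main__":
    for (chain, proto, dport), n in sorted(summarise_drops(SAMPLE_SYSLOG).items()):
        print(f"{chain:<14} {proto:<4} dport {dport:<5} logged {n}")
    for hit in smtp_drops(SAMPLE_SYSLOG):
        print("SMTP drop:", hit)
```

Two checks that go with it. Plain `iptables -L` hides interface matches, so the `ACCEPT all -- anywhere anywhere` rules in the listing may well carry an `-i`/`-o` that is not shown; `iptables -L -v -n --line-numbers` shows the `in`/`out` columns and the per-rule packet counters, so you can see which rule a dropped SMTP connection actually reaches. And when every rule appears twice, with `bad_tcp_packets` at 6 references and `allowed` at 9, the script has been applied twice without flushing; start it with `iptables -F` and `iptables -X`, as the HOWTO script does.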

  2. #92
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Quote Originally Posted by adamonline

    I added a few things, as you can see. Accepting NEW and INVALID packets (for debugging purposes), allowing ssh port 22, and allowing http port 80; both udp and tcp, and both sport and dport.

    I am using the default ports for both the http and ssh daemons.

    Any thoughts, Frodon? And thanks again

    EDIT: apt-get update didn't work, either! But did when I disabled the firewall. That's weird, it works fine on THIS computer and I have the same script, but without the changes you see here.
    Try this line for the ssh server:
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

  3. #93
    Join Date
    Mar 2007
    Location
    UK
    Beans
    4
    Distro
    Kubuntu 5.10

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Hi guys! What books do you recommend to get on iptables and chains? I'm really new to this and would like to write my own code, but I don't have a clue what to do!

    What I would like is to design a firewall to do all sorts of commands, like stopping ICMP so people can't ping me, starting and stopping FTP, etc.! Any help would be really nice.

    Thanks for your time.

  4. #94
    Join Date
    Oct 2006
    Location
    Wisconsin
    Beans
    455
    Distro
    Kubuntu

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Quick question... how do I allow a range of local IPs to connect to me? (192.168.1.*)

  5. #95
    Join Date
    Oct 2006
    Location
    Wisconsin
    Beans
    455
    Distro
    Kubuntu

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Does anyone have a solution to this? Or is this not possible, and do I still have to work within the framework of opening per-port access even to private IP ranges for home networks?

  6. #96
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Try to put a line to deny an IP and put "*" characters where they're needed. I never tested this, but it may work.
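iptables does not take `*` wildcards in addresses: `-s` and `-d` take an address with an optional `/prefix`, so 192.168.1.* is written 192.168.1.0/24. As an added example, not code from the HOWTO or from any poster, this Python helper converts the wildcard form into CIDR (it generalises to any number of trailing `*` octets), refuses ranges outside the private address space, and prints the iptables rules in the TRUSTED/eth0 layout used by the script in this thread. The interface and chain names are assumptions; adjust them to your machine. It only prints the commands, it does not run them.

```python
import ipaddress


def wildcard_to_network(spec):
    """Turn '192.168.1.*' (or an existing CIDR string) into an IPv4Network.

    iptables has no '*' wildcard: -s and -d take an address with an optional
    /prefix, so each trailing '*' octet becomes 8 more host bits.
    """
    if "*" in spec:
        octets = spec.split(".")
        if len(octets) != 4:
            raise ValueError(f"expected four octets in {spec!r}")
        stars = [o == "*" for o in octets]
        n_star = sum(stars)
        # Only trailing wildcards map to a prefix: 192.168.*.* is /16, 192.*.1.* is not a network
        if stars != [False] * (4 - n_star) + [True] * n_star:
            raise ValueError(f"wildcard octets must be trailing in {spec!r}")
        spec = ".".join("0" if s else o for o, s in zip(octets, stars)) + f"/{8 * (4 - n_star)}"
    # strict=True rejects 192.168.1.5/24 (host bits set) instead of silently masking it
    return ipaddress.IPv4Network(spec, strict=True)


def lan_rules(specs, lan_iface="eth0", wan_iface=None, chain="TRUSTED"):
    """Return iptables commands (as strings) that let every host in the given
    ranges open new connections to this box. Interface and chain names are
    assumptions matching the HOWTO's layout; change them for your machine.

    With wan_iface set, a DROP for the same range arriving on the WAN side is
    emitted first, so a spoofed LAN source address cannot use the trust rule.
    """
    rules = []
    for spec in specs:
        net = wildcard_to_network(spec)
        if not net.is_private:
            raise ValueError(f"{net} is not a private range; refusing to trust it")
        if wan_iface:
            rules.append(f"iptables -A {chain} -i {wan_iface} -s {net} -j DROP")
        # One rule per range: NEW connections from the LAN are accepted; the rest
        # of each conversation is already covered by the ESTABLISHED,RELATED rule.
        rules.append(
            f"iptables -A {chain} -i {lan_iface} -s {net} -m state --state NEW -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    # Prints the commands instead of running them; review them, then paste into the script.
    for cmd in lan_rules(["192.168.1.*", "10.0.0.0/8"], lan_iface="eth0", wan_iface="ppp0"):
        print(cmd)
```

The per-port rules in the HOWTO still apply to everyone else; this only adds one source-range rule in front of them, which is the "allow the whole LAN" case the question asks about.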

  7. #97
    Join Date
    Oct 2006
    Location
    /home
    Beans
    189

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Quote Originally Posted by durus

    And the thing that it is read row by row, I can't understand this: first the chain FIREWALL is read, and then we are sending all input packets back to chain FIREWALL again? Why send packets back where we have been? Are you sure that it is not read like this, but written the other way round for easy reading?

    Code:
    #!/bin/bash
    # No spoofing
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
    echo 1 > $filtre
    done
    fi 
    
    # No icmp
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    
    #load some modules you may need
    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe iptable_filter
    modprobe iptable_nat 
    
    # Remove all rules and chains
    iptables -F
    iptables -X
    
    # first set the default behaviour => accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    
    # Create 2 chains, it allows to write a clean script
    iptables -N FIREWALL
    iptables -N TRUSTED
    
    #################
    # Send all INPUT packets to the FIREWALL chain
    iptables -A INPUT -j FIREWALL #JUMPS to FIREWALL ?
    # DROP all forward packets, we don't share internet connection in this example
    iptables -A FORWARD -j DROP 
    ##############
    
    # Allow ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow loopback traffic
    iptables -A FIREWALL -i lo -j ACCEPT
    # Send all package to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED # JUMPS to TRUSTED ?
    
    ################
    # Allow https
    iptables -A TRUSTED -i eth0 -p udp -m udp --sport 443 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 443 -j ACCEPT
    ###############
    
    # DROP all other packets
    iptables -A FIREWALL -j DROP
    
    
    # End message
    echo " [End iptables rules setting]"

    Hi. I have the exact doubts expressed by durus in post #63 of this thread.

    Can you please throw some light on this subject?

    cheers

  8. #98
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    I'm not sure what is unclear, but I'll try to explain in a simple way (I hope).

    First the FIREWALL and TRUSTED chains are created (e.g. iptables -N FIREWALL) and not used yet. Then you describe the FIREWALL chain, which is just the basic rules needed to allow the most wanted connections, i.e. the ones you open yourself, and then the loopback traffic (when you connect to yourself, it's localhost), and finally send the rest (packets which are not allowed yet due to the FIREWALL rules' restrictions) to the TRUSTED chain for all the more specific rules.

    At this step you can add the "iptables -A FIREWALL -j DROP" rule, because you have already done all you wanted to do with the FIREWALL chain, so you just drop everything else in the FIREWALL chain at this step.

    Then we specify that all the INPUT packets are sent through the FIREWALL chain (which is described a little bit after). That means that all the INPUT packets will be handled by the FIREWALL chain.

    And the last part is the specific TRUSTED rules that you may need to add depending on what specific software you use on your computer.

    When you start the firewall all the rules are set and the packets will follow the path you described. See iptables as a firewall description tool: lines are read one by one because you put them in a script, but you can permute some parts to ease the reading if you wish, although there are some obvious constraints, like creating a chain before setting rules on it, otherwise the iptables command will return that the chain doesn't exist.
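To make the traversal order concrete, here is an added example (mine, not frodon's script or anything from the HOWTO) that models the kernel's filter table as ordered lists of rules and walks a packet through them: a `-j` into a user chain is a call, and when the called chain runs out of rules the packet continues at the next rule of the caller, so a packet that TRUSTED does not accept comes back to FIREWALL and hits the final DROP. It loads the script above from its iptables lines (the modprobe and /proc lines are not modelled) with the ssh rule from post #92 added; the packets are constructed descriptions of the fields the rules look at, not real traffic, and only the options that script uses are understood.

```python
import shlex

# The chain layout discussed above, copied from the HOWTO script plus the
# ssh rule from post #92; only iptables lines are modelled.
SCRIPT = """\
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -N FIREWALL
iptables -N TRUSTED
iptables -A INPUT -j FIREWALL
iptables -A FORWARD -j DROP
iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FIREWALL -i lo -j ACCEPT
iptables -A FIREWALL -j TRUSTED
iptables -A TRUSTED -i eth0 -p udp -m udp --sport 443 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FIREWALL -j DROP
"""

BUILTIN = ("INPUT", "OUTPUT", "FORWARD")
TERMINAL = ("ACCEPT", "DROP", "REJECT")
FLAG_TO_FIELD = {"-i": "iface", "-p": "proto", "--sport": "sport", "--dport": "dport"}


class Ruleset:
    """Toy model of the filter table: each chain is an ordered list of rules,
    evaluated top to bottom, and a user chain behaves like a subroutine."""

    def __init__(self):
        self.chains = {name: [] for name in BUILTIN}
        self.policy = {name: "ACCEPT" for name in BUILTIN}

    def load(self, script):
        for line in script.splitlines():
            line = line.split("#", 1)[0].strip()
            if line.startswith("iptables "):
                self.apply(shlex.split(line)[1:])

    def apply(self, argv):
        cmd = argv[0]
        if cmd == "-F":                      # flush every chain
            for rules in self.chains.values():
                rules.clear()
        elif cmd == "-X":                    # delete user-defined chains
            self.chains = {c: r for c, r in self.chains.items() if c in BUILTIN}
        elif cmd == "-N":
            self.chains[argv[1]] = []
        elif cmd == "-P":
            self.policy[argv[1]] = argv[2]
        elif cmd == "-A":
            if argv[1] not in self.chains:   # real iptables refuses this as well
                raise ValueError(f"chain {argv[1]} does not exist yet")
            self.chains[argv[1]].append(self.parse_rule(argv[2:]))
        else:
            raise ValueError("unsupported command: " + " ".join(argv))

    @staticmethod
    def parse_rule(argv):
        rule = {"target": None, "match": {}}
        for flag, value in zip(argv[::2], argv[1::2]):
            if flag == "-j":
                rule["target"] = value
            elif flag == "--state":
                rule["match"]["state"] = set(value.split(","))
            elif flag in FLAG_TO_FIELD:
                rule["match"][FLAG_TO_FIELD[flag]] = value
            elif flag != "-m":               # "-m state" / "-m tcp" only name the extension
                raise ValueError(f"unsupported option {flag}")
        return rule

    @staticmethod
    def matches(rule, pkt):
        for field, want in rule["match"].items():
            if field == "state":
                if pkt.get("state") not in want:
                    return False
            elif str(pkt.get(field)) != want:
                return False
        return True

    def walk(self, chain, pkt, trace=None):
        """Return (verdict, trace). A jump to a user chain is a call: if that chain
        runs out of rules without a verdict, evaluation resumes at the caller's
        next rule; a built-in chain that runs out ends with its policy."""
        trace = [] if trace is None else trace
        for n, rule in enumerate(self.chains[chain], start=1):
            if not self.matches(rule, pkt):
                continue
            target = rule["target"]
            trace.append(f"{chain}[{n}] -> {target}")
            if target in TERMINAL:
                return target, trace
            if target == "RETURN":
                break
            verdict, _ = self.walk(target, pkt, trace)
            if verdict is not None:
                return verdict, trace
            trace.append(f"{target} exhausted, back in {chain}")
        if chain in BUILTIN:
            trace.append(f"{chain} policy {self.policy[chain]}")
            return self.policy[chain], trace
        return None, trace


def page_ruleset():
    rs = Ruleset()
    rs.load(SCRIPT)
    return rs


if __name__ == "__main__":
    rs = page_ruleset()
    for name, pkt in [   # constructed packets, described only by the fields the rules test
        ("new ssh from LAN", dict(iface="eth0", proto="tcp", sport=50000, dport=22, state="NEW")),
        ("new http request", dict(iface="eth0", proto="tcp", sport=50001, dport=80, state="NEW")),
        ("reply to our browsing", dict(iface="eth0", proto="tcp", sport=80, dport=50002, state="ESTABLISHED")),
        ("anything on loopback", dict(iface="lo", proto="tcp", sport=1, dport=2, state="NEW")),
    ]:
        verdict, trace = rs.walk("INPUT", pkt)
        print(f"{name:<24} {verdict:<6} via " + " ; ".join(trace))
```

Two things the walk makes visible. The position of `iptables -A INPUT -j FIREWALL` in the script does not matter, because each `-A` only appends to its own chain and the kernel evaluates the finished table, but `-A FIREWALL ...` before `-N FIREWALL` fails, in the model and in real iptables. And the `--sport 443` rules in TRUSTED accept a NEW connection from any host that chooses 443 as its source port; replies to your own HTTPS requests are already covered by the ESTABLISHED,RELATED rule in FIREWALL, so those two lines add exposure without adding function.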

  9. #99
    Join Date
    Oct 2006
    Location
    /home
    Beans
    189

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Thank you for clarifying this issue. Now I understand the mechanics of your great script.

    I have just one more question:

    With a couple of simple modifications, I would like to use your own script, published here:
    The only problem is that I'm behind a router. My gateway IP address is 192.168.1.1, and my Ubuntu box IP address is 192.168.1.2.

    I would be very grateful if you could tell me what kind of changes (and where they should be introduced) I need to make to your own script, in order to take into account the fact that I'm behind the router.

    I don't know if, because of this situation, I have to create another chain, or if it is only a matter of adding some line somewhere...

    cheers
    Last edited by frodon; July 27th, 2010 at 10:27 AM. Reason: obsolete link

  10. #100
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    It should work as it is, I think. BTW, I never wanted to publish my own firewall script for obvious security reasons (at least not saying it is the script I use), so the link you put in your previous post doesn't exist anymore.
    Try it, it should work, but this script filters outgoing traffic as well, so it's in general less easy to use, because you need to open almost every service port you use one by one because of the outgoing traffic filtering.
    Last edited by frodon; April 11th, 2007 at 10:43 PM.

