Need iptables help

[jpdeaton]

I am very new to this. I am trying to setup iptables for my laptop on a home network. I've basically done as much as i can without help. Once i execute all the rules I lose all internet. I'm not asking for anyone to write it for me, I just need to be pointed in the right direction. I've read a few of the tutorial IP tables threads as well as the stick.

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Code:

Chain INPUT (policy DROP)
	target     prot opt source               destination         

	Chain FORWARD (policy DROP)
	target     prot opt source               destination         

	Chain OUTPUT (policy DROP)
	target     prot opt source               destination

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Code:

Chain INPUT (policy DROP)
	target     prot opt source               destination         
	ACCEPT     all  --  anywhere             anywhere ctstate RELATED,ESTABLISHED 

	Chain FORWARD (policy DROP)
	target     prot opt source               destination         

	Chain OUTPUT (policy DROP)
	target     prot opt source               destination         
	ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW --dport 67 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW --dport 67 -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW --dport 68 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW --dport 68 -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

Code:

Chain INPUT (policy DROP)
	target     prot opt source               destination         
	ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED 
	ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www state NEW 
	ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:bootps 
	ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:bootpc 
	ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 

	Chain FORWARD (policy DROP)
	target     prot opt source               destination         

	Chain OUTPUT (policy DROP)
	target     prot opt source               destination         
	ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED 
	ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
	ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain 
	ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain 
	ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:bootps 
	ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:bootpc

I run -netstat -atpvn(I cannot load a page in the browser)

Code:

tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      980/cupsd       
tcp        0      1 192.168.1.3:46xx6       xx.xxx.216.119:80       SYN_SENT    3066/firefox    
tcp        0      1 192.168.1.3:33xxx       xx.xxx.94.12:80         SYN_SENT    3083/chrome     
tcp        0      0 192.168.1.3:xxxxx       xxx.xxx.167.5:443        TIME_WAIT   -               
tcp        0      1 192.168.1.3:4xx63       xxx.x.55.72:80          SYN_SENT    3083/chrome     
tcp        0      0 192.168.1.3:35xx8       xx.xxx.159.139:443      ESTABLISHED 3083/chrome     
tcp        0      0 192.168.1.3:3xx02       xx.xxx.159.139:443      TIME_WAIT   -               
tcp        0      1 192.168.1.3:4xx76       xxx.xx.52.190:80         SYN_SENT    3083/chrome     
tcp        0      1 192.168.1.3:3xx13       xx.xxx.65.125:5222      SYN_SENT    3083/chrome     
tcp        0      1 192.168.1.3:3xx75       xx.xx9.x4.12:80         SYN_SENT    3083/chrome     
tcp        0      1 192.168.1.3:3xx73       xx.xxx.x4.12:80         SYN_SENT    3083/chrome     
tcp        0      1 192.168.1.3:5xx73       xxx.xxx.52.196:80       SYN_SENT    3083/chrome     
tcp        0      0 192.168.1.3:36xx6       xx.xxx.47.103:4xx      TIME_WAIT   -               
tcp        0      1 192.168.1.3:38xx1       xx.xxx.xx9.239:80       SYN_SENT    3083/chrome     
tcp        0      0 192.168.1.3:60xx1       xx.xx.181.105:44x       TIME_WAIT   -               
tcp        0      1 192.168.1.3:38xx9       xx.xxx.23x.239:80       SYN_SENT    3083/chrome     
tcp        0      1 192.168.1.3:575xx       1xx.x.xx.1xx:80         SYN_SENT    3083/chrome    
tcp        0      1 192.168.1.3:57xxx       xxx.xxx.x2.1xx:80       SYN_SENT    3083/chrome     
tcp        0      1 192.168.1.3:389xx       xx.xxx.x5.xx5:522xx      SYN_SENT    3083/chrome     
tcp        0      0 192.168.1.3:548xx       xxx.1xx.x4.81:44xx       ESTABLISHED 3083/chrome     
tcp        0      1 192.168.1.3:407xx       xxx.x.x8.xx0:80         SYN_SENT    3083/chrome     
tcp        0      1 192.168.1.3:508xx       xx.xx5.x5.1xx:8x        SYN_SENT    3083/chrome     
tcp        1      0 192.168.1.3:398xx       7x.1xx.4x.xx5:xx3       CLOSE_WAIT  2261/gvfsd-http 
tcp        0      1 192.168.1.3:575xx       1xx.7.x9.xx0:80         SYN_SENT    3083/chrome     
tcp        0      1 192.168.1.3:415xx       1xx.7.5x.7x:80          SYN_SENT    3083/chrome     
tcp        0      1 192.168.1.3:331xx       x1.xx9.x4.x2:80         SYN_SENT    3083/chrome     
tcp        0      1 192.168.1.3:465xx       xx.1xx.2xx.xx9:80       SYN_SENT    3066/firefox    
tcp        0      1 192.168.1.3:415xx       xxx.xx.x5.7x:80          SYN_SENT    3083/chrome     
tcp        0      0 192.168.1.3:602xx       xx.1x.xx7.5:x3        TIME_WAIT   -               
tcp        0      0 192.168.1.3:548xx       xxx.1x4.9x.8x:44x       TIME_WAIT   -               
tcp        0      1 192.168.1.3:xxxxx       xx.xx.xx.7x:8x          SYN_SENT    3083/chrome     
tcp        0      1 192.168.1.3:xxxxx       x1x.x.7x.xx0:80         SYN_SENT    3083/chrome     
tcp6       0      0 ::1:631                 :::*                    LISTEN      980/cupsd

When i clear all the rules I don't have internet... i get this error:

This webpage is not available
The server at ubuntuforums.org can't be found, because the DNS lookup failed. DNS is the network service that translates a website's name to its Internet address. This error is most often caused by having no connection to the Internet or a misconfigured network. It can also be caused by an unresponsive DNS server or a firewall preventing Google Chrome from accessing the network. Once I restart i get internet back.

[CharlesA]

Are you using that machine as a proxy or something?

[Dangertux]

Try this script and tell me if it works.

Code:

#!/bin/bash

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 67 -j ACCEPT
iptables -A OUTPUT -p udp --dport 67 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Add any other ports you need to reach external services in the format above

Hope this helps

[jpdeaton]

awesome that works! what's the best way to save the script and have it load at startup? Are there any other ways to add security through iptables that is fairly simple?

Thanks

[Dangertux]

It's not a proxy, it's mainly used for browsing, I just want a strong firewall.
I'll give that script a try. I know there has to be an easier way to do it than copy/pasting each line into the terminal.. do you know of anything?

copy and past that whole block of text into a file call it iptables.sh

do the following in a terminal

Code:

sudo chmod 755 iptables.sh
sudo ./iptables.sh

[jpdeaton]

I saved it in my user forum... should I change it from ./home to ./home/bluntmaster? Or do I need to move the file? ok well only ./iptables.sh works.

Any idea what this connection is that netstat shows?

tcp6 0 0 ::1:631 :::* LISTEN

[Dangertux]

I saved it in my user forum... should I change it from ./home to ./home/bluntmaster? Or do I need to move the file? ok well only ./iptables.sh works.

Any idea what this connection is that netstat shows?

tcp6 0 0 ::1:631 :::* LISTEN

That is the Common Unix Printing Service otherwise known as CUPS


As far as making you rules persistent

Making your rules persistent :

If you want these rules to be restored on every reboot you can do the following.
code : sudo iptables-save > /etc/iptables.rules
Code:
sudo nano /etc/network/interfaces
Assuming wlan0 is the interface you use to connect to the network add the following at the end of the block. Alternatively you can add it to any interface you want and the rules will be loaded when that interface is brought up. Keep in mind this does not change the nature of the rules, or how they are applied.

Code:
pre-up iptables-restore < /etc/iptables.rules
Then save the file.

This bit of information as well as other ways for making your iptables rules persistent can be found here : https://help.ubuntu.com/community/IptablesHowTo

We're done.

From my thread here http://ubuntuforums.org/showthread.php?t=1876124

[jpdeaton]

Are you using that machine as a proxy or something?

No, it's mainly for web browsing.

I got the whole saving/startup thing figured out but I'm not sure the best way to log... it seems a lot of the methods involve changing the existing scripts.

[CharlesA]

I just use iptables-apply with a rules file (created with iptables-save) instead of a script, and have it applied when the interface comes up.

http://www.cyberciti.biz/tips/how-do...brings-up.html

[jpdeaton]

Thanks everyone.

Now that I have a firewall up and running what would be the next step towards making my laptop more secure? There's so much info I don't know where to start.

maybe apparmor?