I'm using DNSCrypt, and I have it running as a separate user. It needs outbound access. I used a rule to stop all inbound access that is NEW/INVALID and it stopped resolving. So I added an inbound rule for UDP on 53, now it works.
If you put the allow-all for the loopback interface lo, as suggested in post #7 above, you won't need the port 53 rule. Doing it as you currently are allows anyone on the internet to get into your system via port 53, but your local resolver running as a different user will use the loopback interface (which as the name implies simply loops output back to input without ever going outside your system) and so won't be trapped by the "NEW,INVALID" rule.
Even better, perhaps, would be to add the "-i eth0" or "-i wan0" parameter to your three INPUT rules, so that they apply only to the specific interface that connects to the outside world. There are many many ways to remove the fur from the feline, when dealing with iptables -- which is part of why it can be so confusing.
Last edited by JKyleOKC; June 27th, 2013 at 10:46 PM. Reason: fat fingers
Interesting. Thank you.
Thank You to ALL
Last edited by linuxcenter; June 30th, 2013 at 11:50 AM.
OK, how about these rules?
Rule 1: I want to block all incoming/INPUT connections, from port range 0 to 65535.
iptables -A INPUT -p tcp -m multiport --sports 0-65535 --dports 0-65535 -j DROP
Rule 2: In outgoing/OUTPUT, allow only TCP ports 80,443 and UDP 53, and block all the remaining ports 0 to 65535.
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -d 0/0 --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --sports 53 --dports 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j DROP
=======================================================================
Blocking ping attempts:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
Blocking DoS attacks:
iptables -A INPUT -p udp -m state --state NEW -m recent --update --seconds 1 --hitcount 5 --name DDOS --rsource -j DROP
Last edited by linuxcenter; June 30th, 2013 at 12:11 PM.
You're making this much more complicated than it need be. Stop worrying about blocking ports and block by IP address or interface.
First, you need to put all the rules that allow acceptable traffic ahead of the blocking rules. Second, it's clear to me that you have a limited understanding of how IP traffic works. Let's start with this:
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -d 0/0 --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
This will never work because the outbound requests to web servers do not originate from ports 80 and 443 on the client machine. The client always chooses a random unprivileged port above 1023 for outbound traffic. Ordinary users cannot bind to a port below 1024; only root can do that. So clients use high ports for outbound requests. Also, "-d 0/0" is unnecessary since that is the iptables default.
In any event, if you want to block all incoming traffic to an interface just use:
Code:
/sbin/iptables -A INPUT -i eth0 -j DROP
That blocks everything arriving on the Ethernet interface eth0.
Now as for the OUTPUT rule, is this machine designed to be a firewall router with two interface cards, one pointing to the Internet and one pointing to the LAN? Or are you trying to block packets leaving the machine itself? If it is a router with, say, eth0 pointing to the Internet and eth1 pointing inside, use
Code:
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -j DROP
Now people behind the box can reach remote websites but nothing else.
It's a lot easier to specify just the minimal set of rules required to permit what you want to permit and then block everything else.
Last edited by SeijiSensei; June 30th, 2013 at 03:44 PM.
I'm on a LAN. Now, can I be specific about outgoing rules and allow only dport and sport to be 80,443?
If I'm not hosting a website, why do I need:
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
As said earlier, your machine communicates with remote servers by picking a random high numbered port. If you wanted to filter traffic, go off the destination port, not both source and destination port. That goes for the Output chain.
As far as the INPUT chain goes, if you aren't hosting any services, it should be fine to drop or reject anything incoming that isn't established or related.
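Putting the thread's advice together (the allow-all on lo for the local DNSCrypt resolver from the first reply, and the "ACCEPT first, filter on --dport only, DROP last on the WAN interface" approach from the last two replies), here is an added example script that is not from any poster. It assumes the WAN interface is passed as $1 (eth0 as in the thread) and, unless IPT is set to /sbin/iptables, only prints the rules it would apply.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful ruleset for a
# client machine that combines the advice above: allow everything on lo
# (so a local DNSCrypt resolver keeps working with no inbound port-53 hole),
# scope the blocking rules to the WAN interface, put ACCEPT rules before
# DROP rules, and filter outbound traffic on --dport only.
# Assumptions: the WAN interface name is $1 (eth0 as in the thread); IPT
# defaults to "echo" so the script only prints the rules it would apply.
# Run with IPT=/sbin/iptables as root to apply them for real.
IPT="${IPT:-echo}"

client_rules() {
    wan="$1"
    # Start from empty chains so the script can be re-run safely.
    $IPT -F INPUT
    $IPT -F OUTPUT
    # 1. Loopback never leaves the machine; DNSCrypt listening on
    #    127.0.0.1:53 is reached through here, not through the WAN port.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # 2. Replies to connections this host opened.
    $IPT -A INPUT -i "$wan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Outbound: match the destination port only. The client's source
    #    port is a random high port, so --sports 80,443 would never match.
    $IPT -A OUTPUT -o "$wan" -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
    # DNSCrypt's upstream resolver port may differ from 53; add it here if so.
    $IPT -A OUTPUT -o "$wan" -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$wan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. Everything else on the WAN interface is dropped. These come last
    #    because iptables uses the first matching rule.
    $IPT -A INPUT -i "$wan" -j DROP
    $IPT -A OUTPUT -o "$wan" -j DROP
}

# Sanity check on ordering: exit 0 only if every ACCEPT precedes the first
# DROP in the generated rule list.
drop_after_accept() {
    client_rules "$1" | awk '
        /-j ACCEPT/ { last_accept = NR }
        /-j DROP/ && !first_drop { first_drop = NR }
        END { exit !(first_drop > last_accept) }'
}

client_rules "${1:-eth0}"
```

Review the printed rules before applying them; with the OUTPUT drop in place, any other client traffic (NTP, package updates over non-HTTP ports) needs its own --dport rule above the DROP.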