
Thread: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

  1. #41
    Join Date
    Mar 2008
    Beans
    30

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Typo:

    "2.2- Explanation about the script structure
    Some of you may be surprised by the structure used for the script so i will explain. Rather than handling the INPUT and OUTPUT chain directly as it is most often done i use tow intermediary chains called FIREWALL and TRUSTED."

    You meant "two", didn't you? I was initially confused there, thinking wtf is "tow".

    Thanks, this is a really good script; it really helped me apply all the rules.

    Quick question: how is ICMP treated? Does the "No icmp" bit at the start of the script drop ICMP packets or reject them?

    Also, this rule:
    iptables -I INPUT -p tcp -m state --state NEW -m limit --limit 30/minute --limit-burst 5 -j ACCEPT

    I would include it in the script as:
    iptables -I TRUSTED -p tcp -m state --state NEW -m limit --limit 30/minute --limit-burst 5 -j ACCEPT

    Would it be able to limit ACKs? I know there are scanners out there that can send ACKs to ports which weren't expecting one, and the ports reply with RST (and the scanner then knows someone is at the IP address). I think it's already implemented in the script, or would I have to add --tcp-flags SYN,ACK,RST SYN to most of the rules?

    Thanks again for this guide; I've hit Firestarter's limitations and this has really helped.
    Last edited by Randomperson_1000; June 18th, 2009 at 02:37 AM.

  2. #42
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Thanks for pointing out my typo.

    Yes, the ICMP bit deactivates all ICMP stuff, so you are sure not to accept any ICMP traffic.
    For your second question I have no answer because I never gave this a thought. But to get an answer the packet would have to be allowed to go through the output filtering, which is less likely to happen IMO. Anyway, the best way would just be to make some tests; maybe nmap could be enough for this purpose.
    When adding rules to the TRUSTED chain you must tell if it is applied to input packets (-i eth0) or output packets (-o eth0); if you don't specify it, the rule will apply to both.

    Anyway, if you dig into the question and get a clear answer, please share it; I would be pleased to add your contribution to the tutorial.
    Last edited by frodon; June 18th, 2009 at 08:19 AM.

  3. #43
    Join Date
    Mar 2008
    Beans
    30

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    I guess I should first learn the basics. For some reason, after a day of hair pulling, I can't torrent.

    I want uTorrent to use only one port (in Wine, for some reason, it opens up any port it can).
    I've set up the rules like this:

    iptables -A TRUSTED -i wlan1 -p tcp -m tcp --sport 61224 -j ACCEPT
    iptables -A TRUSTED -o wlan1 -p udp -m udp --sport 61224 -j ACCEPT

    This should allow in and out connections on wlan1 where the connections are going in and out from port 61224, but when I do this the port doesn't open: nmap shows it as filtered, and the port is correctly forwarded on my router. Everything works fine when I flush the rules or change the policy to allow out traffic by default.
    Any suggestions how I would open this port and limit it to send info from just port 61224, i.e. listening and sending on that port? I've even tried the rules you suggested in your script and below, where it says how to open new ports, but still the port doesn't open.
    Last edited by Randomperson_1000; June 19th, 2009 at 01:27 AM.

  4. #44
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    First, if you want to test your config with nmap you must do it from another computer; it will prevent many common mistakes.

    Here is an example of opening a port for Azureus:
    # azureus
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 34333 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 34333 -j ACCEPT
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 34333 -j ACCEPT
    iptables -A TRUSTED -o eth0 -p udp -m udp --dport 34333 -j ACCEPT
    You need to open the port you use in TCP and UDP, as input and as output.

    Never use sport for incoming connection filtering unless you are sure of what you do. In most cases you will only need dport. Allowing an incoming connection with sport xxxx means that you accept a connection from a distant computer which sent a frame from port xxxx even if the targeted port is yyyy. At home I only use sport for some output filtering but never for input filtering.
    Last edited by frodon; June 19th, 2009 at 07:30 AM.
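    The two pitfalls discussed in this exchange (a --sport match on an input rule, and a TRUSTED rule with no -i/-o that silently applies to both directions) plus the two typos seen earlier in the thread can be caught before the script is run. The following linter is an added example written for this page, not code from the tutorial; the sample rule lines are constructed from the thread's own posts.

```python
import shlex

KNOWN_PROTOS = {"tcp", "udp", "icmp", "all"}

# Constructed sample: rule lines in the shape posted in this thread.
SAMPLE_RULES = """
iptables -A TRUSTED -i wlan1 -p tcp -m tcp --sport 61224 -j ACCEPT
iptables -A TRUSTED -o wlan1 -p dup -m udp --sport 61224 -j ACCEPT
iptables -I TRUSTED -p tcp -m state --state NEW -m limit --limit 30/minute --limit -burst 5 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 34333 -j ACCEPT
iptables -A TRUSTED -o eth0 -p udp -m udp --dport 34333 -j ACCEPT
"""


def lint_rule(line):
    """Return the problems found in one iptables command line (empty list if clean)."""
    argv = shlex.split(line)
    if not argv or argv[0] != "iptables":
        return []
    problems = []
    # Map each option to the token that follows it (None when it is a bare flag).
    opts = {}
    for idx, tok in enumerate(argv[1:], start=1):
        if tok.startswith("-"):
            nxt = argv[idx + 1] if idx + 1 < len(argv) else None
            opts[tok] = None if nxt is None or nxt.startswith("-") else nxt
    if "-burst" in opts:
        problems.append("'--limit -burst' is not an option; write --limit-burst")
    proto = opts.get("-p")
    if proto is not None and proto not in KNOWN_PROTOS:
        problems.append(f"unknown protocol '{proto}'")
    chain = opts.get("-A") or opts.get("-I")
    if chain == "TRUSTED" and "-i" not in opts and "-o" not in opts:
        problems.append("no -i/-o given, so the rule matches both input and output")
    if "--sport" in opts and "-i" in opts:
        problems.append("--sport on an input rule accepts any connection whose remote "
                        "source port matches; filter incoming traffic with --dport")
    return problems


def lint_script(text):
    """Lint every line; returns {line_number: [problems]} for lines with findings."""
    findings = {}
    for n, line in enumerate(text.strip().splitlines(), start=1):
        probs = lint_rule(line)
        if probs:
            findings[n] = probs
    return findings
```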

  5. #45
    Join Date
    Mar 2008
    Beans
    30

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    It still doesn't work; for the moment, just so I can use torrents, I have allowed outgoing traffic by default.

    For some reason, when I run nmap from my computer it shows that the port is open, but on my router it is still filtered. The port has been forwarded correctly. Everything works fine when I allow outgoing by default or even if I use Firestarter. Do you have any ideas what could be wrong?

    I was thinking maybe I have to load some extra modules at the start of the script, maybe ipwireless (I think this is another module); I'm using wireless. Or maybe I have to use another command like PREROUTING; an example is here:
    http://www.linuxforums.org/forum/lin...orwarding.html

    BTW, thanks for all your help so far.

  6. #46
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Wait a minute, you still have Firestarter installed? If that's the case the behaviour of the firewall may be unpredictable.

    As the script allows loopback traffic, nmap results are not trustworthy if nmap is run from the computer on which the firewall to test is.

    I'm 100% sure the lines I gave you for your torrent client work, as I used them myself and they have always worked great. If you don't mind, post your iptables script so I can have a look at it.

    PREROUTING rules are useful for connection sharing; otherwise you should not need them.

    Anyway, don't worry; setting output filtering is always more tricky, as you need to know exactly what to allow and why you allow it. However, it will give you real knowledge.
    Last edited by frodon; June 20th, 2009 at 10:08 AM.

  7. #47
    Join Date
    Mar 2008
    Beans
    30

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Well, here it is; I've commented out the stuff I don't use. I don't have Firestarter running, I removed it, and the rules of the script are loaded up at startup. I'm going to test nmap with another computer as soon as possible.

    #!/bin/bash

    # No spoofing !!!
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
    echo 1 > $filtre
    done
    fi

    # No icmp
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe ip_conntrack_irc
    modprobe ip_conntrack_ftp
    modprobe iptable_filter
    modprobe iptable_nat
    # added next modprobe for troubleshooting
    modprobe ipwireless
    # Remove all rules
    iptables -F
    iptables -X

    # first set the default behaviour => accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    # New chains
    iptables -N FIREWALL
    iptables -N TRUSTED

    # Log chain
    iptables -N LOG_DROP
    iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
    iptables -A LOG_DROP -j DROP

    # Allow ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i wlan1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow self communication
    iptables -A FIREWALL -i lo -j ACCEPT
    iptables -A FIREWALL -o lo -j ACCEPT
    # Send all package to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED
    # DROP all other packets
    iptables -A FIREWALL -j DROP

    # Send all through the FIREWALL chain
    iptables -A INPUT -j FIREWALL
    iptables -A FORWARD -j DROP
    iptables -A OUTPUT -j FIREWALL

    # Allow dns
    iptables -A TRUSTED -o wlan1 -p udp -m udp --dport 53 -j ACCEPT
    iptables -A TRUSTED -o wlan1 -p tcp -m tcp --dport 53 -j ACCEPT

    # Allow http
    iptables -A TRUSTED -o wlan1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

    # Allow https
    iptables -A TRUSTED -o wlan1 -p udp -m udp --dport 443 -j ACCEPT
    iptables -A TRUSTED -o wlan1 -p tcp -m tcp --dport 443 -j ACCEPT

    #Allow IRC IDENT & DCC
    iptables -A TRUSTED -o wlan1 -p tcp -m tcp --dport 6667 -j ACCEPT
    #iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT

    # Allow pop3s
    iptables -A TRUSTED -o wlan1 -p udp -m udp --dport 995 -j ACCEPT
    iptables -A TRUSTED -o wlan1 -p tcp -m tcp --dport 995 -j ACCEPT

    # Allow imap2
    #iptables -A TRUSTED -o eth0 -p udp -m udp --dport 143 -j ACCEPT
    #iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 143 -j ACCEPT

    # Allow imap3
    #iptables -A TRUSTED -o eth0 -p udp -m udp --dport 220 -j ACCEPT
    #iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 220 -j ACCEPT

    # Allow newsgroup
    #iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 119 -j ACCEPT

    # Allow smtp
    #iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 25 -j ACCEPT
    #iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 465 -j ACCEPT

    # Allow ftp
    iptables -A TRUSTED -o wlan1 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A TRUSTED -o wlan1 -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    # iptables -A TRUSTED -o wlan1 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow MSN
    iptables -A TRUSTED -o wlan1 -p tcp -m tcp --dport 1863 -j ACCEPT

    # bittorrent
    iptables -A TRUSTED -i wlan1 -p tcp -m tcp --dport 52197 -j ACCEPT
    iptables -A TRUSTED -i wlan1 -p udp -m udp --dport 52197 -j ACCEPT
    iptables -A TRUSTED -o wlan1 -p tcp -m tcp --dport 52197 -j ACCEPT
    iptables -A TRUSTED -o wlan1 -p udp -m udp --dport 52197 -j ACCEPT
    # azureus
    #iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 64433 -j ACCEPT
    #iptables -A TRUSTED -i eth0 -p udp -m udp --dport 64433 -j ACCEPT
    #iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 64433 -j ACCEPT
    #iptables -A TRUSTED -o eth0 -p udp -m udp --dport 64433 -j ACCEPT

    # STEAM
    #iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 27020:27050 -j ACCEPT
    #iptables -A TRUSTED -o eth0 -p udp -m udp --dport 27000:27015 -j ACCEPT
    #iptables -A TRUSTED -o eth0 -p udp -m udp --dport 1200 -j ACCEPT

    # enemy territory
    #iptables -A TRUSTED -o eth0 -p udp -m udp --dport 27950:27970 -j ACCEPT

    # ekiga
    #iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 5000:5061 -j ACCEPT
    #iptables -A TRUSTED -o eth0 -p udp -m udp --sport 5000:5061 -j ACCEPT
    #iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 5060 -j ACCEPT
    #iptables -A TRUSTED -o eth0 -p udp -m udp --dport 5060 -j ACCEPT
    #iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 5061 -j ACCEPT
    #iptables -A TRUSTED -o eth0 -p udp -m udp --dport 5061 -j ACCEPT

    # Teamspeak
    #iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 8767 -j ACCEPT
    #iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 8767 -j ACCEPT
    #iptables -A TRUSTED -i eth0 -p udp -m udp --dport 8767 -j ACCEPT
    #iptables -A TRUSTED -o eth0 -p udp -m udp --dport 8767 -j ACCEPT

    # nicotine
    #iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 2234:2239 -j ACCEPT
    #iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 2234:2239 -j ACCEPT

    # whois
    iptables -A TRUSTED -o wlan1 -p tcp -m tcp --dport 43 -j ACCEPT

    # telnet
    iptables -A TRUSTED -o wlan1 -p tcp -m tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT

    # End message
    echo " [End iptables rules setting]"

    Okay, just to clarify something: if I change all output to TRUSTED then everything works fine, so it seems there's some output problem. When I run netstat it does indeed say that the port for BitTorrent is listening.
    Last edited by Randomperson_1000; June 20th, 2009 at 06:22 PM.

  8. #48
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Hum, all seems fine; your torrent client should work well on port 52197.

    As a powerful debug solution you can replace "iptables -A FIREWALL -j DROP" by "iptables -A FIREWALL -j LOG_DROP" to log dropped packets (instructions in first post). That way you will be able to see the packets rejected and hopefully understand which port needs to be opened.

    But once again I find it strange that your torrent client doesn't work, as these are really simple rules.
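    Once the LOG_DROP chain is in place, the kernel log fills with lines carrying the '[IPTABLES DROP] : ' prefix and the packet's IN=/OUT=/PROTO=/DPT= fields. The script below, an added example and not part of the thread or the tutorial, tallies those lines by direction, interface, protocol and destination port and turns flows that keep getting dropped into candidate TRUSTED rules in the format used above; the log lines are constructed samples with documentation-range addresses, and each suggestion is meant to be reviewed, not applied blindly.

```python
import re
from collections import Counter

PREFIX = "[IPTABLES DROP] : "   # the log-prefix used by the thread's LOG_DROP chain

# Constructed sample syslog lines (not real captures); addresses are documentation ranges.
SAMPLE_LOG = """\
Jun 20 18:22:01 laptop kernel: [IPTABLES DROP] : IN= OUT=wlan1 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=43210 DPT=52197 SYN URGP=0
Jun 20 18:22:02 laptop kernel: [IPTABLES DROP] : IN= OUT=wlan1 SRC=192.168.1.10 DST=203.0.113.6 LEN=60 PROTO=TCP SPT=43211 DPT=52197 SYN URGP=0
Jun 20 18:22:03 laptop kernel: [IPTABLES DROP] : IN= OUT=wlan1 SRC=192.168.1.10 DST=198.51.100.9 LEN=48 PROTO=UDP SPT=52197 DPT=6881 LEN=28
Jun 20 18:22:04 laptop kernel: [IPTABLES DROP] : IN=wlan1 OUT= SRC=198.51.100.77 DST=192.168.1.10 LEN=40 PROTO=TCP SPT=4444 DPT=23 SYN URGP=0
Jun 20 18:22:05 laptop kernel: something unrelated
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE pairs emitted by the LOG target


def parse_drop(line):
    """Return (direction, iface, proto, dport) for a LOG_DROP line, or None otherwise."""
    if PREFIX not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(PREFIX, 1)[1]))
    if fields.get("IN"):            # IN set, OUT empty: packet arriving on that interface
        direction, iface = "in", fields["IN"]
    elif fields.get("OUT"):         # OUT set: locally generated packet leaving
        direction, iface = "out", fields["OUT"]
    else:
        return None
    return direction, iface, fields.get("PROTO", "?").lower(), fields.get("DPT")


def summarize(log_text):
    """Count dropped packets per (direction, iface, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_drop(line)
        if parsed:
            counts[parsed] += 1
    return counts


def suggest_rules(counts, min_hits=2):
    """Turn flows dropped at least min_hits times into candidate TRUSTED rules
    (thread format). Inbound suggestions open a listening port: check them twice."""
    rules = []
    for (direction, iface, proto, dport), n in counts.most_common():
        if n < min_hits or proto not in ("tcp", "udp") or dport is None:
            continue
        flag = "-i" if direction == "in" else "-o"
        rules.append(f"iptables -A TRUSTED {flag} {iface} -p {proto} -m {proto} --dport {dport} -j ACCEPT")
    return rules
```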

  9. #49
    Join Date
    Mar 2008
    Beans
    30

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    I think I got it working; canyouseeme.org reports so.

    Well, I'm not sure, but all I did was start logging (I had set up logging before but never used it). I included the line you told me and it started working.

    When I remove that line it stops working. Weird. I think I might disable logging and then see if the script works.

    uTorrent still reports the port isn't forwarded, but I'm downloading and uploading at full speed. Tried Deluge, which reports everything is okay. I'm getting a lot of dropped packets though; going to have to investigate. I think I'm going to switch clients to Deluge; uTorrent seems to be messing up a bit.

    Thanks for all your help; iptables doesn't seem that complicated anymore. And thanks for the super fast replies.

  10. #50
    Join Date
    Apr 2010
    Location
    sudan
    Beans
    25
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Hello there, I am new to Ubuntu and security and just hit this tutorial.
    This is a really interesting and very helpful tutorial. I have a little question: is the "No spoofing" in the following lines the same functionality as in your script? If so, I hope you can explain that to me.
    # anti spoofing rule
    $IPTABLES -N In_RULE_0
    for i_eth0 in $i_eth0_list
    do
    test -n "$i_eth0" && $IPTABLES -A INPUT -i eth0 -s $i_eth0 -j In_RULE_0
    done
    $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -j In_RULE_0
    $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -j In_RULE_0
    for i_eth0 in $i_eth0_list
    do
    test -n "$i_eth0" && $IPTABLES -A FORWARD -i eth0 -s $i_eth0 -j In_RULE_0
    done
    $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -j In_RULE_0
    $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -j In_RULE_0
    $IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
    $IPTABLES -A In_RULE_0 -j DROP

    Thanks.
