suntzu07 n00b
Joined: 23 Jan 2007 Posts: 7 Location: Ireland
Posted: Tue Jan 23, 2007 7:10 pm Post subject: IPTables Problem
Hi,
I recently migrated to Linux, and after reading some tutorials tried to configure my iptables. As you can probably see below, I'm trying to block all ports except port 80. However, despite appending rules to the table, it seems to be blocked. Any advice/links/tips are very welcome, as none of the earlier posts and/or tutorials seem to answer my question (/I'm too stupid to understand them).
Below are the contents of my config file, thanks in advance.
Code:
#!/bin/sh
iptables -F
iptables --policy OUTPUT DROP
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
FuzzeX Tux's lil' helper
Joined: 08 Jan 2003 Posts: 96
Posted: Tue Jan 23, 2007 8:21 pm Post subject:
I use a similar line for some local services on my firewall, but I include the interface name in the iptables lines:
Code:
iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
You might also consider adding a logging chain you can use for debugging:
Code:
iptables -N log-it
iptables -A log-it -j LOG --log-level info --log-prefix "IPTABLES DEBUG: "
iptables -A log-it -j DROP
Then add a line like this to the bottom of your INPUT and OUTPUT chains:
Code:
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j log-it
I don't know if that will solve your issue. You might want to run the following command and check the output to see if it makes sense:
Hope that helps.
suntzu07 n00b
Joined: 23 Jan 2007 Posts: 7 Location: Ireland
Posted: Tue Jan 23, 2007 8:36 pm Post subject:
Thanks for the reply. I followed your advice and included the interface, but no luck. Also, I now seem to get a "chain already exists" error when executing the script. Any advice?
Thanks.
FuzzeX Tux's lil' helper
Joined: 08 Jan 2003 Posts: 96
Posted: Tue Jan 23, 2007 8:44 pm Post subject:
You'll need to add the following line after your iptables -F line to remove any user-specified chains, which gets rid of the "chain already exists" error:
Is there anything interesting in your log files now?
Does iptables -v -L look like it should work?
What's your testing methodology to see if the port is open?
Rob1n l33t
Joined: 29 Nov 2003 Posts: 714 Location: Cambridge, UK
Posted: Tue Jan 23, 2007 11:17 pm Post subject:
I suspect the problem is that the outgoing response is from a port other than 80 (TCP responses usually are). Try adding:
Code:
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This will allow any outgoing responses. You could limit this by network interface as well to be more secure, though that isn't really necessary.
suntzu07 n00b
Joined: 23 Jan 2007 Posts: 7 Location: Ireland
Posted: Thu Jan 25, 2007 3:37 pm Post subject:
Thanks for the replies. I'll try it out.
suntzu07 n00b
Joined: 23 Jan 2007 Posts: 7 Location: Ireland
Posted: Thu Jan 25, 2007 3:45 pm Post subject:
I'm back again. Things still don't seem to work. Here are the results for -v -L
Code:
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source   destination
    0     0 ACCEPT 0    --  any lo  anywhere anywhere
    0     0 ACCEPT icmp --  any any anywhere anywhere
    0     0 ACCEPT tcp  --  any any anywhere anywhere tcp spt:http
    3   120 ACCEPT tcp  --  any any anywhere anywhere tcp dpt:http
    0     0 ACCEPT 0    --  any any anywhere anywhere state RELATED,ESTABLISHED

Chain log-it (1 references)
 pkts bytes target prot opt in  out source   destination
    0     0 LOG    0    --  any any anywhere anywhere LOG level info prefix `IPTABLES DEBUG: '
    0     0 DROP   0    --  any any anywhere any
Here is the current conf file:
Code:
#!/bin/sh
iptables -F
iptables -X
iptables --policy OUTPUT DROP
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -N log-it
iptables -A log-it -j LOG --log-level info --log-prefix "IPTABLES DEBUG: "
iptables -A log-it -j DROP
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j log-it
Rob1n l33t
Joined: 29 Nov 2003 Posts: 714 Location: Cambridge, UK
Posted: Thu Jan 25, 2007 4:39 pm Post subject:
I'd suggest adding a logging rule to your OUTPUT chain as well - that should tell us why the packets are being dropped.
venquessa2 Apprentice
Joined: 27 Oct 2004 Posts: 283
Posted: Thu Jan 25, 2007 6:33 pm Post subject:
First.
Flush and zero all your chains and tables.
Set all chains to ACCEPT policy.
Insert a rule with no --jump TARGET, e.g. "iptables --append INPUT --protocol tcp --destination-port http"
Now hit the box with a web request. Then run:
iptables -vL
Note the packet count; if it increased then it matched that rule.
Repeat this for each type of rule you want, just to check the matched packets, that's all. It keeps debugging sane. DON'T do it on an online box with a public interface though. For that you have to be more careful and methodical.
When you know a rule matches you can give it a target, and when you are happy with the rest of them set the policy to DROP.
Some other thoughts...
Put the ESTABLISHED and RELATED line first. Add it to both INPUT and OUTPUT.
Topology...
Is this a host on a LAN with 1 interface only or does it possess a ppp0 or 2 ethernets? In other words, does the box forward or is it just a LAN machine?
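A helper for the packet-counter comparison described in the post above, added here as an example and not code from the thread or from venquessa2: it diffs two `iptables -vnxL` snapshots and names the rules whose counters rose between them, keyed by chain and position because a counting rule with no target leaves the target column empty. The snapshot text is constructed, and the function names and temp-file paths are my own assumptions.

```shell
#!/bin/sh
# Compare two `iptables -vnxL` snapshots and report which rules matched
# packets in between. Rules are keyed by chain name and position, because
# a counting rule with no target has an empty "target" column.
# (-x prints exact counters, so abbreviated values like 12K never appear.)

matched_rules() {    # usage: matched_rules BEFORE_FILE AFTER_FILE
    awk '
        /^Chain /    { chain = $2; idx = 0; next }   # "Chain INPUT (policy ...)"
        /^ *pkts /   { next }                        # column header line
        NF == 0      { next }                        # blank line between chains
        {
            idx++
            key = chain ":" idx
            if (NR == FNR) { before[key] = $1; next } # first file: remember pkts
            delta = $1 - before[key]                  # second file: compare
            if (delta > 0)
                printf "%s rule %d matched %d new packet(s)\n", chain, idx, delta
        }' "$1" "$2"
}

# Constructed snapshots: one counting rule (no target) for tcp/80 and one
# for udp/53, taken before and after a single web request to the box.
BEFORE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    4   240            udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53'
AFTER='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    4   240            udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53'

demo_matched_rules() {   # runs the comparison on the constructed snapshots
    dir=$(mktemp -d)
    printf '%s\n' "$BEFORE" > "$dir/before"
    printf '%s\n' "$AFTER"  > "$dir/after"
    matched_rules "$dir/before" "$dir/after"
    rm -rf "$dir"
}

demo_matched_rules    # prints: INPUT rule 1 matched 3 new packet(s)
```

On a live box, save `iptables -vnxL` to a file before and after the test request and pass the two files to matched_rules.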
suntzu07 n00b
Joined: 23 Jan 2007 Posts: 7 Location: Ireland
Posted: Thu Jan 25, 2007 7:13 pm Post subject:
Excuse my ignorance, but how do you do that? Just iptables -A OUTPUT -j LOG ?
So far I've just copied what people posted here / tutorials, hoping it'll work... Sorry
suntzu07 n00b
Joined: 23 Jan 2007 Posts: 7 Location: Ireland
Posted: Thu Jan 25, 2007 7:15 pm Post subject:
Here is part of my log file... if it helps...
Code:
Jan 25 15:46:17 localhost [13681.542376] IPTABLES DEBUG: IN=eth1 OUT= MAC=00:03:0d:1e:17:9a:00:14:6c:ec:07:93:08:00 SRC=192.168.1.1 DST=192.168.1.3 LEN=163 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=32803 LEN=143
Jan 25 15:46:22 localhost [13686.538975] IPTABLES DEBUG: IN=eth1 OUT= MAC=00:03:0d:1e:17:9a:00:14:6c:ec:07:93:08:00 SRC=192.168.1.1 DST=192.168.1.3 LEN=163 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=32803 LEN=143
Jan 25 18:53:44 localhost [ 1686.039068] IPTABLES DEBUG: IN= OUT=eth0 SRC=192.168.1.3 DST=192.168.1.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=55402 DF PROTO=UDP SPT=32775 DPT=53 LEN=41
Jan 25 18:53:44 localhost [ 1686.039153] IPTABLES DEBUG: IN= OUT=eth0 SRC=192.168.1.3 DST=192.168.1.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=55402 DF PROTO=UDP SPT=32775 DPT=53 LEN=41
Jan 25 18:53:44 localhost [ 1686.064616] IPTABLES DEBUG: IN= OUT=eth0 SRC=192.168.1.3 DST=192.168.1.1 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=55427 DF PROTO=UDP SPT=32775 DPT=53 LEN=49
Jan 25 18:53:44 localhost [ 1686.065002] IPTABLES DEBUG: IN= OUT=eth0 SRC=192.168.1.3 DST=192.168.1.1 LEN=69 TOS=0x00 PREC=0x00 TTL=64 ID=55428 DF PROTO=UDP SPT=32775 DPT=53 LEN=49
DaveArb Guru
Joined: 29 Apr 2004 Posts: 510 Location: Texas, USA
Posted: Thu Jan 25, 2007 9:58 pm Post subject:
That's DNS you're blocking. Perhaps your port 80 is working fine, but without DNS it doesn't do much.
Moji Tux's lil' helper
Joined: 04 Nov 2006 Posts: 121
Posted: Thu Jan 25, 2007 11:30 pm Post subject:
Should actually be fairly easy to block everything but port 80, although I'd add port 53 as well like DaveArb said since you need to be able to resolve DNS to access webpages.
Code:
/sbin/iptables -v --flush
/sbin/iptables -v --delete-chain
/sbin/iptables -v -P INPUT DROP
/sbin/iptables -v -P OUTPUT DROP
/sbin/iptables -v -P FORWARD DROP
/sbin/iptables -v -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
/sbin/iptables -v -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
/sbin/iptables -v -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -v -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -v -A OUTPUT -o eth0 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
/sbin/iptables -v -A OUTPUT -o eth0 -p udp --sport 1024:65535 --dport 53 -j ACCEPT
That should end up with something that looks like the following when you do a /sbin/iptables -L -vn
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source    destination
    0     0 ACCEPT all  --  lo  *   127.0.0.1 127.0.0.1
    6   612 ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source    destination

Chain OUTPUT (policy DROP 1 packets, 60 bytes)
 pkts bytes target prot opt in  out  source    destination
    0     0 ACCEPT all  --  *   lo   127.0.0.1 127.0.0.1
    8   496 ACCEPT all  --  *   *    0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT tcp  --  *   eth0 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT udp  --  *   eth0 0.0.0.0/0 0.0.0.0/0
-MJ
suntzu07 n00b
Joined: 23 Jan 2007 Posts: 7 Location: Ireland
Posted: Sat Jan 27, 2007 11:25 am Post subject:
Great! It works. Thanks to everybody for their input.