Using Fedora: General support for current versions. Ask questions about Fedora and its software that do not belong in any other forum.

5th December 2011, 04:40 PM
Registered User
Join Date: May 2011
Posts: 62

Iptables rules
Code:
# 1. Delete all existing rules
iptables -F
# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# 3. Allow incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 1234 -m state --state ESTABLISHED -j ACCEPT
# 4. Allow incoming HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# 5. Allow incoming HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# 7. Allow FTP PORT
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
I have these iptables rules.
I have some Facebook apps on my site which are not working with these settings.
Facebook apps, yum, wget: these are not working with my iptables settings. I am not able to fix it.
Which rule would allow yum, wget and Facebook apps (I think curl is used for the FB apps)?

5th December 2011, 06:10 PM
Registered User
Join Date: Oct 2010
Posts: 888

Re: Iptables rules
iptables -P OUTPUT DROP is dropping all non-established/listed outbound traffic. The quick and easy fix is to change the DROP to ACCEPT in that rule.

5th December 2011, 06:13 PM
Registered User
Join Date: May 2011
Posts: 62

Re: Iptables rules
Yes, I checked that. When I make the DROP to ACCEPT it is working.
But is it secure?
Is it possible to have something like this?
Quote:
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

5th December 2011, 08:06 PM
Registered User
Join Date: Jul 2006
Location: Montana
Posts: 731

Re: Iptables rules
Quote:
Originally Posted by agriz
Yes, I checked that. When I make the DROP to ACCEPT it is working.
But is it secure?
Is it possible to have something like this?

You can add those sorts of rules if you wish, and some people feel it is more secure to do so, others feel it is too much hassle.
You probably want --dport rather than --sport.
You can specify as much or as little as required by your paranoia.
Code:
# allow http and https :
iptables -A OUTPUT -m state \
--state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \
-m multiport --dports 80,443 --sport 1024:65535 \
-j ACCEPT
That is all one line, "\" breaks it up to be (hopefully) more readable and easier to understand.
__________________
If it is not broken, tweak it... If you break Fedora you get to keep both pieces :p

5th December 2011, 08:21 PM
Registered User
Join Date: May 2011
Posts: 62

Re: Iptables rules
Quote:
multiport can only have one option
Try `iptables -h' or 'iptables --help' for more information.

I entered your line as a single line however.
Quote:
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp -m multiport --dports 80,443 --sport 1024:65535 -j ACCEPT

5th December 2011, 08:31 PM
Registered User
Join Date: Jul 2006
Location: Montana
Posts: 731

Re: Iptables rules
Move the "--sport 1024:65535"
Code:
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp --sport 1024:65535 -m multiport --dports 80,443 -j ACCEPT

5th December 2011, 09:19 PM
Registered User
Join Date: May 2011
Posts: 62

Re: Iptables rules
Yum is working, but the Facebook app is still not working?!

5th December 2011, 09:39 PM
Registered User
Join Date: Jul 2006
Location: Montana
Posts: 731

Re: Iptables rules
Quote:
Originally Posted by agriz
Yum is working, but the Facebook app is still not working?!

I do not know about Facebook; what port is it using? Check your logs.
Filtering OUTPUT takes a little extra effort, as you can see. You still need rules for any other services you use, anything from ftp to ssh to samba to nfs. Is DNS working?

5th December 2011, 10:12 PM
Registered User
Join Date: May 2011
Posts: 62

Re: Iptables rules
I didn't set up DNS. I have to.
Facebook apps generally use curl, and it is HTTPS.
I don't see any Apache error log for this.
EDIT
Should I allow DNS through iptables when I set it up?
If so, what is the port? How do I allow DNS in iptables?
Right now, nslookup gives back the IP address.
Last edited by agriz; 5th December 2011 at 11:27 PM.

7th December 2011, 04:35 AM
Registered User
Join Date: May 2011
Posts: 62

Re: Iptables rules
Quote:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

I am not sure what this rule is exactly doing. When I add this line, everything works.
Can you tell me what it does?

7th December 2011, 05:59 AM
Retired Again - Administrator
Join Date: Nov 2007
Location: Reality
Posts: 3,034

Re: Iptables rules
You've added a rule that allows inbound traffic that is RELATED to or ESTABLISHED by existing outbound connections. For example, your computer sends a connection request to a web site (to destination port 80); this connection is registered in the connection tracking part of netfilter (the kernel software that filters network traffic); inbound traffic that matches the outbound connection is automatically permitted.
The main difference compared to the earlier rules you posted was to remove the dependence on source or destination ports.
Another way of writing that rule is:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
... or to split it specifically to allow only TCP and UDP protocols (even though UDP is technically connectionless, the conntrack helper module* records outbound UDP requests as well and will allow matching inbound replies):
Code:
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
(* Still usually referred to as a module though most distributions compile it into the kernel permanently)
__________________
.
Marching to the beat of his own conundrum.
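As an added example (not code from the thread), here is the ruleset the discussion converges on, written as a script: the default DROP policies are kept, loopback is accepted, one conntrack ESTABLISHED,RELATED rule per chain replaces all the per-port --sport ESTABLISHED rules, and NEW-only rules list the inbound services and the outbound DNS, HTTP and HTTPS that yum, wget and curl need. The interface name eth0, the custom SSH port 1234 and the dry-run default are assumptions; it prints the commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example: stateful ruleset for the setup discussed in the thread.
# Assumptions: interface eth0, SSH on 1234, FTP control port 21 as in the
# original rules. Dry run by default: prints the commands it would run.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-1234}"

apply_rules() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback first: local services (named, rndc on 127.0.0.1) need it.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # One conntrack rule per chain: replies to any accepted connection pass,
    # whatever the port, so no --sport ESTABLISHED rules are needed.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Inbound services: only the NEW connection needs listing now.
    for p in "$SSH_PORT" 80 443 21; do
        $IPT -A INPUT -i "$IFACE" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Outbound: DNS (UDP, plus TCP for large answers), then HTTP/HTTPS
    # for yum, wget and the curl calls the Facebook apps make.
    $IPT -A OUTPUT -o "$IFACE" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
}

apply_rules
```

Run it as root with IPT=iptables to apply the rules; without that it only prints them for review.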

7th December 2011, 06:03 AM
Retired Again - Administrator
Join Date: Nov 2007
Location: Reality
Posts: 3,034

Re: Iptables rules
If you want to watch the conntrack helper module doing its thing, then, in a terminal window, run the following:
Use CTRL-c to exit iptstate.

7th December 2011, 08:47 AM
Registered User
Join Date: May 2011
Posts: 62

Re: Iptables rules
Thanks for the information!
Quote:
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT

I have these two rules added in iptables.
But I still have a problem with DNS.

7th December 2011, 11:22 AM
Retired Again - Administrator
Join Date: Nov 2007
Location: Reality
Posts: 3,034

Re: Iptables rules
How are you testing whether DNS is working?
It would help if you posted your active rules. To do that, use:
... and copy-and-paste the results in this thread.

7th December 2011, 09:25 PM
Registered User
Join Date: May 2011
Posts: 62

Re: Iptables rules
Quote:
Chain INPUT (policy DROP 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination
565 195K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234 state NEW,ESTABLISHED
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 0 state NEW,RELATED,ESTABLISHED
83 4856 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:1234 state ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 289 packets, 55454 bytes)
pkts bytes target prot opt in out source destination
1 108 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:1234 state ESTABLISHED
0 0 ACCEPT icmp -- * eth0 0.0.0.0/0 0.0.0.0/0 icmp type 0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * eth0 0.0.0.0/0 0.0.0.0/0 icmp type 8 state RELATED,ESTABLISHED
453 384K ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443 state ESTABLISHED
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:10000 state ESTABLISHED
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:21 state ESTABLISHED
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234 state NEW,ESTABLISHED

The above rules block my website.
When I enter the URL, I get "server not found". Once I stop iptables, the site starts to work.
** 1234 is the custom ssh port.
---------- Post added at 05:37 PM ---------- Previous post was at 11:29 AM ----------
Are those rules correct?
---------- Post added at 07:53 PM ---------- Previous post was at 05:37 PM ----------
Quote:
Originally Posted by Evil_Bert
How are you testing whether DNS is working?

I am checking using
Code:
nslookup ip.address
Correct me if I am wrong.
Code:
Output for nslookup ipaddress
Server: 4.2.2.2
Address: 4.2.2.2#53
** server can't find xx.xx.xx.xx.in-addr.arpa.: NXDOMAIN
Output for nslookup website.com
Code:
;; connection timed out; no servers could be reached
....
Code:
service named status
Code:
WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
rndc: connect failed: 127.0.0.1#953: connection refused
named is running...
---------- Post added at 09:25 PM ---------- Previous post was at 07:53 PM ----------
Code:
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I OUTPUT 1 -o lo -j ACCEPT
One of my friends advised me to use these two rules.
Is it good to use them?
Are those rules correct? He is unsure; he said they might be the right rules.
Last edited by agriz; 7th December 2011 at 08:20 PM.
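As an added example (not from the thread), this script audits an `iptables -L -v -n` listing like the one posted above for the three gaps the thread keeps circling: a DROP policy on INPUT or OUTPUT with no chain-wide ESTABLISHED,RELATED rule, no loopback ACCEPT on both chains, and OUTPUT DROP with no DNS (dpt:53) rule. The sample listing is constructed to resemble the posted one, and the column positions assumed are those of the listing format shown.

```shell
#!/bin/sh
# Added example: audit an "iptables -L -v -n" listing read from stdin.
# Columns assumed: pkts bytes target prot opt in out source destination ...
# The sample below is constructed; it has the OP's original OUTPUT shape.
SAMPLE_LISTING='Chain INPUT (policy DROP 1 packets, 40 bytes)
 pkts bytes target prot opt in out source destination
  565  195K ACCEPT all  --  *    *   0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT tcp  --  eth0 *   0.0.0.0/0 0.0.0.0/0 tcp dpt:1234 state NEW,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 3 packets, 180 bytes)
 pkts bytes target prot opt in out source destination
  453  384K ACCEPT tcp  --  *    eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED'

audit_rules() {
    awk '
    # "Chain INPUT (policy DROP ...": remember the chain and its policy.
    /^Chain / { chain = $2; policy[chain] = $4; next }
    # A chain-wide ESTABLISHED rule has no spt:/dpt: qualifier.
    $3 == "ACCEPT" && /ESTABLISHED/ && !/[sd]pt:/ { est[chain] = 1 }
    $3 == "ACCEPT" && chain == "INPUT"  && $6 == "lo" { lo_in = 1 }
    $3 == "ACCEPT" && chain == "OUTPUT" && $7 == "lo" { lo_out = 1 }
    $3 == "ACCEPT" && chain == "OUTPUT" && /dpt:53/   { dns = 1 }
    END {
        n = 0
        for (c in policy)
            if (c != "FORWARD" && policy[c] == "DROP" && !est[c]) {
                print "FINDING: " c " policy DROP without a chain-wide ESTABLISHED,RELATED rule"; n++
            }
        if (!lo_in || !lo_out) { print "FINDING: loopback (lo) not accepted on both INPUT and OUTPUT"; n++ }
        if (policy["OUTPUT"] == "DROP" && !dns) { print "FINDING: OUTPUT DROP with no DNS (dpt:53) rule"; n++ }
        print "findings: " n
    }'
}

printf '%s\n' "$SAMPLE_LISTING" | audit_rules
```

Against a live box, run `iptables -L -v -n | audit_rules` (as root); the sample listing reports three findings.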