Fedora Linux Support Community & Resources Center
  #1  
Old 5th December 2011, 04:40 PM
agriz
Registered User
Join Date: May 2011
Posts: 66
Iptables rules

Code:
# 1. Delete all existing rules
iptables -F

# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 3. Allow incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 1234 -m state --state ESTABLISHED -j ACCEPT

# 4. Allow incoming HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# 5. Allow incoming HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# 7. Allow FTP PORT 
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
I have these iptables rules.
I have some Facebook apps on my site which are not working with these settings.

Facebook apps, yum, wget -- these are not working with my iptables settings. I am not able to fix it.

Which rule would allow yum, wget and Facebook apps? (I think it is curl that is used for the FB apps.)
  #2  
Old 5th December 2011, 06:10 PM
AndrewSerk
Registered User
Join Date: Oct 2010
Posts: 889
Re: Iptables rules

iptables -P OUTPUT DROP is dropping all non-established/listed outbound traffic. The quick and easy fix is to change the DROP to ACCEPT in that rule.
  #3  
Old 5th December 2011, 06:13 PM
agriz
Registered User
Join Date: May 2011
Posts: 66
Re: Iptables rules

Yes, I checked that. When I change the DROP to ACCEPT it is working.
But is it secure?

Is it possible to have something like this?

Quote:
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  #4  
Old 5th December 2011, 08:06 PM
bodhi.zazen
Registered User
Join Date: Jul 2006
Location: Montana
Posts: 731
Re: Iptables rules

Quote:
Originally Posted by agriz View Post
Yes, I checked that. When I change the DROP to ACCEPT it is working.
But is it secure?

Is it possible to have something like this?
You can add those sorts of rules if you wish, and some people feel it is more secure to do so; others feel it is too much hassle.

You probably want --dport rather than --sport.

You can specify as much or as little as required by your paranoia.

Code:
# allow http and https :

iptables -A OUTPUT -m state \
  --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \
  -m multiport --dports 80,443 --sport 1024:65535 \
  -j ACCEPT
That is all one line, "\" breaks it up to be (hopefully) more readable and easier to understand.
__________________
If it is not broken, tweak it... If you break Fedora you get to keep both pieces :p
  #5  
Old 5th December 2011, 08:21 PM
agriz
Registered User
Join Date: May 2011
Posts: 66
Re: Iptables rules

Quote:
multiport can only have one option
Try `iptables -h' or 'iptables --help' for more information.
I entered your line as a single line however.

Quote:
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp -m multiport --dports 80,443 --sport 1024:65535 -j ACCEPT
  #6  
Old 5th December 2011, 08:31 PM
bodhi.zazen
Registered User
Join Date: Jul 2006
Location: Montana
Posts: 731
Re: Iptables rules

Move the "--sport 1024:65535"

Code:
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp --sport 1024:65535 -m multiport --dports 80,443 -j ACCEPT
__________________
If it is not broken, tweak it... If you break Fedora you get to keep both pieces :p
  #7  
Old 5th December 2011, 09:19 PM
agriz
Registered User
Join Date: May 2011
Posts: 66
Re: Iptables rules

Yum is working. But the Facebook app is still not working. ?!
  #8  
Old 5th December 2011, 09:39 PM
bodhi.zazen
Registered User
Join Date: Jul 2006
Location: Montana
Posts: 731
Re: Iptables rules

Quote:
Originally Posted by agriz View Post
Yum is working. But the Facebook app is still not working. ?!
I do not know about Facebook; what port is it using? Check your logs.

Filtering OUTPUT takes a little extra effort, as you can see. You still need rules for any other services you use, anything from ftp to ssh to samba to nfs. DNS working?
__________________
If it is not broken, tweak it... If you break Fedora you get to keep both pieces :p
  #9  
Old 5th December 2011, 10:12 PM
agriz
Registered User
Join Date: May 2011
Posts: 66
Re: Iptables rules

I didn't set up the DNS. I have to.
Facebook apps are generally using curl, and it is https.

I don't see any apache error log for this.

EDIT

Should I allow DNS through iptables when I set it up?
If so, what is the port? How do I allow DNS in iptables?

Right now, nslookup gives back the IP address.

Last edited by agriz; 5th December 2011 at 11:27 PM.
  #10  
Old 7th December 2011, 04:35 AM
agriz
Registered User
Join Date: May 2011
Posts: 66
Re: Iptables rules

Quote:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
I am not sure what this rule is exactly doing. When I add this line, everything works.
Can you tell me what it does?
  #11  
Old 7th December 2011, 05:59 AM
Evil_Bert
Retired Again - Administrator
Join Date: Nov 2007
Location: 'straya
Posts: 3,289
Re: Iptables rules

You've added a rule that allows inbound traffic that is RELATED to or ESTABLISHED by existing outbound connections. For example, your computer sends a connection request to a web site (to destination port 80); this connection is registered in the connection tracking part of netfilter (the kernel software that filters network traffic); inbound traffic that matches the outbound connection is automatically permitted.

The main difference compared to the earlier rules you posted was to remove the dependence on source or destination ports.

Another way of writing that rule is:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
... or to split it specifically to allow only TCP and UDP protocols (even though UDP is technically connectionless, the conntrack helper module* records outbound UDP requests as well and will allow matching inbound replies):

Code:
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT

(* Still usually referred to as a module though most distributions compile it into the kernel permanently)
__________________
Marching to the beat of his own conundrum.
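Putting the advice in this thread together (the conntrack ESTABLISHED,RELATED rule in both directions, loopback, DNS, outbound HTTP/HTTPS for yum, wget and curl, and the inbound services from the first post), here is a complete stateful ruleset. This is an added example, not a ruleset anyone posted in the thread. It assumes eth0 is the outside interface and SSH listens on TCP 1234 as in the original post, and that the host does not answer DNS queries for other machines (if named serves other hosts, an INPUT rule for port 53 is also needed). Without APPLY=1 it only prints the iptables commands, so they can be reviewed before being loaded as root.

```shell
#!/bin/sh
# Stateful host firewall for a web server, produced as a list of iptables
# commands.  Added example for this thread, not any poster's own rules.
# Assumptions (not from the thread): outside interface eth0, SSH on TCP
# 1234 as in the first post, no DNS service offered to other hosts.
# Run with APPLY=1 as root to load the rules; otherwise they are printed.

IPT=${IPT:-iptables}
WAN=${WAN:-eth0}
SSH_PORT=${SSH_PORT:-1234}

generate_rules() {
    # 1. Clean slate and default-deny in every direction.
    echo "$IPT -F"
    echo "$IPT -X"
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT DROP"

    # 2. Loopback: named/rndc on 127.0.0.1 and local database sockets need this.
    echo "$IPT -A INPUT  -i lo -j ACCEPT"
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"

    # 3. Conntrack does the work: return traffic for any connection allowed
    #    below matches here regardless of port, so no --sport rules are needed.
    #    -m conntrack --ctstate is the current spelling of -m state --state.
    echo "$IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A INPUT  -m conntrack --ctstate INVALID -j DROP"

    # 4. Inbound services: only the first packet (NEW) has to be listed.
    #    FTP data connections are only seen as RELATED if the helper is
    #    loaded (modprobe nf_conntrack_ftp).
    for p in "$SSH_PORT" 80 443 21; do
        echo "$IPT -A INPUT -i $WAN -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "$IPT -A INPUT -i $WAN -p icmp --icmp-type echo-request -j ACCEPT"

    # 5. Outbound: DNS over UDP and TCP, HTTP/HTTPS for yum, wget and curl
    #    (the Facebook API calls are HTTPS), NTP, and ping.  --sport is kept
    #    away from -m multiport, which otherwise swallows it as its own option.
    echo "$IPT -A OUTPUT -o $WAN -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    echo "$IPT -A OUTPUT -o $WAN -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    echo "$IPT -A OUTPUT -o $WAN -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT"
    echo "$IPT -A OUTPUT -o $WAN -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT"
    echo "$IPT -A OUTPUT -o $WAN -p icmp --icmp-type echo-request -j ACCEPT"

    # 6. Log what the policy is about to drop, rate limited so a port scan
    #    cannot fill the disk; the prefix makes the lines easy to grep.
    echo "$IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix 'IPT-IN-DROP: '"
    echo "$IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix 'IPT-OUT-DROP: '"
}

# Number of -A rules generated for a chain (for review and for testing).
count_rules() {
    generate_rules | grep -c -- "-A $1 "
}

if [ "${APPLY:-0}" = "1" ]; then
    generate_rules | sh -e
else
    generate_rules
fi
```

Once the rules are loaded and the site, yum and the app have been checked, save them with `iptables-save > /etc/sysconfig/iptables` (the file the Fedora iptables service loads at boot); until then a reboot reverts to whatever was there before. Anything still being refused shows up in the kernel log with the IPT-IN-DROP or IPT-OUT-DROP prefix, which answers the "what port is it using?" question without guessing.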
  #12  
Old 7th December 2011, 06:03 AM
Evil_Bert
Retired Again - Administrator
Join Date: Nov 2007
Location: 'straya
Posts: 3,289
Re: Iptables rules

If you want to watch the conntrack helper module doing its thing, then, in a terminal window, run the following:

Code:
su -
iptstate
Use CTRL-c to exit iptstate.
__________________
Marching to the beat of his own conundrum.
  #13  
Old 7th December 2011, 08:47 AM
agriz
Registered User
Join Date: May 2011
Posts: 66
Re: Iptables rules

Thanks for the information!

Quote:
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
I have these two rules added in iptables.
But I still have a problem with DNS.
  #14  
Old 7th December 2011, 11:22 AM
Evil_Bert
Retired Again - Administrator
Join Date: Nov 2007
Location: 'straya
Posts: 3,289
Re: Iptables rules

How are you testing whether DNS is working?

It would help if you posted your active rules. To do that, use:

Code:
iptables -L -n -v
... and copy-and-paste the results in this thread.
__________________
Marching to the beat of his own conundrum.
  #15  
Old 7th December 2011, 09:25 PM
agriz
Registered User
Join Date: May 2011
Posts: 66
Re: Iptables rules

Code:
Chain INPUT (policy DROP 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination
  565  195K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1234 state NEW,ESTABLISHED
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmp type 8 state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmp type 0 state NEW,RELATED,ESTABLISHED
   83  4856 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10000 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:1234 state ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 289 packets, 55454 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1   108 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:1234 state ESTABLISHED
    0     0 ACCEPT     icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0            icmp type 0 state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0            icmp type 8 state RELATED,ESTABLISHED
  453  384K ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:443 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:10000 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:21 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:1234 state NEW,ESTABLISHED
The above rules block my website.
When I enter the URL, I get "server not found". Once I stop iptables, the site starts to work.

** 1234 is the custom SSH port.

---------- Post added at 05:37 PM ---------- Previous post was at 11:29 AM ----------

Are those rules correct?

---------- Post added at 07:53 PM ---------- Previous post was at 05:37 PM ----------

Quote:
Originally Posted by Evil_Bert View Post
How are you testing whether DNS is working?
I am checking using

Code:
nslookup ip.address
Correct me if I am wrong.

Code:
Output for nslookup ipaddress

Server:         4.2.2.2
Address:        4.2.2.2#53

** server can't find xx.xx.xx.xx.in-addr.arpa.: NXDOMAIN
Output for nslookup website.com
Code:
;; connection timed out; no servers could be reached
....

Code:
service named status
Code:
WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
rndc: connect failed: 127.0.0.1#953: connection refused
named is running...


---------- Post added at 09:25 PM ---------- Previous post was at 07:53 PM ----------

Code:
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I OUTPUT 1 -o lo -j ACCEPT
One of my friends advised me to use these two rules.
Are they good to use?
Are those rules correct? He is unsure; he said they might be the right rules.

Last edited by agriz; 7th December 2011 at 08:20 PM.
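The `iptables -L -n -v` listing above is where the answer to "why does the site stop answering?" lives, and the checks are mechanical enough to script. The following is an added example, not something from the thread: it reads a listing from `iptables -L -n -v` (the sample embedded in it is the listing posted above, trimmed to the rules the checks look at) and reports a DROP policy that has counted packets, a missing loopback rule in either chain, the absence of a protocol-independent ESTABLISHED,RELATED rule, and the absence of any rule for port 53. Set LIVE=1 to run it as root against the running firewall instead of the sample.

```shell
#!/bin/sh
# Audit an `iptables -L -n -v` listing for the omissions that usually explain
# "it works until I start the firewall".  Added example for this thread, not
# code from any post.  The sample is the listing posted above, trimmed.

# Constructed sample input (copied from the listing in the thread).
SAMPLE_LISTING='Chain INPUT (policy DROP 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination
  565  195K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1234 state NEW,ESTABLISHED
   83  4856 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 289 packets, 55454 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1   108 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:1234 state ESTABLISHED
  453  384K ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED'

# audit_listing: read a listing on stdin, print one finding per line.
# Columns of a -v listing: pkts bytes target prot opt in out source destination [match text]
audit_listing() {
    awk '
    /^Chain / {
        chain = $2
        # "Chain INPUT (policy DROP 1 packets, 40 bytes)": a DROP policy with a
        # non-zero packet count means some wanted traffic has no matching rule.
        if ($3 == "(policy" && $4 == "DROP" && $5 + 0 > 0)
            printf("policy-drop %s: %s packets hit the DROP policy, so a needed rule is missing\n", chain, $5)
        next
    }
    /^ *pkts/ || NF == 0 { next }
    {
        if (chain == "INPUT"  && $3 == "ACCEPT" && $6 == "lo") lo_in = 1
        if (chain == "OUTPUT" && $3 == "ACCEPT" && $7 == "lo") lo_out = 1
        # A reply rule that is not tied to one protocol ("all") covers UDP DNS
        # answers and ICMP errors as well as TCP.
        if (chain == "INPUT"  && $3 == "ACCEPT" && $4 == "all" && $0 ~ /ESTABLISHED/) reply_in = 1
        if ($0 ~ /dpt:53( |$)/) dns = 1
    }
    END {
        if (!lo_in)    print "missing INPUT: no -i lo ACCEPT rule (named, rndc and anything else on 127.0.0.1 is dropped)"
        if (!lo_out)   print "missing OUTPUT: no -o lo ACCEPT rule"
        if (!reply_in) print "missing INPUT: no protocol-independent ESTABLISHED,RELATED rule, replies to outbound connections are dropped"
        if (!dns)      print "missing: no rule mentions port 53, so DNS depends entirely on the chain policy"
    }'
}

# audit_sample: run the checks over the embedded listing.
audit_sample() { printf '%s\n' "$SAMPLE_LISTING" | audit_listing; }
# audit_live: run the checks over the rules currently loaded (needs root).
audit_live()   { iptables -L -n -v | audit_listing; }

if [ "${LIVE:-0}" = "1" ]; then audit_live; else audit_sample; fi
```

Against the posted listing this reports the one packet that hit the INPUT DROP policy, the missing loopback rules in both chains, and that nothing mentions port 53; the ctstate RELATED,ESTABLISHED rule at the top of INPUT is recognised, so that check stays quiet. The two `-i lo` / `-o lo` rules suggested at the end of the post are exactly what the first two findings ask for.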