How can i make these ip-table rules work, with my openELEC system?

Dannermax · 01-13-2015, 09:09 PM

Hello alll

I have a set of IP table rules, which I am using with my raspberry pie to only allow outgoing internet traffic through a VPN connection. These are working great. But I have a media center as well, running openELEC which I also want to use with the same IP table rules. But when I apply them, all Internet connection is blocked.below are the working rules from my Respberry pi:

Code:

#!/bin/sh
/sbin/iptables -A INPUT -p tcp --dport 22 -s 192.168.1.50 -j ACCEPT
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 138 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 137 -j ACCEPT
/bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @$
/sbin/iptables -A OUTPUT -o eth0 -j LOG
/sbin/iptables -A OUTPUT -p udp -d 192.168.1.0/24 -m udp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp -d 192.168.1.50 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j REJECT
/sbin/iptables -A INPUT -i tun0 -p tcp --dport 11633 -j ACCEPT
/sbin/iptables -A INPUT -i tun0 -p udp --dport 11633 -j ACCEPT
exit 0

And here are the rules I am trying to run on my openELEC system. I have changed the paths so they are correct.
Also the rule in line 11 has been changed, because it gave an Error when I executed it. And I was told this: "openelec (busybox) doesn't support I argument with xargs."
So I was told to use another line instead which you can see below.

And the rule in line 12 gives this error:
Iptables: no chain/target/Match by that name
So I just commented it out!

Code:

bin/sh
/usr/sbin/iptables -A INPUT -p tcp --dport 22 -s 192.168.1.46 -j ACCEPT
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 138 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 137 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -d vpn.provider.com -j ACCEPT
#/usr/sbin/iptables -A OUTPUT -o eth0 -j LOG
/usr/sbin/iptables -A OUTPUT -p udp -d 192.168.1.0/24 -m udp --dport 53 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp -d 192.168.1.46 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -j REJECT
/usr/sbin/iptables -A INPUT -i tun0 -p tcp --dport 11633 -j ACCEPT
/usr/sbin/iptables -A INPUT -i tun0 -p udp --dport 11633 -j ACCEPT
exit 0

I don't know if it is relevant, but I am connecting to the VPN service on my openELEC with this command:

Code:

sleep 10s
openvpn /storage/.config/vpn-config/my.vpn.provider.ovpn &

And works great without the rules
And im using a different provider,than the one on my pi. (probably not relevant)

I have tried asking for help in the forum for this system, but they are not able to help me any further .I sincerely thank You all, for your time!

EDIT
This is the log from xbmc when the IP table rules are applied and I try to search for a movie trailer:

Quote:

19:53:54 T:139944479966976 NOTICE: Previous line repeats 1 times.
19:53:54 T:139944479966976 NOTICE: Thread RSSReader start, auto delete: false
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139943368353536 NOTICE: Thread JobWorker start, auto delete: true
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.

fotoguy · 01-14-2015, 02:11 PM

Quote:

/sbin/iptables -A OUTPUT -p udp -d 192.168.1.0/24 -m udp --dport 53 -j ACCEPT

Looks like a typo error here with this line if both script

Quote:

-m udp

change this too

Quote:

/sbin/iptables -A OUTPUT -p udp -d 192.168.1.0/24 --dport 53 -j ACCEPT

Also a good idea to flush all your rules and set default policies, if you keep running the same script over and over without flushing you wont get rid of any previous rules
I would put this at the top of the script.

Quote:

/usr/sbin/iptables -F
/usr/sbin/iptables -t mangle
/usr/sbin/iptables -t nat
/usr/sbin/iptables -X
/usr/sbin/iptables -X -t mangle
/usr/sbin/iptables -X -t nat
/usr/sbin/iptables -Z
/usr/sbin/iptables -Z -t mangle
/usr/sbin/iptables -Z -t nat

/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -P OUTPUT DROP

With not getting internet connection, that might be because your getting your ip address fron a DHCP server, and when you first boot your machine it will actually not have any ipddress assigned to it, so it will send out a request on the broadcast address with a source of 0.0.0.0 and a destination of 255.255.255.255. Try this rule at the top of the script.

Quote:

/usr/sbin/iptables -A OUTPUT -o eth0 -s 0.0.0.0 -d 255.255.255.255 --sport 67:68 --dport 67:68 -j ACCEPT

Dannermax · 01-14-2015, 05:31 PM

Hi and thanks for your reply

I did what you suggested, but was returned with this one error:

Code:

enELEC:~ # ./script.sh
./script.sh: line 3: --sport: not found

The script looks like this now:

Code:

 GNU nano 2.3.5                File: script.sh

#!/bin/sh
/usr/sbin/iptables -A OUTPUT -o eth0 -s 0.0.0.0 -d 255.255.255.255 --sport 67:68 --dport 67:68 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 22 -s 192.168.1.46 -j ACCEPT
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTA$
/usr/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 $
/usr/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 138 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 137 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -d france.privateinternetaccess.com -j ACCEPT
#/usr/sbin/iptables -A OUTPUT -o eth0 -j LOG
#/usr/sbin/iptables -A OUTPUT -p icmp -m state --state NEW -m icmp --icmp-type 8
#/usr/sbin/iptables -A INPUT -s 192.168.1.0/24 -p icmp -j ACCEPT
/usr/sbin/iptables -A OUTPUT -p udp -d 192.168.1.0/24 --dport 53 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp -d 192.168.1.46 --dport 22 -m state --st$
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -$
/usr/sbin/iptables -A OUTPUT -o eth0 -j REJECT
/usr/sbin/iptables -A INPUT -i tun0 -p tcp --dport 11633 -j ACCEPT
/usr/sbin/iptables -A INPUT -i tun0 -p udp --dport 11633 -j ACCEPT
exit 0

Dannermax · 01-16-2015, 01:56 AM

And when I add these rules to the script

Code:


#!/bin/sh
/usr/sbin/iptables -F
/usr/sbin/iptables -t mangle
/usr/sbin/iptables -t nat
/usr/sbin/iptables -X
/usr/sbin/iptables -X -t mangle
/usr/sbin/iptables -X -t nat
/usr/sbin/iptables -Z
/usr/sbin/iptables -Z -t mangle
/usr/sbin/iptables -Z -t nat

/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -P OUTPUT DROP

I get this output:

Code:

OpenELEC:~ # nano script.sh
OpenELEC:~ # ./script.sh
iptables v1.4.21: no command specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: no command specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: unknown option "--sport"
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: host/network `vpn.host.com' not found
Try `iptables -h' or 'iptables --help' for more information
OpenELEC:~ #

My system is set up with a static IP, and I am running the script after the system has started up, for testing purposes.what can we do next?

fotoguy · 01-17-2015, 03:34 AM

ok maybe drop the --sport --dport from the line

Quote:

/usr/sbin/iptables -A OUTPUT -o eth0 -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT

but if your running a static ipaddress, then this wont be needed. Not getting any web access maybe your DNS settings are not set correctly, your DNS information comes from your /etc/resolv.conf which is usually handled by DHCP server when your allocated and ipaddress, generally this is usually pointed to your gateway, or ISP's dns servers eg.

Quote:

nameservers 192.168.1.254
nameservers 111.222.333.444

The mangle error comes from the mangle module not be loaded, you can remove that line since your not using that module

Quote:

/usr/sbin/iptables -F
/usr/sbin/iptables -t nat
/usr/sbin/iptables -X
/usr/sbin/iptables -X -t nat
/usr/sbin/iptables -Z
/usr/sbin/iptables -Z -t nat

/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -P OUTPUT DROP

Dannermax · 01-20-2015, 01:51 AM

Right so I understand now that my problem here is a DNS issue.but I was wondering if something in my IP Table rules are creating this issue? Because I found this simple set of rules:

Code:

#!/bin/sh
# Delete all existing rules
iptables -F

# Allow from local network
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT

# Allow OpenVPN
iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT

# Deny eth0
iptables -A OUTPUT -o eth0 -j DROP

Won't this do about the same as the before mentioned rules? Because when I load these rules, I do not have any issues at all.what would you suggest that I did with this problem? My apologies for this late reply...