My firewalls/iptables setup, don't think it's doing it's job
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
In my router I have enabled ipv4 and ipv6 firewalls and port forwarded 51414 for torrenting. On iptables, I did not enable 51414. Yet rTorrent can still use that port and run torrents, where is my iptables layer of protection? As you can see I only accepted 137-139+445 but not 51414.
Two things:
0) Please make it a habit to post (sudo) 'iptables-save;' output instead of anything else. That lists the current rule set in an unambiguous way most users understand.
1) On your machines firewall you have a default INPUT chain policy:
Code:
Chain INPUT (policy DROP)
that should deny all traffic except it's negated by the first two rules:
Code:
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
that basically read "allow back traffic from connections this machine initiated" and "allow traffic from connections a remote machine initiated". So basically you're allowing everything.
There's some rules I can't make sense of so if you post (sudo) 'iptables-save;' output I'll craft you a rule set that makes sense (at least to me ;-p), OK?
Two things:
0) Please make it a habit to post (sudo) 'iptables-save;' output instead of anything else. That lists the current rule set in an unambiguous way most users understand.
1) On your machines firewall you have a default INPUT chain policy:
Code:
Chain INPUT (policy DROP)
that should deny all traffic except it's negated by the first two rules:
Code:
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
that basically read "allow back traffic from connections this machine initiated" and "allow traffic from connections a remote machine initiated". So basically you're allowing everything.
There's some rules I can't make sense of so if you post (sudo) 'iptables-save;' output I'll craft you a rule set that makes sense (at least to me ;-p), OK?
Here it is, and thanks a lot!
Quote:
# Generated by iptables-save v1.4.21 on Sun Oct 11 03:26:05 2015
*raw
:PREROUTING ACCEPT [261069:290277928]
:OUTPUT ACCEPT [199065:24789489]
COMMIT
# Completed on Sun Oct 11 03:26:05 2015
# Generated by iptables-save v1.4.21 on Sun Oct 11 03:26:05 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [199065:24789489]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 137 -j ACCEPT
-A TCP -p tcp -m tcp --dport 138 -j ACCEPT
-A TCP -p tcp -m tcp --dport 139 -j ACCEPT
-A TCP -p tcp -m tcp --dport 445 -j ACCEPT
COMMIT
# Completed on Sun Oct 11 03:26:05 2015
# Generated by iptables-save v1.4.21 on Sun Oct 11 03:26:05 2015
*nat
:PREROUTING ACCEPT [402:18982]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [4287:269865]
:POSTROUTING ACCEPT [4349:272345]
COMMIT
# Completed on Sun Oct 11 03:26:05 2015
# Generated by iptables-save v1.4.21 on Sun Oct 11 03:26:05 2015
*mangle
:PREROUTING ACCEPT [261069:290277928]
:INPUT ACCEPT [261067:290277582]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [199065:24789489]
:POSTROUTING ACCEPT [199172:24809179]
COMMIT
# Completed on Sun Oct 11 03:26:05 2015
# Generated by iptables-save v1.4.21 on Sun Oct 11 03:26:05 2015
*security
:INPUT ACCEPT [260469:290235616]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [199065:24789489]
COMMIT
# Completed on Sun Oct 11 03:26:05 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# For logging: -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW --dport 51414 -m limit --limit 1/s -j LOG --log-prefix "in_tcp_BT "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -m multiport --dports 137:139,51414 -j ACCEPT
# For logging: -A INPUT -p udp -m udp -m conntrack --ctstate NEW --dport 51414 -m limit --limit 1/s -j LOG --log-prefix "in_udp_BT "
-A INPUT -p udp -m udp -m conntrack --ctstate NEW -m multiport --dports 137:139,51414 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
# -A INPUT -p tcp -j REJECT --reject-with tcp-reset
# -A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
Ditching the raw, nat and mangle tables (no rules using them.) we only keep the filter table. In filter table I put loop back device rule first so we then know remaining rules are for Ethernet devices. I removed the custom TCP and UDP chains as they only contain one rule. This also allows one to combine protocol rules (notice "multiport" module). Note I removed TCP+UDP/445 as I doubt you'll be using an AD machine? Note also the commented out rules which are redundant due to "DROP" Policy. *Also also note the "# For logging: " rules I've added but commented out so you can see (log) what (new) Bittorrent traffic is reaching you on those ports. Do note the majority of remote client BT traffic will be UDP-based, TCP for connecting to trackers.
How to test and enable this rule set?
Code:
# Prefix 'sudo' where necessary:
# First backup your old rule set:
iptables-save > /etc/iptables/iptables.rules.sav
# Now save above rule set to a (any) file, say "/etc/iptables/iptables.rules.new" and test it:
iptables-restore -v -t < /etc/iptables/iptables.rules.new
# and if no errors show activate it:
iptables-restore < /etc/iptables/iptables.rules.new
# Do test it some time and to make it permanent use:
iptables-save > /etc/iptables/iptables.rules
# *Do note saving rule sets in this way removes commented out rules.
Ditching the raw, nat and mangle tables (no rules using them.) we only keep the filter table. In filter table I put loop back device rule first so we then know remaining rules are for Ethernet devices. I removed the custom TCP and UDP chains as they only contain one rule. This also allows one to combine protocol rules (notice "multiport" module). Note I removed TCP+UDP/445 as I doubt you'll be using an AD machine? Note also the commented out rules which are redundant due to "DROP" Policy. *Also also note the "# For logging: " rules I've added but commented out so you can see (log) what (new) Bittorrent traffic is reaching you on those ports. Do note the majority of remote client BT traffic will be UDP-based, TCP for connecting to trackers.
That's strange didn't even see those two rules with accept all. I don't know how I managed to add that!
And I don't use AD but I think 445 is required to browse windows shares? this ruleset is great, I'm going to learn nmap/wireshark now so I probably don't need to use those logging rules.
And I don't use AD but I think 445 is required to browse windows shares?
Check the SMB protocol specs?
Quote:
Originally Posted by PACMANchasingme
I'm going to learn nmap/wireshark now so I probably don't need to use those logging rules.
Suit yourself. While using these logging rules is more efficient (no need for BPF filters, following sessions etc, etc) Linux is the networked OS so any exercise involving tcpdump / tshark / Wireshark is commendable, useful, beneficial in the long run.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
