LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-25-2010, 10:43 PM   #1
mrmnemo
Member
 
Registered: Aug 2009
Distribution: linux
Posts: 527

Rep: Reputation: 51
A question regarding iptables rules and OUTPUT filters


Hi!

I put together the following filter set :
Code:
#!/bin/sh

###To understand this script, reference the No Starch Press Linux Firewalls Book.

MODPROBE=/sbin/modprobe
IPT=/sbin/iptables
IPTSV=/sbin/iptables-save
IPT6=/sbin/ip6tables
IPT6SV=/sbin/ip6tables-save

### flush / drop policy sets
echo "[+] Flushing existing rules with DEFAULT of DROP [+]"
echo "[+] IPv4 [+]"
	$IPT -F
	$IPT -F -t nat
	$IPT -X
	$IPT -P INPUT DROP
	$IPT -P OUTPUT DROP
	$IPT -P FORWARD DROP

echo "[+] IPv6 [+]"
	$IPT6 -F
	$IPT6 -F -t nat
	$IPT6 -X
	$IPT6 -P INPUT DROP
	$IPT6 -P OUTPUT DROP
	$IPT6 -P FORWARD DROP
	
###Module Loading: many of these may already be loaded. Also, running lsmod will aide in tracking down issues with module loading.
echo "[+] Loading modules for state tracking [+]"
	$MODPROBE ip_conntrack
	$MODPROBE iptable_nat
	$MODPROBE ip_conntrack_ftp
	$MODPROBE ip_nat_ftp

###INPUT rules: Allowing only ESTABLISHED / RELATED 
echo "[+] Setting up INPUT table [+]"
	$IPT -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
	$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP	
	$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
	
###INPUT rules: anti-spoofing rules. How to set up anti-spoofing rules on single-homed system.

###INPUT rules: INPUT from internal network, or specific services.
        $IPT -A INPUT -p tcp -m multiport --ports 137:139,445 -j ACCEPT
        $IPT -A INPUT -p udp -m multiport --ports 13:139,445 -j ACCEPT
###INPUT rules: LOG rules.
	$IPT -A INPUT -i ! lo -j LOG --log-prefix "DROP" --log-ip-options --log-tcp-options
	
echo "[+] Done [+]"

###OUTPUT rules
echo "[+] Setting up OUTPUT table [+]"
	$IPT -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
	$IPT -A OUTPUT -m conntrack --ctstate INVALID -j DROP

###OUTPUT rules: Allowed out
	$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
	$IPT -A OUTPUT -p tcp --dport 21 --syn -m conntrack --ctstate NEW -j ACCEPT
	#$IPT -A OUTPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT
	$IPT -A OUTPUT -p tcp --dport 25 --syn -m conntrack --ctstate NEW -j ACCEPT
	$IPT -A OUTPUT -p tcp --dport 43 --syn -m conntrack --ctstate NEW -j ACCEPT
	$IPT -A OUTPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
	$IPT -A OUTPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
	$IPT -A OUTPUT -p tcp --dport 4321 --syn -m conntrack --ctstate NEW -j ACCEPT
	$IPT -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
	$IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
	$IPT -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
	$IPT -A OUTPUT -p tcp -m multiport --ports 137:139,445 -j ACCEPT
        $IPT -A OUTPUT -p udp -m multiport --ports 137:139,445 -j ACCEPT
###OUTPUT rules: LOG rule
	$IPT -A OUTPUT -o ! lo -j LOG --log-prefix "DROPED OUTBOUND" --log-ip-options --log-tcp-options
I wanted to know how to allow certain APPLICATIONS through the OUTBOUND tables. For example, I wish to be able to use tools such as nmap,tracepath, and traceroute. However, I am not sure where to look to understand the ports to open. I was starting to think that maybe rather than ports to open it would need to be somehthing like tcp flags that would ned to be allowed. Any way, I have tried google and am still haing problems.
I started wanting to use these tools due to getting ready for my network+ and security+ certs. I would really appreciate the help.
 
Old 08-27-2010, 06:39 PM   #2
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,395
Blog Entries: 2

Rep: Reputation: 903Reputation: 903Reputation: 903Reputation: 903Reputation: 903Reputation: 903Reputation: 903Reputation: 903
/etc/services normally contains a fairly complete list of ports used by standard services. I think there is at least one version that is vetted by IANA or some such organization.

--- rod.
 
1 members found this post helpful.
Old 08-27-2010, 10:29 PM   #3
mrmnemo
Member
 
Registered: Aug 2009
Distribution: linux
Posts: 527

Original Poster
Rep: Reputation: 51
thanks man. Guess I should have looked at some man pages. Nmap at least seems to be --source-port ( wow.. ) . thanks for trying to address my stupid question.
 
  


Reply

Tags
iptables


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Output conection Public IP - Iptables, Route Rules andreirp Linux - Networking 10 02-09-2009 03:59 AM
iptables rules question... fw12 Linux - Security 4 02-25-2007 10:11 PM
Question about iptables rules huanvnn Linux - Security 4 06-02-2006 09:05 PM
Question about IPtables/firewall rules ilan1 Linux - Security 3 02-20-2006 11:58 PM
iptables OUTPUT rules: DROP by process (PID)? gregory76 Linux - Security 6 07-11-2003 04:28 PM


All times are GMT -5. The time now is 11:12 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration