Blocking almost everything with iptables
Hello.
For several days I've been trying to create firewall rules in iptables for my router. I've tried several scripts found on the net but I can't get it to work. What I want it to do is:
* Deny everything from the outside, except a few specified rules (like established connections and such)
* Deny all traffic out, except the traffic on a few specified ports
* Masquerade the local LAN
Example: I want to be able to ssh (doesn't matter on what port) to the firewall. I also want the firewall to block all the traffic from the inside that I haven't allowed, in case one of the machines gets compromised. I would like to point out that I'll happily write the rules myself, to hopefully learn something, so if someone could explain how to do it, it would be really appreciated. If you want to write the rules anyway, if that's easier, that's fine. Please just try to have a few comments explaining what they do. I'm posting my own rules here, for you to take a look if you like.
Code:
iptables -P INPUT DROP
Sorry for my bad English. Thanks in advance.
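The rule set the post above asks for, as an added example rather than the script posted in this thread: default-deny in all three chains, stateful replies, SSH to the router, a short list of outbound ports, masquerading, and logging of what gets dropped. Interface names (eth0 LAN, eth1 WAN), the 10.0.0.0/24 LAN subnet, the port lists and the file name fw.sh are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's script): stateful default-deny firewall for a
# two-interface router, per the requirements above. Interface names, LAN subnet
# and port lists are assumptions; adjust them for your box.
IPT="${IPT:-/sbin/iptables}"        # path to the iptables binary
WAN="${WAN:-eth1}"                  # assumed WAN interface
LAN="${LAN:-eth0}"                  # assumed LAN interface
LAN_NET="${LAN_NET:-10.0.0.0/24}"   # assumed LAN subnet
OUT_TCP="${OUT_TCP:-22 53 80 443}"  # outbound TCP allowed (ssh, dns, http, https)
OUT_UDP="${OUT_UDP:-53 123}"        # outbound UDP allowed (dns, ntp)

# Every rule goes through run(): with DRY_RUN=1 the command is printed instead
# of executed, so the whole rule set can be reviewed without root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}
apply_firewall() {
    # Clean slate, then default-deny in every direction.
    run -F; run -t nat -F; run -X
    run -P INPUT DROP; run -P FORWARD DROP; run -P OUTPUT DROP
    # Loopback, replies to connections already allowed, and nothing malformed.
    run -A INPUT -i lo -j ACCEPT; run -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT FORWARD OUTPUT; do
        run -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
        run -A "$chain" -m state --state INVALID -j DROP
    done
    # SSH to the router itself, from either side.
    run -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Outbound: only listed ports (and ping) from the router and from LAN hosts
    # forwarded out the WAN; anything else a compromised LAN host tries is dropped.
    for p in $OUT_TCP; do
        run -A OUTPUT -o "$WAN" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
        run -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $OUT_UDP; do
        run -A OUTPUT -o "$WAN" -p udp --dport "$p" -j ACCEPT
        run -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp --dport "$p" -j ACCEPT
    done
    run -A OUTPUT -o "$WAN" -p icmp --icmp-type echo-request -j ACCEPT
    run -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT
    # Hide the LAN behind the WAN address.
    run -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # Log (rate-limited) what the DROP policy will refuse; grep DROP /var/log/messages shows them.
    for chain in INPUT FORWARD OUTPUT; do
        run -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "$chain DROP: "
    done
}

# "sh fw.sh apply" loads the rules (run as root); anything else only prints them.
case "${1:-}" in apply) apply_firewall ;; *) DRY_RUN=1; apply_firewall ;; esac
```

Review the printed rules first (no arguments), then run it with apply as root; because OUTPUT is default-deny, anything not in OUT_TCP or OUT_UDP will time out exactly like the ping problem described later in this thread.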
Here's a script to get you started (based on the one I use myself at home):
Code:
#!/bin/sh
Thanks a lot for the rules :D
I'm using Gentoo 2007. I'll try the rules out and come back to tell how it went :)
OK, so I copied the rules and made the script executable.
There's one "but" though: when I execute the script nothing happens. iptables -L doesn't show anything, and by that I mean nothing at all. There's just a "new line" after that, not the usual text about the different chains and such. What am I doing wrong? It's not only this script that acts like this, btw. Edit: Forgot to say that even the scripts that used to work (even if I managed to lock myself out with them) aren't working. Tried to make a normal script with:
Code:
#!/bin/bash
I've tried substituting all $IPT with iptables and so on, still nothing. Thanks for the help if anyone has experience with this; all iptables scripts work like this. Sorry if this is in the wrong forum.
You don't need to replace the $IPTs. Just make sure the IPT="" at the top has the right path to your iptables binary. Do you not get some sort of error message when you execute? You're doing this as root, right? Ummm... wait a second... You're saying you get absolutely nothing when you do an "iptables -L"? Something is definitely not right somewhere. Does your kernel have proper iptables support? Not sure what could be wrong.
PS: I just tested the script and it executes fine here.
I do have proper support for iptables, I think; at least I have almost everything loaded into the kernel (from iptables).
Let's just say I've compiled the kernel for as much support for iptables as possible. Also, I've compiled it for DNS and DHCP support, if that could help in any way in figuring this problem out. Is there any way to post my kernel config? Except for cat /usr/src/linux/.config (since it's _very_ long and doesn't really say anything if you don't know the names of the modules). Thanks in advance. Edit: Yes, I'm doing this as root. And I get absolutely nothing from executing the scripts.
The whole config would be too large to post. Maybe grep it for "NETFILTER" and stuff like that. Here's mine FWIW:
Code:
win32sux@candystore:~$ cat /boot/config-2.6.22-14-generic | grep NETFILTER
Code:
win32sux@candystore:~$ cat /boot/config-2.6.22-14-generic | grep IPTABLES
Code:
win32sux@candystore:~$ cat /boot/config-2.6.22-14-generic | grep _NF_
Solved it :)
After recompiling iptables it works again :) Thanks for the help =)
OK, sorry to be back. The problem is that I can't do anything but ssh on the WAN interface, in and out. When trying to ping or surf or whatever, it always times out. When I remove the rules, everything is fine again. I admit, I did edit the script, but only stuff that I thought was safe... However, when I try to ping or nslookup a DNS name it finds the IP address of the DNS name, even those that I haven't visited, so apparently some traffic is going out and back. Also, when I try to surf, links is trying to connect, so I guess the packets are going to the server but not back.
While trying to fix this firewall I'm behind a hardware router; this is how it looks: http://static3.filefront.com/images/...rrmgueohyr.jpg After editing the script to the following, both me and my friends have tried to figure out what's wrong:
Code:
#!/bin/sh
Edit: How do I link images? :S [img] doesn't work like in phpBB...
I am SSHing from the other machine in the picture, 192.168.0.2, into the Gentoo router's WAN interface.
Sorry that it didn't cross my mind to check the logs, should have been obvious... Anyway, here's the output of it:
Code:
Nov 7 22:00:01 firewall cron[32202]: PAM [dlerror: /lib/security/pam_limits.so: symbol pam_syslog, version LIBPAM_EXTENSION_1.0 not defined in file libpam.so.0 with link time reference]
/var/log/messages is the correct file to read, right? /var/log/dmesg contains the following (did only paste the last lines):
Code:
Netfilter messages via NETLINK v0.30.
Btw, can I have the logs from iptables in a separate logfile?
Actually I was expecting to see "DROP" entries in the /var/log/syslog file.
You should try to SSH to the LAN side in addition to the WAN side.
Made a cat /var/log/messages | grep DROP (don't have any /var/log/syslog; the syslog-ng conf file is only referring to this file anyway).
Here are some of the results (did cut most of it and replaced my MAC addresses):
MAC with only xx = eth0 (LAN interface)
MAC with only yy = the interface in my box that's connected to the Gentoo box directly (on the Gentoo box's LAN interface, eth0)
Code:
Nov 8 21:14:51 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=16883 PROTO=UDP SPT=137 DPT=137 LEN=76
eth0: LAN interface
eth1: WAN interface
192.168.0.2: my comp on the WAN network (seen from the Gentoo box's view)
10.0.0.100: my comp on the LAN network (seen from the Gentoo box's view)
10.0.0.1: Gentoo eth0 (LAN)
firewall = the Gentoo box's hostname
Edit: found the following line as well:
Code:
Nov 8 21:16:56 firewall INPUT DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.255.255.255 LEN=244 TOS=0x00 PREC=0x00 TTL=128 ID=23322 PROTO=UDP SPT=138 DPT=138 LEN=224
Did it bring any light?
Those look like Samba packets. You don't have any Samba rules, so the script seems to be working as it should.
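An added example, not from the thread, for reading LOG lines like the ones quoted above: a small awk summary that counts dropped packets per chain, protocol, destination port and source, so Samba broadcasts like the 137/138 hits stand out from anything unexpected. The log lines inside it are constructed samples and summarize_drops is an assumed name.

```shell
#!/bin/sh
# Added example (not from the thread): summarise iptables LOG lines like the ones
# quoted above, counting drops per chain, protocol, destination port and source
# so it is easy to see what the default policy refused. Sample lines are constructed.
SAMPLE_LOG='Nov 8 21:14:51 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=16883 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov 8 21:14:53 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=16884 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov 8 21:16:56 firewall INPUT DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.255.255.255 LEN=244 TOS=0x00 PREC=0x00 TTL=128 ID=23322 PROTO=UDP SPT=138 DPT=138 LEN=224
Nov 8 21:17:02 firewall FORWARD DROP: IN=eth0 OUT=eth1 SRC=10.0.0.100 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 8 21:17:05 firewall cron[32202]: unrelated message that must be ignored'

# summarize_drops: reads syslog lines on stdin and prints
# "<count> <chain> <proto> <dport> <src>" per distinct dropped flow, busiest first.
# The chain name is whatever precedes "DROP:" (the --log-prefix set in the rules),
# and every KEY=VALUE token after it is parsed so field positions do not matter.
summarize_drops() {
    awk '
    / DROP: / {
        chain = "?"; split("", kv)
        for (i = 1; i <= NF; i++) {
            if ($i == "DROP:") chain = $(i - 1)
            else if ((eq = index($i, "=")) > 0) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        dpt = ("DPT" in kv) ? kv["DPT"] : "-"   # ICMP lines carry no port
        count[chain " " kv["PROTO"] " " dpt " " kv["SRC"]]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Usage on a real box: grep DROP /var/log/messages | summarize_drops
echo "$SAMPLE_LOG" | summarize_drops
```

In the sample the NetBIOS name/datagram traffic (UDP 137 and 138 from 10.0.0.100) is expected noise from a Windows host, while a FORWARD drop to TCP 25 on the WAN side is the kind of line worth following up on.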