LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-26-2013, 12:37 AM   #1
JoseCuervo
Member
 
Registered: May 2007
Location: Delaware
Distribution: Ubuntu Server 12.04, Ubuntu 12.04.3, Tails 0.22, Kali
Posts: 61

Rep: Reputation: 17

Hello, the iptables that I created for my Ubuntu server has a gloabl deny rule that prevents Ubuntu from accessing the internet, and prevents windows computers on the network from seeing the Samba share I created. I have tried to use tcpdump to see what exactly I need to allow through the firewall, but the data is overwhelming. How can I parse the tcpdump information to show me what Ubuntu is doing, and what I need to allow? I'm completely new to this, I only learned Samba, iptables, vim, and pretty much Ubuntu in general in the last few days. That said, I can follow instructions and references fairly well.

My current iptables.rules:
Code:
# Generated by iptables-save v1.4.12 on Sun Feb 24 11:30:47 2013

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

##### Accept established traffic & loopback traffic
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

##### Accept Samba traffic from local network
-A INPUT -p udp -s 192.168.0.0/24 -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -s 192.168.0.0/24 -m udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT

##### Accept SSH connections only from Viki
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m mac --mac-source 1C:6F:65:C6:5D:37 -m tcp --dport 22 -j ACCEPT

##### Accept Minecraft from local network only, for now
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 25565 -j ACCEPT

##### Reject all other INPUT traffic
#-A INPUT -j REJECT

##### Reject all forwarded traffic
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

###### Allow OUTPUT on port 80
-A OUTPUT -d 91.189.92.200/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -d 91.189.91.13/32 -p tcp -m tcp --dport 80 -j ACCEPT

##### Allow Ubuntu to access update sites
-A OUTPUT -p tcp --dport 80 -d security.ubuntu.com -j ACCEPT
-A OUTPUT -p tcp --dport 80 -d us.archive.ubuntu.com -j ACCEPT

##### Allow any OUTPUT traffic on the network
-A OUTPUT -d 192.168.0.0/24 -j ACCEPT

##### Reject all other OUTPUT traffic
#-A OUTPUT -j REJECT

COMMIT
# Completed on Sun Feb 24 11:30:47 2013
I just need a way to find out what it is I'm not allowing through so that I can uncomment my global deny rules for INPUT and OUTPUT. My end goal is to lock this server to the exact minimum necessary. Thanks in advance!

So I just installed and ran wireshark on my Ubuntu VM, and then connected my windows 7 computer and played a show over the network (from Ubuntu to Windows). Wireshark showed 1700 packets in about 15 seconds, is that right? They were all between two IP addresses, which are the VM and host I'm guessing.

Last edited by unSpawn; 02-26-2013 at 05:47 AM. Reason: NN
 
Old 02-26-2013, 03:07 AM   #2
JoseCuervo
Member
 
Registered: May 2007
Location: Delaware
Distribution: Ubuntu Server 12.04, Ubuntu 12.04.3, Tails 0.22, Kali
Posts: 61

Original Poster
Rep: Reputation: 17
After watching wireshark for a while I realized that the Ubuntu VM I was using wasn't using the same addresses as the iptable rules had stipulated. I've modified them, and it seems to be working atm.
 
Old 02-26-2013, 06:06 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,470
Blog Entries: 54

Rep: Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901
Quote:
Originally Posted by JoseCuervo View Post
I have tried to use tcpdump to see what exactly I need to allow through the firewall, but the data is overwhelming. How can I parse the tcpdump information to show me what Ubuntu is doing, and what I need to allow? (..) I just need a way to find out what it is I'm not allowing through so that I can uncomment my global deny rules for INPUT and OUTPUT. My end goal is to lock this server to the exact minimum necessary.
The easiest way is to add LOG target rules before you DROP or REJECT, for example in the filter table INPUT chain:
Code:
-A INPUT -m state --state INVALID -j LOG --log-prefix "IN_drop_inv "
-A INPUT -m state --state NEW -j LOG --log-prefix "IN_drop_new "
-A INPUT -j REJECT

Quote:
Originally Posted by JoseCuervo View Post
(..) They were all between two IP addresses, which are the VM and host I'm guessing.
Commands like
Code:
ifconfig -a
ip link show
arp -a
and else router (DHCP daemon) logs, arpwatch or arphound should all be able to tell you about local addresses and those in use in your LAN so there's no need to "guess".
 
Old 02-27-2013, 02:22 AM   #4
JoseCuervo
Member
 
Registered: May 2007
Location: Delaware
Distribution: Ubuntu Server 12.04, Ubuntu 12.04.3, Tails 0.22, Kali
Posts: 61

Original Poster
Rep: Reputation: 17
Thanks unSpawn, all of those commands are useful to know. I'm unfortunately new enough that I'm asking a lot of questions, but learning fast enough that I seem to stumble onto an answer just as someone is explaining things to me. In case anyone else reads this thread and needs newbie level guidance, what I managed to do with a lot of suggestions from this site was run:
Code:
sudo tcpdump -w capturedPackets.log
which captured all of the traffic my system was seeing. I let it run for about ten minutes, made sure to do all of the things that I wanted my server to do such as updates and serving files with Samba, and then hit Control-C to end the tcpdump capture. Then I used
Code:
sudo wireshark capturedPackets.log
to examine the details of all of the traffic that I had captured. Wireshark incorporates filters that let me slowly eliminate traffic that I recognized, until I was left with what I had to allow through the firewall.
 
1 members found this post helpful.
  


Reply

Tags
iptables, server, tcpdump


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Re-routing outbound traffic jessicaK Linux - Networking 7 10-14-2008 03:25 PM
Anyone know if IPCOPS can filter outbound traffic? lumix Linux - Security 1 03-25-2007 01:23 PM
Excessive Outbound Traffic chandramani Linux - Security 1 01-29-2006 11:03 AM
Logging All Incoming / Outbound Traffic technick Linux - Security 1 10-24-2005 02:32 PM
Spike in outbound traffic- where to look? htmlcoder Linux - Security 3 03-19-2005 03:13 PM


All times are GMT -5. The time now is 06:18 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration