Firewalled too much..

jmoschetti45 · 03-09-2007, 07:10 PM

Apparently I've firewalled myself enough not to be able to resolve domain names. Not sure why though, but heres the settings:

[root@radio276 ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix `BANDWIDTH_IN:'
ACCEPT all -- localhost.localdomain localhost.localdomain
DROP tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtps
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:qmqp
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:atmtcp
DROP tcp -- !localhost.localdomain anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:irdmi
DROP tcp -- anywhere anywhere tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp

Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix `BANDWIDTH_OUT:'
LOG all -- anywhere anywhere LOG level debug prefix `BANDWIDTH_IN:'

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix `BANDWIDTH_OUT:'

musicman_ace · 03-09-2007, 07:52 PM

DNS uses port 53. I never really liked reading Iptable from that view, to me its much more complicated that looking at the actual rules.

jmoschetti45 · 03-09-2007, 08:04 PM

Opening port 53 doesn't seem to help

gilead · 03-09-2007, 09:07 PM

You'll need to open UDP port 53 for DNS.

jmoschetti45 · 03-09-2007, 09:12 PM

I did. I figured it was UDP not TCP.

gilead · 03-09-2007, 10:40 PM

Does that mean it's working now? If not, are your rules something like the following for UDP port 53?

Code:

iptables -t filter -A OUTPUT -p UDP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT  -p UDP --sport 53 -m state --state ESTABLISHED     -j ACCEPT

jmoschetti45 · 03-09-2007, 10:47 PM

ESTABLISHED helped a bit, now it hangs at making an http connection

jmoschetti45 · 03-09-2007, 10:59 PM

Applied the same idea to http/https/ftp. That fixed that. Any other common protocols I should add?

win32sux · 03-10-2007, 06:57 AM

Quote:

Originally Posted by jmoschetti45

Applied the same idea to http/https/ftp. That fixed that. Any other common protocols I should add?

are you referring to the ESTABLISHED rule?? if so, i'd recommend you just add a rule like this:

Code:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

to the top of your INPUT chain and you won't have to worry about making RELATED,ESTABLISHED rules for particular services (they would only need rules for packets of state NEW)... for example:

Code:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP --dport 443 -m state --state NEW -j ACCEPT
# Etc, etc, etc...

jmoschetti45 · 03-10-2007, 04:48 PM

Thanks! Seems to be working fine now.

jmoschetti45 · 03-13-2007, 07:49 PM

Whats a good port range to allow for passive ftp?

win32sux · 03-14-2007, 01:58 AM

Quote:

Originally Posted by jmoschetti45

Whats a good port range to allow for passive ftp?

thankfully, there is no need to open a port range for this (unlike back in the ipchains days), because it would be a security weakness... you only need port 21 to send packets of state NEW to ACCEPT, the rest is handled by the RELATED,ESTABLISHED rule at the top of the chain... ftp connection tracking will allow netfilter to inspect the tcp packets and detect which random port is being used for the passive ftp connection, hence no need for netfilter to have prior knowledge or opened port ranges... if your kernel doesn't have ftp conntrack support built-in then load the module/helper on your own:

Code:

/sbin/modprobe ip_conntrack_ftp