Old 10-04-2011, 01:04 AM   #1
narnie
Member
 
Registered: Jan 2010
Distribution: Linux Mint, Ubuntu Netbook Edition, et al
Posts: 106

Rep: Reputation: 17
How iptables directs to localhost in this series of iptable rules


Hello,

I have implemented a dansguardian system using dansguardian and privoxy. I borrowed a script from Ubuntu CE that makes it where a firewall program like firehol is not needed and it doesn't need a reconfigure of the proxy settings in browsers to be changed. I really like it that way. All is working well from that standpoint. I want to fully understand HOW it works on the iptables rules, though. I have most of it. Included is the code from my /etc/init.d/dansguardian_firewall init routine. Above this, I am going to make comments and ask questions. What I ask is for someone to help me understand fully how it works, esp. the postrouting nat and output nat rules that are the business end of sending all web requests to localhost where it can be managed by Dansguardian.

# I understand this flushes any -t filter rules

iptables -F

# This removes any user-created chains in -t filter

iptables -X

# This flushes any -t nat chain rules

iptables -t nat -F

# This removes any user-created -t nat chains

iptables -t nat -X

# This flushes -t mangle

iptables -t mangle -F

# This removes user-created -t mangle chains

iptables -t mangle -X

# This sets the firewall policies on FORWARD to accept, not sure what FORWARD does. Any explanation would be appreciated.

iptables -P FORWARD ACCEPT

# This sets the firewall policy to accept all outbound traffic

iptables -P OUTPUT ACCEPT

# Here is where I start having a lot of trouble. What does POSTROUTING mean versus PREROUTING, etc.? What is the -t nat actually doing? Is -o because it is being directed to localhost (127.0.0.1)? I understand -p tcp that this limits it to the tcp protocol (not UDP or both). --dport is short for -m tcp --dport 8080 to cause it to direct it to port 127.0.0.1:8080 where dansguardian is listening. What is -j SNAT --to 127.0.0.1 exactly doing? How is it directing to localhost in the first place? Why does it go on POSTROUTING instead of OUTPUT?

iptables -A POSTROUTING -t nat -o lo -p tcp --dport 8080 -j SNAT --to 127.0.0.1

# This is saying to make requests not by root and not to 127.0.0.1 route port 80 direct to localhost 8080 where dansguardian is listening, right? Further elaboration is appreciated. If this is so, it would make more sense to me to have this rule before the previous rule. Does it matter? If so, why? Why is it on OUTPUT and not POSTROUTING?

iptables -A OUTPUT -t nat ! -d 127.0.0.1 -p tcp --dport 80 -m owner ! --uid-owner root -j REDIRECT --to-ports 8080

# Sets the policy on incoming connections to DROP (modified by the rules below)

iptables -P INPUT DROP

# This makes inbound requests to localhost accepted. Why is this necessary? If this isn't included, then web sites won't load. I'm sure it has to do with dansguardian working over localhost, but please give me a more full understanding.

iptables -A INPUT -i lo -j ACCEPT

# Here is something I really don't understand. If this rule isn't included, allowed and blocked web sites won't load. I removed the RELATED, and it still loaded. I removed just the ESTABLISHED, and it wouldn't load. What is it that is established that it is accepting? Much elaboration needed here.

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#I wrote many of these rules below and understand why they work. It is looking for new connection attempts to those ports that are needed for various services (I don't run a web or mail server, so I don't leave those open).

## Open port for ssh server (22), web server (80), and mail server (25)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
#iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
#iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

## Uncomment below to open NFS ports, edit the port according to the actual setting
iptables -A INPUT -p tcp --dport 111 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 111 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 2049 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 2049 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 4045 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 4045 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 32771 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 32771 -m state --state NEW -j ACCEPT
## Open ports for NFS end

#Accept Ping request
iptables -A INPUT -p icmp -j ACCEPT

## Drop other packets, Logging, and closing firewall.

#What is this rule actually doing?

iptables -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP

#What is this rule actually doing?

iptables -A INPUT -d 224.0.0.1 -j DROP

#What is this rule actually doing?

iptables -A INPUT -j LOG

#What is this rule actually doing?

iptables -A INPUT -j REJECT

Further explanation is much appreciated.

Kind Regards,
Narnie

Code:
#!/bin/bash
### BEGIN INIT INFO
# Provides: dansguardian_firewall
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: firewall
# Description: Start, stop or reload firewall.
### END INIT INFO
#cat /etc/init.d/dansguardian_firewall

set -e

case "$1" in
start)
echo -e "\nStarting Ubuntu CE firewall .....\n"
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A POSTROUTING -t nat -o lo -p tcp --dport 8080 -j SNAT --to 127.0.0.1
iptables -A OUTPUT -t nat ! -d 127.0.0.1 -p tcp --dport 80 -m owner ! --uid-owner root -j REDIRECT --to-ports 8080
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

## Open port for ssh server (22), web server (80), and mail server (25)
iptables -A INPUT -p tcp --dport 50505 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

## Uncomment below to open NFS ports, edit the port according to the actual setting
iptables -A INPUT -p tcp --dport 111 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 111 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 2049 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 2049 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 4045 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 4045 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 32771 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 32771 -m state --state NEW -j ACCEPT
## Open ports for NFS end

#Accept Ping request
iptables -A INPUT -p icmp -j ACCEPT

## Drop other packets, Logging, and closing firewall.
iptables -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP
iptables -A INPUT -j LOG
iptables -A INPUT -j REJECT
;;

stop)
echo -e "\nFlushing firewall and setting default policies to ACCEPT\n"
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
;;

status)
echo "FILTER POLICY"
iptables -L
echo ; echo "NAT POLICY"
iptables -t nat -L
;;

restart|force-reload)
$0 stop
$0 start
;;
*)
echo "Usage: /etc/init.d/ubuntu_ce_firewall {start|stop|restart|force-reload|status}"
exit 1
;;
esac
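To make the packet walk concrete, here is an added model (example code, not from the thread or from the Ubuntu CE script) of how the posted nat and filter rules treat a few constructed packets: the non-root browser request is rewritten by nat OUTPUT, re-routed out lo, has its source rewritten by nat POSTROUTING and then re-enters through INPUT where `-i lo` accepts it, while the reply coming back from the internet is accepted only by the ESTABLISHED rule. It assumes the interface names eth0 and lo, the ssh port 22 from the annotated listing, and leaves the NFS rules out.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    uid: int = 1000        # owner of the sending socket (0 = root); only meaningful for local packets
    iface_in: str = ""     # interface the packet arrived on, as seen by INPUT
    state: str = "NEW"     # conntrack state as seen by -m state

def nat_output(p):
    # nat OUTPUT: ! -d 127.0.0.1 -p tcp --dport 80 -m owner ! --uid-owner root -j REDIRECT --to-ports 8080
    if p.dst != "127.0.0.1" and p.proto == "tcp" and p.dport == 80 and p.uid != 0:
        # REDIRECT on a locally generated packet rewrites the destination to 127.0.0.1:8080
        return replace(p, dst="127.0.0.1", dport=8080)
    return p

def route(p):
    # after nat OUTPUT the kernel re-routes: 127/8 goes out lo, anything else out the LAN interface (assumed eth0)
    return "lo" if p.dst.startswith("127.") else "eth0"

def nat_postrouting(p, out_iface):
    # nat POSTROUTING: -o lo -p tcp --dport 8080 -j SNAT --to 127.0.0.1
    if out_iface == "lo" and p.proto == "tcp" and p.dport == 8080:
        return replace(p, src="127.0.0.1")
    return p

def filter_input(p):
    # filter INPUT in the order the rules are appended; policy DROP, NFS rules omitted
    if p.iface_in == "lo":
        return "ACCEPT"
    if p.state in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if p.proto == "tcp" and p.dport == 22 and p.state == "NEW":
        return "ACCEPT"
    if p.proto == "icmp":
        return "ACCEPT"
    if p.dst.split(".")[-1] == "255":   # -d 255.255.255.255/0.0.0.255: the mask keeps only the last octet
        return "DROP"
    if p.dst == "224.0.0.1":            # all-hosts multicast group
        return "DROP"
    return "REJECT"                     # -j LOG is non-terminal: the packet is logged, then rejected

def local_request(p):
    # path of a locally generated packet: nat OUTPUT -> routing -> nat POSTROUTING;
    # if it was routed out lo it comes straight back in through filter INPUT
    p = nat_output(p)
    out = route(p)
    p = nat_postrouting(p, out)
    verdict = filter_input(replace(p, iface_in="lo")) if out == "lo" else "sent via " + out
    return p, out, verdict
```

Running `local_request(Pkt(src="192.168.1.10", dst="203.0.113.10", dport=80))` returns a packet with src and dst both 127.0.0.1 and dport 8080, routed out lo and accepted by INPUT; the same request from uid 0, or to port 443, leaves via eth0 untouched.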
 
Old 10-04-2011, 02:39 AM   #2
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 134

Rep: Reputation: 30
Hi Narnie,

Let's first clarify a few things.
You are not experiencing a problem on your system? Are you?
You want to understand the configuration of your iptables. You already figured out what some lines mean, and you want to understand the others. For that I recommend you read the man pages of iptables. You are asking too many questions, and I am afraid isolated answers can lead to confusion. Read the man pages, and then come back with specific concerns if any remain.

Regards,

Tshimanga.
 
Old 10-04-2011, 03:19 AM   #3
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Rep: Reputation: 189
As tshikose said,

RTFM
then
http://www.linuxhomenetworking.com/w...Using_iptables - This link gives quite a good intro to iptables.

then, read them both again...

Then, backup those rules (if they work for you), and get your hands dirty building your own set of rules..
You may also want to have a look at hping3 and nmap (again, RTFM) for testing..

Last edited by fukawi1; 10-04-2011 at 03:23 AM.
 
Old 10-04-2011, 12:20 PM   #4
narnie
Member
 
Registered: Jan 2010
Distribution: Linux Mint, Ubuntu Netbook Edition, et al
Posts: 106

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by tshikose View Post
Hi Narnie,

Let's first clarify a few things.
You are not experiencing a problem on your system? Are you?
You want to understand the configuration of your iptables. You already figured out what some lines mean, and you want to understand the others. For that I recommend you read the man pages of iptables. You are asking too many questions, and I am afraid isolated answers can lead to confusion. Read the man pages, and then come back with specific concerns if any remain.

Regards,

Tshimanga.
No, everything is working as I want it to as it blocks unwanted sites and allows wanted sites, I just want to fully understand how. I have read the man pages re: them already. My problem is that I'm on the steep learning curve and don't have the background to understand some of the intricacies of what is going on (like the nat rules and what is the deal with the 255.255.255.255/0.0.0.255 and 224.0.0.1 rules, what are those numbers?).

My setup is client browser -> iptables -> Dansguardian -> privoxy -> Linksys hardware router -> world internet. One machine, no server computers involved, so it is filtering the traffic from one machine.

Thanks,
Narnie

Last edited by narnie; 10-04-2011 at 03:13 PM.
 
Old 10-05-2011, 05:51 AM   #5
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Rep: Reputation: 189
Mate,
I taught myself iptables from the link I posted above, and reading the man pages... and I'm a welder by trade, if I can do it, you can too

Quote:
(like the nat rules and what is the deal with the 255.255.255.255/0.0.0.255 and 224.0.0.1 rules, what are those number?)
Those numbers, the left side of the / is the IP address, the right side is the subnet. 255.255.255.255 is a broadcast address, used to send to all other IPs on the subnet.

http://lartc.org/howto/ is another good site to learn all this stuff, but it's fairly detailed..
 
Old 10-05-2011, 03:39 PM   #6
narnie
Member
 
Registered: Jan 2010
Distribution: Linux Mint, Ubuntu Netbook Edition, et al
Posts: 106

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by fukawi1 View Post
Mate,
I taught myself iptables from the link I posted above, and reading the man pages... and I'm a welder by trade, if I can do it, you can too

Those numbers, the left side of the / is the IP address, the right side is the subnet. 255.255.255.255 is a broadcast address, used to send to all other IPs on the subnet.

http://lartc.org/howto/ is another good site to learn all this stuff, but it's fairly detailed..
Thanks, fukawi1. And also thanks for the encouragement

Narnie
 