LinuxQuestions.org - Linux - Security forum
Old 05-12-2006, 12:36 AM   #1
nadroj
Senior Member
 
Registered: Jan 2005
Location: Canada
Distribution: ubuntu
Posts: 2,539

Rep: Reputation: 59
iptables: allow only web-browsing


EDIT: Please see post #9 for my updated script if anyone is using this for reference.

I've never really needed a firewall on my Windows or Linux machine, but I want to give iptables a shot.

What I want to do is block EVERYTHING coming into the computer except for information regarding web browsing. I'm quite new to iptables, so sorry if I'm screwing everything up, and bear with me.

I initially thought I needed two rules:
1 - accept TCP packets with source port 80
2 - drop everything else

I tried this and it didn't work. I would try to browse to 'google.com' but it wouldn't work. I then tried to browse to '[googleIPAddress]/index.html' and it worked. This made me remember that I was blocking the DNS ports for the HTTP request. I then added a rule for TCP and UDP DNS packets to accept. This is what I have come up with all together:
Code:
#!/bin/bash
# MY FIREWALL SCRIPT:
# - block all incoming traffic, EXCEPT: tcp http, tcp https, udp https, tcp dns, udp dns
IPT=/usr/sbin/iptables

$IPT -F
$IPT -A INPUT -t filter -p tcp --sport http -j ACCEPT
$IPT -A INPUT -t filter -p tcp --sport 53 -j ACCEPT
$IPT -A INPUT -t filter -p udp --sport 53 -j ACCEPT
$IPT -A INPUT -t filter -p tcp --sport https -j ACCEPT
$IPT -A INPUT -t filter -p udp --sport https -j ACCEPT
$IPT -A INPUT -t filter -p all -j DROP
echo Firewall configured.
By the way, the rule to drop all packets should be _last_, correct? Meaning, if none of the previous rules match, then do that one (which will of course match).

Anyway, I then ran this script and it seems to be working fine (so far). I can use any web browser I have, as normal.

Also, I have run a few online security scans and most of them froze. This seems to tell me they couldn't even start to do what they wanted to do (i.e. scan for UDP/TCP open ports), meaning high[er] security for me, correct? Either that or my browser isn't compatible with the site.

Do you think the script I have is fine for my only firewall, to allow only web browsing? Is there any rule you can think of that I should change/add/remove? I will also want to modify this to allow Kopete or any other program I want, but if I can get this correct I should be able to figure out the rest myself.

By the way, I'm not using a router.
Thanks

EDIT: Well, I already see a problem: I can't access hotmail.com. I'll have to look into it.
UPDATE: Fixed the hotmail problem. It's because it needs the TCP & UDP HTTPS ports open too. I've updated the script above to match my changes.

Last edited by nadroj; 05-16-2006 at 09:02 PM.
 
Old 05-12-2006, 01:54 AM   #2
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
Hi nadroj,

Have you given a thought to what happens if you download a program from the net and it is a trojan / rootkit?
You may have stopped incoming traffic, but what about outgoing?
You should block all outgoing traffic too, except for the ports which you need to use.

(Also add the updated firewall code in the quote so that future readers of the thread may find it useful)

Bye
 
Old 05-12-2006, 05:27 AM   #3
jayakrishnan
Member
 
Registered: Feb 2002
Location: India
Distribution: Slacky 12.1, XP
Posts: 991

Rep: Reputation: 30
Your rule drops everything; the drop rule should be the first rule in there, no?
 
Old 05-12-2006, 07:25 AM   #4
RanDrake10
Member
 
Registered: Oct 2004
Location: Florida
Distribution: Debian
Posts: 319

Rep: Reputation: 30
Port 443 is for https.
Also 'iptables -nvL' will give you a list of what is set.
 
Old 05-12-2006, 12:35 PM   #5
nadroj
Senior Member
 
Registered: Jan 2005
Location: Canada
Distribution: ubuntu
Posts: 2,539

Original Poster
Rep: Reputation: 59
RanDrake10:
Yeah, I searched for the port number for HTTPS and found that too. I'd rather just put https than the port number, which is allowed, and is why I did what I did. Here is the output of the command (for the INPUT chain; the others don't have any rules):
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  580  386K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:53
   34 10538 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53
   29 12866 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:443
   54  3153 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
jayakrishnan:
What do you mean, my rules drop everything? I set them to drop everything but what I have specified. I thought the drop rule needs to be the last rule. Can someone clarify please?

imagineers7:
I thought about this, but do I _need_ to block outgoing traffic? If I have it set up to block all the incoming traffic (except what I specified), then it doesn't matter what is going out; only what I want to come in will come in. Or am I wrong on this too? And yes, when I get this all sorted out I'll update the quote.

One question I have is this: "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)". The FORWARD chain is also 0,0, but the OUTPUT chain is not. I can understand the values for FORWARD and OUTPUT, but why would INPUT be 0, if it's accepting these HTTP and DNS packets?

Thanks all

Last edited by nadroj; 05-12-2006 at 12:40 PM.
 
Old 05-12-2006, 06:34 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally Posted by nadroj
i thought the drop rule needs to be the last rule.. can someone clarify please?
It does need to be last. The rules are processed in sequential order, so if you put the drop rule as the first rule in the firewall then *all* packets will match it and *all* will be dropped.

Quote:
Originally Posted by nadroj
one question i have is this: "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)". the FORWARD chain is also 0,0, but the OUTPUT chain is not. i can understand the values for FORWARD and OUTPUT.. but why would INPUT be 0, if its accepting these HTTP and DNS packets.
That is the counter for the number of packets and total bytes that have been processed by the default policy rule for that chain. The policy rule will technically be the last rule in the chain, so if no packets are matched by any other rule in that chain, then the default policy rule will be used to process the packet. However, in the case of your INPUT chain you have a "catch-all" drop rule right before the default policy, so all packets that don't match any other rule will match that one and will be dropped before reaching the default policy rule. If you look at the counter for the last rule in that chain, you can see that it has matched a fair number of packets. So technically this last rule is redundant and you should get rid of it and just set your default policy to DROP for the INPUT chain.

Also, there is actually a major hole in your firewall that is a common mistake for people writing their first firewall. If I were scanning your machine and configured my scanner to use port 53 as the source port, I could completely scan every port on your entire machine without the firewall blocking anything. If you are going to filter based on source ports, then you need to restrict the destination port as well. IMO you should take advantage of iptables' state tracking capabilities and simply allow only packets on the INPUT chain that are of the ESTABLISHED or RELATED states. Then configure your OUTPUT chain to only allow outgoing traffic on the http, https, and dns ports. That way the only incoming traffic that is accepted is replies to connections you've initiated on a limited number of ports.
 
Old 05-12-2006, 11:11 PM   #7
nadroj
Senior Member
 
Registered: Jan 2005
Location: Canada
Distribution: ubuntu
Posts: 2,539

Original Poster
Rep: Reputation: 59
Capt:
REGARDING COUNTER:
OK, thanks for clearing up the drop-all policy being first or last; it makes sense.
So I'll drop my last rule and add 'iptables -P INPUT DROP' to set the default policy for INPUT to DROP all packets, as you suggested.

REGARDING FIREWALL FLAW:
But your port scanner wouldn't be communicating via DNS response packets, which means my firewall WOULD block it? Or am I wrong? (most likely)
I'll try and work on modifying the rules and add a few to the OUTPUT chain, as you recommended. After I get that working, I'll try to update my first post to match my [future] current setup for the rules.

Do you (or anyone else) see any other flaws or other rules I should add, for what I want to do?

Thanks all
 
Old 05-12-2006, 11:39 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally Posted by nadroj
Capt:
REGARDING FIREWALL FLAW:
But your port scanner wouldn't be communicating via DNS response packets, which means my firewall WOULD block it?
That's the problem with relying entirely on port filtering; iptables doesn't do any kind of application layer filtering so it's not looking at the packet and asking whether it "looks" like a DNS or HTTP packet. It's simply looking at whether the packet header has a source port of 53 or 80. In general, port scanners don't need the application that's listening on a particular port to understand the packet, they just need the OS's TCP/IP stack to respond in some way (with a SYN or RST for example). So regardless of the contents of the packet I'm sending, all I would need to do is set the source port to 53 and then increment the destination port from 1-65535 and each packet would match the DNS rule and be passed through the firewall.

Quote:
do you (or anyone else) see any other flaws or other rules i should add, for what i want to do?
Post your ruleset once you've modified them.
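The source-port-53 hole Capt_Caveman describes, worked through in a small first-match model of the INPUT chain from post #1. This is an added example, not code from the thread: the evaluator is a simplification of netfilter's chain walk (protocol and ports only, no state or interfaces), the scanner is modelled as TCP probes that differ only in destination port (what `nmap -g 53` sends), and the ephemeral range 32768-60999 is an assumption taken from the modern Linux default for net.ipv4.ip_local_port_range.

```python
"""First-match evaluation of the original stateless INPUT chain (added example, not the thread's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


def matches(spec, value):
    """A port spec is None (any), an int (exact) or an inclusive (lo, hi) range."""
    if spec is None:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= value <= spec[1]
    return spec == value


# One entry per line of post #1's INPUT chain: (proto, sport, dport, target). None = unspecified.
ORIGINAL_INPUT = [
    ("tcp", 80,   None, "ACCEPT"),   # -p tcp --sport http
    ("tcp", 53,   None, "ACCEPT"),   # -p tcp --sport 53
    ("udp", 53,   None, "ACCEPT"),   # -p udp --sport 53
    ("tcp", 443,  None, "ACCEPT"),   # -p tcp --sport https
    ("udp", 443,  None, "ACCEPT"),   # -p udp --sport https
    (None, None,  None, "DROP"),     # -p all -j DROP, the catch-all
]


def evaluate(rules, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; the first rule that matches decides, otherwise the chain policy."""
    for proto, sport, dport, target in rules:
        if proto is not None and proto != pkt.proto:
            continue
        if matches(sport, pkt.sport) and matches(dport, pkt.dport):
            return target
    return policy


def drop_rule_first(rules):
    """Post #3's suggestion: put the catch-all DROP at the top of the chain."""
    return [rules[-1]] + rules[:-1]


def scan(rules, sport, ports):
    """A scanner that pins its source port (nmap -g 53) and walks destination ports;
    returns the destination ports the chain lets through to the TCP/IP stack."""
    return [p for p in ports if evaluate(rules, Packet("tcp", sport, p)) == "ACCEPT"]


EPHEMERAL = (32768, 60999)  # assumed: modern Linux default net.ipv4.ip_local_port_range


def restrict_dport(rules):
    """Capt_Caveman's stateless remedy: a reply is only plausible if it targets one of our
    ephemeral ports, so pin --dport on every ACCEPT as well as --sport."""
    return [(proto, sport, EPHEMERAL if target == "ACCEPT" else dport, target)
            for proto, sport, dport, target in rules]


if __name__ == "__main__":
    reply = Packet("tcp", 80, 40123)  # a web server answering our request
    print(evaluate(ORIGINAL_INPUT, reply), evaluate(drop_rule_first(ORIGINAL_INPUT), reply))
    print(len(scan(ORIGINAL_INPUT, 53, range(1, 1025))), len(scan(ORIGINAL_INPUT, 40000, range(1, 1025))))
    hardened = restrict_dport(ORIGINAL_INPUT)
    print(len(scan(hardened, 53, range(1, 1025))), len(scan(hardened, 53, range(32768, 61000))))
```

Three things fall out of running it. The legitimate reply is accepted by the original chain and dropped the moment the catch-all moves to the top, which settles the ordering question from posts #3 and #5. A scan from source port 53 reaches all 1024 low ports while the same scan from an unprivileged source port reaches none, which is the hole: the chain never asks whether the packet is an answer to anything. Pinning the destination port to the ephemeral range closes the low ports but still leaves every ephemeral port scannable from source port 53, which is why the thread moves to connection tracking rather than more port rules.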
 
Old 05-16-2006, 02:46 PM   #9
nadroj
Senior Member
 
Registered: Jan 2005
Location: Canada
Distribution: ubuntu
Posts: 2,539

Original Poster
Rep: Reputation: 59
OK, thanks Capt.

I modified my rules as you suggested and it's working as it was before.
I set the -P option for the INPUT chain to DROP as you suggested; however, I could still use Kopete, for example, so I used '-P OUTPUT DROP' as well, and it seems to be working. Here is my script:
Code:
#!/bin/bash
IPT=/usr/sbin/iptables

# flush all current rules
$IPT -F
# set default policy on INPUT and OUTPUT chains to DROP packets that dont match the rules
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
# only accept packets on the INPUT chain that are ESTABLISHED or RELATED to a current connection
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow ONLY packets with the following protocols and port numbers to be sent out
$IPT -A OUTPUT -t filter -p tcp --dport http -j ACCEPT
$IPT -A OUTPUT -t filter -p tcp --dport 53 -j ACCEPT
$IPT -A OUTPUT -t filter -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -t filter -p tcp --dport https -j ACCEPT
$IPT -A OUTPUT -t filter -p udp --dport https -j ACCEPT
echo Firewall configured.
I don't need to worry about the source port, right?

Here's the output of 'iptables -L':
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere            udp dpt:https
OK, any comments on my current setup now? Thanks.

EDIT: Also, for the FORWARD chain, would it be better to just set the default policy to DROP? I'm not using a router, just a DSL modem. My computer is the only one using the WAN IP from our ISP, so a packet would never come to my computer to be forwarded (routed) to another router, correct?

Last edited by nadroj; 05-16-2006 at 03:01 PM.
 
Old 05-16-2006, 06:40 PM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally Posted by nadroj
however i could still use kopete, for example.. so i used '-P OUTPUT DROP' as well..
Yeah, with the Default OUTPUT policy being ACCEPT then everything would be allowed, so you want it as DROP.

Quote:
and it seems to be working. here is my script:
Looks good. You may want to allow RELATED traffic on the OUTPUT chain as well. Certain types of error messages (like ICMP source quench) would be blocked from being sent by your machine. Depending on your setup you may never have a problem, but it could cause issues randomly that are difficult to diagnose.

Quote:
i dont need to worry about the source port, right?
Nope. The source port is going to vary over a wide range of ports, so you'd need to specify all of 1024-65535 (or at least whatever is set in /proc). The security benefit of doing so is relatively minor.

Quote:
for the FORWARD chain, would it be better to just set the default policy to DROP? Im not using a router, just a DSL modem. My computer is the only one using the WAN IP from our ISP, so a packet would never come to my computer to be forwarded (routed) to another router, correct?
Theoretically, yes you are correct in that packets shouldn't ever get forwarded in your setup. However, I would set it to DROP anyway.
 
Old 05-16-2006, 08:58 PM   #11
nadroj
Senior Member
 
Registered: Jan 2005
Location: Canada
Distribution: ubuntu
Posts: 2,539

Original Poster
Rep: Reputation: 59
Quote:
Looks good. You may want to allow RELATED traffic on the OUTPUT chain as well. Certain types of error messages (like ICMP source quench) would be blocked from being sent by your machine. Depending on your setup you may never have a problem, but it could cause issues randomly that are difficult to diagnose.
OK, I'll try and leave my setup as shown in my previous post. If I get weird error messages or halts in my network activity then I'll add it. Should I put it before my other OUTPUT rules or as the last OUTPUT rule?
Quote:
Theoretically, yes you are correct in that packets shouldn't ever get forwarded in your setup. However, I would set it to DROP anyway.
OK, I was just making sure. I didn't want to block other users' packets by being selfish and not FORWARDing any, but, again, this would never happen because I don't even use a router. Anything sent to my NIC is destined for it, not to be forwarded anyway.

My next step is to look into Kopete and how it operates so I can allow that traffic as well; then that should be all I need for my firewall. I won't bother with other software or antivirus, etc., tools, just my iptables script.

OK Capt', thanks a lot. iptables is pretty neat and very powerful, and now, after a few days, I seem to understand it pretty well, thanks to your, and a few others', help.

Last edited by nadroj; 05-16-2006 at 09:00 PM.
 
Old 05-16-2006, 09:44 PM   #12
RanDrake10
Member
 
Registered: Oct 2004
Location: Florida
Distribution: Debian
Posts: 319

Rep: Reputation: 30
Here is a little bash script I made for my firewall, if you want to look at it for any help.
Also if anybody else has any suggestions, send them to me.

http://randrake.homelinux.net/files/Firewall.html
 
Old 05-16-2006, 10:25 PM   #13
nadroj
Senior Member
 
Registered: Jan 2005
Location: Canada
Distribution: ubuntu
Posts: 2,539

Original Poster
Rep: Reputation: 59
Hmm, the link's not working.
 
Old 05-17-2006, 03:01 AM   #14
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE 13.1 / 12.3_64-KDE, Ubuntu 14.04, Fedora 20, Mint 17, Chakra
Posts: 3,678

Rep: Reputation: Disabled
It does for me. Thanks @all for an instructive thread, btw.
 
Old 05-17-2006, 01:33 PM   #15
//////
Member
 
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Dual boot :: Slackware 14.1 64bit multilib | Kali linux 64bit multi lib
Posts: 189

Rep: Reputation: 42
Quote:
Originally Posted by nadroj
Code:
#!/bin/bash
IPT=/usr/sbin/iptables

# flush all current rules
$IPT -F
# set default policy on INPUT and OUTPUT chains to DROP packets that dont match the rules
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
# only accept packets on the INPUT chain that are ESTABLISHED or RELATED to a current connection
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow ONLY packets with the following protocols and port numbers to be sent out
$IPT -A OUTPUT -t filter -p tcp --dport http -j ACCEPT
$IPT -A OUTPUT -t filter -p tcp --dport 53 -j ACCEPT
$IPT -A OUTPUT -t filter -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -t filter -p tcp --dport https -j ACCEPT
$IPT -A OUTPUT -t filter -p udp --dport https -j ACCEPT
echo Firewall configured.
Shouldn't there be rules like these for dropping bad packets, etc.?
Code:
$IPT -A INPUT -p ALL -m state --state INVALID -j DROP
and ..
Code:
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Cheers, ///..
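The stateful ruleset from post #9, with the RELATED accept on OUTPUT from post #10 and the two drops suggested in post #15, traced through a toy connection tracker. This is an added example, not the thread's code, and `Conntrack` is a deliberately minimal model of nf_conntrack: a set of confirmed 5-tuples, RELATED decided by the packet quoted inside an ICMP error, and the default tcp_loose behaviour in which a stray non-SYN segment with no flow is picked up as NEW rather than marked INVALID. The addresses are constructed RFC 5737 documentation addresses, and the optional `allow_new` argument to `input_verdict` stands in for a per-service `--state NEW --dport ... -j ACCEPT` rule that the thread's ruleset does not yet have.

```python
"""Stateful INPUT/OUTPUT filtering traced through a toy conntrack (added example, not the thread's code)."""
from dataclasses import dataclass

HOST = "192.0.2.10"   # our machine; all addresses are constructed RFC 5737 documentation addresses


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags present, subset of {"SYN", "ACK", "FIN", "RST"}
    icmp_error_of: tuple = None     # for ICMP errors: 5-tuple of the packet quoted in the error


class Conntrack:
    """Minimal model of nf_conntrack classification: a set of confirmed original-direction flows."""

    def __init__(self):
        self.flows = set()

    @staticmethod
    def tuple_of(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def known(self, t):
        proto, src, sport, dst, dport = t
        return t in self.flows or (proto, dst, dport, src, sport) in self.flows

    def classify(self, p):
        if p.proto == "icmp" and p.icmp_error_of is not None:
            # An ICMP error is RELATED only if the packet it quotes belongs to a tracked flow.
            return "RELATED" if self.known(p.icmp_error_of) else "INVALID"
        if self.known(self.tuple_of(p)):
            return "ESTABLISHED"
        if p.proto == "tcp":
            f = p.flags
            if not f or {"SYN", "FIN"} <= f or {"SYN", "RST"} <= f:
                return "INVALID"  # impossible flag combinations never get a conntrack entry
            # With nf_conntrack_tcp_loose=1 (the kernel default) a stray ACK-only segment is
            # picked up as NEW, not marked INVALID; that is what the ! --syn rule is for.
        return "NEW"

    def commit(self, p):
        """Confirm a NEW flow once the chain ACCEPTs its first packet."""
        self.flows.add(self.tuple_of(p))


ALLOWED_OUT = {("tcp", 80), ("tcp", 53), ("udp", 53), ("tcp", 443), ("udp", 443)}


def output_verdict(ct, p):
    """Post #9's OUTPUT chain plus the ESTABLISHED,RELATED accept recommended in post #10."""
    state = ct.classify(p)
    if state in ("ESTABLISHED", "RELATED"):
        return state, "ACCEPT"
    if state == "NEW" and (p.proto, p.dport) in ALLOWED_OUT:
        ct.commit(p)
        return state, "ACCEPT"
    return state, "DROP"  # -P OUTPUT DROP


def input_verdict(ct, p, allow_new=frozenset(), non_syn_guard=True):
    """INPUT chain: INVALID drop, '! --syn NEW' drop, ESTABLISHED/RELATED accept,
    optional per-service NEW accepts (none in the thread's ruleset), then policy DROP."""
    state = ct.classify(p)
    if state == "INVALID":
        return state, "DROP"  # -m state --state INVALID -j DROP
    if non_syn_guard and p.proto == "tcp" and state == "NEW" and p.flags != {"SYN"}:
        return state, "DROP"  # -p tcp ! --syn -m state --state NEW -j DROP
    if state in ("ESTABLISHED", "RELATED"):
        return state, "ACCEPT"
    if state == "NEW" and (p.proto, p.dport) in allow_new:
        ct.commit(p)
        return state, "ACCEPT"
    return state, "DROP"  # -P INPUT DROP


def run_scenarios():
    """Replay the situations discussed in the thread and return each verdict keyed by name."""
    ct, r = Conntrack(), {}
    syn = Packet("tcp", HOST, 40000, "203.0.113.5", 443, frozenset({"SYN"}))
    r["out_https_syn"] = output_verdict(ct, syn)[1]                      # our browser opens HTTPS
    synack = Packet("tcp", "203.0.113.5", 443, HOST, 40000, frozenset({"SYN", "ACK"}))
    r["in_https_synack"] = input_verdict(ct, synack)                     # reply to our connection
    query = Packet("udp", HOST, 50000, "203.0.113.53", 53)
    output_verdict(ct, query)
    r["in_dns_answer"] = input_verdict(ct, Packet("udp", "203.0.113.53", 53, HOST, 50000))
    unreach = Packet("icmp", "203.0.113.53", 0, HOST, 0, icmp_error_of=Conntrack.tuple_of(query))
    r["in_icmp_related"] = input_verdict(ct, unreach)                    # port-unreachable for our query
    scan_syn = Packet("tcp", "198.51.100.7", 53, HOST, 22, frozenset({"SYN"}))
    r["in_scan_syn_sport53"] = input_verdict(ct, scan_syn)               # the source-port-53 trick
    scan_ack = Packet("tcp", "198.51.100.7", 53, HOST, 22, frozenset({"ACK"}))
    r["in_scan_ack_sport53"] = input_verdict(ct, scan_ack)               # ACK scan, picked up as NEW
    r["in_scan_synfin"] = input_verdict(ct, Packet("tcp", "198.51.100.7", 80, HOST, 22, frozenset({"SYN", "FIN"})))
    r["out_ssh"] = output_verdict(ct, Packet("tcp", HOST, 40001, "203.0.113.5", 22, frozenset({"SYN"})))[1]
    # Once a service is opened with a NEW accept, the ! --syn guard is what stops the ACK probe.
    r["ack_probe_guarded"] = input_verdict(ct, scan_ack, allow_new={("tcp", 22)})
    r["ack_probe_unguarded"] = input_verdict(ct, scan_ack, allow_new={("tcp", 22)}, non_syn_guard=False)
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24} {verdict}")
```

The replies to our own HTTPS connection and DNS query come back ESTABLISHED, and the ICMP port-unreachable that quotes our query comes back RELATED, so all three are accepted without any source-port rule. Both scanner probes from source port 53 are NEW and fall through to the INPUT policy, which is the hole from post #6 closed. With the thread's INPUT chain as posted, the `! --syn` rule is not yet doing any work, because nothing accepts NEW on INPUT anyway; the last two scenarios show why it is still worth having: as soon as a `--state NEW --dport` accept is added for some service (Kopete, say), an ACK-only probe to that port is picked up as NEW and would be accepted without the guard.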
 
  

