LinuxQuestions.org

Linux - Security: iptables and dynamic rules.... (http://www.linuxquestions.org/questions/linux-security-4/iptables-and-dynamic-rules-243508/)

ProtoformX 10-16-2004 03:04 PM

iptables and dynamic rules....
 
Hi, I'm fairly new at using iptables, but I know how to do some stuff. My question is: how do you dynamically open an incoming port? Like, I don't want any ports open really, so I thought this was the best way to do just that, but how would one do so in iptables? I'm not on a network at all.

qwijibow 10-16-2004 08:07 PM

what do you mean dynamically open ?

ProtoformX 10-16-2004 08:27 PM

Well, I want to DROP all incoming packets, but now I have a problem: nothing I use will work because the server I'm trying to connect to can't send any data back to me. So I want to have my computer dynamically open a port.

Example: If I DROP every INPUT and OUTPUT packet but I accept port 53 tcp, 53 udp and 80 tcp OUTPUT only, but not INPUT, I want my computer to randomly pick a port and open it (INPUT only) when I send a request. That way all my ports are technically stealthed and no ports are statically open. Meaning as soon as my computer is done requesting the information it needs and the server sends it to the randomly opened port, I want that port closed.

Make sense?

qwijibow 10-17-2004 07:58 AM

lol.. you were right, you don't understand networks... hehe.

OKAY... a packet (TCP, UDP or ICMP) can have many different states....
State NEW means this is the first packet from a remote computer... possibly a connection request.
State ESTABLISHED means this packet is part of an already started connection... for example a reply to an HTTP GET request.
State RELATED means this packet is part of a new connection that has been started by an already ESTABLISHED connection... for example an FTP download or upload (FTP uses 2 different 'channels', a data channel and a command channel).

So a simple firewall rule set would be:

#input rules....
Code:

# rule 1: allow everything on the loopback device
iptables -A INPUT -i lo -j ACCEPT
# rules 2 and 3: allow replies to connections this machine started (the state match needs -m state)
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
# rule 4: allow ping replies, but not ping requests
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# rule 5: default policy, drop everything else
iptables -P INPUT DROP

This firewall input rule set would drop all connection attempts, and ping attempts.
Rule 1 means allow everything on the loopback device (allow the computer to talk to itself).
Rule 2 allows all related and established traffic.
Rule 3 allows the same as 2 but for the UDP protocol.
Rule 4 allows ping replies but NOT ping requests.... so you can ping other people, but they cannot ping you.
Rule 5 drops everything else.

With this rule set, nobody can send information to your computer unless they are sending it as a reply to a request you sent to them.

As for output.... most people don't need to restrict output, and leave the output policy at the default ACCEPT...
But if you do want to restrict output.. make sure you have at least these rules...
Code:

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
# let this machine send ping requests (the INPUT rule above accepts the replies)
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

This is similar to the input rules....
Note that you will need to add rules to the output rules...
There is nothing in the output rules that allows new connections... just related ones... and nothing can be related unless a NEW packet is allowed out.

So add rules like

Code:

iptables -A OUTPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
to allow your machine to connect to remote machines on port 80 (http) for viewing web pages.


OR... you could just allow a firewall program to automatically configure the iptables firewall for you.
Programs like "firestarter" are good for newbs.

IRIGHTI 10-17-2004 10:49 AM

You know qwijibow, that was the best quick explanation of the basics of iptables I think I've seen.

qwijibow 10-17-2004 01:02 PM

lol.. Cool. thanX.
Always good to know I'm making a good contribution to the site that helped me so much when I started out 2 years ago.

ProtoformX 10-17-2004 02:53 PM

Thanks qwijibow, that totally clears things up. But what if I wanted to allow file transfers via ICQ? It uses a dynamic port < 1024 I believe. How would you get iptables to auto detect the port ICQ is trying to use, or do I have to open ports 1024 to 5000?

qwijibow 10-17-2004 11:31 PM

hmm... in old kernels there used to be a kernel driver module to track ICQ connections and open the correct ports... however after kernel 2.2 (or maybe 2.0) this driver disappeared....

I'm not sure if support was dropped, or whether the ICQ support was simply merged into the iptables main connection tracking module....

Try it.. see if it works without opening all those ports.... hopefully the ICQ INPUT traffic will be allowed through the RELATED or ESTABLISHED rule.

As for output... well... I'm assuming you didn't bother writing an output rule set and left it at the default ACCEPT policy.

ProtoformX 10-17-2004 11:42 PM

Quote:

Originally posted by qwijibow
As for output... well... I'm assuming you didn't bother writing an output rule set and left it at the default ACCEPT policy.
Actually I did, opened up ports for only the things I wanted to use then dropped everything else, but I can set the firewalled port on LICQ to a fixed port, then set NEW and ESTABLISHED as the match parameter.

sound right?

I wonder if this would also work for MSN and AIM?


EDIT: It doesn't work for any of them. Oh well.

qwijibow 10-18-2004 02:24 PM

You don't really need to restrict output.....

The way I understand it... is you would normally set the output to allow all... then just add a few rules to block certain things you want to block.. like P2P or MSN or ICQ or HTTP to address slashdot.org to stop users wasting time..

To get it all working, providing the program only uses one connection, you just need a rule to allow the first connection request... all other transmitted and received packets will get through as ESTABLISHED packets.

Don't just use the destination port to allow connections.. you can also use -s (source) and -d (destination) URLs or IPs, or a combination of IPs and ports.

Read "man netstat".
Turn off your firewall and run netstat while the services you are using are running. netstat will give info about ports, IP addresses and protocols that you can use to build firewall rules.

For example, a "netstat --all -p" shows

Code:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:631                   *:*                     LISTEN      6594/cupsd
tcp        0      0 *:1213                  *:*                     LISTEN      7408/giftd
tcp        0      0 *:1214                  *:*                     LISTEN      7408/giftd
tcp        0      0 CENSORED MY IP                                  ESTABLISHED 7408/giftd
tcp        0      0 localhost:1213          localhost:33125         ESTABLISHED 7408/giftd
tcp        0      0 CENSORED MY IP                                  TIME_WAIT   -
tcp        0      0 MY IP:1863                                      ESTABLISHED 7278/kopete
tcp        0      0 localhost:33125         localhost:1213          ESTABLISHED 7407/apollon
udp        0      0 *:1214                  *:*                                 7408/giftd
udp        0      0 *:bootpc                *:*                                 6567/dhcpcd
udp        0      0 *:631                   *:*                                 6594/cupsd

Looks a bit mad.. but it shows useful info on what's happening.

For example... the program cupsd listening on tcp port 631.. this is the printing daemon.... I don't share the printer on the network.. so I will not open a port for it... the machine can print to this printer using the iptables rule that allows it to talk to itself.

tcp port 1213 is the giFT server for controlling my downloads.. no port open because only the local machine should control downloads.

However I do open an incoming port on tcp 1214 for FastTrack / Kazaa downloading (PUSH).

Anyways.. you get the idea.
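To show the "read netstat, then decide which listeners need an INPUT rule" step in code, here is an added example (not from the thread) that parses a `netstat --all -p` listing, separates loopback-only binds from sockets bound on every interface, and prints the NEW-state rule each exposed listener would need under a default-DROP INPUT chain. The sample listing and program names are constructed for the example, and the generated rules use the newer `-m conntrack --ctstate` match rather than the `-m state` match used above.

```python
from dataclasses import dataclass

# Constructed sample in the layout of `netstat --all -p`; not the thread's real output.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:631                   *:*                     LISTEN      6594/cupsd
tcp        0      0 localhost:1213          *:*                     LISTEN      7408/giftd
tcp        0      0 *:1214                  *:*                     LISTEN      7408/giftd
tcp        0      0 localhost:33125         localhost:1213          ESTABLISHED 7407/apollon
udp        0      0 *:1214                  *:*                                 7408/giftd
udp        0      0 *:bootpc                *:*                                 6567/dhcpcd
"""

@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: str
    state: str
    program: str

def parse_netstat(text):
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # skip the two header lines
        # UDP rows have no State column, so only TCP rows carry one.
        state = fields[5] if fields[0].startswith("tcp") else ""
        host, _, port = fields[3].rpartition(":")
        sockets.append(Socket(fields[0], host, port, state, fields[-1]))
    return sockets

def exposed_listeners(sockets):
    """Sockets bound on every interface (*) that accept unsolicited traffic: TCP in LISTEN,
    or any bound UDP socket. Loopback-only binds are already covered by `-i lo -j ACCEPT`."""
    return [s for s in sockets if s.local_host == "*"
            and (s.state == "LISTEN" or s.proto.startswith("udp"))]

def input_rule(sock):
    """The INPUT rule that would expose this listener; NEW is the one state ESTABLISHED,RELATED never matches."""
    proto = sock.proto.rstrip("6")
    return (f"iptables -A INPUT -p {proto} --dport {sock.local_port} "
            f"-m conntrack --ctstate NEW -j ACCEPT   # {sock.program}")

if __name__ == "__main__":
    for s in exposed_listeners(parse_netstat(NETSTAT_SAMPLE)):
        print(input_rule(s))
```

The printed rules are candidates to review, not rules to add blindly: in the sample, cupsd and the giFT listener show up because they bind on every interface, and the right answer for both (as in the post above) may well be to leave them closed.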

ProtoformX 10-20-2004 07:50 AM

Thanks qwijibow
