LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-16-2004, 03:04 PM   #1
ProtoformX
Member
 
Registered: Feb 2004
Location: Canada
Distribution: LFS SVN
Posts: 334

Rep: Reputation: 34
iptables and dynamic rules....


Hi, I'm fairly new at using iptables, but I know how to do some stuff, my questions is how do you dynamiclly open an incoming port? like I don't want any ports open really so I thought this was the best way to do just that, but how would one do so in iptables? I'm not on a network at all.
 
Old 10-16-2004, 08:07 PM   #2
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
what do you mean dynamically open ?
 
Old 10-16-2004, 08:27 PM   #3
ProtoformX
Member
 
Registered: Feb 2004
Location: Canada
Distribution: LFS SVN
Posts: 334

Original Poster
Rep: Reputation: 34
Well, I want to DROP all incoming pakets, but now I have a problem nothing I use will work because the server I'm trying to connect to can't send any data back to me. so I want to have my computer dynamiclly open a port.

Example: If I DROP every INPUT and OUTPUT packet but I accept port 53 tcp, 53 udp and 80 tcp OUTPUT only, but not INPUT I want my computer to randomly pick a port and open it (INPUT only) when I send a request, that way all my ports are techniclly stealthed and no ports are statically open. meaning as soon as my computer is done requesting the information it needs and the server sends it to the randomly open port I want that port closed.

Make sense?
 
Old 10-17-2004, 07:58 AM   #4
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
lol.. you were right, you dont understand networks... hehe.

OKAY... a Packet (TCP UDP or ICMP) can have many different states....
state NEW means this is the first packet from a remote computer... possible a connection request.
state ESTABLISHED means this packet is part of an already started connection... for example a reply from a http GET request.
state RELATED means this packet is part of a new connection that has been started by an already ESTABLISHED connection... for example an FTP download or upload (FTP uses 2 different 'channels' a data channel and a command channel.

so a simple firewall rule would be.

#input rules....
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --state state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --state state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -P INPUT DROP
this firewall input rule would drop all connection attempts, and ping attempts.
rule 1 means allow everything on the loopback device (allow the computer to talk to itself)
rules 2 allows all related and established traffic.
rules 3 allows same as 2 but for the udp protocol.
rule 4 allows ping reply's but NOT ping requests.... so you can ping other people, but they cannot ping you.
rule 5 drops everything else.

with this rule set, nobody can send information to your computer unless they are sending it as reply to a request you send to them.

as for output.... most poeple dont need to restrict output. and leave output policy to default ACCEPT...
but if you do want to restrict output.. make sure you have at least these rules...
Code:
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p tcp --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUPPUT -p icmp --icmp-type -icmp-echo-request -j ACCEPT
this is ismilar to the input rule....
note that you will need to add rules to the output rules...
there is nothing in the output rules that allows new connections... just releated ones... and nothing can be related unless a new packet is allowed out.

so add rules like

Code:
iptbales -A OUTPUT -p tcp --state NEW --dport 80 -j ACCEPT
to allow your machine to connect to remote machines on port 80 (http) for viewing web pages.


OR... you could just allow a firewall program to qutomatically configure iptables firewall for you.
programs like "firestarter" are good for newbs.

Last edited by qwijibow; 10-17-2004 at 08:00 AM.
 
Old 10-17-2004, 10:49 AM   #5
IRIGHTI
Member
 
Registered: Oct 2003
Distribution: Slackware64 13.1 x86_64, Ubuntu 10.04 x86_64
Posts: 121

Rep: Reputation: 15
You know quijibow, that was the best quick explanation of the basics of iptables I think I've seen.
 
Old 10-17-2004, 01:02 PM   #6
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
lol.. Cool. thanX.
always good to know im making a good contribution to the site that helped me so much when i started out 2 years ago.
 
Old 10-17-2004, 02:53 PM   #7
ProtoformX
Member
 
Registered: Feb 2004
Location: Canada
Distribution: LFS SVN
Posts: 334

Original Poster
Rep: Reputation: 34
Chanks qwijibow, That totally clears things up. but what if I wanted to allow file transfers via ICQ? it uses a dynamic port < 1024 I believe. How would you get iptables to auto detect the port ICQ is trying to use, or do I have to open 1024 to 5000 ports?
 
Old 10-17-2004, 11:31 PM   #8
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
hmm... in old kernels there used to be a kernel driver module to track icq connections and open the correct ports... however after kernel 2.2 (or maybe 2.0) this driver dissapeared....

im not sure if support was dropped, or wether the icq support was simply merged into the iptables main connection tracking module....

try it.. see if it works wihtout opeining all those ports.... hopefully the ICQ INPUT traffic will be allowed through the RELATED or ESTABLSIHED rule.

as for output... well... im assuming you didnt bother writing an output rules set and left it at default ACCEPT policy.
 
Old 10-17-2004, 11:42 PM   #9
ProtoformX
Member
 
Registered: Feb 2004
Location: Canada
Distribution: LFS SVN
Posts: 334

Original Poster
Rep: Reputation: 34
Quote:
Originally posted by qwijibow
as for output... well... im assuming you didnt bother writing an output rules set and left it at default ACCEPT policy.
Actully I did, opened up ports for only the things I wanted to use then dropped everything else, but I can set the firewalled port on LICQ to a fixed port, then set New and Estiblished as the match peramiter.

sound right?

I wonder if this would also work for MSN and AIM?


EDIT: It doesn't work for any of them, oh well.

Last edited by ProtoformX; 10-17-2004 at 11:53 PM.
 
Old 10-18-2004, 02:24 PM   #10
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
you dont really need to restrict output.....

the way i understand it... is you would normally set the output to allow all... then just add a few rules to block certain things you want to block.. like P2P or MSN or ICQ or HTTP to address slashdot.org to stop users wasting time..

to get it all working, providing the program only uses one connection, just just need a rule to allow the first connection request... all other tranmitions and recieving packets will get through as ESTABLISHED packets.

dont just use the destination port to allow connections.. you can also use -s (source) and -d (destination) URL's or IP's or a combination of IP's and Ports.

read "man netstat".
turn off your firewall and run netstat while serives you are using are running. netstat will give info about ports' ip address's and protocols that you can use to build firewall rules.

for example, a "netstai --all -p" shows

Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:631                   *:*                     LISTEN      6594/cupsd
tcp        0      0 *:1213                  *:*                     LISTEN      7408/giftd
tcp        0      0 *:1214                  *:*                     LISTEN      7408/giftd
tcp        0      0         CENCORED MY IP                        ESTABLISHED 7408/giftd
tcp        0      0 localhost:1213          localhost:33125         ESTABLISHED 7408/giftd
tcp        0      0 CENSOCORED my IP                            TIME_WAIT   -
tcp        0      0 MY IP:1863                                            ESTABLISHED 7278/kopete
tcp        0      0 localhost:33125         localhost:1213          ESTABLISHED 7407/apollon
udp        0      0 *:1214                  *:*                                 7408/giftd
udp        0      0 *:bootpc                *:*                                 6567/dhcpcd
udp        0      0 *:631                   *:*                                 6594/cupsd
looks a bit mad.. but it shows usefull info on whats happening.

for example... the programs cupsd listening on tcp port 631.. this is printing daemon.... i dont share the printer on the network.. so i will not open a port for it... the machine can print to this printer using the iptables rule that allows it to talk to itself.

tcp port 1213 is the gift server for controlling my downloads.. no port open because only the local machine should controll downloads.

however i do open an incomming port on tcp 1214 for FastTrack / Kazzaa Downloading (PUSH)

anyways.. you get the idea.
 
Old 10-20-2004, 07:50 AM   #11
ProtoformX
Member
 
Registered: Feb 2004
Location: Canada
Distribution: LFS SVN
Posts: 334

Original Poster
Rep: Reputation: 34
Chanks qwijibow
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
dynamic iptables rules slzckboy Linux - Networking 4 10-18-2005 01:28 PM
IPTABLES - rules in /etc/sysconfig/iptables The_JinJ Linux - Newbie 6 11-20-2004 01:40 AM
IPTables rules dkny01 Linux - Networking 6 10-23-2003 12:52 AM
Dynamic Firewall Rules DavidPhillips Linux - General 2 12-06-2001 06:41 PM
Viruses, ipchains, dynamic rules, rules with regular expressions marktaff Linux - Security 2 09-25-2001 04:01 AM


All times are GMT -5. The time now is 07:18 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration