LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-09-2006, 09:07 PM   #1
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Rep: Reputation: 30
Iptables Configuration?


- hey guys, hope you can help me here.
- I block all incoming and outgoing connections in my iptables configuration. At first I just wanted to allow web browsing, so I tried this configuration:

Quote:
iptables -A INPUT -s 0/0 -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -s 0/0 -p udp --sport 80 -j ACCEPT
iptables -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 0/0 -p udp --dport 80 -j ACCEPT
iptables -A OUTPUT -s 0/0 -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -s 0/0 -p udp --sport 80 -j ACCEPT
iptables -A OUTPUT -s 0/0 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -s 0/0 -p udp --dport 80 -j ACCEPT
At first it worked, then when I tried it again it no longer works. I tried a little more reading and I think that configuration is wrong, but it worked before. So I narrowed it down to this.

Quote:
iptables -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 0/0 -p udp --dport 80 -j ACCEPT
iptables -A OUTPUT -s 0/0 -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -s 0/0 -p udp --sport 80 -j ACCEPT
but still no internet access.

can you help me here pls...
 
Old 11-09-2006, 09:41 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
The main problem likely has to do with DNS traffic or DHCP. If you are only allowing http traffic, then you are not going to be able to send or receive DNS packets and won't be able to resolve host names.

Also I would recommend against filtering based on source ports. The reason is that an attacker could easily configure his port scanner to use port 80 as the source port and would be able to scan/connect to any port on your system. IPtables has stateful filtering capability, so go ahead and use it. For all of your rules, you can replace them with:

iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

It's probably a good idea to post your entire firewall ruleset here as well, because you are going to need other things too, like allowing local traffic over the loopback interface; otherwise things like X will break.
 
Old 11-10-2006, 03:38 AM   #3
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
- thanks for the tip. Actually my only firewall ruleset is the one I posted. I am still trying to create a configuration that would only allow web browsing, ftp, emails, and IM, and a security configuration that could prevent hackers from poking at our network. I am new to iptables and I would appreciate your help.
 
Old 11-10-2006, 07:55 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
The following would be a reasonable core ruleset to use. What type of ftp (passive/active) and IM (yahoo/MSN/etc) do you use?

#!/bin/sh

#SET DEFAULT POLICIES
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#ALLOW TRAFFIC OVER LOOPBACK INTERFACE
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#ALLOW OUTBOUND HTTP
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
#ALLOW OUTBOUND SMTP
iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
#ALLOW OUTBOUND DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#ALLOW ONLY INCOMING REPLIES TO OUR TRAFFIC
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
Old 11-10-2006, 09:45 PM   #5
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
- we use yahoo and our ftp uses passive mode
- so the meaning of this code:
Quote:
#ALLOW ONLY INCOMING REPLIES TO OUR TRAFFIC
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
is to only allow replies to requests from our network and won't allow anything else.

- do I have to allow udp? What would be the effect if I block it?
 
Old 11-13-2006, 09:16 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I believe Yahoo messenger uses port 80 as well, so the OUTPUT rules allowing dport 80 should allow it. Passive FTP can be a bit more tricky due to the nature of the protocol itself. The easiest and most effective approach is to allow outbound traffic on the FTP control channel (dport 21); the data channel is then opened and allowed because it's related to the initial FTP connection. The problem is that it's not an easy thing for the connection tracking module to follow, so there is a specific iptables module designed for that purpose: ip_conntrack_ftp. It should already be installed, just load it with 'modprobe ip_conntrack_ftp'. You can add it to your script at the top.
 
Old 11-13-2006, 09:33 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally Posted by SBN
so the meaning of this code is to only allow replies to requests from our network and won't allow anything else.
It will allow replies and related traffic, like certain ICMP packets used for error handling and connection negotiation (e.g. "ICMP fragmentation needed" messages), but again those are *only* allowed for a connection that you have initiated, and once the connection is closed the packets will be denied again.


Quote:
Originally Posted by SBN
do i have to allow udp?
As I posted it above, it would cover any protocol (tcp, udp, icmp, etc) but only for connections that are initiated by you.


Quote:
Originally Posted by SBN
what would be the effect if i block it?
All of those services use tcp ports so I don't believe they would be problematic, but hostname resolution would be affected as it uses udp.

Note: After looking at some docs, Yahoo IM uses port 5050 by default, but if that's blocked it will try port 80 next.

Last edited by Capt_Caveman; 11-13-2006 at 09:36 PM.
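The pieces from this thread assembled into one script, as an added example (not code from the thread or from Capt_Caveman): the default-DROP stateful ruleset from post #4, the FTP connection-tracking helper from #6, and the Yahoo Messenger port from #7. Everything beyond those posts is my addition and is marked as such in the comments: the IPT variable that makes the script a dry run unless you set IPT=iptables, the flush at the top so re-running the script does not append duplicate rules, DNS over tcp and HTTPS on 443, the nf_conntrack_ftp name the helper has on current kernels, and a lint pass that catches the two slips that appear earlier in the thread (a rule with no -j target, and an INPUT rule that ACCEPTs on a source port, which any remote client can choose).

```shell
#!/bin/sh
# Added example, not from the thread: a stateful, outbound-only ruleset in
# the shape Capt_Caveman sketched, plus a lint pass for two common mistakes.
#
# IPT defaults to "echo iptables", so running the script only prints what it
# would do. Set IPT=iptables (as root) to apply the rules for real.
IPT="${IPT:-echo iptables}"

# Print the ruleset, one command per line, comments included. Executes nothing.
ruleset() {
    cat <<'EOF'
# start clean so re-running the script does not append duplicate rules (addition)
iptables -F
# default policies: drop everything that is not explicitly allowed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# loopback, or local programs such as X break
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# replies and related traffic (FTP data channel, ICMP errors) for connections
# this host opened; unsolicited packets never match and fall to the DROP policy
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS; the tcp rule is an addition for answers too large for one udp datagram
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# web (443 is an addition, the thread only names 80), SMTP, FTP control channel
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# Yahoo Messenger default port; it falls back to 80, which is open anyway
iptables -A OUTPUT -p tcp --dport 5050 -m state --state NEW -j ACCEPT
EOF
}

# Read rules on stdin and report the two pitfalls from the thread on stderr.
# Returns 1 if anything was flagged, 0 otherwise.
lint_rules() {
    bad=0
    while IFS= read -r rule; do
        case "$rule" in
            ""|"#"*|*" -P "*|*" -F"*) continue ;;   # blank, comment, policy, flush
        esac
        case "$rule" in
            *" -j "*) ;;
            *) echo "lint: rule has no target (missing -j): $rule" >&2; bad=1 ;;
        esac
        case "$rule" in
            *" INPUT "*"--sport "*" -j ACCEPT"*)
                echo "lint: INPUT accepts on a source port the remote side chooses: $rule" >&2
                bad=1 ;;
        esac
    done
    return "$bad"
}

# Lint, load the FTP connection-tracking helper, then hand each rule to $IPT.
# The helper is ip_conntrack_ftp on the 2.6 kernels of the thread and
# nf_conntrack_ftp on current kernels, so try both; skipped in dry-run mode.
apply_ruleset() {
    ruleset | lint_rules || { echo "refusing to apply a ruleset with lint errors" >&2; return 1; }
    case "$IPT" in
        echo*) ;;
        *) modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp ;;
    esac
    ruleset | while IFS= read -r rule; do
        case "$rule" in ""|"#"*) continue ;; esac
        # drop the leading "iptables" word and let $IPT supply the binary;
        # the expansion is deliberately unquoted so the arguments split
        $IPT ${rule#iptables}
    done
}

apply_ruleset
```

Run as-is and it prints the commands it would issue; run with IPT=iptables in the environment (as root) and it applies them. Piping the two lines from earlier in the thread that lost their "-j ACCEPT", or the original "--sport 80" INPUT rule, through lint_rules shows why the check is there: the first would silently do nothing, the second lets any remote host reach any local port by picking 80 as its source port.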