LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 09-01-2005, 11:43 AM   #1
mousie
iptables configuration help


Hi, I am relatively new to Linux, sort of an off-and-on-again user. I've been using the same firewall script for a while and it seemed to work fine. Recently I decided to convert my laptop to a Linux machine, and using the same iptables script I can't seem to access the internet (wired). Apparently it has something to do with the outbound rules, because when I allow access to everything the internet works fine. I would have thought opening up port 80 would have been good enough. Can you please help me? I am running Slackware 10.1. My iptables script is below. Thanks.

#(1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#(2) Loopback
#Always allow loopback traffic
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -j ACCEPT

#Deny outside packets from internet which claim to be from loopback
iptables -A INPUT -j REJECT -p all -s localhost -i eth0

#(3) INPUT chain rules
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#TCP rules
iptables -A INPUT -p TCP -i eth0 --destination-port 22 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --destination-port 80 -j ACCEPT
#UDP rules
iptables -A INPUT -p UDP -i eth0 --destination-port 53 -j ACCEPT

#(4) OUTPUT chain rules
iptables -A OUTPUT -p TCP --destination-port 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p TCP --destination-port 22 -m state --state NEW -j ACCEPT
 
Old 09-01-2005, 01:36 PM   #2
primo
Re: iptables configuration help

Quote:
#(2) Loopback
#Always allow loopback traffic
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -j ACCEPT
Loosen the restrictions on the loopback interface. Not all localhost traffic is from/to 127.0.0.1. It may use any of your local interfaces' IP addresses.

Quote:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

If you want a functional connection, append NEW to --state in the OUTPUT rule. The internet isn't only port 80, not even the web which may use 443 (https) too. What about 25 (smtp), 110 (pop3), et cetera and their SSL equivalents?
 
Old 09-01-2005, 01:57 PM   #3
mousie
Original Poster
Hi, ah, I see. I added NEW to --state in the OUTPUT rule and it seems to work fine. However, would this be safe, allowing all new, established, related outbound connections? Wouldn't it be safer to specify each and every port, or will this cause problems as well? Also, when you say loosen the loopback, I thought the IP of the local machine is always 127.0.0.1. Does this change? Do you need to specify others? Thanks.
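The ruleset below is an added example written for this thread, not either poster's script. It applies primo's two points (match loopback on the interface, and allow NEW outbound) while keeping the per-port outbound allow-list mousie asks about in post #3; it goes one step beyond the thread by including outbound DNS (UDP/TCP 53), which the original script never permitted for NEW connections and which a browser needs before port 80 matters. It assumes eth0 is the internet-facing interface and, by default, only prints the commands (dry run) instead of loading them.

```shell
#!/bin/sh
# Added example, not the poster's script. IPT defaults to a dry run that
# prints each command; run with IPT=iptables as root to load the rules.
# WAN is the internet-facing interface (assumed eth0, as in the thread).
IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"

apply_rules() {
    # (1) Default policies: drop anything not explicitly allowed
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # (2) Loopback: match on the interface only. Local programs also talk to
    # the machine's own eth0 address, so limiting this to 127.0.0.1 breaks them.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # A packet with a loopback source must never arrive on the real NIC
    $IPT -A INPUT -i "$WAN" -s 127.0.0.0/8 -j DROP

    # (3) INPUT: replies to connections this host opened, plus inbound ssh
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # (4) OUTPUT: a per-port allow-list. Every rule needs NEW, otherwise no
    # connection can be opened and nothing ever becomes ESTABLISHED.
    # DNS (53) is the entry the original script lacked: with it blocked the
    # browser cannot resolve a hostname even though port 80 is open.
    for spec in "udp 53" "tcp 53" "tcp 80" "tcp 443" "tcp 22"; do
        set -- $spec
        $IPT -A OUTPUT -o "$WAN" -p "$1" --dport "$2" \
            -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    # Mail (25/smtp, 110/pop3) and their SSL ports are added to that list.

    # Log what the OUTPUT policy is about to drop, so a missing port shows
    # up in the kernel log instead of looking like a dead network.
    $IPT -A OUTPUT -o "$WAN" -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
}

apply_rules
```

In dry-run mode the output is the exact command list, so it can be diffed against the original script before anything is loaded.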