iptables, no access through http
*clearing throat*
[friend]: *whispering* "Calm down, kid." Ok. Hi all. I have been writing a firewall script for my Red Hat Linux 9. It hasn't been working properly. I have a dial-up connection, only one computer and no (dns, dhcp, ftp, nfs) servers. It's only a workstation. I do all of my homework, programming, reading, etc. on my computer. This is my simple firewall script that I wrote:
Code:
# New Chains
iptables -N allowed
# Policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# allowed chains
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP
# TCP Rules
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed

This script is ok. But I have a problem, it will not let me surf the net. I can't use the web browsers to surf. I have read tutorials and HowTo's on iptables yet I don't understand why I can't surf. When I turn off the firewall, it goes to its default ACCEPT policy. There I can surf the net. But when I turn it on again, I can't use it.
Here is another script that I wrote:
Code:
# Internet
INET_IFACE="ppp0"
# Localhost configuration
LO_IFACE="lo"
LO_IP="127.0.0.1"
# New Chains
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets
# Policies (Default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# allowed chains
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP
# TCP Rules
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
iptables -A INPUT -p TCP -s xxx.xx.xx.xxx --dport 53 -j ACCEPT
iptables -A INPUT -p TCP -s xxx.xx.xx.xxx --dport 53 -j ACCEPT
# Incoming packets from the internet
iptables -A INPUT -p ALL -i INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i INET_IFACE -j udp_packets

With this script I still get the same problem. I replaced my ISP's IP address with x's. I did this to see if my ISP wasn't getting any connection from my computer to theirs. So that I can get a dynamic IP address. But it also failed. Here is another script:
Code:
# Internet
INET_IFACE="ppp0"
# Localhost configuration
LO_IFACE="lo"
LO_IP="127.0.0.1"
# New Chains
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets
# Policies (Default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#PROC SETTINGS
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts #Block pings to broadcast IP (smurf)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians #Log non-routable IPs
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route #Block source-routed packets
#DROP BAD PACKETS
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP #DROP NEW NOT SYN
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #DROP SYN-FIN SCANS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #DROP SYN-RST SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP #DROP X-MAS SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP #DROP NMAP FIN SCAN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP #DROP NULL SCANS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP #DROP ALL/ALL SCANS
#LOG AND DROP IANA RESERVED/BOGONS
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
# allowed chains
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP
# TCP Rules
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
iptables -A INPUT -p TCP -s xxx.xx.xx.xxx --dport 53 -j ACCEPT
iptables -A INPUT -p TCP -s xxx.xx.xx.xxx --dport 53 -j ACCEPT
# Incoming packets from the internet
iptables -A INPUT -p ALL -i INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i INET_IFACE -j udp_packets

I'm thinking third time's the charm.
EEERRRRR!!!! I was wrong again. Half of the script is from a script on this website and half is mine. I'm not so good at iptables. But I do read a lot about iptables, yet it is hard to understand. :scratch: I'm sure that with the scripts that I showed you I should be able to surf. But it doesn't. I don't know why. I have been working on this for two weeks and I'm very frustrated. I'm thinking my frustration is making me go through a loophole. Never to find a solution. :cry: I will appreciate all the help I can get. Thanks to all in advance. |
First of all I like the part of dropping bogons and all, and it would be good if everyone implemented that. That said, 1) your list isn't complete: Google for "cymru bogon" and you'll find lists that are easy to convert 2) you don't DROP outbound bogons. Next to that I like to keep the flow (the path packets traverse the chains by) in firewall scripts as well so it'll be easier to see what goes where (INPUT > tcp_packets > allowed).
Best advice if you like to write your own rules is to let all "decisions" be preceded by -j LOG rules, so you can actually see what gets through or not. Your HTTP requests are outbound traffic, so if you want to keep output DROPped without opening you cannot make requests (logging it would have shown that). |
Ok, looking at your firewalls I see the following problems:
In the first one, you don't allow any kind of UDP so DNS lookups won't work. It also only allows incoming traffic to ports 80 and 22. It doesn't allow any outgoing replies (your ESTABLISHED,RELATED rule is in the "allowed" chain and only packets with --dport 80/22 are loaded onto the "allowed" chain). In order to get outgoing reply traffic through you'd need to load --sport 80/22 traffic onto "allowed" as well.

In the second one, you have a similar problem. You've added a "udp_packets" chain but it's never used. You have rules for DNS this time, but you only allow tcp traffic. The bulk of DNS traffic is going to be UDP, with TCP only being used in rare circumstances. You mentioned that you have a dynamic IP, which is likely using DHCP/BOOTP to get an IP address. Note that this uses UDP ports 67/68, not the DNS port 53.

Third is basically the same firewall as the second with some bogon and bad flag filtering, so it has the same fundamental problems...you have a "udp_packets" chain but it doesn't do anything, etc.

For some general firewall troubleshooting advice, try starting out by allowing all traffic on the OUTPUT chain (just make your default policy ACCEPT). Once you get your INPUT filtering working properly then move to tightening OUTPUT. Also, when you are stuck and packets are getting dropped somewhere try adding some logging rules around all of the DROP rules. That way you can see where the packets are dying and what kind of packets they are (port numbers, incoming, outgoing, etc). For example, if you had a single drop rule then you'd want to do something like this:
Code:
...
...
iptables -A INPUT -j LOG --log-prefix "Before DROP rule"
iptables -A INPUT -j DROP
iptables -A INPUT -j LOG --log-prefix "After DROP rule"
...
... |
Ok. On my script I added --sport 22 and 80 just like this:
Code:
# TCP Rules
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --sport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --sport 80 -j allowed

I also wrote it like this:
Code:
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 --sport 80 -j allowed

Neither of these two ways worked. Even with the OUTPUT policy with the ACCEPT chain. The same goes with this:
Code:
# UDP Rules
iptables -A udp_packets -p UDP --dport 67 -j allowed
iptables -A udp_packets -p UDP --sport 67 -j allowed
iptables -A udp_packets -p UDP --dport 68 -j allowed
iptables -A udp_packets -p UDP --sport 68 -j allowed

These are the ports for dynamic IP address that Capt_Caveman had told me to open. I added:
Code:
echo "1" > /proc/sys/net/ipv4/ip_dynaddr #Dynamic IP support

This replaces the chain (I hope) and it works fine for now. I am going to replace the "tcp_packets" with the INPUT chain; hopefully this will work, and if it doesn't then I'll just start all over. For now I'll just keep working on the script. Ok. Capt_Caveman, you said I could use the LOG rule for DROPed packets. If I use it, where can I see the logs? |
I tested out your script a bit. I missed it the first time through, but you are never referencing any of your variables in the shell script. When you set a variable (like INET_IFACE="ppp0"), in order to use the value held by the variable you need to reference the variable using the $ operator. So in your script, you need to use $INET_IFACE not just INET_IFACE. With the way you have the script written, iptables is filtering on an interface literally named "INET_IFACE" instead of ppp0. In fact if you look at the output of iptables -vL, you'll see the INET_IFACE listed instead of ppp0. So to give an example of how you should be using variables in your script:
Code:
INET_IFACE="ppp0"

In regards to logging, your log messages should usually appear in /var/log/messages. If you don't see anything then take a look at /etc/syslog.conf |
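Putting Capt_Caveman's two replies together, here is an added example (not a script from the thread) of the single dial-up workstation ruleset with those points applied: variables referenced as $INET_IFACE, the tcp_packets chain created before INPUT jumps to it, stateful rules so locally initiated HTTP and UDP DNS traffic gets out and its replies get back in, and a rate-limited LOG in front of each final DROP so rejected packets show up in /var/log/messages. The IPT wrapper defaulting to "echo iptables" is an assumption of this example so the rules can be printed and inspected without root; run it as IPT=iptables ./fw.sh to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. IPT defaults to a dry run that prints
# the rules; set IPT=iptables in the environment to load them for real.
IPT="${IPT:-echo iptables}"
INET_IFACE="ppp0"   # always referenced as $INET_IFACE below, never bare
LO_IFACE="lo"

firewall_rules() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback stays open; local resolvers and X clients talk over it.
    $IPT -A INPUT  -i "$LO_IFACE" -j ACCEPT
    $IPT -A OUTPUT -o "$LO_IFACE" -j ACCEPT

    # Replies to connections this host opened, TCP and UDP alike. This single
    # rule is what lets HTTP responses and DNS answers back in.
    $IPT -A INPUT -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound: HTTP requests are OUTPUT traffic and DNS is mostly UDP, so
    # both need explicit NEW rules once the OUTPUT policy is DROP.
    $IPT -A OUTPUT -o "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$INET_IFACE" -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$INET_IFACE" -p udp --dport 53 -m state --state NEW -j ACCEPT

    # Inbound services: create the user chain first, then hand new TCP to it.
    $IPT -N tcp_packets
    $IPT -A tcp_packets -p tcp --dport 22 --syn -j ACCEPT
    $IPT -A INPUT -i "$INET_IFACE" -p tcp -j tcp_packets

    # Log (rate limited) right before the catch-all drops, so anything that
    # dies here is visible in /var/log/messages with ports and direction.
    $IPT -A INPUT  -m limit --limit 5/m -j LOG --log-prefix "INPUT DROP: "
    $IPT -A INPUT  -j DROP
    $IPT -A OUTPUT -m limit --limit 5/m -j LOG --log-prefix "OUTPUT DROP: "
    $IPT -A OUTPUT -j DROP
}

firewall_rules
```

The dry-run output is a quick way to catch the bug from this post: if the literal string INET_IFACE appears anywhere in it, a variable was used without the $.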
WOOHOO!!!
Thanks. It works fine. Wow, I didn't know something that would be right there in your face could be soooo complicated to find. Almost like programming in C++. This teaches me that I should use the "iptables -vL" command more and use the LOG rule more often. Think about still being a :newbie: Now, to keep configuring the firewall script (and looking for errors too). :p Thanks again guys. |