*clearing throat*
[friend]: *whispering* "Calm down, kid."
Ok. Hi all. I have been writing a firewall script for my Red Hat Linux 9. It hasn't been working properly. I have a dial-up connection, only one computer and no (dns, dhcp, ftp, nfs) servers. It's only a workstation. I do all of my homework, programming, reading, etc. on my computer. This is my simple firewall script that I wrote:
# New Chains
iptables -N allowed
# Policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# allowed chains
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP
# TCP Rules
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
This script is ok. But I have a problem: it will not let me surf the net. I can't use the web browsers to surf. I have read tutorials and HOWTOs on iptables, yet I don't understand why I can't surf. When I turn off the firewall, it goes to its default ACCEPT policy. Then I can surf the net. But when I turn it on again, I can't use it. Here is another script that I wrote:
# Internet
INET_IFACE="ppp0"
# Localhost configuration
LO_IFACE="lo"
LO_IP="127.0.0.1"
# New Chains
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets
# Policies (Default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# allowed chains
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP
# TCP Rules
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
iptables -A INPUT -p TCP -s xxx.xx.xx.xxx --dport 53 -j ACCEPT
iptables -A INPUT -p TCP -s xxx.xx.xx.xxx --dport 53 -j ACCEPT
# Incoming packets from the internet
iptables -A INPUT -p ALL -i INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i INET_IFACE -j udp_packets
With this script I still get the same problem. I replaced my ISP's IP address with x's. I did this to see whether my ISP wasn't getting any connection from my computer to theirs, so that I can get a dynamic IP address. But it also failed. Here is another script:
# Internet
INET_IFACE="ppp0"
# Localhost configuration
LO_IFACE="lo"
LO_IP="127.0.0.1"
# New Chains
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets
# Policies (Default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#PROC SETTINGS
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts #Block pings to broadcast IP (smurf)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians #Log non-routable IPs
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route #Block source-routed packets
#DROP BAD PACKETS
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP #DROP NEW NOT SYN
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #DROP SYN-FIN SCANS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #DROP SYN-RST SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP #DROP X-MAS SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP #DROP NMAP FIN SCAN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP #DROP NULL SCANS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP #DROP ALL/ALL SCANS
#LOG AND DROP IANA RESERVED/BOGONS
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
# allowed chains
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP
# TCP Rules
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
iptables -A INPUT -p TCP -s xxx.xx.xx.xxx --dport 53 -j ACCEPT
iptables -A INPUT -p TCP -s xxx.xx.xx.xxx --dport 53 -j ACCEPT
# Incoming packets from the internet
iptables -A INPUT -p ALL -i INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i INET_IFACE -j udp_packets
I'm thinking third time's the charm. EEERRRRR!!!! I was wrong again. Half of the script is from a script on this website and half is mine. I'm not so good with iptables. But I do read a lot about iptables, yet it is hard to understand.
I'm sure that with the scripts that I showed you I should be able to surf. But it doesn't. I don't know why. I have been working on this for two weeks and I'm very frustrated. I'm thinking my frustration is making me go through a loophole. Never to find a solution.
I will appreciate all the help I can get. Thanks to all in advance.
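The ruleset below is an added example, not the poster's script or anything from the site the poster copied from. It shows the two things that keep all three scripts above from letting a browser out: the `-P OUTPUT DROP` policy is never paired with an ACCEPT rule in the OUTPUT chain, so the browser's SYN packets and DNS queries are dropped before they reach ppp0, and `-i INET_IFACE` is written without the `$`, so that rule matches a literal interface named "INET_IFACE" rather than ppp0 (the first script also appends to `tcp_packets` before ever creating that chain). The example assumes a single dial-up workstation that runs no servers, the interface name `ppp0` used in the posts, and the classic `-m state` match available on a Red Hat 9 kernel. It opens no inbound ports at all; only replies to connections the workstation itself started are let in. `DRY_RUN=1` (or running it with no argument) prints the rules instead of applying them, so the ruleset can be inspected without root; `apply` as the first argument loads it.

```shell
#!/bin/sh
# Added example: a minimal stateful iptables ruleset for a single dial-up
# workstation that runs no servers. Not the original poster's script.
# Assumed: interface ppp0 and the "-m state" match (Red Hat 9 / 2.4 kernel).

INET_IFACE="ppp0"
LO_IFACE="lo"

# ipt: run iptables, or just print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_firewall() {
    # Start from a clean slate so re-running the script is idempotent.
    ipt -F
    ipt -X

    # Default-deny in both directions, as in the original scripts. This is
    # fine, but it means every outbound packet needs an explicit ACCEPT.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Loopback: local clients talk to local daemons over lo (X11, CUPS, ...).
    ipt -A INPUT  -i "$LO_IFACE" -j ACCEPT
    ipt -A OUTPUT -o "$LO_IFACE" -j ACCEPT

    # Drop packets the connection tracker cannot classify (malformed,
    # out-of-window, replies to connections it never saw).
    ipt -A INPUT -m state --state INVALID -j DROP

    # Outbound: let this host open new connections (HTTP, DNS, mail, ...)
    # and keep talking on ones it already opened. Without a rule like this,
    # "-P OUTPUT DROP" silently eats the browser's SYN and every DNS query.
    ipt -A OUTPUT -o "$INET_IFACE" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Inbound: only replies to connections this host initiated. Note the "$":
    # "-i INET_IFACE" would match a non-existent interface and never fire.
    ipt -A INPUT -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Everything else arriving from the dial-up link is logged (rate-limited)
    # and then falls through to the INPUT DROP policy. No server ports open.
    ipt -A INPUT -i "$INET_IFACE" -m limit --limit 5/minute -j LOG --log-prefix "FW DROP: "
}

# rule_count: number of iptables commands the generator emits (dry run),
# a quick sanity check that the whole ruleset was produced.
rule_count() {
    DRY_RUN=1 apply_firewall | awk 'END { print NR }'
}

# With no argument, print the ruleset; "apply" loads it (needs root).
case "${1:-print}" in
    apply) apply_firewall ;;
    print) DRY_RUN=1 apply_firewall ;;
esac
```

To check what the firewall actually did to a packet, `iptables -L -v -n` after a failed page load shows which rule or policy counter went up; with the original scripts the OUTPUT policy counter is the one climbing. If sshd is ever wanted from outside, the right place for it is one extra INPUT rule matching `-p tcp --dport 22 -m state --state NEW`, not an unconditional `--syn` ACCEPT in a shared chain.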