*clearing throat*

[friend]:*whispering* "Calm down, kid."

Ok. Hi all. I have been writing a firewall script for my Red Hat Linux 9. It hasn't been working properly. I have a dial-up connection, only one computer and no (dns, dhcp, ftp, nfs) servers. It's only a workstation. I do all of my homework, programming, reading, etc. on my computer. This is my simple firewall script that I wrote:

# New Chains

iptables -N allowed

# Policies

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allowed chains

iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

# TCP Rules

iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed


This script is ok. But I have a problem, it will not let me surf the net. I can't use the webbrowsers to surf. I have read tutorials and HowTo's on iptables yet I don't understand why I can't surf. When I turn off the firewall, it goes to it's default ACCEPT policy. There I can surf the net. But when I turn it on again, I can't use it. Here is another script that I wrote:

# Internet

INET_IFACE="ppp0"

# Localhost configuration

LO_IFACE="lo"
LO_IP="127.0.0.1"

# New Chains

iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets

# Policies (Default)

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allowed chains

iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

# TCP Rules

iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
iptables -A INPUT -p TCP -s xxx.xx.xx.xxx --dport 53 -j ACCEPT
iptables -A INPUT -p TCP -s xxx.xx.xx.xxx --dport 53 -j ACCEPT

# Incoming packets from the internet

iptables -A INPUT -p ALL -i INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i INET_IFACE -j udp_packets

Wtih this script I still get the same problem. I replced my ISP's ip address with x's. I did this to see if my ISP wasn't getting any connection from my computer to theirs. So that I can get a dynamic ip address. But it also failed. Here is another script:

# Internet

INET_IFACE="ppp0"

# Localhost configuration

LO_IFACE="lo"
LO_IP="127.0.0.1"

# New Chains

iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets

# Policies (Default)

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#PROC SETTINGS
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts #Block pings to broadcast IP (smurf)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians #Log non-routable IPs
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route #Block source-routed packets

#DROP BAD PACKETS
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP #DROP NEW NOT SYN
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #DROP SYN-FIN SCANS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #DROP SYN-RST SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP #DROP X-MAS SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP #DROP NMAP FIN SCAN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP #DROP NULL SCANS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP #DROP ALL/ALL SCANS

#LOG AND DROP IANA RESERVED/BOGONS
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP

# allowed chains

iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

# TCP Rules

iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
iptables -A INPUT -p TCP -s xxx.xx.xx.xxx --dport 53 -j ACCEPT
iptables -A INPUT -p TCP -s xxx.xx.xx.xxx --dport 53 -j ACCEPT

# Incoming packets from the internet

iptables -A INPUT -p ALL -i INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i INET_IFACE -j udp_packets

I'm thinking third times the charm. EEERRRRR!!!! I was wrong again. Half of the script is from a script in this website and half is mine. I'm not so good on iptables. But I do read a lot about iptables yet hard to understand.
I'm sure that with the scripts that I showed you I should be able to surf. But it doesn't. I don't know why. I have been working on this for two weeks and I'm very frustrated. I'm thinking my frustration is making me go through a loophole. Never to find a solution.
I will appreciate all the help I can get. Thanks to all in advance.

First of all I like the part of dropping bogons and all, and it would be good if everyone implementend that. That said, 1) your list isn't complete: Google for "cymru bogon" and you'll find lists that are easy to convert 2) you don't DROP outbound bogons. Next to that I like to keep the flow (the path packets traverse the chains by) in firewall scripts as well so it'll be easier to see what goes where (INPUT > tcp_packets > allowed).

Best advice if you like to write your own rules is to let all "decisions" be preceded by -j LOG rules, so you can actually see what gets through or not. Your HTTP requests are outbound traffic, so if you want to keep output DROPped without opening you cannot make requests (logging it would have shown that).

Ok, looking at your firewalls I see the following problems:

In the first one, you don't allow any kind of UDP so DNS lookups won't work. It also only allows incoming traffic to ports 80 and 22. It doesn't allow any outgoing replies (your ESTABLISHED,RELATED rule is in the "allowed" chain and only packets with --dport 80/22 are loaded onto the "allowed" chain. In order to get outgoing reply traffic through you'd need to load --sport 80/22 traffic onto "allowed" as well.

In the second one, you have a similar problem. You've added a "udp_packets" chain but it's never used. You have rules for DNS this time, but you only allow tcp traffic. The bulk of DNS traffic is going to be UDP, with TCP only being used in rare circumstances. You mentioned that you have a dynamic IP, which is likely using DHCP/BOOTP to get an IP address. Note that this uses UDP ports 67/68, not the DNS port 53.

Third is basically the same firewall as the second with some bogon and bad flag filtering, so it has the same fundamental problems...you have a "udp_packets" chain but it doesn't do anything, etc.

For some general firewall troubleshooting advice, try starting out by allowing all traffic on the OUTPUT chain (just make you default policy ACCEPT). Once you get you INPUT filtering working properly then move to tightening OUTPUT. Aso, when you are stuck and packets are getting dropped somewhere try adding some logging rules around all of the DROP rules. That way you can see where the packets are dying and what kind of packets they are (port numbers, incoming, outgoing, etc). For example, if you had a single drop rule then you'd want to do something like this:

...
...
iptables -A INPUT -j LOG --log-prefix "Before DROP rule"
iptables -A INPUT -j DROP
iptables -A INPUT -j LOG --log-prefix "After DROP rule"
...
...

Ok. On my script I added --sport 22 and 80 just like this:

# TCP Rules

iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --sport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --sport 80 -j allowed

I also wrote it like this:

iptables -A tcp_packets -p TCP -s 0/0 --dport 80 --sport 80 -j allowed

None of these two ways worked. Even with the OUTPUT policy with the ACCEPT chain. The same goes with this:

# UDP Rules

iptables -A udp_packets -p UDP --dport 67 -j allowed
iptables -A udp_packets -p UDP --sport 67 -j allowed
iptables -A udp_packets -p UDP --dport 68 -j allowed
iptables -A udp_packets -p UDP --sport 68 -j allowed

These are the ports for dynamic ip address that Capt_Caveman had told me to open. I added:

echo "1" > /proc/sys/net/ipv4/ip_dynaddr #Dynamic IP support

This replaces the chain (I hope) and it works fine for now. I am going to replace the "tcp_packets" with the INPUT chain hopefully this will work if it doesn't then I'll just start all over. For now I'll just keep working on the script.

Ok. Capt_Caveman you said I could use the LOG rule for DROPed packets. If I use it where can I see the logs?

I tested out your script a bit. I missed it the first time through, but you are never referencing any of your variables in the shell script. When you set a variable (like INET_IFACE="ppp0"), in order to use the value held by the variable you need to reference the variable using the $ operator. So in your script, you need to use $INET_IFACE not just INET_IFACE. With the way you have the script written, iptables is filtering on an interface literally named "INET_IFACE" instead of ppp0. In fact if you look at the output of iptables -vL , you'll see the INET_IFACE listed instead of ppp0. So to give an example of how you should be using variables in your script:
Also, make sure that you are flushing all of your rules and removing user-defined chains using iptables -F and iptables -X so that all of the old rules are removed, otherwise you'll just be adding rulesets on top of each other.

In regards to logging, your log messages should usually appear in /var/log/messages. If you don't see anything then take a look at /etc/syslog.conf

1 members found this post helpful.

WOOHOO!!!
Thanks. It works fine. Wow, I didn't know, something that would be right there in your face, could be soooo complicated to find. Almost like programming in C++. This teaches me that I should use more the "iptables -vL' command and use the LOG rule more often. Think about still being a

Now, to keep configuring the firewall script (and looking for errors too).
Thanks again guys.