LinuxQuestions.org - Linux - Security forum
Wow! Damn, that's some nice security. Perfect. Thanks!
Also how do I allow web traffic, simply add a port 80 rule?
yup... just stick it in there before the LOG rule...
Code:
$IPT -A OUTPUT -p TCP -o $LAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT
Quote:
How would one allow all OUTBOUND traffic?
change the OUTPUT chain's policy to ACCEPT at the top of the script (you should then remove all the OUTPUT rules)... like:
Code:
#!/bin/sh
IPT="/usr/local/bin/iptables"
LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"
ADMIN_IP1="192.168.1.2"
ADMIN_IP2="200.100.100.140"
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# NETBIOS Name Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 137 \
-m state --state NEW -j ACCEPT
# NETBIOS Datagram Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 138 \
-m state --state NEW -j ACCEPT
# NETBIOS session service:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 139 \
-m state --state NEW -j ACCEPT
# Microsoft Naked CIFS:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 445 \
-m state --state NEW -j ACCEPT
# BitTorrent (and MSN file transfers):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 6881:6999 \
-m state --state NEW -j ACCEPT
# SSH2 Daemon (ADMIN #1):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP1 --dport 22 \
-m state --state NEW -j ACCEPT
# SSH2 Daemon (ADMIN #2):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP2 --dport 22 \
-m state --state NEW -j ACCEPT
# Log (with limit) other packets before sending them to DROP:
$IPT -A INPUT -j LOG -m limit --limit 3/minute \
--log-prefix "INPUT DROP: "
Quote:
I may have confused you/myself. I do need to be able to access things like IRC, MSN, FTP, HTTP etc. from the machine, as it's not only a server, but a desktop machine running Gaim etc.
well the easiest thing to do in such a case would be to set the OUTPUT policy to ACCEPT, as above... the more secure alternative is to add an OUTPUT rule for each thing you need to use... sorta like this:
Code:
#!/bin/sh
IPT="/usr/local/bin/iptables"
LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"
ADMIN_IP1="192.168.1.2"
ADMIN_IP2="200.100.100.140"
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# NETBIOS Name Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 137 \
-m state --state NEW -j ACCEPT
# NETBIOS Datagram Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 138 \
-m state --state NEW -j ACCEPT
# NETBIOS session service:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 139 \
-m state --state NEW -j ACCEPT
# Microsoft Naked CIFS:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 445 \
-m state --state NEW -j ACCEPT
# BitTorrent (and MSN file transfers):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 6881:6999 \
-m state --state NEW -j ACCEPT
# SSH2 Daemon (ADMIN #1):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP1 --dport 22 \
-m state --state NEW -j ACCEPT
# SSH2 Daemon (ADMIN #2):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP2 --dport 22 \
-m state --state NEW -j ACCEPT
# Log (with limit) other packets before sending them to DROP:
$IPT -A INPUT -j LOG -m limit --limit 3/minute \
--log-prefix "INPUT DROP: "
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Pings:
$IPT -A OUTPUT -p ICMP -o $LAN_IFACE --icmp-type 8 \
-m state --state NEW -j ACCEPT
# DNS:
$IPT -A OUTPUT -p UDP -o $LAN_IFACE --dport 53 \
-m state --state NEW -j ACCEPT
# HTTP:
$IPT -A OUTPUT -p TCP -o $LAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT
# HTTPS:
$IPT -A OUTPUT -p TCP -o $LAN_IFACE --dport 443 \
-m state --state NEW -j ACCEPT
# FTP:
$IPT -A OUTPUT -p TCP -o $LAN_IFACE --dport 21 \
-m state --state NEW -j ACCEPT
# IRC:
$IPT -A OUTPUT -p TCP -o $LAN_IFACE --dport 6667 \
-m state --state NEW -j ACCEPT
# Gaim:
$IPT -A OUTPUT -p TCP -o $LAN_IFACE --dport 1863 \
-m state --state NEW -j ACCEPT
# BitTorrent:
$IPT -A OUTPUT -p TCP -o $LAN_IFACE --dport 6881:6999 \
-m state --state NEW -j ACCEPT
# Log all other packets before sending them to DROP:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
if your iptables has support for the multiport match, then you could specify multiple ports on one rule, greatly simplifying your script, like:
Code:
#!/bin/sh
IPT="/usr/local/bin/iptables"
LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"
ADMIN_IP1="192.168.1.2"
ADMIN_IP2="200.100.100.140"
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# NETBIOS Name and Datagram Services from the LAN (one multiport rule):
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET -m multiport \
--dport 137,138 -m state --state NEW -j ACCEPT
# NETBIOS session service, CIFS and BitTorrent from the LAN:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET -m multiport \
--dport 139,445,6881:6999 -m state --state NEW -j ACCEPT
# SSH2 Daemon (ADMIN #1):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP1 --dport 22 \
-m state --state NEW -j ACCEPT
# SSH2 Daemon (ADMIN #2):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP2 --dport 22 \
-m state --state NEW -j ACCEPT
# Log (with limit) other packets before sending them to DROP:
$IPT -A INPUT -j LOG -m limit --limit 3/minute \
--log-prefix "INPUT DROP: "
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Pings:
$IPT -A OUTPUT -p ICMP -o $LAN_IFACE --icmp-type 8 \
-m state --state NEW -j ACCEPT
# DNS:
$IPT -A OUTPUT -p UDP -o $LAN_IFACE --dport 53 \
-m state --state NEW -j ACCEPT
# HTTP, HTTPS, FTP, IRC, MSN (Gaim) and BitTorrent in one multiport rule:
$IPT -A OUTPUT -p TCP -o $LAN_IFACE -m multiport \
--dport 80,443,21,6667,1863,6881:6999 -m state --state NEW -j ACCEPT
# Log all other packets before sending them to DROP:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
Quote:
I'd be happy making individual rules for each application if its better to do that?
yes, it's the more secure option... but it's also the less friendly, of course...
Quote:
Also, just to be sure, when I run iptables -L I get this:
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Can you explain what these mean?
Thanks a lot!
well, to get a better idea of what's going-on i suggest you use this command instead:
Code:
iptables -L -v -n
it will give you more info such as which interface the rules apply to, etc... but basically what you posted is: the first line says that packets with a state of RELATED or ESTABLISHED are to be sent to ACCEPT... we need to do this because since our policy is set to DROP, which blocks all packets, we need to allow packets which are parts of connections that have already been established or that are parts of directly related connections... the second line is sending all packets to ACCEPT, most likely because it's the rule for the loopback interface, and we trust ourselves...
Hey win32sux, I don't suppose you managed to sort out how to implement OpenVPN into the firewall?
no, not yet... my laptop did arrive, but i need to finish getting the basic linux stuff set-up before thinking about my VPN and stuff... i do know that the cool thing about OpenVPN is that you only need to use one port, though...
# BitTorrent (and MSN file transfers):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 6881:6999 \
-m state --state NEW -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 6881 -j DNAT --to 10.8.0.6:6881
To forward BitTorrent traffic down my VPN to my connected client (i.e. on another machine somewhere on the net).
However, doesn't that first IPTABLES rule (which I got from your post) only allow BitTorrent traffic from my local network? Which would be useless?
Also, can you see any inherent security problems with this rule?
Thanks!
Damn, this rule doesn't work. I can't even get web browsing to work.
I've "echo 1 > /proc/sys/net/ipv4/ip_forward" 'ed, and added the following rules as recommended by OpenVPN's FAQ.
Rules added:
Code:
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
# Allow TAP interface connections to OpenVPN server
iptables -A INPUT -i tap+ -j ACCEPT
# Allow TAP interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tap+ -j ACCEPT
Just when I connect to my server, I cannot browse the web. I know OpenVPN is set up correctly, as I used to be able to browse websites with my old firewall config.
well, that's one of the reasons the LOG rules are there... check your logs to see which packets are getting sent to DROP...
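An added example (not code from the thread) of what "check your logs" looks like in practice: a small shell digest of the lines the "INPUT DROP: " and "OUTPUT DROP: " LOG rules from the scripts above write to the kernel log, followed by the ACCEPT rule, in win32sux's own style, that would let the most frequently dropped traffic through. Assumptions: the kernel log is /var/log/messages and syslog prefixes each line with "host kernel: "; the IN=/OUT=/SRC=/DST=/PROTO=/DPT= tokens are what the LOG target itself writes. The sample log lines are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread: digest what the "INPUT DROP: " and
# "OUTPUT DROP: " LOG rules wrote to the kernel log, then print the ACCEPT rule
# (in the thread's own style) that would let the most-dropped traffic through.
# Assumptions: kernel log is /var/log/messages, syslog prefix is "host kernel: ".
#
# Real use:  grep 'DROP: ' /var/log/messages | suggest_for_top_drop

# Constructed sample log: three blocked outbound IMAPS connections, two SSH
# attempts from a non-admin LAN host, one inbound ping, and one unrelated line.
sample_log() {
    cat <<'EOF'
Jan 12 10:21:03 fw kernel: OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40321 DPT=993 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:21:04 fw kernel: OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40321 DPT=993 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:21:06 fw kernel: OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40321 DPT=993 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:22:10 fw kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:22:11 fw kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:23:00 fw kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jan 12 10:23:01 fw sshd[123]: Accepted publickey for admin from 192.168.1.2 port 5000 ssh2
EOF
}

# Count dropped packets per chain, protocol and destination port, most frequent first.
summarize_drops() {
    awk '
    /(INPUT|OUTPUT|FORWARD) DROP: / {
        match($0, /[A-Z]+ DROP: /)              # the chain name precedes " DROP: "
        chain = substr($0, RSTART, RLENGTH - 7)
        proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {             # LOG writes KEY=VALUE tokens
            if (split($i, kv, "=") != 2) continue
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "TYPE") dpt = "type" kv[2]   # ICMP: type instead of port
        }
        count[chain " " proto " dpt=" dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Echo an ACCEPT rule in the style of the thread's scripts: $1 chain, $2 protocol, $3 port.
suggest_rule() {
    chain=$1; proto=$2; dport=$3
    case "$chain" in
        INPUT)  dir="-i \$LAN_IFACE -s \$LAN_NET" ;;
        OUTPUT) dir="-o \$LAN_IFACE" ;;
        *) echo "unsupported chain: $chain" >&2; return 1 ;;
    esac
    echo "\$IPT -A $chain -p $proto $dir --dport $dport -m state --state NEW -j ACCEPT"
}

# Read log lines on stdin and print the rule for the most frequently dropped flow.
suggest_for_top_drop() {
    summarize_drops | head -n 1 | {
        read -r _count chain proto dpt || return 1
        case "$dpt" in
            dpt=type*) echo "# ICMP type ${dpt#dpt=type}: use an --icmp-type rule, not a port rule" ;;
            *)         suggest_rule "$chain" "$proto" "${dpt#dpt=}" ;;
        esac
    }
}
```

On the sample, the digest is "3 OUTPUT TCP dpt=993", "2 INPUT TCP dpt=22", "1 INPUT ICMP dpt=type8", and the suggested rule opens outbound 993. The rule is printed with -A because that is how the scripts above are written; in the script it belongs above the LOG line, as win32sux says, because on a live chain -A would append it after the LOG rule (use -I with a rule number there). The two SSH drops from 192.168.1.50 are the policy working as intended, since only the two ADMIN_IP addresses may reach port 22.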
I tried a ping to www.google.com from my VPN client while connected and the packets are definitely being dropped.
I'm not sure where to go from here though. I've added rules to allow traffic in from the VPN and also for traffic to be forwarded to other devices (as in the OpenVPN FAQ).
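An added example, not code from the thread or from the OpenVPN FAQ, covering both the DNAT question earlier in the thread and the "can't browse when connected" post above. With the FORWARD policy at DROP, the FAQ's "-i tun+ -j ACCEPT" rules only cover packets arriving from the tunnel; the replies arriving on eth0 and bound for tun+ hit the DROP policy, and without source NAT the upstream network has no route back to 10.8.0.x anyway. DNAT'd packets also traverse FORWARD rather than INPUT, so the INPUT rule for 6881 (restricted to $LAN_NET) never sees them. Assumptions not stated in the thread: eth0 is the internet-facing interface, the OpenVPN subnet is 10.8.0.0/24 (OpenVPN's default, containing the thread's 10.8.0.6 client), and clients send their internet traffic through the VPN.

```sh
#!/bin/sh
# Added example, not from the thread or the OpenVPN FAQ: what a FORWARD chain
# with policy DROP needs before a connected OpenVPN client can reach the
# internet, or receive the DNAT'd BitTorrent port, through this server.
# Assumptions: eth0 faces the internet, VPN subnet is 10.8.0.0/24, clients
# route their internet traffic via the VPN. Set IPT=echo to print the
# commands instead of applying them.

IPT="${IPT:-/usr/local/bin/iptables}"   # same binary path as the thread's scripts
WAN_IFACE="${WAN_IFACE:-eth0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
BT_CLIENT="${BT_CLIENT:-10.8.0.6}"      # VPN client that the thread DNATs port 6881 to

vpn_forward_rules() {
    # 0. The thread's own DNAT rule: incoming 6881 on eth0 is rewritten to the VPN client.
    $IPT -t nat -A PREROUTING -p TCP -i "$WAN_IFACE" --dport 6881 -j DNAT --to "$BT_CLIENT:6881"
    # 1. Replies and related packets for already-allowed connections, in BOTH directions.
    #    This is what the FAQ snippet lacks: without it every reply from eth0 to tun+
    #    falls through to the DROP policy.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 2. New connections from VPN clients out to the internet.
    $IPT -A FORWARD -i tun+ -o "$WAN_IFACE" -s "$VPN_NET" -m state --state NEW -j ACCEPT
    # 3. New connections for the DNAT'd BitTorrent port. FORWARD sees the translated
    #    destination, so match on the client's VPN address.
    $IPT -A FORWARD -i "$WAN_IFACE" -o tun+ -p TCP -d "$BT_CLIENT" --dport 6881 \
        -m state --state NEW -j ACCEPT
    # 4. Log the rest before the policy drops it, rate-limited like the thread's INPUT log.
    $IPT -A FORWARD -j LOG -m limit --limit 3/minute --log-prefix "FORWARD DROP: "
    # 5. Source NAT for VPN clients leaving on eth0, so replies come back to this box
    #    instead of to an unroutable 10.8.0.x address.
    $IPT -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IFACE" -j MASQUERADE
}
```

Running it with IPT=echo prints the six commands without touching the firewall. The FAQ's tun+/tap+ INPUT and FORWARD rules can stay alongside these; rule 1 and rule 5 are the two things those rules alone do not give you, and rule 3 is what the DNAT line needs in place of the LAN-only INPUT rule. If the ping from the VPN client still fails afterwards, the "FORWARD DROP: " entries in the log show which packet is being refused.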