Old 11-06-2005, 06:05 AM   #1
Niceman2005
Member
 
Registered: Nov 2004
Distribution: Fedora Core 2
Posts: 330

my firewall script: unable to understand its function


Dear friends,

I wrote an ultra simple firewall script but am struggling to understand some issues about it.
The scope of my original script is as follows:

1)
$iptables -P FORWARD DROP
$iptables -P INPUT DROP
$iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

The above script works fine. I was able to surf the internet and the firewall runs.

Then I tried to experiment a bit by changing the -p ALL to -p tcp instead, as follows:

2)
$iptables -P FORWARD DROP
$iptables -P INPUT DROP
$iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

Upon changing -p ALL to -p tcp, internet surfing seems to be blocked. I suspect it is something to do with DNS, so I tried the following addition:

3)
$iptables -P FORWARD DROP
$iptables -P INPUT DROP
$iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p udp -m state --state NEW,ESTABLISHED,RELATED --destination-port 53 -j ACCEPT

but it doesn't work...
Actually, I can simply use the first script; internet surfing is fine with the first script. But I am just curious, so I tried to experiment... I just can't understand why script 3) doesn't work...

Thanks a lot for taking time reading my thread...thanks a lot.

Regards
Yong
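Why script 3) drops DNS answers, as an added example that is not part of the thread: a DNS reply arrives from source port 53 to the high port the resolver used, so a rule matching --destination-port 53 never sees it. The block below is script 3) with that line corrected; the IPTABLES path (/sbin/iptables) is an assumption, and dry_run prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread: script 3) with the DNS reply rule fixed.
# The iptables path is an assumption; dry_run prints the rules instead of loading them.
IPTABLES="${IPTABLES:-/sbin/iptables}"

apply_rules() {
    # Default policies: forward nothing, accept nothing inbound unless matched below.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Replies to TCP connections this host opened (web browsing).
    $IPTABLES -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

    # A DNS answer comes FROM port 53 TO the resolver's high port, so the
    # "--destination-port 53" rule in script 3) never matches it. Match the
    # server's source port instead, and only for queries conntrack saw go out.
    $IPTABLES -A INPUT -p udp --source-port 53 -m state --state ESTABLISHED -j ACCEPT

    # ICMP errors tied to our own connections (e.g. destination unreachable).
    $IPTABLES -A INPUT -p icmp -m state --state RELATED -j ACCEPT

    # Log before dropping so a wrong rule shows up in the kernel log.
    $IPTABLES -A INPUT -j LOG --log-prefix "IN_DROP_REST "
    $IPTABLES -A INPUT -j DROP
}

# Print the rules with "iptables" substituted, without touching the kernel.
dry_run() {
    ( IPTABLES="echo iptables"; apply_rules )
}
```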
 
Old 11-06-2005, 08:06 AM   #2
Grim Reaper
Member
 
Registered: Apr 2002
Distribution: Gentoo 2006.0 AMD64
Posts: 399

I don't know if this will fix your problem or not, but when I was experimenting recently, I found that you need to allow both TCP and UDP for DNS to work.. so try 3) as:

$iptables -P FORWARD DROP
$iptables -P INPUT DROP
$iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p udp -m state --state NEW,ESTABLISHED,RELATED --destination-port 53 -j ACCEPT
$iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --destination-port 53 -j ACCEPT

just a quick idea..
 
Old 11-06-2005, 12:11 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

First of all I hope the script you showed us wasn't the full script because you're missing some things. If it is, please check out the LQ FAQ: Security references for pointers to Iptables scripts, especially the .*guru scripts.

Grim Reaper wrote:
> I don't know if this will fix your problem or not, but when I was experimenting recently, I found that you need to allow both TCP and UDP for DNS to work..
True, but you're *making* the requests, so that means --state NEW outbound, and --state ESTABLISHED,RELATED inbound. You only need --state NEW inbound if you're hosting a DNS server (say a caching server for your LAN).

Returning to your original question. If something doesn't work the first thing to look for (goes for *everything*) is to check error and debug output. For that Iptables needs "-j LOG" rules before the "decision":

# First rule match, so INPUT will ACCEPT for debugging purposes
$iptables -P INPUT ACCEPT
# Not forwarding for other hosts, so DROP it
$iptables -P FORWARD DROP
# Stating the obvious
$iptables -P OUTPUT ACCEPT
# Not running servers, so DROP that
$iptables -A INPUT -m state --state NEW -j LOG --log-prefix="IN_DROP_SYN "
$iptables -A INPUT -m state --state NEW -j DROP
# Drop these too
$iptables -A INPUT -m state --state INVALID -j LOG --log-prefix="IN_DROP_INV "
$iptables -A INPUT -m state --state INVALID -j DROP
# Responses
$iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# LOG everything else that doesn't match protocol and state
$iptables -A INPUT -j LOG --log-prefix="IN_DROP_REST "
# Now we got that logged, DROP it like it's hot
$iptables -A INPUT -j DROP

Run it for a while and then check your logs for the DROP lines to see which hosts get traffic dropped that *seems* legitimate.
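One way to read those "-j LOG" lines, as an added example that is not part of the thread: the awk filter below counts dropped packets per log prefix, protocol and source host, using the probed port for IN_DROP_SYN and the sending port otherwise, so answers from port 53 that the INPUT chain rejected stand out. The four log lines are constructed (RFC 5737 test addresses) in the format the kernel's LOG target produces.

```shell
#!/bin/sh
# Added example, not from the thread: summarise kernel LOG lines written by the
# debugging rules above. The log lines below are constructed sample input.
sample_log() {
    cat <<'EOF'
Nov  6 12:11:03 fw kernel: IN_DROP_REST IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=192.0.2.53 DST=198.51.100.7 LEN=131 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=53 DPT=34567 LEN=111
Nov  6 12:11:04 fw kernel: IN_DROP_REST IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=192.0.2.53 DST=198.51.100.7 LEN=119 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=53 DPT=34568 LEN=99
Nov  6 12:12:40 fw kernel: IN_DROP_SYN IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=4021 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  6 12:13:02 fw kernel: IN_DROP_INV IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=198.51.100.20 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=51000 WINDOW=0 RES=0x00 ACK RST URGP=0
EOF
}

# Count dropped packets per prefix, protocol and source host. For IN_DROP_SYN
# (inbound connection attempts) the interesting port is the one probed (DPT);
# for everything else it is the port the packet came from (SPT), which is how
# dropped DNS answers from port 53 become visible at a glance.
summarize_drops() {
    awk '
    /IN=/ {
        prefix = src = proto = spt = dpt = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^IN=/)         prefix = $(i - 1)
            else if ($i ~ /^SRC=/)   src = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^SPT=/)   spt = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        }
        port = (prefix == "IN_DROP_SYN") ? ("dpt=" dpt) : ("spt=" spt)
        count[prefix " " proto " " src " " port]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}
```

Feed it real lines with `grep IN_DROP_ /var/log/messages | summarize_drops`; the top entries are the hosts worth a second look.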
 
Old 11-16-2005, 07:21 PM   #4
Niceman2005
Member
 
Registered: Nov 2004
Distribution: Fedora Core 2
Posts: 330

Original Poster
Hi guys,

thanks a lot for helping!!