LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-02-2008, 02:08 PM   #1
Hammett
Senior Member
 
Registered: Aug 2003
Location: Barcelona, Catalunya
Distribution: Gentoo
Posts: 1,074

Rep: Reputation: 59
Need advice on my iptables config


Hello everyone!

I'm a complete noob regarding iptables configuration, but reading some documentation and howtos, I ended up with this little script.

It should block all inbound and outbound connections unless specifically allowed, but testing the firewall indicates that a lot of ports are open which shouldn't be.

I need advice on how to improve my firewall so I can only give access to those ports I really want to have connection.

Code:
# Generated by Hammett on Mon 10th Sep 2007
# iptables-restore(8) format: chain policies are set by the ":CHAIN POLICY [pkts:bytes]"
# lines below, and iptables-restore flushes the table itself, so -P/-F/-X lines do not
# belong in this file (iptables-restore rejects them).
*filter
# Shut down all traffic unless explicitly allowed below
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# accept all on the loopback interface
# (-i/-o take an interface name such as lo, not an address like 127.0.0.1)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow DNS
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT

# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow HTTP,HTTPS
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# Allow ftp
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 20:21 -j ACCEPT
# Allow rsync (for portage)
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 873 -j ACCEPT

# Allow ping
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Allow Bit-torrent connections
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6889 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 6881:6999 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 6881:6889 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 2710 -j ACCEPT

#Allow Skype
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 23399 -j ACCEPT

#Allow GIT
-A OUTPUT -p udp -m state --state NEW -m udp --dport 9418 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 9418 -j ACCEPT

#Allow TitleTrading
-A OUTPUT -p udp -m state --state NEW -m udp --dport 19010 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 19010 -j ACCEPT

#Allow World of Warcraft
-A OUTPUT -p udp -m state --state NEW -m udp --dport 3724 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 3724 -j ACCEPT

# Allow MSN Messenger
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 1863 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 6891:6899 -j ACCEPT
-A OUTPUT -p udp -m state --state NEW -m udp --dport 6891:6899 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6891:6899 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 6891:6899 -j ACCEPT

# Allow SoulSeek
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 2240 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 2234:2239 -j ACCEPT

# Allow IRC
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 6665:6669 -j ACCEPT

COMMIT
Firewall test done under GRC ShieldsUP! shows that:
Code:
Results from scan of ports: 0-1055

  786 Ports Open
    1 Ports Closed
  269 Ports Stealth
---------------------
 1056 Ports Tested
Any help is more than appreciated.
 
Old 10-02-2008, 02:19 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
My first piece of advice is that you stop messing with the iptables configuration file. You should make yourself an iptables script, and the only thing editing the configuration file should be the iptables-save binary itself. Here's a script to get you started:
Code:
#!/bin/sh

IPT="/sbin/iptables"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p TCP -i eth0 --dport 6881 \
-m state --state NEW -j ACCEPT

$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A OUTPUT -o lo -j ACCEPT

$IPT -A OUTPUT -p UDP -o eth0 --dport 53 \
-m state --state NEW -j ACCEPT

$IPT -A OUTPUT -p TCP -o eth0 --dport 443 \
-m state --state NEW -j ACCEPT

$IPT -A OUTPUT -p TCP -o eth0 --dport 80 \
-m state --state NEW -j ACCEPT

$IPT -A OUTPUT -p TCP -o eth0 --dport 21 \
-m state --state NEW -j ACCEPT

$IPT -A OUTPUT -p TCP -o eth0 --dport 6881:6999 \
-m state --state NEW -j ACCEPT

$IPT -A OUTPUT -p ICMP -o eth0 --icmp-type 8 \
-m state --state NEW -j ACCEPT
All you gotta do is follow the examples to add your own rules.

Last edited by win32sux; 10-02-2008 at 02:30 PM.
 
Old 10-02-2008, 04:44 PM   #3
Hammett
Senior Member
 
Registered: Aug 2003
Location: Barcelona, Catalunya
Distribution: Gentoo
Posts: 1,074

Original Poster
Rep: Reputation: 59
Thanks for the advice; I followed it and created the script you suggested.

The problem though, still persists.

If I understand it well, the iptables -P INPUT DROP will stealth all incoming connections, no matter what port.

If so, why do I still have some ports open that are not specified in the rules?
 
Old 10-02-2008, 05:06 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
The only way for a port to be "open" is if there is something listening on it. I seriously doubt you have 786 things listening on your computer, so I would make sure the scanner you are using is not giving false positives. The script, as posted, only allows connections to one port (6881/TCP). So a port scanner should show that port as "closed" if you don't have anything listening on it, and "open" if you do (such as your BitTorrent application). All other ports should appear as "stealthed" or "filtered".

Last edited by win32sux; 10-02-2008 at 05:30 PM.