LinuxQuestions.org
08-25-2013, 12:18 PM   #1
tiuz (Member)
Problems with iptables > Rules set but not working effectively


Hello,

My original iptables rules were (are) these:
--------------
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p icmp -i ppp0 -j DROP
iptables -A INPUT -s 127.0.0.1/32 -i ppp0 -j DROP
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A INPUT -m limit --limit 20/minute -j LOG --log-level 4 --log-prefix "Iptables_DROP: "
--------------------
for my box to act as a router/gateway for the LAN PCs, in combination with dansguardian, squid and p3scan. So far everything works fine.

But I needed to block access to HTTPS Facebook and Twitter, so I added these rules (which I found searching Google):

iptables -I FORWARD -m string --string ´facebook´ --algo bm -j DROP
iptables -I FORWARD -m string --string ´twitter´ --algo bm -j DROP

After adding the rules, neither https://www.facebook.com nor https://www.twitter.com worked, which is great. I saved the iptables rules via iptables-save > /etc/iptables_rules.
At system boot these are loaded via /etc/rc.local, which looks like:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables-restore < /etc/iptables_regeln
echo "1" >/proc/sys/net/ipv4/tcp_syncookies
pptp adsl
exit 0

After every reboot the iptables rules are present, but Facebook and Twitter are accessible again. If I delete the rules and add them manually again, it works again. I have no idea why it works when I add the rules manually but they don't work when loaded via iptables-restore (iptables -L shows that the rules are set).

On that machine I am using Debian 6.0.

Thanks for any ideas / hints.

tz.
 
08-26-2013, 05:13 AM   #2
zhjim (Senior Member)
Please provide the output of /etc/iptables_regeln.

Also make sure that the connection has not been established before you activate the iptables rules, which should not be the case if run through rc.local.
Maybe changing the position of the rules helps. Just put them before the ESTABLISHED,RELATED rules.
 
08-27-2013, 06:26 AM   #3
tiuz (Member, Original Poster)
Hello,

I have modified the lines a bit; here are the rules I have tested now, and the output of iptables -L:

Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- localhost anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP icmp -- anywhere anywhere icmp echo-request
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 20/min burst 5 LOG level warning prefix `Iptables_DROP: '

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere STRING match "|c2b474776974746572c2b4|" ALGO name bm TO 65535
DROP all -- anywhere anywhere STRING match "|c2b466616365626f6f6bc2b4|" ALGO name bm TO 65535
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

I have used these rules one after another:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -I FORWARD -m string --string ´facebook´ --algo bm -j DROP
iptables -I FORWARD -m string --string ´twitter´ --algo bm -j DROP
iptables -I INPUT -i ppp0 -p icmp --icmp-type echo-request -j DROP
iptables -I INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
iptables -I INPUT -i lo -p icmp --icmp-type echo-request -j ACCEPT
iptables -I INPUT -i eth1 -p icmp --icmp-type echo-request -j ACCEPT
iptables -I INPUT -s 127.0.0.1/32 -i ppp0 -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A INPUT -m limit --limit 20/minute -j LOG --log-level 4 --log-prefix "Iptables_DROP: "

And finally, this is the content of /etc/iptables_regeln, which I saved with iptables-save > /etc/iptables_regeln:

# Generated by iptables-save v1.4.8 on Tue Aug 27 13:04:55 2013
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Tue Aug 27 13:04:55 2013
# Generated by iptables-save v1.4.8 on Tue Aug 27 13:04:55 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -i ppp0 -j DROP
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i lo -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m limit --limit 20/min -j LOG --log-prefix "Iptables_DROP: "
-A FORWARD -m string --hex-string "|c2b474776974746572c2b4|" --algo bm --to 65535 -j DROP
-A FORWARD -m string --hex-string "|c2b466616365626f6f6bc2b4|" --algo bm --to 65535 -j DROP
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
# Completed on Tue Aug 27 13:04:55 2013

Again https://www.facebook.com and https://www.twitter.com are accessible, and again, if I delete these rules

iptables -I FORWARD -m string --string ´facebook´ --algo bm -j DROP
iptables -I FORWARD -m string --string ´twitter´ --algo bm -j DROP

and insert them manually afterwards, it works, but not if loaded at boot time. The rules are loaded before the internet connection is established, which rc.local reflects (pptp adsl starts the internet connection):

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables-restore < /etc/iptables_regeln
echo "1" >/proc/sys/net/ipv4/tcp_syncookies
pptp adsl
exit 0

tz.
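Two checks worth running on a dump like the one above, as an added example (Python, not code from this thread): decode what the saved --hex-string rules actually match, and count rules that appear more than once per table. Here c2 b4 is the UTF-8 encoding of the acute accent (U+00B4), so the saved pattern is ´twitter´ with the accents included, and the nat table lists each rule ten times. The sample input is constructed, trimmed from the posted dump.

```python
from collections import Counter

# Constructed sample, trimmed from the posted dump (2 copies stand in for 10).
SAMPLE = """\
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m string --hex-string "|c2b474776974746572c2b4|" --algo bm --to 65535 -j DROP
-A FORWARD -m string --hex-string "|c2b466616365626f6f6bc2b4|" --algo bm --to 65535 -j DROP
COMMIT
"""

def decode_hex_string(spec: str) -> bytes:
    """iptables --hex-string notation: hex bytes between | |, literal text outside."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_iptables_save(text: str) -> dict:
    """Map each *table to its -A rule lines, in file order."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A") and current is not None:
            tables[current].append(line)
    return tables

def duplicate_rules(text: str) -> dict:
    """{(table, rule): count} for rules listed more than once (appended without a flush)."""
    dups = {}
    for table, rules in parse_iptables_save(text).items():
        for rule, n in Counter(rules).items():
            if n > 1:
                dups[(table, rule)] = n
    return dups

def string_match_patterns(text: str) -> list:
    """Bytes each '-m string --hex-string' rule really matches, decoded as UTF-8."""
    found = []
    for rule in sum(parse_iptables_save(text).values(), []):
        if "--hex-string" in rule:
            spec = rule.split('--hex-string "', 1)[1].split('"', 1)[0]
            found.append(decode_hex_string(spec).decode("utf-8", "replace"))
    return found
```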
 
08-28-2013, 07:03 AM   #4
tiuz (Member, Original Poster)
I played around with it yesterday, changed positions of rules and so on, without any success.

Then I tried to add sleep 5 just before pptp adsl in /etc/rc.local, so that the internet connection will not be established (directly) right after the iptables rules have been loaded, and it works now. If I try https://www.facebook.com or https://www.twitter.com, no connection will be established. I did several reboots (just in case) and it still works :-))

tz.
 
08-28-2013, 07:18 AM   #5
zhjim (Senior Member)
Nice one.

Still some odd behavior. Any interest in comparing the output of iptables-save with and without the sleep in between?
 
08-28-2013, 02:55 PM   #6
Gullible Jones (Member)
I've seen stuff like this before, and believe it is some sort of race condition. Try using iptables-restore to apply the rules instead:

Code:
iptables-restore <<ENDRULES
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
... blah blah rules ...
COMMIT
ENDRULES
Edit: hope that helps, and BTW thank you for mentioning this iptables feature; I didn't realize it existed until today!

Last edited by Gullible Jones; 08-28-2013 at 03:08 PM.
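To build the restore file this post suggests from a list of iptables commands like the one in #3, here is an added Python converter (not code from this thread or from the iptables project). It honors -t, -P, -A and -I (insert at the top), so the generated order matches what iptables-save showed above; the sample commands are a constructed subset of those posted.

```python
import shlex
import string

# Constructed sample: a subset of the iptables commands posted in #3 above.
COMMANDS = """\
iptables -P FORWARD DROP
iptables -I FORWARD -m string --string ´facebook´ --algo bm -j DROP
iptables -I FORWARD -m string --string ´twitter´ --algo bm -j DROP
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
"""

SAFE = set(string.ascii_letters + string.digits + "-_./:,")

def quote(arg: str) -> str:
    """Double-quote an argument unless it is plain; iptables-restore reads "..."."""
    return arg if set(arg) <= SAFE else '"' + arg.replace('"', '\\"') + '"'

def commands_to_restore(text: str) -> str:
    """Convert 'iptables ...' lines into iptables-restore input. -P records a
    policy, -A appends, -I (no position given) inserts at the top of the chain."""
    tables = {}  # table -> (policies per chain, rule lines per chain)
    for line in text.splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] != "iptables":
            continue
        args = argv[1:]
        table = "filter"
        if args[:1] == ["-t"]:
            table, args = args[1], args[2:]
        policies, chains = tables.setdefault(table, ({}, {}))
        op, chain, rest = args[0], args[1], args[2:]
        if op == "-P":
            policies[chain] = rest[0]
        elif op in ("-A", "-I"):
            rule = "-A %s %s" % (chain, " ".join(quote(a) for a in rest))
            lst = chains.setdefault(chain, [])
            lst.insert(0 if op == "-I" else len(lst), rule)
        else:
            raise ValueError("unsupported iptables operation: " + line)
    out = []
    for table, (policies, chains) in tables.items():
        out.append("*" + table)
        for chain in dict.fromkeys(list(policies) + list(chains)):
            # '-' leaves a built-in chain's policy unchanged (or declares a user chain)
            out.append(":%s %s [0:0]" % (chain, policies.get(chain, "-")))
        for rules in chains.values():
            out.extend(rules)
        out.append("COMMIT")
    return "\n".join(out) + "\n"
```

Feed the result to a single iptables-restore call; because iptables-restore flushes each table it rewrites, re-running the loader does not stack duplicate copies of the nat rules the way the dump in #3 shows.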