LinuxQuestions.org
Old 02-04-2009, 07:07 AM   #1
PossumJerky
LQ Newbie
 
Registered: Nov 2005
Posts: 7

Rep: Reputation: 0
Some iptables rules are not working on Ubuntu 8.10 server


On Ubuntu 8.10 server, I want to deny any attempt of a connection by the server to any other host on the home network. This includes PING as well. I set up a number of rules through ufw, enabled it and rebooted, and I can still connect to other machines. In the following output from ufw status, 172.25.25.211 is Ubuntu and 172.25.25.16 is the other host. I can still communicate between the two on port 80 and by ICMP, and I believe that ufw/iptables is working because the two statements concerning ports 22 and 80 take effect.

To             Action  From
--             ------  ----
22/tcp         ALLOW   Anywhere
80/tcp         ALLOW   Anywhere
172.25.25.16   DENY    172.25.25.211
172.25.25.211  DENY    172.25.25.16
Anywhere       DENY    172.25.25.16

Saved iptables rules:

# Generated by iptables-save v1.4.0 on Tue Feb 3 23:15:19 2009
*filter
:INPUT DROP [107:9343]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [840:50760]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-not-local - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: "
-A ufw-after-forward -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j RETURN
-A ufw-after-input -p udp -m udp --dport 138 -j RETURN
-A ufw-after-input -p tcp -m tcp --dport 139 -j RETURN
-A ufw-after-input -p tcp -m tcp --dport 445 -j RETURN
-A ufw-after-input -p udp -m udp --dport 67 -j RETURN
-A ufw-after-input -p udp -m udp --dport 68 -j RETURN
-A ufw-after-input -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: "
-A ufw-after-input -j RETURN
-A ufw-after-output -j RETURN
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-forward -j RETURN
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-input -j RETURN
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-before-output -j RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: "
-A ufw-not-local -j DROP
-A ufw-user-forward -j RETURN
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -s 172.25.25.211/32 -d 172.25.25.16/32 -j DROP
-A ufw-user-input -s 172.25.25.16/32 -d 172.25.25.211/32 -j DROP
-A ufw-user-input -s 172.25.25.16/32 -j DROP
-A ufw-user-input -j RETURN
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT]: "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A ufw-user-output -j RETURN
COMMIT

What am I overlooking?

Thanks
 
Old 02-04-2009, 07:47 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by PossumJerky
On Ubuntu 8.10 server, I want to deny any attempt of a connection by the server to any other host on the home network. This includes PING as well.
The simplest way to achieve this is probably:
Code:
iptables -I OUTPUT -o $LAN_IFACE -d $LAN_NET -m state --state NEW -j REJECT
Based on that, I believe the essence of your issue is that you are using the INPUT chain instead of the OUTPUT one.

Last edited by win32sux; 02-04-2009 at 07:53 AM.
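A mechanical check for the mistake win32sux points out, added here as an example that is not part of either post. It parses an iptables-save dump, follows the -j jumps out of the built-in INPUT and OUTPUT chains, and flags any DROP/REJECT rule whose source (-s) is one of the host's own addresses but which sits on a chain reachable only from INPUT. Such a rule can only ever match the host talking to itself; packets the host sends to 172.25.25.16 traverse OUTPUT, which never enters ufw-user-input. The sample dump is a constructed, trimmed copy of the one in post #1; the host address 172.25.25.211 is taken from the post; the function and variable names are my own.

```python
"""Flag egress-intended DROP/REJECT rules that were placed on the INPUT path.

Added example, not from the thread. It assumes the iptables-save text format
shown in post #1 and that the host's own IPv4 addresses are supplied by the
caller (here 172.25.25.211, the Ubuntu server from the post).
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample: a trimmed copy of the dump in the post. The three DROP
# rules in ufw-user-input are the ones the poster expected to block outbound
# traffic; only INPUT (via ufw-before-input) ever jumps to that chain.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [107:9343]
:OUTPUT ACCEPT [840:50760]
:ufw-before-input - [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-input
-A OUTPUT -j ufw-user-output
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -s 172.25.25.211/32 -d 172.25.25.16/32 -j DROP
-A ufw-user-input -s 172.25.25.16/32 -d 172.25.25.211/32 -j DROP
-A ufw-user-input -s 172.25.25.16/32 -j DROP
-A ufw-user-input -j RETURN
-A ufw-user-output -j RETURN
COMMIT
"""

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}
RULE_RE = re.compile(r"^-A (\S+)(.*)$")
# Match -s/-d/-j/-i/-o only as whole options, never the "-d" inside "--dport".
OPT_RE = re.compile(r"(?<!\S)(-[sdjio]) (\S+)")


def parse_rules(dump: str) -> List[Dict[str, Optional[str]]]:
    """Turn '-A chain ...' lines into dicts with chain, src, dst, target, raw."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # table header, chain policy line, COMMIT, comment
        chain, rest = m.groups()
        opts = dict(OPT_RE.findall(rest))
        rules.append({"chain": chain, "src": opts.get("-s"),
                      "dst": opts.get("-d"), "target": opts.get("-j"),
                      "raw": line})
    return rules


def chains_reachable_from(rules, builtin: str) -> Set[str]:
    """Follow -j jumps from a builtin chain to every user chain it can enter."""
    jumps: Dict[str, List[str]] = {}
    for r in rules:
        if r["target"] and r["target"] not in TERMINAL_TARGETS:
            jumps.setdefault(r["chain"], []).append(r["target"])
    seen, stack = {builtin}, [builtin]
    while stack:
        for nxt in jumps.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def _bare(addr: Optional[str]) -> Optional[str]:
    """Strip a /prefix so '172.25.25.211/32' compares equal to '172.25.25.211'."""
    return addr.split("/")[0] if addr else None


def find_misplaced_egress_rules(dump: str, local_addrs: Set[str]) -> List[str]:
    """Return DROP/REJECT rules whose -s is this host's own address but which
    live only on the INPUT path. INPUT sees packets addressed *to* this host,
    so the rule cannot match traffic the host originates."""
    rules = parse_rules(dump)
    on_input = chains_reachable_from(rules, "INPUT")
    on_output = chains_reachable_from(rules, "OUTPUT")
    return [r["raw"] for r in rules
            if r["target"] in ("DROP", "REJECT")
            and _bare(r["src"]) in local_addrs
            and r["chain"] in on_input and r["chain"] not in on_output]


def suggest_output_rule(raw_rule: str) -> str:
    """Rewrite a flagged rule in the shape the reply recommends: refuse only
    NEW connections leaving via OUTPUT towards that destination."""
    m = RULE_RE.match(raw_rule)
    dst = dict(OPT_RE.findall(m.group(2))).get("-d", "0.0.0.0/0")
    return f"iptables -I OUTPUT -d {dst} -m state --state NEW -j REJECT"


if __name__ == "__main__":
    for bad in find_misplaced_egress_rules(SAMPLE_DUMP, {"172.25.25.211"}):
        print("misplaced:", bad)
        print("  try:    ", suggest_output_rule(bad))
```

Run against the full dump from post #1, the check flags exactly one rule, the `-s 172.25.25.211/32 -d 172.25.25.16/32 -j DROP` line in ufw-user-input, and prints the OUTPUT-chain equivalent. Rule order explains the rest of what the poster saw: in that dump the ACCEPTs for ports 22 and 80 come before the DENY from 172.25.25.16, so inbound port-80 traffic from that host is accepted before the DENY is ever evaluated.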