Old 09-02-2016, 03:16 AM   #1
Arzach
LQ Newbie
 
Registered: Apr 2016
Location: Firenze, Italy
Distribution: Debian
Posts: 8

Rep: Reputation: Disabled
UFW firewall setup


Hi, I'm building a Linux gateway/firewall based on Debian jessie. I'm using ufw because I'm not familiar with the iptables syntax. I have two network interfaces: eth0 (LAN) and eth1 (WAN) on a server machine, and at least one PC connected to the LAN. I enable the firewall on the server and see the status:

Code:
root@backup:~# ufw enable 
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
root@backup:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing)
New profiles: skip
So all the ports, both incoming and outgoing, should be closed. Then I try:

Code:
root@backup:~# ping www.google.com                                                                                        
ping: unknown host www.google.com
All seems to work according to the rules I used.

But if I try to open a web browser and navigate, or ping from a terminal, from a PC located in the LAN, all communication is allowed: I can open the web page or ping.

Where did I go wrong in setting up the firewall?
 
Old 09-02-2016, 11:17 AM   #2
HMW
Member
 
Registered: Aug 2013
Location: Sweden
Distribution: Debian, Arch, Red Hat, CentOS
Posts: 773
Blog Entries: 3

Rep: Reputation: 369
Edit II:

Ok... first of all, have you checked that everything works as expected with ufw disabled? In other words, is your Debian box in fact acting as a router/gateway?

Last edited by HMW; 09-02-2016 at 11:25 AM.
 
Old 09-02-2016, 02:43 PM   #3
Arzach
LQ Newbie
 
Registered: Apr 2016
Location: Firenze, Italy
Distribution: Debian
Posts: 8

Original Poster
Rep: Reputation: Disabled
Yes, that was the first thing I did. I disabled ufw and checked that the Debian box works as a gateway/router.
 
Old 09-02-2016, 11:55 PM   #4
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

Rep: Reputation: Disabled
Since you are using UFW and are not that conversant with iptables I will do what I can with UFW only. First, I assume you have gufw installed. If not, please install it for simplicity's sake (sudo apt-get install gufw). When it is installed, open a terminal window and enter sudo gufw. That should open the GUI. When that is open, be sure status is shown as ON. Then let us know what the Incoming and Outgoing boxes show. Next, click on Rules and let us know what rules (exactly as shown) are listed. That will give us a starting point.
 
Old 09-04-2016, 01:18 PM   #5
Arzach
LQ Newbie
 
Registered: Apr 2016
Location: Firenze, Italy
Distribution: Debian
Posts: 8

Original Poster
Rep: Reputation: Disabled
Quote:
First, I assume you have gufw installed. If not, please install it
Unfortunately I cannot install gufw because no desktop environment is installed on the Debian box.

Quote:
When that is open, be sure status is shown as ON.
Again from terminal I have:

Code:
root@backup:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing)
New profiles: skip

Last edited by Arzach; 09-04-2016 at 01:19 PM. Reason: code formatting
 
Old 09-04-2016, 01:55 PM   #6
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

Rep: Reputation: Disabled
OK. This may be a little more complicated because ufw sets up many chains but we'll work through it. If you are logged in as root, run the command 'iptables -L -v -n --line-numbers > rules' (without the quotes, of course). If not running as root run 'sudo . . . .' so that command will be run as root. Look in the file 'rules' and see if anything stands out to you. If not, and nothing probably will if you are uncomfortable with iptables, then edit the file to remove all chains that have no rule in them and post the result. And, as a side note, if you are trying to build a firewall it would be very advisable to become proficient in using iptables as we go along. For what you are trying to do you will find it almost a necessity to work directly with iptables.

A chain in the file will start with a line beginning with the word Chain, a name such as INPUT and information in parentheses. The next line will be a column header line, and then lines of rules (if there are any), a blank line and the first line of the next chain (or the end of the file). An empty chain will appear as
Chain . . . .
num . . . .

Chain . . . . (this line is not part of the chain but is the start of the next chain).

I am having each rule in the list numbered for easy reference later. The numbers restart at 1 at the beginning of each chain.

Also, go ahead and read the man page (man iptables) to start getting acquainted. It will begin to make sense as we work on this. The -L, -v, -n and --line-numbers should make some sense now and the > rules is simply redirecting the output to the file rules instead of to STDOUT.
 
Old 09-05-2016, 09:10 AM   #7
Arzach
LQ Newbie
 
Registered: Apr 2016
Location: Firenze, Italy
Distribution: Debian
Posts: 8

Original Poster
Rep: Reputation: Disabled
Quote:
if you are trying to build a firewall it would be very advisable to become proficient in using iptables as we go along. For what you are trying to do you will find it almost a necessity to work directly with iptables.
I have started to study the iptables syntax!

These are the results of
Code:
iptables -L -v -n --line-numbers

(Too many lines for my newbie eyes....)

Code:
Chain INPUT (policy DROP 4 packets, 200 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      82M  120G ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2      82M  120G ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3     251K   29M ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
4     120K   14M ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
5     120K   14M ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
6     120K   14M ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 2677 packets, 968K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      28M   27G ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2      28M   27G ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3      28M   27G ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
4      28M   27G ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
5      28M   27G ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      42M 2302M ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2      42M 2302M ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3    83830   12M ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
4    83830   12M ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
5    83830   12M ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
6    83830   12M ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    53384 4195K ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
2    11560 2651K ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
3        0     0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
4       56  2688 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
5      115 37730 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
6        0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
7    27565 3385K ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     3304  222K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-before-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     336K  165M ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        1    76 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
2      81M  120G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
5        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
6        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
7        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
8        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
9      168 11424 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
10       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
11   98939   11M ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
12    2937  395K ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
13       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
14   96002   10M ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        1    76 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
2      42M 2290M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3     7273  697K ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-logging-allow (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID limit: avg 3/min burst 10
2        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     3450  248K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
2     2937  395K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
3    92552   10M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
4        0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
5        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-forward (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-input (7 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    92680   10M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-track-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        9   540 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
2     7261  696K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain ufw-user-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:22

Chain ufw-user-limit (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
2        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:80
 
Old 09-05-2016, 10:14 AM   #8
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

Rep: Reputation: Disabled
This is about what I expected and is not at all what you think it is doing. First, you said the policies for the INPUT and OUTPUT chains were both DROP. If you look at those chains you will see that INPUT is indeed DROP. However, OUTPUT is ACCEPT, which is what one would normally expect. Also, and this may be critical, the policy for FORWARD is ACCEPT. This means anything intended for a computer on the LAN is going to be accepted and passed on unless it meets one of the criteria in the rules in that chain. And, as a matter of fact, if you look at a packet as it goes through the forward chain at no point is there a DROP target unless one of the chains not listed has a drop rule in it.

I think where you stand is that you need much more than can be provided through a forum such as this. But all is not lost. Go to the home site for iptables and work through some of their HOW-TOS. For general orientation, look at http://www.linuxhomenetworking.com/w...Using_iptables. Now the real question is why are you trying to build a gateway firewall? If it is for learning purposes, go for it. If it is for actual use you may be wasting your time. There are a number of very good ones out there. If you really want to build one, though, I would suggest you get a prebuilt, install it, and then go through it bit by bit and see what they do and figure out why. Then perhaps you can build your own. I use IPCOP and am quite pleased with it. It has some quirks, but so do they all. IPCOP installation can be a little confusing the first time, but after that it is quick and easy. If you are going to install it, first figure out what your ethernet cards are, the chipsets they use, and whether they are connected to the internet side or to the lan side. You will need to identify them by name during installation. Of course if you guess and guess wrong no big deal. You can go back and change. Once you understand what it is doing and it has served its purpose you can dump it and reinstall Debian or whatever and build your own.

Good luck. And believe me, any effort you put into learning iptables will pay off. Any firewall I know of for Linux uses iptables. If you are moderately proficient with iptables then that puts you in control and you can get any firewall (even UFW) to do EXACTLY what you want it to.
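The two pieces of work in this thread, post #6's request to dump the chains and edit out the empty ones, and post #8's observation that FORWARD has policy ACCEPT with no DROP target anywhere on its path, can both be done mechanically. The script below is an added example by the editor, not code from any participant in the thread or from the ufw project. It parses the `iptables -L -v -n --line-numbers` layout shown in the thread, strips empty chains, and walks the jumps out of a built-in chain to report whether anything on that path can refuse a packet. The SAMPLE text is constructed in the thread's format with illustrative counters, and the function names are this example's own.

```python
"""Parse `iptables -L -v -n --line-numbers`, drop empty chains, and audit a
built-in chain for reachable DROP/REJECT rules.  Editor's example, not from
the thread; SAMPLE is constructed and the helper names are assumptions."""
import re
import sys

# Constructed listing in the layout the thread shows: 7 chains, 3 of them
# empty, FORWARD with policy ACCEPT and no refusing rule on its path.
SAMPLE = """\
Chain INPUT (policy DROP 4 packets, 200 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      82M  120G ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 2677 packets, 968K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      28M   27G ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2      28M   27G ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3      28M   27G ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-after-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     336K  165M ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        1    76 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      81M  120G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID

Chain ufw-reject-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)")
# Targets that end or continue traversal without jumping into a user chain.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}


def parse_chains(text):
    """Return {chain_name: {"policy": str or None, "rules": [dict, ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:  # "Chain NAME (policy X ...)" or "Chain NAME (N references)"
            pol = re.match(r"policy (\w+)", m.group(2))
            current = {"policy": pol.group(1) if pol else None, "rules": []}
            chains[m.group(1)] = current
            continue
        if current is None or not line.strip() or line.startswith("num"):
            continue
        # Columns: num pkts bytes target prot opt in out source destination [match text]
        parts = line.split(None, 10)
        if len(parts) < 10:
            continue
        current["rules"].append({
            "num": int(parts[0]), "target": parts[3], "prot": parts[4],
            "in": parts[6], "out": parts[7], "src": parts[8], "dst": parts[9],
            "extra": parts[10].strip() if len(parts) > 10 else "",
        })
    return chains


def strip_empty_chains(text):
    """Drop chains that have only the 'Chain' and column-header lines (the
    hand edit post #6 asks for before posting the listing)."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return "\n\n".join(b for b in blocks if len(b.strip().splitlines()) > 2) + "\n"


def find_terminators(chains, name, seen=None):
    """Collect every DROP/REJECT rule reachable from `name` by following
    jumps into user-defined chains; each chain is walked once."""
    seen = set() if seen is None else seen
    if name in seen or name not in chains:
        return []
    seen.add(name)
    found = []
    for r in chains[name]["rules"]:
        if r["target"] in ("DROP", "REJECT"):
            found.append((name, r["num"], r["target"], r["extra"]))
        elif r["target"] not in BUILTIN_TARGETS:
            found.extend(find_terminators(chains, r["target"], seen))
    return found


def audit_chain(chains, name):
    """Policy of a built-in chain plus the refusing rules on its path;
    'wide_open' means policy ACCEPT and nothing reachable can refuse."""
    policy = chains[name]["policy"]
    drops = find_terminators(chains, name)
    return {"policy": policy, "drop_points": drops,
            "wide_open": policy == "ACCEPT" and not drops}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    table = parse_chains(text)
    print(strip_empty_chains(text))
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if chain in table:
            print(chain, audit_chain(table, chain))
```

Run it as `python3 audit.py rules` against the file produced in post #6, or with no argument to use the constructed sample. On the sample, INPUT reports policy DROP with one reachable DROP (the `state INVALID` rule in ufw-before-input), while FORWARD reports policy ACCEPT with no drop points at all, which is exactly the situation post #8 describes: a LAN host's traffic is forwarded unless a rule somewhere on that path refuses it. On a ufw host the FORWARD policy is set by DEFAULT_FORWARD_POLICY in /etc/default/ufw; the audit shows whether an ACCEPT there is backed by any refusing rule.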
 
  

