LinuxQuestions.org
02-04-2015, 06:20 PM   #1
rbees (Distribution: Debian Squeeze, Wheezy, Jessie)
dropping all traffic iptables


Will this script do what is described in it?
Code:
#!/bin/bash
#--------------------------------------------------
# Script to flush all existing firewall rules and limit all traffic to the online stream
# and the Shabbat service stream.  There may be as much as 12 hours before the normal cron
# job that reloads the droplist from Spamhaus.org kicks in and downloads the new list as
# the currently used list may be 37 hours old.
#
# We need to make this script run 21 minutes prior to sundown, probably with an "at" job.
# Currently it is called by another script at the proper time.

# First we need to stop Arno Iptables Firewall with something like.

/etc/init.d/arno-iptables-firewall stop

# not sure that is correct since the adoption of systemd by debian.

# Second I think I need to flush all the existing rules with something like.

iptables --flush

# Then we need to build the new rule set for the coming Shabbat.  Since we only
# want to allow traffic to and from the online radio stream and the online service I think
# we should do something like this.

iptables -I FORWARD -s 216.118.106.247 -j ALLOW
iptables -I FORWARD -s s2.voscast.com -j ALLOW
iptables -I INPUT -d 216.118.106.247 -j ALLOW
iptables -I INPUT -d s2.voscast.com -j ALLOW
iptables -I OUTPUT -s 216.118.106.247 -j ALLOW
iptables -I OUTPUT -s s2.voscast.com -j ALLOW
iptables  INPUT -s eth1 -j DROP
iptables  FORWARD -s eth1 -j DROP
iptables  OUTPUT -s eth1 -j DROP
iptables  INPUT -s eth0 -j DROP
iptables  FORWARD -s eth0 -j DROP
iptables  OUTPUT -s eth0 -j DROP
iptables  INPUT -s eth2 -j DROP
iptables  FORWARD -s eth2 -j DROP
iptables  OUTPUT -s eth2 -j DROP

# After the Shabbat is over we need to restart the firewall with something like.
# Scheduled to run at 45 minutes after sundown with an "at" job.
# Also called by another script at the proper time.

/etc/init.d/arno-iptables-firewall start

# not sure that is correct since the adoption of systemd by debian.  I want long term
# durability.
Thanks
 
02-06-2015, 08:39 AM   #2
wildwizard (Distribution: slackware64-14.0)
That set of rules makes no sense at all

The usage of -I in that form gives a rule set that is the opposite of what is written in the script, bad for readability and thus bad for debugging.

This combination of rules makes no sense at all
Code:
iptables -I FORWARD -s 216.118.106.247 -j ALLOW
iptables -I INPUT -d 216.118.106.247 -j ALLOW
The -d on the INPUT chain implies that address is local to the machine so why would it appear in the FORWARD chain as well?
Using -d on INPUT rules is also not normal so perhaps you meant -s, with the opposite problem on the OUTPUT chain.

The massive list of DROP rules would be better managed by setting the policy of each chain to DROP, makes for better readability and easier debugging.

Also you should read this as it will help you work out where the packets go and thus which chains need rules to handle them :-
http://www.netfilter.org/documentati...g-HOWTO-6.html
 
02-06-2015, 10:22 AM   #3
rbees (Original Poster)
Thanks wildwizard,

Quote:
The usage of -I in that form gives a rule set that is the opposite of what is written in the script, bad for readability and thus bad for debugging.
My understanding is that the -I switch inserts the rule into the list of rules to be acted on.

So
Code:
iptables -I FORWARD -s 216.118.106.247 -j ALLOW
would insert the rule into the forwarding chain so that a packet with the specified source address would cause a jump to the allow chain, thereby forwarding the packet to the correct internal host.

Quote:
The -d on the INPUT chain implies that address is local to the machine so why would it appear in the FORWARD chain as well?
My understanding is that the -d switch identifies the destination of the packet. Since this script is to run on the external host/firewall my thinking was that it needed to be there. Clearly I don't understand what I am trying to do. I was just trying to cover all the bases so that the packets would get to the internal host they are supposed to.

Quote:
The massive list of DROP rules would be better managed by setting the policy of each chain to DROP, makes for better readability and easier debugging
If you are referring to the list from spamhaus.org that is already taken care of by Arno's Iptables Firewall via a separate script. It is only mentioned in the comments so I don't forget about it.

Guess I have some reading to do. Maybe this old dog can actually learn a new trick this time.
 
02-06-2015, 04:14 PM   #4
Miati (Distribution: Linux Mint 17.*)
Quote:
My understanding is that the -I switch inserts the rule into the list of rules to be acted on
Code:
iptables -I FORWARD -s 216.118.106.247 -j ALLOW
While -I is meant to insert a rule into the table, it's not designed for normal appending.

If you have 5 rules in INPUT and you want to append a rule above rule 4 you would use insert.

Code:
iptables -I INPUT 4 rules -j ACCEPT
Normally if you are just appending rules to a chain

Code:
iptables -A INPUT rules -j ACCEPT
Quote:
Guess I have some reading to do. Maybe this old dog can actually learn a new trick this time.
This is a nice comprehensive overview of iptables. It's quite a read but it's got a lot of good info.
https://www.frozentux.net/iptables-tutorial/chunkyhtml/

Last edited by Miati; 02-06-2015 at 04:25 PM.
 
02-06-2015, 04:38 PM   #5
rbees (Original Poster)
Thanks Miati

Been working on the rules and now I have
Code:
# Traffic to and from internal hosts?
iptables -A FORWARD -s 216.118.106.247 -j ALLOW
iptables -A FORWARD -s s2.voscast.com -j ALLOW

# Traffic specific to external host/firewall
iptables -A INPUT -s 216.118.106.247 -j ALLOW
iptables -A INPUT -s s2.voscast.com -j ALLOW
iptables -A OUTPUT -d 216.118.106.247 -j ALLOW
iptables -A OUTPUT -d s2.voscast.com -j ALLOW

# Change default policy to drop all traffic
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# And just for those rude dudes
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
 
02-06-2015, 06:11 PM   #6
Miati
Code:
iptables -P INPUT DROP
...

# And just for those rude dudes
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
By definition of a Drop Policy, if it is not explicitly listed to be accepted (or sent to another chain or rejected) it is dropped.

It's a little like saying A & B is allowed, but C is not allowed, even though if you never mentioned C, it would not be allowed anyway.
It doesn't harm your security, but is redundant when the default policy is drop.

As for this:
Code:
iptables -P OUTPUT DROP
Be prepared for headaches. Do you know what ips/ports are used on outgoing connections? Cause you'll now need to specify ALL of them.
Otherwise it'll be dropped and all your connections will be left hanging. Not much fun.

Also, sometimes connections need to make new connections to work. This will prevent existing or related connections from being dropped
Code:
iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
I greatly suggest reading the link I provided before. At least read sections 7 to 11. Going through what makes up iptables is well worth the effort in the long run.

Last edited by Miati; 02-06-2015 at 06:34 PM.
 
02-08-2015, 06:24 AM   #7
rbees (Original Poster)
Thanks,

I figured that the "rude dude" rules were redundant but rude dudes are offensive and I wanted to be sure they couldn't get in.

Quote:
Be prepared for headaches. Do you know what ips/ports are used on outgoing connections? Cause you'll now need to specify ALL of them. Otherwise it'll be dropped and all your connections will be left hanging.. Not much fun.
The ips that are listed are the ones that nslookup reports. I do know that one of the audio streams comes from a different ip when it is running. I would imagine that the other does the same thing. So if I understand correctly
Code:
iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
will make it so that the connection to the second ip will be established and allowed, making the stream function correctly.

I was unclear as to whether the conntrack needed to be in the FORWARD chain or not. Most of the time the streams will be in that chain and not local to the external host/firewall.

It occurs to me that it would be a good idea to have one rule that will allow a specific internal host to access the external host during the 25 hour rest day. Just in case as the external host is in a less than convenient place. With that in mind I think something like
Code:
iptables -A INPUT -s 192.168.1.104 -j ALLOW
should do the trick and give the internal host access.

So with all that I have a new rule set
Code:
# Traffic to and from internal hosts?
iptables -A FORWARD -s 216.118.106.247 -j ALLOW
iptables -A FORWARD -s 198.178.123.5 -j ALLOW
iptables -A FORWARD -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Traffic specific to external host/firewall
iptables -A INPUT -s 216.118.106.247 -j ALLOW
iptables -A INPUT -s 198.178.123.5 -j ALLOW
iptables -A INPUT -s 192.168.1.104 -j ALLOW
iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d 216.118.106.247 -j ALLOW
iptables -A OUTPUT -d 198.178.123.5 -j ALLOW

# Change default policy to drop all traffic
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
The only other issue, if the above is now correct that is, is how to get root for this part of the process. The script that calls this one runs as a normal user. I looked into this once before but don't remember where or what I found out.

Thanks again
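One way to write the rule set this thread converges on with the points from the replies applied (append with -A, match -s on INPUT and -d on OUTPUT, conntrack in every chain, DROP policies instead of DROP lists); this is an added example, not rbees's script or Arno's firewall, and the interface names, admin host and stream addresses are assumptions taken from the thread to be adjusted on the real box.

```shell
#!/bin/bash
# Added example, not the thread's script: the Shabbat allow-list rebuilt with the
# corrections raised above. Interface names, the admin host and the stream
# addresses are assumptions taken from the thread; adjust them to the real site.
IPT="${IPT:-iptables}"           # run with IPT=echo to print the rules instead of loading them
WAN="${WAN:-eth0}"               # interface towards the Internet (assumption)
LAN="${LAN:-eth1}"               # interface towards the internal hosts (assumption)
ADMIN="${ADMIN:-192.168.1.104}"  # internal host that keeps access to the firewall itself
STREAMS="${STREAMS:-216.118.106.247 198.178.123.5}"  # addresses, not hostnames (a name is resolved once, at insert time)

build_rules() {
    # "iptables --flush" empties the filter table's built-in chains but leaves
    # user-defined chains; remove those too. The nat table (masquerading for the
    # LAN) is left alone on purpose, the internal hosts still need it.
    $IPT -F
    $IPT -X
    # -A appends in order; -I would prepend and reverse the reading order.
    # Accept rules go in first and the DROP policies last, so a remote session
    # running this script is not cut off halfway through.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for c in INPUT OUTPUT FORWARD; do
        $IPT -A "$c" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        $IPT -A "$c" -m conntrack --ctstate INVALID -j DROP
    done
    # The admin host is accepted only when it arrives on the LAN interface, so
    # the same source address spoofed from the WAN side does not match.
    $IPT -A INPUT -i "$LAN" -s "$ADMIN" -j ACCEPT
    # Direction-aware rules: -d on OUTPUT, -i/-o plus -d on FORWARD. The thread's
    # "-j ALLOW" is not a target; the built-in one is ACCEPT. Replies from the
    # servers match the ESTABLISHED rule, so no "-s server" INPUT rules are needed.
    for ip in $STREAMS; do
        $IPT -A FORWARD -i "$LAN" -o "$WAN" -d "$ip" -j ACCEPT
        $IPT -A OUTPUT -o "$WAN" -d "$ip" -j ACCEPT
    done
    # With OUTPUT DROP the firewall itself can no longer resolve names or fetch
    # the Spamhaus list until the regular firewall is restarted; that is intended here.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

case "${1:-}" in
    load)    build_rules ;;
    dry-run) IPT=echo build_rules ;;
    *)       echo "usage: $0 load|dry-run" >&2 ;;
esac
```

A stream that hands the client over to a second server is a new connection and needs its own -d rule; the conntrack rule only covers replies and related flows of connections already accepted. Loading rules requires root, so the unprivileged calling script would normally hand this off to a root-owned at or cron job, or to a sudoers entry limited to this one command.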
 
  

