LinuxQuestions.org
Old 04-18-2003, 11:54 AM   #1
Kinstonian
LQ Newbie
 
Registered: Mar 2002
Posts: 29

Rep: Reputation: 15
iptables rules aren't working


For some reason I am still able to surf the net when iptables is set to drop UDP traffic. DNS is UDP and UDP is stateless, so I don't know how I am able to use domain names. What's going on? The rules are listed when I type iptables -L...

#!/bin/sh
# Firewall script for a single host on the LAN (no forwarding is allowed).
LAN_IP="192.168.5.4"
LAN_BROADCAST_ADDRESS="192.168.5.255"
LAN_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"
#WORMPORTS="31337,33270,1234,6711,16660,60001,12345,12346,1524,27665,27444,31335,6000,6001,6002"
IPTABLES="/sbin/iptables"
# Load the netfilter modules (ipt_state pulls in connection tracking itself).
/sbin/modprobe ip_tables
#/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
echo "Clearing Tables..."
# Flush all rules, delete user-defined chains and zero the counters.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
echo "Setting Policies & Chains..."
# Default to DROP on every built-in chain, then create the helper chains.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -N bad_tcp_packets
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
echo "Specifying Rules for Chains..."
# bad_tcp_packets: reject or drop TCP packets that claim to be NEW but are not SYN.
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#$IPTABLES -A bad_tcp_packets -p tcp -m multiport --dport $WORMPORTS -j DROP
# tcp_packets / udp_packets: drop everything; icmp_packets: allow echo request and TTL exceeded.
$IPTABLES -A tcp_packets -p tcp -s 0/0 -j DROP
$IPTABLES -A udp_packets -p udp -s 0/0 -j DROP
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
echo "INPUT Table Rules..."
# INPUT is walked top to bottom: sanity checks, loopback, tracked replies, then per-protocol chains.
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
$IPTABLES -A INPUT -p all -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p all -i $LO_IFACE -s 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -p all -d $LAN_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $LAN_IFACE -j tcp_packets
$IPTABLES -A INPUT -p udp -i $LAN_IFACE -j udp_packets
$IPTABLES -A INPUT -p icmp -i $LAN_IFACE -j icmp_packets
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
echo "OUTPUT Table Rules..."
# OUTPUT: anything sourced from loopback or the LAN address may leave.
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p all -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p all -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
echo "Done."

Last edited by Kinstonian; 04-18-2003 at 03:03 PM.
 
Old 04-19-2003, 02:05 AM   #2
Sutekh
Member
 
Registered: Apr 2002
Location: Melbourne, Australia
Distribution: Gentoo
Posts: 273

Rep: Reputation: 30
Well, having had just a quick look, you are saying that any established connection will be accepted, so if you made the UDP connection then it will pass. Remember the rules run in order, so if you want to drop things first and only let them through if they have met certain conditions, then put that state rule at the end of one of your home-made chains.
 
Old 04-19-2003, 05:49 PM   #3
Kinstonian
LQ Newbie
 
Registered: Mar 2002
Posts: 29

Original Poster
Rep: Reputation: 15
Thanks, you're right, the established or related rule should be at the bottom... But isn't UDP stateless, without any established or related states like TCP has? Shouldn't UDP traffic be dropped since it wouldn't be affected by that state rule?

Edit: If something is accepted, it doesn't get filtered through any other chains?

Last edited by Kinstonian; 04-19-2003 at 06:53 PM.
 
Old 04-19-2003, 07:20 PM   #4
Sutekh
Member
 
Registered: Apr 2002
Location: Melbourne, Australia
Distribution: Gentoo
Posts: 273

Rep: Reputation: 30
UDP is called stateless (or connectionless) because it does not use sequence numbers. It can still be tracked, however, by the iptables connection tracking module.

There is still a reply needed on a particular socket (IP/port pair) and there are still timeouts for this connection.

In your case we can still tell if the connection originated from your machine and therefore pass the rule that checks if the connection is considered established.

Check out your /proc/net/ip_conntrack file for some examples of the sort of information the connection tracking module gets for each connection.

Last edited by Sutekh; 04-19-2003 at 07:22 PM.
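Sutekh's two points (rules are walked in order, and conntrack tracks UDP as an IP/port pair with a timeout, so the DNS reply arrives as ESTABLISHED and is accepted by the ESTABLISHED,RELATED rule in INPUT before the udp_packets chain is ever reached) as an added example that is not part of the thread: a small Python parser for the /proc/net/ip_conntrack format he refers to, run over constructed sample lines, with the state lookup that decides which rule a packet hits first.

```python
import re
from dataclasses import dataclass

# Constructed sample of /proc/net/ip_conntrack (2.4-era layout): protocol name,
# protocol number, seconds left before the entry expires, the original tuple,
# [UNREPLIED] until a reply has been seen, the reply tuple, [ASSURED] once the
# tracker trusts the flow enough to keep it under memory pressure.
SAMPLE_CONNTRACK = """\
udp      17 27 src=192.168.5.4 dst=192.168.5.1 sport=32768 dport=53 [UNREPLIED] src=192.168.5.1 dst=192.168.5.4 sport=53 dport=32768 use=1
udp      17 170 src=192.168.5.4 dst=192.168.5.1 sport=32769 dport=53 src=192.168.5.1 dst=192.168.5.4 sport=53 dport=32769 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.5.4 dst=10.0.0.1 sport=1025 dport=80 src=10.0.0.1 dst=192.168.5.4 sport=80 dport=1025 [ASSURED] use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

@dataclass(frozen=True)
class Entry:
    proto: str
    timeout: int
    orig: tuple    # (src, dst, sport, dport) in the direction the flow was opened
    reply: tuple   # the same flow as the far end sends it back
    replied: bool  # False while the entry still shows [UNREPLIED]
    assured: bool

def parse_conntrack(text):
    """Parse ip_conntrack lines into Entry objects; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        orig, reply = [(s, d, int(sp), int(dp)) for s, d, sp, dp in TUPLE_RE.findall(line)]
        entries.append(Entry(fields[0], int(fields[2]), orig, reply,
                             "[UNREPLIED]" not in fields, "[ASSURED]" in fields))
    return entries

def packet_state(entries, proto, src, dst, sport, dport):
    """The -m state value the kernel would give this packet against the table."""
    pkt = (src, dst, sport, dport)
    for e in entries:
        if e.proto != proto:
            continue
        # A packet travelling in the reply direction of any tracked flow, or in
        # the original direction of a flow that has already been answered, is
        # ESTABLISHED. A retransmit of an unanswered query is still NEW.
        if pkt == e.reply or (pkt == e.orig and e.replied):
            return "ESTABLISHED"
    return "NEW"
```

With the table above, the DNS answer from 192.168.5.1:53 back to port 32768 is ESTABLISHED, which is why the fourth INPUT rule in the original script accepts it before the udp_packets DROP is consulted.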
 
Old 04-21-2003, 03:14 PM   #5
Kinstonian
LQ Newbie
 
Registered: Mar 2002
Posts: 29

Original Poster
Rep: Reputation: 15
Thanks man, you're right... I re-read the Iptables Tutorial and it said UDP was stateless and didn't have those states, but it didn't matter because conntrack can handle it like you said. I sort of forgot that part.
 