Hi!
I put together the following filter set:
Code:
#!/bin/sh
###To understand this script, reference the No Starch Press Linux Firewalls Book.
MODPROBE=/sbin/modprobe
IPT=/sbin/iptables
IPTSV=/sbin/iptables-save
IPT6=/sbin/ip6tables
IPT6SV=/sbin/ip6tables-save
### flush / drop policy sets
echo "[+] Flushing existing rules with DEFAULT of DROP [+]"
echo "[+] IPv4 [+]"
$IPT -F
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
echo "[+] IPv6 [+]"
### ip6tables has had a nat table only since kernel 3.7; on older kernels the nat flush prints an error and can be ignored.
$IPT6 -F
$IPT6 -F -t nat
$IPT6 -X
### With DROP policies and no IPv6 rules at all, every IPv6 packet is dropped, including loopback and neighbour discovery.
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP
###Module Loading: many of these may already be loaded. Also, running lsmod will aid in tracking down issues with module loading.
### Kernels since 2.6.20 name these modules nf_conntrack / nf_conntrack_ftp / nf_nat_ftp; the older
### ip_conntrack names used in the book no longer exist, so modprobe of those names fails.
### Note for kernels 4.7 and later: automatic helper assignment is off by default, so loading
### nf_conntrack_ftp is not enough on its own; the helper has to be assigned explicitly with a
### CT target in the raw table (iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp).
echo "[+] Loading modules for state tracking [+]"
$MODPROBE nf_conntrack
$MODPROBE iptable_nat
$MODPROBE nf_conntrack_ftp
$MODPROBE nf_nat_ftp
###INPUT rules: loopback first (nothing below accepts it otherwise), then only ESTABLISHED / RELATED
echo "[+] Setting up INPUT table [+]"
$IPT -A INPUT -i lo -j ACCEPT
### Log INVALID packets with a rate limit so a flood cannot fill the log, then drop them
$IPT -A INPUT -m conntrack --ctstate INVALID -m limit --limit 5/min -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
###INPUT rules: anti-spoofing rules. How to set up anti-spoofing rules on single-homed system.
###INPUT rules: INPUT from internal network, or specific services.
### Use --dports, not --ports: --ports also matches the *source* port, so any packet sent with
### source port 445 would be accepted to any service. Restrict to the LAN as well; the subnet
### below is an example value, set it to your own.
INTERNAL_NET=192.168.1.0/24
$IPT -A INPUT -s $INTERNAL_NET -p tcp -m multiport --dports 137:139,445 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -s $INTERNAL_NET -p udp -m multiport --dports 137:139,445 -j ACCEPT
###INPUT rules: LOG rules. The negation goes before the option ("! -i lo"); "-i ! lo" is rejected by current iptables.
$IPT -A INPUT ! -i lo -m limit --limit 5/min -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
echo "[+] Done [+]"
###OUTPUT rules
echo "[+] Setting up OUTPUT table [+]"
### Loopback first: without this, new connections to local services (e.g. a local resolver) are dropped
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 5/min -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A OUTPUT -m conntrack --ctstate INVALID -j DROP
###OUTPUT rules: Allowed out
$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 21 --syn -m conntrack --ctstate NEW -j ACCEPT
#$IPT -A OUTPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 25 --syn -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 43 --syn -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 4321 --syn -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53 --syn -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
### --dports, not --ports: match the destination port only
$IPT -A OUTPUT -p tcp -m multiport --dports 137:139,445 --syn -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -p udp -m multiport --dports 137:139,445 -j ACCEPT
###OUTPUT rules: LOG rule (rate-limited; "! -o lo" is the current negation syntax)
$IPT -A OUTPUT ! -o lo -m limit --limit 5/min -j LOG --log-prefix "DROPPED OUTBOUND " --log-ip-options --log-tcp-options
I wanted to know how to allow certain APPLICATIONS through the OUTBOUND tables. For example, I wish to be able to use tools such as nmap, tracepath, and traceroute. However, I am not sure where to look to understand the ports to open. I was starting to think that maybe, rather than ports to open, it would need to be something like TCP flags that would need to be allowed. Anyway, I have tried Google and am still having problems.
I started wanting to use these tools due to getting ready for my Network+ and Security+ certs. I would really appreciate the help.
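As an added example, not part of the original post, here is what the outbound rules for those three tools look like when written as functions that extend the rule set above. It assumes the rule set is already loaded, a local group named "scanners" whose members may run nmap (the group name, the probe-port ranges and the IPT override are assumptions, not from the post), and the default probe ports of traceroute and tracepath. Setting IPT to "echo iptables" prints the rules instead of applying them, which is a convenient way to check them before running as root.

```shell
#!/bin/sh
# Added example: per-tool OUTPUT rules to load after the rule set above.
# Assumed, not from the original post: the group name "scanners", the probe
# port ranges below, and the IPT override used for previewing rules.
# Preview:  IPT="echo iptables" sh tool-rules.sh apply
# Apply:    sh tool-rules.sh apply   (as root)
IPT="${IPT:-/sbin/iptables}"
SCAN_GROUP="${SCAN_GROUP:-scanners}"

# traceroute (UDP mode, its default) sends one NEW datagram per probe to a
# rising destination port starting at 33434; 30 hops x 3 probes = 90 ports.
TRACEROUTE_PORTS="33434:33523"
# iputils tracepath does the same from base port 44444, one port per hop.
TRACEPATH_PORTS="44444:44544"

# The replies both tools rely on are ICMP time-exceeded and port-unreachable
# messages. conntrack ties those to the outgoing datagram and marks them
# RELATED, so the INPUT chain above already lets them in; only the outbound
# probe needs a rule. "traceroute -I" (ICMP echo) and "traceroute -T" (TCP
# SYN to port 80) are already covered by the echo-request and port-80 rules.
allow_traceroute() {
    $IPT -A OUTPUT -p udp --dport "$TRACEROUTE_PORTS" -m conntrack --ctstate NEW -j ACCEPT
}

allow_tracepath() {
    $IPT -A OUTPUT -p udp --dport "$TRACEPATH_PORTS" -m conntrack --ctstate NEW -j ACCEPT
}

# iptables cannot match on a program name. The closest thing is the owner
# match, which in the OUTPUT chain matches the uid or gid of the socket that
# produced a locally generated packet; raw sockets count too, so it covers
# nmap's SYN and UDP scans as well as its connect() scans. The rules are
# inserted at the top of OUTPUT (positions 1-3) because some nmap probes,
# such as the bare ACK of "-PA", belong to no connection and are classified
# INVALID; placed after the "DROP INVALID" rule they would never be reached.
allow_nmap_for_group() {
    group="$1"
    $IPT -I OUTPUT 1 -p tcp -m owner --gid-owner "$group" -j ACCEPT
    $IPT -I OUTPUT 2 -p udp -m owner --gid-owner "$group" -j ACCEPT
    $IPT -I OUTPUT 3 -p icmp -m owner --gid-owner "$group" -j ACCEPT
}

apply_tool_rules() {
    allow_traceroute
    allow_tracepath
    allow_nmap_for_group "$SCAN_GROUP"
}

# Only apply when explicitly asked, so the file can also be sourced.
case "${1:-}" in
    apply) apply_tool_rules ;;
esac
```

Two caveats on the nmap part. The owner match sees the credentials of the process that opened the socket, so "sudo nmap" shows up as gid 0, not "scanners"; run it as "sudo -g scanners nmap ..." or give the binary the raw-socket capability with setcap (cap_net_raw, cap_net_admin) so users scan under their own uid and gid. Second, nmap reads the answers to its raw scans through libpcap, which sees packets before the INPUT chain, so INPUT rules never hide scan results; it is only the outbound probes that the OUTPUT chain above can block. After loading, "iptables -L OUTPUT -n -v --line-numbers" should show the three owner rules above the INVALID log rule.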