08-24-2007, 10:08 AM  #1
satimis, Senior Member
Registered: Apr 2003
Posts: 3,695
About iptables rules
Hi folks,
Ubuntu 7.04 lamp server amd64 - Host OS
VMware
Guest OS - not yet installed.
Iptables-1.3.6
$ cat /etc/network/interfaces
Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.10
netmask 255.255.255.0
gateway 192.168.0.1
The browser can connect to the Internet without problem.
After performing the following steps to set up iptables, the Internet connection was blocked.
Edited /etc/rc.local and entered the following rules in it:
Code:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
#exit 0
#
# INPUT
#
# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 22
# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8222
# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8333
# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 902
# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d 192.168.0.10 --reject-with icmp-port-unreachable
#
# OUTPUT
#
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53
# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.10 --reject-with icmp-port-unreachable
# reject all other traffic from the management interface NIC
iptables -I OUTPUT 4 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
$ sudo /etc/init.d/rc.local start
Code:
* Running local boot scripts (/etc/rc.local) [ OK ]
$ sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere 192.168.0.10 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8222
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8333
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:902
REJECT 0 -- anywhere 192.168.0.10 reject-with icmp-port-unreachable
ACCEPT 0 -- anywhere 192.168.0.10 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8222
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8333
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:902
REJECT 0 -- anywhere 192.168.0.10 reject-with icmp-port-unreachable
ACCEPT 0 -- anywhere 192.168.0.10 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8222
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8333
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:902
REJECT 0 -- anywhere 192.168.0.10 reject-with icmp-port-unreachable
ACCEPT 0 -- anywhere 192.168.0.10 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8222
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8333
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:902
REJECT 0 -- anywhere 192.168.0.10 reject-with icmp-port-unreachable
ACCEPT 0 -- anywhere 192.168.0.10 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8222
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8333
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:902
REJECT 0 -- anywhere 192.168.0.1 reject-with icmp-port-unreachable
ACCEPT 0 -- anywhere 192.168.0.10 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- 192.168.0.10 anywhere state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.0.10 anywhere udp dpt:domain
REJECT 0 -- 127.0.0.10 anywhere reject-with icmp-port-unreachable
REJECT 0 -- 192.168.0.10 anywhere reject-with icmp-port-unreachable
ACCEPT 0 -- 192.168.0.10 anywhere state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.0.10 anywhere udp dpt:domain
REJECT 0 -- localhost anywhere reject-with icmp-port-unreachable
REJECT 0 -- 192.168.0.10 anywhere reject-with icmp-port-unreachable
ACCEPT 0 -- 192.168.0.10 anywhere state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.0.10 anywhere udp dpt:domain
REJECT 0 -- localhost anywhere reject-with icmp-port-unreachable
REJECT 0 -- 192.168.0.10 anywhere reject-with icmp-port-unreachable
ACCEPT 0 -- 192.168.0.10 anywhere state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.0.10 anywhere udp dpt:domain
REJECT 0 -- localhost anywhere reject-with icmp-port-unreachable
REJECT 0 -- 192.168.0.10 anywhere reject-with icmp-port-unreachable
ACCEPT 0 -- 192.168.0.10 anywhere state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.0.10 anywhere udp dpt:domain
REJECT 0 -- localhost anywhere reject-with icmp-port-unreachable
REJECT 0 -- 192.168.0.10 anywhere reject-with icmp-port-unreachable
$ ping -c3 yahoo.com
Code:
PING yahoo.com (216.109.112.135) 56(84) bytes of data.
From 192.168.0.10 icmp_seq=1 Destination Port Unreachable
From 192.168.0.10 icmp_seq=1 Destination Port Unreachable
From 192.168.0.10 icmp_seq=1 Destination Port Unreachable
--- yahoo.com ping statistics ---
0 packets transmitted, 0 received, +3 errors
Failed.
I have to run the following command to stop iptables.
$ sudo iptables -F
No complaint.
$ ping -c3 yahoo.com
Code:
PING yahoo.com (216.109.112.135) 56(84) bytes of data.
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=1 ttl=55 time=242 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=2 ttl=54 time=247 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=3 ttl=54 time=246 ms
--- yahoo.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 242.397/245.283/247.256/2.086 ms
The Internet connection then worked.
Please advise where it goes wrong. TIA
B.R.
satimis

08-25-2007, 09:49 AM  #2
LQ Newbie
Registered: Feb 2007
Distribution: Ubuntu 7.10 Mint 4.0
Posts: 23
ok
That's pretty far out, man. I never did iptables like that before. I was reading around and I read you can spend a lifetime on iptables because it's sooo awesome :-))

08-25-2007, 06:10 PM  #3
win32sux, LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
The reason ping doesn't work is because you don't have any OUTPUT rule allowing it (ICMP type 8 packets) - so the ICMP packets run into the last rule and get sent to REJECT.
Quote:
iptables -I OUTPUT 4 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
|
Quote:
PING yahoo.com (216.109.112.135) 56(84) bytes of data.
From 192.168.0.10 icmp_seq=1 Destination Port Unreachable
|
BTW, why are you doing this with inserts instead of appends? It makes it a PITA to make edits.
Last edited by win32sux; 08-25-2007 at 06:39 PM.

08-25-2007, 08:04 PM  #4
satimis, Senior Member (Original Poster)
Registered: Apr 2003
Posts: 3,695
Quote:
Originally Posted by win32sux
The reason ping doesn't work is because you don't have any OUTPUT rule allowing it (ICMP type 8 packets) - so the ICMP packets run into the last rule and get sent to REJECT.
BTW, why are you doing this with inserts instead of appends? It makes it a PITA to make edits.
|
Hi win32sux,
Tks for your advice.
I'm building a Virtual Machine with a LAMP server running on Ubuntu 7.04 amd64 as the Host OS. This VM will be for testing only. I found the following guides on the Internet:
http://searchservervirtualization.te...242833,00.html
and am following them to proceed. VMware is now running on this PC. I haven't installed the Guest OS yet.
The rules posted came from the guides with little modification.
Network connection:
Server -> Router -> DSL Modem -> ISP
The router with 4 ports and the modem are supplied by the ISP. 192.168.01 has been locked by the ISP with a password, which I need a login and password to access. This address is now used as the gateway address.
192.168.0.10 is reserved for the server. The other 3 ports are connected to workstations. I have a fixed IP provided by the ISP and a domain name registered with GoDaddy. The server, after setup, will serve the LAN as well as the Internet.
I won't run this server as a workstation. While installing this VM I need to search technical documents on the Internet; therefore I run X with limited components of X installed, such as Fluxbox (desktop manager), a GUI browser (Firefox; I'm not experienced in running a text browser), a GUI text editor (leafpad), Rox filer, screenshot, etc. X won't start at boot.
That is the whole story.
B.R.
satimis
Last edited by satimis; 08-25-2007 at 08:07 PM.

08-25-2007, 08:44 PM  #5
win32sux, LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
I see. Well, I must admit it's the first time I've seen that style script. On a side note, I noticed you made a typo with the loopback interface address. It's supposed to be "127.0.0.1", not "127.0.0.10". You should probably fix that. So did you get your ping issue sorted-out? Using the same style as your other rules, one like this should let you ping:
Code:
iptables -I OUTPUT -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8
Last edited by win32sux; 08-25-2007 at 08:56 PM.

08-26-2007, 11:22 AM  #6
satimis, Senior Member (Original Poster)
Registered: Apr 2003
Posts: 3,695
Hi win32sux
Quote:
I see. Well, I must admit it's the first time I've seen that style script. On a side note, I noticed you made a typo with the loopback interface address. It's supposed to be "127.0.0.1", not "127.0.0.10". You should probably fix that. So did you get your ping issue sorted-out?
|
Oh, corrected it. Tks.
Still having a problem.
$ sudo /etc/rc.local start
$ sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
It hung here until I cancelled it.
$ ping -c3 yahoo.com
Code:
PING yahoo.com (66.94.234.13) 56(84) bytes of data.
From 192.168.0.10 icmp_seq=1 Destination Port Unreachable
It hung here.
Quote:
Using the same style as your other rules, one like this should let you ping:
Code:
iptables -I OUTPUT -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8
|
Changed the line:
Code:
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53
to:
Code:
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8
$ sudo /etc/rc.local start
$ sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere 192.168.0.10 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8222
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8333
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:902
REJECT 0 -- anywhere 192.168.0.10 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- 192.168.0.10 anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- 192.168.0.10 anywhere icmp echo-request
REJECT 0 -- localhost anywhere reject-with icmp-port-unreachable
REJECT 0 -- 192.168.0.10 anywhere reject-with icmp-port-unreachable
$ ping -c3 yahoo.com
ping: unknown host yahoo.com
Still failed.
$ cat /etc/rc.local
Code:
#
# INPUT
#
# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 22
# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8222
# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8333
# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 902
# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d 192.168.0.10 --reject-with icmp-port-unreachable
#
# OUTPUT
#
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8
# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
# reject all other traffic from the management interface NIC
iptables -I OUTPUT 4 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
B.R.
satimis

08-26-2007, 05:57 PM  #7
win32sux, LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
You weren't supposed to replace the DNS rule with the ping one, just simply add the ping rule. The reason your "iptables -L" stalled and why you are now getting an "unknown host" error is because without the DNS rule your box can't do any DNS lookups. The idea was for you to end up with something like:
Code:
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53
# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
# allow all pings from the management interface NIC
iptables -I OUTPUT 4 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8
# reject all other traffic from the management interface NIC
iptables -I OUTPUT 5 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
Last edited by win32sux; 08-26-2007 at 05:59 PM.

08-26-2007, 08:15 PM  #8
satimis, Senior Member (Original Poster)
Registered: Apr 2003
Posts: 3,695
Quote:
Originally Posted by win32sux
You weren't supposed to replace the DNS rule with the ping one, just simply add the ping rule. The reason your "iptables -L" stalled and why you are now getting an "unknown host" error is because without the DNS rule your box can't do any DNS lookups. The idea was for you to end up with something like:
Code:
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53
# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
# allow all pings from the management interface NIC
iptables -I OUTPUT 4 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8
# reject all other traffic from the management interface NIC
iptables -I OUTPUT 5 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
|
Hi win32sux,
Edited /etc/rc.local
$ cat /etc/rc.local
Code:
#
# INPUT
#
# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 22
# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8222
# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8333
# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 902
# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d 192.168.0.10 --reject-with icmp-port-unreachable
#
# OUTPUT
#
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53
# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
# allow all pings from the management interface NIC
iptables -I OUTPUT 4 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8
# reject all other traffic from the management interface NIC
iptables -I OUTPUT 5 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
$ sudo /etc/init.d/rc.local start
No complaint
$ sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere 192.168.0.10 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8222
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8333
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:902
REJECT 0 -- anywhere 192.168.0.10 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- 192.168.0.10 anywhere state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.0.10 anywhere udp dpt:domain
REJECT 0 -- localhost anywhere reject-with icmp-port-unreachable
ACCEPT icmp -- 192.168.0.10 anywhere icmp echo-request
REJECT 0 -- 192.168.0.10 anywhere reject-with icmp-port-unreachable
It took a prolonged time to generate each line.
$ ping -c3 yahoo.com
Code:
PING yahoo.com (66.94.234.13) 56(84) bytes of data.
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=1 ttl=54 time=179 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=2 ttl=54 time=180 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=3 ttl=55 time=178 ms
--- yahoo.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 178.975/179.568/180.084/0.668 ms
Ping OK. But can't browse the Internet.
B.R.
satimis

08-26-2007, 08:48 PM  #9
win32sux, LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by satimis
Ping OK. But can't browse the Internet.
|
Perfectly normal, as the rules you've used don't allow outgoing HTTP/HTTPS packets. Please understand that the tutorial you used provides you with a very restrictive set of rules. I haven't really read the tutorial so I don't know the reasoning behind the rules, but this is indeed the behavior they are designed for. Typically this is for security reasons (as in "nobody should be surfing the Web on this box", etc.) - in fact, adding the ping rule in and of itself could be considered a security issue if the idea was to have a full-lockdown of anything outgoing from 192.168.0.10 besides DNS.
Do you need to always be able to ping and surf the Web and stuff from this IP on this box? If so, you have chosen the wrong iptables script to get started with. In any case, here's what it would look like if you wanted to allow HTTP and HTTPS (once again, using the same style):
Code:
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53
# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
# allow all pings from the management interface NIC
iptables -I OUTPUT 4 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8
# allow all HTTP from the management interface NIC
iptables -I OUTPUT 5 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 80
# allow all HTTPS from the management interface NIC
iptables -I OUTPUT 6 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 443
# reject all other traffic from the management interface NIC
iptables -I OUTPUT 7 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
By now you should have figured-out that you'll need to add rules in this manner for whatever service you want to allow access for.
Last edited by win32sux; 08-26-2007 at 08:51 PM.
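A first-match walkthrough of the OUTPUT chains from posts #3, #7 and #9, added here as an example and not code from the thread: it evaluates the thread's own packets (a DNS query, an outgoing ping, an HTTPS connection) against each version of the chain, checks one case the thread does not test (a connection over loopback, which the "-s 127.0.0.1 -j REJECT" rule also hits), and counts how the duplicate rule blocks in post #1's "iptables -L" listing arise when an "-I"-based script is re-run without a flush. The Rule/Packet types and the port 3306 sample are my assumptions.

```python
# Added example, not code from the thread: a first-match simulator for the OUTPUT
# chains of posts #3, #7 and #9.  It models only the match options those rules use
# (-s, -p, --destination-port, --icmp-type, -m state) and the ACCEPT/REJECT targets;
# the kernel, not this code, makes the real decision.
from dataclasses import dataclass
from typing import List, Optional, Set

MGMT = "192.168.0.10"   # the "management interface NIC" address used in the thread
LOOPBACK = "127.0.0.1"  # loopback, with the 127.0.0.10 typo from post #1 corrected


@dataclass
class Rule:
    target: str                        # ACCEPT or REJECT
    src: Optional[str] = None          # -s
    proto: Optional[str] = None        # -p tcp|udp|icmp
    dport: Optional[int] = None        # --destination-port
    icmp_type: Optional[int] = None    # --icmp-type
    states: Optional[Set[str]] = None  # -m state --state A,B


@dataclass
class Packet:
    src: str
    proto: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    state: str = "NEW"                 # conntrack state; replies are ESTABLISHED


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match option given on a rule must hold for it to fire (iptables ANDs them)."""
    return all((
        rule.src is None or rule.src == pkt.src,
        rule.proto is None or rule.proto.lower() == pkt.proto.lower(),
        rule.dport is None or rule.dport == pkt.dport,
        rule.icmp_type is None or rule.icmp_type == pkt.icmp_type,
        rule.states is None or pkt.state in rule.states,
    ))


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """The first matching rule decides; if none matches, the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


def insert(chain: List[Rule], pos: int, rule: Rule) -> None:
    """iptables -I CHAIN pos: make the rule number pos (1-based), pushing the rest down."""
    if pos < 1 or pos > len(chain) + 1:
        raise ValueError("iptables: Index of insertion too big.")
    chain.insert(pos - 1, rule)


def post1_output() -> List[Rule]:
    """OUTPUT chain as loaded by post #1's rc.local (loopback address corrected)."""
    chain: List[Rule] = []
    insert(chain, 1, Rule("ACCEPT", src=MGMT, states={"RELATED", "ESTABLISHED"}))
    insert(chain, 2, Rule("ACCEPT", src=MGMT, proto="UDP", dport=53))
    insert(chain, 3, Rule("REJECT", src=LOOPBACK))
    insert(chain, 4, Rule("REJECT", src=MGMT))
    return chain


def post6_output() -> List[Rule]:
    """Post #6: the DNS rule was replaced by the ping rule instead of kept alongside it."""
    chain = post1_output()
    chain[1] = Rule("ACCEPT", src=MGMT, proto="ICMP", icmp_type=8)
    return chain


def post9_output() -> List[Rule]:
    """Post #9: DNS, ping, HTTP and HTTPS are all allowed ahead of the final REJECT."""
    chain = post1_output()
    chain.pop()                         # take the catch-all REJECT off the end
    insert(chain, 4, Rule("ACCEPT", src=MGMT, proto="ICMP", icmp_type=8))
    insert(chain, 5, Rule("ACCEPT", src=MGMT, proto="TCP", dport=80))
    insert(chain, 6, Rule("ACCEPT", src=MGMT, proto="TCP", dport=443))
    insert(chain, 7, Rule("REJECT", src=MGMT))
    return chain


def rerun_script(runs: int, flush_first: bool = False) -> int:
    """Rule count after loading post #1's OUTPUT block `runs` times.
    With -I at fixed positions and no flush, each run pushes a fresh copy of the whole
    block to the top (the repeated blocks in post #1's listing); flushing first
    (iptables -F) makes the script idempotent."""
    chain: List[Rule] = []
    for _ in range(runs):
        if flush_first:
            chain.clear()
        for pos, rule in enumerate(post1_output(), start=1):
            insert(chain, pos, rule)
    return len(chain)


# Constructed sample packets leaving the host.
DNS_QUERY = Packet(MGMT, "udp", dport=53)
PING = Packet(MGMT, "icmp", icmp_type=8)          # echo-request
HTTPS_SYN = Packet(MGMT, "tcp", dport=443)
SMTP_SYN = Packet(MGMT, "tcp", dport=25)
LOCAL_DB = Packet(LOOPBACK, "tcp", dport=3306)    # the LAMP box talking to its own MySQL

if __name__ == "__main__":
    for name, chain in (("post #1", post1_output()), ("post #6", post6_output()), ("post #9", post9_output())):
        print(name, [verdict(chain, p) for p in (DNS_QUERY, PING, HTTPS_SYN, SMTP_SYN, LOCAL_DB)])
```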

08-26-2007, 09:13 PM  #10
satimis, Senior Member (Original Poster)
Registered: Apr 2003
Posts: 3,695
Quote:
Originally Posted by win32sux
Perfectly normal, as the rules you've used don't allow outgoing HTTP/HTTPS packets. Please understand that the tutorial you used provides you with a very restrictive set of rules. I haven't really read the tutorial so I don't know the reasoning behind the rules, but this is indeed the behavior they are designed for. Typically this is for security reasons (as in "nobody should be surfing the Web on this box", etc.) - in fact, adding the ping rule in and of itself could be considered a security issue if the idea was to have a full-lockdown of anything outgoing from 192.168.0.10 besides DNS.
|
Noted with tks.
Quote:
Do you need to always be able to ping and surf the Web and stuff from this IP on this box? If so, you have chosen the wrong iptables script to get started with.
|
In fact this is a test allowing me to learn building a VM. After finishing I won't use the server for surfing the web. Should I really need to surf the web, I will tunnel a workstation via ssh to do it. At the beginning it is not worthwhile running 2 PCs to do one job.
Quote:
In any case, here's what it would look like if you wanted to allow HTTP and HTTPS (once again, using the same style):
Code:
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53
# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
# allow all pings from the management interface NIC
iptables -I OUTPUT 4 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8
# allow all HTTP from the management interface NIC
iptables -I OUTPUT 5 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 80
# allow all HTTPS from the management interface NIC
iptables -I OUTPUT 6 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 443
# reject all other traffic from the management interface NIC
iptables -I OUTPUT 7 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
|
Your advice worked here; web surfing is now possible.
$ sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere 192.168.0.10 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8222
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8333
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:902
REJECT 0 -- anywhere 192.168.0.10 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- 192.168.0.10 anywhere state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.0.10 anywhere udp dpt:domain
REJECT 0 -- localhost anywhere reject-with icmp-port-unreachable
ACCEPT icmp -- 192.168.0.10 anywhere icmp echo-request
ACCEPT tcp -- 192.168.0.10 anywhere tcp dpt:www
ACCEPT tcp -- 192.168.0.10 anywhere tcp dpt:https
REJECT 0 -- 192.168.0.10 anywhere reject-with icmp-port-unreachable
I wonder why it took a prolonged time to display each line?
Port 443 - I suppose is the secure layer
http://www.grc.com/port_443.htm
Quote:
By now you should have figured-out that you'll need to add rules in this manner for whatever service you want to allow access for.
|
Noted with tks.
B.R.
satimis

08-26-2007, 10:23 PM  #11
win32sux, LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Port 443 - I suppose is secure layer
|
Yes, it's needed to surf sites such as hotmail.com, etc. which transmit your password using HTTPS (HTTP over SSL).
Quote:
I wonder why it took prolonged time displaying one/each line?
|
Not sure, but you can determine if it's due to your packet filtering rules by sending packets to LOG before you send them to REJECT. You can then open a terminal and do a "tail -f /var/log/syslog" or similar to see if any packets get filtered when you do your "iptables -L". Example:
Code:
#
# INPUT
#
# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 22
# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8222
# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8333
# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 902
# log all other traffic to the management interface NIC before we reject it
iptables -I INPUT 6 -j LOG -d 192.168.0.10 --log-prefix "INPUT REJECT: "
# reject all other traffic to the management interface NIC
iptables -I INPUT 7 -j REJECT -d 192.168.0.10 --reject-with icmp-port-unreachable
#
# OUTPUT
#
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53
# log all other traffic from localhost before we reject it
iptables -I OUTPUT 3 -j LOG -s 127.0.0.1 --log-prefix "OUTPUT REJECT LOCALHOST: "
# reject all other traffic from localhost
iptables -I OUTPUT 4 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
# allow all pings from the management interface NIC
iptables -I OUTPUT 5 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8
# allow all HTTP from the management interface NIC
iptables -I OUTPUT 6 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 80
# allow all HTTPS from the management interface NIC
iptables -I OUTPUT 7 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 443
# log all other traffic from the management interface NIC before we reject it
iptables -I OUTPUT 8 -j LOG -s 192.168.0.10 --log-prefix "OUTPUT REJECT: "
# reject all other traffic from the management interface NIC
iptables -I OUTPUT 9 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
Last edited by win32sux; 08-26-2007 at 10:26 PM.
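A small parser for the syslog lines that the LOG rules in the post above would write, added here as an example and not code from the thread: it picks out lines carrying the three --log-prefix strings from that ruleset, splits the kernel's KEY=value fields, and counts rejected packets by prefix, protocol and destination port (or ICMP type), so a stall can be correlated with what was filtered instead of watching "tail -f" by eye. The sample syslog lines, the host name "lamp" and the NTP/MySQL traffic in them are constructed by me.

```python
# Added example, not code from the thread: parse the syslog lines that the LOG rules
# in post #11 would write, so rejected packets can be counted instead of read one by
# one from "tail -f /var/log/syslog".  The sample lines below are constructed in the
# format the kernel LOG target uses (prefix, then IN=/OUT=/SRC=/DST=/PROTO=/... fields).
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Prefixes exactly as given to --log-prefix in the post #11 ruleset.
KNOWN_PREFIXES = ("INPUT REJECT: ", "OUTPUT REJECT: ", "OUTPUT REJECT LOCALHOST: ")

# "kernel: ", an optional printk timestamp, the prefix, then the IN=... field list.
LOG_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>.*?)(?P<fields>IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens; bare flags like DF or SYN are skipped


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one LOG line tagged with one of our prefixes, else None."""
    m = LOG_RE.search(line)
    if not m or m.group("prefix") not in KNOWN_PREFIXES:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    fields["PREFIX"] = m.group("prefix").rstrip(": ")
    return fields


def summarize(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Count rejected packets by (prefix, protocol, destination port or ICMP type)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        proto = rec.get("PROTO", "?")
        detail = rec.get("DPT", "") if proto in ("TCP", "UDP") else rec.get("TYPE", "")
        counts[(rec["PREFIX"], proto, detail)] += 1
    return dict(counts)


# Constructed sample: two outbound NTP queries (udp/123 is not in the allow list), a LAN
# workstation's HTTP request to the server (the INPUT rules only allow 22, 8222, 8333 and
# 902), a local MySQL connection over loopback, one outbound ping from before the ICMP
# rule was added, and an unrelated sshd line that must be ignored.
SAMPLE_SYSLOG = """\
Aug 27 10:01:02 lamp kernel: [ 3012.112233] OUTPUT REJECT: IN= OUT=eth0 SRC=192.168.0.10 DST=192.168.0.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 27 10:02:02 lamp kernel: [ 3072.445566] OUTPUT REJECT: IN= OUT=eth0 SRC=192.168.0.10 DST=192.168.0.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 27 10:02:05 lamp kernel: [ 3075.000001] INPUT REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.20 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 27 10:02:06 lamp kernel: [ 3076.200000] OUTPUT REJECT LOCALHOST: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=45000 DPT=3306 WINDOW=32792 RES=0x00 SYN URGP=0
Aug 27 10:02:07 lamp kernel: [ 3077.300000] OUTPUT REJECT: IN= OUT=eth0 SRC=192.168.0.10 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Aug 27 10:02:08 lamp sshd[1234]: Accepted publickey for admin from 192.168.0.20 port 50022 ssh2
"""

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_SYSLOG.splitlines()).items()):
        print(f"{n:3d}  {key[0]:25s} {key[1]:5s} {key[2]}")
```

Note that "iptables -L" itself resolves every address and port to a name (that is where "anywhere", "localhost", "ssh" and "domain" in the listings come from), so listing stalls when DNS is rejected, as in post #6; "iptables -L -n" skips those lookups.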

08-27-2007, 04:50 AM  #12
satimis, Senior Member (Original Poster)
Registered: Apr 2003
Posts: 3,695
Quote:
Originally Posted by win32sux
Yes, it's needed to surf sites such as hotmail.com, etc. which transmit your password using HTTPS (HTTP over SSL).
Not sure, but you can determine if it's due to your packet filtering rules by sending packets to LOG before you send them to REJECT. You can then open a terminal and do a "tail -f /var/log/syslog" or similar to see if any packets get filtered when you do your "iptables -L". Example:
Code:
#
# INPUT
#
# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 22
# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8222
# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8333
# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 902
# log all other traffic to the management interface NIC before we reject it
iptables -I INPUT 6 -j LOG -d 192.168.0.10 --log-prefix "INPUT REJECT: "
# reject all other traffic to the management interface NIC
iptables -I INPUT 7 -j REJECT -d 192.168.0.10 --reject-with icmp-port-unreachable
#
# OUTPUT
#
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53
# log all other traffic from localhost before we reject it
iptables -I OUTPUT 3 -j LOG -s 127.0.0.1 --log-prefix "OUTPUT REJECT LOCALHOST: "
# reject all other traffic from localhost
iptables -I OUTPUT 4 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
# allow all pings from the management interface NIC
iptables -I OUTPUT 5 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8
# allow all HTTP from the management interface NIC
iptables -I OUTPUT 6 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 80
# allow all HTTPS from the management interface NIC
iptables -I OUTPUT 7 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 443
# log all other traffic from the management interface NIC before we reject it
iptables -I OUTPUT 8 -j LOG -s 192.168.0.10 --log-prefix "OUTPUT REJECT: "
# reject all other traffic from the management interface NIC
iptables -I OUTPUT 9 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
Edited /etc/rc.local
$ cat /etc/rc.local
Code:
#exit 0
#
# INPUT
#
# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 22
# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8222
# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8333
# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 902
# log all other traffic to the management interface NIC before we reject it
iptables -I INPUT 6 -j LOG -d 192.168.0.10 --log-prefix "INPUT REJECT: "
# reject all other traffic to the management interface NIC
iptables -I INPUT 7 -j REJECT -d 192.168.0.10 --reject-with icmp-port-unreachable
#
# OUTPUT
#
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED
# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53
# log all other traffic from localhost before we reject it
iptables -I OUTPUT 3 -j LOG -s 127.0.0.1 --log-prefix "OUTPUT REJECT LOCALHOST: "
# reject all other traffic from localhost
iptables -I OUTPUT 4 -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
# allow all pings from the management interface NIC
iptables -I OUTPUT 5 -j ACCEPT -s 192.168.0.10 -p ICMP --icmp-type 8
# allow all HTTP from the management interface NIC
iptables -I OUTPUT 6 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 80
# allow all HTTPS from the management interface NIC
iptables -I OUTPUT 7 -j ACCEPT -s 192.168.0.10 -p TCP --destination-port 443
# log all other traffic from the management interface NIC before we reject it
iptables -I OUTPUT 8 -j LOG -s 192.168.0.10 --log-prefix "OUTPUT REJECT: "
# reject all other traffic from the management interface NIC
iptables -I OUTPUT 9 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable
$ sudo /etc/init.d/rc.local start
Code:
* Running local boot scripts (/etc/rc.local) [ OK ]
$ tail -f /var/log/syslog
Code:
Aug 27 16:43:52 ubuntu /usr/sbin/cron[4658]: (CRON) INFO (pidfile fd = 3)
Aug 27 16:43:52 ubuntu /usr/sbin/cron[4659]: (CRON) STARTUP (fork ok)
Aug 27 16:43:52 ubuntu /usr/sbin/cron[4659]: (CRON) INFO (Running @reboot jobs)
Aug 27 16:43:53 ubuntu /etc/mysql/debian-start[4691]: Checking for crashed MySQL tables.
Aug 27 16:43:53 ubuntu kernel: [ 39.495062] ip_tables: (C) 2000-2006 Netfilter Core Team
Aug 27 16:43:53 ubuntu kernel: [ 39.604519] Netfilter messages via NETLINK v0.30.
Aug 27 16:43:53 ubuntu kernel: [ 39.608871] nf_conntrack version 0.5.0 (8192 buckets, 65536 max)
Aug 27 16:44:30 ubuntu ntpdate[2973]: sendto(fiordland.ubuntu.com): Operation not permitted
Aug 27 16:44:32 ubuntu last message repeated 3 times
Aug 27 16:44:33 ubuntu ntpdate[2973]: no server suitable for synchronization found
hanging here.
$ sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere 192.168.0.10 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8222
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8333
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:902
LOG 0 -- anywhere 192.168.0.10 LOG level warning prefix `INPUT REJECT: '
REJECT 0 -- anywhere 192.168.0.10 reject-with icmp-port-unreachable
ACCEPT 0 -- anywhere 192.168.0.10 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8222
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:8333
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:902
REJECT 0 -- anywhere 192.168.0.10 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- 192.168.0.10 anywhere state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.0.10 anywhere udp dpt:domain
LOG 0 -- localhost anywhere LOG level warning prefix `OUTPUT REJECT LOCALHOST: '
REJECT 0 -- localhost anywhere reject-with icmp-port-unreachable
ACCEPT icmp -- 192.168.0.10 anywhere icmp echo-request
ACCEPT tcp -- 192.168.0.10 anywhere tcp dpt:www
ACCEPT tcp -- 192.168.0.10 anywhere tcp dpt:https
LOG 0 -- 192.168.0.10 anywhere LOG level warning prefix `OUTPUT REJECT: '
REJECT 0 -- 192.168.0.10 anywhere reject-with icmp-port-unreachable
ACCEPT 0 -- 192.168.0.10 anywhere state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.0.10 anywhere udp dpt:domain
REJECT 0 -- localhost anywhere reject-with icmp-port-unreachable
ACCEPT icmp -- 192.168.0.10 anywhere icmp echo-request
ACCEPT tcp -- 192.168.0.10 anywhere tcp dpt:www
ACCEPT tcp -- 192.168.0.10 anywhere tcp dpt:https
REJECT 0 -- 192.168.0.10 anywhere reject-with icmp-port-unreachable
"tail -f /var/log/syslog" continued to grow
Code:
Aug 27 16:59:12 ubuntu kernel: [ 957.301623] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.4 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=18687 DF PROTO=UDP SPT=53 DPT=32915 LEN=51
Aug 27 17:01:12 ubuntu kernel: [ 1077.308367] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.4 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=7755 DF PROTO=UDP SPT=53 DPT=32929 LEN=51
Aug 27 17:03:13 ubuntu kernel: [ 1197.363318] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.4 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=62409 DF PROTO=UDP SPT=53 DPT=32942 LEN=51
Aug 27 17:04:13 ubuntu kernel: [ 1257.333374] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.14 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=14733 DF PROTO=UDP SPT=53 DPT=32949 LEN=51
Aug 27 17:05:43 ubuntu kernel: [ 1347.332221] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.4 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=51429 DF PROTO=UDP SPT=53 DPT=32958 LEN=51
Aug 27 17:06:43 ubuntu kernel: [ 1407.319204] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.14 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=39276 DF PROTO=UDP SPT=53 DPT=32965 LEN=51
Aug 27 17:08:13 ubuntu kernel: [ 1497.305903] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.4 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=35009 DF PROTO=UDP SPT=53 DPT=32974 LEN=51
Aug 27 17:09:01 ubuntu /USR/SBIN/CRON[5022]: (root) CMD ( [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -r -0 rm)
Aug 27 17:09:13 ubuntu kernel: [ 1557.282240] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.14 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=22864 DF PROTO=UDP SPT=53 DPT=32981 LEN=51
Aug 27 17:17:01 ubuntu /USR/SBIN/CRON[5029]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
hanging here again
[Ctrl]+C to exit
satimis
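The syslog lines in the post carry everything `-j LOG` records about each rejected packet (interface, addresses, protocol, ports, flags). As an added example that is not part of the post, the script below parses such records and groups the rejects by what they are, so that resolver answers turned away by INPUT show up separately from unsolicited connection attempts and from the host's own blocked outbound traffic; the sample lines are constructed after the thread's format and the NTP server address in them is a placeholder.

```python
"""Summarise iptables LOG records from syslog.  Added example, not from the forum
post; the sample lines are constructed after the format shown in the thread."""
import re
from collections import Counter

# syslog header, kernel timestamp, then "<--log-prefix>: KEY=VALUE ..." as -j LOG writes it
LOG_RE = re.compile(r"kernel: \[\s*[\d.]+\] (?P<prefix>[^:]*?): (?P<fields>IN=.*)$")

def parse_line(line):
    """Return the packet fields of one iptables LOG line as a dict, or None for other lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"prefix": m.group("prefix")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        rec[key] = value if sep else True   # "OUT=" -> "", bare flags such as DF -> True
    return rec                               # a repeated key (LEN on UDP) keeps its last value

def classify(rec):
    """Label a rejected packet from the defender's point of view."""
    proto, spt, dpt = rec.get("PROTO"), rec.get("SPT"), rec.get("DPT")
    port = int(dpt) if dpt is not None else None   # ICMP records carry no ports
    inbound = rec["prefix"].startswith("INPUT")
    if inbound and proto == "UDP" and spt == "53" and port is not None and port >= 1024:
        # resolver answer to a query sent through the UDP/53 OUTPUT rule; the RELATED,ESTABLISHED rule at the top of INPUT is the one meant to admit it
        return "dns-reply"
    if inbound and port is not None and port < 1024:
        return "inbound-service"             # unsolicited attempt at a well-known local port
    if rec["prefix"].startswith("OUTPUT"):
        return "outbound-%s/%s" % (proto, dpt)  # what this host itself tried to reach
    return "other"

def summarise(lines):
    """Count LOG records by (prefix, class); non-LOG syslog lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["prefix"], classify(rec))] += 1
    return counts

# Constructed sample: two DNS replies, one NTP attempt (203.0.113.5 is a placeholder), one cron line.
SAMPLE = [
    "Aug 27 17:01:12 ubuntu kernel: [ 1077.308367] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.4 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=7755 DF PROTO=UDP SPT=53 DPT=32929 LEN=51",
    "Aug 27 17:03:13 ubuntu kernel: [ 1197.363318] INPUT REJECT: IN=eth0 OUT= MAC=00:0e:a6:f9:a3:5b:00:16:b6:c9:8a:a9:08:00 SRC=202.14.67.14 DST=192.168.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=251 ID=62409 DF PROTO=UDP SPT=53 DPT=32942 LEN=51",
    "Aug 27 16:44:30 ubuntu kernel: [   76.100000] OUTPUT REJECT: IN= OUT=eth0 SRC=192.168.0.10 DST=203.0.113.5 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56",
    "Aug 27 17:17:01 ubuntu /USR/SBIN/CRON[5029]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)",
]
```

Running `summarise(SAMPLE)` on the constructed lines yields two `("INPUT REJECT", "dns-reply")` records and one `("OUTPUT REJECT", "outbound-UDP/123")`, which matches the two symptoms in the thread: rejected answers from port 53 and the failing ntpdate.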