LinuxQuestions.org
Old 09-14-2011, 10:37 AM   #1
rng
Senior Member
 
Registered: Aug 2011
Posts: 1,199

Rep: Reputation: 47
comments on iptables


Kindly comment on the following iptables rules, which I think may be useful for me since I only need to use a web browser for my net connection.

Code:
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy OUTPUT ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT
iptables -t mangle --policy PREROUTING ACCEPT
iptables -t mangle --policy OUTPUT ACCEPT
iptables -t mangle --policy INPUT ACCEPT
iptables -t mangle --policy FORWARD DROP
iptables -t mangle --policy POSTROUTING ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
 
Old 09-15-2011, 03:44 AM   #2
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Hello,

Let me ask you this: does it work as advertised for you? To me, it looks good, but I don't know what the full desired output is. Overall, yes, it looks good, but you need to be happy with the configuration. If it works, then it works!

Cheers,

Josh
 
1 members found this post helpful.
Old 09-15-2011, 06:41 AM   #3
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Quote:
Originally Posted by rng View Post
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP


You don't need the last 2 lines because you set the default policy at the beginning to DROP. They won't hurt anything, but they are also not doing anything.
 
Old 09-15-2011, 07:14 AM   #4
rng
Senior Member
 
Registered: Aug 2011
Posts: 1,199

Original Poster
Rep: Reputation: 47
Will these iptables rules prevent programs installed on my system from communicating data or info across the net? If not, what rules can be added to prevent that and allow only Firefox to connect to the network?
Can there be a script with a combination of netstat and iptables commands which can do this?
 
Old 10-03-2011, 07:30 AM   #5
goossen
Member
 
Registered: May 2006
Location: Bayern, Germany
Distribution: Many
Posts: 224

Rep: Reputation: 41
You don't need the following lines because the packets will be dropped by the default policy (which, BTW, is not a good idea to use):

Code:
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
And you will need the return traffic of the DNS:
Code:
iptables -A INPUT -p udp --sport 53 -j ACCEPT
Now, why it is not a good idea to use a default policy of DROP:

Let's say you are working remotely and flush the iptables rules (which is not a good idea either, but it's not uncommon): your server will be inaccessible immediately. All the packets will be dropped since they match the default policy in the chain, and you will need physical access to the machine to solve the problem.
It's better to explicitly drop everything at the bottom of every chain.
 
Old 10-04-2011, 10:30 AM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by goossen View Post
And you will need the return of the DNS
Code:
iptables -A INPUT -p udp --sport 53 -j ACCEPT
There's already a rule in there for packets in state ESTABLISHED, so it's all good. Sending UDP packets with source port 53 to ACCEPT would open up a giant hole in the firewall, as all a bad guy would need to do in order to get his UDP packets through is set source port 53 on them (destination port could be anything). So, I'd say stay away from these types of rules.

Last edited by win32sux; 10-04-2011 at 10:31 AM.
 
1 members found this post helpful.
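The three claims debated in posts #3, #5 and #6 (a trailing unconditional `-j DROP` is redundant under a DROP policy; flushing the rules under a DROP policy locks a remote admin out; a `--sport 53 -j ACCEPT` rule admits any UDP packet that merely claims source port 53, while the ESTABLISHED rule already admits genuine DNS replies) can be checked against a small model of chain traversal. The Python below is an added example, not code from this thread or from iptables itself: it models only the matches the thread uses (`-i`, `-p`, `--dport`, `--sport`, `-m state`), treats conntrack as the set of flows this host itself initiated, and uses constructed RFC 5737 documentation addresses.

```python
"""Toy model of iptables filter-chain traversal (added example, not an iptables implementation).

Only -i, -p, --dport, --sport and -m state --state are modelled. "Conntrack" is the
set of 5-tuples this host sent out; an inbound packet whose reverse tuple is in
that set is ESTABLISHED, anything else is NEW.
"""
from dataclasses import dataclass

HOST = "192.0.2.10"        # constructed addresses (RFC 5737 documentation ranges)
WEB = "203.0.113.5"
DNS = "203.0.113.53"
STRANGER = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "eth0"


@dataclass
class Rule:
    """One `iptables -A <chain> ... -j <target>` line; None means no match on that field."""
    target: str
    proto: str = None
    dport: int = None
    sport: int = None
    iface: str = None
    state: frozenset = frozenset()

    def matches(self, pkt, ct_state):
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.sport is None or pkt.sport == self.sport)
                and (self.iface is None or pkt.iface == self.iface)
                and (not self.state or ct_state in self.state))


class Firewall:
    def __init__(self, input_policy="DROP", output_policy="DROP"):
        self.policy = {"INPUT": input_policy, "OUTPUT": output_policy}
        self.chains = {"INPUT": [], "OUTPUT": []}
        self.conntrack = set()          # (proto, src, sport, dst, dport) flows we started

    def append(self, chain, rule):      # iptables -A <chain> ...
        self.chains[chain].append(rule)

    def flush(self):                    # iptables -F: rules vanish, policies stay
        for rules in self.chains.values():
            rules.clear()

    def _traverse(self, chain, pkt, ct_state):
        for rule in self.chains[chain]:
            if rule.matches(pkt, ct_state):
                return rule.target      # first matching rule decides
        return self.policy[chain]       # nothing matched: the chain policy decides

    def send(self, pkt):
        verdict = self._traverse("OUTPUT", pkt, "NEW")
        if verdict == "ACCEPT":         # only accepted packets create a conntrack entry
            self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict

    def receive(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        ct_state = "ESTABLISHED" if reverse in self.conntrack else "NEW"
        return self._traverse("INPUT", pkt, ct_state)


def thread_ruleset(input_policy="DROP", output_policy="DROP", trailing_drop=True):
    """INPUT/OUTPUT rules from post #1 (the INVALID rule is omitted; the model never produces it)."""
    fw = Firewall(input_policy, output_policy)
    fw.append("INPUT", Rule("ACCEPT", iface="lo"))
    fw.append("INPUT", Rule("ACCEPT", state=frozenset({"ESTABLISHED", "RELATED"})))
    fw.append("OUTPUT", Rule("ACCEPT", iface="lo"))
    fw.append("OUTPUT", Rule("ACCEPT", proto="tcp", dport=80))
    fw.append("OUTPUT", Rule("ACCEPT", proto="tcp", dport=443))
    fw.append("OUTPUT", Rule("ACCEPT", proto="udp", dport=53))
    if trailing_drop:                   # the two lines posts #3 and #5 call redundant
        fw.append("INPUT", Rule("DROP"))
        fw.append("OUTPUT", Rule("DROP"))
    return fw


def dns_round_trip(fw):
    """Query out on UDP/53; the reply comes back as ESTABLISHED, so no --sport 53 rule is needed."""
    out = fw.send(Packet("udp", HOST, 40000, DNS, 53))
    return out, fw.receive(Packet("udp", DNS, 53, HOST, 40000))


def unsolicited_sport53(fw):
    """A UDP packet nobody asked for, carrying source port 53 towards an arbitrary port."""
    return fw.receive(Packet("udp", STRANGER, 53, HOST, 22222))


def trailing_drop_is_redundant():
    """Verdict for an unsolicited SYN with and without the trailing `-j DROP` rules."""
    pkt = Packet("tcp", STRANGER, 4444, HOST, 22)
    return (thread_ruleset(trailing_drop=True).receive(pkt),
            thread_ruleset(trailing_drop=False).receive(pkt))


def after_flush(input_policy, output_policy):
    """Verdicts for (reply to our own connection, unsolicited SYN) once `iptables -F` has run."""
    fw = thread_ruleset(input_policy, output_policy)
    fw.send(Packet("tcp", HOST, 40001, WEB, 443))
    fw.flush()
    return (fw.receive(Packet("tcp", WEB, 443, HOST, 40001)),
            fw.receive(Packet("tcp", STRANGER, 4444, HOST, 22)))


def sport53_rule_hole():
    """The stateful rule set versus post #5's `--sport 53 -j ACCEPT`, for the unsolicited packet."""
    stateful = thread_ruleset()
    leaky = thread_ruleset(trailing_drop=False)
    leaky.append("INPUT", Rule("ACCEPT", proto="udp", sport=53))
    return unsolicited_sport53(stateful), unsolicited_sport53(leaky)


if __name__ == "__main__":
    print("DNS query/reply under the posted rules:", dns_round_trip(thread_ruleset()))
    print("trailing DROP present/absent:", trailing_drop_is_redundant())
    print("after -F, policy DROP vs ACCEPT:", after_flush("DROP", "DROP"), after_flush("ACCEPT", "ACCEPT"))
    print("unsolicited sport-53 UDP, stateful vs --sport rule:", sport53_rule_hole())
```

Running it shows the two sides of the policy question side by side: with a DROP policy, `-F` drops even the reply to a connection the host opened (the lockout post #5 describes), while with an ACCEPT policy and an explicit DROP at the bottom, `-F` leaves every inbound packet accepted. Which failure mode is preferable is a choice about whether the box should fail closed or fail open; the model only makes the consequence visible. It also shows why the `--sport 53` rule is a hole and the ESTABLISHED rule is not: the unsolicited packet never matches a conntrack entry, so the stateful rule set drops it, whereas a source-port match accepts it regardless of destination port.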
Old 10-05-2011, 06:38 AM   #7
goossen
Member
 
Registered: May 2006
Location: Bayern, Germany
Distribution: Many
Posts: 224

Rep: Reputation: 41
You are right, win32sux, my bad. Thanks for pointing it out!
 
Old 10-05-2011, 11:41 AM   #8
rng
Senior Member
 
Registered: Aug 2011
Posts: 1,199

Original Poster
Rep: Reputation: 47
Thanks for your replies. I am using Ubuntu on two computers. The above script works well on my home computer, where I connect directly to the internet (through a wired ADSL modem), but on my office computer, where internet access is through an institutional LAN proxy (I have entered the proxy details in the browser), it works for a minute or so and then stops. On the other hand, if I use the ufw firewall with the 'default deny' options, it works perfectly. Where could the fault in my script be?
 
All times are GMT -5. The time now is 04:44 AM.