LinuxQuestions.org

LinuxQuestions.org (http://www.linuxquestions.org/questions/index.php)
-   Linux - Security (http://www.linuxquestions.org/questions/forumdisplay.php?f=4)
-   -   Find all outbound traffic (Ubuntu Server) (http://www.linuxquestions.org/questions/showthread.php?t=4175451718)

JoseCuervo 02-26-2013 12:37 AM

Hello, the iptables that I created for my Ubuntu server has a global deny rule that prevents Ubuntu from accessing the internet, and prevents Windows computers on the network from seeing the Samba share I created. I have tried to use tcpdump to see what exactly I need to allow through the firewall, but the data is overwhelming. How can I parse the tcpdump information to show me what Ubuntu is doing, and what I need to allow? I'm completely new to this, I only learned Samba, iptables, vim, and pretty much Ubuntu in general in the last few days. That said, I can follow instructions and references fairly well.

My current iptables.rules:
Code:

# Generated by iptables-save v1.4.12 on Sun Feb 24 11:30:47 2013

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

##### Accept established traffic & loopback traffic
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

##### Accept Samba traffic from local network
-A INPUT -p udp -s 192.168.0.0/24 -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -s 192.168.0.0/24 -m udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT

##### Accept SSH connections only from Viki
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m mac --mac-source 1C:6F:65:C6:5D:37 -m tcp --dport 22 -j ACCEPT

##### Accept Minecraft from local network only, for now
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 25565 -j ACCEPT

##### Reject all other INPUT traffic
#-A INPUT -j REJECT

##### Reject all forwarded traffic
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

###### Allow OUTPUT on port 80
-A OUTPUT -d 91.189.92.200/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -d 91.189.91.13/32 -p tcp -m tcp --dport 80 -j ACCEPT

##### Allow Ubuntu to access update sites
-A OUTPUT -p tcp --dport 80 -d security.ubuntu.com -j ACCEPT
-A OUTPUT -p tcp --dport 80 -d us.archive.ubuntu.com -j ACCEPT

##### Allow any OUTPUT traffic on the network
-A OUTPUT -d 192.168.0.0/24 -j ACCEPT

##### Reject all other OUTPUT traffic
#-A OUTPUT -j REJECT

COMMIT
# Completed on Sun Feb 24 11:30:47 2013

I just need a way to find out what it is I'm not allowing through so that I can uncomment my global deny rules for INPUT and OUTPUT. My end goal is to lock this server to the exact minimum necessary. Thanks in advance!

So I just installed and ran Wireshark on my Ubuntu VM, and then connected my Windows 7 computer and played a show over the network (from Ubuntu to Windows). Wireshark showed 1700 packets in about 15 seconds; is that right? They were all between two IP addresses, which are the VM and host I'm guessing.

JoseCuervo 02-26-2013 03:07 AM

After watching Wireshark for a while I realized that the Ubuntu VM I was using wasn't using the same addresses as the iptables rules had stipulated. I've modified them, and it seems to be working atm.

unSpawn 02-26-2013 06:06 AM

Quote:

Originally Posted by JoseCuervo (Post 4899849)
I have tried to use tcpdump to see what exactly I need to allow through the firewall, but the data is overwhelming. How can I parse the tcpdump information to show me what Ubuntu is doing, and what I need to allow? (..) I just need a way to find out what it is I'm not allowing through so that I can uncomment my global deny rules for INPUT and OUTPUT. My end goal is to lock this server to the exact minimum necessary.

The easiest way is to add LOG target rules before you DROP or REJECT, for example in the filter table INPUT chain:
Code:

-A INPUT -m state --state INVALID -j LOG --log-prefix "IN_drop_inv "
-A INPUT -m state --state NEW -j LOG --log-prefix "IN_drop_new "
-A INPUT -j REJECT


Quote:

Originally Posted by JoseCuervo (Post 4899849)
(..) They were all between two IP addresses, which are the VM and host I'm guessing.

Commands like
Code:

ifconfig -a
ip link show
arp -a

and otherwise router (DHCP daemon) logs, arpwatch or arphound should all be able to tell you about local addresses and those in use in your LAN, so there's no need to "guess".
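Once LOG rules like those are in place, the kernel writes one line per logged packet to the kernel log (dmesg, or /var/log/kern.log on Ubuntu), with the prefix followed by IN=, OUT=, SRC=, DST=, PROTO=, DPT= and similar fields. The script below is an added example, not from the thread or from any of its posters: it parses such lines and tallies which new flows the REJECT rules would have stopped, which is the list the original question asks for. It assumes a matching `OUT_drop_new ` prefix on a LOG rule placed before the OUTPUT REJECT, and the log lines it uses are constructed samples.

```python
import re
from collections import Counter

# Constructed sample of what the kernel logs for the LOG rules above (plus an
# assumed "OUT_drop_new " prefix on a matching OUTPUT rule). Not real captures.
SAMPLE_LOG = """\
Feb 26 06:06:01 srv kernel: [ 101.1] IN_drop_new IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.10 DST=192.168.0.5 LEN=52 TTL=128 DF PROTO=TCP SPT=49152 DPT=445 SYN URGP=0
Feb 26 06:06:02 srv kernel: [ 102.2] IN_drop_new IN=eth0 OUT= SRC=192.168.0.10 DST=192.168.0.255 LEN=78 TTL=128 PROTO=UDP SPT=137 DPT=137 LEN=58
Feb 26 06:06:03 srv kernel: [ 103.3] OUT_drop_new IN= OUT=eth0 SRC=192.168.0.5 DST=8.8.8.8 LEN=60 TTL=64 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
Feb 26 06:06:04 srv kernel: [ 104.4] OUT_drop_new IN= OUT=eth0 SRC=192.168.0.5 DST=91.189.92.201 LEN=60 TTL=64 DF PROTO=TCP SPT=40001 DPT=80 SYN URGP=0
Feb 26 06:06:05 srv kernel: [ 105.5] OUT_drop_new IN= OUT=eth0 SRC=192.168.0.5 DST=8.8.8.8 LEN=60 TTL=64 DF PROTO=UDP SPT=40002 DPT=53 LEN=40
Feb 26 06:06:06 srv kernel: [ 106.6] IN_drop_inv IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.0.5 LEN=40 TTL=50 PROTO=TCP SPT=6000 DPT=22 ACK URGP=0
Feb 26 06:06:07 srv kernel: eth0: link is up
"""

LOG_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>\S+) (?P<fields>.*)$")

def parse_log_line(line):
    """Return (prefix, {FIELD: value}) for an iptables LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        k, _, v = tok.partition("=")
        fields.setdefault(k, v if "=" in tok else True)  # bare tokens are flags (DF, SYN)
    return (m.group("prefix"), fields) if "PROTO" in fields else None

def summarize_drops(text, prefixes=("IN_drop_new", "OUT_drop_new")):
    """Count dropped NEW flows per (prefix, iface, proto, peer, dport); peer is SRC
    inbound and DST outbound. INVALID-state drops are skipped: not traffic to allow."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None or parsed[0] not in prefixes:
            continue
        prefix, f = parsed
        inbound = bool(f.get("IN"))
        key = (prefix, f["IN"] if inbound else f["OUT"], f["PROTO"],
               f["SRC"] if inbound else f["DST"], f.get("DPT"))
        counts[key] += 1
    return counts

def suggest_rule(key):
    """Candidate ACCEPT rule for one key; review each before adding it."""
    prefix, iface, proto, peer, dport = key
    chain, io, dir_ = ("INPUT", "-i", "-s") if prefix.startswith("IN_") else ("OUTPUT", "-o", "-d")
    return (f"-A {chain} {io} {iface} -p {proto.lower()} {dir_} {peer}/32 "
            f"-m state --state NEW --dport {dport} -j ACCEPT")
```

Run it over a real log with `summarize_drops(open("/var/log/kern.log").read())`; a repeated key (here the two DNS lookups to 8.8.8.8:53) is the signal that a rule is missing, while a one-off from an unknown address is something to look at, not to allow.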

JoseCuervo 02-27-2013 02:22 AM

Thanks unSpawn, all of those commands are useful to know. I'm unfortunately new enough that I'm asking a lot of questions, but learning fast enough that I seem to stumble onto an answer just as someone is explaining things to me. In case anyone else reads this thread and needs newbie level guidance, what I managed to do with a lot of suggestions from this site was run:
Code:

sudo tcpdump -w capturedPackets.log
which captured all of the traffic my system was seeing. I let it run for about ten minutes, made sure to do all of the things that I wanted my server to do such as updates and serving files with Samba, and then hit Control-C to end the tcpdump capture. Then I used
Code:

sudo wireshark capturedPackets.log
to examine the details of all of the traffic that I had captured. Wireshark incorporates filters that let me slowly eliminate traffic that I recognized, until I was left with what I had to allow through the firewall.
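The same whittling down can be scripted instead of done by hand in Wireshark. This is an added example, not from the thread: it reads the text form of the capture (`tcpdump -nn -r capturedPackets.log`) and keeps only the packets that open a flow, a bare TCP SYN or the first UDP datagram of an exchange, because everything after that is already matched by the RELATED,ESTABLISHED rules in the ruleset above and needs no rule of its own. The lines are constructed samples, and 192.168.0.5 is assumed to be the server's address.

```python
import re
from collections import Counter
# Constructed lines shaped like `tcpdump -nn -r capturedPackets.log` output;
# not a real capture. 192.168.0.5 is the server, .255 its broadcast address.
SAMPLE_TCPDUMP = """\
06:06:01.000001 IP 192.168.0.10.49152 > 192.168.0.5.445: Flags [S], seq 1, win 8192, length 0
06:06:01.000002 IP 192.168.0.5.445 > 192.168.0.10.49152: Flags [S.], seq 2, ack 2, win 14600, length 0
06:06:01.000003 IP 192.168.0.10.49152 > 192.168.0.5.445: Flags [P.], seq 2:140, ack 3, win 8192, length 138
06:06:02.000001 IP 192.168.0.5.40000 > 8.8.8.8.53: 1+ A? security.ubuntu.com. (37)
06:06:02.000002 IP 8.8.8.8.53 > 192.168.0.5.40000: 1 1/0/0 A 91.189.92.200 (53)
06:06:02.000003 IP 192.168.0.5.40002 > 8.8.8.8.53: 2+ A? us.archive.ubuntu.com. (39)
06:06:02.000004 IP 192.168.0.5.40001 > 91.189.92.200.80: Flags [S], seq 5, win 14600, length 0
06:06:03.000001 IP 192.168.0.10.137 > 192.168.0.255.137: UDP, length 50
"""
LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")

def parse_packet(line):
    """(src, sport, dst, dport, proto, opens_flow), or None for ARP/ICMP/etc."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("Flags ["):
        flags = rest[7:rest.index("]")]
        proto, opens = "tcp", flags == "S"   # bare SYN opens; "S." is the reply
    else:
        proto, opens = "udp", True           # no handshake; replies filtered below
    return (m.group("src"), int(m.group("sport")), m.group("dst"),
            int(m.group("dport")), proto, opens)

def new_flows(text, local):
    """Count only flow-opening packets as (direction, proto, peer, port); the
    rest would match RELATED,ESTABLISHED. A set of seen UDP 4-tuples mimics
    conntrack so UDP replies are not counted as new inbound flows."""
    counts, udp_seen = Counter(), set()
    for line in text.splitlines():
        p = parse_packet(line)
        if p is None or not p[5]:
            continue
        src, sport, dst, dport, proto, _ = p
        if proto == "udp":
            if (dst, dport, src, sport) in udp_seen:
                continue                      # reply to a datagram already seen
            udp_seen.add((src, sport, dst, dport))
        if src in local:
            counts[("out", proto, dst, dport)] += 1
        elif dst in local:
            counts[("in", proto, src, dport)] += 1
    return counts
```

On the sample this reduces eight packets to four distinct flows (Samba on 445 and NetBIOS on 137 inbound, DNS and HTTP outbound), which map directly onto the ACCEPT rules the firewall needs.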

