LinuxQuestions.org
Linux - Security
01-21-2009, 04:14 AM   #1
Completely Clueless
Incomprehensible Iptables; Firewall Blocks Everything!


Hi guys,

I'm having difficulty with reading iptables rules. I've evidently configured something wrong in the "UFW" and/or "Lokkit" settings, because no traffic seems to be able to get through. I've appended the output of "iptables -L" below. I can't understand a word of it, I'm afraid.

My aims are pretty simple:

I'm connecting via usb stick modem to the Vodafone mobile network

The box is a stand-alone desktop, single-user, running Ubuntu 8.1; no server requirements; no SSH etc.

I just want to close off everything except Web browsing, file downloading (torrent & ftp) and system updates.


Here's the output from "iptables -L"


Chain INPUT (policy DROP)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere

Chain RH-Lokkit-0-50-INPUT (2 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp reject-with icmp-port-unreachable

Chain ufw-after-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK FORWARD]: '
RETURN all -- anywhere anywhere

Chain ufw-after-input (1 references)
target prot opt source destination
RETURN udp -- anywhere anywhere udp dpt:netbios-ns
RETURN udp -- anywhere anywhere udp dpt:netbios-dgm
RETURN tcp -- anywhere anywhere tcp dpt:netbios-ssn
RETURN tcp -- anywhere anywhere tcp dpt:microsoft-ds
RETURN udp -- anywhere anywhere udp dpt:bootps
RETURN udp -- anywhere anywhere udp dpt:bootpc
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK INPUT]: '
RETURN all -- anywhere anywhere

Chain ufw-after-output (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain ufw-before-forward (1 references)
target prot opt source destination
ufw-user-forward all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT all -- 224.0.0.0/4 anywhere
ACCEPT all -- anywhere 224.0.0.0/4
ufw-user-input all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK NOT-TO-ME]: '
DROP all -- anywhere anywhere

Chain ufw-user-forward (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain ufw-user-input (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix `[UFW LIMIT]: '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain ufw-user-output (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Can anyone spot what's wrong from the above?

Thanks,

CC.
 
01-21-2009, 09:37 AM   #2
anomie
Quote:
Originally Posted by Completely Clueless
My aims are pretty simple:

I'm connecting via usb stick modem to the Vodafone mobile network

The box is a stand-alone desktop, single-user, running Ubuntu 8.1; no server requirements; no SSH etc.

I just want to close off everything except Web browsing, file downloading (torrent & ftp) and system updates.
Given your requirements, the ruleset you posted is complex and bizarre.

Try this from the command line instead:
Code:
# iptables -P INPUT ACCEPT
# iptables -F
# iptables -A INPUT -i lo -j ACCEPT 
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
# iptables -A INPUT -j DROP
Then save that ruleset - however it is that Ubuntu saves rulesets. If you're still having trouble, post the output of iptables -nvL (in code tags).
 
01-21-2009, 11:53 AM   #3
Completely Clueless (Original Poster)
Okay, thanks for that. I'll try it and report back shortly. I'm just re-installing Ubuntu from scratch just to make certain everything is nice and clean again.
 
01-21-2009, 01:01 PM   #4
Completely Clueless (Original Poster)
Well the commands went in without complaint from the shell. Is the machine now protected? If so I can save the changes with "sudo iptables-save > /etc/default" which I believe is the correct place within Ubuntu.


Here's the output from # iptables -L......

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

(END)


......and here's the output from # iptables -nvL.....

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 40 packets, 3184 bytes)
pkts bytes target prot opt in out source destination

(END)
 
01-21-2009, 01:38 PM   #5
win32sux
Quote:
Originally Posted by Completely Clueless
Well the commands went in without complaint from the shell. Is the machine now protected? If so I can save the changes with "sudo iptables-save > /etc/default" which I believe is the correct place within Ubuntu.


Here's the output from # iptables -L......

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

(END)


......and here's the output from # iptables -nvL.....

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 40 packets, 3184 bytes)
pkts bytes target prot opt in out source destination

(END)
I've never heard of a file called /etc/default. You can pretty much save your config to any file you wish, just specify the name of the file in a pre-up line in your /etc/network/interfaces file. For example, I store my firewall config in /etc/firewall.txt so my /etc/network/interfaces file looks like:
Code:
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/firewall.txt
That said, the configuration you've shown doesn't match the commands suggested by anomie. You are sending packets in states RELATED and ESTABLISHED to DROP, which would break all transmissions.

Last edited by win32sux; 01-21-2009 at 01:40 PM.
 
01-21-2009, 02:43 PM   #6
Completely Clueless (Original Poster)
Hi Win32sux,

You're right. Mea Culpa.

I just double-checked and obviously mis-typed the suggested command first time round.

I've now re-entered the correct char.string put forward by anomie and the output text is now:

(BEGINS)

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

(ENDS)

I have to say the terms employed by whoever wrote this program are deeply unhelpful inasmuch as they bear no relation to their generally-accepted meanings in the natural world. It's extremely confusing for those of us who read Victorian novels.

Anyway, am I clear to go online now? Is my box safe?

Thanks,

CC.
 
01-21-2009, 03:27 PM   #8
win32sux
Quote:
Originally Posted by Completely Clueless
Hi Win32sux,

You're right. Mea Culpa.

I just double-checked and obviously mis-typed the suggested command first time round.

I've now re-entered the correct char.string put forward by anomie and the output text is now:

(BEGINS)

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

(ENDS)

I have to say the terms employed by whomever wrote this program are deeply unhelpful inasmuch as they bear no relation to their generally-accepted meanings in the natural world. It's extremely confusing for those of us who read Victorian novels.

Anyway, am I clear to go online now? Is my box safe?

Thanks,

CC.
Actually, the output you've just posted still has the same problem.

If you execute his commands properly, your output should look like this (with different packet/byte counts):
Code:
win32sux@candystore:~$ sudo iptables -nvL INPUT
Chain INPUT (policy ACCEPT 25 packets, 10174 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   33 15047 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
win32sux@candystore:~$

Last edited by win32sux; 01-21-2009 at 03:31 PM.
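As a worked check for the procedure in this thread (anomie's three rules in #2 and the expected `iptables -nvL INPUT` listing win32sux shows above), here is a small Python script added by the editor; it is not code from any poster. It parses the verbose listing and reports exactly the mistake made in #4 and #6 (RELATED,ESTABLISHED sent to DROP, no final catch-all), using re-aligned copies of the outputs posted in the thread as constructed sample input.

```python
"""Audit the INPUT chain of a stand-alone desktop firewall from `iptables -nvL INPUT` text."""
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    target: str   # ACCEPT, DROP, REJECT, or a user-defined chain
    proto: str    # "all", "tcp", "udp", ...
    in_if: str    # input interface, "*" for any
    extra: str    # match text after the destination column, e.g. "state RELATED,ESTABLISHED"


def parse_nvl(text: str) -> Tuple[str, str, List[Rule]]:
    """Parse one chain of verbose listing into (chain name, policy, rules).

    Verbose columns are fixed: pkts bytes target prot opt in out source destination [matches].
    """
    name = policy = ""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Chain "):            # "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)"
            parts = line.split()
            name, policy = parts[1], parts[3].rstrip(")")
        elif name and line and not line.startswith("pkts "):
            cols = line.split(None, 9)           # keep everything after column 9 as one field
            if len(cols) >= 9:
                rules.append(Rule(cols[2], cols[3], cols[5], cols[9] if len(cols) > 9 else ""))
    if not name:
        raise ValueError("no 'Chain ...' header found; expected iptables -nvL output")
    return name, policy, rules


def audit_input_chain(text: str) -> List[str]:
    """Return the problems found; an empty list means the chain does what anomie's rules intend."""
    name, policy, rules = parse_nvl(text)
    problems = []
    if name != "INPUT":
        problems.append(f"expected the INPUT chain, got {name}")
    # Rules after an unconditional DROP/REJECT can never match, so audit only up to it.
    drop_at = next((i for i, r in enumerate(rules) if r.target in ("DROP", "REJECT")
                    and r.proto == "all" and r.in_if == "*" and not r.extra), None)
    reachable = rules if drop_at is None else rules[:drop_at]
    if not any(r.target == "ACCEPT" and r.in_if == "lo" for r in reachable):
        problems.append("loopback (lo) is not accepted before the catch-all drop; local daemons will break")
    stateful = [r for r in reachable if "RELATED,ESTABLISHED" in r.extra]
    if not stateful:
        problems.append("no reachable rule for state RELATED,ESTABLISHED; replies to your own connections are dropped")
    elif stateful[0].target != "ACCEPT":   # first match wins, so the first such rule decides
        problems.append(f"RELATED,ESTABLISHED traffic goes to {stateful[0].target}: every connection you start will die")
    if drop_at is None and policy != "DROP":
        problems.append(f"no catch-all DROP rule and the chain policy is {policy}; unsolicited inbound traffic is accepted")
    return problems


# Constructed samples: re-aligned copies of the outputs posted in the thread.
BROKEN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
"""
CORRECT = """\
Chain INPUT (policy ACCEPT 25 packets, 10174 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   33 15047 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    for label, sample in (("OP's mistyped rules", BROKEN), ("win32sux's expected output", CORRECT)):
        print(f"{label}: {audit_input_chain(sample) or ['OK']}")
```

On a live box, `sudo iptables -nvL INPUT` can be piped into `audit_input_chain` via `sys.stdin.read()` instead of the samples; the same ordering checks apply.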
 
01-22-2009, 05:51 AM   #9
Completely Clueless (Original Poster)
Quote:
Originally Posted by win32sux
Actually, the output you've just posted still has the same problem.

If you execute his commands properly, your output should look like this (with different packet/byte counts):
Code:
win32sux@candystore:~$ sudo iptables -nvL INPUT
Chain INPUT (policy ACCEPT 25 packets, 10174 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   33 15047 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
win32sux@candystore:~$
Thanks for that. I have re-entered the commands and now have the following output:-

(begins)

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 80 packets, 6368 bytes)
pkts bytes target prot opt in out source destination

(ends)

But with a policy of "ACCEPT 0 packets" of INPUT I can't see how this can possibly work?? Can it?
 
01-22-2009, 05:59 AM   #10
Completely Clueless (Original Poster)
As an aside, I think this is one area of the Ubuntu distro that Team Ubuntu needs to look into urgently if they hope to lure away more Windoze users. Iptables may certainly be a powerful, versatile and wonderfully precise way of tailoring your firewall needs, but user-friendly it CERTAINLY AIN'T!

I'm aware of add-ons like lokkit and ufw that simplify firewall rule-setting, but they're still crude and in need of further refinement - and they don't come with the distro so you have to download them, which is kinda risky with no operational firewall in the first place!!

I've no idea where to send suggestions for further development (I'm a Debian man, anyway) but the above is just my 2c worth.
 
01-22-2009, 08:50 AM   #11
rweaver
Quote:
Originally Posted by Completely Clueless
I'm aware of add-ons like lokkit and ufw that simplify firewall rule-setting, but they're still crude and in need of further refinement - and they don't come with the distro so you have to download them, which is kinda risky with no operational firewall in the first place!!
O_o...

Downloading without a firewall from the repositories for the distribution is as safe as it gets and a firewall isn't going to protect you from anything bad that would come from those locations anyways.

I do not think a firewall does what you think a firewall does (excuse my Princess Bride butchery.)

Don't get me wrong-- a firewall is a very useful piece of technology to have between you and the internet. That being said, a firewall on the local machine is largely moot if you're already NAT'd like most people on broadband. If you get a directly routable internet IP on your computer it's considerably more useful of course.

My default install only has ssh showing to the outside even without a firewall, but I don't suppose most newbies strip things down that far to begin with. Shrug, YMMV.

Last edited by rweaver; 01-22-2009 at 12:36 PM.
 
01-22-2009, 09:20 AM   #12
Completely Clueless (Original Poster)
Quote:
Originally Posted by rweaver
O_o...

Downloading without a firewall from the repositories for the distribution is as safe as it gets and a firewall isn't going to protect you from anything bad that would come from those locations anyways.
I'm not worried about anything nasty coming from a repository, but all the while I'm connected to the internet as things stand with the box in question, *all* ports are open (the default condition for Ubuntu) so there's no protection from nasties coming in via Telnet, SSH, FTP and the rest of these access points!
 
01-22-2009, 10:54 AM   #13
unixfool
Quote:
Originally Posted by Completely Clueless
I'm not worried about anything nasty coming from a repository, but all the while I'm connected to the internet as things stand with the box in question, *all* ports are open (the default condition for Ubuntu) so there's no protection from nasties coming in via Telnet, SSH, FTP and the rest of these access points!
Unless you've a telnet, SSH and FTP service configured and running, those ports will show as closed. This is the reason why the first measure of hardening a box would be to disable all unneeded services....no listening services, no open ports.

Last edited by unixfool; 01-22-2009 at 01:21 PM.
 
01-22-2009, 12:28 PM   #14
rweaver
Quote:
Originally Posted by unixfool
Unless you've a telnet, SSH and FTP service configured and running, those ports will show as closed. This is the reason why the first measure of hardening a box would be to disable all unneeded services....no listening services, no open ports.
Agreed, but most newbies don't know and don't want to know anything about security period unfortunately.
 
01-22-2009, 12:29 PM   #15
rweaver
Quote:
Originally Posted by Completely Clueless
I'm not worried about anything nasty coming from a repository, but all the while I'm connected to the internet as things stand with the box in question, *all* ports are open (the default condition for Ubuntu) so there's no protection from nasties coming in via Telnet, SSH, FTP and the rest of these access points!
If you have a strong password and root logins disabled (for the services you listed), there's really no "nasties" available that can do anything to you. Ports are only open if you have a daemon running and listening on that port... why would you have telnet, ftp, etc running if you're not using them?

I'd be more concerned with portmap exposed or something similar if I installed nfs than I would be with most distributions' versions of ssh and ftp (provided of course my password wasn't something silly like "fred").

Besides, if you're NAT'd already behind another device, even if you installed every single service you could stuff on the box and had no security enabled whatsoever and still didn't have a local firewall... people on the internet *still* couldn't hit a single one of them unless you statically mapped a port from your NAT device (or UPnP'd one).

Last edited by rweaver; 01-22-2009 at 12:39 PM.
 