iptables: allow only web-browsing
EDIT: **Please see post #9 for my updated script if anyone is using this for reference.**
I've never really needed a firewall on my Windows or Linux machine, but I want to give iptables a shot. What I want to do is block EVERYTHING coming into the computer except for information regarding web browsing. I'm quite new to iptables, so sorry if I'm screwing everything up, and bear with me.

I initially thought I needed two rules: 1 - accept TCP packets with source port 80; 2 - drop everything else. I tried this and it didn't work. I would try to browse to 'google.com' but it wouldn't work. I then tried to browse to '[googleIPAddress]/index.html' and it worked. This made me remember that I was blocking the DNS ports for the HTTP request. I then added a rule to accept TCP and UDP DNS packets. This is what I have come up with all together:

Quote:

Anyways, I then ran this script and it seems to be working fine (so far). I can use any web browser I have, as normal. Also, I have run a few online security scans and most of them froze. This seems to tell me it couldn't even start to do what it wanted to do (i.e. scan for UDP/TCP open ports), meaning high[er] security for me, correct? Either that or my browser isn't compatible with the site.

Do you think the script I have is fine for my only firewall to allow only web browsing? Is there any rule you can think of that I should change/add/remove? I will also be wanting to modify this to allow for Kopete or any other program I want, but if I can get this correct I should be able to figure out the rest myself. By the way, I'm not using a router. Thanks.

EDIT: Well, I already see a problem: I can't access hotmail.com. I'll have to look into it.

UPDATE: Fixed the hotmail problem. It's because it needs TCP & UDP https ports open too. I've updated the quote above to match my changes.
Hi nadroj,
Have you given a thought to what happens if you download any program from the net and it is a trojan / rootkit? You may have stopped incoming traffic, but what about outgoing? You should block all outgoing traffic too, except for the ports which you need to use. (Also add the updated firewall code in the quote so that future readers of the thread may find it useful.) Bye
Your rule drops everything; the drop rule should be the first rule in there, no?
Port 443 is for https.
Also 'iptables -nvL' will give you a list of what is set.
RanDrake10:
Ya, I searched for the port number for https and found that too. I'd rather just put https than the port number, which is allowed, and is why I did what I did. Here is the output of the command (for the INPUT chain; the others don't have any rules):

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

What do you mean my rules drop everything? I set them to drop everything but what I have specified. I thought the drop rule needs to be the last rule. Can someone clarify please?

imagineers7: I thought about this, but do I _need_ to block outgoing traffic? If I have it set up to block all the incoming traffic (except what I specified), then it doesn't matter what is going out; only what I want to come in will come in. Or am I wrong on this too? And yes, when I get this all sorted out I'll update the quote :)

One question I have is this: "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)". The FORWARD chain is also 0,0, but the OUTPUT chain is not. I can understand the values for FORWARD and OUTPUT, but why would INPUT be 0 if it's accepting these HTTP and DNS packets? Thanks all
Also, there is actually a major hole in your firewall that is a common mistake for people writing their first firewall. If I were scanning your machine and configured my scanner to use port 53 as the source port, I could completely scan every port on your entire machine without the firewall blocking anything. If you are going to filter based on source ports, then you need to restrict the destination port as well.

IMO you should take advantage of iptables' state tracking capabilities and simply allow only packets on the INPUT chain that are of the ESTABLISHED or RELATED states. Then configure your OUTPUT chain to only allow outgoing traffic on the http, https, and dns ports. That way the only incoming traffic that is accepted are replies to connections you've initiated on a limited number of ports.
Capt:
REGARDING COUNTER: OK, thanks for clearing up the drop-all policy being first or last; it makes sense. So I'll drop my last policy and add 'iptables -P INPUT DROP' to set the default policy for INPUT to DROP all packets, as you suggested.

REGARDING FIREWALL FLAW: But your port scanner wouldn't be communicating via DNS response packets, which means my firewall WOULD block it? Or am I wrong? (most likely :p)

I'll try to work on modifying the rules and add a few to the OUTPUT chain, as you recommended. After I get that working, I'll try to update my first post to match my [future] current setup for the rules. Do you (or anyone else) see any other flaws or other rules I should add, for what I want to do? Thanks all
OK, thanks Capt.

I modified my rules as you suggested and it's working as it was before. I set the -P option for the INPUT chain to DROP as you suggested; however, I could still use Kopete, for example, so I used '-P OUTPUT DROP' as well, and it seems to be working. Here is my script:

Code:
#!/bin/bash

Here's the output of 'iptables -L':

Code:
Chain INPUT (policy DROP)

EDIT: Also, for the FORWARD chain, would it be better to just set the default policy to DROP? I'm not using a router, just a DSL modem. My computer is the only one using the WAN IP from our ISP, so a packet would never come to my computer to be forwarded (routed) to another router, correct?
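A stateful version of what Capt recommends, written out as an added example (it is not nadroj's script, which the thread only preserves as its first line, nor RanDrake10's): INPUT and FORWARD default to DROP and INPUT accepts only ESTABLISHED/RELATED replies, while OUTPUT defaults to DROP and only lets new HTTP, HTTPS and DNS connections out. It also folds in the INVALID and non-SYN drops quoted later in the thread. Because an unsolicited packet is in state NEW regardless of its source port, a scan sent from source port 53 matches nothing on INPUT, which closes the hole Capt describes. The `IPT` variable, the `web_only_rules`/`apply_web_only_rules`/`count_rules_for_port` helpers and the legacy `-m state` match are my assumptions; run with `IPT=echo` to preview the commands without root.

```shell
#!/bin/sh
# Added example, not any poster's script: the stateful "web browsing only"
# ruleset recommended in the thread. Assumes an iptables binary that
# understands the state match. IPT=echo prints the rules instead of
# applying them, so the script can be inspected without root.
IPT="${IPT:-iptables}"

# web_only_rules prints one iptables argument list per line, in the order
# they must be applied: flush, default policies, then the accept/drop rules.
web_only_rules() {
    cat <<'EOF'
-F INPUT
-F OUTPUT
-F FORWARD
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
EOF
}

# apply_web_only_rules feeds each line to $IPT and returns 1 if any call
# fails. The here-document keeps the loop in the current shell, so the
# status variable survives (a pipeline would run the loop in a subshell).
apply_web_only_rules() {
    status=0
    while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rule is intended
        "$IPT" $rule || status=1
    done <<EOF
$(web_only_rules)
EOF
    return "$status"
}

# count_rules_for_port reports how many rules name --dport N, a quick
# self-check that a service is (or, for anything else, is not) allowed out.
count_rules_for_port() {
    web_only_rules | grep -c -- "--dport $1"
}
```

Flushing the chains first matters: re-running the script otherwise appends a second copy of every rule. Adding Kopete later means one more `-A OUTPUT ... --dport N -m state --state NEW -j ACCEPT` line for whatever port it uses; nothing on INPUT has to change, since its replies are already covered by ESTABLISHED.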
My next step is to look into Kopete and how it operates so I can allow that traffic as well; then that should be all I need for my firewall. I won't bother with other software or antivirus, etc., tools, just my iptables script. OK Capt', thanks a lot. iptables is pretty neat and very powerful, and now, after a few days, I seem to understand it pretty well, thanks to your, and a few others', help.
Here is a little bash script I made for my firewall, if you want to look at it for any help.
Also, if anybody else has any suggestions, send them to me. http://randrake.homelinux.net/files/Firewall.html
Hmm, the link's not working.
It does for me. Thanks @all :) for an instructive thread, btw.
Code:
# drop packets that connection tracking cannot associate with any known connection
$IPT -A INPUT -p ALL -m state --state INVALID -j DROP

Code:
# drop TCP packets that claim to start a new connection but are not SYN packets
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP