iptables: allow only web-browsing
 

EDIT: ** please see post #9 for my updated script if anyone is using this for reference.**

iv never really needed a firewall on my windows or linux machine.. but i want to give iptables a shot.

what i want to do is block EVERYTHING coming into the computer except for information regarding web browsing. im quite new to iptables so sorry if im screwing everything up and bear with me.

i initially thought i needed two rules:
1 - accept tcp packets with sourceport 80
2 - drop everything else

i tried this and it didnt work. i would try and browse to 'google.com' but it wouldnt work. i then tried to browse to '[googleIPAddress]/index.html' and it worked. this made me remember that i was blocking the DNS ports for the HTTP request. i then added a rule for tcp and udp dns packets to accept. this is what i have come up with all together:
by the way, the rule to drop all packets should be _last_, correct? meaning, if none of the previous rules dont match, then do that one (which will of course match).

anyways, i then ran this script and it seems to be working fine (so far)--i can use any web browser i have, as normal.

also, i have ran afew online security scans and most of them froze.. this seems to tell me it couldnt even start to do what it wanted to do (ie scan for udp/tcp open ports), meaning high[er] security for me, correct? either that or my browser isnt compatible with the site.

do you think the script i have is fine for my only firewall to allow only webbrowsing? is there any rule you can think of that i should change/add/remove? i will also be wanting to modify this to allow for kopete or any other program i want, but if i can get this correctly i should be able to figure out the rest my self.

by the way, im not using a router.
Thanks

EDIT: well i already see a problem: i cant access hotmail.com, ill have to look into it.
UPDATE: fixed the hotmail problem. its because it need tcp & udp https ports open too. iv updated the quote above to match my changes.

Hi nadroj,

Have you given a thought that if you download any program from the net and it is a trojan / rootkit?
You may have stopped incoming traffic but what about outgoing?
You should block all outgoing traffic too, except for the ports which you need to use.

(Also add the updated firewall code in the quote so that future readers of the thread may find it useful)

Bye

Ur rule drops everything , the drop rule should be first rule in the there ,

No?

Port 443 is for https.
Also 'iptables -nvL' will give you a list of what is set.

RanDrake10:
ya, i searched for the port number for https and found that too. id rather just put https than the port number, which is allowed, and is why i did what i did. here is the output of the command (for the INPUT chain, the others dont have any rules):
jayakrishnan:
what do you mean my rules drop everything? i set them to drop everything but what i have specified. i thought the drop rule needs to be the last rule.. can someone clarify please?

imagineers7:
i thought about this, but, do i _need_ to block outgoing traffic? if i have it setup to block all the incoming traffic (except what i specified), then it doesnt matter what is going out--only what i want to come in will come in. or am i wrong on this too? and yes, when i get this all sorted out ill update the quote :)

one question i have is this: "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)". the FORWARD chain is also 0,0, but the OUTPUT chain is not. i can understand the values for FORWARD and OUTPUT.. but why would INPUT be 0, if its accepting these HTTP and DNS packets.

Thanks all

It does need to be last. The rules will be processed in sequential order so if you put the drop rule as the first rule in the firewall then *all* packets will match in and *all* will be dropped.

That is the counter for the number of packets and total bytes that have been processed by the default policy rule for that chain. The policy rule will technically be the last rule in the chain, so if no packets are matched by any other rule in that chain, then the default policy rule will be used to process the packet. However, in the case of your INPUT chain you have a "catch-all" drop rule right before the default policy, so all packets that don't match any other rule will match that one and will be dropped before reaching the default policy rule. If you look at the counter for the last rule in that chain, you can see that it has matched a fair number of packets. So technically this last rule is redundant and you should get rid of it and just set your default policy to DROP for the INPUT chain.

Also, their is actually a major hole in your firewall that is a common mistake for people writing their first firewall. If I were scanning your machine and configured my scanner to use port 53 as the source port, I could completely scan every port on your entire machine without the firewall blocking anything. If you are going to filter based on source ports, then you need to restrict the destination port as well. IMO you should take advantage of iptables state tracking capabilities and simply allow only packets on the INPUT chain that are of the ESTABLISHED or RELATED states. Then configure your OUTPUT chain to only allow outgoing traffic on the http,https, and dns ports. That way the only incoming traffic that is accepted are replies to connections you've initiated on a limited number of ports.

Capt:
REGARDING COUNTER:
ok, thanks for clearing up the drop-all policy being first or last.. it makes sense.
so ill drop my last policy and add 'iptables -P INPUT DROP' to set the default policy for INPUT to DROP all packets, as you suggested.

REGARDING FIREWALL FLAW:
but your port scanner scanner wouldnt be communicating via DNS response packets, which means my firewall WOULD block it? or am i wrong? (most likely :p)
ill try and work on modifying the rules and add afew to the OUTPUT chain, as you recommended. after i get that working, ill try and update my first post to match my [future] current setup for the rules.

do you (or anyone else) see any other flaws or other rules i should add, for what i want to do?

thanks all

That's the problem with relying entirely on port filtering; iptables doesn't do any kind of application layer filtering so it's not looking at the packet and asking whether it "looks" like a DNS or HTTP packet. It's simply looking at whether the packet header has a source port of 53 or 80. In general, port scanners don't need the application that's listening on a particular port to understand the packet, they just need the OS's TCP/IP stack to respond in some way (with a SYN or RST for example). So regardless of the contents of the packet I'm sending, all I would need to do is set the source port to 53 and then increment the destination port from 1-65535 and each packet would match the DNS rule and be passed through the firewall.

Post your ruleset once you've modified them.

k Thanks Capt.

i modified my rules as you suggested and its working as it was before.
i set the -P option for the INPUT chain as you suggested to DROP.. however i could still use kopete, for example.. so i used '-P OUTPUT DROP' as well.. and it seems to be working. here is my script:
i dont need to worry about the source port, right?

heres the output of 'iptables -L'
ok any comments on my current setup now? Thanks.

EDIT: also, for the FORWARD chain, would it be better to just set the default policy to DROP? Im not using a router, just a DSL modem. My computer is the only one using the WAN IP from our ISP, so a packet would never come to my computer to be forwarded (routed) to another router, correct?

Yeah, with the Default OUTPUT policy being ACCEPT then everything would be allowed, so you want it as DROP.

Looks good. You may want to allow RELATED traffic on the OUTPUT chain as well. Certain types of error messages (like ICMP source quench) would be blocked from being sent by your machine. Depending on your setup you may never have a problem, but it could cause issues randomly that are difficult to diagnose.

Nope. The source port is going to vary over a wide range of ports, so you'd need to specify all of 1024-65535 (or at least whatever is set in /proc). The security benefit of doing so is relatively minor.

Theoretically, yes you are correct in that packets shouldn't ever get forwarded in your setup. However, I would set it to DROP anyway.

ok ill try and leave my setup as shown in my previous post.. if i get weird error messages or haults in my network activity then ill add it. should i put it before my other OUTPUT rules or as the last OUTPUT rule?
ok i was just making sure. i didnt want to block other user's packets by being selfish and not FORWARDing any.. but, again, this would never happen because i dont even use a router. anything sent to my NIC is destined for it, not to be forwarded anyway.

my next step is to look into kopete and how it operates so i can allow that traffic as well, then that should be all i need for my firewall. i wont bother with other software or antivirus, etc, tools.. just my iptables script.

OK Capt', thanks alot. iptables is pretty neat and very powerful.. and now, after afew days, i seem to understand it pretty well, thanks to your, and afew others', help.

Here is a little bash script I made for my firewall, if you want to look at it for any help.
Also if anybody else has any suggestions, send them to me.

http://randrake.homelinux.net/files/Firewall.html

hmm, the links not working.

It does for me. Thanks @all :) for an instructive thread, btw.

Shouldnt there be rules like these for dropping bad packets etc ?
and ..
Cheers, ///..