Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
EDIT: ** please see post #9 for my updated script if anyone is using this for reference.**
iv never really needed a firewall on my windows or linux machine.. but i want to give iptables a shot.
what i want to do is block EVERYTHING coming into the computer except for information regarding web browsing. im quite new to iptables so sorry if im screwing everything up and bear with me.
i initially thought i needed two rules:
1 - accept tcp packets with sourceport 80
2 - drop everything else
i tried this and it didnt work. i would try and browse to 'google.com' but it wouldnt work. i then tried to browse to '[googleIPAddress]/index.html' and it worked. this made me remember that i was blocking the DNS ports for the HTTP request. i then added a rule for tcp and udp dns packets to accept. this is what i have come up with all together:
Quote:
#!/bin/bash
# MY FIREWALL SCRIPT:
# - block all incoming traffic, EXCEPT: tcp http, tcp dns, udp dns
IPT=/usr/sbin/iptables
$IPT -F
$IPT -A INPUT -t filter -p tcp --sport http -j ACCEPT
$IPT -A INPUT -t filter -p tcp --sport 53 -j ACCEPT
$IPT -A INPUT -t filter -p udp --sport 53 -j ACCEPT
$IPT -A INPUT -t filter -p tcp --sport https -j ACCEPT
$IPT -A INPUT -t filter -p udp --sport https -j ACCEPT
$IPT -A INPUT -t filter -p all -j DROP
echo Firewall configured.
by the way, the rule to drop all packets should be _last_, correct? meaning, if none of the previous rules dont match, then do that one (which will of course match).
anyways, i then ran this script and it seems to be working fine (so far)--i can use any web browser i have, as normal.
also, i have ran afew online security scans and most of them froze.. this seems to tell me it couldnt even start to do what it wanted to do (ie scan for udp/tcp open ports), meaning high[er] security for me, correct? either that or my browser isnt compatible with the site.
do you think the script i have is fine for my only firewall to allow only webbrowsing? is there any rule you can think of that i should change/add/remove? i will also be wanting to modify this to allow for kopete or any other program i want, but if i can get this correctly i should be able to figure out the rest my self.
by the way, im not using a router.
Thanks
EDIT: well i already see a problem: i cant access hotmail.com, ill have to look into it.
UPDATE: fixed the hotmail problem. its because it need tcp & udp https ports open too. iv updated the quote above to match my changes.
Have you given a thought that if you download any program from the net and it is a trojan / rootkit?
You may have stopped incoming traffic but what about outgoing?
You should block all outgoing traffic too, except for the ports which you need to use.
(Also add the updated firewall code in the quote so that future readers of the thread may find it useful)
RanDrake10:
ya, i searched for the port number for https and found that too. id rather just put https than the port number, which is allowed, and is why i did what i did. here is the output of the command (for the INPUT chain, the others dont have any rules):
jayakrishnan:
what do you mean my rules drop everything? i set them to drop everything but what i have specified. i thought the drop rule needs to be the last rule.. can someone clarify please?
imagineers7:
i thought about this, but, do i _need_ to block outgoing traffic? if i have it setup to block all the incoming traffic (except what i specified), then it doesnt matter what is going out--only what i want to come in will come in. or am i wrong on this too? and yes, when i get this all sorted out ill update the quote
one question i have is this: "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)". the FORWARD chain is also 0,0, but the OUTPUT chain is not. i can understand the values for FORWARD and OUTPUT.. but why would INPUT be 0, if its accepting these HTTP and DNS packets.
i thought the drop rule needs to be the last rule.. can someone clarify please?
It does need to be last. The rules will be processed in sequential order so if you put the drop rule as the first rule in the firewall then *all* packets will match in and *all* will be dropped.
Quote:
Originally Posted by nadroj
one question i have is this: "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)". the FORWARD chain is also 0,0, but the OUTPUT chain is not. i can understand the values for FORWARD and OUTPUT.. but why would INPUT be 0, if its accepting these HTTP and DNS packets.
That is the counter for the number of packets and total bytes that have been processed by the default policy rule for that chain. The policy rule will technically be the last rule in the chain, so if no packets are matched by any other rule in that chain, then the default policy rule will be used to process the packet. However, in the case of your INPUT chain you have a "catch-all" drop rule right before the default policy, so all packets that don't match any other rule will match that one and will be dropped before reaching the default policy rule. If you look at the counter for the last rule in that chain, you can see that it has matched a fair number of packets. So technically this last rule is redundant and you should get rid of it and just set your default policy to DROP for the INPUT chain.
Also, their is actually a major hole in your firewall that is a common mistake for people writing their first firewall. If I were scanning your machine and configured my scanner to use port 53 as the source port, I could completely scan every port on your entire machine without the firewall blocking anything. If you are going to filter based on source ports, then you need to restrict the destination port as well. IMO you should take advantage of iptables state tracking capabilities and simply allow only packets on the INPUT chain that are of the ESTABLISHED or RELATED states. Then configure your OUTPUT chain to only allow outgoing traffic on the http,https, and dns ports. That way the only incoming traffic that is accepted are replies to connections you've initiated on a limited number of ports.
Capt:
REGARDING COUNTER:
ok, thanks for clearing up the drop-all policy being first or last.. it makes sense.
so ill drop my last policy and add 'iptables -P INPUT DROP' to set the default policy for INPUT to DROP all packets, as you suggested.
REGARDING FIREWALL FLAW:
but your port scanner scanner wouldnt be communicating via DNS response packets, which means my firewall WOULD block it? or am i wrong? (most likely )
ill try and work on modifying the rules and add afew to the OUTPUT chain, as you recommended. after i get that working, ill try and update my first post to match my [future] current setup for the rules.
do you (or anyone else) see any other flaws or other rules i should add, for what i want to do?
Capt:
REGARDING FIREWALL FLAW:
but your port scanner scanner wouldnt be communicating via DNS response packets, which means my firewall WOULD block it?
That's the problem with relying entirely on port filtering; iptables doesn't do any kind of application layer filtering so it's not looking at the packet and asking whether it "looks" like a DNS or HTTP packet. It's simply looking at whether the packet header has a source port of 53 or 80. In general, port scanners don't need the application that's listening on a particular port to understand the packet, they just need the OS's TCP/IP stack to respond in some way (with a SYN or RST for example). So regardless of the contents of the packet I'm sending, all I would need to do is set the source port to 53 and then increment the destination port from 1-65535 and each packet would match the DNS rule and be passed through the firewall.
Quote:
do you (or anyone else) see any other flaws or other rules i should add, for what i want to do?
i modified my rules as you suggested and its working as it was before.
i set the -P option for the INPUT chain as you suggested to DROP.. however i could still use kopete, for example.. so i used '-P OUTPUT DROP' as well.. and it seems to be working. here is my script:
Code:
#!/bin/bash
IPT=/usr/sbin/iptables
# flush all current rules
$IPT -F
# set default policy on INPUT and OUTPUT chains to DROP packets that dont match the rules
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
# only accept packets on the INPUT chain that are ESTABLISHED or RELATED to a current connection
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow ONLY packets with the following protocols and port numbers to be sent out
$IPT -A OUTPUT -t filter -p tcp --dport http -j ACCEPT
$IPT -A OUTPUT -t filter -p tcp --dport 53 -j ACCEPT
$IPT -A OUTPUT -t filter -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -t filter -p tcp --dport https -j ACCEPT
$IPT -A OUTPUT -t filter -p udp --dport https -j ACCEPT
echo Firewall configured.
i dont need to worry about the source port, right?
EDIT: also, for the FORWARD chain, would it be better to just set the default policy to DROP? Im not using a router, just a DSL modem. My computer is the only one using the WAN IP from our ISP, so a packet would never come to my computer to be forwarded (routed) to another router, correct?
however i could still use kopete, for example.. so i used '-P OUTPUT DROP' as well..
Yeah, with the Default OUTPUT policy being ACCEPT then everything would be allowed, so you want it as DROP.
Quote:
and it seems to be working. here is my script:
Looks good. You may want to allow RELATED traffic on the OUTPUT chain as well. Certain types of error messages (like ICMP source quench) would be blocked from being sent by your machine. Depending on your setup you may never have a problem, but it could cause issues randomly that are difficult to diagnose.
Quote:
i dont need to worry about the source port, right?
Nope. The source port is going to vary over a wide range of ports, so you'd need to specify all of 1024-65535 (or at least whatever is set in /proc). The security benefit of doing so is relatively minor.
Quote:
for the FORWARD chain, would it be better to just set the default policy to DROP? Im not using a router, just a DSL modem. My computer is the only one using the WAN IP from our ISP, so a packet would never come to my computer to be forwarded (routed) to another router, correct?
Theoretically, yes you are correct in that packets shouldn't ever get forwarded in your setup. However, I would set it to DROP anyway.
Looks good. You may want to allow RELATED traffic on the OUTPUT chain as well. Certain types of error messages (like ICMP source quench) would be blocked from being sent by your machine. Depending on your setup you may never have a problem, but it could cause issues randomly that are difficult to diagnose.
ok ill try and leave my setup as shown in my previous post.. if i get weird error messages or haults in my network activity then ill add it. should i put it before my other OUTPUT rules or as the last OUTPUT rule?
Quote:
Theoretically, yes you are correct in that packets shouldn't ever get forwarded in your setup. However, I would set it to DROP anyway.
ok i was just making sure. i didnt want to block other user's packets by being selfish and not FORWARDing any.. but, again, this would never happen because i dont even use a router. anything sent to my NIC is destined for it, not to be forwarded anyway.
my next step is to look into kopete and how it operates so i can allow that traffic as well, then that should be all i need for my firewall. i wont bother with other software or antivirus, etc, tools.. just my iptables script.
OK Capt', thanks alot. iptables is pretty neat and very powerful.. and now, after afew days, i seem to understand it pretty well, thanks to your, and afew others', help.
Here is a little bash script I made for my firewall, if you want to look at it for any help.
Also if anybody else has any suggestions, send them to me.
Distribution: Arch Linux && OpenBSD 7.4 && Pop!_OS && Kali && Qubes-Os
Posts: 824
Rep:
Quote:
Originally Posted by nadroj
Code:
#!/bin/bash
IPT=/usr/sbin/iptables
# flush all current rules
$IPT -F
# set default policy on INPUT and OUTPUT chains to DROP packets that dont match the rules
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
# only accept packets on the INPUT chain that are ESTABLISHED or RELATED to a current connection
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow ONLY packets with the following protocols and port numbers to be sent out
$IPT -A OUTPUT -t filter -p tcp --dport http -j ACCEPT
$IPT -A OUTPUT -t filter -p tcp --dport 53 -j ACCEPT
$IPT -A OUTPUT -t filter -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -t filter -p tcp --dport https -j ACCEPT
$IPT -A OUTPUT -t filter -p udp --dport https -j ACCEPT
echo Firewall configured.
Shouldnt there be rules like these for dropping bad packets etc ?
Code:
$IPT -A INPUT -p ALL -m state --state INVALID -j DROP
and ..
Code:
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
)
