LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

iptables config -

#1  01-10-2004, 10:26 AM
RTT (Member; registered Nov 2003; England; Distribution: slackware, FreeBSD)

Hi, I've been using this script that I wrote myself for a while, but all of a sudden it's stopped working. The box refuses to talk to the internet when this is applied.

Code:
#!/bin/sh
#
# rtt's firewall script using IPTABLES
#
# Open ports to anyone: 80, 21, 3784, 6667
#
IPTABLES="/usr/sbin/iptables"
UPPORTS="1024:65535"
PPORTS="0:1023"
#
# Clear...
$IPTABLES --policy INPUT ACCEPT
$IPTABLES --policy OUTPUT ACCEPT
$IPTABLES --policy FORWARD ACCEPT
$IPTABLES --flush
#
# Start...
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT ACCEPT
#
#
# Allow from local network:
$IPTABLES -A INPUT -s 192.168.0.0/24 -i eth0 -j ACCEPT
#
# Open port 80
$IPTABLES -A INPUT -s ! 192.168.0.0/24 -i eth0 -p tcp -m state --state NEW --sport $UPPORTS --dport 80 -j ACCEPT
# Open port 21
$IPTABLES -A INPUT -s ! 192.168.0.0/24 -i eth0 -p tcp -m state --state NEW --sport $UPPORTS --dport 21 -j ACCEPT
# Open 3784
$IPTABLES -A INPUT -s ! 192.168.0.0/24 -i eth0 -p tcp -m state --state NEW --sport $UPPORTS --dport 3784 -j ACCEPT
# Open 6667
$IPTABLES -A INPUT -s 0/0 -i eth0 -p tcp -m state --state NEW --sport $UPPORTS --dport 6667 -j ACCEPT
# EOF
All it does is allow any traffic on the local network, and then opens up ports 80, 21 and 3784 to anyone.

Any ideas why this locks the box from the internet?

Any help much appreciated!
 
#2  01-10-2004, 10:54 AM
artur (Member; registered Apr 2002; Illinois, US; Distribution: Red Hat, Fedora, Yellow Dog, Debian, FreeBSD, Embedix)
Re: iptables config -

Quote:
Originally posted by RTT
Code:
# Clear...
$IPTABLES --policy INPUT ACCEPT
#
# Start...
$IPTABLES --policy INPUT DROP
Isn't this redundant? Why set policy to accept just to change it to drop right after it?
Quote:
Code:
# Allow from local network:
$IPTABLES -A INPUT -s 192.168.0.0/24 -i eth0 -j ACCEPT
#
# Open port 80
$IPTABLES -A INPUT -s ! 192.168.0.0/24 -i eth0 -p tcp -m state --state NEW --sport $UPPORTS --dport 80 -j ACCEPT
That -s ! 192.168.0.0/24 part is redundant too, I think. You just let all the traffic from 192.168.0.0/24 through, so you know that it won't be coming from that net to this rule. Why slow down the filter checking for it? Just skip the -s portion.

Generally, your rules seem a bit too restrictive. Loosen up on them and let some more traffic in. Why do you care which port the connection comes from? So what if some machine uses its port 80 to talk to your port 80?

You could use tcpdump to see what exactly happens when you try to talk to the net and where connection stops.
 
#3  01-10-2004, 02:40 PM
Capt_Caveman (Senior Member; registered Mar 2003; Distribution: Fedora)

You'll also need to allow packets that are of the state RELATED,ESTABLISHED. As of right now, your firewall will allow only packets which are NEW and are opening a tcp connection, but there isn't any rule to allow the tcp packets that follow, so they'll fall through and hit the default input policy of DROP. Something like:

iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

should do the trick.
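Putting the two replies together, the following is an added example and not the script from the thread or either reply's own code: RTT's rule set with Capt_Caveman's RELATED,ESTABLISHED rule placed in front of the service rules, and artur's two simplifications (no "-s !" and no "--sport" qualifiers on the service rules). It goes one step beyond post #3 in that the state rule carries no "-p tcp", so UDP and ICMP replies to the box's own traffic (DNS answers, for example) are accepted as well; a TCP-only rule would still let those fall through to the INPUT DROP policy. The LAN address 192.168.0.0/24, eth0 and /usr/sbin/iptables are taken from the original script; the ipt wrapper and the DRY_RUN switch are assumptions added here so the rule set can be printed and checked without root.

```shell
#!/bin/sh
#
# Added example, not RTT's original script: the same firewall with the
# RELATED,ESTABLISHED rule from post #3 and the simplifications from post #2.
# Assumed: LAN is 192.168.0.0/24 on eth0, iptables lives in /usr/sbin.
# Set DRY_RUN=1 to print the iptables commands instead of applying them.
#
LAN="192.168.0.0/24"
IFACE="eth0"
SERVICES="80 21 3784 6667"      # TCP ports open to everyone

# Wrapper so the rule set can be reviewed without root and without
# touching the kernel: with DRY_RUN=1 it echoes, otherwise it runs iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        /usr/sbin/iptables "$@"
    fi
}

apply_rules() {
    # Reset to an open state before flushing, so a flush on a live box
    # never leaves a DROP policy with no ACCEPT rules in front of it.
    ipt --policy INPUT ACCEPT
    ipt --policy OUTPUT ACCEPT
    ipt --policy FORWARD ACCEPT
    ipt --flush

    # Loopback is always allowed.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # The rule the original script was missing: replies to connections this
    # box opened, and later packets of inbound connections already accepted.
    # No "-p tcp" here, so UDP DNS answers and ICMP errors for our own
    # connections get through as well (post #3 showed the TCP-only form).
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Anything from the LAN side.
    ipt -A INPUT -s "$LAN" -i "$IFACE" -j ACCEPT

    # Public services. The "-s ! LAN" and "--sport 1024:65535" qualifiers are
    # gone (post #2): LAN traffic was already accepted above, and legitimate
    # clients may connect from any source port.
    for port in $SERVICES; do
        ipt -A INPUT -i "$IFACE" -p tcp -m state --state NEW --dport "$port" -j ACCEPT
    done

    # Everything else hits the default policy, which is set last so that the
    # rules above are already in place when it takes effect.
    ipt --policy INPUT DROP
    ipt --policy OUTPUT ACCEPT
}

# Apply only when run as a script with "apply" or "dry-run"; sourcing the
# file just defines the functions.
case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) DRY_RUN=1; apply_rules ;;
esac
```

"sh firewall.sh dry-run" prints the iptables commands in the order they would be loaded; "sh firewall.sh apply" loads them (as root). If something is still being dropped after this, artur's tcpdump suggestion still applies, and a LOG rule appended just before the INPUT policy is set to DROP will show in the kernel log exactly which packets are falling through.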

All times are GMT -5.