LinuxQuestions.org


SBN 11-09-2006 09:07 PM

Iptables Configuration?
 
- hey guys, hope you can help me here.
- i block all incoming and outgoing connections in my iptables configuration. at first i just wanted to allow web browsing, so i tried this configuration:

Quote:

iptables -A INPUT -s 0/0 -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -s 0/0 -p udp --sport 80 -j ACCEPT
iptables -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 0/0 -p udp --dport 80 -j ACCEPT
iptables -A OUTPUT -s 0/0 -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -s 0/0 -p udp --sport 80 -j ACCEPT
iptables -A OUTPUT -s 0/0 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -s 0/0 -p udp --dport 80 -j ACCEPT
at first it worked, then when i tried it again it no longer worked. i did a little more reading and i think that configuration is wrong, but it worked before. so i narrowed it down to this.

Quote:

iptables -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 0/0 -p udp --dport 80 -j ACCEPT
iptables -A OUTPUT -s 0/0 -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -s 0/0 -p udp --sport 80 -j ACCEPT
but still no internet access.

can you help me here pls...

Capt_Caveman 11-09-2006 09:41 PM

The main problem likely has to do with DNS traffic or DHCP. If you are only allowing http traffic, then you are not going to be able to send or receive DNS packets and won't be able to resolve host names.

Also I would recommend against filtering based on source ports. The reason is that an attacker could easily configure his port scanner to use port 80 as the source port and would be able to scan/connect to any port on your system. IPtables has stateful filtering capability, so go ahead and use it. For all of your rules, you can replace them with:

iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

It's probably a good idea to post your entire firewall ruleset here as well because you are going to need other things as well, like allowing local traffic over the loopback interface otherwise things like X will break.

SBN 11-10-2006 03:38 AM

- thanks for the tip. actually my only firewall ruleset is the one i posted. i am still trying to create a configuration that would only allow web browsing, ftp, emails, and IM, and a security configuration that could prevent hackers from poking into our network. i am new to iptables and i would appreciate your help :)

Capt_Caveman 11-10-2006 07:55 PM

The following would be a reasonable core ruleset to use. What type of ftp (passive/active) and IM (yahoo/MSN/etc) do you use?

#!/bin/sh

#SET DEFAULT POLICIES
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#ALLOW TRAFFIC OVER LOOPBACK INTERFACE
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#ALLOW OUTBOUND HTTP
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
#ALLOW OUTBOUND SMTP
iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
#ALLOW OUTBOUND DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#ALLOW ONLY INCOMING REPLIES TO OUR TRAFFIC
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

SBN 11-10-2006 09:45 PM

- we use yahoo and our ftp uses passive mode
- so the meaning of this code:
Quote:

#ALLOW ONLY INCOMING REPLIES TO OUR TRAFFIC
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
is to only allow replies to requests from our network and won't allow anything else.

- do i have to allow udp? what would be the effect if i block it?

Capt_Caveman 11-13-2006 09:16 PM

I believe Yahoo messenger uses port 80 as well, so the OUTPUT rules allowing dport 80 should allow it. Passive FTP can be a bit more tricky due to the nature of the protocol itself. The easiest and most effective way is to allow outbound traffic on the FTP control channel (dport 21), then the data channel is opened and allowed because it's related to the initial FTP connection. The problem is that it's not an easy thing for the connection tracking module to follow, so there is a specific iptables module designed for that purpose: ip_conntrack_ftp. It should already be installed, just load it with 'modprobe ip_conntrack_ftp'. You can add it to your script at the top.

Capt_Caveman 11-13-2006 09:33 PM

Quote:

Originally Posted by SBN
so the meaning of this code is to only allow replies to requests from our network and won't allow anything else.

It will allow replies and related traffic, like certain ICMP packets used for error handling and connection negotiation (e.g. "ICMP fragmentation needed" messages), but again those are *only* allowed for a connection that you have initiated, and once the connection is closed then the packets will be denied again.


Quote:

Originally Posted by SBN
do i have to allow udp?

As I posted it above, it would cover any protocol (tcp, udp, icmp, etc) but only for connections that are initiated by you.


Quote:

Originally Posted by SBN
what would be the effect if i block it?

All of those services use tcp ports so I don't believe they would be problematic, but hostname resolution would be affected as it uses udp.

Note: After looking at some docs, Yahoo IM uses port 5050 by default, but if that's blocked it will try port 80 next.
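Pulling the thread together: the core ruleset Capt_Caveman posted, the FTP connection-tracking helper from the follow-up, and the Yahoo IM port from the note above combine into one script. This is an added example, not a script anyone in the thread posted. It assumes a single IPv4 host with no forwarding; HTTPS on port 443 is an assumption (the thread only mentions port 80), and everything else comes from the posts. By default it only prints the commands so the ruleset can be reviewed; `DRY_RUN=0` as root applies it.

```shell
#!/bin/sh
# Stateful, outbound-only iptables ruleset assembled from the thread above.
# Added example, not code posted in the thread. Assumptions: single host,
# no forwarding, IPv4 only; port 443 is assumed for modern web browsing.
set -eu

# DRY_RUN=1 (default) prints each command instead of running it, so the
# ruleset can be reviewed before it is applied with DRY_RUN=0 as root.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

load_module() {
    if [ "$DRY_RUN" = 1 ]; then echo "modprobe $1"; else modprobe "$1"; fi
}

# Outbound client connection to a TCP port: only the first packet of a NEW
# connection needs a rule; replies come back through the ESTABLISHED rule.
allow_out_tcp() {
    ipt -A OUTPUT -p tcp --dport "$1" -m state --state NEW -j ACCEPT
}

build_ruleset() {
    # FTP helper so the passive-mode data channel is tracked as RELATED to
    # the control connection (ip_conntrack_ftp on 2.6-era kernels; the same
    # helper is called nf_conntrack_ftp on current kernels).
    load_module ip_conntrack_ftp

    # Start from an empty filter table, then default-deny in every direction.
    ipt -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Loopback traffic (X, local daemons) must stay open.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Services the thread asked for. No rule matches on --sport: the remote
    # side picks its own source port, so it proves nothing about the traffic.
    allow_out_tcp 80     # HTTP
    allow_out_tcp 443    # HTTPS (assumption, not from the thread)
    allow_out_tcp 25     # SMTP
    allow_out_tcp 21     # FTP control channel; data channel arrives as RELATED
    allow_out_tcp 5050   # Yahoo IM default port (it falls back to 80)
    ipt -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT   # DNS

    # Everything else, any protocol: only packets belonging or related to a
    # connection this host initiated. The -j ACCEPT is what the OUTPUT line
    # in the posted ruleset was missing.
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

build_ruleset
```

Run it once with the default dry run and read the output; inbound hostname resolution, mail and IM all work only because the two ESTABLISHED,RELATED rules accept the replies, which is why removing the `-j ACCEPT` from either of them silently breaks every service at once.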

