iptables configuration help

mousie · 09-01-2005, 11:43 AM

Hi, I am relatively new to linux, sort of off and on again user. I've been using the same firewall script for a while and it seemed to work fine. Recently I've decided to convert my laptop to a linux machine and using the same iptables script I can't seem to access the internet (wired). Apparently it has something to do with the outbound rules because when I allow access to everything the internet works fine. I would have thought opening up port 80 would have been good enough. Can you please help me? I am running Slackware 10.1. My iptables script is below. Thanks.

#(1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#((2) Loopback
#Always allow loopback traffic
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -j ACCEPT

#Deny outside packets from internet which claim to be from loopback
iptables -A INPUT -j REJECT -p all -s localhost -i eth0

#(3) INPUT chain rules
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#TCP rules
iptables -A INPUT -p TCP -i eth0 --destination-port 22 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --destination-port 80 -j ACCEPT
#UDP rules
iptables -A INPUT -p UDP -i eth0 --destination-port 53 -j ACCEPT

#(4) OUTPUT chain rules
iptables -A OUTPUT -p TCP --destination-port 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p TCP --destination-port 22 -m state --state NEW -j ACCEPT

primo · 09-01-2005, 01:36 PM

Quote:

#((2) Loopback
#Always allow loopback traffic
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -j ACCEPT

Loose the restrictions on the loopback interface. Not all localhost traffic is from/to 127.0.0.1. It may use any of your local interface's IP address.

[QUOTE ]iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT[/QUOTE]

If you want a functional connection, append NEW to --state in the OUTPUT rule. The internet isn't only port 80, not even the web which may use 443 (https) too. What about 25 (smtp), 110 (pop3), et cetera and their SSL equivalents?

mousie · 09-01-2005, 01:57 PM

Hi, ah I see. I added NEW to --state in the OUTPUT rule and it seems to work fine. However, would this be safe to allow all new,established, related outbound connections? Wouldn't it be safer to specify each and every port, or will this cause problems as well? Also when you say loosen the loopback, i thought the ip of the local machine is always 127.0.0.1. Does this change? Do you need to specify others? Thanks.