LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 01-08-2013, 09:56 AM   #1
baronobeefdip
Distribution: Debian Squeeze
IPTables OUTPUT chain help


I have an apache server going and I set the default settings for the chains to drop everything, and I would allow only what I declared necessary to be open to run on the firewall, but I faced a problem. I have done these commands for security:
Code:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Now iptables is set to drop everything from all the targets. Since I have an apache server going, I did these commands:
Code:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
I attempted to access the website after setting these options and I was unable to reach it, so I did some experimenting. I changed the default of the input chain to ACCEPT and I still got nothing. When I changed the default of the output chain to ACCEPT and the input back to DROP, it started working again. My question is: what do I need to set in the output chain in order to have a working apache server, with the default value for the output chain set to DROP, while still allowing access to the web page?
 
Old 01-08-2013, 10:03 AM   #2
acid_kewpie
Moderator
Don't set OUTPUT to DROP. It sounds like you don't have a real grasp of what the different tables are for, so I'd really suggest you read up on things like connection tracking and such. Most normal servers will not have anything at all in the OUTPUT table, only INPUT. Whilst forums are great places to learn, saying "how do I make this work?" is really not the way to do what you're after; you need to understand what you're messing with IF you are messing with it. The defaults would more than likely have been just fine, after new connections on port 80 were added to INPUT.

Why do you want to have a default DROP? What security scenarios are you trying to guard against?

 
Old 01-08-2013, 11:20 AM   #3
baronobeefdip
I am trying to prevent the possibility that someone has planted a netcat listener and it's working on a port that isn't being used (through the output chain; the input chain should be just as restrictive, so as not to let any unauthorized connection be established). They can then use the netcat listener to make a backdoor and gain access to the machine. In order to ensure that any unused ports aren't open, I set the default output chain target to drop and I want to only allow ports for certain services (in this case apache) and nothing else. The problem is that when I set the output chain to drop and put in this command
Code:
iptables -P OUTPUT DROP
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

 
Old 01-08-2013, 12:58 PM   #4
unSpawn
Moderator
Quote: Originally Posted by baronobeefdip
I am trying to prevent (..) They can then use the netcat listener to make a backdoor and gain access to the machine.
That being your scenario, I suggest you look at other aspects of host security first. Please list what distribution and release you're using, what your web server serves (package names and versions if possible) and what security measures you have already implemented.


Quote: Originally Posted by baronobeefdip
In order to ensure that any unused ports aren't open I set the default output chain target to drop and I want to only allow ports for certain services (in this case apache) and nothing else.
Generally speaking, you should be somewhat aware of how network connections and services work before you modify your firewall. If you do, best use "-j LOG" targets to assess what traffic goes where, as that's the easiest, most efficient way to troubleshoot rule set problems. For example (top of my head):
Code:
-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m tcp -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 1/s -j LOG --log-prefix "OUT_EST_other "
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m udp -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -m icmp -p icmp -m state --state NEW -j ACCEPT
-A OUTPUT -m limit --limit 1/s -j LOG --log-prefix "OUT_REJ_other "
-A OUTPUT -m limit --limit 1/s -j REJECT
will allow loopback (which you always should), allows "answers" from your web server without logging them, logs all other related requests with an "OUT_EST_other" tag, allows DNS and ICMP requests out, and finally logs and rejects everything else (REJECT rather than DROP, so the local process gets a response) using the "OUT_REJ_other" tag, which you can grep for in your Syslog.
 
Old 01-08-2013, 01:57 PM   #5
acid_kewpie
Moderator
If you do have a netcat instance listening, then traffic still needs to traverse INPUT to reach it, so what's the issue?
 
Old 01-16-2013, 04:18 PM   #6
baronobeefdip
I agree that having the output chain like this and this only
Code:
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j DROP
will suffice as being at least the best security that I can do. You are right in saying that in order for someone to get access to the box with netcat they need to traverse the input chain first; since the input chain is restricted to only the ports that match the protocols that the box is running, the possibility of something being able to get in through a backdoor like netcat is reduced considerably. This might not fare well with the leader of the lab environment that I am working in; he is very hard to convince. From what I can see, however, the OUTPUT chain shouldn't be a big concern since it's only allowing currently established connections out (related and established; do I need NEW?), and if netcat is running it will be visible as an open port from the outside (which is controlled by the output chain), but in order to get a connection to the machine you need to go through the input chain, and this is where it is going to stop the netcat backdoor in its tracks.
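The advice from posts #2, #4 and #6 assembled into one complete ruleset, as an added example (this is not code from the thread or from any of the posters): DROP policies on all three chains, loopback allowed, INVALID dropped, ESTABLISHED,RELATED accepted both ways, only the web port open for NEW inbound connections, only DNS and ICMP allowed as NEW outbound connections, and rate-limited LOG rules before the policy takes effect. The port argument, the log prefixes and the assumption that the host only ever originates DNS and ICMP traffic are mine. The function emits iptables-restore format instead of applying anything, so the result can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not from the thread. Emits a stateful ruleset for a web
# server whose INPUT, OUTPUT and FORWARD policies are all DROP.
# Assumptions (mine): the web server listens on one TCP port, the host
# only needs DNS (53/udp, 53/tcp) and ICMP outbound, and the kernel LOG
# lines end up in syslog. Output is iptables-restore format; nothing is
# applied by this script.

web_server_rules() {
  # $1 = TCP port the web server listens on (default 80)
  port="${1:-80}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed (local resolver, health checks, etc.)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets the connection tracker cannot classify are dropped early
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
# replies belonging to connections accepted elsewhere (covers the web
# server's answers, so no --sport ${port} rule is needed in OUTPUT)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# inbound: only NEW connections to the web server port
-A INPUT -p tcp --dport ${port} -m state --state NEW -j ACCEPT
# outbound: only the NEW connections this host legitimately starts
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
# everything else is logged (rate limited); outbound gets a REJECT so the
# local process fails fast, and anything past the limit hits the policy
-A INPUT -m limit --limit 1/s -j LOG --log-prefix "Input: "
-A OUTPUT -m limit --limit 1/s -j LOG --log-prefix "OUT_REJ_other "
-A OUTPUT -m limit --limit 1/s -j REJECT
COMMIT
EOF
}

# Usage: web_server_rules 80 > /etc/iptables.rules
#        iptables-restore < /etc/iptables.rules
```

Because OUTPUT accepts ESTABLISHED,RELATED, the web server's replies are matched by connection tracking and the "--sport 80" rule from the first post is unnecessary; a NEW rule in OUTPUT is only needed for connections the host itself originates, such as the DNS lookups above, which answers the "do I need NEW?" question. The "-m state" match is kept to stay close to the thread; on current kernels "-m conntrack --ctstate" is the equivalent.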
 
Old 01-25-2013, 04:05 AM   #7
masatheesh
Member
By inserting the rule below, it will help to identify dropped packets in the Input chain

iptables -A INPUT -j LOG --log-prefix "Input: "
iptables -A INPUT -j DROP

Also it's better to add a rule to the Input chain to accept all traffic from lo
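To make use of the LOG prefixes suggested in the thread (unSpawn's "OUT_REJ_other" and the "Input: " prefix above), here is an added example that is not from the thread: it tallies the logged packets by prefix, protocol, destination port and destination address, so that repeated outbound connection attempts the ruleset did not expect stand out in one line. The sample log lines are constructed for this example in the standard netfilter LOG format (the addresses and ports in them are made up), and the script assumes the kernel messages are readable from syslog or "journalctl -k".

```shell
#!/bin/sh
# Added example, not from the thread. Summarises netfilter LOG lines that
# carry the prefixes used in this discussion. Assumption (mine): the lines
# reach syslog in the usual "kernel: ... PREFIX IN=... OUT=... SRC=... DST=...
# PROTO=... SPT=... DPT=..." format.

# Reads log lines on stdin and prints "<count> <prefix> <proto>/<dport> <dst>"
# sorted by count, highest first.
summarize_fw_log() {
  awk '
    /OUT_REJ_other|Input: / {
      prefix = ($0 ~ /OUT_REJ_other/) ? "OUT_REJ_other" : "Input"
      proto = ""; dpt = ""; dst = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        if ($i ~ /^DST=/)   dst   = substr($i, 5)
      }
      if (dpt == "") dpt = "-"   # e.g. ICMP has no port
      key = prefix " " proto "/" dpt " " dst
      count[key]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Constructed sample lines (not real logs) in the netfilter LOG format:
# two rejected outbound TCP attempts to the same host and port, one rejected
# outbound UDP packet, one dropped inbound SSH attempt, and one unrelated line.
SAMPLE_LOG='Jan  8 11:20:01 web kernel: [  123.456] OUT_REJ_other IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=1234 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  8 11:20:02 web kernel: [  124.456] OUT_REJ_other IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=1234 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  8 11:20:03 web kernel: [  125.456] OUT_REJ_other IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Jan  8 11:20:04 web kernel: [  126.456] Input: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=TCP SPT=55555 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  8 11:20:05 web kernel: unrelated kernel message without a firewall prefix'

# Usage: summarize_fw_log < /var/log/syslog
#        journalctl -k | summarize_fw_log
#        printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log   (runs on the sample)
```

A process on the host that keeps trying to reach the same outside address and port, despite never being given a NEW rule in OUTPUT, shows up as the top line of this summary; that is the kind of entry worth investigating on a server that should only be answering web requests.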