LinuxQuestions.org
Old 11-13-2005, 09:25 PM   #1
jun_tuko
Member
 
Registered: Oct 2005
Location: Seattle, WA
Distribution: Fedora Core 4
Posts: 67

Rep: Reputation: 15
Need help on deciphering my IPTABLES


hello gurus,
could somebody please help me decipher my iptables and pinpoint what's wrong with it? I am following this book about setting up a webserver. They suggested using their script named "firewall". The contents are listed below. Whenever I start this firewall, I can't get to the internet and can't see my webserver. When I stop it, everything works. I also listed the default iptables output below after running iptables --list (this is when everything works). It seems pretty much open.

I just want to have a secure and safe webserver using apache, mysql, and php with email and ftp capability. Please advise. Thanks in advance!

Book's firewall script (does not work):

Code:
#!/bin/sh
# Change the part after the = to the where your
# IPTABLES is on your system

IPTABLES=/sbin/iptables

# Flush existing rules

$IPTABLES -F INPUT

# Allow connections going outbound
# from this machine to reply back

$IPTABLES -A INPUT -j ACCEPT -m state --state \
ESTABLISHED -i eth0 -p icmp
# ESTABLISHED -i wlan0 -p icmp

$IPTABLES -A INPUT -j ACCEPT -m state --state \
ESTABLISHED -i eth0 -p tcp
# ESTABLISHED -i wlan0 -p tcp

$IPTABLES -A INPUT -j ACCEPT -m state --state \
ESTABLISHED -i eth0 -p udp
# ESTABLISHED -i wlan0 -p udp

# Allow incoming SSH requests

$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 143 -j ACCEPT

# Allow incoming DNS

$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT

# Allow incoming HTTP requests (to web server)

$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow Ping echo

$IPTABLES -A INPUT -p icmp -j ACCEPT

# Load modules
insmod ip_conntrack_ftp
insmod ipt_LOG
insmod ipt_REJECT
insmod ipt_limit
insmod ipt_state

# The logging is set so if more than 5 packets are dropped
# in three seconds they will be ignored. This
# helps to prevent a DOS attack
# crashing the computer the firewall is running on

# $IPTABLES -A INPUT -m limit --limit 3/second \
# --limit-burst 5 -i ! lo -j LOG

# Drop and log all other data

$IPTABLES -A INPUT -i ! lo -j DROP


Default iptables --list output (everything works):

Code:
[root@projectff selinux]# iptables --list
Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination

iptables --list output after starting the "firewall" script:

Code:
[root@projectff etc]# iptables --list
Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- anywhere anywhere state ESTABLISHED
ACCEPT udp -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination
[root@projectff etc]#
 
Old 11-13-2005, 11:24 PM   #2
Mad Scientist
Member
 
Registered: May 2003
Posts: 167

Rep: Reputation: 30
It can be much simpler than this. Look at http://wiki.linuxquestions.org/wiki/Iptables for some help setting up your own iptables script. In short, if you want the most basic firewall that allows outside access to your web server, you can have a script that looks like

Code:
#!/bin/bash
# Firewall script that allows access to my web server

# Location of the iptables command
IPTABLES=/sbin/iptables

# Flush existing firewall rules
$IPTABLES --flush

# Delete any extraneous chains which may exist from a previous script
$IPTABLES --delete-chain

# Change the default policy of all three chains to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Use stateful inspection feature to only allow incoming connections
# related to connections I have already established myself
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow the world access to port 80 on my machine, the port through
# which others can access my web server
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

# Included to allow the script to exit gracefully
exit 0

If you want to allow your server to be pinged, you can add the following before the line with "exit 0",

Code:
# Allow the computer to ping
/sbin/iptables -A INPUT  -p icmp --icmp-type echo-reply   -j ACCEPT
/sbin/iptables -A INPUT  -p icmp --icmp-type echo-request -j ACCEPT

If you would rather forcefully reject the packets that aren't matching your rules, instead of just dropping them to oblivion, you would want to include

Code:
# Reject any packets that do not meet the specified criteria
/sbin/iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

This script is a bit shorter and simpler than your example script. It doesn't take long to get familiar enough with the nuances of iptables to build your own script that performs exactly as you would like. I do strongly recommend using the stateful inspection feature, though.
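An added example, not code from the thread or from either poster: one script that combines the stateful core, the ping rules and the REJECT rules from the reply above, and opens the services the original poster listed (ftp, ssh, mail, web). It assumes iptables lives at /sbin/iptables and that the FTP conntrack helper module is named ip_conntrack_ftp (older kernels) or nf_conntrack_ftp (newer ones); DRY_RUN=1 prints the commands instead of executing them, which is what the sanity-check function relies on.

```shell
#!/bin/bash
# Added example (not the thread's code): stateful firewall for a
# web/mail/ftp/ssh server built from the pieces in the reply above.
# DRY_RUN=1 prints each iptables command instead of executing it.
IPTABLES=${IPTABLES:-/sbin/iptables}   # assumed location
DRY_RUN=${DRY_RUN:-0}

ipt() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

build_rules() {
    # Start clean and default every chain to DROP.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    # Loopback: local services (php talking to mysql) must keep working.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Stateful core. RELATED admits ICMP errors and FTP data connections;
    # the book script matched only ESTABLISHED, per protocol, on eth0.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # New inbound connections only to offered services (ftp ssh smtp pop3 imap http https).
    for port in 21 22 25 110 143 80 443; do
        ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Answer pings, rate-limited with the numbers the book used for LOG.
    ipt -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 3/second --limit-burst 5 -j ACCEPT
    # Log (rate-limited) what is about to be refused, then reject cleanly; the rest hits the DROP policy.
    ipt -A INPUT -m limit --limit 3/second --limit-burst 5 \
        -j LOG --log-prefix "fw-reject: "
    ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    ipt -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
}

# Sanity check: how many tcp ports does the rule set open to NEW connections?
count_open_ports() {
    ( DRY_RUN=1; build_rules ) | grep -c -- '--state NEW -j ACCEPT'
}

if [ "${1:-}" = "apply" ]; then
    # FTP conntrack helper: older module name first, newer name as fallback (assumed names).
    modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
    build_rules
fi
```

Run it as "./firewall apply" as root to load the rules, or with DRY_RUN=1 and no argument to review the generated commands first.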
 
Old 11-24-2005, 12:02 PM   #3
aether
LQ Newbie
 
Registered: Nov 2005
Posts: 1

Rep: Reputation: 0
I recommend you start with this simple firewall guide:
http://www.iseclab.net/modules/artic...ticle.php?id=1

It's really useful when trying to understand how iptables operates.
Then you could continue with the iptables-tutorial.frozentux.net guide.

Good luck! :-)
 