Old 02-04-2009, 07:07 AM   #1
LQ Newbie
Registered: Nov 2005
Posts: 7

Rep: Reputation: 0
Some iptables rules are not working on Ubuntu 8.10 server

On Ubuntu 8.10 server, I want to deny any attempt of a connection by the server to any other host on the home network. This includes PING as well. I set up a number of rules through ufw, enabled it and rebooted, and I can still connect to other machines. In the following output from ufw status, is Ubuntu and is the other host. I can still communicate between the two on port 80 and by ICMP, and I believe that ufw/iptables is working because the two statements concerning ports 22 and 80 take effect.

To         Action  From
--         ------  ----
22/tcp     ALLOW   Anywhere
80/tcp     ALLOW   Anywhere
           DENY
           DENY
Anywhere   DENY

Saved iptables rules:

# Generated by iptables-save v1.4.0 on Tue Feb 3 23:15:19 2009
:INPUT DROP [107:9343]
:OUTPUT ACCEPT [840:50760]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-not-local - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: "
-A ufw-after-forward -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j RETURN
-A ufw-after-input -p udp -m udp --dport 138 -j RETURN
-A ufw-after-input -p tcp -m tcp --dport 139 -j RETURN
-A ufw-after-input -p tcp -m tcp --dport 445 -j RETURN
-A ufw-after-input -p udp -m udp --dport 67 -j RETURN
-A ufw-after-input -p udp -m udp --dport 68 -j RETURN
-A ufw-after-input -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: "
-A ufw-after-input -j RETURN
-A ufw-after-output -j RETURN
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-forward -j RETURN
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -s -j ACCEPT
-A ufw-before-input -d -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-input -j RETURN
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-before-output -j RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: "
-A ufw-not-local -j DROP
-A ufw-user-forward -j RETURN
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -s -d -j DROP
-A ufw-user-input -s -d -j DROP
-A ufw-user-input -s -j DROP
-A ufw-user-input -j RETURN
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT]: "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A ufw-user-output -j RETURN

What am I overlooking?

Old 02-04-2009, 07:47 AM   #2
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Originally Posted by PossumJerky
On Ubuntu 8.10 server, I want to deny any attempt of a connection by the server to any other host on the home network. This includes PING as well.
The simplest way to achieve this is probably:
iptables -I OUTPUT -o $LAN_IFACE -d $LAN_NET -m state --state NEW -j REJECT
Based on that, I believe the essence of your issue is that you are using the INPUT chain instead of the OUTPUT one.

Last edited by win32sux; 02-04-2009 at 07:53 AM.
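The two posts above describe the same mistake from both sides: the DROP rules sit in ufw-user-input, which only INPUT ever jumps to, so the server's own outgoing packets never meet them, while the reply's `iptables -I OUTPUT ...` puts a REJECT at the head of the OUTPUT chain. The dump also shows why the head of OUTPUT matters: ufw-before-output accepts NEW tcp and udp before it jumps to ufw-user-output, so a deny placed in ufw-user-output would still let a new TCP connection through (only ICMP would reach it). The following script is an added example, not code from the thread or from ufw: it parses an iptables-save dump, reports which built-in chain can reach each DROP/REJECT rule, and walks OUTPUT for a ping and a new HTTP connection the way netfilter would. The dump is a constructed, trimmed reconstruction of the poster's ruleset; 192.0.2.0/24 (TEST-NET-1) and eth0 are placeholders for the elided home-network addresses and for $LAN_IFACE/$LAN_NET.

```python
"""Audit an iptables-save dump: which direction does each deny rule apply to, and
what verdict do two outbound LAN packets get?  Constructed sample, not the thread's data."""
import ipaddress
import re

BUILTIN = ("INPUT", "FORWARD", "OUTPUT")
TERMINAL = ("ACCEPT", "DROP", "REJECT")

# Constructed reconstruction of the poster's ruleset; 192.0.2.x stands in for the elided IPs.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [107:9343]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [840:50760]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-input
-A OUTPUT -j ufw-before-output
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -s 192.0.2.20 -d 192.0.2.10 -j DROP
-A ufw-user-input -s 192.0.2.0/24 -j DROP
-A ufw-user-input -j RETURN
-A ufw-user-output -j RETURN
COMMIT
"""
# The rule from the reply, with assumed values eth0 / 192.0.2.0/24 for $LAN_IFACE / $LAN_NET.
FIX_RULE = "-o eth0 -d 192.0.2.0/24 -m state --state NEW -j REJECT"


def parse_dump(text):
    """Return ({chain: [rule, ...]}, {builtin: policy}) for the filter table."""
    chains, policies = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            if policy != "-":
                policies[name] = policy
        elif line.startswith("-A "):
            chain, _, rule = line[3:].partition(" ")
            chains.setdefault(chain, []).append(rule)
    return chains, policies


def jump_target(rule):
    m = re.search(r"-j (\S+)", rule)
    return m.group(1) if m else None


def rule_matches(rule, pkt):
    """Matcher for the options the dump uses; any other option is treated as 'does not match'."""
    toks = rule.split()
    for i in range(0, len(toks), 2):
        t = toks[i]
        v = toks[i + 1] if i + 1 < len(toks) else None
        if t in ("-m", "-j"):
            continue  # match-module loader and jump target carry no packet criteria here
        if t == "-i":
            ok = pkt.get("iif") == v
        elif t == "-o":
            ok = pkt.get("oif") == v
        elif t == "-p":
            ok = pkt["proto"] == v
        elif t in ("-s", "-d"):
            addr = pkt["src"] if t == "-s" else pkt["dst"]
            ok = ipaddress.ip_address(addr) in ipaddress.ip_network(v, strict=False)
        elif t == "--dport":
            ok = pkt.get("dport") == int(v)
        elif t in ("--state", "--ctstate"):
            ok = pkt["state"] in v.split(",")
        else:
            return False
        if not ok:
            return False
    return True


def verdict(chains, policies, chain, pkt):
    """Walk a chain as netfilter does: first terminal target wins, RETURN pops to the caller."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        target = jump_target(rule)
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target not in chains:
            continue  # e.g. LOG: non-terminating target
        sub = verdict(chains, policies, target, pkt)
        if sub is not None:
            return sub
    return policies.get(chain)  # built-in chain: policy; user chain: implicit RETURN


def reachable_from(chains, root):
    """User chains a packet traversing `root` can be handed to via -j."""
    seen, stack = set(), [root]
    while stack:
        c = stack.pop()
        if c in seen:
            continue
        seen.add(c)
        stack.extend(t for t in map(jump_target, chains.get(c, [])) if t in chains)
    return seen


def deny_rules_by_direction(chains):
    """[(chain, rule, [built-in chains that can reach it])] for every DROP/REJECT rule."""
    reach = {b: reachable_from(chains, b) for b in BUILTIN}
    return [(c, r, [b for b in BUILTIN if c in reach[b]])
            for c, rules in chains.items() for r in rules
            if jump_target(r) in ("DROP", "REJECT")]


def egress_verdicts(dump):
    """Verdicts for an outbound ping and an outbound new HTTP connection to a LAN host."""
    chains, policies = parse_dump(dump)
    ping = {"proto": "icmp", "src": "192.0.2.10", "dst": "192.0.2.20", "state": "NEW", "oif": "eth0"}
    http = dict(ping, proto="tcp", dport=80)
    return (verdict(chains, policies, "OUTPUT", ping), verdict(chains, policies, "OUTPUT", http))


def with_rule(dump, chain, rule, insert=False):
    """Dump with `rule` added to `chain`: at its head (like -I) or after its last rule (like -A)."""
    lines = dump.splitlines()
    idx = [i for i, l in enumerate(lines) if l.startswith(f"-A {chain} ")]
    pos = idx[0] if insert and idx else (idx[-1] + 1 if idx else lines.index("COMMIT"))
    lines.insert(pos, f"-A {chain} {rule}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    chains, _ = parse_dump(SAMPLE_DUMP)
    for c, r, dirs in deny_rules_by_direction(chains):
        print(f"{c}: {r}  <- reachable from {dirs}")
    print("as posted (ping, http):", egress_verdicts(SAMPLE_DUMP))
    print("-I OUTPUT fix:         ", egress_verdicts(with_rule(SAMPLE_DUMP, "OUTPUT", FIX_RULE, True)))
    print("in ufw-user-output:    ", egress_verdicts(with_rule(SAMPLE_DUMP, "ufw-user-output", FIX_RULE, True)))
```

Run it and the first block shows both DROP rules reachable only from INPUT; the posted ruleset yields ACCEPT for both outbound packets (OUTPUT's policy and the NEW-tcp accept), the rule inserted at the head of OUTPUT yields REJECT for both, and the same rule placed inside ufw-user-output rejects only the ping because ufw-before-output has already accepted the new TCP connection.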

