LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 02-20-2015, 09:40 AM   #1
ardvark71
LQ Veteran
 
Registered: Feb 2015
Location: USA
Distribution: Lubuntu 14.04, 22.04, Windows 8.1 and 10
Posts: 6,282
Blog Entries: 4

Rep: Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842
Question [SOLVED] Need help understanding iptables...


Hi all...

Admittedly, I'm not that familiar with iptables or how it's configured. I ran "sudo iptables -L" to see if it was up and running in my new Lubuntu 14.04 install and received this readout...

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
What does this mean, exactly? Do I need to configure it more and if so, what would be a good front end to make it a quick easy job that does it right with no weird side affects? For some reason, I didn't see guarddog in the repositories.

Thanks!

Last edited by ardvark71; 02-20-2015 at 09:30 PM. Reason: Grammar correction.
 
Old 02-20-2015, 10:54 AM   #2
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 22,258

Rep: Reputation: 7419Reputation: 7419Reputation: 7419Reputation: 7419Reputation: 7419Reputation: 7419Reputation: 7419Reputation: 7419Reputation: 7419Reputation: 7419Reputation: 7419
just look for iptables tutorial, like this: http://www.thegeekstuff.com/2011/01/...-fundamentals/
 
1 members found this post helpful.
Old 02-20-2015, 11:15 AM   #3
ardvark71
LQ Veteran
 
Registered: Feb 2015
Location: USA
Distribution: Lubuntu 14.04, 22.04, Windows 8.1 and 10
Posts: 6,282

Original Poster
Blog Entries: 4

Rep: Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842
Thumbs up

Quote:
Originally Posted by pan64 View Post
just look for iptables tutorial, like this: http://www.thegeekstuff.com/2011/01/...-fundamentals/
Thank you, this is a good start, even though I understand very little of what Ramesh is talking about.

I installed gufw to help with the gui end of it, hope it works well. Strange though, I wasn't able to find either Guarddog or Firestarter in the repositories. Hmmm.

I'd welcome any other thoughts, including on gufw, if anyone has any.

Regards...

Last edited by ardvark71; 02-20-2015 at 11:17 AM. Reason: Grammar correction.
 
Old 02-20-2015, 11:21 AM   #4
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 22,258

Rep: Reputation: 7419Reputation: 7419Reputation: 7419Reputation: 7419Reputation: 7419Reputation: 7419Reputation: 7419Reputation: 7419Reputation: 7419Reputation: 7419Reputation: 7419
yes, it looks like firestarter in now outdated. Probably guarddog too. You need to look for tutorials and choose what you prefer, there are a lot of different ones...
http://blog.adityapatawari.com/2011/...explained.html
http://www.linuxquestions.org/questi...es-4175463884/
http://www.linuxhomenetworking.com/w...Using_iptables
 
1 members found this post helpful.
Old 02-20-2015, 11:56 AM   #5
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,786

Rep: Reputation: 2216Reputation: 2216Reputation: 2216Reputation: 2216Reputation: 2216Reputation: 2216Reputation: 2216Reputation: 2216Reputation: 2216Reputation: 2216Reputation: 2216
And FWIW, your original post showed a "firewall" with no rules and a default policy of "ACCEPT", which will accept anything from anywhere -- equivalent to no firewall at all.
 
1 members found this post helpful.
Old 02-20-2015, 09:29 PM   #6
ardvark71
LQ Veteran
 
Registered: Feb 2015
Location: USA
Distribution: Lubuntu 14.04, 22.04, Windows 8.1 and 10
Posts: 6,282

Original Poster
Blog Entries: 4

Rep: Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842
Smile

Quote:
Originally Posted by rknichols View Post
And FWIW, your original post showed a "firewall" with no rules and a default policy of "ACCEPT", which will accept anything from anywhere -- equivalent to no firewall at all.
Hi...

That's what I suspected. I'm kind of surprised Lubuntu would ship with a default policy of this kind, unless there's something I'm missing.

I'm going to go ahead and mark this as solved as you guys have given me good starter information to work with, thank you!

@pan64: Thanks for the links. I wonder why they're outdated? I don't think at iptables would have changed that much.

Regards...

Last edited by ardvark71; 02-20-2015 at 10:23 PM. Reason: Changed wording.
 
Old 02-20-2015, 09:38 PM   #7
ardvark71
LQ Veteran
 
Registered: Feb 2015
Location: USA
Distribution: Lubuntu 14.04, 22.04, Windows 8.1 and 10
Posts: 6,282

Original Poster
Blog Entries: 4

Rep: Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842
Wink

Well, I can see my policy has changed...

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere            

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere            

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere            

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-track-forward (1 references)
target     prot opt source               destination         

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-input (1 references)
target     prot opt source               destination         

Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination
Regards...
 
Old 02-20-2015, 09:51 PM   #8
Miati
Member
 
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326

Rep: Reputation: 106Reputation: 106
You have marked this solved, but thought I'd post this tutorial on iptables. I found it to be very helpful in understanding how it works.

https://www.frozentux.net/documents/iptables-tutorial/
 
1 members found this post helpful.
Old 02-20-2015, 10:20 PM   #9
ardvark71
LQ Veteran
 
Registered: Feb 2015
Location: USA
Distribution: Lubuntu 14.04, 22.04, Windows 8.1 and 10
Posts: 6,282

Original Poster
Blog Entries: 4

Rep: Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842
Smile

Quote:
Originally Posted by Miati View Post
You have marked this solved, but thought I'd post this tutorial on iptables. I found it to be very helpful in understanding how it works.

https://www.frozentux.net/documents/iptables-tutorial/
Thank you! Taking a look at it now....

Regards...
 
Old 02-21-2015, 09:52 AM   #10
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,786

Rep: Reputation: 2216Reputation: 2216Reputation: 2216Reputation: 2216Reputation: 2216Reputation: 2216Reputation: 2216Reputation: 2216Reputation: 2216Reputation: 2216Reputation: 2216
Quote:
Originally Posted by ardvark71 View Post
Well, I can see my policy has changed...
That appears to be a skeleton that some tool has set up in preparation for generating some rules. It still doesn't appear to do anything. Somewhere you must have a firewall builder tool that needs to be configured with actual rules.

Don't spend a lot of time trying to understand that skeleton. Any manually generated set of firewall rules would look nothing like that.

[EDIT] OK, I take that back. Buried in all that boilerplate there appears to be an actual firewall, presumably understandable by whoever wrote the tool that generated it.

Last edited by rknichols; 02-21-2015 at 10:06 AM. Reason: OK, I take that back ...
 
1 members found this post helpful.
Old 02-21-2015, 11:15 AM   #11
ardvark71
LQ Veteran
 
Registered: Feb 2015
Location: USA
Distribution: Lubuntu 14.04, 22.04, Windows 8.1 and 10
Posts: 6,282

Original Poster
Blog Entries: 4

Rep: Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842
Quote:
Originally Posted by rknichols View Post
That appears to be a skeleton that some tool has set up in preparation for generating some rules. It still doesn't appear to do anything. Somewhere you must have a firewall builder tool that needs to be configured with actual rules.

Don't spend a lot of time trying to understand that skeleton. Any manually generated set of firewall rules would look nothing like that.

[EDIT] OK, I take that back. Buried in all that boilerplate there appears to be an actual firewall, presumably understandable by whoever wrote the tool that generated it.
Hi...

Thank you for your observations, I'm glad you saw that it appeared to be a legitimate setup. I installed gufw as Guarddog and Firestarter are no longer in Canonical's repositories.

Regards...
 
Old 02-21-2015, 06:52 PM   #12
Miati
Member
 
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326

Rep: Reputation: 106Reputation: 106
Quote:
Originally Posted by rknichols View Post
[EDIT] OK, I take that back. Buried in all that boilerplate there appears to be an actual firewall, presumably understandable by whoever wrote the tool that generated it.
It is quite a extensive skeleton.
unfortunately, while gui's make setting up stuff more simple they also have the effect of making debugging or understanding it a nightmare.
For example,
Code:
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
This to me says, accept anything from anywhere, otherwise accept it as long as it's related or established.
What's the point of the second one if it's already accepted?

This is a example iptables setup script that is in no way the "correct" way, but may serve as a guide to a simple setup.
There are also numerous guides specifying how to setup iptables.

Code:
#!/bin/bash
ipt=/sbin/iptables

$ipt -F

$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT

$ipt -A INPUT -i lo -j ACCEPT # Permit loopback
$ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Permit established connections
$ipt -A INPUT -p tcp -m tcp --syn --dport 22 -j ACCEPT # SSH

$ipt -A INPUT -s 192.168.1.1/24 -j REJECT
By line, flush all rules, set default policies, permit loopback connections, permit established and related connections, permit ssh connections and send reject messages to lan (drop without response otherwise
I find this to be a very simple non-instrusive setup that is quite secure.

Last edited by Miati; 02-21-2015 at 06:57 PM.
 
1 members found this post helpful.
Old 02-21-2015, 07:12 PM   #13
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,286
Blog Entries: 24

Rep: Reputation: 4238Reputation: 4238Reputation: 4238Reputation: 4238Reputation: 4238Reputation: 4238Reputation: 4238Reputation: 4238Reputation: 4238Reputation: 4238Reputation: 4238
Quote:
Originally Posted by Miati View Post
It is quite a extensive skeleton.
unfortunately, while gui's make setting up stuff more simple they also have the effect of making debugging or understanding it a nightmare.
I totally agree!

HAHA! I wondered what gufw and ufw were - I find it to be "Uncomplicated Fire Wall"!

Incomprehensible Fire Wall might be a better name from what I can see!

I guess there might be a case to be made for front-ends, but honestly, I have always been able to manage my own using a text file I usually name firewall.rules and the iptables shell commands - and I am not really very smart!

I have recently had to review the how-tos and my own notes to lock down my VPS with some adaptive rules to lockout attackers more effectively, and harden my mail server, but still no big surprises or difficulties.

When I write and test the rules myself, I always know when it is working! The few times in the past when I tried to use a "firewall program", I was never really sure what it was doing, or when it was working, and often ran wide open without knowing it!

If you can understand it well enough to effectively configure a firewall program, then you can probably understand it well enough to just write the rules!

Last edited by astrogeek; 02-21-2015 at 07:18 PM. Reason: typos, more comments
 
Old 02-21-2015, 08:14 PM   #14
ardvark71
LQ Veteran
 
Registered: Feb 2015
Location: USA
Distribution: Lubuntu 14.04, 22.04, Windows 8.1 and 10
Posts: 6,282

Original Poster
Blog Entries: 4

Rep: Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842Reputation: 842
Quote:
Originally Posted by Miati View Post
Code:
#!/bin/bash
ipt=/sbin/iptables

$ipt -F

$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT

$ipt -A INPUT -i lo -j ACCEPT # Permit loopback
$ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Permit established connections
$ipt -A INPUT -p tcp -m tcp --syn --dport 22 -j ACCEPT # SSH

$ipt -A INPUT -s 192.168.1.1/24 -j REJECT
By line, flush all rules, set default policies, permit loopback connections, permit established and related connections, permit ssh connections and send reject messages to lan (drop without response otherwise
I find this to be a very simple non-instrusive setup that is quite secure.
Do I run your code in a terminal exactly as I see it? If not, what commands would I use to achieve the same setup?

Thanks!
 
Old 02-21-2015, 08:38 PM   #15
Miati
Member
 
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326

Rep: Reputation: 106Reputation: 106
Quote:
Originally Posted by ardvark71 View Post
Do I run your code in a terminal exactly as I see it? If not, what commands would I use to achieve the same setup?

Thanks!
This is a bash script that should be run on boot before network interfaces are brought up.
It should result in a iptables -L output similar to this

While it's easier to simply run it, I would suggest taking some time to identify if it does what you want. It does what I want, but it may be too open or closed for you. If you don't care, I believe it makes a good "standard" ruleset.
If you have no need for ssh, remove the line permitting access to port 22. If you use a webserver utilizing http and https, include port 80 & 443
Code:
iptables -A INPUT -p tcp -m multiport 80,443 -j ACCEPT
Also understand the force of it. iptables -F will cause all rules to be erased and policies reset, which may cause ufw to be very unable / overwrite what you had setup prior.

Note that each time I type $ipt, it really references /sbin/iptables. So it's similar to typing iptables -F, iptables -P INPUT DROP, etc.
I attempted to make it simple and linear since simplicity and good comments (after the #) makes debugging a problem later on much easier.

Also note the order is very important. Should I do this command ($ipt -A INPUT -s 192.168.1.1/24 -j REJECT) first, it will cause all lan connections to be rejected - a negative outcome. However, since it's the last one all connections will be dropped anyways and rejecting it will assist in debugging since it will identify that it was blocked - a positive outcome (preventing hanging connections as well)

Last edited by Miati; 02-21-2015 at 08:49 PM.
 
1 members found this post helpful.
  


Reply

Tags
frontend, iptables firewall block


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Understanding iptables NotionCommotion Linux - Newbie 3 03-23-2014 12:39 PM
I Need Help Understanding IPTables Bhuvana77 Linux - Networking 3 07-22-2010 06:25 AM
Understanding iptables veeruk101 Linux - Networking 4 07-25-2007 02:58 PM
understanding iptables gr00ve Linux - Networking 1 11-01-2004 12:47 PM
Understanding iptables Buckyjunior Linux - Networking 3 03-07-2004 06:18 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 11:54 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration