02-20-2015, 09:40 AM
#1
LQ Veteran
Registered: Feb 2015
Location: USA
Distribution: Lubuntu 14.04, 22.04, Windows 8.1 and 10
Posts: 6,282
[SOLVED] Need help understanding iptables...
Hi all...
Admittedly, I'm not that familiar with iptables or how it's configured. I ran "sudo iptables -L" to see if it was up and running in my new Lubuntu 14.04 install and received this readout...
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
What does this mean, exactly? Do I need to configure it more and if so, what would be a good front end to make it a quick, easy job that does it right with no weird side effects? For some reason, I didn't see guarddog in the repositories.
Thanks! 
Last edited by ardvark71; 02-20-2015 at 09:30 PM.
Reason: Grammar correction.
02-20-2015, 10:54 AM
#2
LQ Addict
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 24,263
02-20-2015, 11:15 AM
#3
LQ Veteran
Registered: Feb 2015
Location: USA
Distribution: Lubuntu 14.04, 22.04, Windows 8.1 and 10
Posts: 6,282
Original Poster
Quote:
Originally Posted by pan64
Thank you, this is a good start, even though I understand very little of what Ramesh is talking about.
I installed gufw to help with the gui end of it, hope it works well. Strange though, I wasn't able to find either Guarddog or Firestarter in the repositories. Hmmm.
I'd welcome any other thoughts, including on gufw, if anyone has any.
Regards...
Last edited by ardvark71; 02-20-2015 at 11:17 AM.
Reason: Grammar correction.
02-20-2015, 11:56 AM
#5
Senior Member
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,815
And FWIW, your original post showed a "firewall" with no rules and a default policy of "ACCEPT", which will accept anything from anywhere -- equivalent to no firewall at all.
02-20-2015, 09:29 PM
#6
LQ Veteran
Registered: Feb 2015
Location: USA
Distribution: Lubuntu 14.04, 22.04, Windows 8.1 and 10
Posts: 6,282
Original Poster
Quote:
Originally Posted by rknichols
And FWIW, your original post showed a "firewall" with no rules and a default policy of "ACCEPT", which will accept anything from anywhere -- equivalent to no firewall at all.
Hi...
That's what I suspected. I'm kind of surprised Lubuntu would ship with a default policy of this kind, unless there's something I'm missing.
I'm going to go ahead and mark this as solved as you guys have given me good starter information to work with, thank you!
@pan64: Thanks for the links. I wonder why they're outdated? I don't think that iptables would have changed that much.
Regards...
Last edited by ardvark71; 02-20-2015 at 10:23 PM.
Reason: Changed wording.
02-20-2015, 09:38 PM
#7
LQ Veteran
Registered: Feb 2015
Location: USA
Distribution: Lubuntu 14.04, 22.04, Windows 8.1 and 10
Posts: 6,282
Original Poster
Well, I can see my policy has changed...
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
Regards...
02-20-2015, 09:51 PM
#8
Member
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326
You have marked this solved, but thought I'd post this tutorial on iptables. I found it to be very helpful in understanding how it works.
https://www.frozentux.net/documents/iptables-tutorial/
02-20-2015, 10:20 PM
#9
LQ Veteran
Registered: Feb 2015
Location: USA
Distribution: Lubuntu 14.04, 22.04, Windows 8.1 and 10
Posts: 6,282
Original Poster
Quote:
Originally Posted by Miati
Thank you! Taking a look at it now....
Regards...
02-21-2015, 09:52 AM
#10
Senior Member
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,815
Quote:
Originally Posted by ardvark71
Well, I can see my policy has changed...
That appears to be a skeleton that some tool has set up in preparation for generating some rules. It still doesn't appear to do anything. Somewhere you must have a firewall builder tool that needs to be configured with actual rules.
Don't spend a lot of time trying to understand that skeleton. Any manually generated set of firewall rules would look nothing like that.
[EDIT] OK, I take that back. Buried in all that boilerplate there appears to be an actual firewall, presumably understandable by whoever wrote the tool that generated it.
Last edited by rknichols; 02-21-2015 at 10:06 AM.
Reason: OK, I take that back ...
02-21-2015, 11:15 AM
#11
LQ Veteran
Registered: Feb 2015
Location: USA
Distribution: Lubuntu 14.04, 22.04, Windows 8.1 and 10
Posts: 6,282
Original Poster
Quote:
Originally Posted by rknichols
That appears to be a skeleton that some tool has set up in preparation for generating some rules. It still doesn't appear to do anything. Somewhere you must have a firewall builder tool that needs to be configured with actual rules.
Don't spend a lot of time trying to understand that skeleton. Any manually generated set of firewall rules would look nothing like that.
[EDIT] OK, I take that back. Buried in all that boilerplate there appears to be an actual firewall, presumably understandable by whoever wrote the tool that generated it.
Hi...
Thank you for your observations, I'm glad you saw that it appeared to be a legitimate setup. I installed gufw as Guarddog and Firestarter are no longer in Canonical's repositories.
Regards...
02-21-2015, 06:52 PM
#12
Member
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326
Quote:
Originally Posted by rknichols
[EDIT] OK, I take that back. Buried in all that boilerplate there appears to be an actual firewall, presumably understandable by whoever wrote the tool that generated it.
It is quite an extensive skeleton.
Unfortunately, while GUIs make setting up stuff more simple, they also have the effect of making debugging or understanding it a nightmare.
For example,
Code:
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
This to me says, accept anything from anywhere, otherwise accept it as long as it's related or established.
What's the point of the second one if it's already accepted?
This is an example iptables setup script that is in no way the "correct" way, but may serve as a guide to a simple setup.
There are also numerous guides specifying how to setup iptables.
Code:
#!/bin/bash
# Minimal host firewall: default-deny inbound, allow-all outbound.
ipt=/sbin/iptables
$ipt -F                 # Flush every rule in the filter table
$ipt -P INPUT DROP      # Default policy: silently drop unmatched inbound traffic
$ipt -P FORWARD DROP    # Default policy: this host does not route for others
$ipt -P OUTPUT ACCEPT   # Default policy: allow all outbound traffic
$ipt -A INPUT -i lo -j ACCEPT # Permit loopback
$ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Permit established connections
$ipt -A INPUT -p tcp -m tcp --syn --dport 22 -j ACCEPT # SSH
$ipt -A INPUT -s 192.168.1.1/24 -j REJECT # Reject (with an ICMP error) anything else from the LAN (iptables masks this to 192.168.1.0/24); other sources fall through to the DROP policy
By line: flush all rules, set default policies, permit loopback connections, permit established and related connections, permit ssh connections, and send reject messages to the LAN (drop without response otherwise).
I find this to be a very simple, non-intrusive setup that is quite secure.
Last edited by Miati; 02-21-2015 at 06:57 PM.
02-21-2015, 07:12 PM
#13
Moderator
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,361
Quote:
Originally Posted by Miati
It is quite an extensive skeleton.
Unfortunately, while GUIs make setting up stuff more simple, they also have the effect of making debugging or understanding it a nightmare.
I totally agree!
HAHA! I wondered what gufw and ufw were - I find it to be "Uncomplicated Fire Wall"!
Incomprehensible Fire Wall might be a better name from what I can see!
I guess there might be a case to be made for front-ends, but honestly, I have always been able to manage my own using a text file I usually name firewall.rules and the iptables shell commands - and I am not really very smart!
I have recently had to review the how-tos and my own notes to lock down my VPS with some adaptive rules to lockout attackers more effectively, and harden my mail server, but still no big surprises or difficulties.
When I write and test the rules myself, I always know when it is working! The few times in the past when I tried to use a "firewall program", I was never really sure what it was doing, or when it was working, and often ran wide open without knowing it!
If you can understand it well enough to effectively configure a firewall program, then you can probably understand it well enough to just write the rules!
Last edited by astrogeek; 02-21-2015 at 07:18 PM.
Reason: typos, more comments
02-21-2015, 08:14 PM
#14
LQ Veteran
Registered: Feb 2015
Location: USA
Distribution: Lubuntu 14.04, 22.04, Windows 8.1 and 10
Posts: 6,282
Original Poster
Quote:
Originally Posted by Miati
Code:
#!/bin/bash
# Minimal host firewall: default-deny inbound, allow-all outbound.
ipt=/sbin/iptables
$ipt -F                 # Flush every rule in the filter table
$ipt -P INPUT DROP      # Default policy: silently drop unmatched inbound traffic
$ipt -P FORWARD DROP    # Default policy: this host does not route for others
$ipt -P OUTPUT ACCEPT   # Default policy: allow all outbound traffic
$ipt -A INPUT -i lo -j ACCEPT # Permit loopback
$ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Permit established connections
$ipt -A INPUT -p tcp -m tcp --syn --dport 22 -j ACCEPT # SSH
$ipt -A INPUT -s 192.168.1.1/24 -j REJECT # Reject (with an ICMP error) anything else from the LAN (iptables masks this to 192.168.1.0/24); other sources fall through to the DROP policy
By line: flush all rules, set default policies, permit loopback connections, permit established and related connections, permit ssh connections, and send reject messages to the LAN (drop without response otherwise).
I find this to be a very simple, non-intrusive setup that is quite secure.
Do I run your code in a terminal exactly as I see it? If not, what commands would I use to achieve the same setup?
Thanks!
02-21-2015, 08:38 PM
#15
Member
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326
Quote:
Originally Posted by ardvark71
Do I run your code in a terminal exactly as I see it? If not, what commands would I use to achieve the same setup?
Thanks!
This is a bash script that should be run on boot before network interfaces are brought up.
It should result in an "iptables -L" output similar to this.
While it's easier to simply run it, I would suggest taking some time to identify if it does what you want. It does what I want, but it may be too open or closed for you. If you don't care, I believe it makes a good "standard" ruleset.
If you have no need for ssh, remove the line permitting access to port 22. If you use a webserver utilizing http and https, include port 80 & 443
Code:
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
Also understand the force of it. iptables -F will cause all rules to be erased and policies reset, which may cause ufw to be very unable / overwrite what you had setup prior.
Note that each time I type $ipt, it really references /sbin/iptables. So it's similar to typing iptables -F, iptables -P INPUT DROP, etc.
I attempted to make it simple and linear since simplicity and good comments (after the #) makes debugging a problem later on much easier.
Also note the order is very important. Should I do this command ($ipt -A INPUT -s 192.168.1.1/24 -j REJECT) first, it will cause all LAN connections to be rejected - a negative outcome. However, since it's the last one, all connections will be dropped anyways and rejecting it will assist in debugging since it will identify that it was blocked - a positive outcome (preventing hanging connections as well).
Last edited by Miati; 02-21-2015 at 08:49 PM.
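A first-match walk through the INPUT rules from Miati's script (posts #12 and #15), as an added example that is not from the thread: a small Python simulator of how iptables evaluates a chain (first matching rule wins, otherwise the chain policy applies), used to check what the script accepts, rejects or drops, why the LAN REJECT rule has to be appended last, and why rknichols' empty chain with policy ACCEPT lets everything in. The packet fields, ctstate values and addresses are constructed sample inputs, not captured traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One INPUT rule; every field left at None/empty is a wildcard."""
    target: str
    in_iface: Optional[str] = None          # -i lo
    proto: Optional[str] = None             # -p tcp
    syn: bool = False                       # --syn (new TCP connection)
    dport: Optional[int] = None             # --dport 22
    src: Optional[str] = None               # -s 192.168.1.0/24
    ctstate: frozenset = frozenset()        # --ctstate RELATED,ESTABLISHED

    def matches(self, pkt: dict) -> bool:
        if self.in_iface and pkt["iface"] != self.in_iface:
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.syn and not pkt["syn"]:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        if self.src and (ipaddress.ip_address(pkt["src"])
                         not in ipaddress.ip_network(self.src)):
            return False
        if self.ctstate and pkt["ctstate"] not in self.ctstate:
            return False
        return True


def evaluate(rules, pkt, policy="DROP"):
    """First matching rule decides; with no match the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# The four INPUT rules from the post, in the order the script appends them.
# (iptables masks the post's "-s 192.168.1.1/24" to the 192.168.1.0/24 network.)
POST_RULES = [
    Rule("ACCEPT", in_iface="lo"),
    Rule("ACCEPT", ctstate=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", proto="tcp", syn=True, dport=22),
    Rule("REJECT", src="192.168.1.0/24"),
]
# The same rules with the LAN REJECT appended first: the "negative outcome".
REJECT_FIRST = [POST_RULES[3]] + POST_RULES[:3]


def packet(src, iface="eth0", proto="tcp", dport=None, syn=False, ctstate="NEW"):
    """Constructed sample packet (not a real capture)."""
    return {"src": src, "iface": iface, "proto": proto,
            "dport": dport, "syn": syn, "ctstate": ctstate}
```

Note that a non-SYN packet to port 22 from the LAN that conntrack has not seen before is rejected, not accepted: the --syn match only admits the first packet of a new connection, and everything later rides on the RELATED,ESTABLISHED rule.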