Old 12-30-2012, 03:32 AM   #1
it2
LQ Newbie
 
Registered: Dec 2012
Posts: 7

Rep: Reputation: Disabled
iptables is not implementing rules


I am setting up my firewall using iptables. I have set the INPUT default to DROP (iptables -P INPUT DROP). Then I am entering my rules for each port, for example (iptables -A INPUT -p tcp --sport 80 -j ACCEPT) and so on. However, iptables is still dropping my internet connection despite having 80, 8080 etc. open.

I have also tried leaving the INPUT default at ACCEPT, then putting the ports I want to accept first (for example iptables -A INPUT -p tcp --sport 80 -j ACCEPT) and then putting the rule to drop all other traffic last (iptables -A INPUT -j DROP).

Either way I have tried, iptables seems to be only using the most restrictive rule regardless of its precedence. There could be 13 accept rules in front of my DROP rule, but once I add it my internet connection, which is using ports 80 and 443, is blocked. Any help is appreciated.
 
Old 12-30-2012, 04:23 AM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,806

Rep: Reputation: Disabled
Quote:
Originally Posted by it2
I am setting up my firewall using iptables. I have set the INPUT default to DROP (iptables -P INPUT DROP). Then I am entering my rules for each port, for example (iptables -A INPUT -p tcp --sport 80 -j ACCEPT) and so on. However, iptables is still dropping my internet connection despite having 80, 8080 etc. open.

I have also tried leaving the INPUT default at ACCEPT, then putting the ports I want to accept first (for example iptables -A INPUT -p tcp --sport 80 -j ACCEPT) and then putting the rule to drop all other traffic last (iptables -A INPUT -j DROP).
The rule as you've written it will accept traffic from port 80 to any port on your system. Is that what you want? Is this system a web server, a router or simply a PC accessing the Internet?
 
Old 12-30-2012, 04:52 AM   #3
it2
LQ Newbie
 
Registered: Dec 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
This is just my laptop connecting to the internet. Yes, this is all I want it to do for now. I am still new to iptables. Everything I know and have read about firewalls tells me that my first rules should be taking precedence over my last rule, and certainly over the default.

Last edited by it2; 12-30-2012 at 04:59 AM.
 
Old 12-30-2012, 05:05 AM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,806

Rep: Reputation: Disabled
And they do, so if something isn't working, there must be something wrong with the ruleset. Could you post the output from iptables -L INPUT?
 
Old 12-30-2012, 05:31 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
Quote:
Originally Posted by Ser Olmy
Could you post the output from iptables -L INPUT?
FWIW I'd suggest asking for
Code:
iptables-save > /tmp/rules.txt
output (attached as plain text?) instead because that takes all chains leading up to "filter" into account, shows chain policies and doesn't try to resolve address and port names. If one needs just the filter table then
Code:
iptables --line-numbers -nvxL > /tmp/filter.txt
would provide a "cleaner" list while preserving rule order in an easy to read way.
 
Old 12-30-2012, 05:54 AM   #6
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,806

Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn
FWIW I'd suggest asking for
Code:
iptables-save > /tmp/rules.txt
output (attached as plain text?) instead because that takes all chains leading up to "filter" into account, shows chain policies and doesn't try to resolve address and port names.
Not to mention that it includes interface matches, which are strangely absent when you list the rules with iptables -L. The latter does include the policy, though.

In this case, I figured a simple list would be enough to shed some light on what the problem might be.
 
Old 12-30-2012, 08:55 AM   #7
it2
LQ Newbie
 
Registered: Dec 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
# Generated by iptables-save v1.4.12 on Sun Dec 30 08:51:48 2012
*filter
:INPUT DROP [32:2209]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:548]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT
COMMIT
# Completed on Sun Dec 30 08:51:48 2012
 
Old 12-30-2012, 08:58 AM   #8
it2
LQ Newbie
 
Registered: Dec 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
Above is the output. I haven't read it like that yet. I have been using -L. It appears on this output the DROP policy takes precedence over the ACCEPT rules for the INPUT.
 
Old 12-30-2012, 09:01 AM   #9
it2
LQ Newbie
 
Registered: Dec 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
Below is the -L output for comparison.

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:http-alt
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT tcp -- anywhere anywhere tcp spt:smtp
ACCEPT tcp -- anywhere anywhere tcp spt:imap2
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:imap2
ACCEPT tcp -- anywhere anywhere tcp spt:smtp
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:http-alt

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain ufw-after-forward (0 references)
target prot opt source destination

Chain ufw-after-input (0 references)
target prot opt source destination

Chain ufw-after-logging-forward (0 references)
target prot opt source destination

Chain ufw-after-logging-input (0 references)
target prot opt source destination

Chain ufw-after-logging-output (0 references)
target prot opt source destination

Chain ufw-after-output (0 references)
target prot opt source destination

Chain ufw-before-forward (0 references)
target prot opt source destination

Chain ufw-before-input (0 references)
target prot opt source destination

Chain ufw-before-logging-forward (0 references)
target prot opt source destination

Chain ufw-before-logging-input (0 references)
target prot opt source destination

Chain ufw-before-logging-output (0 references)
target prot opt source destination

Chain ufw-before-output (0 references)
target prot opt source destination

Chain ufw-reject-forward (0 references)
target prot opt source destination

Chain ufw-reject-input (0 references)
target prot opt source destination

Chain ufw-reject-output (0 references)
target prot opt source destination

Chain ufw-track-input (0 references)
target prot opt source destination

Chain ufw-track-output (0 references)
target prot opt source destination

Last edited by it2; 12-30-2012 at 09:02 AM.
 
Old 12-30-2012, 11:49 AM   #10
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,806

Rep: Reputation: Disabled
A policy never takes precedence over a rule in any chain. I believe the main cause of your connection problems may be that there's no rule to allow DNS packets (UDP and TCP port 53). Without DNS, name resolution won't work.

Another issue is the lack of rules for traffic over the loopback interface (lo). This can cause all sorts of weird errors and malfunctions as processes on the same system may be unable to communicate with one another. You need this rule, preferably at the top of the chain:
Code:
iptables -A INPUT -i lo -j ACCEPT
Only locally generated traffic can ever enter the loopback interface, so this is perfectly safe.

As Netfilter (the firewall you configure with iptables) is a stateful firewall, there's a special match criterion for all packets received in response to outgoing requests: the ESTABLISHED state. Your entire INPUT chain can be replaced with a single rule:
Code:
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
You may also want to allow packets matching the RELATED state, as that covers stuff like ICMP errors and data streams detected by ALG modules (like FTP data and SIP/H.323 streams).

Flush your INPUT chain and add the two rules I just mentioned and perhaps the RELATED rule. If you then add an OUTPUT rule for DNS packets, I think you will find you can access the web from your laptop.
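An added example (not from the thread or from any poster) that audits an iptables-save dump for the problems Ser Olmy points out above: no loopback rule, no ESTABLISHED/RELATED rule, ACCEPT rules keyed only on the remote source port, no path for DNS replies, and duplicated rules. The two sample rulesets are constructed here, the first abbreviated from the dump it2 posted and the second rebuilt along the lines of this post; the function name and finding codes are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the INPUT chain from the posted dump, shortened to
# a few of the --sport rules (the pattern is identical for the rest).
POSTED_RULES = """\
*filter
:INPUT DROP [32:2209]
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
COMMIT
"""

# Constructed sample: the chain rebuilt as the post above recommends.
FIXED_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

def audit_input_chain(dump: str) -> dict[str, str]:
    """Check the INPUT chain of an iptables-save dump; returns {code: why}."""
    rules = [l for l in dump.splitlines() if l.startswith("-A INPUT ")]
    findings = {}
    if not any("-i lo " in r and r.endswith("-j ACCEPT") for r in rules):
        findings["no_loopback"] = "no rule accepting traffic on lo; local IPC will break"
    # Either the legacy state match or conntrack's --ctstate counts as stateful.
    stateful = [r for r in rules
                if re.search(r"--(?:ct)?state \S*(ESTABLISHED|RELATED)", r)]
    if not stateful:
        findings["no_state"] = ("no ESTABLISHED/RELATED rule; replies to outgoing "
                                "connections must be listed port by port")
    # Accepting on the remote source port alone trusts a value the peer chooses.
    sport_only = [r for r in rules if "--sport" in r and r not in stateful]
    if sport_only:
        findings["sport_only"] = (f"{len(sport_only)} ACCEPT rule(s) match only on "
                                  "remote --sport, which any peer can set")
    if not stateful and not any(re.search(r"--[sd]port 53\b", r) for r in rules):
        findings["no_dns"] = "no rule admitting DNS replies (port 53); name resolution fails"
    dups = [r for r, n in Counter(rules).items() if n > 1]
    if dups:
        findings["duplicates"] = f"{len(dups)} rule(s) appear more than once"
    return findings
```

Running `audit_input_chain(POSTED_RULES)` reports every finding except the loopback one, while the rebuilt chain in FIXED_RULES comes back clean.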
 
Old 12-30-2012, 12:12 PM   #11
it2
LQ Newbie
 
Registered: Dec 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
Ser,

thanks for the help, brother. I'll let you know how it goes.
 
Old 12-30-2012, 12:56 PM   #12
it2
LQ Newbie
 
Registered: Dec 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
Ser,
the rule you recommended is working. I'm gonna keep tweaking my rules a bit more, but mystery solved. Thanks again for the assist.
 
  

