LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-15-2018, 03:20 PM   #16
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,679

Rep: Reputation: 5892

Code:
# ALL UDP
iptables -N RULE_21
iptables -A OUTPUT -p udp -m udp  -j RULE_21
iptables -A INPUT -p udp -m udp  -j RULE_21
iptables -A RULE_21  -j LOG  --log-level info --log-prefix "RULE 21 -- DENY "
iptables -A RULE_21  -j DROP

# ALL TCP
iptables -N RULE_22
iptables -A OUTPUT -p tcp -m tcp  -j RULE_22
iptables -A INPUT -p tcp -m tcp  -j RULE_22
iptables -A RULE_22  -j LOG  --log-level info --log-prefix "RULE 22 -- DENY "
iptables -A RULE_22  -j DROP
It looks like you're dropping all other UDP/TCP traffic, including SMB/CIFS.
 
Old 10-15-2018, 03:33 PM   #17
PROBLEMCHYLD
Senior Member
 
Registered: Apr 2015
Posts: 1,201

Original Poster
Rep: Reputation: Disabled
Thanks, now how do I allow only my LAN to see the other computers on the network along with the Samba shares?

Last edited by PROBLEMCHYLD; 10-15-2018 at 03:38 PM.
 
Old 10-15-2018, 03:50 PM   #18
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,679

Rep: Reputation: 5892
Samba uses these ports:
Code:
NetBIOS Name Service    137    udp
NetBIOS Datagram        138    udp
NetBIOS Session         139    tcp
SMB over TCP            445    tcp
Add rules to allow the desired ports where the source is your local LAN.
 
Old 10-15-2018, 04:45 PM   #19
PROBLEMCHYLD
Senior Member
 
Registered: Apr 2015
Posts: 1,201

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk View Post
Samba uses these ports:
Code:
NetBIOS Name Service    137    udp
NetBIOS Datagram        138    udp
NetBIOS Session         139    tcp
SMB over TCP            445    tcp
Add rules to allow the desired ports where the source is your local LAN.
I know how to add the Samba bits but not the LAN part. A little help, thank you.
 
Old 10-15-2018, 04:57 PM   #20
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,679

Rep: Reputation: 5892
I think this will work. Change what is necessary for the others.

Quote:
# 192.168.1.0/24 stands for your LAN; both lines must name the same network
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -p udp --sport 137 -m state --state ESTABLISHED -j ACCEPT
 
Old 10-15-2018, 05:41 PM   #21
PROBLEMCHYLD
Senior Member
 
Registered: Apr 2015
Posts: 1,201

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk View Post
Code:
# ALL UDP
iptables -N RULE_21
iptables -A OUTPUT -p udp -m udp  -j RULE_21
iptables -A INPUT -p udp -m udp  -j RULE_21
iptables -A RULE_21  -j LOG  --log-level info --log-prefix "RULE 21 -- DENY "
iptables -A RULE_21  -j DROP

# ALL TCP
iptables -N RULE_22
iptables -A OUTPUT -p tcp -m tcp  -j RULE_22
iptables -A INPUT -p tcp -m tcp  -j RULE_22
iptables -A RULE_22  -j LOG  --log-level info --log-prefix "RULE 22 -- DENY "
iptables -A RULE_22  -j DROP
It looks like you're dropping all other UDP/TCP traffic, including SMB/CIFS.
This has really helped me. Thank you very much... Now, when I change DROP to ACCEPT, am I opening a can of worms? I can see the computers on the LAN and connect when I change it to ACCEPT.
 
Old 10-15-2018, 05:58 PM   #22
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,679

Rep: Reputation: 5892
You have specific rules to log and drop UDP/TCP traffic, but your basic policies are DROP, which means you need an input and an output rule for any traffic. Changing DROP to ACCEPT basically allows any traffic not denied by an existing rule in and out.

Last edited by michaelk; 10-15-2018 at 05:59 PM.
 
Old 10-15-2018, 09:32 PM   #23
PROBLEMCHYLD
Senior Member
 
Registered: Apr 2015
Posts: 1,201

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk View Post
You have specific rules to log and drop UDP/TCP traffic, but your basic policies are DROP, which means you need an input and an output rule for any traffic. Changing DROP to ACCEPT basically allows any traffic not denied by an existing rule in and out.
I somewhat understand this, but how do I fix it? I need an example...
 
Old 10-16-2018, 05:58 AM   #24
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,679

Rep: Reputation: 5892
Code:
-A INPUT -m state --state NEW -p udp --dport 137 -j ACCEPT
-A OUTPUT -p udp --sport 137 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -m state --state NEW -p udp --dport 138 -j ACCEPT
-A OUTPUT -p udp --sport 138 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A OUTPUT -p tcp --sport 139 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -m state --state NEW -p tcp --dport 445 -j ACCEPT
-A OUTPUT -p tcp --sport 445 -m state --state ESTABLISHED -j ACCEPT
 
Old 10-16-2018, 10:59 AM   #25
PROBLEMCHYLD
Senior Member
 
Registered: Apr 2015
Posts: 1,201

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk View Post
Code:
-A INPUT -m state --state NEW -p udp --dport 137 -j ACCEPT
-A OUTPUT -p udp --sport 137 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -m state --state NEW -p udp --dport 138 -j ACCEPT
-A OUTPUT -p udp --sport 138 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A OUTPUT -p tcp --sport 139 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -m state --state NEW -p tcp --dport 445 -j ACCEPT
-A OUTPUT -p tcp --sport 445 -m state --state ESTABLISHED -j ACCEPT
I think my failure is that I'm putting the rules in the wrong spot. Adding the Samba rules before rules 21 and 22 still blocks the LAN.
 
Old 10-16-2018, 11:39 AM   #26
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,679

Rep: Reputation: 5892
Forgot one...

Code:
-A INPUT -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A OUTPUT -p tcp --sport 137 -m state --state ESTABLISHED -j ACCEPT
 
Old 10-16-2018, 12:21 PM   #27
PROBLEMCHYLD
Senior Member
 
Registered: Apr 2015
Posts: 1,201

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk View Post
Forgot one...

Code:
-A INPUT -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A OUTPUT -p tcp --sport 137 -m state --state ESTABLISHED -j ACCEPT
I have added the following to iptables right before rules 21 and 22; still nothing.

Code:
# SAMBA
iptables -N RULE_15
iptables -A OUTPUT -p tcp -m tcp --sport 137 -j RULE_15
iptables -A INPUT -p tcp -m tcp --dport 137 -j RULE_15
iptables -A RULE_15 -j LOG --log-level info --log-prefix "RULE 15 -- ACCEPT"
iptables -A RULE_15 -j ACCEPT

iptables -N RULE_16
iptables -A OUTPUT -p udp -m udp --sport 137 -j RULE_16
iptables -A INPUT -p udp -m udp --dport 137 -j RULE_16
iptables -A RULE_16 -j LOG --log-level info --log-prefix "RULE 16 -- ACCEPT"
iptables -A RULE_16 -j ACCEPT

iptables -N RULE_17
iptables -A OUTPUT -p udp -m udp --sport 138 -j RULE_17
iptables -A INPUT -p udp -m udp --dport 138 -j RULE_17
iptables -A RULE_17 -j LOG --log-level info --log-prefix "RULE 17 -- ACCEPT"
iptables -A RULE_17 -j ACCEPT

iptables -N RULE_18
iptables -A OUTPUT -p tcp -m tcp --sport 139 -j RULE_18
iptables -A INPUT -p tcp -m tcp --dport 139 -j RULE_18
iptables -A RULE_18 -j LOG --log-level info --log-prefix "RULE 18 -- ACCEPT"
iptables -A RULE_18 -j ACCEPT

iptables -N RULE_19
iptables -A OUTPUT -p tcp -m tcp --sport 445 -j RULE_19
iptables -A INPUT -p tcp -m tcp --dport 445 -j RULE_19
iptables -A RULE_19 -j LOG --log-level info --log-prefix "RULE 19 -- ACCEPT"
iptables -A RULE_19 -j ACCEPT
Still can't see the computers on the LAN, only if I use ACCEPT on rules 21/22.
 
Old 10-16-2018, 01:38 PM   #28
PROBLEMCHYLD
Senior Member
 
Registered: Apr 2015
Posts: 1,201

Original Poster
Rep: Reputation: Disabled
What rule would I use to pass my hardware router through iptables? I believe this is the culprit of all my issues. I could be wrong, but I don't know enough about iptables. So hopefully passing my router through iptables will help.
 
Old 10-16-2018, 08:36 PM   #29
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Can you post the output of the following command:

Code:
iptables -S
 
Old 10-16-2018, 10:40 PM   #30
PROBLEMCHYLD
Senior Member
 
Registered: Apr 2015
Posts: 1,201

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by lazydog View Post
Can you post the output of the following command:

Code:
iptables -S
Code:
[root@darkstar:~] # iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N In_RULE_0
-N In_RULE_1
-N In_RULE_2
-N In_RULE_3
-N In_RULE_4
-N In_RULE_5
-N In_RULE_6
-N In_RULE_7
-N RULE_20
-N RULE_21
-N RULE_22
-N RULE_23
-N drop_invalid
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -m state --state INVALID -j drop_invalid
-A INPUT -p tcp -m tcp --sport 1:65535 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j drop_invalid
-A INPUT -s 127.0.0.1/32 -i wlan0 -j In_RULE_0
-A INPUT -p icmp -m icmp --icmp-type any -j In_RULE_1
-A INPUT -p tcp -m tcp --dport 43 -j In_RULE_2
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j In_RULE_3
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j In_RULE_4
-A INPUT -f -j In_RULE_5
-A INPUT -p udp -m udp --dport 513 -j In_RULE_6
-A INPUT -p udp -m udp --dport 33434:33524 -j In_RULE_7
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j RULE_20
-A INPUT -p udp -m udp -j RULE_21
-A INPUT -p tcp -m tcp -j RULE_22
-A INPUT -j RULE_23
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A OUTPUT -m state --state INVALID -j drop_invalid
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1025:65535 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1701 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1723 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3389 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 3389 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6667 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6697 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6881 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 6881 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 8881 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8881 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 7881 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --sport 123 -j RULE_20
-A OUTPUT -p udp -m udp -j RULE_21
-A OUTPUT -p tcp -m tcp -j RULE_22
-A OUTPUT -d 127.0.0.1/32 -j RULE_23
-A In_RULE_0 -j LOG --log-prefix "RULE 0 -- DENY" --log-level 6
-A In_RULE_0 -j DROP
-A In_RULE_1 -j LOG --log-prefix "RULE 1 -- DENY" --log-level 6
-A In_RULE_1 -j DROP
-A In_RULE_2 -j LOG --log-prefix "RULE 2 -- DENY" --log-level 6
-A In_RULE_2 -j DROP
-A In_RULE_3 -j LOG --log-prefix "RULE 3 -- DENY" --log-level 6
-A In_RULE_3 -j DROP
-A In_RULE_4 -j LOG --log-prefix "RULE 4 -- DENY" --log-level 6
-A In_RULE_4 -j DROP
-A In_RULE_5 -j LOG --log-prefix "RULE 5 -- DENY" --log-level 6
-A In_RULE_5 -j DROP
-A In_RULE_6 -j LOG --log-prefix "RULE 6 -- DENY" --log-level 6
-A In_RULE_6 -j DROP
-A In_RULE_7 -j LOG --log-prefix "RULE 7 -- DENY" --log-level 6
-A In_RULE_7 -j DROP
-A RULE_20 -j LOG --log-prefix "RULE 20 -- DENY" --log-level 6
-A RULE_20 -j DROP
-A RULE_21 -j LOG --log-prefix "RULE 21 -- DENY" --log-level 6
-A RULE_21 -j DROP
-A RULE_22 -j LOG --log-prefix "RULE 22 -- DENY" --log-level 6
-A RULE_22 -j DROP
-A RULE_23 -j LOG --log-prefix "RULE 23 -- DENY" --log-level 6
-A RULE_23 -j DROP
-A drop_invalid -j LOG --log-prefix "INVALID state -- DENY" --log-level 7
-A drop_invalid -j DROP
[root@darkstar:~] #
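The LAN-scoped rules michaelk describes in posts #18, #20 and #24, and the placement problem in #25 to #27, can be checked offline against the `iptables -S` dump in post #30. What follows is an added example, not code from this thread or from any of its posters: a small Python tracer that parses an abridged copy of the posted dump, walks a packet through the INPUT or OUTPUT chain the way the kernel does (rules are tried top down, the first terminating target wins, LOG is non-terminating, and a jump into RULE_21 or RULE_22 ends in DROP), then inserts LAN-scoped ACCEPT rules ahead of the catch-all jumps and traces the same packets again. The LAN 192.168.1.0/24, the host address 192.168.1.10, the LAN peer 192.168.1.20 and the outside address 203.0.113.7 are assumptions, only the match options that occur in the abridged dump are implemented, and all function names are the example's own. Two points it makes that the thread's rules do not: the OUTPUT rules in post #27 match on --sport, so this host's own connections to other machines' shares (outbound to port 139 or 445 from an ephemeral source port) do not match them and still reach RULE_22; and because the posted ruleset already accepts RELATED,ESTABLISHED in both directions, only the NEW direction needs explicit rules.

```python
# Added example, not code from the thread: a minimal iptables rule tracer run over an
# abridged copy of the `iptables -S` dump posted above (only the lines that decide the
# fate of Samba traffic are kept); the LAN and the three addresses are assumptions.
import ipaddress, shlex

RULESET = """
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp -j RULE_21
-A INPUT -p tcp -m tcp -j RULE_22
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp -j RULE_21
-A OUTPUT -p tcp -m tcp -j RULE_22
-A RULE_21 -j LOG --log-prefix "RULE 21 -- DENY" --log-level 6
-A RULE_21 -j DROP
-A RULE_22 -j LOG --log-prefix "RULE 22 -- DENY" --log-level 6
-A RULE_22 -j DROP
"""
SAMBA_PORTS = (("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445))
LAN, ME, PEER, OUTSIDER = "192.168.1.0/24", "192.168.1.10", "192.168.1.20", "203.0.113.7"
ONE_ARG = ("-s", "-d", "-p", "--dport", "--sport", "--state")   # options taking one value

def parse_rule(line):
    # '-A CHAIN <matches> -j TARGET' -> (chain, [(option, value, negated)], target)
    tok, matches, target, neg, i = shlex.split(line), [], None, False, 2
    while i < len(tok):
        t = tok[i]
        if t == "!":
            neg = True
        elif t in ONE_ARG:
            matches.append((t, tok[i + 1], neg)); neg, i = False, i + 1
        elif t == "-j":
            target, i = tok[i + 1], i + 1
        elif t in ("-m", "--log-prefix", "--log-level"):  # module names, LOG options: no match
            i += 1
        else:
            raise ValueError(f"unsupported option {t!r} in: {line}")
        i += 1
    return tok[1], matches, target

def load(text):
    # Dump text -> (policies, {chain: [(matches, target), ...]})
    lines = text.strip().splitlines()
    policy = {ln.split()[1]: ln.split()[2] for ln in lines if ln.startswith("-P ")}
    chains = {}
    for chain, matches, target in (parse_rule(ln) for ln in lines if ln.startswith("-A ")):
        chains.setdefault(chain, []).append((matches, target))
    return policy, chains

def match_one(opt, val, pkt):
    if opt in ("-s", "-d"):
        addr = pkt["src" if opt == "-s" else "dst"]
        return ipaddress.ip_address(addr) in ipaddress.ip_network(val, strict=False)
    if opt == "-p":
        return pkt["proto"] == val
    if opt in ("--dport", "--sport"):
        return int(val) == pkt[opt[2:]]
    return pkt["state"] in val.split(",")             # --state NEW,ESTABLISHED,...

def walk(chains, chain, pkt, path):
    # Run pkt down one chain; return the terminating target, or None if it falls off the end.
    for n, (matches, target) in enumerate(chains.get(chain, []), 1):
        if not all(match_one(o, v, pkt) != neg for o, v, neg in matches):
            continue
        path.append(f"{chain}#{n} {target}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target != "LOG":                           # LOG is non-terminating; else a jump
            verdict = walk(chains, target, pkt, path)
            if verdict:
                return verdict
    return None

def trace(fw, pkt):
    # (verdict, path); the built-in chain's policy decides if nothing terminates.
    base, path = ("INPUT" if pkt["dir"] == "in" else "OUTPUT"), []
    return walk(fw[1], base, pkt, path) or fw[0][base], path

def samba_lan_rules(lan):
    # NEW connections from lan to this host (INPUT -s) and from this host to lan (OUTPUT -d);
    # replies already pass the RELATED,ESTABLISHED rules, so no --sport rules are needed.
    return [f"-A {ch} {side} {lan} -p {proto} -m {proto} --dport {port} -m state --state NEW -j ACCEPT"
            for proto, port in SAMBA_PORTS for ch, side in (("INPUT", "-s"), ("OUTPUT", "-d"))]

def insert_before(fw, lines, jump="RULE_21"):
    # Put rules just ahead of the first jump to `jump` (the catch-all) in their chain, as
    # `iptables -I CHAIN <n>` would; appended after that jump they would never be reached.
    for chain, matches, target in map(parse_rule, lines):
        rules = fw[1][chain]
        at = next((i for i, r in enumerate(rules) if r[1] == jump), len(rules))
        rules.insert(at, (matches, target))

def packet(d, proto, dport, src, dst, sport=40000):
    return dict(dir=d, proto=proto, dport=dport, sport=sport, src=src, dst=dst, state="NEW")

def demo(lan=LAN):
    # Three constructed packets, traced before and after adding the LAN-scoped rules.
    pkts = {"netbios name query out": packet("out", "udp", 137, ME, PEER, sport=137),
            "smb from LAN peer": packet("in", "tcp", 445, PEER, ME),
            "smb from outside": packet("in", "tcp", 445, OUTSIDER, ME)}
    fw = load(RULESET)
    before = {k: trace(fw, p) for k, p in pkts.items()}
    insert_before(fw, samba_lan_rules(lan))
    return before, {k: trace(fw, p) for k, p in pkts.items()}

if __name__ == "__main__":
    for label, results in zip(("before", "after"), demo()):
        print(label, *(f"{k}: {v} via {' > '.join(p)}" for k, (v, p) in results.items()), sep="\n  ")
```

Run as-is, it prints each packet's path: before the change the outbound name query ends in RULE_21 (LOG, then DROP) and the peer's SMB connection in RULE_22, afterwards both are accepted by the inserted rules while the outside address still falls through to RULE_22. On a live box, the same check without the script is to read `iptables -S INPUT` and `iptables -S OUTPUT` top down until the first rule that matches the packet; note that the dump in post #30 contains no RULE_15 to RULE_19 chains at all, so the rules from post #27 were not loaded when it was taken.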
 
  

