LinuxQuestions.org
Ubuntu This forum is for the discussion of Ubuntu Linux.

Old 06-22-2007, 08:09 PM   #1
tommytomato
Member
 
Registered: Nov 2003
Location: Narrogin Western Australia
Distribution: GUI Ubuntu 14.0.4 - Server Ubuntu 14.04.5 LTS
Posts: 963

Rep: Reputation: 32
iptables


Hi all

Anyone who has used iptables with Ubuntu care to point me to an easy-to-understand tutorial, please?

I've tried and tried, but I can't get the hang of the major tutorials out there.

I have a script and I'm wondering whether it will run on Ubuntu 6.06-1.

As you can see, this was created for me some time ago; I haven't used it since, but now it's time to try to work it out. Anyone care to teach me or point me to a very basic tutorial, please?
Code:
# First dump: every table at its defaults (policy ACCEPT, no rules), i.e. an
# unfiltered host. Only the second dump below carries the actual firewall.
*mangle
:PREROUTING ACCEPT [1:576]
:INPUT ACCEPT [1:576]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [2:1152]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [6:3456]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

# Generated by iptables-save v1.2.9 on Tue Sep 21 12:29:55 2004
# mangle and nat tables are left at their defaults: nothing is rewritten or NATed here.
*mangle
:PREROUTING ACCEPT [1644:139895]
:INPUT ACCEPT [1644:139895]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1533:369026]
:POSTROUTING ACCEPT [1532:368906]
COMMIT
# Completed on Tue Sep 21 12:29:55 2004
# Generated by iptables-save v1.2.9 on Tue Sep 21 12:29:55 2004
*nat
:PREROUTING ACCEPT [25:3104]
:POSTROUTING ACCEPT [11:736]
:OUTPUT ACCEPT [11:736]
COMMIT
# Completed on Tue Sep 21 12:29:55 2004
# Generated by iptables-save v1.2.9 on Tue Sep 21 12:29:55 2004
*filter
# Default policies: anything not explicitly accepted below is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [1:120]
# User-defined chain used as the final "reject with an answer" step (see the end).
:REJECT-PKT - [0:0]
# Blocklist of individual source addresses, dropped silently before anything else.
-A INPUT -s 83.132.97.14 -j DROP
-A INPUT -s 81.199.85.110 -j DROP
-A INPUT -s 218.16.120.80 -j DROP
-A INPUT -s 210.59.228.94 -j DROP
-A INPUT -s 219.153.0.218 -j DROP
-A INPUT -s 63.93.95.121 -j DROP
-A INPUT -s 203.134.154.2 -j DROP
-A INPUT -s 67.52.65.10 -j DROP
# Loopback is trusted; 127.0.0.0/8 seen on any other interface is spoofed.
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -j DROP
-A INPUT -d 127.0.0.0/255.0.0.0 -j DROP
# A NEW TCP connection must begin with a bare SYN; drop anything else.
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
# Replies to connections this host opened, plus related ones (e.g. FTP data).
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Answer ping (ICMP echo-request).
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Services exposed to everyone: SSH, SMTP, HTTP, POP3, FTP. MySQL (3306) stays commented out.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# Everything else: TCP gets a RST and UDP an ICMP port-unreachable, so a scan
# reports those ports as "closed" rather than "stealth"; other protocols fall
# through to the DROP policy.
-A INPUT -j REJECT-PKT
# OUTPUT policy is DROP, so only packets sourced from loopback or these private
# ranges may leave; the host's own address must fall inside one of them.
-A OUTPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT
-A OUTPUT -s 10.0.0.0/255.0.0.0 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Sep 21 12:29:55 2004
TT
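Editor's added example, not code posted in this thread or taken from the Ubuntu howto: a ruleset like the one above is easier to review once it is parsed than read rule by rule. The Python below parses iptables-save format, lists the destination ports the INPUT chain accepts, and raises the two findings a reviewer looks for in rules like these: a chain whose policy is ACCEPT without a final catch-all DROP/REJECT (the shape of the rules posted later in this thread, where the policy stays ACCEPT and a final -A INPUT -j DROP does the work), and ACCEPT rules keyed only on a source port (the TRUSTED chain in the later iptables -L listing), which admit any inbound connection because the remote side chooses its own source port. The SAMPLE ruleset is constructed: a trimmed copy of the script above plus a TRUSTED chain written in iptables-save syntax.

```python
"""Parse an iptables-save dump and audit its filter table (added example, not
code from the thread). SAMPLE is constructed: a trimmed copy of the ruleset
posted above plus a TRUSTED chain like the one listed later in the thread."""
import shlex

SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:TRUSTED - [0:0]
:REJECT-PKT - [0:0]
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j TRUSTED
-A INPUT -j REJECT-PKT
-A TRUSTED -p tcp -m tcp --sport 443 -j ACCEPT
-A TRUSTED -p tcp -m tcp --sport 80 -j ACCEPT
-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""


def parse_rule(line):
    """'-A CHAIN <matches> -j TARGET' -> dict with chain, target, opts, neg, raw."""
    toks = shlex.split(line)[1:]                       # drop the leading "-A"
    rule = {"chain": toks[0], "target": None, "opts": {}, "neg": set(), "raw": line}
    i, negate = 1, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                                 # negates the option that follows
            negate, i = True, i + 1
            continue
        if not tok.startswith("-"):
            raise ValueError("unexpected token %r in %r" % (tok, line))
        vals, i = [], i + 1
        while i < len(toks) and not toks[i].startswith("-") and toks[i] != "!":
            vals.append(toks[i])                       # --tcp-flags takes two values
            i += 1
        if tok == "-j":
            rule["target"] = vals[0]
        else:
            rule["opts"].setdefault(tok, []).extend(vals)
            if negate:
                rule["neg"].add(tok)
        negate = False
    return rule


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):           # iptables-restore ignores these too
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy, _counters = line[1:].split()
            table["policies"][chain] = policy          # "-" marks a user-defined chain
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A "):
            table["rules"].append(parse_rule(line))
        else:
            raise ValueError("unsupported line: %r" % line)
    return tables


def accepted_dports(table, chain="INPUT"):
    """Destination ports ACCEPTed directly in `chain`: what the host exposes."""
    ports = set()
    for r in table["rules"]:
        if r["chain"] == chain and r["target"] == "ACCEPT":
            ports.update(r["opts"].get("--dport", []))
    return sorted(ports, key=lambda p: int(p.split(":")[0]))


def ends_in_deny(table, chain, depth=0):
    """True if the chain's last rule is an unconditional DROP/REJECT, following jumps
    into user chains. A protocol-specific reject ('-p udp ...') is not unconditional."""
    rules = [r for r in table["rules"] if r["chain"] == chain]
    if not rules or rules[-1]["opts"] or depth > 4:
        return False
    target = rules[-1]["target"]
    if target in ("DROP", "REJECT"):
        return True
    return target in table["policies"] and ends_in_deny(table, target, depth + 1)


def audit_filter(table):
    """Findings a reviewer would raise about a filter table."""
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if table["policies"].get(chain) == "ACCEPT" and not ends_in_deny(table, chain):
            findings.append("%s: policy ACCEPT with no catch-all DROP/REJECT" % chain)
    for r in table["rules"]:
        if r["target"] == "ACCEPT" and "--sport" in r["opts"] and "--dport" not in r["opts"]:
            findings.append("%s: ACCEPT keyed only on source port %s; the client picks its "
                            "own source port, so this admits any connection: %s"
                            % (r["chain"], ",".join(r["opts"]["--sport"]), r["raw"]))
    return findings

if __name__ == "__main__":
    flt = parse_iptables_save(SAMPLE)["filter"]
    print(flt["policies"], accepted_dports(flt), *audit_filter(flt), sep="\n")
```

Run as is, it prints the chain policies, the exposed INPUT ports (22 and 80) and the two source-port findings from the TRUSTED chain. Note that ends_in_deny() does not count INPUT's final jump to REJECT-PKT as a catch-all: that chain only answers TCP and UDP, so any other protocol falls through to the chain policy, which is exactly why the INPUT policy in the script above is DROP rather than ACCEPT.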
 
Old 06-22-2007, 08:54 PM   #2
fragos
Senior Member
 
Registered: May 2004
Location: Fresno CA USA
Distribution: Ubuntu 10.10
Posts: 1,466

Rep: Reputation: 51
iptables can be a bit confusing. I recommend you investigate firestarter, which is a GUI set-up for iptables. The firestarter daemon must be run at each boot, but the GUI portion only needs to be run when you want to look at the logs.
 
Old 06-22-2007, 09:12 PM   #3
tommytomato
Quote:
Originally Posted by fragos
iptables can be a bit confusing. I recommend you investigate firestarter, which is a GUI set-up for iptables. The firestarter daemon must be run at each boot, but the GUI portion only needs to be run when you want to look at the logs.
Thanks for the tip, but I run a command-line server.

Building it as we speak.

Any other ideas? I remember using a firewall before on a Fedora system by running the command redhat-config-firewall, I think it was. Anything like that around?

Or can I load that script I have and save it? The only problem is, if I stuff up, how can I reset iptables? I have the same network as before; it hasn't changed that much.

TT
 
Old 06-23-2007, 12:56 AM   #4
tommytomato
Question please

Should iptables be saved before one starts to muck around with it?

Code:
iptables-save
Or does it already have a backup copy?

Code:
iptables-restore
Just wondering, because I don't want to lock myself out. Would I be able to restore it so I can get back into the server?

TT on iptables

Last edited by tommytomato; 06-23-2007 at 12:58 AM.
 
Old 06-23-2007, 01:42 AM   #5
tommytomato
When adding pre-up iptables-restore < /etc/iptables.up.rules

to the /etc/network/interfaces script,

I get heaps of start-up errors.

Why is this so?

I saved a file /etc/iptables.up.rules with my new rules:
Code:
# Generated by iptables-save v1.3.3 on Sat Jun 23 14:26:42 2007
*filter
# Chain policies stay ACCEPT; the last INPUT rule below is the catch-all DROP.
:INPUT ACCEPT [955:73113]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [739:286876]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Anything not matched above is dropped; FORWARD and OUTPUT are left open.
-A INPUT -j DROP
COMMIT
# Completed on Sat Jun 23 14:26:42 2007
And I also saved a copy called /etc/iptables.test.rules:
Code:
# Generated by iptables-save v1.3.3 on Sat Jun 23 14:10:10 2007
*filter
# Accept-all ruleset: no rules and every policy ACCEPT, i.e. no firewall at all.
:INPUT ACCEPT [865:64590]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [525:201202]
COMMIT
# Completed on Sat Jun 23 14:10:10 2007
https://help.ubuntu.com/community/IptablesHowTo

TT
 
Old 06-23-2007, 09:16 PM   #6
tommytomato
Anyone know, please, how to save the iptables rules so they come up at boot?

I'm using a CLI (command-line) server, running Ubuntu 6.06-1.

I haven't been able to find an answer.

Anyone help, please?

TT
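Editor's added example covering the three questions above (saving before changing anything, loading the rules at boot, and not locking yourself out). It is not code from this thread or from the IptablesHowTo linked above. The idea: snapshot the live rules with iptables-save, fork a detached watchdog, load the new rules with iptables-restore, and unless you confirm from a fresh SSH login within N seconds the watchdog puts the snapshot back. The paths BACKUP_FILE and CONFIRM_FILE are assumptions, and simulate() swaps both iptables commands for constructed stubs (a plain file plays the kernel ruleset) so the logic can be exercised without root.

```python
"""Apply an iptables ruleset with an automatic rollback timer (added example,
not code from the thread or the Ubuntu howto). It wraps the stock
iptables-save / iptables-restore commands; the command lists are parameters so
the logic can be exercised offline with stub commands (see simulate()).
BACKUP_FILE and CONFIRM_FILE are assumed paths, not anything the thread uses."""
import os, subprocess, sys, tempfile, time

SAVE_CMD = ["iptables-save"]
RESTORE_CMD = ["iptables-restore"]
BACKUP_FILE = "/etc/iptables.rollback.rules"     # assumed path
CONFIRM_FILE = "/var/run/iptables.confirmed"     # assumed path


def backup_rules(backup_path, save_cmd=SAVE_CMD):
    """Snapshot the live ruleset (iptables-save format) to backup_path."""
    with open(backup_path, "w") as fh:
        subprocess.run(save_cmd, stdout=fh, check=True)


def load_rules(rules_path, restore_cmd=RESTORE_CMD):
    """iptables-restore < rules_path; CalledProcessError if the file is rejected."""
    with open(rules_path) as fh:
        subprocess.run(restore_cmd, stdin=fh, check=True)


def confirm_rules(confirm_path):
    """Tell the watchdog the new rules are fine (run this from the new SSH session)."""
    open(confirm_path, "w").close()


def start_rollback_watchdog(backup_path, confirm_path, seconds, restore_cmd=RESTORE_CMD):
    """Fork a detached child that restores backup_path after `seconds` unless
    confirm_path appears first. setsid() matters: if the new rules cut the SSH
    session, the SIGHUP that kills the shell must not take the watchdog with it."""
    pid = os.fork()
    if pid:
        return pid                       # parent: carry on applying the rules
    status = 0
    try:
        os.setsid()
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            if os.path.exists(confirm_path):
                os._exit(0)              # confirmed: the new rules stay
            time.sleep(0.1)
        load_rules(backup_path, restore_cmd)   # no confirmation: roll back
    except Exception:
        status = 1
    os._exit(status)                     # never return into the caller's code


def apply_with_rollback(rules_path, backup_path, confirm_path, seconds,
                        save_cmd=SAVE_CMD, restore_cmd=RESTORE_CMD):
    """Back up, arm the watchdog, then load the new rules. Returns the watchdog pid."""
    if os.path.exists(confirm_path):
        os.unlink(confirm_path)          # stale confirmation from an earlier run
    backup_rules(backup_path, save_cmd)
    pid = start_rollback_watchdog(backup_path, confirm_path, seconds, restore_cmd)
    try:
        load_rules(rules_path, restore_cmd)
    except subprocess.CalledProcessError:
        load_rules(backup_path, restore_cmd)   # undo any partially committed table
        confirm_rules(confirm_path)            # and stand the watchdog down
        raise
    return pid


def read(path):
    with open(path) as fh:
        return fh.read()


def simulate(seconds=1):
    """Offline run (constructed): a plain file stands in for the kernel ruleset,
    `cat` for iptables-save and a `cat >` one-liner for iptables-restore.
    Returns what the "kernel" held after each step."""
    d = tempfile.mkdtemp()
    live, new = os.path.join(d, "live"), os.path.join(d, "new.rules")
    backup, confirm = os.path.join(d, "backup"), os.path.join(d, "confirm")
    with open(live, "w") as fh:
        fh.write("*filter\n:INPUT ACCEPT [0:0]\nCOMMIT\n")
    with open(new, "w") as fh:
        fh.write("*filter\n:INPUT DROP [0:0]\nCOMMIT\n")
    save, restore = ["cat", live], ["sh", "-c", 'cat > "$0"', live]
    seen = {}
    pid = apply_with_rollback(new, backup, confirm, seconds, save, restore)
    seen["after_apply"] = read(live)
    os.waitpid(pid, 0)                   # nobody confirmed: the watchdog rolls back
    seen["after_timeout"] = read(live)
    pid = apply_with_rollback(new, backup, confirm, seconds, save, restore)
    confirm_rules(confirm)
    os.waitpid(pid, 0)
    seen["after_confirm"] = read(live)
    return seen


if __name__ == "__main__":
    if sys.argv[1:] == ["--demo"]:
        print(simulate())
    elif sys.argv[1:] == ["--confirm"]:
        confirm_rules(CONFIRM_FILE)
    elif len(sys.argv) == 2:
        apply_with_rollback(sys.argv[1], BACKUP_FILE, CONFIRM_FILE, 60)
        print("applied; run '%s --confirm' within 60 s or the old rules come back" % sys.argv[0])
    else:
        sys.exit("usage: %s RULES_FILE | --confirm | --demo" % sys.argv[0])
```

Typical use as root: python3 safe_apply.py /etc/iptables.up.rules, then from a new SSH login python3 safe_apply.py --confirm within the minute. Making the rules persistent is a separate step once they are confirmed: the pre-up iptables-restore line from the howto loads that same file at boot. If that line produces errors at boot, run iptables-restore < /etc/iptables.up.rules by hand first; it either loads cleanly or prints the line it rejects, and with the rollback timer a bad file costs nothing but the wait.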
 
Old 06-23-2007, 09:24 PM   #7
fragos
When you start firestarter, the firewall rules created with firestarter are re-applied.
 
Old 06-23-2007, 09:29 PM   #8
tommytomato
Quote:
Originally Posted by fragos
When you start firestarter, the firewall rules created with firestarter are re-applied.
Sorry to say, but I'm not using firestarter on a CLI (command-line) server.

Anyone else know, please?

TT
 
Old 06-24-2007, 12:18 AM   #9
spurious
Member
 
Registered: Apr 2003
Location: Vancouver, BC
Distribution: Slackware, Ubuntu
Posts: 558

Rep: Reputation: 31
See this concise iptables tutorial. Although it is written for Ubuntu, you can adapt it to other distros.
 
Old 06-24-2007, 12:22 AM   #10
tommytomato
Quote:
Originally Posted by spurious
See this concise iptables tutorial. Although it is written for Ubuntu, you can adapt it to other distros.
Funny you should post that link; I'm reading it now
and making up my own as we speak,

even though I don't know what I'm doing.

TT
 
Old 06-24-2007, 02:31 AM   #11
tommytomato
Hi all

How do I undo sudo update-rc.d firewall defaults, please?

I have blocked all traffic from the net.

TT
 
Old 06-24-2007, 02:48 AM   #12
tommytomato
This is so weird.

My brother tells me the site is up,
but when I use a net scanner it tells me only one port is open, like so:
Quote:
GRC Port Authority Report created on UTC: 2007-06-24 at 06:59:49

Results from scan of ports: 0-1055

1 Ports Open
1047 Ports Closed
8 Ports Stealth
---------------------
1056 Ports Tested

The port found to be OPEN was: 80

Ports found to be STEALTH were: 21, 23, 135, 139, 254, 255,
445, 593

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
But when I use nmap and scan the server PC, which is on my network, it shows me this:

Quote:
When I ran /etc/init.d/firewall stop:

Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-24 14:22 WST
Interesting ports on rockinghamgateway.com (192.168.1.4):
Not shown: 1687 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql

Nmap finished: 1 IP address (1 host up) scanned in 0.235 seconds


When I ran /etc/init.d/firewall restart:

Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-24 14:23 WST
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 4.007 seconds
I think I have opened up all the ports somehow.

Anyone know what I did wrong?

TT
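Editor's added example, not from the thread, on reading the two scans above. A scanner calls a TCP port open when it gets SYN/ACK back, closed when it gets a RST (the host answered, so nothing is dropping that port; a REJECT --reject-with tcp-reset looks exactly like this), and stealth or filtered when nothing comes back at all (a DROP rule on the host or somewhere upstream). So a report with 1047 closed ports means each probe was answered with a refusal; ports only show as stealth where something swallows the probe. nmap reports "Host seems down" when none of its host-discovery probes get an answer (ICMP echo plus a couple of TCP probes, or ARP on the local segment when run as root); -P0, as its own message suggests (current versions spell it -Pn), skips discovery and scans anyway, which is the right mode against a host that drops unsolicited traffic. The script below makes the same classification with ordinary connect() calls and no root; its demo builds one listening port and one closed port on 127.0.0.1, which is constructed input.

```python
"""Classify TCP ports the way a port scanner does (added example, not code
from the thread). Plain connect() probes, no raw sockets and no root:
  SYN/ACK  -> "open"
  RST      -> "closed"     the host answered, so no DROP rule covers the port
  no reply -> "filtered"   GRC's "stealth": a DROP here or somewhere upstream
demo() builds its own open and closed port on 127.0.0.1 (constructed input)."""
import errno, socket, sys


def probe_tcp(host, port, timeout=2.0):
    """Return one of open / closed / filtered / unreachable / error."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"                # packets silently dropped (-j DROP)
    except ConnectionRefusedError:
        return "closed"                  # RST, or REJECT --reject-with icmp-port-unreachable
    except OSError as e:
        if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"         # no route, or an ICMP host/admin-prohibited reject
        return "error"
    finally:
        s.close()


def scan(host, ports, timeout=2.0):
    """Probe each port in turn; returns {port: state}."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def summarize(states):
    """Counts in the style of the GRC report quoted above."""
    out = {k: 0 for k in ("open", "closed", "filtered", "unreachable", "error")}
    for st in states.values():
        out[st] += 1
    out["open_ports"] = sorted(p for p, st in states.items() if st == "open")
    out["filtered_ports"] = sorted(p for p, st in states.items() if st == "filtered")
    return out


def demo():
    """Constructed offline check: a listener on 127.0.0.1 gives an open port; an
    ephemeral port that was bound and released gives a closed one (RST).
    Returns (state_of_open_port, state_of_closed_port)."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    open_port = lst.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                          # nothing listens here any more -> RST
    try:
        states = scan("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        lst.close()
    return states[open_port], states[closed_port]


if __name__ == "__main__":
    if len(sys.argv) == 3:               # e.g. portstate.py 192.168.1.4 1-1055
        lo, hi = (int(x) for x in sys.argv[2].split("-"))
        print(summarize(scan(sys.argv[1], range(lo, hi + 1))))
    else:
        print("demo on loopback:", demo())
```

One caveat when comparing with the GRC result: a scan from inside the LAN (192.168.1.4) only shows what the LAN path sees. Rules bound to a particular interface, or the gateway in front of the server, can make the internet-facing view differ, so keep the external scan alongside the internal one.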
 
Old 06-24-2007, 03:42 AM   #13
tommytomato
Can anyone please tell me why I get this error?

Code:
/etc/init.d/firewall restart
Removing all iptables rules:  [End of flush]
Iptables rules creation: iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
And here is my latest try:
Code:
/etc/init.d/firewall status
Chain FIREWALL (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
TRUSTED    all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
FIREWALL   all  --  anywhere             anywhere            
DROP       all  --  a83-132-97-14.cpe.netcabo.pt  anywhere            
DROP       all  --  81.199.85.110        anywhere            
DROP       all  --  218.16.120.80        anywhere            
DROP       all  --  mx4.url.com.tw       anywhere            
DROP       all  --  218.0.153.219.broad.cq.cq.dynamic.163data.com.cn  anywhere            
DROP       all  --  63-93-95-121.lsan.mdsg-pacwest.com  anywhere            
DROP       all  --  002.011.dsl.syd.iprimus.net.au  anywhere            
DROP       all  --  mail.ala-hawaii.org  anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain TRUSTED (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere            udp spt:https 
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https 
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www 
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:smtp 
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:pop3 
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

TT
 
Old 06-24-2007, 11:25 AM   #14
spurious
Quote:
Originally Posted by tommytomato
Hi all

How do I undo sudo update-rc.d firewall defaults, please?

I have blocked all traffic from the net.

TT
To remove the 'firewall' script from your start-up rc.d list, just do: sudo update-rc.d firewall remove
 
Old 06-24-2007, 11:27 AM   #15
spurious
Quote:
Originally Posted by tommytomato
Can anyone please tell me why I get this error?

Code:
/etc/init.d/firewall restart
Removing all iptables rules:  [End of flush]
Iptables rules creation: iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
Please post your firewall iptables script.
 
  

