Questions Tagged With iptables
http://linuxexchange.org/tags/iptables/?type=rss
questions tagged <span class="tag">iptables</span>
en
Tue, 15 Nov 2011 19:33:53 -0500

Iptables - How to block sites with Iptables.
http://linuxexchange.org/questions/2742/iptables-how-to-block-sites-with-iptables
<p>Hello! I want to block unnecessary sites with iptables. What is the process? And how do I save the commands?</p>
<p>Thank you!</p>
gshack, Tue, 15 Nov 2011 19:33:53 -0500
Tags: iptables

iptables and sudo not logging
http://linuxexchange.org/questions/2355/iptables-and-sudo-not-logging
<p>I have Ubuntu 10.04.2 LTS 32-bit Desktop Edition and it's the same on 3 different systems.</p>
<p>iptables and sudo aren't logging and I need them to be.</p>
<p>1) None of them have the auth.log in /etc which is used for logging sudo commands/login authorizations</p>
<p>2) None of them have the syslog.conf file in /etc (but one does exist under /usr/share/logwatch/default.conf/logfiles/syslog.conf)</p>
<p>3) I've looked in the "Log Viewer" in Gnome and in /etc</p>
<p>I need to enable and monitor this logging somehow.</p>
Ron, Thu, 14 Apr 2011 13:53:25 -0400
Tags: iptables, syslog, lucid, logs, ubuntu

iptables configuration script - need help with it
http://linuxexchange.org/questions/1206/iptables-configuration-script-need-help-with-it
<p>This section is part of a larger install-script I'm working on, and my knowledge of iptables stinks (still learning it), so what I need is for this to be in the right order, with the right options enabled.</p>
<p>Basically I want:</p>
<ul>
<li>to allow in what need be, to drop (not reject, which I don't want)</li>
<li>to have separation of the info into the appropriate custom log files in /var/log</li>
<li>to be as safe as possible and secure against probes, attacks etc., yet still usable</li>
<li>to allow NAT port forwarding (I have a router like many people do) (I use SSH and VNC in/out)</li>
</ul>
<p>This is intended to be used on an Ubuntu desktop machine (Lucid Lynx or later)</p>
<p>Again... I know this stinks, but I need some serious help with it. Some options are in there, just not enabled, and that's fine.</p>
<p>I've updated the script on 08/13/10.</p>
<pre>
#! /bin/bash
#
######################################################################
# iptables setup and configuration
######################################################################
#
# The following is a script for setting up and configuring iptables on a desktop computer running Ubuntu.
#
iptables -F
#
######################################################################
# Logging
######################################################################
#
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
#
######################################################################
# iptables-rules-input-policies
######################################################################
#
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#
######################################################################
# Allow unlimited outbound traffic
######################################################################
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
######################################################################
# icmp, INPUT and ports setup
######################################################################
#
iptables -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 113 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5500 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5800 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT
#
######################################################################
# Securing INPUT
######################################################################
#
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
#
######################################################################
# Allow freenode to talk to gidentd
######################################################################
#
iptables -A INPUT -s chat.freenode.net -p tcp --dport 113 -j ACCEPT
#
######################################################################
# Enable IP Forwarding
######################################################################
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
######################################################################
# IP Masquerading
######################################################################
#
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
#
######################################################################
# iptables-anti-attack-measures-policies
######################################################################
#
# In the following section set it 1 to enable the feature or 0 to disable the feature
#
# TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
#
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#
######################################################################
# Lockdown INPUT
######################################################################
#
iptables -A INPUT -j DROP
iptables -P INPUT DROP
#
######################################################################
# iptables-save workaround
######################################################################
#
iptables-save -c > /etc/iptables.rules
# iptables-restore reads the ruleset from stdin, so feed it the saved file
iptables-restore < /etc/iptables.rules
</pre>
Ron, Wed, 11 Aug 2010 23:02:37 -0400
Tags: ubuntu, iptables, firewall, nat

iptables firewall problem openvpn bridged
http://linuxexchange.org/questions/1017/iptables-firewall-problem-openvpn-bridged
<p>Hi, I think I have some problems with my iptables firewall. My setup is: I have a PC (Debian installed) with 2 ethernet cards, eth0 connected to my LAN (192.168.1.0/24) and eth1 for the internet connection (ppp0). I have an OpenVPN server on that PC in bridged mode; the VPN clients can connect but can't ping the server or any other PC on my LAN, and the server or my LAN PCs can't ping the clients. The bridge is set up correctly and the setup of the OpenVPN server looks right, and the clients get an IP from my LAN and a route to it, so routing looks fine; the problem must be the iptables firewall. The requirements for the firewall are: my LAN can do anything except receiving or posting Windows shares, NetBIOS etc. over the internet or VPN; the VPN clients can do anything except receiving or posting Windows shares, NetBIOS etc. over the VPN, and they cannot access the internet over the VPN.</p>
<p>Could someone please have a look at my script?</p>
<p>Here's the interesting part of my firewall script:</p>
<pre><code>
# The iptables command. Shorter and sure
ipt="/sbin/iptables"

# The network interface
ifLan=eth0
ifWan=ppp0
ifVpnB=br0
ifVpn=tap+

VPN_PORT=1195

# FIREWALL STOP
...

# FIREWALL START/RELOAD/RESTART
echo "Building firewall..."

# Modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_MASQUERADE
modprobe ipt_state
modprobe ipt_LOG
modprobe iptable_nat
modprobe iptable_filter

# Flush current rules.
$ipt -F INPUT
$ipt -F OUTPUT
$ipt -F FORWARD
$ipt -t nat -F PREROUTING
$ipt -t nat -F POSTROUTING
$ipt -t nat -F OUTPUT
$ipt -F
$ipt -X

# Set default policies
$ipt --policy INPUT DROP
$ipt --policy OUTPUT ACCEPT
$ipt --policy FORWARD DROP
$ipt -t nat --policy PREROUTING ACCEPT
$ipt -t nat --policy POSTROUTING ACCEPT

# SYN flood protection
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# LOOPBACK
echo "Setting LOOPBACK rules"
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT

# WAN
echo "Setting WAN rules"
$ipt -A INPUT -i $ifWan -p udp --dport $VPN_PORT -m state --state NEW -j ACCEPT
$ipt -A INPUT -p tcp --dport 137:139 -i $ifWan -j DROP
$ipt -A INPUT -p udp --dport 137:139 -i $ifWan -j DROP
$ipt -A INPUT -p tcp --dport 445 -i $ifWan -j DROP
$ipt -A INPUT -p udp --dport 445 -i $ifWan -j DROP
$ipt -A INPUT -i $ifWan -m state --state ESTABLISHED,RELATED -j ACCEPT

$ipt -A OUTPUT -p tcp --dport 137:139 -o $ifWan -j DROP
$ipt -A OUTPUT -p udp --dport 137:139 -o $ifWan -j DROP
$ipt -A OUTPUT -p tcp --dport 445 -o $ifWan -j DROP
$ipt -A OUTPUT -p udp --dport 445 -o $ifWan -j DROP
$ipt -A OUTPUT -o $ifWan -j ACCEPT

$ipt -A FORWARD -p tcp --dport 137:139 -o $ifWan -j DROP
$ipt -A FORWARD -p udp --dport 137:139 -o $ifWan -j DROP
$ipt -A FORWARD -p tcp --dport 445 -o $ifWan -j DROP
$ipt -A FORWARD -p udp --dport 445 -o $ifWan -j DROP

$ipt -A FORWARD -i $ifWan -o $ifLan -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $ifWan -o $ifVpnB -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $ifWan -o $ifVpn -m state --state ESTABLISHED,RELATED -j ACCEPT

# VPN
echo "Setting VPN rules"
$ipt -A INPUT -i $ifVpn -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -o $ifVpn -j ACCEPT
$ipt -A FORWARD -i $ifVpn -o $ifLan -j ACCEPT
$ipt -A FORWARD -i $ifVpn -o $ifWan -j ACCEPT
$ipt -A FORWARD -i $ifVpn -o $ifVpnB -j ACCEPT

# BRIDGE
echo "Setting BRIDGE rules"
$ipt -A INPUT -i $ifVpnB -j ACCEPT
$ipt -A OUTPUT -o $ifVpnB -j ACCEPT
$ipt -A FORWARD -i $ifVpnB -o $ifWan -j ACCEPT
$ipt -A FORWARD -i $ifVpnB -o $ifLan -j ACCEPT
$ipt -A FORWARD -i $ifVpnB -o $ifVpn -j ACCEPT

# LAN
echo "Setting LAN rules"
$ipt -A INPUT -i $ifLan -j ACCEPT
$ipt -A OUTPUT -o $ifLan -j ACCEPT
$ipt -A FORWARD -i $ifLan -o $ifWan -j ACCEPT
$ipt -A FORWARD -i $ifLan -o $ifVpnB -j ACCEPT
$ipt -A FORWARD -i $ifLan -o $ifVpn -j ACCEPT

# Portforwarding
...

# Masquerading
$ipt -t nat -A POSTROUTING -j MASQUERADE
echo "Done!"
</code></pre>
<p>Thanks, Grobi</p>
Grobi, Fri, 09 Jul 2010 17:10:05 -0400
Tags: iptables, bridge

Bridge firewall with iptables; how do i block incoming traffic except for specified ports, and allow outgoing traffic?
http://linuxexchange.org/questions/158/bridge-firewall-with-iptables-how-do-i-block-incoming-traffic-except-for-specified-ports-and-allow-outgoing-traffic
<p>I'm having problems with iptables not doing what I want :(</p>
<p>I have an Ubuntu computer set up as a bridge between gateway and LAN, with the LAN connected to eth0 and eth1 connected to the gateway.</p>
<p>I'm trying to get it to basically block everything incoming except for the ports I specify (www, smtp ++), but also allow outgoing traffic. I've found, tried, and modified some examples I found on the web, but still it won't block incoming traffic (i.e., I'm still able to reach my webserver).</p>
<p>These are the rules I'm running now, and I can't figure out why it won't block incoming:</p>
<pre><code>
#!/bin/bash
iptables -F
iptables -X
iptables -I INPUT -i eth1 -j DROP
iptables -I INPUT -i eth0 -j DROP
iptables -I OUTPUT -o eth1 -j REJECT
iptables -I OUTPUT -o eth0 -j REJECT
# connection tracking (not entirely sure what this does, but tutorial said it was needed)
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow outgoing traffic
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# allow ping
iptables -A FORWARD -p icmp -i eth0 -o eth1 -j ACCEPT
# stop incoming
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
</code></pre>
<p><em>iptables -S</em> gives me</p>
<pre><code>
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth1 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -j REJECT --reject-with icmp-port-unreachable
</code></pre>
<p>Any advice on what I'm doing wrong is appreciated :(</p>
Zyprexa, Sun, 02 May 2010 20:15:10 -0400
Tags: iptables, bridge, firewall, ubuntu, network