edit iptables rules

Post by Nanar Duf » Thu, 18 May 2006 22:18:48



Hello,

I'm trying to edit iptables rules in order to only allow web surfing.
I tried this:

***********************************************************************************
#iptables -P INPUT DROP

#iptables -P OUTPUT DROP

#iptables -P FORWARD DROP

#iptables -A OUTPUT -o eth1 --protocol tcp --destination-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT

#iptables -A INPUT -i eth1 --protocol tcp --source-port 80 -m state --state ESTABLISHED -j ACCEPT

#iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www state ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www state NEW,ESTABLISHED

# telnet www.google.com 80
telnet: could not resolve www.google.com/80: Temporary failure in name
resolution
**************************************************************************************

Does anyone have an idea, please?

Thanks.


edit iptables rules

Post by noEM » Fri, 19 May 2006 05:52:47



> Hello,

> I'm trying to edit iptables rules in order to only allow web surfing. I
> tried this:

> *************************************************************************
> #iptables -P INPUT DROP

> #iptables -P OUTPUT DROP

> #iptables -P FORWARD DROP

> #iptables -A OUTPUT -o eth1 --protocol tcp --destination-port 80 -m state
> --state NEW,ESTABLISHED -j ACCEPT

> #iptables -A INPUT -i eth1 --protocol tcp --source-port 80 -m state
> --state ESTABLISHED -j ACCEPT

> #iptables -L
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www state ESTABLISHED

> Chain FORWARD (policy DROP)
> target     prot opt source               destination

> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www state NEW,ESTABLISHED

> # telnet www.google.com 80
> telnet: could not resolve www.google.com/80: Temporary failure in name
> resolution
> ***************************************************************************

> Does anyone have an idea, please?

> Thanks.

Hi.

What we seem to see here is a name resolution failure.

DNS is used to convert the name "www.google.com" into numeric IP addresses.

So you need to let the DNS traffic through your firewall rule set.

On my machine it looks like:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  MY_DNS_IP.90        0.0.0.0/0    tcp flags:!0x16/0x02
ACCEPT     udp  --  MY_DNS_IP.90        0.0.0.0/0
ACCEPT     tcp  --  MY_DNS_IP.53        0.0.0.0/0    tcp flags:!0x16/0x02
ACCEPT     udp  --  MY_DNS_IP.53        0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  MY_IP_ADDR.243        MY_DNS_IP.90      tcp dpt:53
ACCEPT     udp  --  MY_IP_ADDR.243        MY_DNS_IP.90      udp dpt:53

But if I may, have a look at a software called FireStarter.

Their URL is :

 http://www.fs-security.com/

Well, I hope it helps.


edit iptables rules

Post by Nanar Dyf » Fri, 19 May 2006 15:21:53


noEMA wrote:

> Hi.

> What we seem to see here is a name resolution failure.

> DNS is used to convert the name "www.google.com" into numeric IP addresses.

> So you need to let the DNS traffic through your firewall rule set.

> On my machine it looks like:

> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     tcp  --  MY_DNS_IP.90        0.0.0.0/0    tcp flags:!0x16/0x02
> ACCEPT     udp  --  MY_DNS_IP.90        0.0.0.0/0
> ACCEPT     tcp  --  MY_DNS_IP.53        0.0.0.0/0    tcp flags:!0x16/0x02
> ACCEPT     udp  --  MY_DNS_IP.53        0.0.0.0/0

> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     tcp  --  MY_IP_ADDR.243        MY_DNS_IP.90      tcp dpt:53
> ACCEPT     udp  --  MY_IP_ADDR.243        MY_DNS_IP.90      udp dpt:53

> But if I may, have a look at a software called FireStarter.

> Their URL is :

>  http://www.fs-security.com/

> Well, I hope it helps.

Thanks a lot, your solution works fine; I just added these rules to iptables:

*****************************************************************************
#iptables -A INPUT -i eth1 --protocol udp --source-port 53 -j ACCEPT
#iptables -A OUTPUT -o eth1 --protocol udp --destination-port 53 -j ACCEPT
#iptables -A INPUT -i eth1 --protocol tcp --source-port 53 -j ACCEPT
#iptables -A OUTPUT -o eth1 --protocol tcp --destination-port 53 -j ACCEPT
*****************************************************************************

Thanks.


edit iptables rules

Post by jewo » Sat, 20 May 2006 01:15:05


> Thanks a lot, your solution works fine; I just added these rules to iptables:

> *****************************************************************************
> #iptables -A INPUT -i eth1 --protocol udp --source-port 53 -j ACCEPT
> #iptables -A OUTPUT -o eth1 --protocol udp --destination-port 53 -j ACCEPT
> #iptables -A INPUT -i eth1 --protocol tcp --source-port 53 -j ACCEPT
> #iptables -A OUTPUT -o eth1 --protocol tcp --destination-port 53 -j ACCEPT
> *****************************************************************************

It works, but all UDP/TCP packets with source port 53 can pass the firewall,
so it's easy to get past your INPUT DROP policy! The solution noEMA has posted
is more secure.
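An added example, not code from anyone in this thread: a "web surfing only" ruleset that combines noEM's advice (DNS only to your own resolvers) with jewo's warning (never accept inbound traffic on source port alone). Replies come back through connection tracking instead of a blanket spt:53 rule. It assumes eth1 is the Internet-facing interface, as in the thread, takes the resolver addresses as arguments, and goes slightly beyond the thread by allowing 443 alongside 80; IPT defaults to `echo iptables` so the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a "web surfing only" ruleset that
# allows DNS only to the resolvers given as arguments, and lets replies in via
# connection tracking rather than trusting source port 53.
# WAN interface and resolver addresses are assumptions; IPT defaults to
# "echo iptables" so the rules are printed for review instead of applied.

WAN="${WAN:-eth1}"
IPT="${IPT:-echo iptables}"

# emit_rules RESOLVER_IP... : print (or, with IPT=iptables, apply) the ruleset
emit_rules() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # loopback: a local stub resolver and many tools need it
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # replies to connections this host opened; no "spt:" rules needed at all
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # outbound web: HTTP and HTTPS
    $IPT -A OUTPUT -o "$WAN" -p tcp -m multiport --dports 80,443 \
        -m state --state NEW,ESTABLISHED -j ACCEPT

    # outbound DNS, restricted to the configured resolvers (UDP and TCP)
    for ns in "$@"; do
        $IPT -A OUTPUT -o "$WAN" -d "$ns" -p udp --dport 53 \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -A OUTPUT -o "$WAN" -d "$ns" -p tcp --dport 53 \
            -m state --state NEW,ESTABLISHED -j ACCEPT
    done
}

# count_open_sport53 RESOLVER_IP... : number of INPUT rules that accept solely
# on a source port of 53 (the weakness jewo points out); expected to be 0
count_open_sport53() {
    emit_rules "$@" | grep -c -- '-A INPUT .*--sport 53' || true
}
```

Run `IPT=iptables sh script.sh` only after reviewing the printed rules; the resolver addresses in any test are constructed documentation-range values.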


1. iptables: rule with RETURN target just after a rule with ACCEPT target

Hi, I've seen in several scripts the following layout:

iptables criteria -j ACCEPT
iptables the_same_criteria_as_above -j RETURN

for example:

iptables  -A INPUT -p tcp -m tcp --dport 100 -j ACCEPT
iptables  -A INPUT -p tcp -m tcp --dport 100 -j RETURN

The last rule will never be matched, because all incoming TCP
connections will be accepted, and then will go through the next chain.
So, what is the usefulness of this configuration?

IMHO, I think it is for changing the scripts in a fast way (just
commenting out the first line will yield the default policy for the
INPUT chain)

TIA
