need help with writing iptables rules


theYinYeti

Hi! Happy New Year!

 

I have installed a server on a USB key, and there is very little space available, so I want to write my firewall rules myself instead of installing a firewall front-end software.

 

I'm doing tests on my main PC, currently running Shorewall, so IMO I have to do some "house-cleaning" first, hence the flush at the start of my script. Before any attempt, here was the output from nmap:

[root@sedentaire ~]# nmap -sS -sU 192.168.1.21

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-31 16:37 CET
Interesting ports on sedentaire (192.168.1.21):
Not shown: 1983 closed ports
PORT     STATE         SERVICE
22/tcp   open          ssh
139/tcp  open          netbios-ssn
143/tcp  open          imap
445/tcp  open          microsoft-ds
631/tcp  open          ipp
993/tcp  open          imaps
3128/tcp open          squid-http
6566/tcp open          unknown
8080/tcp open          http-proxy
68/udp   open|filtered dhcpc
123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
177/udp  open|filtered xdmcp
631/udp  open|filtered ipp
3130/udp open|filtered squid-ipc
5353/udp open|filtered zeroconf

Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds

 

Following explanations from linuxhomenetworking.com, I wrote this simple basic firewall, just as a test:

iptables -t filter -F
iptables -t filter -A OUTPUT -j ACCEPT
iptables -t filter -A FORWARD -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 51413 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 51413 -j ACCEPT
iptables -t filter -A INPUT -j DROP

 

But it does not work. Instead of telling me that one port is open (51413), nmap seems to just hang…

What is wrong with my rules?

 

Yves.

Edited by theYinYeti

The server has only one network interface and is connected to my home LAN. There, 192.168.1.X PCs can access the server. Besides, my ADSL router is configured so that all connections from internet on ports from 1 to 10000 are redirected to the server. Thus, the server can also be accessed from internet, but with a bit more restrictions (hence the -s parameters).

 

Reading a bit more, I came up with this. Is it any better? Or even good? :)

# default rules
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT

# reset specific rules
iptables -t filter -F INPUT
iptables -t filter -F FORWARD
iptables -t filter -F OUTPUT

# allow continuation of already-started connections
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow local connections
iptables -t filter -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

# allowed ports (running servers):
# 1/ TCP
# echo
iptables -t filter -A INPUT -p tcp --dport 7 --syn -j ACCEPT
# ssh
iptables -t filter -A INPUT -p tcp --dport 22 --syn -j ACCEPT
# smtp
iptables -t filter -A INPUT -p tcp --dport 25 --syn -j ACCEPT
# http
iptables -t filter -A INPUT -p tcp --dport 80 --syn -j ACCEPT
# imap
iptables -t filter -A INPUT -p tcp --dport 143 --syn -s 192.168.1.0/24 -j ACCEPT
# https
iptables -t filter -A INPUT -p tcp --dport 443 --syn -j ACCEPT
# samba
iptables -t filter -A INPUT -p tcp --dport 445 --syn -s 192.168.1.0/24 -j ACCEPT
# smtps
iptables -t filter -A INPUT -p tcp --dport 465 --syn -j ACCEPT
# ipp
iptables -t filter -A INPUT -p tcp --dport 631 --syn -s 192.168.1.0/24 -j ACCEPT
# rsync
iptables -t filter -A INPUT -p tcp --dport 873 --syn -s 192.168.1.0/24 -j ACCEPT
# imaps
iptables -t filter -A INPUT -p tcp --dport 993 --syn -j ACCEPT
# nfs
iptables -t filter -A INPUT -p tcp --dport 2049 --syn -s 192.168.1.0/24 -j ACCEPT
# Transmission
iptables -t filter -A INPUT -p tcp --dport 51413 --syn -j ACCEPT
# 2/ UDP
# ipp
iptables -t filter -A INPUT -p udp --dport 631 --syn -s 192.168.1.0/24 -j ACCEPT
# zeroconf
iptables -t filter -A INPUT -p udp --dport 5353 --syn -s 192.168.1.0/24 -j ACCEPT
# Transmission
iptables -t filter -A INPUT -p udp --dport 51413 --syn -j ACCEPT

 

Yves.


Well, I've finally found the missing bit in my knowledge. I should have thought of this sooner:

http://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html

At the source! :)

 

Now my (seemingly working) firewall is defined like that:

# default rules
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT

# clear specific rules
iptables -t filter -F INPUT
iptables -t filter -F FORWARD
iptables -t filter -F OUTPUT

# allow continuation of already-started connections
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -f -j ACCEPT

# allow local connections
iptables -t filter -A INPUT -i lo -j ACCEPT

# allowed ports (running servers):
# ping
iptables -t filter -A INPUT -p icmp -j ACCEPT
# ssh
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
# smtp
iptables -t filter -A INPUT -p tcp --dport 25 -j REJECT
# http
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
# portmapper
iptables -t filter -A INPUT -p tcp --dport 111 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 111 -s 192.168.1.0/24 -j ACCEPT
# imap
iptables -t filter -A INPUT -p tcp --dport 143 -s 192.168.1.0/24 -j ACCEPT
# https
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
# samba
iptables -t filter -A INPUT -p tcp --dport 445 -s 192.168.1.0/24 -j ACCEPT
# smtps
iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
# ipp
iptables -t filter -A INPUT -p tcp --dport 631 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 631 -s 192.168.1.0/24 -j ACCEPT
# rsync
iptables -t filter -A INPUT -p tcp --dport 873 -s 192.168.1.0/24 -j ACCEPT
# imaps
iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT
# nfs
iptables -t filter -A INPUT -p tcp --dport 2049 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 2049 -s 192.168.1.0/24 -j ACCEPT
# statd
iptables -t filter -A INPUT -p tcp --dport 2050 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 2050 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 2051 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 2051 -s 192.168.1.0/24 -j ACCEPT
# mountd
iptables -t filter -A INPUT -p tcp --dport 2052 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 2052 -s 192.168.1.0/24 -j ACCEPT
# zeroconf
iptables -t filter -A INPUT -p udp --dport 5353 -s 192.168.1.0/24 -j ACCEPT
# nlockmgr
iptables -t filter -A INPUT -p tcp --dport 32000 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 32000 -s 192.168.1.0/24 -j ACCEPT

 

To those who have experience in firewall rules, do you see flaws in this initial setup?

 

Yves.

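Yves' three scripts between them show the problems a reviewer would point at: the first one flushes Shorewall's chains but never resets the policy and has no loopback or ESTABLISHED rule, so a local nmap hangs on dropped probes; the second puts --syn on UDP rules, which iptables rejects; the third accepts every non-first fragment unconditionally. As an added example that is not part of this thread, here is a small Python linter that parses iptables command lines and reports exactly those findings; the finding labels, the abridged sample scripts and the audit logic are mine, not anything from the thread or from netfilter.

```python
"""Lint an iptables script for the mistakes seen in this thread (added example,
not code from the thread; finding labels and sample scripts are my own)."""
import shlex
NOARG = {"--syn", "-f"}  # options that take no value

def parse_rule(line):
    """Map one 'iptables ...' command to {option: value}; None if not one."""
    argv = shlex.split(line.split("#", 1)[0])
    if not argv or argv[0] != "iptables":
        return None
    rule, i = {}, 1
    while i < len(argv):
        tok, nxt = argv[i], argv[i + 1] if i + 1 < len(argv) else ""
        if tok in NOARG:
            rule[tok] = True
        elif tok.startswith("-"):
            rule[tok] = nxt if nxt and not nxt.startswith("-") else ""
            i += bool(rule[tok])  # skip the consumed value
        i += 1
    if rule.get("-P"):  # '-P CHAIN POLICY': the policy is the last word
        rule["policy"] = argv[-1]
    return rule

def audit(script):
    """Return the sorted finding labels for a whole script."""
    rules = [r for r in map(parse_rule, script.splitlines()) if r]
    inp = [r for r in rules if r.get("-A") == "INPUT"]
    closed = any(r.get("-P") == "INPUT" and r["policy"] == "DROP" for r in rules) \
        or any(r.get("-j") == "DROP" and "-p" not in r for r in inp)
    found = set()
    if closed and not any("ESTABLISHED" in r.get("--state", "") for r in inp):
        found.add("no-established-accept")  # replies to the host's own connections die
    if closed and not any(r.get("-i") == "lo" for r in inp):
        found.add("no-loopback-accept")  # local clients (and a local nmap) time out
    if any("-F" in r for r in rules) and not any("-P" in r for r in rules):
        found.add("flush-without-policy")  # -F keeps whatever policy was set before
    for r in inp:
        if r.get("-p") == "udp" and r.get("--syn"):
            found.add("syn-on-udp")  # iptables refuses --syn without -p tcp
        if r.get("-f") and r.get("-j") == "ACCEPT" and "--dport" not in r:
            found.add("accept-all-fragments")  # blind accept of non-first fragments
    return sorted(found)

# Constructed samples: the thread's first script (abridged) and one line from each later one.
FIRST_SCRIPT = """iptables -t filter -F
iptables -t filter -A INPUT -p tcp --dport 51413 -j ACCEPT
iptables -t filter -A INPUT -j DROP"""
UDP_SYN_LINE = "iptables -A INPUT -p udp --dport 631 --syn -s 192.168.1.0/24 -j ACCEPT"
FRAGMENT_LINE = "iptables -A INPUT -f -j ACCEPT"
```

When connection tracking is loaded the kernel reassembles fragments before the filter table sees them, so the `-f` rule in the third script is dead weight rather than a hole; without conntrack it would accept non-first fragments on any port, which is why the linter still flags it.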
