theYinYeti Posted December 31, 2009 (edited)

Hi! Happy New Year!

I have installed a server on a USB key, and there is very little space available, so I want to write my firewall rules myself instead of installing firewall front-end software. I'm doing tests on my main PC, currently running Shorewall, so IMO I have to do some “house-cleaning” first, hence the flush at the start of my script.

Before any attempt, here was the output from nmap:

[root@sedentaire ~]# nmap -sS -sU 192.168.1.21
Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-31 16:37 CET
Interesting ports on sedentaire (192.168.1.21):
Not shown: 1983 closed ports
PORT      STATE          SERVICE
22/tcp    open           ssh
139/tcp   open           netbios-ssn
143/tcp   open           imap
445/tcp   open           microsoft-ds
631/tcp   open           ipp
993/tcp   open           imaps
3128/tcp  open           squid-http
6566/tcp  open           unknown
8080/tcp  open           http-proxy
68/udp    open|filtered  dhcpc
123/udp   open|filtered  ntp
137/udp   open|filtered  netbios-ns
138/udp   open|filtered  netbios-dgm
177/udp   open|filtered  xdmcp
631/udp   open|filtered  ipp
3130/udp  open|filtered  squid-ipc
5353/udp  open|filtered  zeroconf
Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds

Following explanations from linuxhomenetworking.com, I wrote this simple basic firewall, just as a test:

iptables -t filter -F
iptables -t filter -A OUTPUT -j ACCEPT
iptables -t filter -A FORWARD -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 51413 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 51413 -j ACCEPT
iptables -t filter -A INPUT -j DROP

But it does not work. Instead of telling me that one port is open (51413), nmap seems to just hang… What is wrong with my rules?

Yves.

Edited December 31, 2009 by theYinYeti
theYinYeti Posted December 31, 2009 Author

The server has only one network interface and is connected to my home LAN. There, 192.168.1.X PCs can access the server. Besides, my ADSL router is configured so that all connections from the internet on ports from 1 to 10000 are redirected to the server. Thus, the server can also be accessed from the internet, but with a bit more restrictions (hence the -s parameters).

Reading a bit more, I came up with this. Is it any better? Or even good? :)

# default rules
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
# reset specific rules
iptables -t filter -F INPUT
iptables -t filter -F FORWARD
iptables -t filter -F OUTPUT
# allow continuation of already-started connections
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow local connections
iptables -t filter -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
# allowed ports (running servers):
# 1/ TCP
# echo
iptables -t filter -A INPUT -p tcp --dport 7 --syn -j ACCEPT
# ssh
iptables -t filter -A INPUT -p tcp --dport 22 --syn -j ACCEPT
# smtp
iptables -t filter -A INPUT -p tcp --dport 25 --syn -j ACCEPT
# http
iptables -t filter -A INPUT -p tcp --dport 80 --syn -j ACCEPT
# imap
iptables -t filter -A INPUT -p tcp --dport 143 --syn -s 192.168.1.0/24 -j ACCEPT
# https
iptables -t filter -A INPUT -p tcp --dport 443 --syn -j ACCEPT
# samba
iptables -t filter -A INPUT -p tcp --dport 445 --syn -s 192.168.1.0/24 -j ACCEPT
# smtps
iptables -t filter -A INPUT -p tcp --dport 465 --syn -j ACCEPT
# ipp
iptables -t filter -A INPUT -p tcp --dport 631 --syn -s 192.168.1.0/24 -j ACCEPT
# rsync
iptables -t filter -A INPUT -p tcp --dport 873 --syn -s 192.168.1.0/24 -j ACCEPT
# imaps
iptables -t filter -A INPUT -p tcp --dport 993 --syn -j ACCEPT
# nfs
iptables -t filter -A INPUT -p tcp --dport 2049 --syn -s 192.168.1.0/24 -j ACCEPT
# Transmission
iptables -t filter -A INPUT -p tcp --dport 51413 --syn -j ACCEPT
# 2/ UDP
# (--syn is a TCP-only match: iptables refuses it on UDP rules, so it is omitted here)
# ipp
iptables -t filter -A INPUT -p udp --dport 631 -s 192.168.1.0/24 -j ACCEPT
# zeroconf
iptables -t filter -A INPUT -p udp --dport 5353 -s 192.168.1.0/24 -j ACCEPT
# Transmission
iptables -t filter -A INPUT -p udp --dport 51413 -j ACCEPT

Yves.
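Added example (not code from the thread): a small Python linter for iptables scripts like the ones above, which flags an INPUT chain that drops by default without an ESTABLISHED,RELATED accept (as in the first attempt, where replies to the host's own connections never get back in and a scan sees only silent drops), a --syn match on a non-TCP rule (iptables refuses it), and any port accepted with no -s restriction, i.e. reachable through the router's port redirection. The two sample scripts are constructed, condensed versions of the first and second attempts.

```python
import shlex

def parse_rule(line):
    """Parse one 'iptables -A CHAIN ...' or 'iptables -P CHAIN POLICY' line; else None."""
    toks = shlex.split(line.split("#", 1)[0])
    if len(toks) < 3 or toks[0] != "iptables":
        return None
    r = {"cmd": None, "chain": None, "proto": None, "dport": None,
         "src": None, "target": None, "syn": False, "state": None}
    i = 1
    while i < len(toks):
        t, val = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if t in ("--syn", "-f"): r["syn"] |= t == "--syn"; i += 1; continue  # no argument
        if t == "-A": r["cmd"], r["chain"] = t, val
        elif t == "-P": r["cmd"], r["chain"], r["target"] = t, val, toks[i + 2]; i += 1
        elif t == "-p": r["proto"] = val
        elif t == "--dport": r["dport"] = int(val)
        elif t == "-s" and val != "0/0": r["src"] = val   # 0/0 restricts nothing
        elif t == "-j": r["target"] = val
        elif t == "--state": r["state"] = val
        i += 2                          # -t, -m, -i, -d and others: skip with their value
    return r if r["cmd"] else None

def lint(script):
    """Return (line_no, message) findings for the INPUT chain of an iptables script."""
    out, drop_at, has_state = [], None, False
    for n, line in enumerate(script.splitlines(), 1):
        r = parse_rule(line)
        if r is None or r["chain"] != "INPUT": continue
        if r["syn"] and r["proto"] != "tcp":
            out.append((n, "--syn is TCP-only; iptables rejects it with -p %s" % r["proto"]))
        if r["target"] == "DROP" and not (r["proto"] or r["state"]):
            drop_at = drop_at or n      # policy DROP or an unconditional -A INPUT -j DROP
        has_state |= bool(r["state"] and "ESTABLISHED" in r["state"])
        if r["cmd"] == "-A" and r["target"] == "ACCEPT" and r["dport"] and not r["src"]:
            out.append((n, "%s/%d accepted from any source" % (r["proto"], r["dport"])))
    if drop_at and not has_state:
        out.append((drop_at, "INPUT drops by default but has no ESTABLISHED,RELATED accept"))
    return out

# Constructed samples, condensed from the thread's first and second attempts.
FIRST_TRY = """iptables -t filter -A INPUT -p tcp --dport 51413 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 51413 -j ACCEPT
iptables -t filter -A INPUT -j DROP"""
SECOND_TRY = """iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 22 --syn -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 5353 --syn -s 192.168.1.0/24 -j ACCEPT"""
```

Running lint(FIRST_TRY) reports both 51413 rules as open to any source and the trailing DROP as lacking a state rule; lint(SECOND_TRY) reports tcp/22 as open to any source and the UDP --syn line as invalid.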
theYinYeti Posted January 1, 2010 Author

Well, I've finally found the missing bit in my knowledge. I should have thought of this sooner: http://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html At the source! :)

Now my (seemingly working) firewall is defined like this:

# default rules
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
# clear specific rules
iptables -t filter -F INPUT
iptables -t filter -F FORWARD
iptables -t filter -F OUTPUT
# allow continuation of already-started connections
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -f -j ACCEPT
# allow local connections
iptables -t filter -A INPUT -i lo -j ACCEPT
# allowed ports (running servers):
# ping
iptables -t filter -A INPUT -p icmp -j ACCEPT
# ssh
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
# smtp
iptables -t filter -A INPUT -p tcp --dport 25 -j REJECT
# http
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
# portmapper
iptables -t filter -A INPUT -p tcp --dport 111 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 111 -s 192.168.1.0/24 -j ACCEPT
# imap
iptables -t filter -A INPUT -p tcp --dport 143 -s 192.168.1.0/24 -j ACCEPT
# https
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
# samba
iptables -t filter -A INPUT -p tcp --dport 445 -s 192.168.1.0/24 -j ACCEPT
# smtps
iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
# ipp
iptables -t filter -A INPUT -p tcp --dport 631 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 631 -s 192.168.1.0/24 -j ACCEPT
# rsync
iptables -t filter -A INPUT -p tcp --dport 873 -s 192.168.1.0/24 -j ACCEPT
# imaps
iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT
# nfs
iptables -t filter -A INPUT -p tcp --dport 2049 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 2049 -s 192.168.1.0/24 -j ACCEPT
# statd
iptables -t filter -A INPUT -p tcp --dport 2050 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 2050 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 2051 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 2051 -s 192.168.1.0/24 -j ACCEPT
# mountd
iptables -t filter -A INPUT -p tcp --dport 2052 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 2052 -s 192.168.1.0/24 -j ACCEPT
# zeroconf
iptables -t filter -A INPUT -p udp --dport 5353 -s 192.168.1.0/24 -j ACCEPT
# nlockmgr
iptables -t filter -A INPUT -p tcp --dport 32000 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 32000 -s 192.168.1.0/24 -j ACCEPT

To those who have experience in firewall rules, do you see flaws in this initial setup?

Yves.