iptables troubles

From: Pim Bliek (pim.bliek_at_gmail.com)
Date: 10/13/04

    Date: Wed, 13 Oct 2004 15:37:35 +0200
    To: debian-user <debian-user@lists.debian.org>
    
    

    Hi All,

    I am trying to get a firewall running, but I am no networking expert.
    I use Debian Sid, and kernel 2.4.25-1-386 (yes I need to upgrade ;)).

    Anyway. I got my fw script from a webpage, and it looks pretty ok to
    me. When I run it, it certainly blocks everything except the ports I
    want it to allow. Fine.

    However, I got reports from users that it was not working for them. I
    asked some 5 different people, and some 3 of them could not reach
    the server, while others could. Very weird. They tried it on http,
    port 80. It is open in the firewall, and Apache is running.

    I have *no* clues what is wrong. I Googled around a lot, tried to
    understand the iptables script (I think I do to a degree that I can
    understand what each line does), but it all looks fine to me. But how
    on earth does it come that it is still blocking traffic from *some* users??

    This server is in a 19" rack at an ISP. No NAT, just one IP address.
    Very simple setup.

    Any clues would be highly appreciated, I am really lost here.

    Here is my script:

    #!/bin/sh
    # This is a sample Firewall script made with Citadec Solutions
    # sample firewall generator at http://www.citadec.com
    # Remember that this is meant to help you to make your own
    # firewall. Always read this script through before using it!

    IPT=/sbin/iptables
    LSMOD=/sbin/lsmod
    # Flushing old rules
    $IPT -F
    $IPT -t nat -F

    # Next is your IP
    NET=<the public IP of my server>
    # ICMP Echo-request deny
    $IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type echo-request -j DROP
    # ICMP Host-unreachable deny
    $IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type host-unreachable -j DROP
    # ICMP Host-redirect deny
    $IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type redirect -j DROP
    # ICMP Timestamp-request deny
    $IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type timestamp-request -j DROP
    # ICMP Timestamp-reply deny
    $IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type timestamp-reply -j DROP
    # ICMP Address-mask-request deny
    $IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type address-mask-request -j DROP
    # ICMP Address-mask-reply deny
    $IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type address-mask-reply -j DROP
    # ICMP Source-quench deny
    $IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type source-quench -j DROP
    # ICMP Destination-unreachable deny
    # Caveat: this also drops "fragmentation needed" (type 3, code 4), which
    # breaks Path MTU discovery for clients behind links with a smaller MTU;
    # such clients can open a connection but stall on larger responses.
    $IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type destination-unreachable -j DROP

    # DROP IF NO FLAGS SET OR ALL FLAGS SET (Some scanning methods use these)
    $IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --tcp-flags ALL NONE -j DROP
    $IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --tcp-flags ALL ALL -j DROP

    # We dont need ipchains
    $LSMOD | grep ipchains -q -s && rmmod ipchains

    # Allow everything on the loopback interface
    $IPT -t filter -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
    $IPT -t filter -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT

    # This is done to enable source verification
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
      for f in /proc/sys/net/ipv4/conf/*/rp_filter
      do
       echo 2 > $f
      done
    fi

    # This one is for syncookies protection
    if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
      echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    fi

    # We dont want ICMP Dead Errors
    if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
      echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    fi

    # We want to Ignore ICMP Broadcasts
    if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
      echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    fi

    # We dont want anyone to play with dynamic TCP/IP
    if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
      echo 0 > /proc/sys/net/ipv4/ip_dynaddr
    fi

    # These IP addresses are blocked, because they are not "routable"
    # Caveat: this is a static snapshot of address space that was unallocated
    # when the generator's list was written. /8 blocks are handed out to ISPs
    # over time, so an unmaintained list like this will eventually drop
    # legitimate clients; check it against the current IANA IPv4 allocations.
    $IPT -t filter -A INPUT -s 1.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 2.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 7.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 23.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 27.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 31.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 41.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 45.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 60.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 68.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 69.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 70.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 71.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 80.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 88.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 90.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 91.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 92.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 100.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 111.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 112.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 127.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 128.66.0.0/16 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 172.16.0.0/12 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 197.0.0.0/16 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 201.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 220.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 222.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 240.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 242.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 244.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 251.0.0.0/8 -d $NET -j DROP
    $IPT -t filter -A INPUT -s 254.0.0.0/8 -d $NET -j DROP

    # In this Firewall we dont want Multicast allowed
    $IPT -t filter -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP
    $IPT -t filter -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP
    $IPT -t filter -A OUTPUT -s 224.0.0.0/8 -d 0/0 -j DROP
    $IPT -t filter -A OUTPUT -s 0/0 -d 224.0.0.0/8 -j DROP

    # Block Packets with Stuffed Routing
    $IPT -t filter -A INPUT -s 255.255.255.255 -j DROP
    $IPT -t filter -A INPUT -d 0.0.0.0 -j DROP
    $IPT -t filter -A OUTPUT -s 255.255.255.255 -j DROP
    $IPT -t filter -A OUTPUT -d 0.0.0.0 -j DROP

    # ICMP Should be allowed out
    $IPT -A OUTPUT -p icmp -s $NET -d 0/0 -j ACCEPT

    # Open inbound established connections (ssh)
    $IPT -A INPUT -p tcp --sport 22 --destination-port 513:65535 ! --syn -m state --state RELATED -j ACCEPT

    # FTP Data fix
    $IPT -A INPUT -p tcp --sport 20 --destination-port 1023:65535 ! --syn -m state --state RELATED -j ACCEPT
    $IPT -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
    # Note: this accepts inbound UDP to every port from 1023 up, from any
    # source, not only replies to the server's own queries; matching replies
    # with -m state --state ESTABLISHED would be narrower.
    $IPT -A INPUT -p udp -s 0/0 -d $NET --destination-port 1023:65535 -j ACCEPT

    # Open ports for outbound established connections
    $IPT -A OUTPUT -p tcp -s $NET -d 0/0 --destination-port 1:65535 -j ACCEPT
    $IPT -A OUTPUT -p udp -s $NET -d 0/0 --destination-port 1:65535 -j ACCEPT
    # FTP allowed
    $IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 20 ! --syn -j ACCEPT
    $IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 21 -j ACCEPT
    # SSH allowed
    $IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 22 -j ACCEPT
    # SMTP allowed
    $IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 25 -j ACCEPT
    # POP allowed
    $IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 110 -j ACCEPT
    # IMAP allowed
    $IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 143 -j ACCEPT
    # HTTP allowed
    $IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 80 -j ACCEPT
    # HTTPS allowed
    $IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 443 -j ACCEPT
    # These TCP ports are opened also
    $IPT -t filter -A INPUT -p tcp --destination-port 465 -j ACCEPT
    $IPT -t filter -A INPUT -p tcp --destination-port 993 -j ACCEPT
    $IPT -t filter -A INPUT -p tcp --destination-port 995 -j ACCEPT

    # THESE IPS HAVE FULL ACCESS TO THIS SYSTEM
    # Without a -j target a rule only counts matching packets, and the admin
    # box would fall through to the final DROP below.
    $IPT -A INPUT -s <my admin box's IP> -d $NET -j ACCEPT

    # RESTART KLOGD (So we dont get flooded by iptables to tty)
    killall -9 klogd
    /sbin/klogd -x -c 4

    # Deny everything not let through earlier
    $IPT -A INPUT -j DROP

    -- end of script--

    Regards,
    Pim Bliek
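To see which of the script's own address rules would catch a given visitor before the port 80 ACCEPT is ever reached, here is an offline checker added as an example (not code from the mail or from the Citadec generator). The rule lines are copied from the script above; the client addresses are constructed for the demonstration.

```python
"""Offline check of the posted script's source-address DROP rules.
Added example: parses rule lines in the form the script uses and reports
which rule, if any, would drop a given client address."""
import ipaddress
import re

# Rule lines copied from the script above; $NET is the server's public
# address, left symbolic exactly as in the original.
SAMPLE_RULES = """
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type echo-request -j DROP
$IPT -t filter -A INPUT -s 1.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 68.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 127.0.0.0/8 -d $NET -j DROP
$IPT -t filter -A INPUT -s 172.16.0.0/12 -d $NET -j DROP
$IPT -t filter -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP
$IPT -t filter -A INPUT -s 255.255.255.255 -j DROP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 80 -j ACCEPT
"""

# An INPUT rule carrying an explicit -s source and a DROP target.
DROP_RULE = re.compile(r"-A\s+INPUT\b.*?-s\s+(\S+).*-j\s+DROP\b")

def drop_sources(rules_text):
    """Source networks the INPUT chain drops, in rule order.

    Wildcard sources (0/0) are skipped: those rules filter on protocol
    details such as ICMP type, not on the client's address.
    """
    nets = []
    for line in rules_text.splitlines():
        m = DROP_RULE.search(line)
        if m and m.group(1) not in ("0/0", "0.0.0.0/0"):
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets

def blocked_by(client_ip, nets):
    """First dropping network containing client_ip, or None. The address
    blocklist precedes the port 80 ACCEPT in the script, so a hit here
    means the client never reaches the HTTP rule at all."""
    addr = ipaddress.ip_address(client_ip)
    return next((net for net in nets if addr in net), None)

if __name__ == "__main__":
    nets = drop_sources(SAMPLE_RULES)
    # Constructed client addresses, not real visitors from the thread.
    for client in ("68.1.2.3", "203.0.113.10", "127.0.0.1"):
        hit = blocked_by(client, nets)
        print(client, "dropped by -s %s" % hit if hit else "reaches the port rules")
```

On the live box, `iptables -L INPUT -v -n --line-numbers` shows per-rule packet counters, so a rule whose counter climbs while an affected user retries is the one to inspect.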


