Re: iptables disables outbound traffic

From: Jean-David Beyer (jdbeyer_at_exit109.com)
Date: 10/08/05


Date: Sat, 08 Oct 2005 10:14:13 -0400

Jerry Sievers wrote:
> "suze" <outbacknevada@yahoo.com> writes:
>
>
>> I've created a script to add iptables rules. It works great on the
>> input side -- allowing only requests for services explicitly mentioned.
>>
>>
>> Problem is it disables all outbound functionality. With the firewall
>> running, I can't ssh or ftp FROM the server anywhere. The server
>> doesn't balk at the request -- just can't process the incoming response
>> to the request.
>
>
> You need to keep the high-numbered input ports open, those of 1024 and
> higher. If you've got any sensitive services listening there,
> explicitly close those ports too.
>
> A not too uncommon policy is:
>
> input policy drop
> explicit drop secured high number ports (if any)
> open all needed services
> open ports 1024 and above
>
> The order of these rules is important
>
Those rules seem a bit lax to me, but they may be better than the default
firewall that comes with Windows XP Home. ;-)

My policy is to drop everything: incoming, outgoing, and forwarding.
Then I explicitly allow replies to stuff I send out, and stuff from my own
machine (i.e., loopback).
Then I allow spontaneous stuff from outside (i.e., from the rest of my LAN)
with one set of rules, and the Internet with another set of rules. If it is
not explicitly allowed, it does not go through.
Then I allow stuff to go out only to a restricted set of IP addresses. This
set is pretty open, but not totally. And when it is forwarding from the
Windows machine, it forwards only to port 80 of a small white list of IP
addresses.

It looks, in part, like this to start:

###########################################################################
#                                                                         #
#                        NOW SETUP THE FIREWALL                           #
#                                                                         #
###########################################################################

###########################################################################
#                                                                         #
#                   Clear the existing firewall rules                     #
#                                                                         #
###########################################################################
#                                                                         #
$IPT -P INPUT DROP                  # Set default policy to DROP
$IPT -P OUTPUT DROP                 # Set default policy to DROP
$IPT -P FORWARD DROP                # Set default policy to DROP
$IPT -F                             # Flush all chains
$IPT -X                             # Delete all user chains
#                                                                         #
for table in filter nat mangle; do
    $IPT -t $table -F               # Delete the table's rules
    $IPT -t $table -X               # Delete the table's chains
    $IPT -t $table -Z               # Zero the table's counters
done
#                                                                         #
###########################################################################

Then it does some stuff that accepts the lo stuff, and selects the specific
rules for what happens next:

###########################################################################
#                                                                         #
#                          Main Firewall Rules                            #
#                                                                         #
###########################################################################
#                                                                         #
# The explicit drops here (-j DROP, -j BAD_INPUT, and -j BAD_OUTPUT)      #
# should be unnecessary, but are included here just in case an error      #
# in the other chains lets something fall through.                        #
#                                                                         #
$IPT -A FORWARD -j SHUN
$IPT -A FORWARD -i $EXTDEV0 -j IN_NETWORK
$IPT -A FORWARD -i $INTDEV0 -j OUT_NETWORK
$IPT -A FORWARD -i $INTDEV1 -j OUT_NETWORK
$IPT -A FORWARD -j LOG --log-prefix "IPT FORWARD: " $LOGOPT
$IPT -A FORWARD -j DROP
#                                                                         #
$IPT -A INPUT -j SHUN
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -j IN_IP_CHECK
$IPT -A INPUT -j IN_FIREWALL
$IPT -A INPUT -j BAD_INPUT
#                                                                         #
$IPT -A OUTPUT -j SHUN
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -j OUT_IP_CHECK
$IPT -A OUTPUT -j OUT_FIREWALL
$IPT -A OUTPUT -j BAD_OUTPUT
#                                                                         #
###########################################################################

SHUN is a simple set of rules that drop specific IP addresses or ranges of
addresses. This list of IP addresses is usually null, but if someone is
attacking, their IP address can be put in and their stuff dropped until a
better solution can be worked out.

EXTDEV0 is my PPP connection to the Internet. INTDEV0 is my eth0, and
INTDEV1 is my eth1.

*IP_CHECKs verify that the IP addresses are OK.

And so on.

Here is the beginning of IN_FIREWALL to give a taste...

###########################################################################
#                                                                         #
#                          INPUT TABLE CHAINS.                            #
#                                                                         #
###########################################################################
#                                                                         #
$IPT -N IN_FIREWALL
$IPT -A IN_FIREWALL -p icmp -j IN_F_ICMP
$IPT -A IN_FIREWALL -p tcp -j TCP_FLAGS
$IPT -A IN_FIREWALL -p tcp --syn -j SYN_FLOOD
$IPT -A IN_FIREWALL -p tcp -m state --state ESTABLISHED,RELATED \
                                                            -j ACCEPT
$IPT -A IN_FIREWALL -p udp -m state --state ESTABLISHED,RELATED \
                                                            -j ACCEPT
#                                                                         #
# AOL Instant Messenger.
for sip in $EBF_AIM $IBF_AIM; do
    $IPT -A IN_FIREWALL -p tcp -m state --state NEW \
        -s $sip --dport $TCP_AIM -j ACCEPT
    $IPT -A IN_FIREWALL -p tcp -m state --state NEW \
        -s $sip --dport $TCP_MLTMB -j ACCEPT
done
#                                                                         #
# For IDENT (AUTH) daemon.                                                #
for sip in $EBF_AUTH $IBF_AUTH; do
    $IPT -A IN_FIREWALL -p tcp -m state --state NEW \
        -s $sip --dport auth -j ACCEPT
done
#
...
...
...
# Everything else is logged and dropped.                                  #
$IPT -A IN_FIREWALL -j BAD_IN_FIREWALL
#                                                                         #

IN_F_ICMP rejects ICMP requests we do not like (i.e., from most sources).
TCP_FLAGS rejects invalid TCP flags.
SYN_FLOOD rejects floods of SYNs.

-- 
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 09:50:00 up 8 days, 2:52, 3 users, load average: 4.04, 4.15, 4.20
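As an added example (not Jean-David's script and not from any message in this thread), here is the stateful fix for suze's original problem: letting conntrack admit replies to connections the server opened, instead of opening all ports from 1024 up as Jerry suggests. It is a dry run by default (IPT=echo prints the rules); the ppp0 interface, the ssh/smtp service list and the MODPROBE variable are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: IPT=echo prints the
# commands; run as root with IPT=/sbin/iptables to apply them for real.
# Interface name and service list are assumptions, not taken from the thread.
IPT=${IPT:-echo}
MODPROBE=${MODPROBE:-echo}
EXTDEV=${EXTDEV:-ppp0}            # assumed external interface
SERVICES=${SERVICES:-"ssh smtp"}  # assumed services this host offers

load_helpers() {
    # FTP from the server: active-mode data connections come back inbound
    # from port 20, and only the FTP helper marks them RELATED. The module
    # is ip_conntrack_ftp on 2.4/early 2.6 kernels, nf_conntrack_ftp later.
    $MODPROBE ip_conntrack_ftp
}

stateful_rules() {
    # Default deny first, then flush, so nothing leaks in between.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F
    $IPT -X
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Return traffic for anything this host started (ssh, ftp, DNS replies)
    # and related traffic (ftp-data, ICMP errors). No high-port range is
    # opened. Newer kernels spell this -m conntrack --ctstate.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot place in any connection are dropped.
    $IPT -A INPUT -m state --state INVALID -j DROP
    # The host may open new connections outward.
    $IPT -A OUTPUT -m state --state NEW -j ACCEPT
    # Inbound: only explicitly offered services, and only as NEW.
    for svc in $SERVICES; do
        $IPT -A INPUT -i "$EXTDEV" -p tcp --dport "$svc" \
            -m state --state NEW -j ACCEPT
    done
    # Everything else is logged (rate limited), then explicitly dropped.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT INPUT: "
    $IPT -A INPUT -j DROP
}

load_helpers
stateful_rules
```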
