Re: iptables disables outbound traffic

From: Jean-David Beyer (jdbeyer_at_exit109.com)
Date: 10/08/05


Date: Sat, 08 Oct 2005 10:14:13 -0400

Jerry Sievers wrote:
> "suze" <outbacknevada@yahoo.com> writes:
>
>
>> I've created a script to add iptables rules. It works great on the
>> input side -- allowing only requests for services explicitly mentioned.
>>
>>
>> Problem is it disables all outbound functionality. With the firewall
>> running, I can't ssh or ftp FROM the server anywhere. The server
>> doesn't balk at the request -- just can't process the incoming response
>> to the request.
>
>
> You need to keep the high numbered input ports open, those of 1024 and
> higher. If you've got any sensitive services listening there,
> explicitly close those ports too.
>
> A not too uncommon policy is:
>
> input policy drop
> explicit drop secured high number ports (if any)
> open all needed services
> open ports 1024 and above
>
> The order of these rules is important
>
Those rules seem a bit lax to me, but they may be better than the default
firewall that comes with Windows XP Home. ;-)

My policy is to drop everything: incoming, outgoing, and forwarding.
Then I explicitly allow replies to stuff I send out, and stuff from my own
machine (i.e., loopback).
Then I allow spontaneous stuff from outside (i.e., from the rest of my LAN)
with one set of rules, and the Internet with another set of rules. If it is
not explicitly allowed, it does not go through.
Then I allow stuff to go out only to a restricted set of IP addresses. This
set is pretty open, but not totally. And when it is forwarding from the
Windows machine, it forwards only to port 80 of a small white list of IP
addresses.

It looks, in part, like this to start:

###########################################################################
# #
# NOW SETUP THE FIREWALL #
# #
###########################################################################

###########################################################################
# #
# Clear the existing firewall rules #
# #
###########################################################################
# #
$IPT -P INPUT DROP # Set default policy to DROP
$IPT -P OUTPUT DROP # Set default policy to DROP
$IPT -P FORWARD DROP # Set default policy to DROP
$IPT -F # Flush all chains
$IPT -X # Delete all userchains
# #
for table in filter nat mangle; do
    $IPT -t $table -F # Delete the table's rules
    $IPT -t $table -X # Delete the table's chains
    $IPT -t $table -Z # Zero the table's counters
done
# #
###########################################################################

Then it does some stuff that accepts the lo stuff, and selects the specific
rules for what happens next:

###########################################################################
# #
# Main Firewall Rules #
# #
###########################################################################
# #
# The explicit drops here (-j DROP, -j BAD_INPUT, and -j BAD_OUTPUT) #
# should be unnecessary, but are included here just in case an error #
# in the other chains lets something fall through. #
# #
$IPT -A FORWARD -j SHUN
$IPT -A FORWARD -i $EXTDEV0 -j IN_NETWORK
$IPT -A FORWARD -i $INTDEV0 -j OUT_NETWORK
$IPT -A FORWARD -i $INTDEV1 -j OUT_NETWORK
$IPT -A FORWARD -j LOG --log-prefix "IPT FORWARD: " $LOGOPT
$IPT -A FORWARD -j DROP
# #
$IPT -A INPUT -j SHUN
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -j IN_IP_CHECK
$IPT -A INPUT -j IN_FIREWALL
$IPT -A INPUT -j BAD_INPUT
# #
$IPT -A OUTPUT -j SHUN
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -j OUT_IP_CHECK
$IPT -A OUTPUT -j OUT_FIREWALL
$IPT -A OUTPUT -j BAD_OUTPUT
# #
###########################################################################

SHUN is a simple set of rules that drop specific IP addresses or ranges of
addresses. This list of IP addresses is usually null, but if someone is
attacking, their IP address can be put in and their stuff dropped until a
better solution can be worked out.

EXTDEV0 is my PPP connection to the Internet. INTDEV0 is my eth0, and
INTDEV1 is my eth1.

*IP_CHECKs verify that the IP addresses are OK.

And so on.

Here is the beginning of IN_FIREWALL to give a taste...

###########################################################################
# #
# INPUT TABLE CHAINS. #
# #
###########################################################################
# #
$IPT -N IN_FIREWALL
$IPT -A IN_FIREWALL -p icmp -j IN_F_ICMP
$IPT -A IN_FIREWALL -p tcp -j TCP_FLAGS
$IPT -A IN_FIREWALL -p tcp --syn -j SYN_FLOOD
$IPT -A IN_FIREWALL -p tcp -m state --state ESTABLISHED,RELATED \
                                                            -j ACCEPT
$IPT -A IN_FIREWALL -p udp -m state --state ESTABLISHED,RELATED \
                                                            -j ACCEPT
# #
# AOL Instant Messenger.
for sip in $EBF_AIM $IBF_AIM; do
    $IPT -A IN_FIREWALL -p tcp -m state --state NEW \
        -s $sip --dport $TCP_AIM -j ACCEPT
    $IPT -A IN_FIREWALL -p tcp -m state --state NEW \
        -s $sip --dport $TCP_MLTMB -j ACCEPT
done
# #
# For IDENT (AUTH) daemon. #
for sip in $EBF_AUTH $IBF_AUTH; do
    $IPT -A IN_FIREWALL -p tcp -m state --state NEW \
        -s $sip --dport auth -j ACCEPT
done
#
...
...
...
  # Everything else is logged and dropped. #
$IPT -A IN_FIREWALL -j BAD_IN_FIREWALL
# #

IN_F_ICMP rejects ICMP requests we do not like (i.e., from most sources).
TCP_FLAGS rejects invalid TCP flags.
SYN_FLOOD rejects floods of SYNs.

-- 
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 09:50:00 up 8 days, 2:52, 3 users, load average: 4.04, 4.15, 4.20
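Added example, not code from the post above or from the original poster's script: a minimal default-DROP rule set that fixes the outbound problem described in the thread with the same ESTABLISHED,RELATED state match the IN_FIREWALL chain uses, instead of opening every port above 1024. The interface name ppp0 and the published service list are assumptions; by default it prints the iptables commands rather than running them.

```shell
#!/bin/sh
# Set IPT="iptables" to apply for real (as root); the default prints the
# commands so the rule set can be reviewed without touching a live firewall.
IPT="${IPT:-echo iptables}"
EXTDEV="${EXTDEV:-ppp0}"              # assumed external interface name
TCP_SERVICES="${TCP_SERVICES:-22 80}" # assumed services published inbound

build_rules() {
    # Default policies: nothing passes unless a rule allows it.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F
    $IPT -X

    # Loopback is always allowed in both directions.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host opened arrive on whatever high port
    # the kernel picked; conntrack matches them as ESTABLISHED (RELATED covers
    # e.g. the FTP data channel), so no blanket 1024+ opening is needed.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound: only explicitly published services may open new connections.
    for port in $TCP_SERVICES; do
        $IPT -A INPUT -i "$EXTDEV" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # Outbound: the server itself may open new ftp/ssh/dns connections.
    $IPT -A OUTPUT -o "$EXTDEV" -p tcp -m multiport --dports 21,22,53 \
        -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$EXTDEV" -p udp --dport 53 -m state --state NEW -j ACCEPT

    # Anything that reaches the end is logged, then hits the DROP policy.
    $IPT -A INPUT -j LOG --log-prefix "IPT INPUT: "
    $IPT -A OUTPUT -j LOG --log-prefix "IPT OUTPUT: "
}

# Review helper: how many generated rules contain a given fragment.
count_rules() {
    build_rules | grep -c -- "$1"
}

build_rules
```

Run it with IPT unset first and read the printed rules; the order matters, since the state rules must come before the per-service rules so that replies are accepted regardless of port.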

