iptables script blocking too much

Archived topics about LMDE 1 and LMDE 2
TehBroZor
Level 1
Posts: 12
Joined: Wed May 01, 2013 1:18 pm

iptables script blocking too much

Post by TehBroZor »

Hello,

I have been trying to get a basic packet filter firewall using iptables. After reading a bit I have more questions than answers.

viewtopic.php?f=157&t=216978&hilit=iptables&start=20

This discussion seems to be about packet filters vs. application firewalls (is ufw an application firewall? Can you use iptables and ufw together?)

Here is my script so far:

Code:

#! /bin/sh
# init.d/localfw
#
# System startup script for local packet filters
# (NOT an actual firewall)
#
### BEGIN INIT INFO
# Provides:          localfw
# Required-Start:    $networking $syslog
# Required-Stop:     $networking $syslog
# Default-Start:     2 3 5
# Default-Stop:      0 1 6
# Short-Description: Example initscript
# Description:       Start localfw to add some basic protections for host
### END INIT INFO
#
# Author: tehbrozor (using help)

IPTABLES=/sbin/iptables
test -x $IPTABLES || exit 5

#IP_LOCAL=192.168.42.110	# Way to fetch local IP? Or update for DHCP?

case "$1" in
    start)
        echo -n "Loading host packet filters"

        # Load kernel modules
        modprobe ip_tables
        modprobe ip_conntrack

        # Flush active rules and custom chains
        $IPTABLES --flush
        $IPTABLES --delete-chain

        # Set default policies
        $IPTABLES -P INPUT DROP
        $IPTABLES -P FORWARD DROP
        $IPTABLES -P OUTPUT ACCEPT   # for now.. focus on inbound; come back to authorize only desired outgoing packets

        # Local processes only ought to be using the loopback interface anyway
        $IPTABLES -A INPUT  -i lo -j ACCEPT
        $IPTABLES -A OUTPUT -o lo -j ACCEPT

        # Authorized packets ought to conform to basic rules
        $IPTABLES -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
        $IPTABLES -A INPUT -s 255.0.0.0/8 -j DROP
        $IPTABLES -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
        $IPTABLES -A INPUT -s 0.0.0.0/8 -j DROP
        $IPTABLES -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
        $IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
        $IPTABLES -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "Spoofed source IP"
        $IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
        $IPTABLES -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed source IP"
        $IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
        $IPTABLES -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
        $IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP

        # Actual local traffic won't come from the local IP, but from the loopback interface
        #$IPTABLES -A INPUT -s $IP_LOCAL -j LOG --log-prefix "Spoofed source IP"
        #$IPTABLES -A INPUT -s $IP_LOCAL -j DROP

        # Inbound TCP sessions ought to start with a SYN packet
        $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan attempt?"
        $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

        # INBOUND POLICY----------------------------------
        # packets that enter our network interface from the network and are addressed to this host

        # Accept inbound packets that are part of ongoing connections
        $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

        # Accept DNS access
        $IPTABLES -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT

        # Log and DROP anything that doesn't match our INBOUND POLICY---
        $IPTABLES -A INPUT -j LOG --log-prefix "Dropped by default (INPUT):"
        $IPTABLES -A INPUT -j DROP

        # OUTBOUND POLICY---------------------------------

        # To do: (right now it's an ACCEPT policy, but later...)
        # 1) approve established connections
        # 2) limit outbound ping for admin testing only
        # 3) allow outbound DNS queries
        # 4) govern ability to initiate connections to services that I use, when I use them
        # 5) log and drop anything else

        # FORWARD POLICY----------------------------------
        $IPTABLES -A FORWARD -j LOG --log-prefix "Attempted FORWARD? Dropped by default:"
        $IPTABLES -A FORWARD -j DROP
        ;;

    # Unload packet filters for testing (don't do this when connected to a network, if you can help it :/)
    wide_open)
        echo -n "DANGER!! Unloading host's packet filter!"
        $IPTABLES --flush
        $IPTABLES -P INPUT ACCEPT
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -P FORWARD ACCEPT
        ;;

    stop)
        echo -n "Batten-down the hatches! packet filter stopping"
        $IPTABLES --flush
        $IPTABLES -P INPUT DROP
        $IPTABLES -P OUTPUT DROP
        $IPTABLES -P FORWARD DROP
        ;;

    status)
        echo "using iptables to check packet filter status..."
        $IPTABLES --line-numbers -vn --list
        ;;

    *)
        echo "Usage: $0 {start|stop|wide_open|status}"
        exit 1
        ;;
esac

The example I started with is for bastion hosts. I don't plan on running any public services for now, but would like DNS to work and my web browsers to work.

http://www.linuxquestions.org/questions ... pt-189039/

In that thread I see that you must allow TCP connections on the ports being used: 80, 81 and any other ports used for HTTP (I had found some more, but seem to have lost those posts). What I don't get is this: if I've approved any established or related (it is OR, right?) inbound packets and my outbound policy is ACCEPT (for now), why isn't the script working as is?
The iptables man pages did say established connections must have two-way traffic to be established, but isn't a returning HTTP packet related to my connection requests? Any help or a pointing in the right direction would be appreciated!

(I'm running LMDE 2 Betsy- Thank you!)
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
bigbenaugust

Re: iptables script blocking too much

Post by bigbenaugust »

It is my understanding that ufw simply provides a slightly more human-friendly interface to iptables rules.

For instance, you can set up rules using ufw and then list them using

Code:

sudo iptables --list

An application firewall is more like allow/deny rules in Apache or OpenSSH. It exists above the level of the kernel where the packet filter is.
TehBroZor
Level 1
Posts: 12
Joined: Wed May 01, 2013 1:18 pm

Re: iptables script blocking too much

Post by TehBroZor »

Thank you Ben, that clears that up. I won't worry about those things for now then.
On the packet filter front, I am able to send packets out and get them back, but I don't seem to be able to look up domain names:
~ $ sudo /etc/init.d/localfw wide_open
DANGER!! Unloading Host's packet filter!~ $ ping -c 4 -w 4 www.google.com
PING www.google.com (63.80.2.19) 56(84) bytes of data.
64 bytes from 63.80.2.19: icmp_seq=1 ttl=50 time=84.7 ms
64 bytes from 63.80.2.19: icmp_seq=2 ttl=50 time=105 ms
64 bytes from 63.80.2.19: icmp_seq=3 ttl=50 time=90.9 ms
64 bytes from 63.80.2.19: icmp_seq=4 ttl=50 time=90.3 ms

--- www.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 84.773/92.858/105.282/7.580 ms
~ $ sudo /etc/init.d/localfw stop
Batten-down the hatches! packet filter stopping~ $ sudo /etc/init.d/localfw start
Loading Host's
~ $ ping -c 4 -w 4 www.google.com
ping: unknown host www.google.com
~ $ ping -c 4 -w 4 63.80.2.19
PING 63.80.2.19 (63.80.2.19) 56(84) bytes of data.
64 bytes from 63.80.2.19: icmp_seq=1 ttl=50 time=371 ms
64 bytes from 63.80.2.19: icmp_seq=2 ttl=50 time=82.8 ms
64 bytes from 63.80.2.19: icmp_seq=3 ttl=50 time=89.7 ms
64 bytes from 63.80.2.19: icmp_seq=4 ttl=50 time=65.4 ms

--- 63.80.2.19 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 65.460/152.479/371.903/126.992 ms
~ $
So there must be something wrong with the rules I have so far(?) Did I not allow the name lookups right? This has been a pain in the butt, but I feel like I'm learning a lot.
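The question in the first post ("why isn't the script working as is?") and the symptom above (pings by address work, name lookups fail) both come down to the order in which the start) branch appends its INPUT rules. iptables walks a chain top to bottom: the first rule whose target is ACCEPT or DROP decides, and LOG only records and falls through. As an added example, not part of the thread, the Python below models that walk over the script's INPUT chain with a few constructed packets. The thing it makes visible is that the anti-spoofing DROP for 192.168.0.0/16 sits above the RELATED,ESTABLISHED ACCEPT, so on a LAN whose resolver has a 192.168.x.x address (an assumption here, typical of home routers, not something the thread states) every DNS reply is dropped as "spoofed" before conntrack gets a say, while a reply from a public resolver is accepted. The addresses and ports are constructed; the rule set itself is the one in the script.

```python
"""Model of the INPUT chain built by the localfw script's start) branch.

Added example (not from the thread): iptables walks a chain top to bottom and
the first terminating target (ACCEPT/DROP) decides; LOG does not terminate.
The sample packets are constructed; the 192.168.1.1 resolver address is an
assumption about a typical home LAN, not a fact stated in the thread.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    proto: str               # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    iif: str = "eth0"        # input interface (what -i tests)
    syn: bool = False        # True if only the SYN flag is set (what --syn tests)
    state: str = "NEW"       # conntrack state: NEW, ESTABLISHED or RELATED


def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


# Source ranges the script treats as spoofed on INPUT, in the script's order.
SPOOF_NETS = ["255.0.0.0/8", "0.0.0.0/8", "127.0.0.0/8",
              "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]


def build_input_chain():
    """Return the INPUT rules as (predicate, target, description), script order."""
    rules = [(lambda p: p.iif == "lo", "ACCEPT", "-i lo ACCEPT")]
    for net in SPOOF_NETS:
        match = lambda p, net=net: in_net(p.src, net)
        rules.append((match, "LOG", f"-s {net} LOG 'Spoofed source IP'"))
        rules.append((match, "DROP", f"-s {net} DROP"))
    stealth = lambda p: p.proto == "tcp" and not p.syn and p.state == "NEW"
    rules.append((stealth, "LOG", "-p tcp ! --syn --state NEW LOG 'Stealth scan attempt?'"))
    rules.append((stealth, "DROP", "-p tcp ! --syn --state NEW DROP"))
    rules.append((lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT",
                  "--state RELATED,ESTABLISHED ACCEPT"))
    rules.append((lambda p: p.proto == "udp" and p.sport == 53 and 1024 <= p.dport <= 65535,
                  "ACCEPT", "-p udp --sport 53 --dport 1024:65535 ACCEPT"))
    rules.append((lambda p: True, "LOG", "LOG 'Dropped by default (INPUT):'"))
    rules.append((lambda p: True, "DROP", "DROP (catch-all)"))
    return rules


INPUT_CHAIN = build_input_chain()


def walk(chain, pkt):
    """Return (verdict, rule that decided, LOG rules hit on the way)."""
    logged = []
    for match, target, desc in chain:
        if not match(pkt):
            continue
        if target == "LOG":
            logged.append(desc)      # LOG is non-terminating: keep walking
            continue
        return target, desc, logged
    return "DROP", "chain policy", logged   # -P INPUT DROP


# Constructed sample traffic. The first three are replies to traffic this host
# sent, so conntrack has already marked them ESTABLISHED; the last two are probes.
SAMPLES = {
    "dns reply from LAN router 192.168.1.1 (assumed resolver)":
        Packet("192.168.1.1", "udp", sport=53, dport=40123, state="ESTABLISHED"),
    "dns reply from public resolver 8.8.8.8":
        Packet("8.8.8.8", "udp", sport=53, dport=40123, state="ESTABLISHED"),
    "http reply from 198.51.100.20":
        Packet("198.51.100.20", "tcp", sport=80, dport=51234, state="ESTABLISHED"),
    "unsolicited SYN to port 22":
        Packet("203.0.113.7", "tcp", sport=44321, dport=22, syn=True),
    "unsolicited ACK-only segment":
        Packet("198.51.100.9", "tcp", sport=443, dport=51000),
}


def classify_samples():
    return {name: walk(INPUT_CHAIN, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, rule, logged) in classify_samples().items():
        print(f"{verdict:6} {name}\n       decided by: {rule}")
```

Running it prints DROP for the LAN resolver reply, decided by "-s 192.168.0.0/16 DROP", and ACCEPT for the same reply coming from 8.8.8.8. If the resolver really is on the LAN, the usual fix is to move the RELATED,ESTABLISHED rule above the anti-spoof block, or to limit the anti-spoof rules to the ranges that cannot legitimately appear on the LAN interface; which of those is right depends on the network, so check the resolver address first.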
bigbenaugust

Re: iptables script blocking too much

Post by bigbenaugust »

This has been a pain in the butt, but I feel like I'm learning a lot.
:lol: This quote is glorious. 20 years as a UNIX admin... and this sentence just about sums it up.

Back to the issue at hand, if you happen to be blocking outbound DNS (UDP port 53), then that will foul up lookups. But you shouldn't be doing that based on the init script above. But I would take a look at your outbound DNS rule... I might also allow TCP port 53 and make sure the destination ports are valid (they should be).

You may also wish to set an inbound LOG policy to see what's going on.
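The script already has a LOG rule in front of each of its DROPs, so the suggestion above amounts to reading what those rules write to the kernel log. As an added example, not from the thread, here is a small parser over kernel LOG lines of the shape the LOG target produces, run on constructed sample lines that reuse the script's own prefixes (addresses are from documentation ranges, the MAC field is invented). One detail the samples show: the script's --log-prefix strings have no trailing space, so the prefix runs straight into the IN= field ("Spoofed source IPIN=eth0"); ending each prefix with a space keeps them apart and makes log filtering less fragile.

```python
"""Summarize iptables LOG output to see which rule is dropping what.

Added example, not from the thread. SAMPLE_LOG is constructed in the shape the
kernel LOG target writes to syslog/dmesg; the prefixes are the ones the localfw
script uses, the addresses come from documentation ranges and the MAC is made up.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
May  3 10:01:12 mint kernel: [ 1234.567890] Spoofed source IPIN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.1 DST=192.168.1.110 LEN=98 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=40123 LEN=78
May  3 10:01:12 mint kernel: [ 1234.567901] Spoofed source IPIN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.1 DST=192.168.1.110 LEN=98 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=40124 LEN=78
May  3 10:02:40 mint kernel: [ 1322.000001] Dropped by default (INPUT):IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.110 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=54321 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May  3 10:02:41 mint kernel: [ 1323.000002] Stealth scan attempt?IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.9 DST=192.168.1.110 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=443 DPT=51000 WINDOW=0 RES=0x00 ACK URGP=0
May  3 10:02:45 mint kernel: [ 1327.000003] Dropped by default (INPUT):IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.110 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
May  3 10:03:00 mint sshd[812]: Accepted publickey for user from 192.168.1.20 port 50000 ssh2
"""

# Fields the LOG target always emits, in order: prefix, IN=, OUT=, ..., SRC=, DST=,
# ..., PROTO=; SPT=/DPT= follow only for TCP and UDP. The kernel timestamp is optional.
LOG_RE = re.compile(
    r"kernel:\s*(?:\[\s*[\d.]+\]\s*)?"
    r"(?P<prefix>.*?)IN=(?P<iif>\S*) OUT=(?P<oif>\S*)"
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a dict of the LOG fields, or None for lines not written by LOG."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prefix"] = rec["prefix"].strip()    # tolerate prefixes with/without trailing space
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def summarize(log_text):
    """Count drops by rule prefix and by source, and single out dropped DNS replies."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {
        "records": records,
        "by_prefix": Counter(r["prefix"] for r in records),
        "by_src": Counter(r["src"] for r in records),
        # a UDP packet with source port 53 is a resolver answering us
        "dropped_dns_replies": sum(1 for r in records
                                   if r["proto"] == "UDP" and r["spt"] == 53),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for prefix, n in s["by_prefix"].most_common():
        print(f"{n:4}  {prefix}")
    print(f"dropped DNS replies: {s['dropped_dns_replies']}")
    for r in s["records"]:
        print(f"  {r['prefix']!r:32} {r['src']:>15} {r['proto']:4} spt={r['spt']} dpt={r['dpt']}")
```

On a real box the input is `dmesg` or the kernel facility of syslog rather than the embedded sample; the "dropped DNS replies" count is the first number to look at when lookups fail, and the prefix tells which rule in the script caught them.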