Wizumwalt Guru
Joined: 20 Aug 2006 Posts: 547
Posted: Sat Jul 05, 2014 2:06 am Post subject: iptables help
I'm running Gentoo and have started learning iptables, although I haven't figured out how to properly add rules using /etc/init.d/iptables. So instead, what I've done is use the following script. This is the start of my basic firewall.
My problem is that once this is loaded ... my web browser either doesn't load pages at all, or I can hit basic pages like google.com very slowly. It almost sounds like a domain resolving issue.
Any help much appreciated.
Code:
#!/bin/bash
start() {
# clear current ruleset
iptables -F
iptables -X
iptables -Z
# set the default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# allow traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
# accept incoming traffic based on established connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP bootp
iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
# allow connections to port 22
# iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT
# allow icmp
#iptables -A INPUT -p icmp -j ACCEPT
# drop broadcast/multicast packets (so as not to fill the log file)
iptables -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP
# log everything else
iptables -A INPUT -j LOG
}
stop() {
iptables -F
iptables -t nat -F
iptables -X
iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
}
if [ "$1" = "start" ]
then
start
elif [ "$1" = "stop" ]
then
stop
fi
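To see what the first post's catch-all LOG rule is actually discarding, here is an added diagnostic script (not code from the thread): it tallies the kernel LOG lines that look like replies to traffic the host opened itself (DNS answers, HTTP/HTTPS data, ICMP echo replies) and reports which interface they arrived on, which can be compared with the "-i eth0" restriction on the ESTABLISHED,RELATED rule in that script. The log lines are a constructed sample; pipe in dmesg output in real use.

```shell
#!/bin/sh
# Added example, not code from the thread. The first post's INPUT chain ends
# in "iptables -A INPUT -j LOG", so anything the ESTABLISHED,RELATED and lo
# rules did not accept is logged just before the DROP policy discards it.
# SAMPLE_LOG is a constructed stand-in for `dmesg` output in the LOG format.
SAMPLE_LOG='kernel: IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.10 LEN=98 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=40123 LEN=78
kernel: IN=wlan0 OUT= SRC=192.168.1.1 DST=192.168.1.10 LEN=110 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=40124 LEN=90
kernel: IN=wlan0 OUT= SRC=74.125.1.1 DST=192.168.1.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=51000 WINDOW=65535 RES=0x00 ACK SYN URGP=0
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=wlan0 OUT= SRC=8.8.8.8 DST=192.168.1.10 LEN=84 TTL=55 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1234 SEQ=1'

# Print "iface proto sport count" for each logged packet that is a reply to
# traffic this host initiated. Unsolicited packets (the SYN to port 22 above)
# are expected in the log and are left out.
logged_replies() {
  printf '%s\n' "$SAMPLE_LOG" | awk '
    {
      iface = "-"; proto = "-"; sport = "-"; icmptype = "-"
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "IN") iface = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "SPT") sport = kv[2]
        else if (kv[1] == "TYPE") icmptype = kv[2]
      }
      if ((proto == "UDP" && sport == "53") ||
          (proto == "TCP" && (sport == "80" || sport == "443")) ||
          (proto == "ICMP" && icmptype == "0"))
        count[iface " " proto " " sport]++
    }
    END { for (k in count) print k, count[k] }'
}

# Number of DNS answers that were logged (and so dropped): a non-zero value
# matches the "looks like a name resolution problem" symptom.
count_logged_dns_replies() {
  logged_replies | awk '$2 == "UDP" && $3 == "53" { n += $4 } END { print n + 0 }'
}

# Interfaces the dropped replies arrived on. Compare this with any "-i <iface>"
# on the ESTABLISHED,RELATED rule: the first post binds that rule to eth0, so
# replies arriving on a different interface never match it.
reply_ifaces() {
  logged_replies | awk '{ print $1 }' | sort -u
}

logged_replies
printf 'dropped DNS answers: %s\n' "$(count_logged_dns_replies)"
printf 'interfaces: %s\n' "$(reply_ifaces | tr '\n' ' ')"
```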
Tractor Girl Apprentice
Joined: 16 May 2013 Posts: 159
Posted: Sat Jul 05, 2014 3:16 am Post subject:
Quote: iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
This one is deprecated, you should use something like:
Code: iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Quote: iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT
Same here, but the whole state part is probably unnecessary. You definitely should change the default ssh port.
If you care about security, it is a good idea to set the output policy to DROP.
As for iptables autostart, just load the rules, and run:
Quote: rc-update add iptables default
Here's a simple example with logging:
Code:
#!/bin/bash
#### Clear ####
iptables -F
iptables -X
#++++++++++++++
#### Policy ####################
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#+++++++++++++++++++++++++++++++
##### CUSTOM CHAINS ####################################################################
# Icmp
iptables -N ICMP
iptables -A ICMP -m limit --limit 15/minute -j LOG --log-prefix "Icmp: "
iptables -A ICMP -j DROP
# Bad Flags, Bogus etc.
iptables -N BOGUS
iptables -A BOGUS -m limit --limit 15/minute -j LOG --log-prefix "Bogus: "
iptables -A BOGUS -j DROP
# Lan Spoof
iptables -N LANSPOOF
iptables -A LANSPOOF -m limit --limit 15/minute -j LOG --log-prefix "LanSpoof: "
iptables -A LANSPOOF -j DROP
# Loopback Spoof
iptables -N LOOPSPOOF
iptables -A LOOPSPOOF -m limit --limit 15/minute -j LOG --log-prefix "LoopSpoof: "
iptables -A LOOPSPOOF -j DROP
# Final Firewall
iptables -N FIREWALL
iptables -A FIREWALL -m limit --limit 15/minute -j LOG --log-prefix "Firewall: "
iptables -A FIREWALL -j DROP
#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
##### INPUT BLOCK ##############################################################################
# Drop all ICMP
iptables -A INPUT -p icmp -j ICMP
# LAN Spoof
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j LANSPOOF
iptables -A INPUT -i wlan0 -s 192.168.0.0/24 -j LANSPOOF
# Loopback Spoof
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j LOOPSPOOF
# Fragments
iptables -A INPUT -f -j BOGUS
# Bogus packets
iptables -A INPUT -m conntrack --ctstate INVALID -j BOGUS
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j BOGUS
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j BOGUS
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j BOGUS
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j BOGUS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j BOGUS
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j BOGUS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j BOGUS
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j BOGUS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j BOGUS
iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j BOGUS
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j BOGUS
iptables -A INPUT -m conntrack --ctstate NEW,RELATED -p tcp ! --tcp-flags ALL SYN -j BOGUS
#----- INPUT ACCEPT ----------------------------------------------------------------------------
# Already established and related
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Loopback
iptables -A INPUT -i lo -j ACCEPT
#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
##### OUTPUT BLOCK #####################################################################
# Drop all ICMP
iptables -A OUTPUT -p icmp -j ICMP
# Bogus packets
iptables -A OUTPUT -m conntrack --ctstate INVALID -j BOGUS
#---- OUTPUT ACCEPT --------------------------------------------------------------------
# Loopback
iptables -A OUTPUT -o lo -j ACCEPT
# Dns
iptables -A OUTPUT -p udp --dport 53 -d 208.67.222.222 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -d 208.67.220.220 -j ACCEPT
# Services
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 873 -j ACCEPT
#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
##### FORWARD BLOCK ####################################################################
# Bogus Packets
iptables -A FORWARD -m conntrack --ctstate INVALID -j BOGUS
#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
##### FINAL CATCH ALL ##########
iptables -A INPUT -j FIREWALL
iptables -A OUTPUT -j FIREWALL
#+++++++++++++++++++++++++
Do your connectivity problems also occur with blank iptables?
Run this script and check it:
Code:
#!/bin/bash
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
You can check currently loaded rules with
szatox Advocate
Joined: 27 Aug 2013 Posts: 3131
Posted: Sat Jul 05, 2014 1:01 pm Post subject:
Quote: Although I haven't figured out how to properly add rules using /etc/init.d/iptables
1) configure iptables by hand
2) run /etc/init.d/iptables save
3) run rc-config add iptables
The config you have just applied manually will be restored the next time your system enters the currently active runlevel (most likely 3, the default).
Also, since the default policy is accept, the most basic (and most defensive) config goes like this:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This should let you call the world and hear an answer, but nobody out there will be able to call you first.
At least on IPv4. IPv6 requires a second set of iptables rules.