Configuring iptables to accept outbound connections

[mrclark219]

Ok, so I am running gentoo and I wanted to use iptables to build a firewall using the stateful rules. The problem is that now the machine that I setup the firewall wont allow outbound connections to it. I run a backup of my other computer that sends it to this machine via ftp, but since I have setup the firewall things went a little haywire. I can't ping the machine. I am wondering if anyone has any advice on how I can tweak my existing rules to allow this outbound connection that I need.

Here are the rules:

#!/bin/sh
export LAN=eth0

#setup logging
#iptables -N logdrop_I
#iptables -A logdrop_I -j LOG --log-prefix "DROP INPUT PACKET"
#iptables -A logdrop_I -j DROP

iptables --flush
iptables --delete-chain
iptables -A INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i ! ${LAN} -j ACCEPT

#http
iptables -A INPUT -s ipaddresses-p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#samba
iptables -A INPUT -s ipaddresses-p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -s ipaddresses-p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -s.ipaddresses -p tcp -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -s ipaddresses-p tcp -m tcp --dport 445 -j ACCEPT
#ftp
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#domain
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT

#ping
iptables -I INPUT -p icmp -j ACCEPT

#output
iptables -A OUTPUT -j ACCEPT

#log
iptables -A INPUT -p tcp -m tcpmulti --dport 22,20,21,53,80,139,445 -j LOG --log-prefix "DROP PACKET:"
iptables -A INPUT -p udp -m udpmulti --dport 137,138 -j LOG --log-prefix "DROP PACKET:"
iptables -A INPUT -p udp --dport 137:138 -j LOG --log-prefix "DROP PACKET:" --log-level info
iptables -A INPUT -p tcp --dport 20:80 -j LOG --log-prefix "DROP PACKET:" --log-level info
iptables -A INPUT -p tcp --dport 445 -j LOG --log-prefix "DROP PACKET:" --log-level info
iptables -A INPUT -p tcp -j LOG --log-prefix "DROP PACKET:" --log-level info

iptables -A OUTPUT -p tcp --sport 0:21 -j LOG --log-prefix "DROP OUTPUT PACKET:" --log-level info
iptables -A OUTPUT -p tcp --sport 23:5000 -j LOG --log-prefix "DROP OUTPUT PACKET:" --log-level info
iptables -A OUTPUT -p udp --sport 0:21 -j LOG --log-prefix "DROP OUTPUT PACKET:" --log-level info
iptables -A OUTPUT -p udp --sport 23:5000 -j LOG --log-prefix "DROP OUTPUT PACKET:" --log-level info
#iptables -A OUTPUT -p tcp -j LOG --log-prefix "DROP PACKET:" --log-level info

#reject everything else
#iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

/etc/init.d/iptables save
_________________
Mr. Clark

[jomen]

If I follow your description and if I see this correctly, the problem is actually inbound connections to that machine?

Your third rule is:

[mrclark219]

Ok, so I changed iptables -A INPUT DROP, to use iptables -P INPUT DROP which makes sense, and seemed to solve the ping problems that I was having. Now, I am having trouble with nmblookup, I run the command: nmblookup -d 5 machine1 which debugs the machine1 should return the machines ip address as well, right? Well as of now, nmblookup is failing, when it queries machine 1 and returns this message..querying neo1 on 192.168.x.x(brdcastip)......Sending a packet of len 50 to (brdcastip) on port 137
Sending a packet of len 50 to (brdcastip) on port 137
Sending a packet of len 50 to (brdcastip) on port 137
name_query failed to find name machine1

any suggestions on what I could now in this instance.

I appreciate you helping me with this situation!!

Thanks,

Thomas Clark
_________________
Mr. Clark

[jomen]

I'm not proficient - only suggesting.
Not much more I can do - just spotted the glitch in the first post.
If someone knows better - please do correct!

The ports to open would be 137, 138, 139 and 445 - for both UDP and TCP.
I'm not sure if both protocols are really needed or if eighter one is enough.
You used UDP for 137, 138 and TCP for 139, 445.

Is "brdcastip" allowed in?

[mrclark219]

brdcastip is and actual value like 192.168.x.x for example, but yes it is allowed in...
_________________
Mr. Clark

[jomen]

broadcast is x.x.x.255 while normal IP's are usually not x.x.x.0 or x.x.x.1 - but everything in between up to x.x.x.254.
Did you allow the whole range like so for example?

[mrclark219]

yeah those netwrok addresses aren't commented out anymore..And the thing still wont allow me to perform the command nmblookup, which needs to work. From what I have read, I shouldn't be able to ping, if nmblookup isnt working, but I can ping the machines. Weird to me!
_________________
Mr. Clark

[jomen]

[mrclark219]

#!/bin/sh
export LAN=eth0

#setup logging
#iptables -N logdrop_I
#iptables -A logdrop_I -j LOG --log-prefix "DROP INPUT PACKET"
#iptables -A logdrop_I -j DROP

iptables --flush
iptables --delete-chain
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i ! ${LAN} -j ACCEPT

#http
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 80 -j ACCEPT
#ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#samba
iptables -A INPUT -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 139 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 445 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 137 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 138 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
#ftp
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#domain
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
#ping
iptables -I INPUT -p icmp -j ACCEPT

#output
iptables -A OUTPUT -j ACCEPT

#log
#iptables -A INPUT -p tcp -m tcpmulti --dport 22,20,21,53,80,139,445 -j LOG --log-prefix "DROP PACKET:"
#iptables -A INPUT -p udp -m udpmulti --dport 137,138 -j LOG --log-prefix "DROP PACKET:"
iptables -A INPUT -p udp --dport 137:138 -j LOG --log-prefix "DROP PACKET:" --log-level info
iptables -A INPUT -p tcp --dport 20:80 -j LOG --log-prefix "DROP PACKET:" --log-level info
iptables -A INPUT -p tcp --dport 445 -j LOG --log-prefix "DROP PACKET:" --log-level info
iptables -A INPUT -p tcp -j LOG --log-prefix "DROP PACKET:" --log-level info

iptables -A OUTPUT -p tcp --sport 0:21 -j LOG --log-prefix "DROP OUTPUT PACKET:" --log-level info
iptables -A OUTPUT -p tcp --sport 23:5000 -j LOG --log-prefix "DROP OUTPUT PACKET:" --log-level info
iptables -A OUTPUT -p udp --sport 0:21 -j LOG --log-prefix "DROP OUTPUT PACKET:" --log-level info
iptables -A OUTPUT -p udp --sport 23:5000 -j LOG --log-prefix "DROP OUTPUT PACKET:" --log-level info
#iptables -A OUTPUT -p tcp -j LOG --log-prefix "DROP PACKET:" --log-level info

#reject everything else
#iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

/etc/init.d/iptables save

is the script that I have, kind sir!
_________________
Mr. Clark

[jomen]

May I suggest to use the "Code" button next time you post code - it looks better and is more readable

Sorry for saying this but: your script is unneccesarily complicated with a lot of redundancy and unused/commented out things.

I'm suggesting this:

[mrclark219]

I'm gonna try it out and see what happens. As far as, apologizing about my code, I wouldn't worry to much about that, as we learn from trial and error. I will let you know if this helps. So you are saying that if this doesn't work, then I may have an issue with samba altogether? I surely hope that is not the case, but I guess we shall see, ey?
_________________
Mr. Clark

[jomen]

[mrclark219]

Ok, so I tried all of your suggestions, I stopped the firewall altogether, and tried using..

[jomen]

wierd - when I ran the script - I could not even ping my Gateway - not even after flushing all the chains (iptables -F)
That clearly shows that I'm in over my head here - but learning myself while at it.

anyway

The samba server runs on the machine with the firewall - yes?
Which machines IP is 192.168.0.1 ? - it is the Gateway

I may have overlooked something - can you try replacing the "samba" portion first with this :

[Hu]

Flushing a chain does not clear any associated policy. Since you are (correctly) using policy to decide the final action for unmatched packets, flushing all chains means the policy applies to all packets. The simplest path forward would be to lower the firewall, start net-analyzer/tcpdump with the appropriate options, run your desired query, and then examine the resulting packet capture to find exactly which protocols and ports are required. We can then write rules to permit those.

[jomen]

well - Tank you!

[mrclark219]

yea the machine with the firewall is also the machine that has samba on it. As far as the suggestion go, trying your samba script does work when I run it the machine freezes up and I have to reboot to get in via ssh..I have tried

[jomen]

The tcpdump-command you posted is no good - and it should have given you an error - or the usage instructions instead.
"-1" is not a valid switch - if it was "-I" then: no need for that if run as root - which I'd suggest
etho is not valid - it would be eth0 instead

[Hu]

[mrclark219]

[post=][/post]This is still a problem for me. I have tried to revise the script several times and it produces the same results the firewall starts up fine, with the exception of the name query issue. I am not sure what the problem is here but someone said that seeing the output of iptables-save -c would help to find the problem.

[mrclark219]

any suggestions?
_________________
Mr. Clark