Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] Can't configure iptables
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
somethin
n00b
n00b


Joined: 19 Jan 2016
Posts: 37

PostPosted: Fri Jun 10, 2016 4:39 pm    Post subject: [SOLVED] Can't configure iptables Reply with quote

I can't understand how to configure iptables.
I use the following script to configure it:
Code:
#!/bin/bash

iptables -F
iptables -X
iptables -Z
iptables -N TCP
iptables -N UDP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

This script is from Arch Linux Wiki and I should be able to open ports only by adding rules to the TCP (or UDP) chain.
But nmap says that some ports are open
Code:
$ nmap $(wget http://ipinfo.io/ip -qO -)

Starting Nmap 7.01 ( https://nmap.org ) at 2016-06-10 19:37 EEST
Nmap scan report for litenet1.ett.ua (78.154.164.202)
Host is up (0.017s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
53/tcp   open     domain
80/tcp   open     http
1723/tcp open     pptp
3784/tcp filtered bfd-control
8001/tcp open     vcom-tunnel
8009/tcp open     ajp13
8291/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds

Why are these ports open and how can I open only specific ports ?


Last edited by somethin on Mon Jun 13, 2016 4:26 pm; edited 1 time in total
Back to top
View user's profile Send private message
szatox
Veteran
Veteran


Joined: 27 Aug 2013
Posts: 1725

PostPosted: Fri Jun 10, 2016 5:00 pm    Post subject: Reply with quote

Code:
nmap $(wget http://ipinfo.io/ip -qO -)

Are you aware that you're testing your ISP's router?
By the services it discovered I'm almost sure that it's not your own PC, and you're behind NAT
Back to top
View user's profile Send private message
somethin
n00b
n00b


Joined: 19 Jan 2016
Posts: 37

PostPosted: Fri Jun 10, 2016 5:09 pm    Post subject: Reply with quote

...So, Do I need to run "nmap localhost" or "nmap 192.168.0.100" ?
Back to top
View user's profile Send private message
somethin
n00b
n00b


Joined: 19 Jan 2016
Posts: 37

PostPosted: Fri Jun 10, 2016 5:12 pm    Post subject: Reply with quote

Btw, I can acces internet with web browser, so port 80 is still open.
Back to top
View user's profile Send private message
cboldt
l33t
l33t


Joined: 24 Aug 2005
Posts: 829

PostPosted: Fri Jun 10, 2016 7:32 pm    Post subject: Reply with quote

You should scan your computer from an unrelated network, if you want to see what is open to others on unrelated networks.

http://www.whatsmyip.org/port-scanner/ has a selection of scanning routines.
Back to top
View user's profile Send private message
somethin
n00b
n00b


Joined: 19 Jan 2016
Posts: 37

PostPosted: Fri Jun 10, 2016 8:49 pm    Post subject: Reply with quote

1. http://www.whatsmyip.org/port-scanner/ show that ports 53,80,1723,,8001,8009,8291 are open.
2. Here is an experiment:
Code:
$ sudo iptables-save
# Generated by iptables-save v1.4.21 on Fri Jun 10 23:41:19 2016
*mangle
:PREROUTING ACCEPT [3:640]
:INPUT ACCEPT [2:64]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Fri Jun 10 23:41:19 2016
# Generated by iptables-save v1.4.21 on Fri Jun 10 23:41:19 2016
*filter
:INPUT DROP [2:64]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Jun 10 23:41:19 2016
$ netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State     
$ sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ chromium-browser https://google.com &> /dev/null & disown
[1] 3280
$ netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State     
tcp        0      0 192.168.0.100:57476     173.194.113.215:https   ESTABLISHED
tcp        0      0 192.168.0.100:36760     bud02s23-in-f13.1:https TIME_WAIT 
tcp      398      0 192.168.0.100:32774     bud02s22-in-f3.1e:https ESTABLISHED
tcp      398      0 192.168.0.100:57480     173.194.113.215:https   ESTABLISHED
tcp      398      0 192.168.0.100:57478     173.194.113.215:https   ESTABLISHED
tcp        0      0 192.168.0.100:36774     bud02s23-in-f13.1:https ESTABLISHED
tcp        0      0 192.168.0.100:48004     bud02s23-in-f14.1:https ESTABLISHED
tcp        0      0 192.168.0.100:41708     lf-in-f239.1e100.:https ESTABLISHED
tcp        0      0 192.168.0.100:41694     lf-in-f239.1e100.:https TIME_WAIT 
tcp        0      0 192.168.0.100:47994     bud02s23-in-f14.1:https TIME_WAIT 
tcp        0      0 192.168.0.100:32772     bud02s22-in-f3.1e:https ESTABLISHED
tcp        0      0 192.168.0.100:58260     173.194.113.216:https   TIME_WAIT

It seems that "sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" opens every port, but it shouldn't.
Back to top
View user's profile Send private message
cboldt
l33t
l33t


Joined: 24 Aug 2005
Posts: 829

PostPosted: Fri Jun 10, 2016 9:15 pm    Post subject: Reply with quote

Quote:
It seems that "sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" opens every port, but it shouldn't.


It opens all the ports, but only for traffic that started at the firewalled machine. Otherwise, you'd have had to make firewall rules for incoming to those higher number ports like 57576, or incoming from 443 (https).

As for your router/network showing ports 3,80,1723,,8001,8009,8291 as open, your netstat command isn't showing the inactive but open and listening ports, and it isn't showing the UDP ports. Try `netstat -tul` to see both TCP and UDP packets, but only the ports that are LISTENING. You can also do `netstat -tua` to see all the ports, LISTENING, ESTABLISHED, and WAITING. Depending on your preference for reading the report, you can add a "n" to show the numeric port instead of named, and you can add a "p" to show the program that has that port open.
Back to top
View user's profile Send private message
somethin
n00b
n00b


Joined: 19 Jan 2016
Posts: 37

PostPosted: Fri Jun 10, 2016 9:58 pm    Post subject: Reply with quote

1. sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT should allow traffic that is already ESTABLISHED or RELATED to established connection. There is different state for NEW connections. See man iptables-extensions(8 ).
2. netstat -tua before applying rule right after the reboot shows only udp 0 0 0.0.0.0:bootpc 0.0.0.0:* .
Back to top
View user's profile Send private message
cboldt
l33t
l33t


Joined: 24 Aug 2005
Posts: 829

PostPosted: Fri Jun 10, 2016 10:54 pm    Post subject: Reply with quote

So far, so good. When you open chromium, or another browser, and hook up to a website or three, you will have connections between the firewalled computer and http/https ports at the websites.

Still a mystery as to what is opening that handful of ports (53,80,1723,,8001,8009,8291), but `netstat -tuap`will show what is running on the firewalled machine, that might be LISTENING for packets destined for those ports. Your router might offer some ports to the outside world too.
Back to top
View user's profile Send private message
somethin
n00b
n00b


Joined: 19 Jan 2016
Posts: 37

PostPosted: Fri Jun 10, 2016 11:49 pm    Post subject: Reply with quote

Just to clarify the problem.
What I do:
Code:
sudo iptables -F
sudo iptables -X
sudo iptables -Z
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P INTPUT DROP
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

What I expect to happen: All ports are closed unless I do
Code:
sudo iptables -N TCP
sudo iptables -N UDP
sudo iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
sudo iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
sudo iptables -A <TCP/UDP> -p <tcp/udp> --dport <port> -j ACCEPT

What happens: All ports are open (not all ports because, maybe, I am behind my router's firewall).
Back to top
View user's profile Send private message
cboldt
l33t
l33t


Joined: 24 Aug 2005
Posts: 829

PostPosted: Sat Jun 11, 2016 12:01 am    Post subject: Reply with quote

How do you reach the conclusion that any port is open?

If you leave the firewall in the condition you just described, and use the port scanner form an external website, any ports that the port scanner sees are NOT on the computer running the firewall. You can prove that with `netstat -tua`.

If you want all the ports to the outside closed, including RELATED and ESTABLISHED connections, you won't be able to do much on the external network.
Back to top
View user's profile Send private message
somethin
n00b
n00b


Joined: 19 Jan 2016
Posts: 37

PostPosted: Sat Jun 11, 2016 12:13 am    Post subject: Reply with quote

Well, when I leave the firewall in the condition I just described, I am able to use web browser to load any page, which means ports 80 and 443 are open and can be further proven with netstat -tua.

And, why open ports determined via port scanner are NOT on my computer, which is running firewall ?
Back to top
View user's profile Send private message
cboldt
l33t
l33t


Joined: 24 Aug 2005
Posts: 829

PostPosted: Sat Jun 11, 2016 12:27 am    Post subject: Reply with quote

From the `netstat -tua` lines you gave before, ports 80 and 443 are open on the HOST computer (website server, "Foreign address" column in the netstat report), not the computer that the browser/firewall are running on (Local address).

We haven't figured out why ports 53,80,1723,8001,8009,8291 are shown as open when you probe from the outside, but if those ports don't show up in the "Local address" column of `netstat -tua`, then those ports aren't open on your computer.

Where are they open? Well, your router is a separate computer, and you are going to have to learn how to read its configuration. On the system I have here, the router can forward certain NEW packets to any computer I choose, on the local network. My router forwards SSH packets to one computer on the inside, and forwards TELNET and FTP packets to a separate machine that runs as a honeypot (no telnet or ftp service running, but the packets come through - persistent attempts result in closing the firewall to blocks of IP address). When I portscan from the outside, it looks like the system has live TELNET and FTP services, the ports are opern, but there is nobody home (`netstat -tua` shows no open TELNET or FTP port, no service running there).
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5637

PostPosted: Sat Jun 11, 2016 5:16 pm    Post subject: Reply with quote

somethin wrote:
1. sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT should allow traffic that is already ESTABLISHED or RELATED to established connection.

Such as the connection you establish by sending a SYN packet from your web browser...
Back to top
View user's profile Send private message
szatox
Veteran
Veteran


Joined: 27 Aug 2013
Posts: 1725

PostPosted: Sun Jun 12, 2016 9:05 am    Post subject: Reply with quote

Quote:
Well, when I leave the firewall in the condition I just described, I am able to use web browser to load any page, which means ports 80 and 443 are open

No, it doesn't.
When you use web browser to load "any page", it means that the "any" machine hosting that any page has port 80 open. You are using random port to initiate the connection, and firewalls are usually set to allow outgoing traffic (output policy accept) and accept incoming traffic you expected (conntrac ESTABLISHED,RELATED accept).
Still, if you want to test your firewall, you must first ensure you're testing the correct machine.
Use another computer within your LAN to scan your machine's IP. Within LAN you can compare MAC reported by nmap to the one assigned to the interface you want to scan.

Also, make sure to accept all traffic incoming via local loopback.
Back to top
View user's profile Send private message
somethin
n00b
n00b


Joined: 19 Jan 2016
Posts: 37

PostPosted: Mon Jun 13, 2016 4:25 pm    Post subject: Reply with quote

Ok, thanks, I understand now. And, I guess, open ports are because of the router.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum