Gentoo Forums
[SOLVED]Can't close ports 1024:65535 without losing internet
Gentoo Forums Forum Index :: Networking & Security
Mardok45
n00b


Joined: 21 Jun 2008
Posts: 69
Location: Right behind you

Posted: Thu May 27, 2010 4:06 pm    Post subject: [SOLVED]Can't close ports 1024:65535 without losing internet

Hi,

I'm trying to set up iptables to act as a NAT and a firewall, but the machine needs internet access.

The problem is I can't open up ports 80, 443, and 53 without also opening up 1024:65535 in order to get internet access.

Is there a way to securely allow UDP/TCP packets through 1024:65535 (or at least a more secure way than the way I'm currently doing it)?
Code:

#!/bin/bash
#Use bash as the shell script

export LAN=eth0 #For readability's sake
export WAN=eth1

iptables -N OPEN-TCP #Create two new chains for handling TCP and UDP packets
iptables -N OPEN-UDP

#Drop anything received by the machine by default
iptables -P INPUT DROP

#Accept anything on the loopback device
iptables -A INPUT -i lo -j ACCEPT

#Accept anything on the LAN
iptables -A INPUT -i $LAN -j ACCEPT

#If we receive a TCP packet on the WAN, send it to the OPEN-TCP chain to determine whether it should be dropped or accepted.
#It will only accept packets that already have an established connection.
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -i $WAN -j OPEN-TCP

#Same as above, except with UDP packets.
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -i $WAN -j OPEN-UDP

#I'll figure out how to handle NAT later
iptables -P FORWARD DROP

#Drop anything sent out by the machine by default
iptables -P OUTPUT DROP

#Allow any packet sent out on the loopback device by default
iptables -A OUTPUT -o lo -j ACCEPT

#Allow any packet sent out on the LAN by default
iptables -A OUTPUT -o $LAN -j ACCEPT

#If any kind of TCP packet is sent out on the WAN, send it to the OPEN-TCP chain to determine if it should be accepted or dropped.
iptables -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -o $WAN -j OPEN-TCP

#Same as above, except with UDP.
iptables -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -o $WAN -j OPEN-UDP

#If the port is on 80, accept
iptables -A OPEN-TCP -p tcp --dport 80 -j ACCEPT

#This is needed for internet access.  Is there a more secure way of doing this?
iptables -A OPEN-TCP -p tcp --dport 1024: -j ACCEPT

#If none of the above rules match, then drop the packet.
iptables -A OPEN-TCP -j DROP

#If we're doing a DNS lookup, accept
iptables -A OPEN-UDP -p udp --dport 53 -j ACCEPT

#This is needed for internet access.  NEED MORE SECURE WAY OF DOING THIS!!!
iptables -A OPEN-UDP -p udp --dport 1024: -j ACCEPT

#If the packet doesn't match any of the above rules, drop it.
iptables -A OPEN-UDP -j DROP


I know there are plenty of vulnerabilities (especially since I need this machine to access the internet), but I'll worry about that later. Right now, I just need a better way of allowing packets through 1024:65535.

Any help will be appreciated.


Last edited by Mardok45 on Thu May 27, 2010 6:35 pm; edited 1 time in total
massimo
Veteran


Joined: 22 Jun 2003
Posts: 1226

Posted: Thu May 27, 2010 5:37 pm    Post subject: Re: Can't close ports 1024:65535 without losing internet acc

Mardok45 wrote:

The problem is I can't open up ports 80,443, and 53 without also opening up 1024:65535 in order to get internet access.

Why do you think that this is the case? What applications do you use that need the latter ports open?
_________________
Hello 911? How are you?
Mardok45
n00b


Joined: 21 Jun 2008
Posts: 69
Location: Right behind you

Posted: Thu May 27, 2010 5:45 pm

I have no idea why that's the case.

I'm running DHCP, FTP, and other things in a VM on the server, but I only want those services on the LAN, which is why I left everything on the LAN side wide open (plus I'm the only one on the LAN, so I don't care what else gets passed around there).

When I remove the UDP rules for ports 1024+ and try a wget, it hangs at DNS resolution.
When I remove the TCP rules for ports 1024+ and try a wget, it hangs when trying to access the website.

I'm new to iptables and NAT, so I'm sorry if this is stupid.
ocbMaurice
Tux's lil' helper


Joined: 14 Feb 2003
Posts: 84
Location: Switzerland

Posted: Thu May 27, 2010 6:21 pm

Hi,

I guess you are simply trying to open a webpage on the gateway.

When you e.g. wget http://somewebpage, this traffic should be seen:

OUTPUT (state = NEW, src port = XXX, dst port = 80)
INPUT (state = ESTABLISHED, src port = 80, dst port = XXX)
then maybe some more OUTPUT/INPUT with state ESTABLISHED

The point is that the src/dst ports are exchanged for INPUT and OUTPUT.

So these rules might be enough:
Code:
iptables -A OPEN-TCP -p tcp --sport 80 -j ACCEPT
iptables -A OPEN-UDP -p udp --sport 53 -j ACCEPT


A far easier and better way is to:
Code:
iptables -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT


Since iptables is stateful, this should be secure, as you already allowed the connection before.
IMO you only need to ACCEPT specific traffic when the state is NEW.

You may also want to add some logging for rejected packets (look up -j LOG).

I'm also not sure if it's wise to use the same chain for IN and OUT filtering.

I hope I got this correct from my memory.

Maurice
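The ruleset the thread arrives at, written out as one script. This is an added example, not code posted by Mardok45 or ocbMaurice: the interface names eth0/eth1 and the ports 53, 80 and 443 are taken from the original post, while the chain names WAN-IN/WAN-OUT, the APPLY switch, the log rate limit and the NAT section (which the original poster left for later) are this example's own choices. It keeps the LAN side wide open as the poster wanted and closes the "--dport 1024:" hole by accepting RELATED,ESTABLISHED traffic on the WAN and deciding per port only for NEW connections.

```bash
#!/bin/bash
# Added example (not the thread's own code): stateful NAT/firewall ruleset.
# eth0/eth1 and ports 53/80/443 come from the original post; the chain names,
# the APPLY switch, the log limit and the NAT part are assumptions of this example.
set -eu

LAN=${LAN:-eth0}
WAN=${WAN:-eth1}

# Rules are printed for review by default; set APPLY=1 to load them for real.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    # Start from clean filter and nat tables, default deny everywhere.
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # One chain per direction, so an inbound reply can never hit an outbound rule.
    ipt -N WAN-IN
    ipt -N WAN-OUT

    # Loopback and the trusted LAN side stay wide open, as in the original script.
    ipt -A INPUT  -i lo     -j ACCEPT
    ipt -A OUTPUT -o lo     -j ACCEPT
    ipt -A INPUT  -i "$LAN" -j ACCEPT
    ipt -A OUTPUT -o "$LAN" -j ACCEPT

    # Packets conntrack cannot classify at all are dropped before anything else.
    ipt -A INPUT  -i "$WAN" -m state --state INVALID -j DROP
    ipt -A OUTPUT -o "$WAN" -m state --state INVALID -j DROP

    # This pair replaces the "--dport 1024:" hole. The DNS answer or HTTP data that
    # comes back has a high destination port, but conntrack already knows the
    # connection, so it is ESTABLISHED and needs no port rule at all.
    ipt -A INPUT  -i "$WAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Only the first packet of a connection needs a per-port decision.
    ipt -A INPUT  -i "$WAN" -m state --state NEW -j WAN-IN
    ipt -A OUTPUT -o "$WAN" -m state --state NEW -j WAN-OUT

    # Nothing on the Internet may open a connection to the gateway itself.
    # Log at a bounded rate so a flood cannot fill the disk, then drop.
    ipt -A WAN-IN -m limit --limit 5/min -j LOG --log-prefix "WAN-IN drop: "
    ipt -A WAN-IN -j DROP

    # The gateway itself may only open DNS, HTTP and HTTPS connections.
    ipt -A WAN-OUT -p udp --dport 53  -j ACCEPT
    ipt -A WAN-OUT -p tcp --dport 53  -j ACCEPT
    ipt -A WAN-OUT -p tcp --dport 80  -j ACCEPT
    ipt -A WAN-OUT -p tcp --dport 443 -j ACCEPT
    ipt -A WAN-OUT -m limit --limit 5/min -j LOG --log-prefix "WAN-OUT drop: "
    ipt -A WAN-OUT -j DROP

    # NAT for the LAN (the part the original poster deferred): LAN hosts may open
    # connections out through the WAN, and only replies to those come back in.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    ipt -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
}

build_rules
# Forwarding between LAN and WAN also needs the kernel switch turned on.
if [ "${APPLY:-0}" = 1 ]; then
    sysctl -w net.ipv4.ip_forward=1
fi
```

Run it as-is to see the rules it would load; run it as root with APPLY=1 to load them. Order matters: the RELATED,ESTABLISHED accept must come before the NEW jumps, otherwise replies would be judged by the per-port chains and the original problem would return. Newer iptables also accept `-m conntrack --ctstate` with the same state names; `-m state` is used here to match the syntax in the thread.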
Mardok45
n00b


Joined: 21 Jun 2008
Posts: 69
Location: Right behind you

Posted: Thu May 27, 2010 6:34 pm

ocbMaurice wrote:

So this rule might be enough:
Code:
iptables -A OPEN-TCP -p tcp --sport 80 -j ACCEPT
iptables -A OPEN-UDP -p udp --sport 53 -j ACCEPT



That did it. Thanks.

And yeah, it probably isn't a good idea to use the same custom chains for IN/OUT, that'll get changed.