Noob iptables questions


Post by omschaub » Thu Jun 22, 2006 2:57 pm

Hello all

I have just followed the home router setup and I am EXCITED! I am replacing ClarkConnect with this and all seems to be going fine.


I have a few questions if someone does not mind taking the time to answer. But first off, a small rant about this process. I have been using Linux now for about 5 years and the absolutely MOST confusing thing I have EVER encountered is IPTABLES! ... I have googled and googled, read and read and I still do not even begin to understand this convoluted software, but since it is SO powerful, my thought here is to get it set up like I like it and then leave it alone to do its thing.


For scanning/testing purposes, I am using Shields UP! a great external security testing site that scans your firewall and gives straightforward information on what it finds wrong. (Click the Proceed button on their home page to see scanning options)

Here is my current rules-save (I would LOVE to figure out how some people have these great outputs that are o-so-neat and tidy here in the forums, but I followed the guide and did iptables save and this is the file -- in all its ugly glory.)
  • ETH0 = WAN
  • ETH1 = LAN

Code:

# Generated by iptables-save v1.3.5 on Thu Jun 22 10:15:40 2006
*raw
:PREROUTING ACCEPT [48200274:252288353099]
:OUTPUT ACCEPT [27185728:9211098411]
COMMIT
# Completed on Thu Jun 22 10:15:40 2006
# Generated by iptables-save v1.3.5 on Thu Jun 22 10:15:40 2006
*nat
:PREROUTING ACCEPT [627080:62514317]
:POSTROUTING ACCEPT [421754:36208338]
:OUTPUT ACCEPT [8185:536039]
[434:20832] -A PREROUTING -i eth0 -p tcp -m tcp --dport 49009 -j DNAT --to-destination 192.168.1.155
[0:0] -A PREROUTING -i eth0 -p udp -m udp --dport 6881 -j DNAT --to-destination 192.168.1.155
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 6969 -j DNAT --to-destination 192.168.1.155
[73000:3867142] -A PREROUTING -i eth0 -p tcp -m tcp --dport 38810 -j DNAT --to-destination 192.168.1.155
[344476:32071674] -A PREROUTING -i eth0 -p udp -m udp --dport 38810 -j DNAT --to-destination 192.168.1.155
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 4663 -j DNAT --to-destination 192.168.1.155
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 20060 -j DNAT --to-destination 192.168.1.155
[0:0] -A PREROUTING -i eth0 -p udp -m udp --dport 4666 -j DNAT --to-destination 192.168.1.155
[23:1152] -A PREROUTING -i eth0 -p tcp -m tcp --dport 5901 -j DNAT --to-destination 192.168.1.155
[32:1580] -A PREROUTING -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.1.155
[2693:156224] -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.155
[528806:44341268] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jun 22 10:15:40 2006
# Generated by iptables-save v1.3.5 on Thu Jun 22 10:15:40 2006
*mangle
:PREROUTING ACCEPT [48200282:252288354854]
:INPUT ACCEPT [27454676:241302388472]
:FORWARD ACCEPT [20743966:10985848955]
:OUTPUT ACCEPT [27185727:9211098292]
:POSTROUTING ACCEPT [47929673:20196947449]
COMMIT
# Completed on Thu Jun 22 10:15:40 2006
# Generated by iptables-save v1.3.5 on Thu Jun 22 10:15:40 2006
*filter
:INPUT ACCEPT [374751:439413692]
:FORWARD DROP [22:1228]
:OUTPUT ACCEPT [27157923:9207996179]
[35567:6751290] -A INPUT -i lo -j ACCEPT
[26990985:240841801886] -A INPUT -i eth1 -j ACCEPT
[3:990] -A INPUT -i ! eth1 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -i ! eth1 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
[7812:734960] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
[4327:173392] -A INPUT -i ! eth1 -p tcp -m tcp --dport 0:1023 -j DROP
[39247:13366500] -A INPUT -i ! eth1 -p udp -m udp --dport 0:1023 -j DROP
[0:0] -A INPUT -i eth0 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A FORWARD -d 192.168.1.0/255.255.255.0 -i eth1 -j DROP
[42:2433] -A FORWARD -s 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
[28:2168] -A FORWARD -d 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
[27383:3049283] -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Thu Jun 22 10:15:40 2006

So, on to the questions:

1. Shields UP! reported that my firewall can be pinged from the outside, does anyone know the iptables rule to stop this?

2. Shields UP! reported from the "Most Common and Troublesome Internet Ports" mostly good results (most were STEALTH, which is good). SSH was OPEN, which I programmed in so that I can connect from work. But most troublesome was that ports 1024 - 1030 were not stealthed, but were CLOSED. That means that the firewall responded but that no service was running there. A search for 1024 - 1030 revealed that these were Microsoft specific ports thought to deal with DCOM! Interesting since I only use Windoze for gaming and it runs absolutely no server-type programs. Is it okay to have these ports responsive like this or should they be STEALTHed too? And if so, how do I do this?

3. Time to show my ignorance on all of this: I edited rules-save manually, but I never could get the changes to "stick". Without doing the troublesome iptables -t xxx -L and then counting down and deleting a specific rule then putting it back in, how do you edit these rules easily?

4. If someone has a great (well commented) script that works as a firewall/DNS gateway/DHCP server/etc. I would love to see it. The example provided in the home router howto seems to leave some holes that I am not so sure I like.

Thanks for reading and thanks in advance for any answers!

Post by Rikai » Thu Jun 22, 2006 3:33 pm

Code:

iptables -vL
Will produce output like:

Code:

Chain icmp_allowed (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    eth1    anywhere             anywhere            icmp echo-request
    0     0 ACCEPT     icmp --  eth1   any     anywhere             anywhere            icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state NEW icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state NEW icmp destination-unreachable
    0     0 LOG        icmp --  any    any     anywhere             anywhere            LOG level warning prefix `Bad ICMP traffic:'
    0     0 DROP       icmp --  any    any     anywhere             anywhere
And so on, for all of your chains.

The chain right there is one of the things you are looking for. It's from our firewall/proxy server, which has an interface on the inside, eth1, and on the outside, eth0. That chain is set up so that all icmp packets, except time-exceeded and destination-unreachable, are dropped by the external interface, so that icmp-echo (ping) packets are just dropped with no response, imitating a non-existent computer. What I think is fun about that chain, though, is that it's set up so that on the internal interface it can send out echo-requests, and receive echo replies, but cannot do the opposite. Meaning that it can ping other machines and get a response, but will not respond to ping requests itself.

As far as a script goes, here's an init.d script I got from somewhere and modified. It's got all of my firewall rules, and while there are few comments, I think it's pretty easy to read. When you download it, slap it in your /etc/init.d/ directory, and make sure you "chmod 770" and "chown root:root" it. It's got all the standard start/stop/restart options. Make sure you "rc-update add firewall default".

You will need to change the variables at the top to reflect your network setup.

Oh, I don't remember what specifically I used, but there's a lot of modules/options available for netfilter in the kernel. If something doesn't work, look for a related module in your kernel config.

Post by omschaub » Thu Jun 22, 2006 3:44 pm

Rikai, thanks for letting me look at your script.. it is HUGE, but it seems very thorough. One question about it: you said to put it in init.d and run it at the default level, do you NOT run iptables then? Right now I have iptables at the default level. Thanks again.

Post by Rikai » Thu Jun 22, 2006 3:54 pm

Yeah, you don't need to have iptables in your default runlevel (or any runlevel). This script serves the same purpose, it's just much, much easier to read in my opinion.

There's a lot of stuff in that firewall script you won't need. For example, you're probably not running squid or big brother (which is network monitoring software, not something evil ;), so you can get rid of those chains. There's lots of other stuff I'm sure you'll want to change, but it should be a good starting point.

Post by RiBBiT » Thu Jun 22, 2006 4:00 pm

Well first off, don't trust Steve Gibson or Shields Up! Although I urge everyone to have their own opinions, you might want to read some of this: http://grcsucks.com/

Now for your questions.

1. $IPTABLES -A INPUT -p icmp -j DROP should do it. But I must point out that it is generally seen as a better approach to DENY/DROP all incoming packets by default, and then explicitly ACCEPT the traffic that you want, instead of the other way around.

2. Ok, Steve Gibson is grossly exaggerating the importance of what he calls "stealth". What these things mean (in the context of GRC's Shields Up!) is as follows:

OPEN: Your computer informs the sender that the port is available for connection.
CLOSED: Your computer informs the sender that no process is listening to the specified port, so no connection can be made.
STEALTH: Your computer does not respond at all, OR it responds with a standard ICMP port unreachable packet, which Shields Up! manages to miss completely.

The reason ports 1-1023 are reported as STEALTH is because you have told your iptables to DROP incoming packets to these ports. Right here it is in your file:

Code:

[4327:173392] -A INPUT -i ! eth1 -p tcp -m tcp --dport 0:1023 -j DROP
[39247:13366500] -A INPUT -i ! eth1 -p udp -m udp --dport 0:1023 -j DROP 
Other packets (to ports 1024-1030 for example) pass through iptables, but since no process is listening on these ports you get CLOSED as a result. I recommend you do as I mentioned in 1. and DENY/DROP all incoming packets by default and then explicitly allow the ones that you want.

3. Do you have SAVE_ON_STOP="yes" in your /etc/conf.d/iptables?

4. Sorry, I have never done DNS/DHCP/gateway/etc. stuff with iptables, so I have no such script. I can post the script I use myself for my single end user box though; it is very simple, but it's enough for me.

Code:

# iptables script for Sot [2005-10-30]

IPTABLES="/sbin/iptables"

# Flush rules
$IPTABLES -F
$IPTABLES -X

# Set standard policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# Drop invalid packets
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

# Drop all 127.0.0.1 packets not going through lo
$IPTABLES -A INPUT -i ! lo -s 127.0.0.1 -j DROP
$IPTABLES -A INPUT -i ! lo -d 127.0.0.1 -j DROP
$IPTABLES -A OUTPUT -o ! lo -s 127.0.0.1 -j DROP
$IPTABLES -A OUTPUT -o ! lo -d 127.0.0.1 -j DROP

# Accept ICMP echo-request
$IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT

# Accept loopback
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow established connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept incoming to port 31771 (sshd), block for 60s after 3 login attempts
# $IPTABLES -A INPUT -p tcp -m state --state NEW --dport 31771 -m recent --update --seconds 100 --hitcount 3 --rttl -j DROP
# $IPTABLES -A INPUT -p tcp -m state --state NEW --dport 31771 -m recent --set -j ACCEPT

# Accept incoming to port 4112 (DC)
$IPTABLES -A INPUT -p tcp --dport 4112 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 4112 -j ACCEPT

# Accept incoming to port 53520 (rtorrent)
$IPTABLES -A INPUT -p tcp --dport 53520 -j ACCEPT

# Reject other incoming data
$IPTABLES -A INPUT -j REJECT
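As an added example (not RiBBiT's script and not the home router howto's), here is the default-deny layout RiBBiT recommends applied to the original poster's router: INPUT policy DROP so unlisted ports such as 1024-1030 stop answering, no echo-request rule on the WAN side so outside pings fall through to DROP (question 1), SSH as the only WAN-reachable service, and one of the poster's DNAT port forwards carried over. Interface names (eth0 = WAN, eth1 = LAN), the 192.168.1.0/24 subnet and the forwarded host are assumptions taken from the thread; DRY_RUN=1 prints the rules instead of loading them.

```shell
#!/bin/sh
# Default-deny router ruleset: constructed example for the thread's setup (eth0 = WAN, eth1 = LAN).
# Not the original poster's or RiBBiT's script; interface names and addresses are assumptions.
IPTABLES=${IPTABLES:-/sbin/iptables}
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
DRY_RUN=${DRY_RUN:-0}

# ipt: apply a rule, or print it when DRY_RUN=1 so the ruleset can be reviewed before loading
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# forward_port PROTO PORT HOST: DNAT one WAN port to a LAN host and let that traffic be forwarded
forward_port() {
    ipt -t nat -A PREROUTING -i "$WAN" -p "$1" --dport "$2" -j DNAT --to-destination "$3"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -p "$1" -d "$3" --dport "$2" -m state --state NEW -j ACCEPT
}

build_ruleset() {
    ipt -F; ipt -t nat -F; ipt -X
    # Default deny: anything not accepted below is silently dropped, so unused ports
    # (the 1024-1030 range from the scan) no longer answer at all
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN" -j ACCEPT
    # Out-of-state packets are dropped; replies to connections the router opened are allowed
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only SSH is reachable from the WAN. There is no echo-request rule here, so pings
    # from outside fall through to the DROP policy
    ipt -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # LAN -> WAN with NAT; return traffic is matched by conntrack, nothing else is forwarded
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    forward_port tcp 5900 192.168.1.155   # one of the port forwards from the original rules
}

case "$1" in
    preview) DRY_RUN=1; build_ruleset ;;   # ./firewall.sh preview: print the rules only
    apply)   build_ruleset ;;              # ./firewall.sh apply: run as root to load them
esac
```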