
#1 2008-09-27 11:21:03

initbox
Member
Registered: 2008-09-27
Posts: 172

iptables questions

Right... So I've been thinking about making a simple iptables-firewall that will just DROP everything except the ports I specifically open. I don't really care about using the "allow all the connections that I started"-method.

Would it be practical? I'm not really experienced with ports though, so I'm not really certain about what ports I NEED to have open/un-dropped for basic functioning. I'm guessing at least 80, 443, 53/67/68? And even if I open 80 and 443 for web browsing, will they appear as closed and not be forced open if I use the ACCEPT flag in iptables?

Would DNS create a problem though? Because of the Kaminsky-issue and the subsequent fix that randomized ports? I'm not really sure if I remember the issue correctly anymore so this might be incorrect :P (as a client only, that is)

And will I HAVE to use the -p flag for some rules or can I just leave it out and it will count for both TCP and UDP? Oh, and, what would be a reasonable way of finding out the ports I need in case I need to open additional ports. netstat seems to be a bit messy.

Cheers. And first post :P


#2 2008-09-27 12:12:51

Ramses de Norre
Member
From: Leuven - Belgium
Registered: 2007-03-27
Posts: 1,289

Re: iptables questions

On my laptop I have this simple script:

*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14:738]
:INPUT DROP [21:1646]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.123.1/24 -j ACCEPT

COMMIT

It DROPS all input and allows all output, then I accept related and established connections (otherwise you've got no networking), allow localhost (necessary!) and my intranet. If you need to allow a port, e.g. ssh, you'd add something like

-A INPUT -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW --dport 22 -j ACCEPT

By the way, you don't need to open port 80 to browse websites, you only want to open that port if you serve webpages.


#3 2008-09-27 12:35:05

chochem
Member
From: Denmark
Registered: 2008-03-02
Posts: 176
Website

Re: iptables questions

I'm sort of in the same position, except that my firewall is on my router which makes FORWARD rules the interesting ones. I can certainly say that it's a good way to learn about ports and packets and iptables but I think Ramses' suggestions look reasonable. Keep it simple.

And will I HAVE to use the -p flag for some rules or can I just leave it out and it will count for both TCP and UDP?

Actually I'm kinda curious about this as well - if I leave out the -p flag the command just doesn't have any effect.

Oh, and, what would be a reasonable way of finding out the ports I need in case I need to open additional ports. netstat seems to be a bit messy.

Google and wireshark (AUR) are my only suggestions. If you need to find common stuff like your bittorrent client's ports, it's usually in the settings or else it can usually be found really easily on the web. To open up for a web service to see my webcam, I had to spend some time poring over the traffic logs in wireshark.

Last edited by chochem (2008-09-27 12:36:39)


#4 2008-09-27 15:31:00

initbox
Member
Registered: 2008-09-27
Posts: 172

Re: iptables questions

By the way, you don't need to open port 80 to browse websites, you only want to open that port if you serve webpages.

Does that apply when you allow established connections or always? I'd think that the packets need to go somewhere :P

I can certainly say that it's a good way to learn about ports and packets and iptables but I think Ramses' suggestions look reasonable. Keep it simple.

Yeah keeping things simple is usually the best way to go about things.. But I really want to do this the difficult way so i can learn more about networking etc.

Google and wireshark (AUR) are my only suggestions. If you need to find common stuff like your bittorrent client's ports, it's usually in the settings or else it can usually be found really easily on the web. To open up for a web service to see my webcam, I had to spend some time poring over the traffic logs in wireshark.

Yeah Google is pretty obvious. Wireshark I've tried to use but it freezes when I start capturing, at least on Ubuntu/Debian. Even as root.

Now that I've been thinking about this for some time, I'm even more curious about DNS...


#5 2008-09-27 15:40:45

Ramses de Norre
Member
From: Leuven - Belgium
Registered: 2007-03-27
Posts: 1,289

Re: iptables questions

initbox wrote:

By the way, you don't need to open port 80 to browse websites, you only want to open that port if you serve webpages.

Does that apply when you allow established connections or always? I'd think that the packets need to go somewhere :P

When you visit a site, you make a request to the server on port 80, so port 80 on that server, you then get a connection from your pc to the server. The connection uses some high-numbered port on your pc, if it would use port 80, you could only visit one website at a time, as you only have one port 80... So you never need to open port 80 to browse the internet. Allowing established connections however is necessary whatsoever, as you would be dropping the server's reply if you don't, making it quite useless to send out requests, because you don't allow answers.

If it still isn't clear, you should read up a bit about the tcp/ip protocol.

initbox wrote:

I can certainly say that it's a good way to learn about ports and packets and iptables but I think Ramses' suggestions look reasonable. Keep it simple.

Yeah keeping things simple is usually the best way to go about things.. But I really want to do this the difficult way so i can learn more about networking etc.

Then set up a {ssh,file,web,database,...}-server, there is no sense in trying to make a complex firewall if your machine is only sending out requests and dropping all input.

initbox wrote:

Google and wireshark (AUR) are my only suggestions. If you need to find common stuff like your bittorrent client's ports, it's usually in the settings or else it can usually be found really easily on the web. To open up for a web service to see my webcam, I had to spend some time poring over the traffic logs in wireshark.

Yeah Google is pretty obvious. Wireshark I've tried to use but it freezes when I start capturing, at least on Ubuntu/Debian. Even as root.

Now that I've been thinking about this for some time, I'm even more curious about DNS...

What has DNS to do with all this?


#6 2008-09-27 15:41:41

Ramses de Norre
Member
From: Leuven - Belgium
Registered: 2007-03-27
Posts: 1,289

Re: iptables questions

initbox wrote:

By the way, you don't need to open port 80 to browse websites, you only want to open that port if you serve webpages.

Does that apply when you allow established connections or always? I'd think that the packets need to go somewhere :P

When you visit a site, you make a request to the server on port 80, so port 80 on that server, you then get a connection from your pc to the server. The connection uses some high-numbered port on your pc, if it would use port 80, you could only visit one website at a time, as you only have one port 80... So you never need to open port 80 to browse the internet. Allowing related and established connections however is necessary whatsoever, as you would be dropping the server's reply if you don't, making it quite useless to send out requests, because you don't allow answers.

If it still isn't clear, you should read up a bit about the tcp/ip protocol.

initbox wrote:

I can certainly say that it's a good way to learn about ports and packets and iptables but I think Ramses' suggestions look reasonable. Keep it simple.

Yeah keeping things simple is usually the best way to go about things.. But I really want to do this the difficult way so i can learn more about networking etc.

Then set up a {ssh,file,web,database,...}-server, there is no sense in trying to make a complex firewall if your machine is only sending out requests and dropping all input.

initbox wrote:

Google and wireshark (AUR) are my only suggestions. If you need to find common stuff like your bittorrent client's ports, it's usually in the settings or else it can usually be found really easily on the web. To open up for a web service to see my webcam, I had to spend some time poring over the traffic logs in wireshark.

Yeah Google is pretty obvious. Wireshark I've tried to use but it freezes when I start capturing, at least on Ubuntu/Debian. Even as root.

Now that I've been thinking about this for some time, I'm even more curious about DNS...

What has DNS to do with all this?

Last edited by Ramses de Norre (2008-09-27 15:42:02)


#7 2008-09-27 15:52:24

initbox
Member
Registered: 2008-09-27
Posts: 172

Re: iptables questions

When you visit a site, you make a request to the server on port 80, so port 80 on that server, you then get a connection from your pc to the server. The connection uses some high-numbered port on your pc, if it would use port 80, you could only visit one website at a time, as you only have one port 80... So you never need to open port 80 to browse the internet. Allowing related and established connections however is necessary whatsoever, as you would be dropping the server's reply if you don't, making it quite useless to send out requests, because you don't allow answers.

If it still isn't clear, you should read up a bit about the tcp/ip protocol.

I didn't figure that the connection would use some high numbered port on my pc instead of just port 80. It's kind of obvious now that I think about it though.

Allowing related and established connections however is necessary whatsoever, as you would be dropping the server's reply if you don't, making it quite useless to send out requests, because you don't allow answers.

This is indeed the case if the programs use random high-number ports. If only some specific ports were used, it would work.

What has DNS to do with all this?

Well the Kaminsky-vulnerability this year.. I thought they fixed it by making DNS use random ports (at least on servers) but I -think- that even DNS-clients now use random ports.

Apparently my brilliant plan would be hard to put into action because of all the random ports. I guess it would be possible if you only had specific ports that are in use. Allowing New/Established connections seems to be the way I have to go. Unless it can be specified which ports you use for www-requests (and DNS?). But having to specify only some ports for DNS would be bad so it would be best to have a separate rule for them, but that would be hard if not impossible..

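As an added illustration, not code from this thread or from any of its posters, the script below models the two approaches discussed here (Ramses' stateful ruleset with his ssh rule, and the first post's "just open the ports I use" list) with a small stateful packet filter, so the point about replies arriving on random high-numbered ports can be checked on constructed packets. The Filter class, the pkt() helper, the scenario functions and all addresses and port numbers are assumptions made for this example; only the iptables matches the thread uses are implemented, and RELATED is not modelled.

```python
"""Toy model of the INPUT/OUTPUT decision for this thread's rulesets: the matches used there
(-i, -s, -p, --dport, --syn, -m state --state) and a minimal conntrack table. Not netfilter."""
import ipaddress
import shlex

def pkt(proto, src, sport, dst, dport, iface="eth0", syn=False):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, iface=iface, syn=syn)

class Filter:
    def __init__(self, ruleset):
        self.policy, self.rules, self.conntrack = {}, {}, set()
        for raw in ruleset.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line or line in ("*filter", "COMMIT"):
                continue
            if line.startswith(":"):                       # :CHAIN POLICY [pkts:bytes]
                chain, policy = line[1:].split()[:2]
                self.policy[chain] = policy
            elif line.startswith("-A"):                    # -A CHAIN <matches> -j TARGET
                rule = self._parse(shlex.split(line)[1:])
                self.rules.setdefault(rule["chain"], []).append(rule)

    @staticmethod
    def _parse(tokens):
        rule, it = {"chain": tokens[0]}, iter(tokens[1:])
        for tok in it:
            if tok == "--syn":
                rule["syn"] = True
            elif tok == "-m":
                next(it)                                   # module name; only 'state' is modelled
            elif tok == "--state":
                rule["state"] = set(next(it).split(","))
            elif tok in ("-i", "-s", "-p", "--dport", "-j"):
                rule[tok] = next(it)
            else:
                raise ValueError("unsupported option " + tok)
        if "-s" in rule:  # strict=False accepts 192.168.123.1/24 as iptables does
            rule["-s"] = ipaddress.ip_network(rule["-s"], strict=False)
        return rule

    @staticmethod
    def _matches(r, p, state):
        return not any((
            "-i" in r and r["-i"] != p["iface"],
            "-s" in r and ipaddress.ip_address(p["src"]) not in r["-s"],
            "-p" in r and r["-p"] != p["proto"],
            "--dport" in r and int(r["--dport"]) != p["dport"],
            r.get("syn") and not p["syn"],
            "state" in r and state not in r["state"],
        ))

    def verdict(self, chain, p):
        # conntrack: ESTABLISHED if this host already sent a packet on the reverse 5-tuple
        reverse = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        state = "ESTABLISHED" if reverse in self.conntrack else "NEW"
        for r in self.rules.get(chain, []):
            if self._matches(r, p, state):
                return r["-j"]                             # first matching rule wins
        return self.policy.get(chain, "ACCEPT")            # otherwise the chain policy

    def send(self, p):
        """OUTPUT: an accepted outgoing packet creates the conntrack entry."""
        if self.verdict("OUTPUT", p) == "ACCEPT":
            self.conntrack.add((p["proto"], p["src"], p["sport"], p["dst"], p["dport"]))

# Ramses' script plus his ssh rule: the thread's stateful approach.
STATEFUL = """*filter
:OUTPUT ACCEPT [0:0]
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.123.1/24 -j ACCEPT
-A INPUT -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT
COMMIT"""
# The first post's idea: no state tracking, just "open the ports I use".
PORT_LIST = """*filter
:OUTPUT ACCEPT [0:0]
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
COMMIT"""
ME, WEB, RESOLVER, STRANGER = "10.0.0.5", "203.0.113.10", "192.0.2.53", "198.51.100.7"  # constructed

def http_reply(ruleset):
    """Verdict on the SYN/ACK a web server sends back to our ephemeral port."""
    fw = Filter(ruleset)
    fw.send(pkt("tcp", ME, 49152, WEB, 80, syn=True))
    return fw.verdict("INPUT", pkt("tcp", WEB, 80, ME, 49152))

def dns_reply(ruleset):
    """Verdict on a resolver's answer to a query sent from a random source port."""
    fw = Filter(ruleset)
    fw.send(pkt("udp", ME, 31337, RESOLVER, 53))
    return fw.verdict("INPUT", pkt("udp", RESOLVER, 53, ME, 31337))

def unsolicited(ruleset, dport):
    """Verdict on a SYN from the internet to a local port with no prior traffic."""
    return Filter(ruleset).verdict("INPUT", pkt("tcp", STRANGER, 40000, ME, dport, syn=True))
```

Running the scenarios against both rulesets gives the result the thread arrives at: with the port list, the web server's and the resolver's replies come back to an ephemeral port that no rule names and are dropped, while port 80 is open to anyone on the internet; with the stateful ruleset the replies are classified ESTABLISHED and accepted, and only port 22 accepts new connections from outside.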

#8 2008-09-27 15:55:25

Ramses de Norre
Member
From: Leuven - Belgium
Registered: 2007-03-27
Posts: 1,289

Re: iptables questions

Requests are _always_ on random, high-numbered ports... And why would you want to restrict the ports you can establish connections on? That would only limit the amount of connections you can make.


#9 2008-09-27 16:04:04

initbox
Member
Registered: 2008-09-27
Posts: 172

Re: iptables questions

Requests are _always_ on random, high-numbered ports... And why would you want to restrict the ports you can establish connections on? That would only limit the amount of connections you can make.

Heh, just so that I could indeed DROP packets that aren't coming to specific ports. But yeah, that wouldn't really be wise. The New/Established way is the way to go, since it doesn't have any drawback compared to the method I was thinking of, actually only benefits.


#10 2008-09-28 10:50:09

chochem
Member
From: Denmark
Registered: 2008-03-02
Posts: 176
Website

Re: iptables questions

initbox wrote:

Wireshark I've tried to use but it freezes when I start capturing, at least on Ubuntu/Debian. Even as root.

I have this issue too, if I start it with gksudo or gksu. Googling the issue I found a suggestion on ubuntuforums.org to run it using sudo in a terminal instead and for some strange reason it works that way.

sudo -b wireshark

Last edited by chochem (2008-09-28 10:52:36)
