-
Iptables firewall
I have my firewall working on everything (HTTP, POP, SMTP, PING, NNTP) but FTP
is a problem. It still is a work in progress.
I am getting failed packets when I try to establish ftp connections.
I think I need something special to allow ftp connections but I have not
figured out what. I know that ftp tries to establish communication using
ports 20 and 21.
I have loaded the ip_conntrack and ip_conntrack_ftp modules.
The log message is:
Jun 14 15:25:46 desktop IPT OUTPUT packet died: IN= OUT=wlan0 SRC=192.168.1.101 DST=208.113.193.9 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=14388 DF PROTO=TCP SPT=58851 DPT=40587 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 15:25:49 desktop IPT OUTPUT packet died: IN= OUT=wlan0 SRC=192.168.1.101 DST=208.113.193.9 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=14389 DF PROTO=TCP SPT=58851 DPT=40587 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 15:25:55 desktop IPT OUTPUT packet died: IN= OUT=wlan0 SRC=192.168.1.101 DST=208.113.193.9 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=14390 DF PROTO=TCP SPT=58851 DPT=40587 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 15:26:06 desktop IPT OUTPUT packet died: IN= OUT=wlan0 SRC=192.168.1.101 DST=208.113.193.9 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=18788 DF PROTO=TCP SPT=58853 DPT=40587 WINDOW=5840 RES=0x00 SYN URGP=0
Here are parts of my iptables script:
Init.
IPTABLES="/usr/sbin/iptables"
MODPROBE="/sbin/modprobe"
GREP="/bin/grep"
IFCONFIG="/sbin/ifconfig"
CUT="/bin/cut"
LAN_IP=`$IFCONFIG | $GREP "Bcast" | $CUT -d: -f2 | $CUT -d" " -f1`
LAN_IFACE=`$IFCONFIG | $GREP Ethernet | $CUT -f1 -d " "`
LAN_BROADCAST=`$IFCONFIG | $GREP "Bcast" | $CUT -d: -f3 | $CUT -d" " -f1`
LAN_IP_RANGE="192.168.0.0/16"
LO_IFACE="lo"
LO_IP="127.0.0.1"
Whips & Chains
# allowed chain
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# INPUT CHAIN
#
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Rules for special networks not part of the Internet
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
# Special rule for DHCP requests from LAN, which are not caught properly otherwise.
$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
# Rules for incoming packets from the internet.
$IPTABLES -A INPUT -p ALL -d $LAN_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
# TCP packets
$IPTABLES -A INPUT -p TCP -s 0/0 --dport 21 -j allowed
#$IPTABLES -A INPUT -p TCP -s 0/0 --dport 22 -j allowed
#$IPTABLES -A INPUT -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A INPUT -p TCP -s 0/0 --dport 113 -j allowed
# UDP
#$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 123 -j ACCEPT
#$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
#$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
# ICMP
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
# Log weird packets that don't match the above.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
$IPTABLES -A INPUT -j DROP
#
# OUTPUT chain
#
# Bad TCP packets we don't want.
$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
# Special OUTPUT rules to decide which IP's to allow.
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
#
# FIXME
#
$IPTABLES -A OUTPUT -p UDP -s $LAN_IP --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p TCP -s $LAN_IP --dport 20 -j allowed
$IPTABLES -A OUTPUT -p TCP -s $LAN_IP --dport 21 -j allowed
$IPTABLES -A OUTPUT -p TCP -s $LAN_IP --dport 53 -j allowed
$IPTABLES -A OUTPUT -p TCP -s $LAN_IP --dport 80 -j allowed
$IPTABLES -A OUTPUT -p TCP -s $LAN_IP --dport 110 -j allowed
$IPTABLES -A OUTPUT -p TCP -s $LAN_IP --sport 113 -j allowed
$IPTABLES -A OUTPUT -p TCP -s $LAN_IP --dport 119 -j allowed
#
# FIXME
#
#$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
# Log weird packets that don't match the above.
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
Thanks for your help
--
Tayo'y Mga Pinoy
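Reading the log entries in the post above: each one is an outbound TCP SYN from 192.168.1.101 to port 40587 on 208.113.193.9, presumably the FTP server, on the wlan0 interface. A new connection from the client to a server-chosen high port is exactly what a passive-mode (PASV) data channel looks like. The posted OUTPUT chain only hands destination ports 20, 21, 53, 80, 110 and 119 to the allowed chain, and its ESTABLISHED,RELATED rule sits inside allowed rather than in OUTPUT itself, so the data SYN reaches nothing but the LOG rule. The script below is an added example (not the poster's code) that parses the LOG line fields and applies that reasoning; the log line is copied from the post and the port list from the posted OUTPUT rules.

```shell
#!/bin/sh
# Added example, not from the thread: pull the fields out of an iptables LOG
# line and say why the posted OUTPUT chain had nothing to accept it with.

# Copied from the post above (first of the four identical entries).
LOG_LINE='Jun 14 15:25:46 desktop IPT OUTPUT packet died: IN= OUT=wlan0 SRC=192.168.1.101 DST=208.113.193.9 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=14388 DF PROTO=TCP SPT=58851 DPT=40587 WINDOW=5840 RES=0x00 SYN URGP=0'

# Destination ports the posted OUTPUT chain sends to the "allowed" chain.
ALLOWED_DPORTS="20 21 53 80 110 119"

# ipt_field LINE KEY -> value of KEY= in an iptables LOG line ("" if absent)
ipt_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# ipt_flag LINE FLAG -> success if the bare TCP flag word (SYN, ACK, ...) is present
ipt_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# port_allowed PORT -> success if PORT is in ALLOWED_DPORTS
port_allowed() {
    for p in $ALLOWED_DPORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# classify LINE -> one word saying why the posted chain logged this packet
classify() {
    proto=$(ipt_field "$1" PROTO)
    dpt=$(ipt_field "$1" DPT)
    if [ "$proto" != TCP ]; then
        echo "non-tcp"
    elif port_allowed "$dpt"; then
        # An explicit --dport rule exists for this port; the drop came from
        # somewhere else (the "allowed" chain, the bad-packet rules, ...).
        echo "port-listed"
    elif ipt_flag "$1" SYN && [ "$dpt" -gt 1023 ]; then
        # New outbound connection to an unprivileged port on the peer: the
        # shape of a passive-mode (PASV) FTP data channel. ip_conntrack_ftp
        # marks that SYN RELATED, but the posted OUTPUT chain never tests for
        # RELATED before the per-port rules, so it falls through to LOG.
        echo "new-high-port"
    else
        echo "other"
    fi
}

# Report on the sample line when run directly.
printf 'out=%s %s %s:%s verdict=%s\n' \
    "$(ipt_field "$LOG_LINE" OUT)" "$(ipt_field "$LOG_LINE" PROTO)" \
    "$(ipt_field "$LOG_LINE" DST)" "$(ipt_field "$LOG_LINE" DPT)" \
    "$(classify "$LOG_LINE")"
```

Run as-is it reports the sample line; to sort a day's worth of "packet died" entries, loop over the lines grepped from syslog and call classify on each, which separates packets that need a new rule (new-high-port) from packets an existing rule should already have handled (port-listed).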
-
Re: Iptables firewall
On Sat, 14 Jun 2008 15:49:16 -0400, Baho Utot wrote:
> I have my firewall working on everything (HTTP,POP,SMTP,PING,NNTP) but FTP
> is a problem. It still is a work in progress.
>
> I am getting failed packets when I try to establish ftp connections.
>
> I think I need something special to allow ftp connections but I have not
> figured out what. I know that ftp tries to establish communication using
> ports 20 and 21.
>
> I have loaded ip_conntrack and ip_conntrack_ftp modules
Try putting the firewall down and doing a packet capture as you ftp to
some place to see what is happening. There are two ways to ftp, using active
(PORT) or passive (PASV): one is the server connects back to you, the
passive one is you connect again to it. Probably you are using normal ftp
(PORT command) then refusing the incoming connection. You'd probably see
the same problems with P2P and other things that need to make an arbitrary
incoming connection. I don't think just loading the modules is enough. I'm
not sure how to do this totally myself, but it might involve using the
conntrack match (-m conntrack):
conntrack match v1.4.0-20080119 options:
[!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT][,...]
State(s) to match
[!] --ctproto proto Protocol to match; by number or name, eg. `tcp'
--ctorigsrc [!] address[/mask]
Original source specification
--ctorigdst [!] address[/mask]
Original destination specification
--ctreplsrc [!] address[/mask]
Reply source specification
--ctrepldst [!] address[/mask]
Reply destination specification
[!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED][,...]
Status(es) to match
[!] --ctexpire time[:time] Match remaining lifetime in seconds against
value or range of values (inclusive)
....but don't ask me which ctstatus or ctstate it is. Maybe EXPECTED? The
files in /proc/net might help. Watch them while you ftp and see what they
show, look in ip_conntrack, ip_conntrack_expect, nf_conntrack,
nf_conntrack_expect, and so on.
Anyway, I get around this by using a much less restrictive firewall:
just block known annoying/dangerous things and let the rest go thru. It's
Linux, after all ;)
--
[** America, the police state **]
Whoooose! What's that noise? Why, it's US citizen's
rights, going down the toilet with Bush flushing.
http://www.theregister.co.uk/2008/01/27/bush_nsa_internal/
http://www.wired.com/politics/security/news/2007/08/wiretap
http://www.hermes-press.com/police_state.htm
http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-559597
-
Re: Iptables firewall
jayjwa wrote:
[putolin]
>
> Anyway, I get around this by using a much less restrictive firewall:
> just block known annoying/dangerous things and let the rest go thru. It's
> Linux, after all ;)
>
Well yes, if I only block incoming, things work well. The problem is when I
block everything outbound and then open the individual outbound ports.
I'll probably just block incoming and not block any outgoing.
Thanks
--
Tayo'y Mga Pinoy
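Blocking everything outbound and opening individual ports can still be made to work with FTP; the missing piece is an OUTPUT rule that consults the connection tracker before the per-port list, so the data channel registered by ip_conntrack_ftp is accepted as RELATED whatever port it lands on. The script below is an added example, not the poster's script or anything from the thread. It reuses the variable names of the posted script, prints the commands by default (set IPTABLES and MODPROBE to the real binaries and run as root to apply them), and the LAN_IP default is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not the poster's script: an OUTPUT chain that keeps the
# "drop everything outbound except listed ports" policy but asks conntrack
# first, so the FTP data channel (RELATED) is admitted on any port.
# Dry run by default: the commands are printed, not executed. To apply:
#   IPTABLES=/usr/sbin/iptables MODPROBE=/sbin/modprobe LAN_IP=<addr> sh egress.sh
# ($IPTABLES is left unquoted on purpose so "echo iptables" splits into two words.)
IPTABLES="${IPTABLES:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
LAN_IP="${LAN_IP:-192.168.1.101}"   # constructed placeholder; the posted script reads it from ifconfig
LO_IP="127.0.0.1"

# TCP services this host may open on its own, taken from the posted script.
# Port 20 is deliberately absent: in active (PORT) mode the server connects
# to us from port 20, so our packets on that channel are ESTABLISHED, never NEW.
OUT_TCP_PORTS="21 53 80 110 119"

load_ftp_helper() {
    # The helper watches PORT/PASV on the control connection and registers an
    # expectation for the data connection. Kernels of the 2.6.2x era call it
    # ip_conntrack_ftp (as in the post); current kernels call it nf_conntrack_ftp.
    $MODPROBE ip_conntrack_ftp
}

output_chain() {
    $IPTABLES -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
    # Conntrack verdict before any port rule. ESTABLISHED accepts our packets
    # on connections already allowed; RELATED accepts the first packet of the
    # data connection the helper expected. In the posted script this test lived
    # only inside the "allowed" chain, reachable after a --dport match, so a
    # PASV data SYN to port 40587 never got there.
    # (-m conntrack --ctstate ESTABLISHED,RELATED is the equivalent newer match.)
    $IPTABLES -A OUTPUT -p ALL -s "$LAN_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only NEW connections need the per-port list now.
    for port in $OUT_TCP_PORTS; do
        $IPTABLES -A OUTPUT -p TCP -s "$LAN_IP" --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPTABLES -A OUTPUT -p UDP -s "$LAN_IP" --dport 53 -j ACCEPT
    # Anything else is logged at a rate limit and then dropped explicitly,
    # rather than relying on the chain policy being DROP.
    $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \
        -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
    $IPTABLES -A OUTPUT -j DROP
}

load_ftp_helper
output_chain
```

The order is the whole point: a state rule placed after the port rules would still let the data SYN fall through, because the per-port rules never match it and iptables stops at the first matching rule. The same ordering applies to the INPUT chain for active-mode transfers, where the posted script already has its ESTABLISHED,RELATED rule ahead of the port list.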
-
Re: Iptables firewall
Baho Utot wrote:
> jayjwa wrote:
>
> [putolin]
>
>> Anyway, I get around this by using a much less restrictive firewall:
>> just block known annoying/dangerous things and let the rest go thru. It's
>> Linux, after all ;)
>>
>
> Well yes, if I only block incoming things works well, The problem is when I
> block everything outbound and then open the individual outbound ports.
>
> I probably just block incoming and not block any outgoing.
>
> Thanks
>
>
Try generating a firewall here: http://easyfwgen.morizot.net/gen/
May not be what you want but should give you some idea how to.
-
Re: Iptables firewall
Chipmunk wrote:
> Baho Utot wrote:
>> jayjwa wrote:
>>
>> [putolin]
>>
>>> Anyway, I get around this by using a much less restrictive firewall:
>>> just block known annoying/dangerous things and let the rest go thru.
>>> It's Linux, after all ;)
>>>
>>
>> Well yes, if I only block incoming things works well, The problem is
>> when I block everything outbound and then open the individual outbound
>> ports.
>>
>> I probably just block incoming and not block any outgoing.
>>
>> Thanks
>>
>>
> Try generating a firewall here: http://easyfwgen.morizot.net/gen/
>
> May not be what you want but should give you some idea how to.
will do
thanks
--
Tayo'y Mga Pinoy