Iptables firewall - Security



Thread: Iptables firewall

  1. Iptables firewall

    I have my firewall working on everything (HTTP,POP,SMTP,PING,NNTP) but FTP
    is a problem. It still is a work in progress.

    I am getting failed packets when I try to establish ftp connections.

    I think I need something special to allow ftp connections but I have not
    figured out what. I know that ftp tries to establish communication using
    ports 20 and 21.

    I have loaded the ip_conntrack and ip_conntrack_ftp modules.

    The log message is:

    Jun 14 15:25:46 desktop IPT OUTPUT packet died: IN= OUT=wlan0
    SRC=192.168.1.101 DST=208.113.193.9 LEN=56 TOS=0x00 PREC=0x00 TTL=64
    ID=14388 DF PROTO=TCP SPT=58851 DPT=40587 WINDOW=5840 RES=0x00 SYN URGP=0

    Jun 14 15:25:49 desktop IPT OUTPUT packet died: IN= OUT=wlan0
    SRC=192.168.1.101 DST=208.113.193.9 LEN=56 TOS=0x00 PREC=0x00 TTL=64
    ID=14389 DF PROTO=TCP SPT=58851 DPT=40587 WINDOW=5840 RES=0x00 SYN URGP=0

    Jun 14 15:25:55 desktop IPT OUTPUT packet died: IN= OUT=wlan0
    SRC=192.168.1.101 DST=208.113.193.9 LEN=56 TOS=0x00 PREC=0x00 TTL=64
    ID=14390 DF PROTO=TCP SPT=58851 DPT=40587 WINDOW=5840 RES=0x00 SYN URGP=0

    Jun 14 15:26:06 desktop IPT OUTPUT packet died: IN= OUT=wlan0
    SRC=192.168.1.101 DST=208.113.193.9 LEN=56 TOS=0x00 PREC=0x00 TTL=64
    ID=18788 DF PROTO=TCP SPT=58853 DPT=40587 WINDOW=5840 RES=0x00 SYN URGP=0


    Here are the relevant parts of my iptables script:

    Init.

    IPTABLES="/usr/sbin/iptables"
    MODPROBE="/sbin/modprobe"
    GREP="/bin/grep"
    IFCONFIG="/sbin/ifconfig"
    CUT="/bin/cut"

    LAN_IP=`$IFCONFIG | $GREP "Bcast" | $CUT -d: -f2 | $CUT -d" " -f1`
    LAN_IFACE=`$IFCONFIG | $GREP Ethernet | $CUT -f1 -d " "`
    LAN_BROADCAST=`$IFCONFIG | $GREP "Bcast" | $CUT -d: -f3 | $CUT -d" " -f1`
    LAN_IP_RANGE="192.168.0.0/16"
    LO_IFACE="lo"
    LO_IP="127.0.0.1"

    Whips & Chains

    # allowed chain
    #
    $IPTABLES -A allowed -p TCP --syn -j ACCEPT
    $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A allowed -p TCP -j DROP
    #
    # INPUT CHAIN
    #
    $IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # Rules for special networks not part of the Internet
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
    # Special rule for DHCP requests from LAN, which are not caught properly otherwise.
    $IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
    # Rules for incoming packets from the internet.
    $IPTABLES -A INPUT -p ALL -d $LAN_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
    # TCP packets
    $IPTABLES -A INPUT -p TCP -s 0/0 --dport 21 -j allowed
    #$IPTABLES -A INPUT -p TCP -s 0/0 --dport 22 -j allowed
    #$IPTABLES -A INPUT -p TCP -s 0/0 --dport 80 -j allowed
    $IPTABLES -A INPUT -p TCP -s 0/0 --dport 113 -j allowed
    # UDP
    #$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 53 -j ACCEPT
    #$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 123 -j ACCEPT
    #$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
    #$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
    # ICMP
    $IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
    $IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
    #
    # If you have a Microsoft Network on the outside of your firewall, you may
    # also get flooded by Multicasts. We drop them so we do not get flooded by
    # logs
    #
    #$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
    # Log weird packets that don't match the above.
    $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
    $IPTABLES -A INPUT -j DROP

    #
    # OUTPUT chain
    #
    # Bad TCP packets we don't want.
    $IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
    $IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
    $IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
    # Special OUTPUT rules to decide which IP's to allow.
    $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
    #
    # FIXME
    #
    $IPTABLES -A OUTPUT -p UDP -s $LAN_IP --dport 53 -j ACCEPT
    $IPTABLES -A OUTPUT -p TCP -s $LAN_IP --dport 20 -j allowed
    $IPTABLES -A OUTPUT -p TCP -s $LAN_IP --dport 21 -j allowed
    $IPTABLES -A OUTPUT -p TCP -s $LAN_IP --dport 53 -j allowed
    $IPTABLES -A OUTPUT -p TCP -s $LAN_IP --dport 80 -j allowed
    $IPTABLES -A OUTPUT -p TCP -s $LAN_IP --dport 110 -j allowed
    $IPTABLES -A OUTPUT -p TCP -s $LAN_IP --sport 113 -j allowed
    $IPTABLES -A OUTPUT -p TCP -s $LAN_IP --dport 119 -j allowed
    #
    # FIXME
    #
    #$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
    # Log weird packets that don't match the above.
    $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "


    Thanks for your help

    --
    Tayo'y Mga Pinoy
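The posted log lines carry everything needed to see which rule is missing: the prefix names the chain, `OUT=wlan0` with `IN=` empty means the host itself sent the packet, and the bare `SYN` word without `ACK` marks a new connection attempt. The following triage script is an added example, not part of the thread or the poster's firewall: it parses LOG lines of exactly that shape and labels each dropped packet. The first sample line is copied from the post; the second (an inbound SYN from source port 20) is constructed to show what the active-mode data channel would look like if it were the one being dropped.

```shell
#!/bin/sh
# Added example (not from the thread): triage iptables LOG lines of the form
#   <date> <host> IPT <CHAIN> packet died: KEY=VALUE ... SYN ...
# LOG writes KEY=VALUE fields plus bare flag words (SYN, ACK, DF, ...).

# field LINE KEY -> value of "KEY=..." in LINE, or empty if absent
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# has_flag LINE WORD -> success if the bare flag word is present
has_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# classify_line LINE -> "<verdict> <peer-ip> <port>" on stdout
classify_line() {
    line=$1
    chain=$(printf '%s\n' "$line" | sed -n 's/.*IPT \([A-Z]*\) packet died.*/\1/p')
    proto=$(field "$line" PROTO)
    src=$(field "$line" SRC)
    dst=$(field "$line" DST)
    spt=$(field "$line" SPT)
    dpt=$(field "$line" DPT)
    dpt=${dpt:-0}

    if [ "$proto" != TCP ]; then
        echo "not-tcp $dst $dpt"
        return 0
    fi
    if ! has_flag "$line" SYN || has_flag "$line" ACK; then
        echo "$chain-not-new-syn $dst $dpt"
        return 0
    fi
    case $chain in
    OUTPUT)
        # This host opened a new connection and no OUTPUT rule matched it.
        # A high destination port on the FTP server right after a port-21
        # session is what a PASV data channel looks like from the client.
        if [ "$dpt" -ge 1024 ]; then
            echo "outbound-new-syn-highport $dst $dpt"
        else
            echo "outbound-new-syn-service $dst $dpt"
        fi ;;
    INPUT)
        # A peer opened a connection to us. Source port 20 toward a high port
        # on our side is the server-initiated data channel of active (PORT) mode.
        if [ "$spt" = 20 ] && [ "$dpt" -ge 1024 ]; then
            echo "inbound-active-ftp-data $src $dpt"
        else
            echo "inbound-new-syn $src $dpt"
        fi ;;
    *)
        echo "unknown-chain $dst $dpt" ;;
    esac
}

# explain VERDICT -> one line of guidance for the verdict class
explain() {
    case $1 in
    outbound-new-syn-highport)
        echo "no --dport rule can match an arbitrary port; accept ESTABLISHED,RELATED in OUTPUT so the ftp helper's expectation is honoured" ;;
    inbound-active-ftp-data)
        echo "accept ESTABLISHED,RELATED in INPUT and make sure ip_conntrack_ftp saw the PORT command on the control channel" ;;
    outbound-new-syn-service)
        echo "add an explicit --dport rule for this service if it is wanted" ;;
    *)
        echo "packet reached the final LOG rule; check rule order and state matches" ;;
    esac
}

# Sample input: line 1 copied from the post, line 2 constructed for this example.
SAMPLE_LOG='Jun 14 15:25:46 desktop IPT OUTPUT packet died: IN= OUT=wlan0 SRC=192.168.1.101 DST=208.113.193.9 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=14388 DF PROTO=TCP SPT=58851 DPT=40587 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 15:30:02 desktop IPT INPUT packet died: IN=wlan0 OUT= SRC=208.113.193.9 DST=192.168.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2001 DF PROTO=TCP SPT=20 DPT=49152 WINDOW=5840 RES=0x00 SYN URGP=0'

# triage_log: read LOG lines on stdin, print verdict and guidance for each
triage_log() {
    while IFS= read -r l; do
        v=$(classify_line "$l")
        printf '%s\n  -> %s\n' "$v" "$(explain "${v%% *}")"
    done
}

printf '%s\n' "$SAMPLE_LOG" | triage_log
```

Run it as `grep 'packet died' /var/log/messages | sh -c '. ./triage.sh; triage_log'` (or pipe the log into `triage_log` after sourcing the file) to classify a whole log. For the posted line it reports an outbound SYN from the client to 208.113.193.9:40587, which is the client opening the data channel itself; that is the passive-mode pattern, and it explains why a script that only opens ports 20 and 21 outbound drops it.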

  2. Re: Iptables firewall

    On Sat, 14 Jun 2008 15:49:16 -0400, Baho Utot wrote:

    > I have my firewall working on everything (HTTP,POP,SMTP,PING,NNTP) but FTP
    > is a problem. It still is a work in progress.
    >
    > I am getting failed packets when I try to establish ftp connections.
    >
    > I think I need something special to allow ftp connections but I have not
    > figured out what. I know that ftp tries to establish communication using
    > ports 20 and 21.
    >
    > I have loaded ip_conntrack and ip_conntrack_ftp modules


    Try putting the firewall down and doing a packet capture as you ftp to
    some place to see what is happening. There are two ways to ftp, using active
    (PORT) or passive (PASV): one is the server connects back to you, the
    passive one is you connect again to it. Probably you are using normal ftp
    (PORT command) then refusing the incoming connection. You'd probably see
    the same problems with P2P and other things that need to make an arbitrary
    incoming connection. I don't think just loading the modules is enough. I'm
    not sure how to do this totally myself, but it might involve using the
    conntrack match (-m conntrack):

    conntrack match v1.4.0-20080119 options:
    [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT][,...]
    State(s) to match
    [!] --ctproto proto Protocol to match; by number or name, eg. `tcp'
    --ctorigsrc [!] address[/mask]
    Original source specification
    --ctorigdst [!] address[/mask]
    Original destination specification
    --ctreplsrc [!] address[/mask]
    Reply source specification
    --ctrepldst [!] address[/mask]
    Reply destination specification
    [!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED][,...]
    Status(es) to match
    [!] --ctexpire time[:time] Match remaining lifetime in seconds against
    value or range of values (inclusive)


    ...but don't ask me which ctstatus or ctstate it is. Maybe EXPECTED? The
    files in /proc/net might help. Watch them while you ftp and see what they
    show, look in ip_conntrack, ip_conntrack_expect, nf_conntrack,
    nf_conntrack_expect, and so on.

    Anyway, I get around this by using a much less restrictive firewall:
    just block known annoying/dangerous things and let the rest go thru. It's
    Linux, after all

    --
    [** America, the police state **]
    Whoooose! What's that noise? Why, it's US citizen's
    rights, going down the toilet with Bush flushing.
    http://www.theregister.co.uk/2008/01..._nsa_internal/
    http://www.wired.com/politics/securi...007/08/wiretap
    http://www.hermes-press.com/police_state.htm
    http://www.privacyinternational.org/...D=x-347-559597
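The reply above is right that loading the module alone is not enough, and the matching keyword it is looking for is the plain RELATED state: the ftp conntrack helper reads the PORT or PASV exchange on the tracked port-21 connection and registers an expectation, so the first SYN of the data channel is classified RELATED, not NEW. The posted script accepts ESTABLISHED,RELATED in INPUT (which covers active mode) but in OUTPUT only inside the "allowed" chain, which is reached through explicit --dport rules, so a passive-mode SYN to an arbitrary port such as 40587 never gets there. The script below is an added example, not code from the thread: it generates the posted OUTPUT rules and a corrected set side by side, with a dry-run switch (IPTABLES=echo MODPROBE=:) so the rules can be inspected without touching the kernel. The client address 192.168.1.101 is taken from the posted log; the legacy ip_conntrack_ftp module name is the one the poster loaded.

```shell
#!/bin/sh
# Added example (not from the thread): FTP-aware rules for a client whose
# OUTPUT chain denies by default, next to the rules the post already has.
# Assumptions: LAN_IP is the client (192.168.1.101 in the posted log), the
# ip_conntrack_ftp helper is loaded, and the control channel is plain FTP,
# because the helper has to read the PORT/PASV commands to set its expectation.
# Dry run: IPTABLES=echo MODPROBE=: sh thisfile.sh

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
LAN_IP="${LAN_IP:-192.168.1.101}"

# What the posted script does for FTP, trimmed to the rules that matter:
# explicit --dport 20/21 rules hand the control connection to "allowed";
# no OUTPUT rule accepts RELATED traffic directly, so the PASV data SYN
# falls through to the LOG rule ("IPT OUTPUT packet died").
ftp_rules_as_posted() {
    $IPTABLES -A OUTPUT -p TCP -s "$LAN_IP" --dport 20 -j allowed
    $IPTABLES -A OUTPUT -p TCP -s "$LAN_IP" --dport 21 -j allowed
    $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
}

# Corrected: the helper marks the data channel RELATED to the control
# connection. Its first SYN is seen by OUTPUT in PASV mode (client connects
# out to the server's advertised high port, DPT=40587 in the log) and by
# INPUT in PORT mode (server connects in from port 20). Accepting RELATED in
# both chains admits exactly the expected data channel, with no port range
# opened.
ftp_rules_fixed() {
    $MODPROBE ip_conntrack_ftp
    $IPTABLES -A OUTPUT -p tcp -s "$LAN_IP" --dport 21 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -s "$LAN_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -d "$LAN_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
}

# related_rules CHAIN: count generated rules on stdin that accept RELATED
# traffic in CHAIN (0 means the data channel of that direction will be dropped)
related_rules() {
    grep -c -- "-A $1 .*RELATED.*-j ACCEPT" || true
}

# Print both variants in dry-run mode so they can be compared.
echo "# as posted:"
IPTABLES=echo MODPROBE=: ftp_rules_as_posted
echo "# fixed:"
IPTABLES=echo MODPROBE=: ftp_rules_fixed
```

Two caveats apply beyond the posted setup. The helper can only do this for a cleartext control channel; with FTP over TLS the PASV reply is encrypted and no expectation is created. And on current kernels the module is nf_conntrack_ftp and helpers are no longer attached to connections automatically, so the control connection has to be tagged explicitly in the raw table, for example with `iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp`, before the RELATED match will fire. Watching /proc/net/nf_conntrack_expect (or ip_conntrack_expect on the older stack) during a transfer, as the reply suggests, shows whether an expectation was actually registered.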


  3. Re: Iptables firewall

    jayjwa wrote:

    [putolin]

    >
    > Anyway, I get around this by using a much less restrictive firewall:
    > just block known annoying/dangerous things and let the rest go thru. It's
    > Linux, after all
    >


    Well yes, if I only block incoming, things work well. The problem is when I
    block everything outbound and then open the individual outbound ports.

    I probably just block incoming and not block any outgoing.

    Thanks


    --
    Tayo'y Mga Pinoy

  4. Re: Iptables firewall

    Baho Utot wrote:
    > jayjwa wrote:
    >
    > [putolin]
    >
    >> Anyway, I get around this by using a much less restrictive firewall:
    >> just block known annoying/dangerous things and let the rest go thru. It's
    >> Linux, after all
    >>

    >
    > Well yes, if I only block incoming things works well, The problem is when I
    > block everything outbound and then open the individual outbound ports.
    >
    > I probably just block incoming and not block any outgoing.
    >
    > Thanks
    >
    >

    Try generating a firewall here: http://easyfwgen.morizot.net/gen/

    May not be what you want but should give you some idea how to.

  5. Re: Iptables firewall

    Chipmunk wrote:

    > Baho Utot wrote:
    >> jayjwa wrote:
    >>
    >> [putolin]
    >>
    >>> Anyway, I get around this by using a much less restrictive firewall:
    >>> just block known annoying/dangerous things and let the rest go thru.
    >>> It's Linux, after all
    >>>

    >>
    >> Well yes, if I only block incoming things works well, The problem is
    >> when I block everything outbound and then open the individual outbound
    >> ports.
    >>
    >> I probably just block incoming and not block any outgoing.
    >>
    >> Thanks
    >>
    >>

    > Try generating a firewall here: http://easyfwgen.morizot.net/gen/
    >
    > May not be what you want but should give you some idea how to.


    will do
    thanks

    --
    Tayo'y Mga Pinoy
