IP Tables not allowing ports

Hi guys, I'm trying to configure iptables to only allow certain ports access.
I set the first set of rules to block everything and then subsequently open ports as needed, but everything still seems to be blocked.

I have read that the order matters (I'm new to iptables); perhaps this is the issue. Google has not been very helpful.

What am I doing wrong here?

EDIT: OS is Debian, browser is Iceweasel, if that's relevant.

#!/bin/bash

#Drop all
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Outbound
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 7465 -j ACCEPT

#Inbound
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7465 -j ACCEPT

#Forwarded
iptables -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 7465 -j ACCEPT

Think of the direction of the packet in the INPUT section. dport describes what?
Say your client software grabs a random local port, 68123, and starts the TCP handshake with an SSH service on 22 elsewhere. The reply comes back to you on 68123 and is ... DROP.

Generally the first rule looks like this:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

And that should fix it.

Solved: the rules below work just fine.
Some sites were using other ports such as 8443 as an https alternative and 587 (submission) in the same role.

#Drop all
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Accept packets that belong to a connection conntrack already knows about
#(replies to flows this host started) before any per-port rule is consulted
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


#Inbound
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7465 -j ACCEPT

#Outbound
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 7465 -j ACCEPT

#Forwarded
iptables -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 7465 -j ACCEPT

Are you running services you want to allow access to, or are all these ports for outgoing traffic? Is this a server or desktop or router?

This would allow OUTGOING web traffic:

iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

Ah, I see you edited it. I'm guessing your individual INPUT rules are mostly useless, and you'd see 0 under them in iptables -L -v -n, since your OUTPUT allows the connection request and the "-m state" rule does the rest.

This is just for my laptop, but it is something I'd like to implement on my desktop too at some point; just testing it here.
Is the 'FORWARDED' flag more for use with routers?

What I'm looking to do is drop all traffic and then only allow IN/OUT certain ports and services as I need them.

The problem I had before was that websites I was connecting to had the default ports changed, i.e. 587, for example, rather than 80.

I want the rules to block anything coming in that hasn't already been established by me initiating a connection.

Example:
I initiate a connection to a webserver on local 80.
Webserver responds on 587 and the connection is allowed because I initiated it in the first place.
Ideally to happen without explicitly specifying each and every port/service individually.
If being explicit is the best or safest way, so be it, just want to get it done effectively.

Would it be best to only have

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Rather than the same for

INPUT,OUTPUT,FORWARD

?

If that is the case, what should it look like, based on my previous posts?

Much appreciate your help by the way buddy, sorry if I'm a little slow on the uptake!

Basically you want to deny incoming packets that you didn't initiate? This is usually done in the router, but there are so many tutorials and howtos.

Having just that rule and a default policy of ALLOW on OUTPUT should do it though.

And yes, FORWARD should only matter if you're routing packets. It's likely not even enabled (it's a separate sysctl option)
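As an added example, not posted by anyone in this thread, here is the design the replies converge on (reply about ephemeral-port replies being dropped, and the "deny what you didn't initiate" summary above) written as a shell function that emits an iptables-restore file, plus a check that the ESTABLISHED,RELATED rule precedes every --dport rule in a chain, since that ordering is the whole fix. The port lists, the loopback and DNS rules, the INVALID drop, the rate-limited LOG rules, and the choice of -m conntrack over the older -m state are my assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a stateful laptop ruleset in
# iptables-restore format and checks rule ordering in an iptables-save dump.
# Port lists, loopback/DNS/INVALID/LOG rules and -m conntrack are assumptions.

# gen_ruleset IN_PORTS OUT_PORTS -> prints an iptables-restore file.
gen_ruleset() {
    in_ports=$1    # space separated TCP ports to accept unsolicited inbound
    out_ports=$2   # space separated TCP ports this host may initiate to
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # Loopback must be open or local services (resolvers, X, etc.) break.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # Stateful rules go first: replies to flows we initiated come back to an
    # ephemeral port, so no --dport rule would ever match them.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets that belong to no tracked flow and are not a new connection
    # (stray ACKs, malformed segments) never reach the port rules.
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in $in_ports; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # DNS is an assumption: browsing needs it and the thread never mentions it.
    echo '-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT'
    for p in $out_ports; do
        echo "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what the DROP policy is about to eat, rate limited, so "everything
    # is blocked" can be diagnosed from the kernel log instead of guessed at.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "'
    echo '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "'
    echo 'COMMIT'
}

# check_order CHAIN < dump -> exit 0 if the ESTABLISHED,RELATED rule precedes
# every --dport rule in CHAIN, exit 1 otherwise. Reads iptables-save output,
# so it accepts both "-m state --state" and "-m conntrack --ctstate" rules.
check_order() {
    chain=$1
    awk -v chain="$chain" '
        $1 == "-A" && $2 == chain {
            if ($0 ~ /ESTABLISHED,RELATED/) { state_seen = 1 } else if ($0 ~ /--dport/ && !state_seen) { bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Running the file directly prints the ruleset for review. To apply (as root):
#   gen_ruleset "22" "80 443 22 7465" | iptables-restore --test   # parse only
#   gen_ruleset "22" "80 443 22 7465" | iptables-restore          # commit
#   iptables-save | check_order INPUT && echo "INPUT order ok"
gen_ruleset "22" "80 443 22 7465"
```

Note that FORWARD gets no rules at all: with the DROP policy and ip_forward left off this laptop routes nothing, which matches the reply above. Adding 8080, 8443 or 587 later is a matter of extending the OUT_PORTS argument, not of adding matching INPUT rules, because the replies are covered by the conntrack rule.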

Yeah that is basically what I want to do.
Thanks for the help.