Re: iptables udp and output
From: NeoSadist (neosad1st_at_charter.net)
Date: Wed, 14 Jan 2004 07:21:33 -0700
>> Don't you mean:
>> iptables -A INPUT -p tcp --sport 137:139 -j DROP
>> iptables -A INPUT -p udp --sport 137:139 -j DROP
> yes, thanx !
> I post my script here for comments and remarks before testing it tonight :
Forget "make install"?
> # Modules to load
> $INSMOD ip_tables
> $INSMOD ip_conntrack
> $INSMOD ip_conntrack_ftp
> $INSMOD ipt_state
> $INSMOD iptable_nat
> $INSMOD ipt_MASQUERADE
Not necessary: your machine will load the modules it needs as it needs them.
> $IPTABLES -F
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -F -t mangle
> $IPTABLES -F -t nat
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> #$IPTABLES -P FORWARD ACCEPT
No, it should be drop forwarded unless you need to forward packets, and even
then the policy should always be DROP or REJECT unless you have other
> # INPUT RULES
> $IPTABLES -A INPUT -o lo -j ACCEPT
Uh, actually this is better:
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
> # Drop ALL attempted port scans
> $IPTABLES -A INPUT -m psd -j DROP
Try this one too:
$IPTABLES -A INPUT -f -j DROP
Most vulnerabilities for windows machines are based on packet fragmentation
reassembly, and by just dropping all fragmented packets, it helps a lot.
I've dropped fragmented packets since 2000 with NPF, then with IPTables.
> # ping falls dead
> $IPTABLES -A INPUT -p icmp -j DROP
Why? Ping can be a nice tool to help troubleshoot the network with. You
can just limit it if you're scared:
$IPTABLES -A INPUT -p icmp -m limit --limit 3/minute -j ACCEPT
Even then, you're dropping ALL icmp, and there are other things your network
needs from ICMP. A better way to do it would be to include it in your
$IPTABLES -A INPUT -p icmp -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED \
Also, you could just add a blanket statement to drop all invalid state
$IPTABLES -A INPUT -i eth0 -m state --state INVALID -j DROP
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
What? No -p ! icmp ?
You should exclude icmp from that part, because icmp functions differently.
> $IPTABLES -A INPUT -p tcp --match multiport --sports $INTERNET_SERVICES
> -j ACCEPT
> $IPTABLES -A INPUT -p tcp --match multiport --dports $LOCAL_SERVICES -j
The state machine should work well enough for that, but if you insist...
If those are incoming connection requests, you could specify that they're
SYN packets by adding --syn after -p tcp:
$IPTABLES -A INPUT -p tcp --syn -m multiport --sports ...
> # Stop W2K Chatter
> $IPTABLES -A INPUT -p tcp --sport 137:139 -j DROP
> $IPTABLES -A INPUT -p udp --sport 137:139 -j DROP
Should not be necessary: if you have no incoming state NEW and no incoming
ports 137:139 specified, these should get dropped. However, you can
manually drop them ...
I'd recommend dropping 135:139 and 445 for Netbios... Win2000/xp use port
445 more often ...
> #Allow incoming DNS traffic
> $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
DNS traffic is UDP. To prevent DNS spoofing/poisoning, you can specify
where the DNS should come from (since you should only communicate DNS with
the DNS servers your ISP uses):
$IPTABLES -A INPUT -p udp -s 220.127.116.11 --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d 18.104.22.168 --dport 53 -j ACCEPT
BTW: for non-loopback stuff, you can be more specific on ALL rules by adding
"-i eth0" for INPUT and "-o eth0" for output.
Also, when specifying ports, remember it's source port (--sport) for INPUT
and destination port (--dport) for OUTPUT.
I suggest you download and install ethereal, and watch your network and see
how it acts.
> #Allow incoming NMBD/SMB traffic
> $IPTABLES -A INPUT -p udp --dport 137 -i eth0 -j ACCEPT
> $IPTABLES -A INPUT -p udp --dport 138 -i eth0 -j ACCEPT
Uh, wait. You just shut off all that traffic above, and now you're
accepting it? Dude, get a clue.
> # OUTPUT RULES
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
This should be up with the loopback input rule.
> $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
No, you can safely use --state NEW,ESTABLISHED,RELATED here, just specify
that the output interface is "-o eth0"
> $IPTABLES -A OUTPUT -m state --state NEW -m owner --uid-owner charly -j
What if root wants to ping the network while troubleshooting? What about
things that run suid root? I think that, if it's a single user machine,
specifying the owner is pointless.
> # No ping answer allowed
> $IPTABLES -A OUTPUT -p icmp -j DROP
Again, I don't see why you limit ping by blocking all icmp. If you want to
enable/disable ping, You can enable the good types (0 for request and 8 for
reply) and disable the bad types if you'd like, but other types are needed
for normal networking (i.e. networking by the rules in the RFC/IEEE
standard), such as type 3 "destination unreachable".
Go to www.netfilter.org and go to the iptables tutorial -- read and learn.
-- Living in LA is like not having a date on Saturday night. -- Candice Bergen