Re: iptables udp and output

From: NeoSadist (neosad1st_at_charter.net)
Date: 01/14/04


Date: Wed, 14 Jan 2004 07:21:33 -0700

charly wrote:

>> Don't you mean:
>> iptables -A INPUT -p tcp --sport 137:139 -j DROP
>> iptables -A INPUT -p udp --sport 137:139 -j DROP
> yes, thanx !
>
> I post my script here for comments and remarks before testing it tonight :
> IPTABLES="/usr/local/iptables-1.2.9/iptables"

Forget "make install"?

> INSMOD="/sbin/insmod"
> INTERNET_SERVICES="25,110,119"
> LOCAL_SERVICES="20,21,22"
>
> # Modules to load
> $INSMOD ip_tables
> $INSMOD ip_conntrack
> $INSMOD ip_conntrack_ftp
> $INSMOD ipt_state
> $INSMOD iptable_nat
> $INSMOD ipt_MASQUERADE

Not necessary: your machine will load the modules it needs as it needs them.

>
>
> $IPTABLES -F
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -F -t mangle
> $IPTABLES -F -t nat

Not necessary:
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z

>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> #$IPTABLES -P FORWARD ACCEPT

No, it should be DROP for forwarded packets unless you need to forward, and
even then the policy should always be DROP or REJECT unless you have other
needs.

>
>
> #-----------------------------
> # INPUT RULES
> #-----------------------------
> $IPTABLES -A INPUT -o lo -j ACCEPT

Uh, actually this is better:
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

>
> # Drop ALL attempted port scans
> $IPTABLES -A INPUT -m psd -j DROP

Good idea.
Try this one too:
$IPTABLES -A INPUT -f -j DROP

Most vulnerabilities for windows machines are based on packet fragmentation
reassembly, and by just dropping all fragmented packets, it helps a lot.
I've dropped fragmented packets since 2000 with NPF, then with IPTables.

>
> # ping falls dead
> $IPTABLES -A INPUT -p icmp -j DROP

Why? Ping can be a nice tool to help troubleshoot the network with. You
can just limit it if you're scared:
$IPTABLES -A INPUT -p icmp -m limit --limit 3/minute -j ACCEPT

Even then, you're dropping ALL icmp, and there are other things your network
needs from ICMP. A better way to do it would be to include it in your
state machine:
$IPTABLES -A INPUT -p icmp -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED \
-j ACCEPT

Also, you could just add a blanket statement to drop all invalid state
packets:
$IPTABLES -A INPUT -i eth0 -m state --state INVALID -j DROP

>
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

What? No -p ! icmp ?
You should exclude icmp from that part, because icmp functions differently.

> $IPTABLES -A INPUT -p tcp --match multiport --sports $INTERNET_SERVICES -j ACCEPT
> $IPTABLES -A INPUT -p tcp --match multiport --dports $LOCAL_SERVICES -j ACCEPT

The state machine should work well enough for that, but if you insist...
If those are incoming connection requests, you could specify that they're
SYN packets by adding --syn after -p tcp:
$IPTABLES -A INPUT -p tcp --syn -m multiport --sports ...

>
> # Stop W2K Chatter
> $IPTABLES -A INPUT -p tcp --sport 137:139 -j DROP
> $IPTABLES -A INPUT -p udp --sport 137:139 -j DROP

Should not be necessary: if you have no incoming state NEW and no incoming
ports 137:139 specified, these should get dropped. However, you can
manually drop them ...
I'd recommend dropping 135:139 and 445 for Netbios... Win2000/xp use port
445 more often ...

>
> #Allow incoming DNS traffic
> $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT

DNS traffic is UDP. To prevent DNS spoofing/poisoning, you can specify
where the DNS should come from (since you should only communicate DNS with
the DNS servers your ISP uses):

$IPTABLES -A INPUT -p udp -s 24.240.225.10 --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d 24.240.225.10 --dport 53 -j ACCEPT

BTW: for non-loopback stuff, you can be more specific on ALL rules by adding
"-i eth0" for INPUT and "-o eth0" for output.
Also, when specifying ports, remember it's source port (--sport) for INPUT
and destination port (--dport) for OUTPUT.
I suggest you download and install ethereal, and watch your network and see
how it acts.

>
> #Allow incoming NMBD/SMB traffic
> $IPTABLES -A INPUT -p udp --dport 137 -i eth0 -j ACCEPT
> $IPTABLES -A INPUT -p udp --dport 138 -i eth0 -j ACCEPT

Uh, wait. You just shut off all that traffic above, and now you're
accepting it? Dude, get a clue.

>
>
> #-----------------------------
> # OUTPUT RULES
> #-----------------------------
> $IPTABLES -A OUTPUT -o lo -j ACCEPT

This should be up with the loopback input rule.

> $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

No, you can safely use --state NEW,ESTABLISHED,RELATED here, just specify
that the output interface is "-o eth0".

> $IPTABLES -A OUTPUT -m state --state NEW -m owner --uid-owner charly -j ACCEPT

What if root wants to ping the network while troubleshooting? What about
things that run suid root? I think that, if it's a single user machine,
specifying the owner is pointless.

>
> # No ping answer allowed
> $IPTABLES -A OUTPUT -p icmp -j DROP

Again, I don't see why you limit ping by blocking all icmp. If you want to
enable/disable ping, you can enable the good types (0 for request and 8 for
reply) and disable the bad types if you'd like, but other types are needed
for normal networking (i.e. networking by the rules in the RFC/IEEE
standard), such as type 3 "destination unreachable".
Go to www.netfilter.org and go to the iptables tutorial -- read and learn.

-- 
Living in LA is like not having a date on Saturday night.
                -- Candice Bergen
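The ruleset that the reply's suggestions add up to, written out as an added example (not code from either poster): it assumes eth0 is the outside interface, uses a placeholder address where the reply names an ISP resolver, keeps charly's LOCAL_SERVICES, leaves out the psd match (a patch-o-matic extension, not stock iptables), and writes the reply's "-p ! icmp" in the current "! -p icmp" form.

```shell
#!/bin/sh
# Single-host ruleset assembled from the reply's suggestions (added example,
# not either poster's code). Assumptions: eth0 is the outside interface and
# DNS_SERVER is a placeholder for the ISP resolver named in the reply.
WAN="${WAN:-eth0}"
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"
LOCAL_SERVICES="${LOCAL_SERVICES:-20,21,22}"   # charly's list

# rules prints one command per line so the set can be reviewed or tested
# without root; apply_rules feeds the same lines to a shell.
rules() {
    cat <<EOF
# flush, delete user chains, zero counters, then default-deny every chain
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# loopback: INPUT matches on -i, OUTPUT on -o
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# fragments and invalid-state packets are dropped before anything is accepted
iptables -A INPUT -i $WAN -f -j DROP
iptables -A INPUT -i $WAN -m state --state INVALID -j DROP
# NetBIOS/SMB: already denied by policy, dropped explicitly as the reply suggests
iptables -A INPUT -i $WAN -p tcp -m multiport --dports 135:139,445 -j DROP
iptables -A INPUT -i $WAN -p udp -m multiport --dports 135:139,445 -j DROP
# icmp gets its own state rule; every other protocol shares one
iptables -A INPUT -i $WAN -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN ! -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS only to/from the resolver; local services only as new SYN requests
iptables -A INPUT -i $WAN -p udp -s $DNS_SERVER --sport 53 -j ACCEPT
iptables -A INPUT -i $WAN -p tcp --syn -m multiport --dports $LOCAL_SERVICES -j ACCEPT
iptables -A OUTPUT -o $WAN -p udp -d $DNS_SERVER --dport 53 -j ACCEPT
# outbound: whatever this host initiates over the outside interface
iptables -A OUTPUT -o $WAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

apply_rules() { rules | sh -e; }
count_rules() { rules | grep -v '^#' | grep -c -- "$1"; }   # rule lines matching $1

case "${1:-}" in apply) apply_rules ;; *) rules ;; esac   # default is a dry run
```

Run it with no argument to print the rules for review; run it as root with `apply` to load them.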

