networking – Implement Explicit Allow Policy in iptables


I am attempting to set up an Explicit Allow policy on my 20.04 Ubuntu web server by running the following:

iptables -P INPUT DROP

I also added rules for ssh, http and https, resulting in the following rule set:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Everything works as expected. However, when attempting to install certbot via snap or clone a GitHub repo, the connections are blocked. I verified this by temporarily allowing all INPUT:

iptables -P INPUT DROP

My question is, how do I go about determining what INPUT rules to create to support those actions? Or any other actions in the future?

I recognize I likely need the port number, but I am just unsure how to determine what that is. Or is it as simple as allowing all INPUT from that source (i.e., https://api.snapcract.io, https://github.com)?

Thanks in advance for your help.

Best Answer

You need to allow for packets that are in response to any outgoing session started by you. This rule is needed:

sudo iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

Where: $EXTIF is your interface name; $UNIVERSE is 0.0.0.0/0 (or just leave it out); $EXTIP is your IP address (which you could leave out also).

To help determine what additional INPUT rules might be needed for proper operation of your server add a logging rule as your last INPUT chain rule before control passes through to your default DROP policy.

sudo iptables -A INPUT -j LOG --log-prefix "INPUT DROP:" --log-level info

Be careful, as it might generate a great many log entries. By default the log entries will be in /var/log/syslog and /var/log/kern.log.

Additionally, you do not have a local interface ACCEPT rule (unless that is the rule you list without interfaces; check with sudo iptables -xvnL). You need one (before the above):

sudo iptables -A INPUT -i lo -j ACCEPT
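As an added example (not part of the original answer), a small POSIX shell helper that summarises the "INPUT DROP:" kernel log lines the LOG rule above produces, grouped by protocol and destination port, so you can see what is actually hitting the default DROP policy. The sample log lines are constructed, and the function name summarize_drops is my own.

```shell
#!/bin/sh
# Summarise netfilter LOG entries written with --log-prefix "INPUT DROP:".
# Assumes the standard kernel log format (IN=, SRC=, DST=, PROTO=, DPT=).

# Constructed sample log lines, not captured from a real host.
SAMPLE_LOG='Mar  1 10:00:01 web kernel: [1234.1] INPUT DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  1 10:00:02 web kernel: [1234.2] INPUT DROP:IN=eth0 OUT= MAC=... SRC=203.0.113.11 DST=192.0.2.5 LEN=60 PROTO=TCP SPT=51001 DPT=8080 SYN URGP=0
Mar  1 10:00:03 web kernel: [1234.3] INPUT DROP:IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=192.0.2.5 LEN=44 PROTO=UDP SPT=4000 DPT=53 LEN=24
Mar  1 10:00:04 web kernel: [1234.4] INPUT DROP:IN=eth0 OUT= MAC=... SRC=198.51.100.8 DST=192.0.2.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  1 10:00:05 web sshd[999]: Accepted publickey for admin from 203.0.113.10 port 51002'

# summarize_drops: read log text on stdin and print "PROTO DPT COUNT"
# lines, most frequent first. Non-matching lines (e.g. sshd) are ignored;
# ICMP carries no port, so "-" is printed in the DPT column.
summarize_drops() {
    grep 'INPUT DROP:' | awk '{
        proto = "-"; dpt = "-";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7);
            else if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        count[proto " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | sort -k3,3nr -k1,1
}

# On a live host: sudo journalctl -k | summarize_drops
# or: summarize_drops < /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Once the ESTABLISHED,RELATED rule is in place, what remains in this summary is unsolicited inbound traffic, which is what you decide to allow or keep dropping.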