Ubuntu – Iptables allow just internet connection

firewalliptablesnetworking

let me explain what I did before;

# Only INPUT policy DROP, others are ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -A INPUT -p tcp --sport 80 -j ACCEPT

I also try this; for these ports to 443 and 8080

sudo iptables -A INPUT -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

Then I realized that, I should allow dns server too,

sudo iptables -A INPUT -p udp --sport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 53 -j ACCEPT

Apply this rules but I can not connect internet,

But when I allow all udp port I can connect.

Do I forget something? or do wrong something?

Best Answer

How does your computer get its IP address? If it is via DHCP, then you need to allow UDP replies to port 68 (or from port 67, see later on):

sudo iptables -A INPUT -p udp --sport 67 --dport 68 -m state --state RELATED,ESTABLISHED -j ACCEPT

If your objective is to just allow website browsing, then the connection would always be initiated from your end so you only need to allow the related traffic back in (in this example the assumption is that eth0 is your NIC name):

sudo iptables -A INPUT -i eth0 -p tcp -m multiport --sport 80,443,8080 -m state --state ESTABLISHED,RELATED -j ACCEPT

Now, you may or may not need to allow the local interface (depends on what you are doing with your computer):

sudo iptables -A INPUT -i lo -j ACCEPT

In the end , you can combine some of these things and end up with:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i eth0 -p udp -m multiport --sport 53,67 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp -m multiport --sport 53,80,443,8080 -m state --state ESTABLISHED,RELATED -j ACCEPT

I coded this on one of my test computers and it worked fine (the SSH port 22 stuff is for me, because I don't actually sit at that computer):

#!/bin/sh
FWVER=0.01
#
# test extremely basic 2015.06.10 Ver:0.01
#
#     run as sudo
#

echo "Loading test rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
EXTIF="eth0"
EXTIP="192.168.111.140"
UNIVERSE="0.0.0.0/0"

#Clearing any previous configuration
#
echo "  Clearing any existing rules and setting default policy to ACCEPT.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z

echo about to load rules.

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp -m multiport --sport 53,67 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m multiport --sport 53,80,443,8080 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT

echo Test rule set version $FWVER done.

I made it start automatically via my /etc/network/interfaces file:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
pre-up /home/doug/test_iptables_06

# The primary network interface
auto eth0
iface eth0 inet dhcp

Note that more typically, users will merely allow whatever related traffic back in, with a more generic rule (using the variables names of my script above):

$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

EDIT:

Sometimes to help understand / debug adding some logging can help. For example:

echo about to load rules.

$IPTABLES -A INPUT -i lo -j LOG --log-prefix "ILO:" --log-level info
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp -m multiport --sport 53,67 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m multiport --sport 53,80,443,8080 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -j LOG --log-prefix "IDROP:" --log-level info

echo Test rule set version $FWVER done.

then observe /var/log/syslog for the entries. Be careful with logging, so that you don't flood the log file.

Related Solutions

Ubuntu – Configuration of iptables (verfication, actives services, allow FTP)

FTP is a bit odd in that to allow inbound traffic on port 21 and outbound traffic on port 20 :

sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT

In addition ftp will use a random higher port. To allow this you need to load the ip_conntrack_ftp module on boot. Uncomment and modify the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config file to read

IPTABLES_MODULES="ip_conntrack_ftp"

You will still need a way to save your iptables configuration and restore it when you boot. Ubuntu does not have a simple way of doing this. Basically you can either use /etc/rc.local or disable NetworkManager and use networking scripts.

First save your rules:

sudo iptables-save /etc/iptables.save

Method 1 : Edit /etc/rc.local and add the line

iptables-restore /etc/iptables.save

Method 2 : Edit /etc/network/interfaces and use "post-up" to bring our iptables rules up.

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
post-up /sbin/iptables-restore /etc/iptables.save

Then reboot.

The preferred method is probably to use UFW

sudo ufw allow ftp

UFW is the fedault tool for Ubuntu, uses syntax very similar to iptables, and is enabled and restored on rebooting.

See:

https://serverfault.com/questions/38398/allowing-ftp-with-iptables

http://slacksite.com/other/ftp.html

http://bodhizazen.com/Tutorials/iptables

https://help.ubuntu.com/community/UFW

Best Answer

Related Solutions

Ubuntu – Configuration of iptables (verfication, actives services, allow FTP)

Related Question