here is my whitelist allowing wikipedia and rejecting all other sites. Unfortunately this script does not work : I cannot connect to wikipedia. Why ?
Thank you
Allow incoming traffic from established connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow incoming connections from wikipedia
iptables -A INPUT -s 78.109.84.114 -j ACCEPT
Allow outcoming connections from wikipedia
iptables -A OUTPUT -s 78.109.84.114 -j ACCEPT
Drop other incoming connections.
iptables -P INPUT DROP
Drop any transfer of traffic.
iptables -P FORWARD DROP
I think i got your Problem.
Try using iptables -A OUTPUT -d 78.109.84.114 -j ACCEPT instead of
iptables -A OUTPUT -s 78.109.84.114 -j ACCEPT
And if you want to work with the state module then use:
iptables -A OUTPUT -m state --state NEW -d 78.109.84.114 -j ACCEPT
The Problem is, that you create a rule, that says that Traffic that goes into the OUTPUT Chain with the Source Adress 78.109.84.114 is allowed. But what you want is a rule that allows Traffic to Wikipedia outgoing not from Wikipedia.
Related
First, I set up my firewall like this to allow everything:
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables --flush
Then, I check if NTP is working:
sudo systemctl daemon-reload
sudo systemctl restart systemd-timesyncd
timedatectl
and I can see that it says System clock synchronized: yes.
But then if I reboot and set up my firewall like this (reject everything except for NTP):
sudo iptables -P INPUT REJECT
sudo iptables -P OUTPUT REJECT
sudo iptables -P FORWARD REJECT
sudo iptables -A INPUT -p udp --dport 123 -j ACCEPT
sudo iptables -A OUTPUT -p udp --sport 123 -j ACCEPT
then I get System clock synchronized: no and the clock won't sync.
Based on the above steps, I'm convinced it's the firewall that's blocking timesyncd. I have read (for example, here) that perhaps it has to do with extra ports being opened by the service or the fact that is uses SNTP instead of NTP. I have tried different combinations of rules, but with no success yet as I am not an expert with iptables.
But there must be a way to set it up such that it works without altogether disabling the firewall.
Summary
--dport and --sport are switched.
Explanation
For the other services that I am allowing through the firewall, my machine is the server. For NTP, my machine is the client. Because the rest of my original configuration actually looked more like this:
...
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 5353 -j ACCEPT
...
sudo iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
sudo iptables -A OUTPUT -p udp --sport 5353 -j ACCEPT
...
I assumed that --dport was meant to be used with INPUT and --sport was used with OUTPUT. However, you have to think about what it means. To use NTP as a client, I need to allow INPUT packets that are coming from a source port of 123, not input packets that are coming to a destination port of 123. Likewise, I need to allow OUTPUT packets with destination port 123, not output with source 123.
So the answer to my question is to use this:
sudo iptables -P INPUT REJECT
sudo iptables -P OUTPUT REJECT
sudo iptables -P FORWARD REJECT
sudo iptables -A INPUT -p udp --sport 123 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
I can set iptables rules to prevent external connection. But can we use iptables to prevent internal connection? For example, I have set iptables to prevent port 5555 port on my machine, but my local APP can still connect with 5555 when running on my machine.
Yes you can block it using iptables.
iptables -A INPUT -d 127.0.0.1 -p tcp --dport 5555 -j DROP
With this command you'll not be able to connect from your own host to your own service. Then you can remove the rule using the opposite to -A append which is -D delete:
iptables -D INPUT -d 127.0.0.1 -p tcp --dport 5555 -j DROP
Hope it helps.
Depends upon how you are blocking the port 5555, if you have a specific INPUT rule with interface and source and/or destination addresses it would match only those. In your case, you could modify your rule to just match tcp destination port 5555 and it will block all packets to tcp destination port 5555. for eg:
iptables -t filter -I INPUT -p tcp --dport 5555 -j DROP
If you just want to block your internal apps and not touch your existing iptables rule then use the incoming interface as lo for eg:
iptables -t filter -I INPUT -i lo -p tcp --dport 5555 -j DROP
Note: If you are using destination ip then use the entire loopback address range rather than just 127.0.0.1 for eg:
iptables -t filter -I INPUT -d 127.0.0.0/8 -p tcp --dport 5555 -j DROP
Before you do any changes you can instead of -j DROP action use -j LOG action to log and confirm the tcp connections this rule will match. You could also skip the action part without specifying the -j option and check how many packets would match your rule with iptables -t filter -L -n -v without causing any harm.
I need some custom iptables for a login page of my wifi hotspot on my raspberry pi. I want an http login page: this is how it should work, I just don't know how to configure the iptables.:
Any connections on an ip address that is not already logged in, should be redirected to the pi's port 8181 (the server for my login page).
Any connections on an ip address that is logged in should be allowed to access the outside internet.
Any connections initially requesting the pi's port 8181 should be allowed.
How should I set this up with iptables?
Thanks!
I've found the following article very helpful when learning iptables:
http://wiki.centos.org/HowTos/Network/IPTables
Basically you can start with a something similar to:
# iptables -P INPUT ACCEPT
# iptables -F
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
This will block pretty much everything other than SSH, outgoing connections, and connections that are previously established (ie from previous outgoing connections)
Once that is in place you need to do the redirection:
http://proghowto.com/iptables-redirect-port-80-to-port-8080
And finally you need to run something like the following for each ip that gets authenticated:
# iptables -A INPUT -s 192.168.0.4 -j ACCEPT
The following will drop packets which contain the string specified:
iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string "therichsheickc#yahoo.com"
The string is one which a botnet spammer uses (from 1000's upon 1000's of ip addresses) to hammer my email servers constantly. This rule is somewhat effective, but doesn't stop the connections. I'd like it to -j DROP the IP as well after a match. Can I do this in iptables without going to userspace?
This particular scanner always greet with EHLO 192.168.2.33. Use these rules to stop them:
iptables -t raw -A PREROUTING -i eth+ -p tcp --dport 25 -m string --string "192.168.2.33" --algo bm -m recent --set --name SBOT
iptables -I INPUT -i eth+ -p tcp --dport 25 -m recent --rcheck --name SBOT -j REJECT --reject-with tcp-reset
or maybe this will help :
iptables -A FORWARD -m string --algo bm --string "therichsheickc#yahoo.com" -j DROP
how do I drop all traffic to smtp, except originating from my IP? This example I found drops traffic for particular IP, I need to deny by default, but allow 1 IP in. Thanks
# iptables -A INPUT -s 65.55.44.100 -p tcp --destination-port 25 -j DROP
iptables -A INPUT -s ! 65.55.44.100 -p tcp --destination-port 25 -j DROP
# iptables -A INPUT -s 65.55.44.100 -p tcp --destination-port 25 -j ACCEPT
# iptables -A INPUT -p tcp --destination-port 25 -j DROP
If you actually want to deny all traffic by default, and only open up holes for specific protocols/addresses/etc., what you want to do is continue to use the rule you have now, and also modify the default policy like so:
# iptables -P INPUT DROP
Otherwise, siposa's answer will drop all SMTP traffic except for the specified IP address, while not affecting other protocols.