Last steps in configuring `iptables` firewall, Output problem
by hkjz from LinuxQuestions.org on (#5G2P7)
I compiled an iptables script (full code at the bottom of the post).
(1) Unfortunately I ran into a problem: I cannot make proper OUTPUT rules. In particular, this part is giving me trouble:
Code:
echo " * Accept connection through eth0, with ip from NordVPN server "
echo " this number can be checked in the router settings"
${IPTABLES} -A OUTPUT -o eth0 -d 111.111.111.111 -j ACCEPT
echo " * Accept connection only through tun0"
${IPTABLES} -A OUTPUT -o tun0 -j ACCEPT
echo " # DROP everything else"
${IPTABLES} -A OUTPUT -j DROP

From the computer there is Wi-Fi to the router, which is set up as a VPN client (through an imported .ovpn file).
There, in the section `Server Address and Port`, I can find: Address: 111.111.111.111
Sometimes I connect the VPN client directly from the Linux terminal - and then, if I am connected to the router, there is a chained VPN from the same provider - first from the laptop, then from the router - tun0 is active.
Code:
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether a8:s7:f4:w4:t4:q1 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether a8:47:f4:1s:t4:10 brd ff:ff:ff:ff:ff:ff
inet 192.168.aa.zz/24 brd 192.168.aa.cc scope global dynamic noprefixroute wlan0
valid_lft 52210sec preferred_lft 52210sec
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.8.55/22 brd 10.8.11.255 scope global tun0
valid_lft forever preferred_lft forever
(2) Another question: is the loopback line made properly?
Code:
#!/bin/bash
#
# iptables firewall script,
# sources so far
# https://www.rosehosting.com
# https://restoreprivacy.com/anonymity-networks/
# https://help.ubuntu.com/community/IptablesHowTo
IPTABLES=/sbin/iptables
BLACKLIST=/etc/blacklist.ips
RULES=/etc/iptables/rules.v4     # the rules are saved to, and restored from, this one file
echo " "
echo " == START == "
echo " * flushing old rules"
${IPTABLES} --flush
${IPTABLES} --delete-chain
${IPTABLES} --table nat --flush
${IPTABLES} --table nat --delete-chain
echo " "
echo " == INPUT =="
echo " * allowing loopback devices"
${IPTABLES} -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
echo " * filter rules to match based on connection state: "
echo " Accept already established AND new, but related to another connection already permitted."
${IPTABLES} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
echo " # DROP everything else and Log it"
echo " log is at : /var/log/kern.log"
${IPTABLES} -A INPUT -j LOG
${IPTABLES} -A INPUT -j DROP
echo " "
echo " == FORWARD =="
echo " # DROP all"
${IPTABLES} -A FORWARD -j DROP
echo " "
echo " == OUTPUT =="
echo " * allowing loopback devices"
${IPTABLES} -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
echo " * filter rules to match based on connection state: "
echo " Accept already established only"
${IPTABLES} -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
echo " * Accept connection through eth0, with ip from NordVPN server "
echo " this number can be checked in the router settings"
${IPTABLES} -A OUTPUT -o eth0 -d 111.111.111.111 -j ACCEPT
echo " * Accept connection only through tun0"
${IPTABLES} -A OUTPUT -o tun0 -j ACCEPT
echo " # DROP everything else"
${IPTABLES} -A OUTPUT -j DROP
## BLOCK ABUSING IPs HERE ##
#echo " * BLACKLIST"
#${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
#${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP
#
# Block abusing IPs from ${BLACKLIST}, one address per line.
# -I inserts them at the top of INPUT, ahead of the ESTABLISHED,RELATED
# rule, so a listed host is dropped even if it already has a connection.
#
if [[ -f "${BLACKLIST}" ]] && [[ -s "${BLACKLIST}" ]]; then
    echo " * BLOCKING ABUSIVE IPs"
    while read -r IP; do
        [[ -n "${IP}" ]] && ${IPTABLES} -I INPUT -s "${IP}" -j DROP
    done < "${BLACKLIST}"
fi
#
# Save settings
#
echo ""
echo " * SAVING RULES"
# boot-time restore hook for ifupdown systems; it has to read the same
# file that is written below, otherwise nothing gets restored
if [[ -d /etc/network/if-pre-up.d ]]; then
    if [[ ! -f /etc/network/if-pre-up.d/iptables ]]; then
        echo "#!/bin/bash" > /etc/network/if-pre-up.d/iptables
        echo "test -e ${RULES} && iptables-restore -c ${RULES}" >> /etc/network/if-pre-up.d/iptables
        chmod +x /etc/network/if-pre-up.d/iptables
    fi
fi
echo ""
echo " * Saving using iptables-persistent "
echo " if this is a new install and an error occurs do : "
echo " sudo apt-get update && sudo apt install iptables-persistent -y"
mkdir -p "$(dirname "${RULES}")"
iptables-save > "${RULES}"
echo ""
echo " to watch in real time use:"
echo " sudo watch -d -n 2 'iptables -nvL | grep -v \"0 0\"' "
echo ""
echo " End of Script"
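An added example, not the poster's script and not anything from the thread: a VPN kill-switch ruleset in iptables-restore format that picks the physical uplink from `ip a` output instead of hard-coding eth0. In the `ip a` pasted above eth0 is NO-CARRIER with state DOWN and wlan0 is the interface that is UP and LOWER_UP, so an OUTPUT rule bound to `-o eth0` never matches anything; the VPN handshake has to be allowed on the interface that actually carries packets, and only before tun0 exists. Assumptions that are not in the post: the endpoint is reached over UDP on a placeholder port 1194 (set `VPN_PORT` from the `remote` line of the .ovpn file or the router's "Server Address and Port"), `111.111.111.111` is reused as the poster's placeholder, and the sample `ip a` text is constructed from the post with a made-up wlan0 address.

```bash
#!/bin/bash
# Added example (not the poster's code): build a kill-switch ruleset for
# iptables-restore, deriving the uplink from `ip a` output.
# Assumptions (not from the post): VPN_PROTO/VPN_PORT placeholders below.

VPN_SERVER="${VPN_SERVER:-111.111.111.111}"   # placeholder address from the post
VPN_PROTO="${VPN_PROTO:-udp}"                 # assumption
VPN_PORT="${VPN_PORT:-1194}"                  # assumption; take it from the .ovpn 'remote' line
VPN_IF="${VPN_IF:-tun0}"

# Constructed sample, modelled on the posted `ip a` (wlan0 address made up).
SAMPLE_IP_A=$(cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.1.20/24 brd 192.168.1.255 scope global dynamic noprefixroute wlan0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.8.8.55/22 brd 10.8.11.255 scope global tun0
EOF
)

# Print the first non-loopback, non-point-to-point interface whose link is
# really up (LOWER_UP). eth0 above is NO-CARRIER, so it is skipped; tun0 is
# POINTOPOINT and is the tunnel, not the uplink; wlan0 is what remains.
uplink_from_ip_output() {
  awk '$1 ~ /^[0-9]+:$/ && $2 != "lo:" && $3 ~ /LOWER_UP/ && $3 !~ /POINTOPOINT/ {
         sub(/:$/, "", $2); print $2; exit }'
}

# Emit the whole filter table. Chain policies are DROP, so a partially
# applied ruleset never leaves the host open; rule order is explicit.
build_rules() {
  local uplink="$1"
  if [ -z "$uplink" ]; then
    echo "build_rules: no uplink interface found" >&2
    return 1
  fi
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback by interface: -s/-d 127.0.0.1/32 misses the rest of 127.0.0.0/8
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP renewals on the uplink, otherwise the lease expires while the tunnel is down
-A OUTPUT -o ${uplink} -p udp --sport 68 --dport 67 -j ACCEPT
# the VPN handshake itself must leave on the physical uplink, before ${VPN_IF} exists
-A OUTPUT -o ${uplink} -d ${VPN_SERVER} -p ${VPN_PROTO} --dport ${VPN_PORT} -j ACCEPT
# everything else only inside the tunnel
-A OUTPUT -o ${VPN_IF} -j ACCEPT
# rate-limited logging: a leak attempt shows up in /var/log/kern.log without flooding it
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT
EOF
}

# Usage: ./killswitch.sh --print   (sample data)   or   --live   (real `ip a`)
case "${1:-}" in
  --print) build_rules "$(printf '%s\n' "$SAMPLE_IP_A" | uplink_from_ip_output)" ;;
  --live)  build_rules "$(ip a | uplink_from_ip_output)" ;;
esac
```

Validate before committing with `./killswitch.sh --live | sudo iptables-restore --test`, then pipe the same output into `sudo iptables-restore` (and into `/etc/iptables/rules.v4` for iptables-persistent). Two caveats a practitioner should check on top of this: if the `.ovpn` `remote` line is a hostname, OpenVPN needs DNS on the uplink before the tunnel exists, which this ruleset blocks, so either put the IP in `remote` or add a narrow DNS rule for the uplink; and none of this touches ip6tables, so unless IPv6 is disabled or given the same DROP policies, IPv6 traffic walks around the kill switch.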

