On Fri, 21 Mar 2003 09:39:15 +0100
"Vaessen, E.M.J. (Ed)"
My home PC situation is very simple: it can connect via USB ADSL but it offers no services to the internet, where I only want to browse and download files. Also there is no local network. A simple situation that in my opinion needs only simple iptables rules for a firewall.
A command was suggested as the quickest way to protection nirvana. I flushed all rules and then gave the command:
iptables -A INPUT -p tcp --syn -j DROP
But with this I could connect to my ISP (at least I saw my IP number popping up in /var/log/messages), but using the browser no site could be found. Some DNS problem, I guess.
Trying another suggestion, the following script was used:
#!/bin/sh
# simple iptables firewall script
# denies all incoming or forwarding traffic, except as related to established outgoing connections.
# allows all outbound traffic.
# logs incoming traffic that is dropped.

IPTABLES="/sbin/iptables"
NIC="ppp0"
LOCAL="lo"

$IPTABLES -F FORWARD
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT

$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -A INPUT -i $LOCAL -j ACCEPT
$IPTABLES -A INPUT -i $NIC -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m limit -j LOG
Well, that made things work perfectly. And still only a few lines needed!
Can anyone explain what is wrong with the first effort?
The first one doesn't allow "established,related". When your browser tries to get something from the net, it opens some ports to receive. Those are "established,related" packets. That is why iptables is called "stateful": it maintains awareness of its current state. To see what I'm talking about, as root, without your browser started, type socklist to see what ports are open. Now open your browser, go to some site, and start a download, then look at socklist again. You will see extra ports get opened by your browser. There is a common misconception that all web traffic is port 80; that is only for standard servers.

--
use Perl; #powerful programmable prestidigitation
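As an added illustration of the reply's point (not code from either poster): a small Python model of the second script's INPUT chain, with a connection-tracking table that marks replies to flows the host itself opened as ESTABLISHED. Addresses and ports are constructed; the RELATED state (e.g. ICMP errors for an existing flow) is not modelled.

```python
# Model of the stateful INPUT chain: policy DROP, accept lo, accept ESTABLISHED on ppp0.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str          # "ppp0" or "lo"
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN set with ACK clear (what `--syn` matches)


class StatefulInput:
    def __init__(self):
        self.conntrack = set()  # flows this host initiated (OUTPUT policy is ACCEPT)

    def outbound(self, pkt):
        # Record the 5-tuple so the reply direction is recognised later.
        self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if reverse in self.conntrack else "NEW"

    def input_verdict(self, pkt):
        if pkt.iface == "lo":
            return "ACCEPT"
        if pkt.iface == "ppp0" and self.state(pkt) in ("ESTABLISHED", "RELATED"):
            return "ACCEPT"
        return "DROP"  # hits the -m limit -j LOG rule, then the chain policy DROP


def demonstrate():
    fw = StatefulInput()
    me, resolver, web = "10.0.0.7", "192.0.2.53", "203.0.113.80"  # constructed
    # Browser resolves a name: UDP from an ephemeral port; the reply returns to it.
    fw.outbound(Packet("ppp0", "udp", me, 41234, resolver, 53))
    dns_reply = Packet("ppp0", "udp", resolver, 53, me, 41234)
    # Browser opens the HTTP connection on a new ephemeral port (the extra port
    # socklist shows); the server's SYN-ACK is ESTABLISHED, not a fresh SYN.
    fw.outbound(Packet("ppp0", "tcp", me, 51522, web, 80, syn=True))
    syn_ack = Packet("ppp0", "tcp", web, 80, me, 51522)
    # Unsolicited SYN from the internet: no matching outbound flow, so NEW -> DROP.
    probe = Packet("ppp0", "tcp", "198.51.100.9", 40000, me, 22, syn=True)
    return {
        "dns_reply": fw.input_verdict(dns_reply),
        "syn_ack": fw.input_verdict(syn_ack),
        "probe": fw.input_verdict(probe),
        "loopback": fw.input_verdict(Packet("lo", "tcp", me, 5000, me, 80, syn=True)),
    }
```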