# [SOLVED] Can't close ports 1024:65535 without losing internet

## Mardok45

Hi, 

I'm trying to set up iptables to act as a NAT and a firewall, but the machine needs internet access.

The problem is I can't open up ports 80,443, and 53 without also opening up 1024:65535 in order to get internet access. 

Is there a way to securely allow UDP/TCP packets through 1024:65535 (or at least a more secure way than the way I'm currently doing it)?

```
#!/bin/bash
#Use bash as the shell script
export LAN=eth0 #For readability's sake
export WAN=eth1

iptables -N OPEN-TCP #Create two new chains for handling TCP and UDP packets
iptables -N OPEN-UDP

#Drop anything being received by the machine by default
iptables -P INPUT DROP
#Accept anything on the loopback device
iptables -A INPUT -i lo -j ACCEPT
#Accept anything on the LAN
iptables -A INPUT -i $LAN -j ACCEPT
#If we receive a TCP packet on the WAN, send it to the OPEN-TCP chain to determine whether it should be dropped or accepted.
#It will only accept packets that already have an established connection.
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -i $WAN -j OPEN-TCP
#Same as above, except with UDP packets.
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -i $WAN -j OPEN-UDP

#I'll figure out how to handle NAT later
iptables -P FORWARD DROP

#Drop anything sent out by the machine by default
iptables -P OUTPUT DROP
#Allow any packet sent out on the loopback device by default
iptables -A OUTPUT -o lo -j ACCEPT
#Allow any packet sent out on the LAN by default
iptables -A OUTPUT -o $LAN -j ACCEPT
#If any kind of TCP packet is sent out on the WAN, send it to the OPEN-TCP chain to determine if it should be accepted or dropped.
iptables -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -o $WAN -j OPEN-TCP
#Same as above, except with UDP.
iptables -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -o $WAN -j OPEN-UDP

#If the port is 80, accept
iptables -A OPEN-TCP -p tcp --dport 80 -j ACCEPT
#This is needed for internet access.  Is there a more secure way of doing this?
iptables -A OPEN-TCP -p tcp --dport 1024: -j ACCEPT
#If none of the above rules match, then drop the packet.
iptables -A OPEN-TCP -j DROP

#If we're doing a DNS lookup, accept
iptables -A OPEN-UDP -p udp --dport 53 -j ACCEPT
#This is needed for internet access.  NEED MORE SECURE WAY OF DOING THIS!!!
iptables -A OPEN-UDP -p udp --dport 1024: -j ACCEPT
#If the packet doesn't match any of the above rules, drop it.
iptables -A OPEN-UDP -j DROP
```

I know there's plenty of vulnerabilities (especially since I need this machine to access the internet), but I'll worry about that later.  Right now, I just need a better way of allowing packets through 1024:65535.

Any help will be appreciated.

Last edited by Mardok45 on Thu May 27, 2010 6:35 pm; edited 1 time in total

----------

## massimo

*Mardok45 wrote:*

> The problem is I can't open up ports 80,443, and 53 without also opening up 1024:65535 in order to get internet access.

Why do you think that this is the case? What applications do you use that need the latter ports open?

----------

## Mardok45

I have no idea why that's the case.

I'm running DHCP, FTP, and other things in a VM on the server but I only want those services on the LAN, which is why I left everything on the LAN side wide open (plus I'm the only one on the LAN, so I don't care what else gets passed around there).

When I remove the UDP rules for ports 1024+ and try a wget, it hangs at DNS resolution.

When I remove the TCP rules for ports 1024+ and try a wget, it hangs when trying to access the website.

I'm new to iptables and NAT, so I'm sorry if this is stupid.

----------

## ocbMaurice

Hi,

I guess you try to simply open a webpage on the gateway.

When you e.g. wget http://somewebpage, this traffic should be seen:

OUTPUT (state = NEW, src port = XXX, dst port = 80)

INPUT (state = ESTABLISHED, src port = 80, dst port = XXX)

then maybe some more OUTPUT/INPUT with state ESTABLISHED

The point is that the src/dst ports are exchanged for INPUT and OUTPUT.

So this rule might be enough:

```
# Match the reply's source port rather than its destination port
iptables -A OPEN-TCP -p tcp --sport 80 -j ACCEPT
# DNS replies are UDP, so this rule belongs in the OPEN-UDP chain
# (in the script above, no UDP packet ever reaches OPEN-TCP)
iptables -A OPEN-UDP -p udp --sport 53 -j ACCEPT
```

A far easier and better way is to:

```
iptables -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
```

Since iptables is stateful, this should be secure, as you already allowed the connection before.

IMO you only need to ACCEPT specific traffic when the state is NEW.

You may also want to add some logging for rejected packets (look up -j LOG).

I'm also not sure if it's wise to use the same chain for IN and OUT filtering.

I hope I got this correct from my memory.

Maurice
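
As an added example (not part of the thread, and not Maurice's or Mardok45's code), here is a complete ruleset built the way the post above describes: one RELATED,ESTABLISHED accept per direction, only NEW connections inspected, separate chains for inbound and outbound WAN traffic instead of one shared chain, and a rate-limited LOG before the final DROP. The interface names eth0/eth1, the allowed outbound ports (53, 80, 443) and the chain names WAN-IN/WAN-OUT are assumptions; it uses `-m conntrack --ctstate`, which is the current form of the `-m state --state` match used in the thread. By default it only prints the commands so they can be reviewed; `sh firewall.sh apply` executes them (requires root).

```shell
#!/bin/sh
# Added example: stateful gateway firewall following ocbMaurice's advice.
# Assumed interface names; override with LAN=... WAN=... in the environment.
LAN=${LAN:-eth0}
WAN=${WAN:-eth1}
IPT=${IPT:-iptables}

# Dry-run wrapper: prints the command unless APPLY=1 is set.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

firewall_rules() {
    # Start from a clean slate, default-deny in every direction.
    run -F
    run -X
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT DROP

    # Loopback is always allowed.
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT

    # Drop packets conntrack cannot associate with any connection, then accept
    # everything that belongs to a connection we already allowed. This is what
    # makes the 1024:65535 rules unnecessary: replies are matched by state,
    # not by port.
    run -A INPUT -m conntrack --ctstate INVALID -j DROP
    run -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # LAN side stays wide open, as in the original script.
    run -A INPUT -i "$LAN" -j ACCEPT
    run -A OUTPUT -o "$LAN" -j ACCEPT

    # Only NEW connections reach the WAN chains; one chain per direction.
    run -N WAN-OUT
    run -N WAN-IN
    run -A OUTPUT -o "$WAN" -m conntrack --ctstate NEW -j WAN-OUT
    run -A INPUT -i "$WAN" -m conntrack --ctstate NEW -j WAN-IN

    # Outbound: DNS (UDP and TCP), HTTP and HTTPS. Nothing else is opened.
    run -A WAN-OUT -p udp --dport 53 -j ACCEPT
    run -A WAN-OUT -p tcp --dport 53 -j ACCEPT
    run -A WAN-OUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    run -A WAN-OUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
    run -A WAN-OUT -j DROP

    # Inbound from the WAN: no services exposed, log a sample and drop.
    run -A WAN-IN -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
    run -A WAN-IN -j DROP
}

case "${1:-}" in
    apply)
        APPLY=1
        firewall_rules
        ;;
    show|"")
        firewall_rules
        ;;
    *)
        echo "usage: $0 [show|apply]" >&2
        exit 2
        ;;
esac
```

Dropped connection attempts show up in the kernel log with the `fw-out-drop:` / `fw-in-drop:` prefix, which is the quickest way to see which port a hanging wget was actually trying to reach.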

----------

## Mardok45

*ocbMaurice wrote:*

> So this rule might be enough:
>
> ```
> ...
> ```

That did it.  Thanks.

And yeah, it probably isn't a good idea to use the same custom chains for IN/OUT, that'll get changed.

----------

