# iptables Rules

## 0000000000000

I've been trying out various iptable configuration frontends lately.  ipkungfu didn't seem to do anything, firestarter is no longer in portage, fwbuilder appeared to be too troublesome, and I do not think I am knowledgeable enough to edit iptables directly, so I am trying to use Guarddog again.

I set up my rules through the GUI seemingly as needed.  Then copied the rc.firewall script that guarddog creates to init.d and then added it to default runlevel.  However, when I boot those rules are not initialized.  I have to start guarddog, click apply and ok, and then do they seem to work.  Would it be more sensible to apply those rules, then run "/etc/init.d/iptables save" and put iptables into default runlevel instead of guarddog?

Also, even though I have allowed ports 6881-6889 and have deluge using those ports, I still cannot actually connect to any of the seeders.  They all show up as available, but the download speed stays at 0, and connections stay at 0.  When I disable the guarddog firewall then it connects.

I just want to drop every connection and block all ports other than a select few (http, https, IRC, AIM, YIM, torrent, gnutella, nicotine, and rsync) but am having more trouble than I thought I would...

My question(s) then is/are: is it beneficial to set iptables rules with guarddog, save the rules with "iptables save", and add iptables to default runlevel?

And any idea why I don't connect to seeds despite having seemingly the right ports opened?

Thanks.

Last edited by 0000000000000 on Wed May 28, 2008 7:07 am; edited 1 time in total

----------

## Hu

*0000000000000 wrote:*

> My question(s) then is/are: is it beneficial to set iptables rules with guarddog, save the rules with "iptables save", and add iptables to default runlevel?

Yes.  You should use the Gentoo init script to manage this.  Your current approach may be failing because the Gentoo init scripts do not follow the syntax of init scripts from other distributions.

*0000000000000 wrote:*

> And any idea why I don't connect to seeds despite having seemingly the right ports opened?

Without seeing the rules, I suspect that you do not have the right ports opened.  If you post your rule set and an exact description of the failed connection, someone should be able to debug them to identify why your traffic is being blocked.

----------

## 0000000000000

Edited due to inability to delete.

Last edited by 0000000000000 on Wed May 28, 2008 6:36 am; edited 1 time in total

----------

## 0000000000000

Okay, I just decided to take the plunge and do everything through the terminal.

I want to set up a policy to drop everything, then just add what I want accepted, but

```
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

does not allow connections through http.

I've been reading all sorts of tutorials the past few days, and have not found anything that addresses starting from a default drop policy and then allowing only what is wanted.

Thanks for any help.

Addition:

After altering it to look like:

```
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
```

I can now surf the web, but I'm not sure I want to allow all "RELATED,ESTABLISHED" connections, partially because I don't know what that means, and I really want just the barest minimum.

----------

## vaguy02

Related and Established shouldn't be a problem. They are "relatively" safe connections, although nothing is 100% safe; there are always exploits.

----------

## 0000000000000

OK, I thought it would be relatively safe, but I still don't know exactly what is opened up by allowing ESTABLISHED,RELATED connections. If anyone cares to take a look at what I have ended up with now and tell me if they think it is a good setup, I'd be much appreciative.

```
Chain INPUT (policy DROP 63 packets, 11715 bytes)
 pkts bytes target     prot opt in     out     source               destination
   98  4900 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:domain
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:domain
   31  1860 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
 199K  144M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:aol
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpts:6881:6889
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:irc
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:rsync
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpts:2234:2239
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:2240
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:gnutella-rtr
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:5050
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpts:1024:1030
   32  9228 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 702 packets, 54882 bytes)
 pkts bytes target     prot opt in     out     source               destination
51934   34M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    8   480 ACCEPT     all  --  any    lo      anywhere             anywhere
   36  2361 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:domain state NEW
   65  3900 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https state NEW
```

----------

## 0000000000000

I still cannot get deluge to connect to any of the available seeders/peers without changing the output policy to ACCEPT, so I'm obviously missing something, but I cannot imagine what, since I have deluge set to use ports 6881-6889.

```
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1135  117K ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:domain
   31  1860 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
 569K  390M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:aol
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpts:6881:6889
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:irc
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:rsync
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpts:2234:2239
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:2240
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:gnutella-rtr
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:5050
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpts:1024:1030
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:9050
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:6881
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:6969
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN multiport ports 6881:6889
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp multiport ports 6881:6889
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 2443 packets, 174K bytes)
 pkts bytes target     prot opt in     out     source               destination
 478K  381M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
  326 21561 ACCEPT     all  --  any    lo      anywhere             anywhere
 1698  110K ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:domain state NEW
 2422  145K ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http state NEW
    7   420 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https state NEW
  983 58980 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpts:6881:6889
   66  3960 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:5050
   15   900 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:aol
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ircd
    2   120 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:rsync
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:git
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:9050
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:6881
   11   660 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:6969
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp echo-request
```

Thanks to anyone who can decipher it.

----------

## mimosinnet

*0000000000000 wrote:*

> i've been reading all sorts of tutorials the past few days, and have not found anything that addresses starting from a default drop policy then allowing only what is wanted.

I know very little about iptables. Nevertheless, I have been able to build the firewall starting from a drop policy from this guide in the Gentoo wiki.

----------

## vaguy02

Are you sure you need to have all of those ports open? That seems a bit extreme... it has more holes than a colander.

The 3 main states are New, Established, and Related:

New = a new connection request that your side did not initiate; their side did. This is someone else hitting your box first.

Established = you sent a request, the other side got it and replied on the same request. Therefore, you start the conversation, and this allows the other side to reply to you.

Related = you have a conversation going with an outside host and it spins off another conversation related to the first one. Therefore it's still partly based on the previous one.

This is as layman as I can get with it; it's not 100% accurate, but I was going for understanding rather than 100% accuracy right now. I hope that helps. So if you don't need to have someone else "start" the conversation, then don't open that port in the firewall. Like AIM (AOL Instant Messenger): you click sign-on and the conversation goes from there, so it should be covered under the established and related rules and you shouldn't have to open that port to NEW packets.

Sorry if this is confusing.

----------

## bartlm

Hi there.

What I'm doing is letting the OUTPUT chain ACCEPT.

I guess this allows me to establish a connection from every port I want.

In the INPUT chain I accept the states ESTABLISHED, RELATED.

This should be enough as long as you initiated the connection to somewhere else.

I'm doing the same in the FORWARD chain.

In my opinion you should add a "final" chain where you REJECT all packets which are not allowed at this time instead of just DROPping them.

My final chain looks like:

```
Chain reject_unaccepted (2 references)
 pkts bytes target     prot opt in     out     source               destination
 1345 48420 REJECT     all  --  any    any     anywhere             ALL-SYSTEMS.MCAST.NET reject-with icmp-port-unreachable
 4110  179K LOG        all  --  any    any     anywhere             anywhere            LOG level warning prefix `NACK -> '
 4114  179K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable
```

Rejecting does some kind of "stealth mode" on your ports. And it's not obvious to the other side that they are closed by a firewall.

Regards,

Markus

----------

## Hu

*bartlm wrote:*

> In my opinion you should add a "final" chain where you REJECT all packets which are not allowed at this time instead of just DROP them.
>
> My final chain looks like:
> ...

No.  DROP instructs the kernel to discard the packet and not send a response.  REJECT instructs the kernel to discard the packet and send an explicit refusal to the originating host.  Using REJECT is polite in private networks since it allows the receiving party to quickly recognize that the connection has been disallowed.  On the Internet, you are better off using DROP since it forces probing systems to time out and avoids using any bandwidth on your side to send the rejection.  Improperly written rejection rules can highlight the presence of a firewall, since it results in a different behavior than if no firewall were present.

----------

## vaguy02

Drop is much "safer" than Reject. I agree with Hu above.

----------

## bartlm

Well, if you search the internet for DROP or REJECT there are millions of discussions going on about what's better to use.

I didn't want to break another one loose.

What I wanted to say is that the FORWARD chain in the example above is closed completely, which I can't really understand, while in the INPUT chain, in my opinion, way too many ports are opened.

----------

## mimosinnet

*0000000000000 wrote:*

> Also, even though I have allowed ports 6881-6889 and have deluge using those ports, I still cannot actually connect to any of the seeders.  They all show up as available, but the download speed stays at 0, and connections stay at 0.  When I disable the guarddog firewall then it connects.
>
> I just want to drop every connection and block all ports other than a select few (http, https, IRC, AIM, YIM, torrent, gnutella, nicotine, and rsync) but am having more trouble than I thought I would...

I am using the same ports with rtorrent (as I understand it, they have to be open for NEW connections), and all the other protocols (http, https, ...) are accepted in the case of RELATED or ESTABLISHED connections. These are my iptables chains:

```
# iptables -L -v
Chain INPUT (policy DROP 66707 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination
 875K  103M ACCEPT     all  --  lo     any     anywhere             anywhere
1385K  933M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
  223 11124 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpts:6881:6890 state NEW
  244 31844 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:6881 state NEW
    0     0 REJECT     tcp  --  eth0,ath0,bond0 any     anywhere             anywhere            reject-with tcp-reset
    0     0 REJECT     udp  --  eth0,ath0,bond0 any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 168 packets, 40891 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 126M packets, 85G bytes)
 pkts bytes target     prot opt in     out     source               destination
```

For example, if you do not have a web server, you do not need to open the http ports for NEW connections, as the connections will be RELATED (as a response) or ESTABLISHED (because of the current connection).

In relation to downloading torrents: I had a similar issue because I did not configure port forwarding in my router.

Cheers!

----------
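The state explanation from vaguy02 and the rule sets posted in this thread can be checked with a small model of how the kernel walks a filter chain and how connection tracking classifies packets. This is an added illustration for the thread, not code from any poster and not part of iptables itself: it implements only the matches the posted listings rely on (chain policy, `-i`/`-o lo`, destination ports and ranges, `state NEW`/`ESTABLISHED`; RELATED is not modelled), the INPUT and OUTPUT lists are condensed from 0000000000000's listing with policy DROP on both chains, and the addresses and ephemeral ports are constructed sample values. It shows why the reply to a web request is accepted on INPUT without any rule for port 80 there (the reply is ESTABLISHED), why a peer connecting to 6881-6889 is accepted as NEW, and what happens to an outbound connection to a peer that listens on a port outside that range: under the posted OUTPUT chain no rule matches, so the chain policy decides, which is consistent with deluge connecting only once the OUTPUT policy was changed to ACCEPT.

```python
# Added illustration of iptables chain evaluation with connection tracking.
# Not code from the thread; it models only the features the posted listings
# use. Addresses and ephemeral ports below are constructed sample values.
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet

DOMAIN, HTTP, HTTPS, TRACKER = 53, 80, 443, 6969


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (walks INPUT) or "out" (walks OUTPUT)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "eth0"


@dataclass(frozen=True)
class Rule:
    target: str                               # ACCEPT or DROP
    proto: Optional[str] = None               # -p
    dports: Optional[Tuple[int, int]] = None  # --dport / --dports, inclusive
    iface: Optional[str] = None               # -i on INPUT, -o on OUTPUT
    states: Optional[FrozenSet[str]] = None   # -m state --state ...


def rule(target, proto=None, dport=None, dports=None, iface=None, states=None):
    rng = (dport, dport) if dport is not None else dports
    return Rule(target, proto, rng, iface, frozenset(states) if states else None)


class Conntrack:
    """Flow table keyed by the unordered endpoint pair, so a reply to a flow
    accepted earlier is ESTABLISHED. RELATED (FTP data, ICMP errors) is not
    modelled; the RELATED,ESTABLISHED rules below simply match ESTABLISHED."""
    def __init__(self):
        self.flows = set()

    @staticmethod
    def key(p):
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def state(self, p):
        return "ESTABLISHED" if self.key(p) in self.flows else "NEW"

    def record(self, p):
        self.flows.add(self.key(p))


def walk_chain(chain, policy, p, state):
    """First matching rule wins; otherwise the chain policy applies."""
    for r in chain:
        if r.proto and r.proto != p.proto:
            continue
        if r.dports and not (r.dports[0] <= p.dport <= r.dports[1]):
            continue
        if r.iface and r.iface != p.iface:
            continue
        if r.states and state not in r.states:
            continue
        return r.target
    return policy


class Firewall:
    def __init__(self, input_chain, input_policy, output_chain, output_policy):
        self.chains = {"in": (input_chain, input_policy),
                       "out": (output_chain, output_policy)}
        self.ct = Conntrack()

    def filter(self, p):
        chain, policy = self.chains[p.direction]
        verdict = walk_chain(chain, policy, p, self.ct.state(p))
        if verdict == "ACCEPT":
            self.ct.record(p)   # accepted packets create the tracked flow
        return verdict


EST = ("RELATED", "ESTABLISHED")
# Condensed from the OP's posted INPUT/OUTPUT listing (policy DROP on both).
INPUT = [
    rule("ACCEPT", iface="lo"),
    rule("ACCEPT", "tcp", dport=DOMAIN),
    rule("ACCEPT", "tcp", dport=HTTP),
    rule("ACCEPT", states=EST),
    rule("ACCEPT", "tcp", dports=(6881, 6889), states=("NEW",)),
]
OUTPUT = [
    rule("ACCEPT", states=EST),
    rule("ACCEPT", iface="lo"),
    rule("ACCEPT", "udp", dport=DOMAIN, states=("NEW",)),
    rule("ACCEPT", "tcp", dport=HTTP, states=("NEW",)),
    rule("ACCEPT", "tcp", dport=HTTPS, states=("NEW",)),
    rule("ACCEPT", "tcp", dports=(6881, 6889), states=("NEW",)),
    rule("ACCEPT", "tcp", dport=TRACKER),
]
ME, WEB, PEER = "192.0.2.10", "203.0.113.5", "198.51.100.7"   # constructed


def run_scenarios(output_policy="DROP"):
    fw = Firewall(INPUT, "DROP", OUTPUT, output_policy)
    out = {}
    # 1. We open a web connection; the reply comes back ESTABLISHED, so it is
    #    accepted on INPUT although INPUT has no rule for our port 40000.
    out["http_out"] = fw.filter(Packet("out", "tcp", ME, 40000, WEB, HTTP))
    out["http_reply"] = fw.filter(Packet("in", "tcp", WEB, HTTP, ME, 40000))
    # 2. A peer connects to our listening range 6881-6889: NEW inbound, allowed.
    out["peer_in"] = fw.filter(Packet("in", "tcp", PEER, 51000, ME, 6885))
    out["peer_in_reply"] = fw.filter(Packet("out", "tcp", ME, 6885, PEER, 51000))
    # 3. We connect to a peer listening outside 6881-6889: NEW outbound that
    #    no OUTPUT rule matches, so the chain policy decides the verdict.
    out["peer_out"] = fw.filter(Packet("out", "tcp", ME, 40001, PEER, 51413))
    # 4. Unsolicited inbound to one of our ephemeral ports: no flow, no rule.
    out["unsolicited"] = fw.filter(Packet("in", "tcp", PEER, 51413, ME, 40002))
    return out


if __name__ == "__main__":
    for policy in ("DROP", "ACCEPT"):
        print(f"OUTPUT policy {policy}:", run_scenarios(policy))
```

Running it prints one verdict map per OUTPUT policy. Scenario 3 is the only one whose verdict changes between the two runs, while scenario 4 stays DROP in both, which is the property a default-deny INPUT chain is meant to keep: the loosened OUTPUT policy lets the host open connections to arbitrary peer ports without accepting anything unsolicited from outside.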

