# [SOLVED] Can't configure iptables

## somethin

I can't understand how to configure iptables.

I use the following script to configure it:

```
#!/bin/bash
iptables -F
iptables -X
iptables -Z
iptables -N TCP
iptables -N UDP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
```

This script is from the Arch Linux Wiki, and I should be able to open ports only by adding rules to the TCP (or UDP) chain.

But nmap says that some ports are open:

```
$ nmap $(wget http://ipinfo.io/ip -qO -)

Starting Nmap 7.01 ( https://nmap.org ) at 2016-06-10 19:37 EEST
Nmap scan report for litenet1.ett.ua (78.154.164.202)
Host is up (0.017s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
53/tcp   open     domain
80/tcp   open     http
1723/tcp open     pptp
3784/tcp filtered bfd-control
8001/tcp open     vcom-tunnel
8009/tcp open     ajp13
8291/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds
```

Why are these ports open and how can I open only specific ports?

Last edited by somethin on Mon Jun 13, 2016 4:26 pm; edited 1 time in total

----------

## szatox

```
nmap $(wget http://ipinfo.io/ip -qO -)
```

Are you aware that you're testing your ISP's router?

By the services it discovered, I'm almost sure that it's not your own PC, and you're behind NAT.

----------

## somethin

...So, do I need to run `nmap localhost` or `nmap 192.168.0.100`?

----------

## somethin

Btw, I can access the internet with a web browser, so port 80 is still open.

----------

## cboldt

You should scan your computer from an unrelated network, if you want to see what is open to others on unrelated networks.

http://www.whatsmyip.org/port-scanner/ has a selection of scanning routines.

----------

## somethin

1. http://www.whatsmyip.org/port-scanner/ shows that ports 53, 80, 1723, 8001, 8009, 8291 are open.

2. Here is an experiment:

```
$ sudo iptables-save
# Generated by iptables-save v1.4.21 on Fri Jun 10 23:41:19 2016
*mangle
:PREROUTING ACCEPT [3:640]
:INPUT ACCEPT [2:64]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Fri Jun 10 23:41:19 2016
# Generated by iptables-save v1.4.21 on Fri Jun 10 23:41:19 2016
*filter
:INPUT DROP [2:64]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Jun 10 23:41:19 2016
$ netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
$ sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ chromium-browser https://google.com &> /dev/null & disown
[1] 3280
$ netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 192.168.0.100:57476     173.194.113.215:https   ESTABLISHED
tcp        0      0 192.168.0.100:36760     bud02s23-in-f13.1:https TIME_WAIT  
tcp      398      0 192.168.0.100:32774     bud02s22-in-f3.1e:https ESTABLISHED
tcp      398      0 192.168.0.100:57480     173.194.113.215:https   ESTABLISHED
tcp      398      0 192.168.0.100:57478     173.194.113.215:https   ESTABLISHED
tcp        0      0 192.168.0.100:36774     bud02s23-in-f13.1:https ESTABLISHED
tcp        0      0 192.168.0.100:48004     bud02s23-in-f14.1:https ESTABLISHED
tcp        0      0 192.168.0.100:41708     lf-in-f239.1e100.:https ESTABLISHED
tcp        0      0 192.168.0.100:41694     lf-in-f239.1e100.:https TIME_WAIT  
tcp        0      0 192.168.0.100:47994     bud02s23-in-f14.1:https TIME_WAIT  
tcp        0      0 192.168.0.100:32772     bud02s22-in-f3.1e:https ESTABLISHED
tcp        0      0 192.168.0.100:58260     173.194.113.216:https   TIME_WAIT
```

It seems that `sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` opens every port, but it shouldn't.

----------

## cboldt

*Quote:*

> It seems that "sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" opens every port, but it shouldn't.

It opens all the ports, but only for traffic that started at the firewalled machine.  Otherwise, you'd have had to make firewall rules for incoming to those higher number ports like 57576, or incoming from 443 (https).

As for your router/network showing ports 3, 80, 1723, 8001, 8009, 8291 as open, your netstat command isn't showing the inactive but open and listening ports, and it isn't showing the UDP ports. Try `netstat -tul` to see both TCP and UDP packets, but only the ports that are LISTENING. You can also do `netstat -tua` to see all the ports, LISTENING, ESTABLISHED, and WAITING. Depending on your preference for reading the report, you can add an "n" to show the numeric port instead of named, and you can add a "p" to show the program that has that port open.

----------

## somethin

1. `sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` should allow traffic that is already ESTABLISHED or RELATED to an established connection. There is a different state for NEW connections. See man iptables-extensions(8).

2. `netstat -tua` before applying the rule, right after the reboot, shows only `udp        0      0 0.0.0.0:bootpc          0.0.0.0:*`.

----------

## cboldt

So far, so good. When you open chromium, or another browser, and hook up to a website or three, you will have connections between the firewalled computer and http/https ports at the websites.

Still a mystery as to what is opening that handful of ports (53, 80, 1723, 8001, 8009, 8291), but `netstat -tuap` will show what is running on the firewalled machine that might be LISTENING for packets destined for those ports. Your router might offer some ports to the outside world too.

----------

## somethin

Just to clarify the problem.

What I do:

```
sudo iptables -F
sudo iptables -X
sudo iptables -Z
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
```

What I expect to happen: All ports are closed unless I do

```
sudo iptables -N TCP
sudo iptables -N UDP
sudo iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
sudo iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
sudo iptables -A <TCP/UDP> -p <tcp/udp> --dport <port> -j ACCEPT
```

What happens: All ports are open (not all ports because, maybe, I am behind my router's firewall).

----------

## cboldt

How do you reach the conclusion that any port is open?

If you leave the firewall in the condition you just described, and use the port scanner from an external website, any ports that the port scanner sees are NOT on the computer running the firewall. You can prove that with `netstat -tua`.

If you want all the ports to the outside closed, including RELATED and ESTABLISHED connections, you won't be able to do much on the external network.

----------

## somethin

Well, when I leave the firewall in the condition I just described, I am able to use a web browser to load any page, which means ports 80 and 443 are open and can be further proven with `netstat -tua`.

And, why are open ports determined via the port scanner NOT on my computer, which is running the firewall?

----------

## cboldt

From the `netstat -tua` lines you gave before, ports 80 and 443 are open on the HOST computer (website server, "Foreign address" column in the netstat report), not the computer that the browser/firewall are running on (Local address).

We haven't figured out why ports 53, 80, 1723, 8001, 8009, 8291 are shown as open when you probe from the outside, but if those ports don't show up in the "Local address" column of `netstat -tua`, then those ports aren't open on your computer.

Where are they open? Well, your router is a separate computer, and you are going to have to learn how to read its configuration. On the system I have here, the router can forward certain NEW packets to any computer I choose, on the local network. My router forwards SSH packets to one computer on the inside, and forwards TELNET and FTP packets to a separate machine that runs as a honeypot (no telnet or ftp service running, but the packets come through - persistent attempts result in closing the firewall to blocks of IP address). When I portscan from the outside, it looks like the system has live TELNET and FTP services, the ports are open, but there is nobody home (`netstat -tua` shows no open TELNET or FTP port, no service running there).

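To make the "Local address column" check above mechanical, here is an added Python example (not from the thread or any of its posters) that parses `netstat -tuan` output and sorts an external scanner's open-port list into ports this host is really listening on versus ports that must be answered by something upstream, such as the router. The netstat sample and the scanner list are constructed for the example; only TCP rows in state LISTEN count, because ESTABLISHED rows are connections this host initiated and the open port is on the foreign side.

```python
# Constructed sample in the shape of `netstat -tuan` output (not from the thread).
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.100:57476     173.194.113.215:443     ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Ports the external scanner reported as open (the thread's list, all TCP).
EXTERNAL_OPEN = {("tcp", p) for p in (53, 80, 1723, 8001, 8009, 8291)}


def parse_listeners(text):
    """Map (proto, port) -> set of local addresses that are LISTENING.

    TCP rows count only in state LISTEN; an ESTABLISHED row is a connection
    this host started, so the open port is on the *foreign* side. UDP rows
    carry no state column and are always listeners.
    """
    listeners = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].startswith(("tcp", "udp")):
            continue                      # header lines
        proto = f[0][:3]                  # 'tcp6' -> 'tcp'
        if proto == "tcp" and (len(f) < 6 or f[5] != "LISTEN"):
            continue
        ip, port = f[3].rsplit(":", 1)    # ':::22' (IPv6 any) also splits here
        listeners.setdefault((proto, int(port)), set()).add(ip)
    return listeners


def classify(external_open, listeners):
    """Sort externally visible ports by where the listening socket really is."""
    result = {"on_host": [], "loopback_only": [], "elsewhere": []}
    for key in sorted(external_open):
        ips = listeners.get(key, set())
        if not ips:
            result["elsewhere"].append(key)       # router/NAT device, not this host
        elif all(ip.startswith("127.") or ip == "::1" for ip in ips):
            result["loopback_only"].append(key)   # cannot be what the scanner saw
        else:
            result["on_host"].append(key)         # review the TCP/UDP chain rules
    return result
```

Ports in `on_host` are the only ones the INPUT/TCP/UDP chains on this machine can influence; the rest have to be traced on the router.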
----------

## Ant P.

*somethin wrote:*

> 1. sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT should allow traffic that is already ESTABLISHED or RELATED to established connection.

Such as the connection you establish by sending a SYN packet from your web browser...

----------

## szatox

*Quote:*

> Well, when I leave the firewall in the condition I just described, I am able to use web browser to load any page, which means ports 80 and 443 are open

No, it doesn't.

When you use a web browser to load "any page", it means that the "any" machine hosting that any page has port 80 open. You are using a random port to initiate the connection, and firewalls are usually set to allow outgoing traffic (output policy accept) and accept incoming traffic you expected (conntrack ESTABLISHED,RELATED accept).

Still, if you want to test your firewall, you must first ensure you're testing the correct machine.

Use another computer within your LAN to scan your machine's IP. Within the LAN you can compare the MAC reported by nmap to the one assigned to the interface you want to scan.

Also, make sure to accept all traffic incoming via local loopback.

----------

## somethin

Ok, thanks, I understand now. And, I guess, open ports are because of the router.

----------

