How can I log outgoing TCP to IP and not (HTTP) iptables - linux

I'm new to iptables and Linux-firewall in general. Can somebody help me with it?
I want to write a table using iptables that will log outgoing TCP connections to a specific IP address, except these that go through port 80 (HTTP).
Her is what I have so far:
iptables -N LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -p tcp -m tcp --dport 80 -j DROP
iptables -A LOGGING -p tcp -m tcp -d 149.20.4.69 -j LOG --log-prefix "My logging: " --log-level 4
Here is my previous try. This should log all outgoing connections to the chosen IP but I don't know how to filter out port 80 (HTTP).
iptables -A OUTPUT -p tcp -s 149.20.4.69 -j LOG —log-prefix 'OUTPUT TCP: ' —log-level 4

You could just use a not condition to exclude port 80
# Log TCP traffic to x.x.x.x for all destination ports except 80
iptables -A OUTPUT -p tcp -d x.x.x.x ! --dport 80 -j LOG

Related

express demo node server not receiving any request on port 80

I'm trying to create a Node server with express. I did the following:
npm init
npm i express
and copied this sample code from express:
const express = require('express')
const app = express()
app.get('/', function (req, res) {
res.send('Hello World!')
})
app.listen(80, function () {
console.log('Example app listening on port 80!')
})
On localhost, that works. On my VPS from OVH, I got this issue that I solved with:
setcap 'cap_net_bind_service=+ep' $(which node)
I also have the following Firewall configuration:
# Vider les tables actuelles
iptables -t filter -F
# Vider les règles personnelles
iptables -t filter -X
# Interdire toute connexion entrante et sortante
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# ---
# Ne pas casser les connexions etablies
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Autoriser loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# ---
# SSH In
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
# SSH Out
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
# DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
# FTP Out
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
# FTP In
modprobe ip_conntrack_ftp # ligne facultative avec les serveurs OVH
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I guess that my express code is ok. But when I try to make a request to my website, I get no answer and no trace of it on the server, even when using the direct IP of the server.
But netstat -tulpn | grep LISTEN tells me that Node is listening on port 80...
If I do everything on port 3000, everything works fine...
I have Node version 12.11.1.
I have absolutely no clue what to do next to understand the problem...
Port 80 is the default port for HTTP requests, therefore when trying to access a website on port 80 you may be having a conflicting issue given that port may already be in use.
There are numerous reason not to run a web server on port 80. One of these being that if your node process is compromised it would have access to run sudo commands on your server. Generally, you shouldn't be running anything as root on port 80, however using a reverse proxy and nginx can utilise port 80 given they have the correct start up code to bind to the port using downgraded permissions.
If you're creating a demo application, stay away from running the express server on either port 80 or port 443 in order to maintain best practices. Port 3000 would be fine to use and should be ok for everything.
Not sure where you found the sample code, but express documentation recommends using port 3000 in the hello world example.
https://expressjs.com/en/starter/hello-world.html

Can't Access Port number 80 and 443 after adding Iptables rules

In my CentOS 6 i added a IPtables rules like DROP all the policy like
iptables -P INPUT DROP
Then I allow Port NO 22,80,443 with this command,
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
Now can access SSH with putty. But i can't access Internet. I have to know the exact problem of this.? Please help me.
Ofcourse you cannot access the Internet. You just added a rule that drops all incoming traffic (except for traffic coming in to ports 22, 80 and 443).
When you try to access the internet (if you're using a browser), your machine establishes a connection from
<local IP>:<port1> <----> <remote IP>:80
When the remote server responds to you, it will respond back to the same port1 that you sent the request from (which will NOT be 22, or 80, or 443. It will be a number usually higher than 32768), so it will get dropped by iptables.
Try these rules instead:
iptables -P INPUT DROP
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
The second rule tells IP tables to ACCEPT traffic that is coming to us, if it's coming to a port that we used to send outgoing traffic. This will allow you to see the response from the server, which you were dropping.
However, there's still a problem with DNS traffic, since it uses UDP not TCP. You can work around that by changing the first rule to:
iptables -P INPUT -p tcp DROP
so it only drops TCP traffic but not UDP traffic. There may be other ways to work around the DNS problem, depending on what exactly you want to do.
So your final ruleset should look like this:
iptables -P INPUT -p tcp DROP
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

Port forwarding with VPSGet

I bought a domain on GoDaddy but developed the website using Node.js. So, I bought a VPS on VPSGet and deployed the server. I managed to link the domain name to the VPS IP address. However, since my node.js application is running a particular port number I needed to do port forwarding so that www.domain-name.com will redirect to the process and port on the VPS. I tried to configure my firewall as follows
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 7497
COMMIT
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbounds connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbounds traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere. Here, we use normal ports for http and ssl
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow http connections to node.js app
-A INPUT -p tcp --dport 7497 -j ACCEPT
-A INPUT -p tcp --dport 7525 -j ACCEPT
-A INPUT -p tcp --dport 2368 -j ACCEPT
# Allow forwarding to port 7497
-A FORWARD -p tcp -m tcp --dport 7497 -j ACCEPT
# Allow ports for testing
-A INPUT -p tcp --dport 8080:8099 -j ACCEPT
# Allow ports for mobile shell
-A INPUT -p tcp --dport 60000:61000 -j ACCEPT
# Allow ssh connections
-A INPUT -p tcp -m state --state NEW --dport 7112 -j ACCEPT
# Allow Ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7
# Reject all other outbounds
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
However, the redirection is not working. Could someone tell me what I am doing wrong? Please note that I am running a Ubuntu 12.04 on the VPS.
Thanks,
José
Have you tried to create the support request with detailed explanation to vpsget.com ?
Regarding to the wiki
http://wiki.vpsget.com/index.php/Forward_(redirect/nat)_traffic_with_iptables
you should use venet0 instead eth0

Configuration proxy due iptables

i have to configure my server to redirect from 80 and 443 port due to 8443 using iptables
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80:443 -j REDIRECT --to-ports 8443
when i browse like https protocol everything is working, but when from http, i can just donwnload a file, and don't see anything
8443 port is intended mainly to use as HTTPS proxy. Sending plain HTTP to this port will not work. You should keep separated HTTP and HTTPS traffic by sending them to a different port (normally 8080) of your transparent proxy.
using this rule :
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80:443 -j REDIRECT --to-ports 8443
you allowed only incoming traffic to to be sent to port 8443, but still the outgoing traffic needs to be routed

Allow ssh incoming/outgoing and blocking all outgoing besides specific ports

I am trying to create iptable rules that will allow incoming and outgoing ssh connections, and then allow outbound connections to specific ports, then finally drop anything that doesnt match.
These are the rules I have come up with, the SSH rules work, but when I tunnel into the box I cant seem to access http (port 80) even though i've allowed it. Can anyone spot the mistake?
#!/bin/bash
#clear iptables
iptables -F
iptables -X
#set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#accept everything no matter port on localhost
iptables -A INPUT -i lo -j ACCEPT
#allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow input on port 22, (established connections auto accepted)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#allow traffic going to specific outbound ports
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6697 -j ACCEPT
#...
#drop anything that doesnt match the rules above
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
Thanks for your time.
You might want to add the DNS ports, otherwise you may not be able to resolve any hostnames.
Allowing OUTPUT for TCP and UDP Port 53 should help.
You need to open port 80 for input and output with a rule like this:
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

Resources