How to pass to NFQUEUE all incoming connection packets - linux

I develop an application to inspect packets arriving on a linux machine.
I would like to send in NFQUEUE all the incoming connection packets and only the incoming ones. Not only --state NEW but also --state ESTABLISHED, RELATED for connections that are initiated by a client.
One last thing, to make the tcp handshake for all ports I need this rule to works in addition:
iptables -A PREROUTING -t nat -p tcp -match multiport! --dport 64646 -j REDIRECT --to-ports 1234
Any help would be very appreciated.
Thank you!

I found the solution if it interests someone.
# Accept our ssh on a modified port
iptables -A PREROUTING -t raw -p tcp --dport 64646 -j ACCEPT
# Mark all packets of incoming NEW connection with mark 1 (netfilter connmark)
iptables -A PREROUTING -t mangle -m state --state NEW -j CONNMARK --set-mark 1
# Push into nfqueue all marked packets (netfilter nfqueue)
iptables -A PREROUTING -t mangle -m connmark --mark 1 -j NFQUEUE --queue-num 0
# Redirect all incoming connections to the userland listener to make TCP handshake
iptables -A PREROUTING -t nat -p tcp --match multiport ! --dport 64646 -j REDIRECT --to-ports 1234
Finally all the incoming packets go into nfqueue but if I work on the machine (update, upgrade, install...) packets do not match the rules.
In addition the redirection applies after nfqueue decision, so I log the base port (not 1234).

Related

Can't Access Port number 80 and 443 after adding Iptables rules

In my CentOS 6 i added a IPtables rules like DROP all the policy like
iptables -P INPUT DROP
Then I allow Port NO 22,80,443 with this command,
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
Now can access SSH with putty. But i can't access Internet. I have to know the exact problem of this.? Please help me.
Ofcourse you cannot access the Internet. You just added a rule that drops all incoming traffic (except for traffic coming in to ports 22, 80 and 443).
When you try to access the internet (if you're using a browser), your machine establishes a connection from
<local IP>:<port1> <----> <remote IP>:80
When the remote server responds to you, it will respond back to the same port1 that you sent the request from (which will NOT be 22, or 80, or 443. It will be a number usually higher than 32768), so it will get dropped by iptables.
Try these rules instead:
iptables -P INPUT DROP
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
The second rule tells IP tables to ACCEPT traffic that is coming to us, if it's coming to a port that we used to send outgoing traffic. This will allow you to see the response from the server, which you were dropping.
However, there's still a problem with DNS traffic, since it uses UDP not TCP. You can work around that by changing the first rule to:
iptables -P INPUT -p tcp DROP
so it only drops TCP traffic but not UDP traffic. There may be other ways to work around the DNS problem, depending on what exactly you want to do.
So your final ruleset should look like this:
iptables -P INPUT -p tcp DROP
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

iptables allow request started by server

As you can image, we need iptables to block the ports we do not need to protect server.
But I need to request some third party resource, and I got confuse on how to do it.
Here are my iptables rules
iptables -F
iptables -A INPUT -p UDP -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 110.75.147.65/32 -j ACCEPT
iptables -A INPUT -s localhost -j ACCEPT
iptables -A INPUT -j DROP
And 110.75.147.65/32 is the one of third party servers' IP, I wonder if there are any way to allow all connection started by my server such as curl https://www.google.com/, otherwise I need to add all my third party servers' IP to the iptables rules.
How about
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Port forwarding with VPSGet

I bought a domain on GoDaddy but developed the website using Node.js. So, I bought a VPS on VPSGet and deployed the server. I managed to link the domain name to the VPS IP address. However, since my node.js application is running a particular port number I needed to do port forwarding so that www.domain-name.com will redirect to the process and port on the VPS. I tried to configure my firewall as follows
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 7497
COMMIT
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbounds connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbounds traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere. Here, we use normal ports for http and ssl
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow http connections to node.js app
-A INPUT -p tcp --dport 7497 -j ACCEPT
-A INPUT -p tcp --dport 7525 -j ACCEPT
-A INPUT -p tcp --dport 2368 -j ACCEPT
# Allow forwarding to port 7497
-A FORWARD -p tcp -m tcp --dport 7497 -j ACCEPT
# Allow ports for testing
-A INPUT -p tcp --dport 8080:8099 -j ACCEPT
# Allow ports for mobile shell
-A INPUT -p tcp --dport 60000:61000 -j ACCEPT
# Allow ssh connections
-A INPUT -p tcp -m state --state NEW --dport 7112 -j ACCEPT
# Allow Ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7
# Reject all other outbounds
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
However, the redirection is not working. Could someone tell me what I am doing wrong? Please note that I am running a Ubuntu 12.04 on the VPS.
Thanks,
José
Have you tried to create the support request with detailed explanation to vpsget.com ?
Regarding to the wiki
http://wiki.vpsget.com/index.php/Forward_(redirect/nat)_traffic_with_iptables
you should use venet0 instead eth0

Allow ssh incoming/outgoing and blocking all outgoing besides specific ports

I am trying to create iptable rules that will allow incoming and outgoing ssh connections, and then allow outbound connections to specific ports, then finally drop anything that doesnt match.
These are the rules I have come up with, the SSH rules work, but when I tunnel into the box I cant seem to access http (port 80) even though i've allowed it. Can anyone spot the mistake?
#!/bin/bash
#clear iptables
iptables -F
iptables -X
#set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#accept everything no matter port on localhost
iptables -A INPUT -i lo -j ACCEPT
#allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow input on port 22, (established connections auto accepted)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#allow traffic going to specific outbound ports
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6697 -j ACCEPT
#...
#drop anything that doesnt match the rules above
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
Thanks for your time.
You might want to add the DNS ports, otherwise you may not be able to resolve any hostnames.
Allowing OUTPUT for TCP and UDP Port 53 should help.
You need to open port 80 for input and output with a rule like this:
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

iptables FORWARD and INPUT

I have a home network with Linux pc's, which all had iptables running. I think it is easier to put my LAN behind a Linux gateway/firewall, so I've put a pc (with fedora,no gui) between my router and LAN and configured iptables. No problem here, INPUT only allows dns an http (and some local stuff), forwarding works fine: LAN connects to internet.
But my question is: does FORWARD allows all from the outside, or only the ports I configured with INPUT? Do FORWARD and INPUT work together or are they separate?
This is my iptables:
*nat
:PREROUTING ACCEPT [16:1336]
:INPUT ACCEPT [14:840]
:OUTPUT ACCEPT [30:2116]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o p1p1 -j MASQUERADE
COMMIT
# Completed on Tue Oct 16 09:55:31 2012
# Generated by iptables-save v1.4.14 on Tue Oct 16 09:55:31 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [91:9888]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p UDP --dport 53 -j ACCEPT
-A INPUT -p TCP --dport 53 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp -m multiport --dports 20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp -m multiport --dports 20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp -m tcp --dport 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp -m tcp --dport 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i p1p1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i p1p1 -p tcp -m multiport --dports 20,21,443 -j DROP
-A INPUT -i p1p1 -p tcp --dport 5000:5100 -j DROP
-A INPUT -i p1p1 -p icmp -m icmp --icmp-type 8 -j DROP
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A OUTPUT -j LOG --log-prefix "denied out: "
COMMIT
p1p1 (.1.x) is my external nic, p3p1 (.2.x) is internal.
RedHat has a great doc about iptables (a little bit long), but the subject to cover is complex and there are so many different use cases that I don't see how to avoid it.
Here is the chapter about FORWARD and NAT Rules. As it states:
For example, if you want to forward incoming HTTP requests to your
dedicated Apache HTTP Server at 172.31.0.23, use the following command
as the root user:
~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80
Here is what happens:
your linux gateway receives a packet from your router. The packet header has:
source: x.x.x.x:y (sender IP from the internet & source port used for packet transmission)
destination: 192.168.1.1:80 (assuming your linux gateway IP on external NIC, ie p1p1)
your linux gateway applies the PREROUTING chain to find a match. Assuming that you have typed what's above, the packet matches the rule and then calls (jumps -j) to the DNAT function (Destination Network Address Translation) which changes the destination of the packet header from the initial 192.168.1.1:80 to 172.31.0.23:80.
then, the packet arrives to the Routing Decision. The packet destination is now 172.31.0.23:80.
Your linux gateway asks itself: Is it for me (192.168.1.1:80) ? No, so I won't send it to the INPUT chain.
=> I'll send it to the FORWARD chain.
since you have set the rules to FORWARD all on your local network (table filter chain FORWARD), the packet should be forwarded correctly to your local Apache HTTP Server (for example).
Hope it'll help to understand a little bit more how internal routing works with iptables.
INPUT, FORWARD, and OUTPUT are separate. A packet will only hit one of the three chains.
If the destination is to this server, it hits the INPUT chain. If its source is from this server, it hits OUTPUT. If its source and destination are both other machines—it's being routed through the server—then it hits the FORWARD chain.

Resources