I've set up a small web server on a Debian 7 machine, and added a firewall so that it works. Here are the rules.
#!/bin/sh
echo "Stopping firewall and allowing everyone..."
ipt="/sbin/iptables"
## Failsafe - die if /sbin/iptables not found
[ ! -x "$ipt" ] && { echo "$0: \"${ipt}\" command not found."; exit 1; }
# Open the default policies, then flush all rules and delete user chains in every table
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X
$ipt -t raw -F
$ipt -t raw -X
echo "Adding rules so that only SFTP,SSH,HTTP and DNS are allowed..."
# Inbound services (21 is plain FTP; SFTP runs inside SSH on 22)
$ipt -A INPUT -p tcp -m tcp -m multiport --dports 21,22,80,443 -j ACCEPT
# The next two rules are equivalent; conntrack is the newer form of the state match
$ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS replies (source port 53) and loopback
$ipt -A INPUT -p udp --sport 53 -j ACCEPT
$ipt -A INPUT -p tcp --sport 53 -j ACCEPT
$ipt -A INPUT -i lo -p all -j ACCEPT
$ipt -A INPUT -j DROP
# Outbound: established flows, SSH replies, DNS queries, loopback; everything else dropped
$ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -p tcp --sport 22 -j ACCEPT
$ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
$ipt -A OUTPUT -p tcp --dport 53 -j ACCEPT
$ipt -A OUTPUT -o lo -p all -j ACCEPT
$ipt -A OUTPUT -j DROP
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -j DROP
This works well for SFTP, SSH, HTTP and HTTPS. Any idea why DNS is not working? I've tried many more complex solutions from the web, but none of them work...
sudo iptables -A OUTPUT -p udp --sport 1024:65535 -d 213.186.33.99 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo echo -n "hi" > /dev/udp/213.186.33.99/53
echo: write error: Operation not permitted
Any help appreciated :)
I think your rule is fine:
# iptables -A OUTPUT -p udp --sport 1024:65535 -d 127.0.0.1 --dport 55 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p udp --dport 55 -j DROP
# iptables -nL OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 udp spts:1024:65535 dpt:55 state NEW,ESTABLISHED
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:55
# nc -u -l 127.0.0.1 55
hi
^C
# iptables -vnL OUTPUT
Chain OUTPUT (policy ACCEPT 169 packets, 63116 bytes)
pkts bytes target prot opt in out source destination
1 31 ACCEPT udp -- * * 0.0.0.0/0 127.0.0.1 udp spts:1024:65535 dpt:55 state NEW,ESTABLISHED
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:55
Try your test again with netcat, nc(1), instead of bash.
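As an added example (not code from the question or the answer), a small first-match simulator in Python over the script's OUTPUT chain: it parses the rules as written, reports which rule a fresh outbound DNS query hits, and flags any rule appended after the unconditional `-j DROP` as unreachable, which is what happens to a rule added with `-A` once the script has run. The parser understands only the options used on this page; the source port and state of the sample packet are assumed values.

```python
import shlex
# OUTPUT rules from the question's script in -A order, then the rule the question
# appended by hand afterwards (a constructed copy for this example).
RULES_TEXT = """
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A OUTPUT -j DROP
iptables -A OUTPUT -p udp --sport 1024:65535 -d 213.186.33.99 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
"""
FLAGS = {"-s": "src", "-d": "dst", "-i": "in", "-o": "out"}   # exact-value matches

def parse_rule(line):
    """Parse one 'iptables -A CHAIN ...' line into (chain, criteria, target)."""
    toks, chain, crit, target = shlex.split(line), None, {}, None
    for t, v in zip(toks, toks[1:] + [""]):   # each token with its successor
        if t == "-A": chain = v
        elif t == "-j": target = v
        elif t in ("--state", "--ctstate"): crit["state"] = set(v.split(","))
        elif t in ("--dport", "--sport"):     # single port or lo:hi range
            lo, _, hi = v.partition(":"); crit[t[2:]] = (int(lo), int(hi or lo))
        elif t == "-p" and v != "all": crit["proto"] = v
        elif t in FLAGS: crit[FLAGS[t]] = v
    return chain, crit, target

def matches(crit, pkt):   # every criterion of the rule must hold for the packet dict
    for key, want in crit.items():
        have = pkt.get(key)
        if key in ("dport", "sport"):
            if have is None or not want[0] <= have <= want[1]: return False
        elif (have not in want) if key == "state" else (have != want): return False
    return True

def first_match(rules, chain, pkt):   # (rule number, target) of first hit; None = policy
    for n, (_, crit, target) in enumerate([r for r in rules if r[0] == chain], 1):
        if matches(crit, pkt): return n, target
    return None

def dead_rules(rules, chain):   # rule numbers behind an unconditional terminating rule
    dead, blocked = [], False
    for n, (_, crit, target) in enumerate([r for r in rules if r[0] == chain], 1):
        if blocked: dead.append(n)
        elif not crit and target in ("ACCEPT", "DROP", "REJECT"): blocked = True
    return dead
RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]
QUERY = {"proto": "udp", "sport": 40000, "dport": 53, "dst": "213.186.33.99", "state": "NEW"}
print(first_match(RULES, "OUTPUT", QUERY))        # (3, 'ACCEPT')
print(dead_rules(RULES, "OUTPUT"))                # [7]
```

On a live box the equivalent check is the answer's `iptables -vnL OUTPUT`: a rule whose packet counter never moves while the DROP above it counts up is the same dead rule this simulator reports.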