from UFW to IPtables

Discussion in 'Installation/Configuration' started by Peter Oudenes, Mar 27, 2023.

  1. Peter Oudenes

    Peter Oudenes Member

    Hi All,

    Im using UFW for a long period. But want learn how to do it all in IPtables itself. Below I have accept all ports with UFW:

    sudo ufw allow in 25/tcp
    sudo ufw allow in 53/tcp
    sudo ufw allow in 80/tcp
    sudo ufw allow in 143/tcp
    sudo ufw allow in 443/tcp
    sudo ufw allow in 465/tcp
    sudo ufw allow in 587/tcp
    sudo ufw allow in 993/tcp
    sudo ufw allow in 7045/tcp
    sudo ufw allow in 8080/tcp
    sudo ufw allow in 8081/tcp

    I read lot of articles but not everything is working when I change this to IPtables rules itself. Most of the things working. But emails, dns lookup are not work for example.
    Below all the lines I add to test and see if everything will work. Still stuck on email (send/receive) and DNS part not work. I know the ordering of the rules are important. I think this is the correct ordering. Do I miss something to let everything work on a clear ISPconfig (automated) installation?

    I also thing all iptables -A OUTPUT are not needed because I have OUTPUT ACCEPT in 3rd line?
    (as I say, I read lot of articles. So maybe some parts are not needed at all)

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

    iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

    iptables -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT

    iptables -A INPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
    iptables -A INPUT -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 587 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --dport 3000 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 3000 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --dport 7045 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 7045 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT

    iptables -A INPUT -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 8081 -m state --state ESTABLISHED -j ACCEPT

    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -p udp --sport 53 -j ACCEPT

    iptables -N LOGINPUT
    iptables -A INPUT -j LOGINPUT
    iptables -A LOGINPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables input Dropped: " --log-level 7
    iptables -A LOGINPUT -j DROP

    iptables -N LOGOUTPUT
    iptables -A OUTPUT -j LOGOUTPUT
    iptables -A LOGOUTPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables output Dropped: " --log-level 7
    iptables -A LOGOUTPUT -j DROP

     
  2. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    Code:
    iptables -P OUTPUT ACCEPT
    
    I also thing all iptables -A OUTPUT are not needed because I have OUTPUT ACCEPT in 3rd line?
    
    no. that -P is to set the default policy for that chain if no other rules are already matched. you could (most likely will) have specific block rules you'll want to match against before this.. you could have different chains.. you can have different ip block sets, with different rules applied to them..
    with prerouting, postrouting, mangle, forward, and different tables such as NAT...
    iptables can get very complicated, very quickly. it can be a whole different level of crazy..

    ufw is a frontend to iptables.. and a damn sight simpler to use..
    if you configure your rules in ufw, they're still set in iptables / netfilter.. you'll see all those rules you created using ufw if you run
    Code:
    iptables -L -n -v
    
    and don't forget, if you get everything configured using iptables directly. you'll need to do it all again in ip6tables.
    and install and run iptables-persistent if you want to save the rules you've configured and use them after your next reboot.

    also you say some things aren't working when you configure using iptables, eg, you show for dns 53/tcp.. but what about udp?
    DNS uses TCP for Zone transfer and UDP for name, and queries either regular (primary) or reverse.
     
  3. Peter Oudenes

    Peter Oudenes Member

    Thanks for the reply and all information.
    It's for my own VPS server. Website and Email. So no difficult things.
    i have added rule for DNS udp:

    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -p udp --sport 53 -j ACCEPT


    and you mean with iptables -P OUTPUT ACCEPT that because of -P I need add all the OUTPUT rules?
    Otherwise when there are no rules there is nothing to accept?
     
  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    no, i mean -P sets the default policy for when no rules are matched.. if you're not going to try to block anything then that may be all you need.

    but you'd need to go through everything thoroughly.. are you applying any pre-routing / post-routing to any output.. exactly what order are things being applied in.. it's very easy to end up actually allowing something that you thought was being blocked.


    also.. for dns in. set the dport, not the source port.. ie, specify the port your service is listening on.. you won't know what source port is going to be used.. and for dns out, set the sport.

     
    Th0m likes this.
  5. Peter Oudenes

    Peter Oudenes Member

    eimm sounds very complicated.... and that just for 2 websites and email (personal use)
    Its fun to learn a lot, but didn't know it was this difficult... Thanks let me think about it if I proceed my plans
     
  6. Peter Oudenes

    Peter Oudenes Member

    Now checked more articles and have those rules now. Everything seems to work:

    Code:
    iptables -F                                                                                                                                                                                                                                                                 
    iptables -X                                                                                                                                                                                                                                                                 
    
    iptables -P INPUT DROP                                                                                                                                                                                                                                                       
    iptables -P FORWARD DROP                                                                                                                                                                                                                                                     
    iptables -I OUTPUT -j ACCEPT                                                                                                                                                                                                                                                 
    
    iptables -A INPUT -i lo -j ACCEPT                                                                                                                                                                                                                                           
    iptables -A OUTPUT -o lo -j ACCEPT                                                                                                                                                                                                                                           
    
    iptables -A INPUT -p tcp -m multiport --dports 80,443 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT                                                                                                                                                                 
    
    iptables -A INPUT -p tcp -m multiport --dports 25,465,587,993,7045,8080,8081 -j ACCEPT                                                                                                                                                                                       
    iptables -A OUTPUT -p tcp -m multiport --dports 25,80,443,465,587,993,7045,8080,8081 -j ACCEPT                                                                                                                                                                               
    
    iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT                                                                                                                                                                                                                               
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT                                                                                                                                                                                                                               
    
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT                                                                                                                                                                                                                 
    iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT                                                                                                                                                                                                               
    
    iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT                                                                                                                                                                                                                   
    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT                                                                                                                                                                                                                 
    
    iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT                                                                                                                                                                                                             
    
    iptables -N LOGINPUT                                                                                                                                                                                                                                                         
    iptables -A INPUT -j LOGINPUT                                                                                                                                                                                                                                               
    iptables -A LOGINPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables input Dropped: " --log-level 7                                                                                                                                                                     
    iptables -A LOGINPUT -j DROP                                                                                                                                                                                                                                                 
    
    iptables -N LOGOUTPUT                                                                                                                                                                                                                                                       
    iptables -A OUTPUT -j LOGOUTPUT                                                                                                                                                                                                                                             
    iptables -A LOGOUTPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables output Dropped: " --log-level 7                                                                                                                                                                   
    iptables -A LOGOUTPUT -j DROP                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
    
    Code:
    Chain INPUT (policy DROP)                                                                                                                                                                                                                                                   
    num  target     prot opt source               destination                                                                                                                                                                                                                   
    1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED                                                                                                                                                                                 
    2    ACCEPT     all  --  anywhere             anywhere                                                                                                                                                                                                                       
    3    ACCEPT     tcp  --  anywhere             anywhere             multiport dports http,https limit: avg 25/min burst 100                                                                                                                                                   
    4    ACCEPT     tcp  --  anywhere             anywhere             multiport dports smtp,submissions,submission,imaps,7045,http-alt,tproxy                                                                                                                                   
    5    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request                                                                                                                                                                                         
    6    ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply                                                                                                                                                                                           
    7    LOGINPUT   all  --  anywhere             anywhere                                                                                                                                                                                                                       
    
    Chain FORWARD (policy DROP)                                                                                                                                                                                                                                                 
    num  target     prot opt source               destination                                                                                                                                                                                                                   
    
    Chain OUTPUT (policy DROP)                                                                                                                                                                                                                                                   
    num  target     prot opt source               destination                                                                                                                                                                                                                   
    1    ACCEPT     all  --  anywhere             anywhere                                                                                                                                                                                                                       
    2    ACCEPT     all  --  anywhere             anywhere                                                                                                                                                                                                                       
    3    ACCEPT     tcp  --  anywhere             anywhere             multiport dports smtp,http,https,submissions,submission,imaps,7045,http-alt,tproxy                                                                                                                       
    4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain                                                                                                                                                                                           
    5    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain                                                                                                                                                                                           
    6    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request                                                                                                                                                                                         
    7    ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply                                                                                                                                                                                           
    8    LOGOUTPUT  all  --  anywhere             anywhere                                                                                                                                                                                                                       
    
    Chain LOGINPUT (1 references)                                                                                                                                                                                                                                               
    num  target     prot opt source               destination                                                                                                                                                                                                                   
    1    LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "IPTables input Dropped: "                                                                                                                               
    2    DROP       all  --  anywhere             anywhere                                                                                                                                                                                                                       
    
    Chain LOGOUTPUT (1 references)                                                                                                                                                                                                                                               
    num  target     prot opt source               destination                                                                                                                                                                                                                   
    1    LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "IPTables output Dropped: "                                                                                                                               
    2    DROP       all  --  anywhere             anywhere     
    
     

Share This Page