RH9 Unable to access internet after setting Firewall? posted Today 07:08 PM


novkhan

Good day!

Tried to setup Firewall using the Guide "RedHat Linux 9 for Dummies"

I followed every single step, and the firewall is successfully set up.

But I cannot access the internet when the firewall is up.

Below is what I have done!

[root@localhost root]# iptables --flush
[root@localhost root]# iptables --flush -t nat
[root@localhost root]# iptables --policy INPUT DROP
[root@localhost root]# iptables --policy OUTPUT DROP
[root@localhost root]# iptables --policy FORWARD DROP
[root@localhost root]# iptables -A OUTPUT -j ACCEPT -o lo
[root@localhost root]# iptables -A INPUT -j ACCEPT -i lo
[root@localhost root]# iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED --j ACCEPT
[root@localhost root]# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED --j ACCEPT
[root@localhost root]# iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT --dport 22
[root@localhost root]# cd /etc/init.d/
[root@localhost init.d]# sshd start
Extra argument start.
[root@localhost init.d]# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED --j ACCEPT
[root@localhost init.d]# iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT --dport 80
[root@localhost init.d]# cd /etc/init.d/
[root@localhost init.d]# sshd start
Extra argument start.
[root@localhost root]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:ssh

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain RH-Lokkit-0-50-INPUT (0 references)
target prot opt source destination
[root@localhost root]# iptables-save > /etc/sysconfig/iptables



After I type the command below I can't access the internet!
[root@localhost root]# /etc/init.d/iptables start
Flushing all current rules and user defined chains: [ OK ]
Clearing all current rules and user defined chains: [ OK ]
Applying iptables firewall rules: [ OK ]

Thank you!
 
Hello and first of all, have a look at a post of mine I posted earlier (https://www.techspot.com/vb/topic43874.html), if you follow its guidelines you should be set up. And also...

novkhan said:

But I cannot access the internet when the firewall is up.

This is normal, your rules are broken!

[...]
[root@localhost root]# iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED --j ACCEPT
[root@localhost root]# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED --j ACCEPT

The second command here is useless, all packets it matches are already matched by the previous one.

[root@localhost root]# iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT --dport 22

OK, why not, but I hope you understand that this allows incoming SSH traffic to your host?

[root@localhost root]# cd /etc/init.d/
[root@localhost init.d]# sshd start
Extra argument start.

NO! Be with me here, THE CURRENT DIRECTORY IS NEVER INCLUDED IN THE PATH VARIABLE BY DEFAULT. What you are trying to do here is launching /usr/sbin/sshd start, and this is why you get that "Extra argument start" - which is ignored by sshd.

Solution: type either of these:
  • service sshd start
  • /etc/init.d/sshd start

On to the following...

[root@localhost init.d]# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED --j ACCEPT

Similarly, this command is useless, all packets defined here already are matched by the previous rule.

[root@localhost init.d]# iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT --dport 80

And this opens up your HTTP port. Do you actually want to run a webserver?

In short, all that your firewall accepts in the INPUT chain are packets that allow people from the outside to reach your SSH and HTTP server! Certainly not what you want...

Oh, the packets you send out will be accepted, yes, but the problem is that returning packets will get dropped!

If you want more details, read my thread, the URL of which I posted at the start of this post.
 
The quick fix

OK, here is a firewall that should set you on the way. First of all, flush all your chains by typing:

service iptables stop

Then do the following:


#
# The central part of it - conntrack, ie stateful firewalling
#
iptables -N connstate
iptables -A connstate -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A connstate -m state --state INVALID -j DROP
iptables -A connstate -m state --state NEW -p tcp ! --syn -m limit --limit 2/sec -j LOG --log-prefix "NEWNOTSYN: "
iptables -A connstate -m state --state NEW -p tcp ! --syn -j REJECT --reject-with tcp-reset
iptables -A connstate -m state --state NEW -j RETURN
iptables -A connstate -j LOG --log-level CRIT --log-prefix "CONNTRACK BARF: "
iptables -A connstate -j DROP

#
# For all three filter chains: drop everything by default - first chain to go through is
# connstate
#
for i in INPUT OUTPUT FORWARD; do
iptables -P $i DROP
iptables -A $i -j connstate
done

#
# Deal with the loopback special case
#
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

#
# Accept everything from the local machine to the Internet - assuming the net
# interface is ppp0
#
iptables -N local_to_ppp0
iptables -A local_to_ppp0 -j ACCEPT
iptables -A OUTPUT -o ppp0 -j local_to_ppp0

#
# End, save this all after resetting all counters (-Z zeroes the counters of the
# table selected with -t; without -t the table name would be taken for a chain)
#
for i in mangle nat filter; do iptables -t $i -Z; done
iptables-save >/etc/sysconfig/iptables
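As an added illustration (not part of either post), a small Python model of how the filter table walks its chains shows the reply's point: under novkhan's rules the server's SYN-ACK coming back to an ephemeral port falls through INPUT to the DROP policy, while the quick fix's connstate chain accepts it and drops the unsolicited SSH SYN instead. The field names, the ephemeral port 33000 and the three packets are constructed for this model.

```python
# Added model of iptables filter-chain traversal (policy, rule order, user chains, RETURN);
# not iptables, just enough to show why novkhan's INPUT chain drops replies to his own
# connections while the quick fix accepts them. The syn_only field models --syn.
def matches(match, pkt):
    """Each match key must equal the packet field, or be in it when the value is a set."""
    return all(pkt.get(k) in v if isinstance(v, set) else pkt.get(k) == v
               for k, v in match.items())
def walk(table, chain, pkt):
    """Verdict for pkt in chain; None means the chain RETURNed to its caller."""
    entry = table[chain]
    for match, target in entry["rules"]:
        if not matches(match, pkt):
            continue
        if target == "RETURN":
            return None
        if target in table:                  # jump into a user-defined chain
            verdict = walk(table, target, pkt)
            if verdict is not None:
                return verdict
            continue                         # user chain RETURNed or fell through
        return target                        # ACCEPT, DROP or REJECT
    return entry["policy"]                   # built-in chain policy; None for user chains
# novkhan's ruleset as typed in the first post.
NOV = {
    "INPUT": {"policy": "DROP", "rules": [
        ({"iface": "lo"}, "ACCEPT"),
        ({"proto": "tcp", "state": {"NEW", "ESTABLISHED"}, "dport": 22}, "ACCEPT"),
        ({"proto": "tcp", "state": {"NEW", "ESTABLISHED"}, "dport": 80}, "ACCEPT")]},
    "OUTPUT": {"policy": "DROP", "rules": [
        ({"iface": "lo"}, "ACCEPT"),
        ({"state": {"NEW", "RELATED", "ESTABLISHED"}}, "ACCEPT")]}}
# The reply's quick fix (LOG rules left out: they never decide a verdict).
FIX = {
    "connstate": {"policy": None, "rules": [
        ({"state": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
        ({"state": {"INVALID"}}, "DROP"),
        ({"state": {"NEW"}, "proto": "tcp", "syn_only": False}, "REJECT"),
        ({"state": {"NEW"}}, "RETURN"),
        ({}, "DROP")]},
    "local_to_ppp0": {"policy": None, "rules": [({}, "ACCEPT")]},
    "INPUT": {"policy": "DROP", "rules": [({}, "connstate"), ({"iface": "lo"}, "ACCEPT")]},
    "OUTPUT": {"policy": "DROP", "rules": [({}, "connstate"), ({"iface": "lo"}, "ACCEPT"),
                                           ({"iface": "ppp0"}, "local_to_ppp0")]}}
# Constructed packets: our HTTP SYN out via ppp0, the server's SYN-ACK back to our ephemeral port, a stranger's SSH SYN.
SYN_OUT = {"iface": "ppp0", "proto": "tcp", "dport": 80, "state": "NEW", "syn_only": True}
SYNACK_IN = {"iface": "ppp0", "proto": "tcp", "dport": 33000, "state": "ESTABLISHED", "syn_only": False}
SSH_IN = {"iface": "ppp0", "proto": "tcp", "dport": 22, "state": "NEW", "syn_only": True}
def verdicts(table):
    return (walk(table, "OUTPUT", SYN_OUT), walk(table, "INPUT", SYNACK_IN),
            walk(table, "INPUT", SSH_IN))
```

`verdicts(NOV)` gives `('ACCEPT', 'DROP', 'ACCEPT')` and `verdicts(FIX)` gives `('ACCEPT', 'ACCEPT', 'DROP')`: the same outbound SYN leaves under both, but only the quick fix lets the answer back in.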
 