I'm trying to make a simple restriction on www packets under two rules:
- Allow inbound/outbound www packets. (This works.)
- Drop inbound traffic to port 80 from source ports below 1024. (This does not work.)
Now, technically, when I use hping to test my rules,
hping3 192.168.100.100 -S -p80 -s 1023
I should not receive any packets. However, I still receive packets, which means that my rule about dropping packets from ports below 1024 does not work.
Does anyone know why?
These are my iptables rules in a shell script so far:
#!/bin/sh
INTERNET=eth0
SERVER_IP="192.168.7.100"
ALLOWED_WWW_PORT=80
IPT="/sbin/iptables"
clear
# Flushing all rules
$IPT -F
$IPT -X
# DROP all incoming traffic
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# Drop inbound traffic to port 80(http) from source ports less than 1024
$IPT -A INPUT -p tcp -i $INTERNET -s 0/0 --sport 0:1023 -d $SERVER_IP --dport 80 -j DROP
# Permit inbound www(80) packets.
$IPT -A INPUT -p tcp -i $INTERNET -s 0/0 -d $SERVER_IP --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -o $INTERNET -s $SERVER_IP --sport 80 -d 0/0 -m state --state ESTABLISHED -j ACCEPT
# Permit outbound www(80) packets.
$IPT -A OUTPUT -p tcp -o $INTERNET -s $SERVER_IP -d 0/0 --dport $ALLOWED_WWW_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -i $INTERNET -s 0/0 --sport $ALLOWED_WWW_PORT -d $SERVER_IP -m state --state ESTABLISHED -j ACCEPT
# Log and drop all other packets to file /var/log/messages
$IPT -A OUTPUT -j LOG
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
# make sure nothing else comes in or goes out of this box
$IPT -A OUTPUT -j DROP
$IPT -A INPUT -j DROP
$IPT -A FORWARD -j DROP
# save, restart, and check the iptables
service iptables save
service iptables restart
$IPT -L -n -v -x
When I run my shell script, here's the Chain INPUT result:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- eth0 * 0.0.0.0/0 192.168.7.100 tcp spts:0:1023 dpt:80
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.7.100 tcp dpt:80 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.7.100 tcp spt:80 state ESTABLISHED
What is the correct way to use hping to test my rule from another machine?
Here's my packets result:
[root@daniel-laptop ~]# hping2 192.168.7.100 -S -p 80 -s 1023
HPING 192.168.7.100 (eth0 192.168.7.100): S set, 40 headers + 0 data bytes
len=46 ip=192.168.7.100 ttl=64 DF id=0 sport=80 flags=RA seq=1 win=0 rtt=0.5 ms
len=46 ip=192.168.7.100 ttl=64 DF id=0 sport=80 flags=RA seq=2 win=0 rtt=0.3 ms
len=46 ip=192.168.7.100 ttl=64 DF id=0 sport=80 flags=RA seq=3 win=0 rtt=0.4 ms
len=46 ip=192.168.7.100 ttl=64 DF id=0 sport=80 flags=RA seq=4 win=0 rtt=0.5 ms
len=46 ip=192.168.7.100 ttl=64 DF id=0 sport=80 flags=RA seq=5 win=0 rtt=0.5 ms
len=46 ip=192.168.7.100 ttl=64 DF id=0 sport=80 flags=RA seq=6 win=0 rtt=0.3 ms
len=46 ip=192.168.7.100 ttl=64 DF id=0 sport=80 flags=RA seq=7 win=0 rtt=0.4 ms
^C
--- 192.168.7.100 hping statistic ---
8 packets tramitted, 7 packets received, 13% packet loss
round-trip min/avg/max = 0.3/0.4/0.5 ms
[root@daniel-laptop ~]#
Best Answer
Re-arrange your script file a bit; move the "Drop inbound traffic to port 80..." rule above the "Permit inbound www(80) traffic" rule.
Right now the ACCEPT rule is evaluated before the DROP rule, so the traffic can get through even from ports <1024.
You can verify this with
iptables -vL
and see which rules are getting hits.
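As an added example (not part of the question or the answer), here is a small POSIX shell helper that reads `iptables -L -n -v -x` output and automates the two checks above: that the DROP rule for source ports 0:1023 sits before the ACCEPT rule for dport 80 in the INPUT chain, and which rules have actually received hits. The listing and its packet counters are constructed for the demonstration; on a live host you would pipe the real listing into the functions.

```shell
#!/bin/sh
# Constructed sample of `iptables -L -n -v -x` output mirroring the INPUT chain
# from the question; the packet/byte counters are made up, not from a real host.
SAMPLE_OUTPUT='Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       7      280 DROP       tcp  --  eth0   *       0.0.0.0/0            192.168.7.100        tcp spts:0:1023 dpt:80
       0        0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.7.100        tcp dpt:80 state NEW,ESTABLISHED
       0        0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.7.100        tcp spt:80 state ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
'

# check_order CHAIN  (listing on stdin)
# Exit 0 if, inside CHAIN, the DROP rule for source ports 0:1023 to dport 80 is
# listed before the first ACCEPT rule for dport 80; exit 1 otherwise (including
# when the DROP rule is missing). iptables evaluates rules top to bottom, so a
# DROP placed after the ACCEPT never sees the packet.
check_order() {
  awk -v chain="$1" '
    /^Chain / { inchain = ($2 == chain); next }
    inchain && $3 == "DROP"   && /spts:0:1023/ && /dpt:80/ && !drop { drop = NR }
    inchain && $3 == "ACCEPT" && /dpt:80/ && !accept                { accept = NR }
    END { exit !(drop && (!accept || drop < accept)) }
  '
}

# hits CHAIN  (listing on stdin)
# Print "<pkts> <target> <match text>" for every rule in CHAIN whose packet
# counter is non-zero, i.e. the rules that are actually being hit.
hits() {
  awk -v chain="$1" '
    /^Chain / { inchain = ($2 == chain); next }
    inchain && $1 ~ /^[0-9]+$/ && $1 > 0 {
      printf "%s %s", $1, $3
      for (i = 10; i <= NF; i++) printf " %s", $i
      printf "\n"
    }
  '
}

# Demonstration on the constructed listing; on a real host replace the printf
# with:  iptables -L -n -v -x | check_order INPUT
if printf '%s' "$SAMPLE_OUTPUT" | check_order INPUT; then
  echo "INPUT: DROP for sport 0:1023 precedes ACCEPT for dport 80 (order OK)"
else
  echo "INPUT: DROP rule missing or listed after the ACCEPT rule"
fi
printf '%s' "$SAMPLE_OUTPUT" | hits INPUT
```

Run the `hping` test from the other machine, then re-run `hits INPUT` on a fresh listing: the counters tell you which rule matched, so a hit on the ACCEPT line rather than the DROP line points straight at an ordering problem.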