To understand iptables, try tightening your own Linux laptop and then opening ports until you can browse the web again.
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Since everything is currently allowed, we will switch to a whitelist approach and open only the ports needed to browse the web.
Using the whitelist method
iptables -P INPUT DROP
iptables -P FORWARD DROP
If you do not specify the -t option, the default table is the filter table.
I can no longer connect to Qiita. OUTPUT is still fully open, but nothing is accepted on INPUT any more, so not even a ping reply gets in.
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
Ping uses the ICMP protocol, so allow that first.
iptables -A INPUT -p icmp -j ACCEPT
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=12.4 ms
Can names be resolved now?
ping google.com
ping: google.com: unknown name or service
DNS uses both UDP and TCP on port 53, so open both.
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
dig google.com
; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> google.com
;; global options: +cmd
;; connection timed out; no servers could be reached
It still can't resolve. Strange.
cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0
ss -ln | grep "127.0.0.53"
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
systemd-resolved is listening on local port 53 (the stub resolver at 127.0.0.53), so queries from this machine to the stub also arrive on INPUT, and the destination port has to be opened as well. ** Note again: this is not needed on machines that are not running systemd-resolved **
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
dig google.com
; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62225
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 163 IN A 172.217.24.142
;; Query time: 13 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Dec 27 17:47:57 JST 2019
;; MSG SIZE rcvd: 55
It resolves. (Honestly, this one had me stuck for a while :sweat_smile:)
But Qiita still doesn't load. The HTTP(S) responses have to be accepted too.
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT
I was able to connect to Qiita.
The settings so far can be checked with the following command, and saved by redirecting its output to a file.
iptables-save
# Generated by iptables-save v1.6.1 on Sat Dec 28 13:08:20 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Dec 28 13:08:20 2019
# Generated by iptables-save v1.6.1 on Sat Dec 28 13:08:20 2019
*filter
:INPUT DROP [542:171507]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2523:785906]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
COMMIT
# Completed on Sat Dec 28 13:08:20 2019
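As an added example (not part of the original post), here is a small Python audit of the filter table shown above. It flags INPUT ACCEPT rules that match only on the remote source port, which any remote host can set when it sends a packet, and rules that open a local port on every interface when only loopback traffic to the stub resolver is wanted. SAMPLE is a constructed copy of the dump above, and the conntrack rule is the usual stateful replacement for the --sport allows.

```python
# Added example (not from the original post): audit the INPUT chain of an
# iptables-save dump for ACCEPT rules that are weaker than they look.

# Constructed sample: a copy of the *filter table from the dump above.
SAMPLE = """\
*filter
:INPUT DROP [542:171507]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2523:785906]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
COMMIT
"""

# Stateful rule that replaces all four --sport allows: only replies to
# connections this host opened (tracked by conntrack) are accepted.
STATEFUL_REPLACEMENT = "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

def parse_filter(dump):
    """Return (chain policies, rule lines) for the *filter table of a dump."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            rules.append(line)
    return policies, rules

def audit_input(dump):
    """Flag INPUT ACCEPT rules that match on ports without connection state."""
    policies, rules = parse_filter(dump)
    findings = []
    for rule in rules:
        if not rule.startswith("-A INPUT ") or "-j ACCEPT" not in rule:
            continue
        stateful = "--ctstate" in rule or "--state" in rule
        if "--sport" in rule and not stateful:
            findings.append((rule, "source-port-only allow: any remote host can send from that port"))
        elif "--dport" in rule and " -i " not in rule:
            findings.append((rule, "open on every interface; use -i lo if only loopback traffic is needed"))
    return policies, findings
```

Calling audit_input(SAMPLE) on the dump above reports all four --sport rules and both --dport 53 rules, while the ICMP rule passes; feeding it your own `iptables-save` output works the same way.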
You can restore the settings from the saved configuration file with the following command.
# iptables-restore [configuration file name]
To return to the original state:
- Delete the rules with the -F option (this works per table; the -t option is not needed here because only the filter table was modified, but if you changed the nat table, specify it with -t and flush that too).
- Reset the policies with -P.
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
Starting from a default policy that drops all incoming packets, I opened just the ports needed to browse the web. Since iptables is a security setting, I want to make sure my knowledge of it is correct.