Try and learn iptables, until you can browse the web

To understand iptables Try opening the port on your laptop (Linux) until you can browse the web.

initial state

 iptables -L        
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Since it is fully open, we will use the whitelist method and open the port to browse the web.

Default policy settings

Use whitelist method

 iptables -P INPUT DROP
 iptables -P FORWARD DROP

If you do not specify the -t option, the default table is the filter table.

I can no longer connect to qiita. OUTPUT is fully open, but INPUT cannot be taken at all. In other words, I can't get a ping response.

 ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

Make ping available

Allow ping because it uses the icmp protocol.

 iptables -A INPUT -p icmp -j ACCEPT
 ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=12.4 ms

Is it possible to resolve the name?

 ping google.com
 ping: google.com: unknown name or service

Allow name resolution

The DNS protocol seems to use udp and tcp on port 53, so you can open both.

 iptables -A INPUT -p udp --sport 53 -j ACCEPT
 iptables -A INPUT -p tcp --sport 53 -j ACCEPT
 dig google.com

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

I can't solve it. .. Strange.

 cat /etc/resolv.conf
 This file is managed by man:systemd-resolved(8). Do not edit.

 This is a dynamic resolv.conf file for connecting local clients to the
 internal DNS stub resolver of systemd-resolved. This file lists all
 configured search domains.

 Run "systemd-resolve --status" to see details about the uplink DNS servers
 currently in use.

 Third party programs must not access this file directly, but only through the
 symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
 replace this symlink by a static file or a different symlink.

 See man:systemd-resolved.service(8) for details about the supported modes of
 operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0
 ss -ln | grep "127.0.0.53"
udp  UNCONN 0      0                                              127.0.0.53%lo:53                                                 0.0.0.0:*                    
tcp  LISTEN 0      128                                            127.0.0.53%lo:53                                                 0.0.0.0:* 

It seems that systemd-resolved makes a primary contract on the local port 53, so it seems necessary to open the destination as well. ** Note again: This is not needed on machines that are not running systemd-resolved **

 iptables -A INPUT -p udp --dport 53 -j ACCEPT
 iptables -A INPUT -p tcp --dport 53 -j ACCEPT
 dig google.com

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62225
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		163	IN	A	172.217.24.142

;; Query time: 13 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Dec 27 17:47:57 JST 2019
;; MSG SIZE  rcvd: 55

It is solved. (Actually, I was really into it: sweat_smile:

But it still doesn't connect to qiita. You need to be able to receive the http (s) response.

Allow http (s) response

 iptables -A INPUT -p tcp --sport 80 -j ACCEPT
 iptables -A INPUT -p tcp --sport 443 -j ACCEPT

I was able to connect to qiita.

Check and save settings

The settings up to this point can be confirmed with the following command, and can be saved by redirect.

iptables-save
 Generated by iptables-save v1.6.1 on Sat Dec 28 13:08:20 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
 Completed on Sat Dec 28 13:08:20 2019
 Generated by iptables-save v1.6.1 on Sat Dec 28 13:08:20 2019
*filter
:INPUT DROP [542:171507]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2523:785906]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
COMMIT
 Completed on Sat Dec 28 13:08:20 2019

Restore settings

You can restore the settings from the saved configuration file with the following command.

# iptables-restore [configuration file name]

Clean up

To return to the original state

--Delete rule setting with -F option (It is deleted for each table. This time, the -t option is not necessary because it is up to the filter table, but if you modify the nat table, specify it with -t and delete it.) --- P to undo policy

 iptables -F
 iptables -P INPUT ACCEPT
 iptables -P FORWARD ACCEPT

Summary

From the place where all incoming packets are played with the default policy I tried to open the port necessary for browsing the web. Since iptables is a security-related setting, I want to acquire the correct knowledge.

Recommended Posts

Try and learn iptables, until you can browse the web
Until you can read the error log
Until you install Caffe and run the sample
Until you try to let DNN learn the truth of the image using Colab
Until you install Gauge and run the official sample
Until you can install blender and run it with python for the time being
Can you delete the file?
Try and learn iptablse, port forwarding
Until you install and run matplotlib
Procedure until you can create a general user and execute the sudo command on CentOs (memorial note)
You can also check the communication of DB and cache with curl
Until you can borrow VPS with Conoha and authenticate public key with SSH
Try using the web application framework Flask
Until you can use opencv with python
Until you publish a web service on GCP while studying JQuery and Python