Allow apt-get through iptables that drop everything [Ubuntu]


Solution 1

I don't know why you need INPUT open on 53 and 80, but if that's for receiving responses of DNS and HTTP, then that's wrong. This is done by the following line:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 

(Just as in this answer to the post you mention.)

Solution 2

Hi guys, after breaking my poor head on this issue and going through user147505's answer hundreds of times, I finally figured out why it didn't work for me. This was my setup before:

root@myserver:~# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3652
2    ACCEPT     udp  --  anywhere             anywhere             udp dpt:51234
3    DROP       icmp --  anywhere             anywhere
4    DROP       all  --  anywhere             anywhere
5    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

As you can see above, the "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" rule was added after the drop-all-traffic rule "iptables -A INPUT -j DROP". Because of this, apt update did not work.

So finally all I did was switch them like below, and everything then worked amazingly:

num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3652
2    ACCEPT     udp  --  anywhere             anywhere             udp dpt:51234
3    DROP       icmp --  anywhere             anywhere
4    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
5    DROP       all  --  anywhere             anywhere

Guess I learned something about iptables; hopefully I will take a course later on to understand this jaba huba.

Solution 3

I've dug into the specifics of this with a test system.

I was able to properly configure iptables with the following ruleset and get apt-get to go outbound properly:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 state NEW,RELATED,ESTABLISHED

This mirrors your latest configuration that you stated above. I am able to get apt-get to work properly, and to also make DNS queries without issue.

However, it's of importance to note that your system is having issues resolving the hostnames to IP addresses, and is giving you resolution errors.

Make sure that your /etc/resolv.conf is properly configured, and contains at the bare minimum something like this:

nameserver 8.8.8.8
nameserver 8.8.4.4

With an /etc/resolv.conf set up this way, with the same iptables rulesets you have in place, I am able to, without issue, reach out and get proper DNS resolution on my Internet-facing systems and within my own LAN subnets which can go out to the Internet from inside the network.

It sounds more to me like your /etc/resolv.conf is not set up correctly, and the misconfiguration is resulting in your system failing to configure DNS properly.
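The thread turns on two facts about the filter table: a chain is walked top to bottom and the first matching rule decides (with the policy as the implicit last rule), and a reply packet carries the server port as its source port, not its destination port, so only a state match will ever let it in. The simulator below is an added example (not code from any of the answers) that models just those two things over the rulesets quoted above: the "before" and "after" INPUT chains from Solution 2, the stateless chain from the question, and the single conntrack rule from Solution 3. The sample packets and the client port 49152 are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Packet:
    proto: str         # "tcp", "udp" or "icmp"
    dport: int | None  # destination port as seen on the wire (None for icmp)
    state: str         # conntrack state: "NEW", "ESTABLISHED" or "RELATED"

@dataclass
class Rule:
    target: str                  # "ACCEPT" or "DROP"
    proto: str = "all"           # "-p tcp/udp/icmp", or "all"
    dport: int | None = None     # "--dport N" match, if any
    states: frozenset = field(default_factory=frozenset)  # "-m state --state ..."

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return not self.states or pkt.state in self.states

def verdict(chain: list[Rule], policy: str, pkt: Packet) -> str:
    """First matching rule decides; the chain policy is the implicit last rule."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

def shadowed(chain: list[Rule]) -> list[int]:
    """Indices of rules that can never fire because an earlier rule matches everything."""
    for i, rule in enumerate(chain):
        if rule.proto == "all" and rule.dport is None and not rule.states:
            return list(range(i + 1, len(chain)))
    return []

EST = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))
DROP_ALL = Rule("DROP")
ADMIN = [Rule("ACCEPT", "tcp", 3652), Rule("ACCEPT", "udp", 51234), Rule("DROP", "icmp")]
BROKEN = ADMIN + [DROP_ALL, EST]   # Solution 2 "before": conntrack rule below DROP-all
FIXED = ADMIN + [EST, DROP_ALL]    # Solution 2 "after": conntrack rule above DROP-all
STATELESS = [Rule("ACCEPT", "tcp", 80), Rule("ACCEPT", "udp", 53), Rule("ACCEPT", "tcp", 53)]
STATEFUL = [EST]                   # Solution 3 INPUT chain, used with policy DROP

# Constructed samples: the mirror's HTTP reply comes back with sport 80 and the client's
# random high port as dport (conntrack: ESTABLISHED); the second packet is an unsolicited
# inbound connection attempt to port 80 (conntrack: NEW).
HTTP_REPLY = Packet("tcp", 49152, "ESTABLISHED")
UNSOLICITED_80 = Packet("tcp", 80, "NEW")
```

shadowed() is the check worth running on any hand-built chain: a non-empty result means rules below a match-all DROP or ACCEPT are dead, which is exactly what Solution 2 hit and what Henrik's comment about using the chain policy instead avoids.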

Author: Code Doggo. Updated on September 18, 2022.

Comments

  • Code Doggo
    Code Doggo over 1 year

    I have my iptables set up to drop everything by default in the INPUT, OUTPUT, and FORWARD rulebooks. But I need to allow connections through port 80 (HTTP) and all incoming TCP/UDP requests on port 53 (DNS). I have the following setup:

    Chain INPUT (policy DROP)
    target      prot opt source            destination 
    ACCEPT      tcp  --  anywhere          anywhere           tcp dpt:http
    ACCEPT      udp  --  anywhere          anywhere           udp dpt:http  
    ACCEPT      udp  --  anywhere          anywhere           udp dpt:domain
    ACCEPT      tcp  --  anywhere          anywhere           tcp dpt:domain
    
    Chain FORWARD (policy DROP)
    target      prot opt source            destination 
    
    Chain OUTPUT (policy DROP)
    target      prot opt source            destination 
    ACCEPT      udp  --  anywhere          anywhere           udp dpt:http
    ACCEPT      tcp  --  anywhere          anywhere           tcp dpt:http  
    ACCEPT      tcp  --  anywhere          anywhere           tcp dpt:domain
    ACCEPT      udp  --  anywhere          anywhere           udp dpt:domain
    

    However, when I try and run sudo apt-get install apache2, the package is found, but it then hangs on actually downloading the package. Through my research, apt-get only needs HTTP and DNS ports to work in most cases. Am I missing anything? I tried to reference this post but to no avail.

    Err:1 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 libapr1 amd64 1.5.2-3
      Temporary failure resolving ‘us.archive.ubuntu.com’
    Err:2 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 libaprutil1 amd64 1.5.4-1build1
      Temporary failure resolving ‘us.archive.ubuntu.com’
    0% [Connecting to us.archive.ubuntu.com]
    

    System Information:
    Distributor ID: Ubuntu
    Description: Ubuntu 16.04.3 LTS
    Release: 16.04
    Codename: xenial


    Update: Solution Doesn't Work

    I followed tomasz's answer below again, but it did not work. apt-get is still stuck downloading like in the example above (e.g. apache2) (i.e. no change). Here is my new iptables ruleset that I tried:

    Chain INPUT (policy DROP)
    target      prot opt source            destination 
    ACCEPT      all  --  anywhere          anywhere           state RELATED,ESTABLISHED
    
    Chain FORWARD (policy DROP)
    target      prot opt source            destination 
    
    Chain OUTPUT (policy DROP)
    target      prot opt source            destination 
    ACCEPT      tcp  --  anywhere          anywhere           tcp dpt:http state NEW,RELATED,ESTABLISHED
    ACCEPT      tcp  --  anywhere          anywhere           tcp dpt:domain state NEW,RELATED,ESTABLISHED
    ACCEPT      udp  --  anywhere          anywhere           udp dpt:domain state NEW,RELATED,ESTABLISHED
    

    I tried versions in the OUTPUT rulebook with and without the state information to no success.

    • ErikF
      ErikF about 6 years
      What does your /etc/resolv.conf show? I'm seeing errors in name resolution, which usually means that the DNS server that you're accessing isn't working for some reason.
    • drjors
      drjors about 6 years
      Include the contents of your /etc/resolv.conf file as an edit to this question. The domain name resolution errors suggest that your DNS may be misconfigured. I replicated your iptables rules locally in a container and was able to get updates without issue, and I have DNS set to use 8.8.8.8 or 8.8.4.4 (Google DNS) directly; this suggests, therefore that your environment doesn't have a proper DNS setup.
  • Code Doggo
    Code Doggo about 6 years
    Why is that wrong? I send out DNS and HTTP responses (OUTPUT), but I need to receive a response back (INPUT) (e.g. a resolved DNS and HTTP data). INPUT and OUTPUT go hand-in-hand, I thought?
  • Hauke Laging
    Hauke Laging about 6 years
    @DanHoynoski If you get an HTTP response then not the destination but the source port is 80/443. Changing that would make your system completely open to anyone who uses that source port. You want a stateful firewall (i.e. conntrack).
  • Admin
    Admin about 6 years
    @DanHoynoski No, they don't. The numbers you're sticking to are the standard server ports. Not the client ports. These are high above 1000 and random. See netstat -t on a working client machine.
  • drjors
    drjors about 6 years
    @DanHoynoski this is why you need the ESTABLISHED,RELATED state tracker bits, because it'll allow responses back for traffic related to the connections you've already established outbound. It's critical to have that ESTABLISHED,RELATED state matching.
  • Code Doggo
    Code Doggo about 6 years
    @tomasz I tried this line, but it did not work. Take a look at my update above.
  • Code Doggo
    Code Doggo about 6 years
    @ThomasWard After reading your comment and looking into it myself, I completely understand, but even after adding the appropriate state information (e.g. tomasz's answer), I still have no change; nothing is getting through. Take a look at my update in my answer.
  • Admin
    Admin about 6 years
    @DanHoynoski Have you tried to test these services (DNS, HTTP) with some other tools? E.g. a browser for HTTP and dig for DNS? If you can, you might test apt with INPUT and OUTPUT set to default with ACCEPT. Have you done anything with the other tables (raw, security)? Take a look at the counters with iptables -L -v.
  • indianwebdevil
    indianwebdevil over 4 years
    Cool! It worked just by adding the entries in the resolv.conf.
  • Henrik supports the community
    Henrik supports the community over 2 years
    Why do you have a "drop all traffic rule"? That's what the policy is for, and then you won't have problems with it coming too soon in your ruleset.
  • user
    user over 2 years
    @henrik-supports-the-community, oh that makes sense lol
  • Patrick Taylor
    Patrick Taylor over 2 years
    I like to use an "ACCEPT" policy and put a DROP or REJECT for all traffic at the end of my list. For me it's just easier to see what is happening in my file, but Henrik's comment is a good one.