# Testing IPTables



## cryingvalor (Nov 4, 2006)

```
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p TCP -j ACCEPT
```

I'm trying to test this using nmap. I tried to nmap it using -sT, -sS, etc., but I always received "operation not permitted". But if I removed the state and just placed

```
iptables -A INPUT -p TCP -j ACCEPT
iptables -A OUTPUT -p TCP -j ACCEPT
```

I received a reply displaying the ports.

Is there something wrong with the script, and is that why I can't nmap it when the state rule is in place, or is there something wrong with how I nmap it?


----------



## lensman3 (Oct 19, 2007)

What does "/sbin/iptables -L -v" say? It will dump the number of packets iptables saw and where the packets were dropped.

Change:

```
iptables -A INPUT -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
```

to

```
iptables -A INPUT -p TCP -m state --state NEW -j ACCEPT
```

and see if it works. The ESTABLISHED,RELATED is for "established" connections on the "INPUT" interface. Your nmap is testing the interface with a "NEW" connection as it scans the port.


----------



## lensman3 (Oct 19, 2007)

Try a setup like this. All it does is add a debug part to the iptables rules that will print the kind of packet it is dropping. In a command window, look at the output from "dmesg" and see what the kernel iptables stack is reporting. iptables, from my experience, is too dumb to report good error messages.

If you're interested, email me off list at "j.o.williams at comcast dot net" and I'll send you my version. It is 898 lines long (with comments and commented-out commands). It does a lot of port forwarding, including "skype", bitstream, and GTK_GNUTELLA, as well as NAT. I also bounce most of Asia, Africa, Eastern Europe, and the DOD (US Department of Defense) but allow computers on my internal LAN to get out to those sites (but only with a destination of port 80 (http)). The bounced country rules are out of date now and need updating. Rules are also set up for the privileged and unprivileged TCP ports. It also plays around with setting priorities on packets being routed to the internet. I originally wanted to be able to have fast response times surfing, but if I was uploading/downloading an mp3 or avi from somebody, I wanted those packet streams to have a lower priority. In the end, I never saw any kind of advantage (I couldn't tell the difference!).

```
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# user-defined chain: log the dropped packet by protocol, then drop it
iptables -N debug
iptables -A debug -p TCP -j LOG --log-prefix "Dropped TCP packet"
iptables -A debug -p UDP -j LOG --log-prefix "Dropped UDP packet"
iptables -A debug -p ICMP -j LOG --log-prefix "Dropped ICMP packet"
iptables -A debug -j DROP

iptables -A INPUT -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p TCP -j ACCEPT
iptables -A INPUT -j debug # if packet gets to here dump to error!!!
```
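The same layout with the gaps closed (loopback allowed, ESTABLISHED,RELATED and outbound ICMP on OUTPUT, a rate-limited log-then-drop chain jumped to from both INPUT and OUTPUT), as an added example that is not lensman3's script; it assumes a single host, one inbound service on SSH_PORT, and outbound DNS over UDP 53.

```shell
#!/bin/sh
# Added example: the thread's ruleset with the gaps the replies point at
# closed. Assumptions (not from the thread): a single host, SSH_PORT is the
# one inbound service to expose, and the logging chain keeps the name
# "debug" from lensman3's post. fw_rules prints the rules; fw_apply runs
# them (root required): sudo sh fw.sh apply

SSH_PORT="${SSH_PORT:-22}"

fw_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p tcp -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport $SSH_PORT -j ACCEPT
iptables -N debug
iptables -A debug -m limit --limit 5/min -j LOG --log-prefix "Dropped: " --log-level 4
iptables -A debug -j DROP
iptables -A INPUT -j debug
iptables -A OUTPUT -j debug
EOF
}

# Execute the rule list through a shell so the quoting in --log-prefix survives.
fw_apply() {
    fw_rules | sh -e
}

# Number of emitted rules, a sanity check before applying (fw_rules | wc -l).
fw_rule_count() {
    fw_rules | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
    fw_apply
fi
```

An OUTPUT policy of DROP on the host you scan from is what produces nmap's "operation not permitted": the kernel rejects the locally generated probe with EPERM instead of silently discarding it. With the ICMP echo-request and ESTABLISHED,RELATED rules on OUTPUT, a scan of another host from this machine sends its probes and sees the replies.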


----------



## linuxmanju (Nov 3, 2007)

As I remember, nmap uses ping initially to test whether the host is up or not (unless used with the -P0 option), which obviously is an ICMP packet. And your OUTPUT chain happens to allow only TCP and DROP everything else.

Maybe you should try adding the RELATED,ESTABLISHED rule in the OUTPUT chain as well. And do make sure to allow interface lo (loopback) when you are using DROP. Otherwise your other applications might go for a toss (like the X Window System).


----------

