Gentoo Forums
HOWTO: Iptables for newbies. PART II: Securing your Network
kannX
Tux's lil' helper
Joined: 21 Jul 2002
Posts: 76
Posted: Tue Sep 21, 2004 5:09 pm

krunk wrote:

Code:

$IPT -A PREROUTING -i $INTIF1 -s $INTNET1 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -A INPUT -i $INTIF1 -d ! $INTIP1 -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT


hmm, doesn't work for me:
Code:

iptables -A PREROUTING -i eth0 -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables: No chain/target/match by that name
krunk
Guru
Joined: 27 Jul 2003
Posts: 316
Posted: Wed Sep 22, 2004 12:16 am

I'm an idiot, that's what I get for posting before coffee. Pay no attention to my previous post.
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone :)]

Dual G5
iPod 3rd generation
ilyung
n00b
Joined: 30 Apr 2004
Posts: 10
Location: South Korea
Posted: Fri Oct 01, 2004 2:20 am    Post subject: ntp-client problem

I really appreciate this HOWTO.
However, I am having some trouble with ntp.
I followed every step in this HOWTO. Everything works fine except NTP.
On boot, ntp-client does not work properly. Actually, this service won't start at all.
Here is the log info:
Code:

[ntpd] Frequency format error in /var/lib/ntp/ntp.drift
[ntpd] sendto(204.17.42.198) : Operation not permitted

I wonder if this problem is connected to the firewall?

Thank you in advance,
59729
Apprentice
Joined: 21 Jun 2004
Posts: 279
Posted: Fri Oct 01, 2004 2:35 am

kannX wrote:
krunk wrote:

Code:

$IPT -A PREROUTING -i $INTIF1 -s $INTNET1 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -A INPUT -i $INTIF1 -d ! $INTIP1 -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT


hmm, doesn't work for me:
Code:

iptables -A PREROUTING -i eth0 -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables: No chain/target/match by that name


I think you have to create the CHAIN first

Code:

# Have this before the rule that require this CHAIN
$IPT -N REDIRECT


I am not sure though
kannX
Tux's lil' helper
Joined: 21 Jul 2002
Posts: 76
Posted: Fri Oct 01, 2004 2:45 am

ntpd uses broadcasts to sync clients, maybe you want to allow them
Code:

$IPT -A OUTPUT   -o $INTIF1 -s $INTIP1 -d $INTBC1  -p udp --sport ntp -j ACCEPT


and of course you must allow ntp requests in
Code:

$IPT -A INPUT    -i $INTIF1 -s $INTNET1 -d $INTIP1  -p udp --dport ntp -j  ACCEPT
$IPT -A OUTPUT -o $INTIF1 -s $INTIP1 -d $INTNET1  -p udp --sport ntp -j ACCEPT


if you use bootp you probably want to allow this
Code:

$IPT -A INPUT    -i $INTIF1 -s $INTNET1 -d $INTIP1  -p udp --sport bootpc --dport bootps -j ACCEPT
$IPT -A OUTPUT -o $INTIF1 -s $INTIP1 -d $INTBC1  -p udp --sport bootps --dport bootpc -j  ACCEPT


kannX
Tux's lil' helper
Joined: 21 Jul 2002
Posts: 76
Posted: Fri Oct 01, 2004 2:50 am

lappen wrote:


I think you have to create the CHAIN first

Code:

# Have this before the rule that require this CHAIN
$IPT -N REDIRECT


I am not sure though


REDIRECT is a built-in target and only valid in the nat table.
Code:

   REDIRECT
       This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only
       called from those chains. It alters the destination IP address to send the packet to the machine itself (locally-generated
       packets are mapped to the 127.0.0.1 address). It takes one option:

       --to-ports port[-port]
              This specifies a destination port or range of ports to use: without this, the destination port is never altered.
              This is only valid if the rule also specifies -p tcp or -p udp.
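As an added example (not code from the thread or from krunk's script), here is the transparent-proxy redirect written with the table the man page excerpt above requires. The interface, network and proxy-port variables follow the naming style of the script but are assumptions; setting IPT to an echo command prints the rules instead of applying them, so the rule set can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example: REDIRECT must be placed in the nat table.  Omitting "-t nat"
# makes iptables look for REDIRECT in the filter table, which is exactly the
# "No chain/target/match by that name" error quoted earlier in the thread.
IPT="${IPT:-iptables}"                 # set IPT="echo iptables" for a dry run
INTIF1="${INTIF1:-eth0}"               # assumed internal interface
INTNET1="${INTNET1:-192.168.0.0/24}"   # assumed internal network
PROXY_PORT="${PROXY_PORT:-3128}"       # assumed local proxy (squid) port

proxy_redirect_rules() {
    # 1. nat/PREROUTING: rewrite web requests from the LAN so they land on the
    #    firewall's own proxy port (REDIRECT is only valid here and in OUTPUT).
    $IPT -t nat -A PREROUTING -i "$INTIF1" -s "$INTNET1" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    # 2. filter/INPUT sees the packet *after* the rewrite, so it must accept
    #    the proxy port, not port 80, or a DROP policy still discards it.
    $IPT -A INPUT -i "$INTIF1" -s "$INTNET1" -p tcp --dport "$PROXY_PORT" \
        -m state --state NEW -j ACCEPT
}

# Usage: IPT="echo iptables" sh thisfile.sh apply   (prints the rules)
#        sh thisfile.sh apply                       (as root, loads them)
case "${1:-}" in apply) proxy_redirect_rules ;; esac
```

The INPUT rule is the part that is easy to get wrong: by the time the filter table runs, the destination port is already the proxy port, so an accept rule for port 80 never matches the redirected traffic.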
ilyung
n00b
Joined: 30 Apr 2004
Posts: 10
Location: South Korea
Posted: Fri Oct 01, 2004 4:52 am    Post subject: Another question!

KannX,

Thank you so much for the help. I could solve this problem with your advice.
By the way, I have another question about the firewall.. (It sucks!)
One of my friends is running an ftp service on a certain port rather than 21.
He is running ftp on a 1xxxx port.
I edited the firewall so I could connect to this ftp server. However, I am not able to see the contents in it. I mean, I can log in but I cannot list the files, for example.

Thanks in advance,
59729
Apprentice
Joined: 21 Jun 2004
Posts: 279
Posted: Fri Oct 01, 2004 1:02 pm

You probably need to use the module 'ip_conntrack_ftp'

If I remember correctly you only have to allow the port, then add something like
Code:

# tell the FTP connection-tracking helper which control ports to watch
modprobe ip_conntrack_ftp ports=21,portnr


If you don't have that module you have to enable it in the kernel,
Code:

make menuconfig
# find and enable the connection tracking module for ftp
make && make modules
# make install # maybe? don't remember
nadsys
Tux's lil' helper
Joined: 01 Sep 2004
Posts: 97
Location: Darmstadt, Germany
Posted: Sat Oct 02, 2004 2:32 am

krunk or neurolabs,

I am using neurolabs' script which is a redo of krunk's. I can't get my clients out to the internet or even to ping anything. I keep getting "connect: network is unreachable" with a ping or with an ftp session.

Please advise. I have my configuration on another post:
https://forums.gentoo.org/viewtopic.php?t=230953

Thank you for any advice. I like the firewall, just getting hacked off I can't fully understand it all yet and small things don't work. Odd.

Maybe you never intended for clients to have internet access, but from the section saying "allow internal machine to use services" I assume you did?
_________________
how do i change directory, try init 6
krunk
Guru
Joined: 27 Jul 2003
Posts: 316
Posted: Sat Oct 02, 2004 3:48 am

From the script in your post it looks like you copied and pasted the one before I corrected an error at the bottom.

Change the last iptables entries from 'iptables' to $IPT and give it a shot. When you run the script look for errors.
nadsys
Tux's lil' helper
Joined: 01 Sep 2004
Posts: 97
Location: Darmstadt, Germany
Posted: Sat Oct 02, 2004 11:20 am

Thanks for the quick reply krunk. The script on page 2 of this thread posted by you (the neurolabs redo) still has that iptables error in it, hence why I had it :).

I changed the script and ran it. The only errors I get are two warnings about the two modules already being busy; I think that's more of a red herring.

I have put the script that I now run in the last post of my link above. In it the only changes I made were to add two variables: one for ports I want to use for ftp'ing, a second for ports I want the ftp client/firewall to use for passive (still not sure how to tell it to use the range of 14000:14500). I read up on the ftp firewalling rules. It talks about the "related" rule being what you need, and that is near the bottom of your script, so I would assume it would have worked. Yet it doesn't work on any other port than 21.

Just to clarify, this is not for an ftp server, this is for an ftp client; the ftp server works fine.

Also, my client PC still cannot see the outside world, keeps getting "connect: Network is unreachable". The only thing it can do is ping the server. It does work when the firewall is off, so it is a firewall related problem, nothing else (using dnsmasq and dhcp, they still work).

Any help/suggestions welcome.

Thank you krunk + anyone else who is brave enough to take this on :)

Neil

Neil
nadsys
Tux's lil' helper
Joined: 01 Sep 2004
Posts: 97
Location: Darmstadt, Germany
Posted: Sat Oct 02, 2004 12:06 pm

Quick note: I thought "what the hell", let's try it on my second PC, the 12.168.0.10 machine. So I booted it up and tried "ping www.yahoo.com", it worked, then I tried a mozilla session, bingo, worked first time.

So why does one PC work and the other (192.168.0.9) not work? Any ideas?

The .10 machine runs Fedora Core 2. The .9 machine is Gentoo 2.6.7, server .25 is Gentoo 2.6.8.

Thank you,

Neil
krunk
Guru
Joined: 27 Jul 2003
Posts: 316
Posted: Sat Oct 02, 2004 4:32 pm

Sorry about the error, I've edited (for real) now so no one else will have to deal with it.

That is very odd. But here is what I would suggest:

On the machine where iptables is running do a:
Code:
tail -f /var/log/messages

*or wherever your logs are being sent to*

Then attempt a connection; if iptables is blocking the packets you should see the logs begin to scroll, in which case post the appropriate ones here.

Secondly, if the rule set works on one machine and not the other, I would expect a configuration error somewhere on the client. The rules dynamically grab the IPs and netmasks of the appropriate devices. It would better help us wrap our minds around the issue with a network schematic like the following: http://www.tuxmac.homelinux.org/~james/Documents/network_schematic_example.jpg

See, as far as your server is concerned, in the vast majority of cases there shouldn't be any rule difference between xxx.xxx.xxx.9 and xxx.xxx.xxx.10 as long as they are on the same subnet, unless you have some IP-specific filters running. In other words, most rules don't care which client you are coming from, but which subnet (e.g. the subnet of a particular interface).

So post/check everything related to networking on the trouble client you can, as well as logs of dropped packets.
nadsys
Tux's lil' helper
Joined: 01 Sep 2004
Posts: 97
Location: Darmstadt, Germany
Posted: Sun Oct 03, 2004 7:31 am

OK, fixed it. Forgot about the conf.d/net file. The 2nd PC was set up as a server at one point so the dhcp settings were slightly off. Needed to add gateway and -N -h to make it a client.

Sorry to have wasted your time.

BUT there still does remain a problem. The firewall script I posted will only allow active ftp on port 21. I can't get passive to work on any port, or active on any port except 21.

The ports I have been trying are in my script as a variable. So I can connect to the server, but when it tries to list ("list -a" OR "-aL") it fails.

I'm assuming this is because the ports it's trying to use for passive are not the ones I want it to use, i.e. the range of 14000:14500.

Any ideas/hints on what I should check?

Last but not least, everyone talks about /var/log/messages. I use metalog, there is no such file. I have /everything/current or /kernel/current, but no /messages.

Many thanks,

Neil
59729
Apprentice
Joined: 21 Jun 2004
Posts: 279
Posted: Sun Oct 03, 2004 1:16 pm

Passive uses several ports, one for the connection and another for transfer and listing, if I remember correctly... Don't know which ports; I think it's randomized between all high port numbers.

I think that's what the ftp tracking module should do, ip_conntrack_ftp, which should be included with your kernel sources and is very easy to add.
krunk
Guru
Joined: 27 Jul 2003
Posts: 316
Posted: Sun Oct 03, 2004 3:44 pm

lappen wrote:
I think that's what the ftp tracking module should do, ip_conntrack_ftp, which should be included with your kernel sources and is very easy to add.


You are exactly correct.
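The two answers above (59729's modprobe hint and the confirmation that ip_conntrack_ftp is what handles the passive data ports) can be put together as follows. This is an added example, not code from the thread or from the HOWTO's script; the interface, network and port variables are assumptions in the script's naming style, and the 10021 control port is a constructed stand-in for the "1xxxx" port mentioned earlier. Setting IPT and MODPROBE to echo prints what would be run.

```shell
#!/bin/sh
# Added example: let the FTP connection-tracking helper handle active and
# passive data connections for a non-standard control port.
IPT="${IPT:-iptables}"                 # set IPT="echo iptables" for a dry run
MODPROBE="${MODPROBE:-modprobe}"       # set MODPROBE=echo for a dry run
EXTIF="${EXTIF:-ppp0}"                 # assumed external interface
INTIF1="${INTIF1:-eth0}"               # assumed internal interface
INTNET1="${INTNET1:-192.168.0.0/24}"   # assumed internal network
FTP_PORT="${FTP_PORT:-10021}"          # constructed non-standard FTP control port

load_ftp_helper() {
    # ip_conntrack_ftp only watches port 21 unless told otherwise; "ports="
    # takes a comma-separated list.  Without it, the PORT/PASV exchange on the
    # custom control port is never parsed and the data connection is not RELATED.
    $MODPROBE ip_conntrack_ftp ports=21,"$FTP_PORT"
    # NAT helper, needed because LAN clients are masqueraded behind EXTIF.
    $MODPROBE ip_nat_ftp
}

ftp_client_rules() {
    # Control connection: LAN clients out to an FTP server on either port.
    $IPT -A FORWARD -i "$INTIF1" -o "$EXTIF" -s "$INTNET1" -p tcp \
        -m multiport --dports 21,"$FTP_PORT" -m state --state NEW -j ACCEPT
    # Data connections: the helper marks them RELATED to the tracked control
    # connection whichever direction they go, so no 14000:14500-style port
    # range has to be opened on the firewall; a passive port range is a
    # setting on the FTP server, not on the client's firewall.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

case "${1:-}" in apply) load_ftp_helper; ftp_client_rules ;; esac
```

On kernels newer than the 2.6.x discussed here the modules are named nf_conntrack_ftp and nf_nat_ftp, and the conntrack helper takes the same `ports=` parameter. The helper is also the reason why a rule allowing only the control port "works" for login but not for listing: LIST and RETR travel over the data connection, which is a separate TCP connection that nothing accepts unless it is recognised as RELATED.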
nadsys
Tux's lil' helper
Joined: 01 Sep 2004
Posts: 97
Location: Darmstadt, Germany
Posted: Sun Oct 03, 2004 9:11 pm

To answer you above, I do have conntrack_ftp and nat_ftp running as modules. I seem to be getting more success with the server off of port 21, still not 100% but I'll look into it further.

Easier example then: playing yahoo games should only require the http port, correct? + it runs on java so java must be installed but that's not an issue.

Works when the firewall is off, not when it's on. Firewall reject messages are as below. Is it safe to tell the server to allow all ports above 1024 and if so how?

Or is it possible to say "for this application allow all traffic on these ports", i.e. application filtering? I'm used to kerio personal firewall and all I had to do was block all lower ports except ones I needed, then add rules for every app and the ports it used so they were filtered, then deny all at the bottom; worked like a charm. No such ability to do that for say mozilla/gftp?

Code:

Oct  3 22:42:48 [kernel] FIREWALL REJECT UNKNOWN:IN= OUT=ppp0 SRC=84.57.35.49 DST=66.218.71.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30774 DF PROTO=TCP SPT=34173 DPT=11999 WINDOW=5808 RES=0x00 SYN URGP=0
Oct  3 22:42:51 [kernel] FIREWALL REJECT UNKNOWN:IN= OUT=ppp0 SRC=84.57.35.49 DST=66.218.71.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30775 DF PROTO=TCP SPT=34173 DPT=11999 WINDOW=5808 RES=0x00 SYN URGP=0


Thanks for any advice :)
krunk
Guru
Joined: 27 Jul 2003
Posts: 316
Posted: Sun Oct 03, 2004 11:44 pm

Allowing all ports above 1024 is like not having a firewall at all for about 55,000 of the 65,556 ports available. (Not too advised.)
The web games must use other ports besides http. The logs below indicate that IP 84.57.35.49 is attempting to connect from port 34173 to port 11999.

You don't have to open them all up, just those two and only going in one direction.

Code:

$IPT -A INPUT -s 84.57.35.49 -p tcp --sport 34173 --dport 11999 -j ACCEPT

(I think anyway, you may have to play around with the syntax.)
woodm
Tux's lil' helper
Joined: 18 Jun 2002
Posts: 75
Posted: Fri Nov 05, 2004 1:40 am    Post subject: How does one undo this script?

This firewall script works flawlessly for me. Which is fantastic.

However, I want to dig into it, and see exactly what's happening (damn curiosity. Hey, where's my cat?). Anyway, I can't seem to undo this monster at all.

I try:
Code:

[doorman:~] > /sbin/iptables -F
[doorman:~] > /sbin/iptables -X
[doorman:~] > /sbin/iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
[doorman:~] > ssh (somewhere else known to work)
ssh: (location): Temporary failure in name resolution
[doorman:~] > ping yahoo.com
ping: unknown host yahoo.com
[doorman:~] > ping 128.138.240.1
PING 128.138.240.1 (128.138.240.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted


I don't understand why that would happen at all.

I even try running the script from your FIRST HOW-TO which just kinda gets everything up and running. Even if I completely shutdown the machine and make sure the iptables-restore is empty, I still can't get to the outside world.

I don't understand how that's possible, but then again, I don't understand what's happening within this script anyway. It seems to me that the only non-/sbin/iptables commands that are entered are the environment variables and echo 1/0 > /proc/**** commands. I've tried matching these to other linux boxes I have, but nothing seems to work.

Anyone have any ideas?

I mean, I do have a working firewall, but I can't really change it, and I don't understand what's going on. These 2 things are bugging the crap out of me. :evil:

[edit]

Oh, here may be a hint for those that know more than me (everyone): I ran your big script above with bash's debug flag (-x) on, and I noticed the following:
Code:

+ /sbin/iptables -N DROPl
+ /sbin/iptables -A DROPl -j LOG --log-prefix DROPl:
+ /sbin/iptables -A DROPl -j DROP
+ /sbin/iptables -N REJECTl
+ /sbin/iptables -A REJECTl -j LOG --log-prefix REJECTl:
+ /sbin/iptables -A REJECTl -j REJECT
iptables: No chain/target/match by that name



No chain by that name? That seems strange.

BTW, I have read the above posts, but that doesn't necessarily mean that I haven't missed something ridiculously embarrassing. You don't have to be gentle at all. :lol:
[/edit]

Anyway, thanks guys. This is clearly the best forum in existence. 8)
_________________
There are thousands of types of people in this world:
The type that separates people into two groups,
and the thousands of other types.
krunk
Guru
Joined: 27 Jul 2003
Posts: 316
Posted: Fri Nov 05, 2004 3:12 am

In the first case, if you notice your default policies are 'DROP' this means if anything is not covered by a rule it is dropped. This is the first thing set by the script.

Secondly, you'll see this in the script:

Code:
$ECHO 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts


which blocks all icmp type packets.....ping included.

cheers

btw you should check out the iptables howto at FrozenTux.net
woodm
Tux's lil' helper
Joined: 18 Jun 2002
Posts: 75
Posted: Fri Nov 05, 2004 4:36 am    Post subject: ???

So the default policy of DROP isn't removed when I flush the system? Do you just have to change the default to ACCEPT then?

Interesting.

/me goes and reads a LOT more how-tos.
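To answer the "undo" question in code: the `-F` / `-X` session quoted above removes rules and user chains, but a chain's policy is not a rule, so the DROP policies the script sets stay in force and the host keeps discarding everything. The teardown below is an added example (not part of the thread or of the HOWTO's script) that flushes all three tables and resets every built-in chain's policy; setting IPT to an echo command prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: complete teardown of the state left behind by the firewall
# script.  "-F" and "-X" without "-t" only touch the filter table, and neither
# changes a policy, which is why the flushed host still answered
# "Operation not permitted" to ping.
IPT="${IPT:-iptables}"                 # set IPT="echo iptables" for a dry run

reset_firewall() {
    # Rules and user-defined chains (DROPl, REJECTl, ...) live in three tables.
    for table in filter nat mangle; do
        $IPT -t "$table" -F            # delete all rules
        $IPT -t "$table" -X            # delete user-defined chains
        $IPT -t "$table" -Z            # zero the packet/byte counters
    done
    # Policies belong to the built-in chains and must be reset explicitly.
    # Built-in chain sets differ per table (2.6-era layout).
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -t filter -P "$chain" ACCEPT
    done
    for chain in PREROUTING OUTPUT POSTROUTING; do
        $IPT -t nat -P "$chain" ACCEPT
    done
    for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        $IPT -t mangle -P "$chain" ACCEPT
    done
}
# The script's /proc knobs are a separate matter: icmp_echo_ignore_broadcasts
# only affects echo requests sent to the broadcast address and is a sane
# hardening default, so this teardown leaves it as it is.

case "${1:-}" in apply) reset_firewall ;; esac
```

After this the host has no filtering at all, so it is a step for reading the script on a trusted network rather than something to leave in place; `iptables-save` taken beforehand gives a file that `iptables-restore` can reload, including the policies, once the inspection is done.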
kannX
Tux's lil' helper
Joined: 21 Jul 2002
Posts: 76
Posted: Fri Nov 05, 2004 9:25 am

krunk wrote:

Code:
$ECHO 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

which blocks all icmp type packets.....ping included.

Well, I think it drops all incoming icmp sent to the broadcast address.
Icmp with the right address (INTIP1, INTIP2) from clients in INTNET1, INTNET2 and outgoing icmp should work.
krunk
Guru
Joined: 27 Jul 2003
Posts: 316
Posted: Fri Nov 05, 2004 2:28 pm

kannX wrote:
krunk wrote:

Code:
$ECHO 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

which blocks all icmp type packets.....ping included.

Well, I think it drops all incoming icmp sent to the broadcast address.
Icmp with the right address (INTIP1, INTIP2) from clients in INTNET1, INTNET2 and outgoing icmp should work.


Actually, I double checked and you are right. Wouldn't the default POLICY of DROP be at the root though?
jimbob0i0
n00b
Joined: 25 Jun 2003
Posts: 22
Posted: Sun Nov 14, 2004 9:20 pm

I've been trying to get this script to work for me but have a problem....
I have an internal mailserver running imaps, smtp and smtp on port 2525 (girlfriend's ISP blocks 25 for her so she can't connect on that).

I put in:

Code:

#Mail systems from the outside world to the internal server
$IPT -t nat -A PREROUTING -p tcp --dport 25 -i $EXTIF -j DNAT --to $CENTRAL
$IPT -t nat -A PREROUTING -p tcp --dport 993 -i $EXTIF -j DNAT --to $CENTRAL
$IPT -t nat -A PREROUTING -p tcp --dport 2525 -i $EXTIF -j DNAT --to $CENTRAL


Which I thought should have done it ($CENTRAL is defined as the IP address of the machine on the local network), but port scans show these ports as closed if I also put in a $IPT -A INPUT rule for those ports, or stealthed if I try forward or forward&input.

The logs show:
Code:
Nov 14 20:57:38 gateway DROPl:IN=eth1 OUT= MAC=00:09:5b:1b:72:09:00:0b:fc:43:c0:a8:08:00 SRC=204.1.226.228 DST=82.43.43.146 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=32768 PROTO=TCP SPT=62263 DPT=2525 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 14 20:57:05 gateway DROPl:IN=eth1 OUT= MAC=00:09:5b:1b:72:09:00:0b:fc:43:c0:a8:08:00 SRC=204.1.226.228 DST=82.43.43.146 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=32768 PROTO=TCP SPT=62228 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 14 19:46:34 gateway DROPl:IN=eth1 OUT= MAC=00:09:5b:1b:72:09:00:0b:fc:43:c0:a8:08:00 SRC=204.1.226.228 DST=82.43.43.146 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=32768 PROTO=TCP SPT=56955 DPT=993 WINDOW=8192 RES=0x00 SYN URGP=0



Any ideas guys? I'd really like to lock down my firewall better than it is now.
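Both of the log excerpts in this thread (nadsys's FIREWALL REJECT lines and the DROPl lines just above) carry the answer to "which chain saw this packet?" in their IN= and OUT= fields: the kernel fills only OUT for packets the firewall generated itself (OUTPUT), only IN for packets addressed to the firewall (INPUT), and both for packets being routed between interfaces (FORWARD). The classifier below is an added example, not code from the thread; it uses the two quoted lines as input, plus one constructed FORWARD line, and prints the direction with the endpoints. On the DROPl lines the classification is INPUT with DST still the public address, which means that at the point of logging the packet had not been rewritten by a PREROUTING DNAT rule, since a DNATed packet bound for another host would show both IN and OUT with the internal destination.

```shell
#!/bin/sh
# Added example: summarise netfilter LOG lines so a logged packet can be
# mapped to the chain that handled it.
#   IN only  -> INPUT   (addressed to the firewall itself)
#   OUT only -> OUTPUT  (generated by the firewall itself)
#   both     -> FORWARD (routed between interfaces)
classify_netfilter_log() {
    awk '
    /PROTO=/ {
        split("", f)                       # clear the field map per line
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue           # flags such as DF or SYN
            k = substr($i, 1, n - 1)
            sub(/^.*:/, "", k)             # "DROPl:IN" / "UNKNOWN:IN" -> "IN"
            f[k] = substr($i, n + 1)
        }
        if (f["IN"] == "" && f["OUT"] != "")
            dir = "OUTPUT via " f["OUT"]
        else if (f["IN"] != "" && f["OUT"] == "")
            dir = "INPUT on " f["IN"]
        else
            dir = "FORWARD " f["IN"] "->" f["OUT"]
        printf "%s %s %s:%s -> %s:%s\n", dir, tolower(f["PROTO"]), f["SRC"], f["SPT"], f["DST"], f["DPT"]
    }'
}

# Sample input: the first two lines are the entries quoted in the posts above
# (nadsys's FIREWALL REJECT and jimbob0i0's DROPl); the third is constructed
# to show a forwarded packet.
sample_log() {
    cat <<'EOF'
Oct  3 22:42:48 [kernel] FIREWALL REJECT UNKNOWN:IN= OUT=ppp0 SRC=84.57.35.49 DST=66.218.71.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30774 DF PROTO=TCP SPT=34173 DPT=11999 WINDOW=5808 RES=0x00 SYN URGP=0
Nov 14 20:57:38 gateway DROPl:IN=eth1 OUT= MAC=00:09:5b:1b:72:09:00:0b:fc:43:c0:a8:08:00 SRC=204.1.226.228 DST=82.43.43.146 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=32768 PROTO=TCP SPT=62263 DPT=2525 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 14 21:00:00 gateway DROPl:IN=eth0 OUT=ppp0 SRC=192.168.0.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
EOF
}

# Usage: sample_log | classify_netfilter_log   (or feed it a real log file)
classify_sample() { sample_log | classify_netfilter_log; }
```

The same one-liner works on a live file (`tail -f /var/log/messages | classify_netfilter_log`, or metalog's `/var/log/everything/current`), and is a quicker way to decide whether a missing rule belongs in INPUT, OUTPUT or FORWARD than reading the raw SRC/DST pairs.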
Jerri
Guru
Joined: 03 Apr 2003
Posts: 353
Posted: Mon Jan 24, 2005 1:26 am

Does anyone suffer from extremely huge log files?
I let my router run (using this script) for a week and a half, without checking on it. /var/log/messages was over 25 MB. That seems a touch excessive.

I realise that it's probably a good idea to review all the packets dropped. But... something doesn't sit very well with me on that one. I don't know.

I guess what I'm interested in hearing from others is, what's your policy on logging every dropped packet? What do you do with your log files? I suppose I could run a cron job to compress them every couple of days and store them somewhere. The only problem is that my router is running out of space. I mean, I have a 1.2 GB hard disk. That's not a huge amount of room to work with.

Anyway. The script works well. Much obliged for the HOWTO :)
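The log growth described in this post comes from the DROPl/REJECTl chains shown in the bash -x trace earlier in the thread, which log every packet they see. The variant below is an added example (not the HOWTO's code) that keeps the same two chains and the same prefixes but puts a `-m limit` match in front of the LOG rule; the rate and burst values are assumptions, and setting IPT to an echo command prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: the DROPl/REJECTl logging chains with a rate limit, so a
# scan or a chatty host cannot fill a small disk with log lines.
IPT="${IPT:-iptables}"                 # set IPT="echo iptables" for a dry run
LOG_RATE="${LOG_RATE:-5/min}"          # assumed: sustained log lines per chain
LOG_BURST="${LOG_BURST:-10}"           # assumed: lines allowed before limiting

logging_chains() {
    for chain in DROPl REJECTl; do
        $IPT -N "$chain"
        # -m limit is a token bucket: while tokens remain the packet is logged;
        # otherwise the LOG rule does not match and the packet falls through
        # to the verdict rule below.  The verdict itself is never rate limited,
        # so filtering behaviour is unchanged, only the volume of log output.
        $IPT -A "$chain" -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
            -j LOG --log-prefix "$chain:" --log-level 4
    done
    $IPT -A DROPl -j DROP
    # -j REJECT needs the REJECT target (ipt_REJECT) built in or loaded; if it
    # is missing, iptables reports "No chain/target/match by that name" here.
    $IPT -A REJECTl -j REJECT --reject-with icmp-port-unreachable
}

case "${1:-}" in apply) logging_chains ;; esac
```

Rate limiting answers the disk-space half of the question; what to keep is then a rotation policy, and logrotate (or metalog's own size-based rotation) compressing and expiring the old files is the usual way to bound a 1.2 GB disk without giving up the recent history.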
Page 3 of 5