Hi all,
I'm in the process of modifying the main script of the homeLANsecurity iptables firewall (http://homelansecurity.sourceforge.net/script.php), found in /etc/hls, but don't quite understand certain things. Also, I have completely turned custom.conf OFF as I don't want to use it. I realise that the firewall allows all traffic, e.g. DNS, by default, albeit I have changed the DNS_WAN function so that DNS doesn't work (just for testing), but it still allows DNS... same thing for HTTP. I wonder if someone could help me out. In précis, I can't get major functions like DNS_WAN, SSH_WAN etc. to work when I change the target from ACCEPT to DROP. Many thanks in advance.
> something like:
Code:
> $IPT -A OUTPUT -o $WANIFACE -p tcp --sport 53 \
> -m state --state NEW,ESTABLISHED --dport 53 -j DROP
> $IPT -A INPUT -i $WANIFACE -p tcp --sport 53 \
> -m state --state ESTABLISHED --dport 53 -j DROP
Output of iptables -L
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ICMP icmp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-reply state ESTABLISHED
INVALID tcp -- anywhere anywhere
BASIC all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp spt:ssh dpt:ssh state ESTABLISHED
DROP tcp -- anywhere 192.168.114.128 tcp spts:1024:65535 dpt:domain
DROP tcp -- anywhere 192.168.114.128 tcp spts:1024:65535 dpt:http
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp spt:ssh dpt:ssh state NEW,ESTABLISHED
DROP tcp -- 192.168.114.128 anywhere tcp spt:domain dpts:1024:65535
DROP tcp -- 192.168.114.128 anywhere tcp spt:http dpts:32768:61001
Chain BASIC (1 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
DROP all -- 192.168.114.128 anywhere
DROP all -- localhost.localdomain anywhere
RETURN all -- anywhere anywhere
Chain ICMP (1 references)
target prot opt source destination
Chain INVALID (1 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
RETURN all -- anywhere anywhere
Many thanks.
PS: I do apologise if I have posted in the wrong thread... I just couldn't post on the networking section for some reason. If this post can be moved to that section, that'll be great. Thanks.
I can't correlate the iptables commands you posted with the iptables listing you provided (unless homeLANsecurity is subsequently inserting 192.168.114.128 into the commands as destination or source address). Nonetheless, I have a few observations that might be useful to you.
DNS queries are supposed to be tried first on udp, and if that fails they are tried on tcp, although I have never actually seen them on tcp. I noticed both of your iptables rules specified tcp. If you want to be sure to block, you should block both.
You appear to be requiring both source and destination ports to be port 53 on both commands. This is incorrect. It is port 53 only on the (remote) DNS server. What might be the corresponding rule in the listing, however, appears to be correct.
If you want to see the input and output ports specified when you list the rules, add -v to the parameters you give iptables. This will also list packet and byte counts for each rule. Personally, I also like to use -n, but that is a personal choice.
Last edited by blackhole54; 04-23-2007 at 07:12 AM.
When you modified the script, did you then actually run the script? The state of iptables does not correlate with the commands you posted. Are you attempting to block traffic to the firewall host itself, or to nodes behind the firewall? The INPUT & OUTPUT chains are used to manage traffic to the firewall; the FORWARD chain should be used to manage traffic through the firewall.
Thanks for the posts, but I still can't get it working. I have changed the protocol to udp; never knew DNS used that. It seems to me that the program by default is developed to allow external access to network services like a DNS server etc. I'm not running any server whatsoever on my machine; also I am not using NAT.
I am attempting to block access to the firewall using the output chain and then inbound traffic using the input chain. In other words, I shouldn't be able to send e.g. DNS queries or even SSH if I set targets to DROP. The script runs after modifications.
theNbomr, I have tried commenting out the 'function ESTABLISHED' because it allows all traffic to and from the firewall after reset... not sure about this because it now blocks everything!
Put another way, I am designing a web-based front end (using PHP) for this program, so I have completely 'turned off' custom.conf. The idea is that, for instance, if I want to block ICMP pings, I'll just click a check box, say, which then calls the icmp function from the script; or say I want to disable DNS, then I'll click a check box on the GUI which then calls DNS_WAN from the shell script.
NB: I am using just one interface (eth0), i.e. it's not a gateway or router at all.
I've never actually tried to block DNS, but as I understand the protocol, you would have to block it on both udp and tcp.
If I correctly understood your comment about ESTABLISHED, that (combined with RELATED) is the normal way for returning packets to be allowed back through the firewall. If you disable that, nothing will be able to return unless you create another rule to specifically allow it. If you want to block something coming back, you can add a DROP or REJECT rule for such a packet prior to the ESTABLISHED/ACCEPT rule. Generally once a packet matches a rule with a target (-j option) it will go no further in that chain ("first match wins"). A LOG target is an exception to this.
If you are trying to debug what is happening on your firewall, the byte and packet counters that you get when you do a verbose (-v) listing can sometimes be quite useful.
I don't think you want to disable the ESTABLISHED function, because the default DROP policy will then be in force. The general idiom is to restrict the establishment of connections, but once a connection has been successfully made, freely allow all traffic on that connection.
I assume you run /usr/local/bin/hls reload to restart the firewall after each iteration of editing the script? Do you still see a mismatch of the iptables config listing vs. the commands expected to run in the script?
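Pulling the replies' corrections together, here is an added example (my own, not the homeLANsecurity script's DNS_WAN function) of what the two quoted rules look like once both udp and tcp are blocked, only the server side is pinned to port 53, INPUT matches with -i, and the DROPs are inserted ahead of the RELATED,ESTABLISHED accept so that first match wins. IPT and WANIFACE are the script's variable names; DRY_RUN is an assumption of this example so the rules can be reviewed before they are applied as root.

```shell
#!/bin/sh
# Added example, not code from the homeLANsecurity script: the two quoted
# rules rewritten with the corrections the replies raise. IPT and WANIFACE
# are the script's variable names; DRY_RUN is an assumption of this example
# so the rules can be reviewed (DRY_RUN=1) before they are applied as root.
IPT=${IPT:-/sbin/iptables}
WANIFACE=${WANIFACE:-eth0}
DRY_RUN=${DRY_RUN:-0}

# run: execute the iptables command, or only print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# dns_wan_block: stop this host sending DNS out of WANIFACE and drop any
# DNS replies that arrive. Points applied from the thread:
#   - both udp and tcp, because a resolver falls back to tcp
#   - only the remote server side is port 53: --dport on OUTPUT, --sport on INPUT
#   - INPUT matches the inbound interface with -i, OUTPUT the outbound with -o
#   - "-I <chain> 1" inserts at the top, ahead of the ACCEPT RELATED,ESTABLISHED
#     rule, so first match wins and the DROP is actually reached
dns_wan_block() {
    for proto in udp tcp; do
        run "$IPT" -I OUTPUT 1 -o "$WANIFACE" -p "$proto" --dport 53 \
            -m state --state NEW,ESTABLISHED -j DROP
        run "$IPT" -I INPUT 1 -i "$WANIFACE" -p "$proto" --sport 53 \
            -m state --state ESTABLISHED -j DROP
    done
}

# dns_wan_show: verbose (-v) numeric (-n) listing; the pkts/bytes counters
# on the DROP lines show whether blocked queries are actually hitting them
dns_wan_show() {
    run "$IPT" -L OUTPUT -v -n
    run "$IPT" -L INPUT -v -n
}

# "sh dns_block.sh apply" installs the rules and lists the result; with no
# argument the file only defines the functions
case "${1:-}" in
    apply) dns_wan_block && dns_wan_show ;;
esac
```

Run it with DRY_RUN=1 first and compare the printed commands against the iptables -L -v -n output; the DROP lines should then sit at position 1 of OUTPUT and INPUT, above the ACCEPT RELATED,ESTABLISHED rule.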