Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I am encountering problems to configure my firewall (through iptables) to allow apt-get features, like update and install.
I have the latest debian server running in a virtual machine in my windows xp and therefore I have two interfaces in this debian server:
- NAT Interface
inet: 10.0.2.15
- Host Only Interface
inet: 192.168.56.101
So far my iptable rules drop all packets for default, in exception icmp and ssh that I allow to ping and connect from my windows xp. Both of them I use only the Host interface (192...) to connect to another 192... interface on my windows. Those are working fine, but apt is not. I know, in this very moment it shouldn't. But I made a lot of attempts trying to configure the iptables allow connections through the 80 and 21 ports from/to NAT and Host. I think I made all possible combination (or not, because it didnt work). But I'm wondering if someone more experient can help me solve this problem...
I am encountering problems to configure my firewall (through iptables) to allow apt-get features, like update and install.
I have the latest debian server running in a virtual machine in my windows xp and therefore I have two interfaces in this debian server:
- NAT Interface
inet: 10.0.2.15
- Host Only Interface
inet: 192.168.56.101
So far my iptable rules drop all packets for default, in exception icmp and ssh that I allow to ping and connect from my windows xp. Both of them I use only the Host interface (192...) to connect to another 192... interface on my windows. Those are working fine, but apt is not. I know, in this very moment it shouldn't. But I made a lot of attempts trying to configure the iptables allow connections through the 80 and 21 ports from/to NAT and Host. I think I made all possible combination (or not, because it didnt work). But I'm wondering if someone more experient can help me solve this problem...
Your question is not very clear, we need more information to help you.
Can you post the output of:
Code:
iptables-save
ifconfig
Are you sure that it is iptables causing the issues?
try disabling iptables and see if the issue is sill there.
If disabling iptables does not fix the issue, post the output of:
Code:
cat /etc/apt/sources.list
Well yes, I'm sure it iptables causing the issue (my rules actually), because when I reset the iptables rules to accept everything, I can use apt features normally.
So I'm going to post everything here now (ifconfig, rules and source.list):
# Generated by iptables-save v1.4.2 on Mon Apr 26 10:27:16 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 192.168.56.1/32 -d 192.168.56.101/32 -p icmp -j ACCEPT
-A INPUT -s 192.168.56.1/32 -d 192.168.56.101/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -s 192.168.56.101/32 -d 192.168.56.1/32 -p icmp -j ACCEPT
-A OUTPUT -s 192.168.56.101/32 -d 192.168.56.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Apr 26 10:27:16 2010
source.list
Code:
# regular update for lenny
deb http://ftp.br.debian.org/debian/ lenny main contrib
deb-src http://ftp.br.debian.org/debian/ lenny main contrib
# security updates for lenny
deb http://security.debian.org/ lenny/updates main contrib
deb-src http://security.debian.org/ lenny/updates main contrib
# volatile
deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib
deb-src http://volatile.debian.org/debian-volatile lenny/volatile main contrib
I know that those rules wont let me connect to ports 21 and 80, the ones that I saw it is used by apt. But like I said before I made a lot of combinations allowing from/to 192.168.56.101 to everywhere, even from/to 10.0.2.15 from/to everywhere on ports 21 and 80, but it dindt work. I was unable to update, search and install using apt-get with all these attempts...
With this information, what rules should I use to allow apt features to workd, I mean in a secure way, because I'm using this virtualbox to be like a mirror from my real server that I'm supposed to take real good care of the firewall...
from your rules...you block all OUTGOING traffic(except ssh to one destination), how do you aspect it to work..
you should at least allow outgoing traffic to ftp.br.debian.org port 80 and use the bottom rule with -m state.
Also you should allow loopback traffic, outgoing dns queries(--dport 53 -p udp) , incoming dns replies(--sport 53 -p udp) ( -m state ESTABLISHED,RELATED will solve that)
iptables -A INPUT -i ethX -m state --state ESTABLISHED,RELATED -j ACCEPT will allow incoming traffic related to your outgoing connections.
please read a tutorial on linux firewall ...it might help you
Last edited by ddaemonunics; 04-27-2010 at 01:15 AM.
As ddaemonunics said, you need to allow more traffic through. This would be a start...
Code:
# Generated by SuperJediWombat's iptables configurator of awesome.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 21 -d ftp.br.debian.org -j ACCEPT
-A OUTPUT -p tcp --dport 21 -d security.debian.org -j ACCEPT
-A OUTPUT -p tcp --dport 21 -d volatile.debian.org -j ACCEPT
-A OUTPUT -p tcp --dport 80 -d ftp.br.debian.org -j ACCEPT
-A OUTPUT -p tcp --dport 80 -d security.debian.org -j ACCEPT
-A OUTPUT -p tcp --dport 80 -d volatile.debian.org -j ACCEPT
-A OUTPUT -s 192.168.56.101/32 -d 192.168.56.1/32 -p icmp -j ACCEPT
-A OUTPUT -s 192.168.56.101/32 -d 192.168.56.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
Keep in mind that iptables will attempt to do the DNS lookup for those domains when you add the rule set, and the IP may change. Also if you are having DNS issues, it obviously will not work.
from your rules...you block all OUTGOING traffic(except ssh to one destination), how do you aspect it to work..
you should at least allow outgoing traffic to ftp.br.debian.org port 80 and use the bottom rule with -m state.
Also you should allow loopback traffic, outgoing dns queries(--dport 53 -p udp) , incoming dns replies(--sport 53 -p udp) ( -m state ESTABLISHED,RELATED will solve that)
iptables -A INPUT -i ethX -m state --state ESTABLISHED,RELATED -j ACCEPT will allow incoming traffic related to your outgoing connections.
please read a tutorial on linux firewall ...it might help you
Thanks for your, reply, I will study a bit more about these established and related connections...
Oh and by the way, I was expecting it to work, because, like I said in my previous post, I made A LOT off attempts like allowing INPUT and OUTPUT packets on both ports 80 and 21 with different sources and destinations... I just didn't put them here because they didn't work and because I made a really lot of different combinations...
As ddaemonunics said, you need to allow more traffic through. This would be a start...
Code:
# Generated by SuperJediWombat's iptables configurator of awesome.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 21 -d ftp.br.debian.org -j ACCEPT
-A OUTPUT -p tcp --dport 21 -d security.debian.org -j ACCEPT
-A OUTPUT -p tcp --dport 21 -d volatile.debian.org -j ACCEPT
-A OUTPUT -p tcp --dport 80 -d ftp.br.debian.org -j ACCEPT
-A OUTPUT -p tcp --dport 80 -d security.debian.org -j ACCEPT
-A OUTPUT -p tcp --dport 80 -d volatile.debian.org -j ACCEPT
-A OUTPUT -s 192.168.56.101/32 -d 192.168.56.1/32 -p icmp -j ACCEPT
-A OUTPUT -s 192.168.56.101/32 -d 192.168.56.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
Keep in mind that iptables will attempt to do the DNS lookup for those domains when you add the rule set, and the IP may change. Also if you are having DNS issues, it obviously will not work.
Thanks for your reply too, very enlightening I would say. Just to be sure, if someone send a ESTABLISHED packet to my server that my server was not expecting it wouldnt be stupid to accept this unexpected packet right?
No, every packet falls into either ESTABLISHED, RELATED, NEW or INVALID. A packet that was claiming to be part of an existing connection, would be INVALID if it was not recorded by the connection tracker.
The reason your earlier attempts probably failed is that you did not allow DNS traffic through, and your computer could not have resolved the IP addresses of the Debian apt servers.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
