I want to give the internal network internet access, but I only want to let in specific ports from the internet, and later I want to direct them to specific ports on specific internal ip's. But that's for later. What I was trying to accomplish was giving the internal network internet access, and drop incoming new and invalid packets. Is anything incorrect/redundant?
My /etc/rc.d/rc.local contains the following part for iptables:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t filter -A INPUT -m state --state NEW,INVALID -i eth0 -j DROP
iptables -t filter -A INPUT -p tcp --syn -i eth0 -j DROP
iptables -t filter -A INPUT -i eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
My nat table comes out looking like it should according to my script I think:
My best guess would be that dhcpcd is adding this "RH-Lokkit-0-50-INPUT" chain (which I've tried deleting but reappears on reboot) and all the other stuff in there. I thought that this might be the reason my internal LAN doesn't have internet access, so I flushed the filter and nat tables and then executed /etc/rc.d/rc.local again. The nat table obviously looked the same, but the filter table looked like:
Thanks hazza, I deleted "iptables -t filter -A INPUT -p tcp --syn -i eth0 -j DROP" I guess because it wouldn't do anything, but FIREWALL_MODS=no didn't work. I added the line and rebooted, but it was still there. So I thought maybe I had to delete it first, so I deleted it then rebooted, and it came back again. I ended up removing it because it seems to have no effect.
2 questions:
1) What's wrong with my setup? Even when I fix by hand what "FIREWALL_MODS=no" in /etc/sysconfig/network was supposed to fix, it doesn't work.
2) What is the chain RH-Lokkit-0-50-INPUT for? There has to be a purpose for it, and what is creating it?
The RH-Lokkit-0-50-INPUT chain is used by the lokkit program that comes with RH9. The rules created by lokkit are put in there. It also uses it to "punch" through rules to allow your ISP's DNS servers to reply to you. You don't need those specific rules when you're using a stateful firewall. After you configure your firewall the way you want, then you don't want to run lokkit again. To be even safer you should remove it.
The only reference I was able to find to RH-Lokkit-0-50-INPUT under /etc was in /etc/sysconfig/network-scripts/ifup and /etc/sysconfig/network-scripts/ifup-post. When you bring a network interface up, the ifup-post script checks for the existence of the RH-Lokkit-0-50-INPUT chain and then adds the rules for the nameservers.
I removed the line "FIREWALL_MODS=no" from /etc/sysconfig/network and ran lokkit to bring back the RH-Lokkit-0-50-INPUT. I wasn't able to get that chain back without running lokkit. Now my firewall looks like this:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [59:5996]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 192.168.0.1 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
Keep in mind that I'm testing this out not on the computer that I'm posting this from. My network setup looks a bit different but the procedure should be about the same. I've sshed into this box so I can find a procedure you'll be able to use even if you're not working directly on the firewall box. I'm going to call eth0 for my box $INT_IN. For your setup $INT_IN should be eth1 and $EXT_IN should be eth0. Next I did
Now this is all on one line so as to not break the ssh connection I'm using to connect to this box. This is what my INPUT chain looks like now:
# iptables -vL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
93 7108 ACCEPT all -- eth0 any anywhere anywhere
For you it should look something like this:
# iptables -vL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
93 7108 ACCEPT all -- eth1 any anywhere anywhere
Next you should add:
# iptables -A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
I also add a rule to reject identd probes as it speeds up some ftp connections.
Now your INPUT chain should look something like this:
# iptables -vL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
501 38228 ACCEPT all -- eth1 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 REJECT tcp -- any any anywhere anywhere tcp dpt:auth reject-with tcp-reset
The packet and byte counts may differ but that's nothing to worry about. Now you can remove the RH-Lokkit-0-50-INPUT chain. I've found that there is also a reference to this in the FORWARD chain, so you have to remove that first.
At this stage the entire filter table should look something like this:
# iptables -t filter -vL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
1016 76160 ACCEPT all -- eth0 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 REJECT tcp -- any any anywhere anywhere tcp dpt:auth reject-with tcp-reset
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1218 packets, 134K bytes)
pkts bytes target prot opt in out source destination
You can see that the RH-Lokkit-0-50-INPUT chain is now gone. You'll want to make sure that the nat table still has the rule in there for masquerading. So it should look something like this:
Just to be cautious, make sure there's a new line at the end of /etc/sysconfig/network. Now just to be safe, remove the packages lokkit and gnome-lokkit with
rpm -e lokkit gnome-lokkit
or
apt-get remove lokkit gnome-lokkit
if you have apt available.
Now you're ready to bring down the public interface and then bring it back up again to check if the RH-Lokkit-0-50-INPUT chain comes back.
# ifdown $EXT_IN
# ifup $EXT_IN
For my box the chain RH-Lokkit-0-50-INPUT did not come back. I rebooted my computer just to double check that the chain RH-Lokkit-0-50-INPUT does not come back. On my box
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any ppp0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
1775 134K ACCEPT all -- eth0 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 REJECT tcp -- any any anywhere anywhere tcp dpt:auth reject-with tcp-reset
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1679 packets, 190K bytes)
pkts bytes target prot opt in out source destination
confirmed that the RH-Lokkit-0-50-INPUT chain did not come back.
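The end state the reply above walks you to (INPUT policy DROP, accept lo and the LAN interface, accept RELATED,ESTABLISHED, reject identd, MASQUERADE out the public interface, no lokkit chain) written out as an iptables-restore ruleset. This is an added example, not the poster's own commands; the gen_ruleset/check_ruleset function names and the eth0/eth1 defaults for the OP's box are my assumptions.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for the stateful NAT firewall the
# thread arrives at. Interfaces are parameters; defaults match the OP's box
# (eth0 public, eth1 LAN). Nothing is loaded into the kernel here, so the
# text can be reviewed or diffed before it is applied.

gen_ruleset() {
    ext_in="${1:-eth0}"   # public interface ($EXT_IN in the thread)
    int_in="${2:-eth1}"   # LAN interface    ($INT_IN in the thread)
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ${ext_in} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ${int_in} -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}
# FORWARD is left at ACCEPT as in the thread's final listing; a stricter
# variant would accept only NEW from ${int_in} plus RELATED,ESTABLISHED.

# Sanity checks on the generated text: the leftover lokkit chain must be
# gone, nothing may accept new inbound connections on the public interface,
# and the masquerade rule must still be present.
check_ruleset() {
    ext_in="${1:-eth0}"
    rules=$(gen_ruleset "$@")
    ! printf '%s\n' "$rules" | grep -q 'RH-Lokkit' || return 1
    ! printf '%s\n' "$rules" | grep -q -- "-i ${ext_in} -j ACCEPT" || return 1
    printf '%s\n' "$rules" | grep -q -- "-o ${ext_in} -j MASQUERADE" || return 1
    echo ok
}

# To apply (as root), after enabling forwarding as the OP's rc.local does:
#   echo 1 > /proc/sys/net/ipv4/ip_forward
#   gen_ruleset eth0 eth1 | iptables-restore
```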