LinuxQuestions.org
Old 10-03-2003, 08:44 AM   #1
sedulous
LQ Newbie
 
Registered: Aug 2003
Posts: 24

Rep: Reputation: 15
iptables; confusing internal access error


This sure is confusing.

I have a rh8 gateway, which acts as router, firewall, etc.

This is my iptables script.

The problem is that only two workstations, 192.168.0.2 and 192.168.0.3, can access all ports; however, my recent addition, a Dell Inspiron laptop (192.168.0.4), cannot access anything other than the higher ports (> 1024) and the squid proxy for internet surfing.

Quote:
###############################################
#
# Set input, forward policies to DROP everything
# and flush existing rules
#
/sbin/iptables -P INPUT DROP
/sbin/iptables -F INPUT
/sbin/iptables -P FORWARD DROP
#we want to allow everything out
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
#
########################

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 192.168.0.1/24 -o eth1 -j MASQUERADE
echo "1"> /proc/sys/net/ipv4/ip_forward

# Allow established and related packets back in:
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all packets on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

local_net=192.168.0.0/24
# allow from local net
iptables -A INPUT -s $local_net -j ACCEPT
# allow all from trusted lan hosts
iptables -A FORWARD -s $local_net -i eth0 -o eth1 -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth1 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 113 -j DNAT --to 192.168.0.3

# Accept SMTP
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# Accept POP3
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
The only thing I can think of that would be the problem is my previous iptables script:
Quote:
###############################################

# Squid Server
#
/sbin/iptables -A INPUT -i $extint -p tcp --sport 80 -d $extip --dport 1024:65535 -j ACCEPT

#############################################
/sbin/iptables -t nat -A PREROUTING -i $intint -p tcp --dport 80 -j REDIRECT --to-port 3128
Those two tables.


This machine 192.168.0.4 - notebook - is running Windows XP Home.


Any ideas?

Thanks in advance.
 
Old 10-05-2003, 03:21 PM   #2
clacour
Member
 
Registered: Sep 2003
Location: Dallas, Tx, USA
Distribution: Red Hat, Gentoo, Libranet
Posts: 98

Rep: Reputation: 16
I don't see anything in this that would treat the XP box differently from any of the others. A possibility: Maybe something on the XP box is preventing you from accessing certain ports.

No, the more I think about it, that doesn't make much sense, but it brings up a point that needs clarifying. What do you mean when you say "can't access ports below 1024"? Are you trying to do things like telnet and ftp? If so, double-check your hosts.allow. It might not be the firewall preventing you from getting in.

I did see something else that worried me about your firewall script, though.


Quote:
# Set input, forward policies to DROP everything
# and flush existing rules
#
/sbin/iptables -P INPUT DROP
/sbin/iptables -F INPUT
/sbin/iptables -P FORWARD DROP
#we want to allow everything out
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
#########################
Unless things changed drastically between ipchains and iptables, flushing a chain/table (iptables -F xxx) wipes out everything that was done before on that table, and the default setting is "accept". So if you have your flush (-F input) AFTER your policy (-P input DROP), it's going to get wiped out.

All of that becomes moot in this case, though, because of what you have below:

Quote:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 192.168.0.1/24 -o eth1 -j MASQUERADE
This is setting your policy to ACCEPT, and you don't have any DENY rules, so effectively, you have no firewall at all.

If this is the firewall script you were using to test the XP box, I can almost guarantee that your problem is not the firewall, because this script effectively turned it off. (ACCEPT on everything is the "turned off" state.)

Do an "iptables -nL" to double-check my logic, but if you don't see any DROP rules, you might as well just shut the firewall off. It's not doing you any good.

I would recommend setting each chain/table up this way:

iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT ~~~~~ (rule 1) ~~~~~~~
iptables -A INPUT ~~~~~ (rule 2) ~~~~~~~

and so on.

An input policy of "DROP" is a major pain in the butt (believe me, I know!), but if you use a policy of ACCEPT, then you have to depend on getting every DROP that you need right, or else there's a hole in your armor. I don't know about you, but I stopped being perfect years ago.

Good luck,

CHL
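The chain layout clacour recommends (flush, then policy, then the ACCEPT rules), written out as an added example that is neither the poster's script nor clacour's, together with a check that refuses to apply a rule set in which a chain's flush or an appended rule precedes its policy. The interface names, subnet, ports and the IPT dry-run variable are assumptions modelled on the thread.

```shell
#!/bin/sh
# Added example (not the poster's script): an INPUT/FORWARD rule set in the
# order flush -> policy DROP -> explicit ACCEPTs, plus an ordering check.
# Interface names, subnet and ports are assumptions modelled on the thread.
IPT="${IPT:-/sbin/iptables}"   # set IPT="echo iptables" for a dry run
EXT=eth1                        # Internet-facing interface (assumed)
INT=eth0                        # LAN interface (assumed)
LOCAL_NET=192.168.0.0/24        # the network, not the gateway's own address

# Print the rule set, one command per line, in the order it must be applied.
firewall_rules() {
    cat <<EOF
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
$IPT -t nat -F POSTROUTING
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $INT -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -i $EXT -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -i $EXT -p tcp --dport 110 -j ACCEPT
$IPT -A FORWARD -i $INT -o $EXT -s $LOCAL_NET -j ACCEPT
$IPT -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -s $LOCAL_NET -o $EXT -j MASQUERADE
EOF
}

# Read iptables commands on stdin; exit 0 only if every chain that gets a
# policy (-P) was flushed (-F) before it and had no rule appended (-A) before it.
check_order() {
    awk '{ for (i = 1; i < NF; i++) {
               if ($i == "-F") f[$(i+1)] = NR; else if ($i == "-P") p[$(i+1)] = NR;
               else if ($i == "-A" && !($(i+1) in a)) a[$(i+1)] = NR } }
         END { for (c in p) {
                   if (!(c in f) || f[c] > p[c]) bad++
                   if ((c in a) && a[c] < p[c]) bad++ }
               exit bad ? 1 : 0 }'
}

# Apply the rules (needs root); refuse to run a mis-ordered set.
apply_rules() {
    firewall_rules | check_order || { echo "rule order is wrong" >&2; return 1; }
    firewall_rules | sh
}
```

Running `IPT="echo iptables" sh script.sh` style dry runs lets you read the generated commands without touching the live firewall.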
 
Old 10-07-2003, 02:59 AM   #3
sedulous
LQ Newbie
 
Registered: Aug 2003
Posts: 24

Original Poster
Rep: Reputation: 15
Yes, thanks for your reply.

I see a few problems with the firewall - yes there are a few flaws.

So I've fixed them.

Problem is still the same. I can't access ports below 1024. For example ftp, pop3 etc.

I can use web browsing no problem.

I am pretty sure it's a problem on the XP box.

I'll check the hosts.allow file just in case.


Thanks
 
Old 10-07-2003, 03:01 AM   #4
sedulous
LQ Newbie
 
Registered: Aug 2003
Posts: 24

Original Poster
Rep: Reputation: 15
As I said before, ftp and mail server access is restricted; however, I can access everything hosted on the gateway/server machine.
 
Old 10-09-2003, 10:35 AM   #5
sedulous
LQ Newbie
 
Registered: Aug 2003
Posts: 24

Original Poster
Rep: Reputation: 15
I think it's a problem with my caching nameserver. I think I half set it up! So the only thing I could access was my gateway.

I removed the drop, and filtered it by a few accept rules.

I've changed the XP machine to rh9 now, and now I can't access anything other than Squid's proxy, i.e. web browsing.
 
Old 10-09-2003, 09:46 PM   #6
clacour
Member
 
Registered: Sep 2003
Location: Dallas, Tx, USA
Distribution: Red Hat, Gentoo, Libranet
Posts: 98

Rep: Reputation: 16
I've gotten a little lost. If I've understood and remembered everything right, you have:

A Linux gateway/firewall machine (192.168.0.1) which can get to any port (telnet, ssh, ftp, http, etc) on any machine, local or Internet.

You have two workstations (192.168.0.2 and -.3) which use 192.168.0.1 as their gateway, and can get to any port on any machine.

You have a new laptop, which was running XP and is now running RH 9, which can get to ports above 1024 on Internet addresses, and can get to any port on the gateway machine. (I strongly suspect it will be able to get to any port on the other two workstations, although I don't think you've said.)

This one canNOT get to ports below 1024 on Internet hosts, so you can't do things like FTP from any Internet site.

One thing I don't think you've mentioned: How does it fail? You've said "I don't have access", but what tells you that?

I'd like to see a few things:

Contents of your firewall script (current).
Output of "route" on your gateway machine
Output of "route" on one of the working desktops
Output of "route" on the laptop

Contents of "/etc/resolv.conf" on the gateway.
Contents of "/etc/resolv.conf" on a working workstation.
Contents of "/etc/resolv.conf" on the laptop.

It shouldn't matter, but I did notice an oddity in your firewall script. Your line that says "iptables -t nat -A POSTROUTING -s 192.168.0.1/24 -o eth1 -j MASQUERADE" should be 192.168.0.0, I'm pretty sure. With the /24 on there, that shouldn't make any difference, but a problem with the forwarding rules would make excellent sense, given the symptoms.

Given that you've had the problem with both XP and RH9, it almost HAS to be on your firewall box.
 
Old 10-10-2003, 12:52 AM   #7
sedulous
LQ Newbie
 
Registered: Aug 2003
Posts: 24

Original Poster
Rep: Reputation: 15
Sorry, thanks for your reply.

I forgot to mention that I did fix it. It was indeed my firewall box. One line right at the bottom of the firewall script was uncommented. It was a DENY all.

Testing different accessing of ports at different times led me to the conclusion that one machine could access ports XY and the other couldn't. Thanks for your help.


I think I'll search around for a good Linux iptables guide and secure my box. Thanks for your help nevertheless.
 