LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 02-15-2009, 05:10 AM   #1
haxpak
Member
 
Registered: Jan 2009
Location: India
Distribution: fc9 x86_64
Posts: 35

Rep: Reputation: 15
Unhappy iptables rules causing problems


hello
i have system with 2 nic's
i have setup iptables with following rules

Code:
#!/bin/sh

IPTABLES=/sbin/iptables
#MODPROBE=/sbin/modprobe
INT_NET=10.168.1.0/24

### flush existing rules and set chain policy setting to DROP

echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

###### INPUT chain ######

echo "[+] Setting up INPUT chain..."

### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -i eth0 -p tcp -s ! $INT_NET --syn -m state --state NEW -j LOG --log-prefix "INTRUSION"
$IPTABLES -A INPUT -i eth0 -p tcp -s ! $INT_NET --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules

$IPTABLES -A INPUT -i eth1 -s ! $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A INPUT -i eth1 -s ! $INT_NET -j DROP

### ACCEPT rules

$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 8080 -j ACCEPT # 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 4444 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

### default INPUT LOG rule
$IPTABLES -A INPUT -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### OUTPUT chain ######
echo "[+] Setting up OUTPUT chain..."
### state tracking rules

$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out

$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### default OUTPUT LOG rule

$IPTABLES -A OUTPUT -o ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
then i said on shell:
[CODE]
>service iptables save
>chkconfig iptables on
[CODE]

upon restarting my system i found service "rpc.statd" failing

also gnome takes a lot of time to start
and shows the following error

Quote:
There was an error starting the GNOME Settings Daemon.

Some things, such as themes, sounds, or background settings may not work correctly.

The last error message was:

Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

GNOME will still try to restart the Settings Daemon next time you log in.
please help me with this

thanks in advance
 
Old 02-15-2009, 05:23 AM   #2
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
give some love to loopback

iptables -I INPUT -s 127.0.0.1 -j ACCEPT
 
Old 02-15-2009, 05:30 AM   #3
haxpak
Member
 
Registered: Jan 2009
Location: India
Distribution: fc9 x86_64
Posts: 35

Original Poster
Rep: Reputation: 15
no sir
i added
$IPTABLES -I INPUT -s 127.0.0.1 -j ACCEPT

but it did not help
 
Old 02-15-2009, 05:41 AM   #4
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
You've got some logging statements... Are there any log entries in /var/log/messages regarding dropped packets?
 
Old 02-15-2009, 08:27 AM   #5
haxpak
Member
 
Registered: Jan 2009
Location: India
Distribution: fc9 x86_64
Posts: 35

Original Poster
Rep: Reputation: 15
yes there are many

Feb 15 15:24:35 localhost kernel: DROP IN= OUT=eth1 SRC=10.168.1.20 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF OPT (94040000) PROTO=2

is one of the examples

and
Feb 14 00:25:55 localhost kernel: DROP IN= OUT=eth0 SRC=192.168.1.5 DST=90.185.61.79 LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=37392 DF PROTO=TCP SPT=55861 DPT=12562 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A006BC7180000000001030307)

does it mean something??
 
Old 02-15-2009, 09:44 PM   #6
haxpak
Member
 
Registered: Jan 2009
Location: India
Distribution: fc9 x86_64
Posts: 35

Original Poster
Rep: Reputation: 15
please also tell me as to where do the system messages go?

as, if gnome is causing problems it should have generated some error messages regarding the same
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables 1.27a still loading rules after installing iptables 1.3.0 yawe_frek Linux - Software 1 06-07-2007 10:50 PM
iptables causing system to hang @ boot blackdragonblood Linux - General 2 06-23-2005 05:57 PM
IPTABLES - rules in /etc/sysconfig/iptables The_JinJ Linux - Newbie 6 11-20-2004 02:40 AM
IPtables firewall causing network slowdown lucktsm Linux - Security 3 05-12-2004 12:37 AM
IPTables rules dkny01 Linux - Networking 6 10-23-2003 01:52 AM


All times are GMT -5. The time now is 08:31 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration