LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 10-07-2010, 02:24 PM   #1
pmascari
LQ Newbie
 
Registered: Oct 2010
Posts: 2

Rep: Reputation: 0
Ubuntu ICS Cut Off by Firewall


Extreme Newb here so please be kind. My office is full of Macs and Windows boxes. My IT staff and I only "dabble" in Linux when we get a chance.

So, we're trying to build a simple Firewall/Gateway out of Ubuntu. We have a machine with 2 NICs running the latest version: 10.04.

We have been able to set up the gateway/routing fine using both the built in Internet Connection Sharing as well as using Guidedog. The current setup we are testing is using Guidedog.

For the NICs we have set eth0 as our internet connection and eth1 connects to the LAN. We've manually set all IPs...no DHCP at this time.

Next we try to install a firewall. We have tried both Firestarter and Guarddog. After setup with either, the Ubuntu box is still able to get online and access web sites but the LAN gets cut off. No access at all. We are currently running Guarddog and have set the proper protocols (DNS, HTTP, HTTPS) and have also followed the tutorial found here.

However, no matter what settings we make as soon as we re-enable the firewall the LAN is cut off. Disable the FW...LAN is back online. We even set up an "Allow All" protocol allowing all ports from 1:65535 and still we get cut off as soon as the FW is enabled.

We saw this same thing happen with Firestarter and my understanding is they're using the same basic Linux FW underneath? SO, what is it we're neglecting to do? Why does the FW completely seal off our LAN connection no matter what we've told it to allow?

Ultimately, here's the layout we're after:

Internet (T1) <> Firewalled Ubuntu <> LAN

Thanks in advance!
 
Old 10-07-2010, 03:51 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910
Quote:
Originally Posted by pmascari View Post
Extreme Newb here so please be kind. My office is full of Macs and Windows boxes. My IT staff and I only "dabble" in Linux when we get a chance.

So, we're trying to build a simple Firewall/Gateway out of Ubuntu. We have a machine with 2 NICs running the latest version: 10.04.

We have been able to set up the gateway/routing fine using both the built in Internet Connection Sharing as well as using Guidedog. The current setup we are testing is using Guidedog.

For the NICs we have set eth0 as our internet connection and eth1 connects to the LAN. We've manually set all IPs...no DHCP at this time.

Next we try to install a firewall. We have tried both Firestarter and Guarddog. After setup with either, the Ubuntu box is still able to get online and access web sites but the LAN gets cut off. No access at all. We are currently running Guarddog and have set the proper protocols (DNS, HTTP, HTTPS) and have also followed the tutorial found here.

However, no matter what settings we make as soon as we re-enable the firewall the LAN is cut off. Disable the FW...LAN is back online. We even set up an "Allow All" protocol allowing all ports from 1:65535 and still we get cut off as soon as the FW is enabled.

We saw this same thing happen with Firestarter and my understanding is they're using the same basic Linux FW underneath? SO, what is it we're neglecting to do? Why does the FW completely seal off our LAN connection no matter what we've told it to allow?

Ultimately, here's the layout we're after:

Internet (T1) <> Firewalled Ubuntu <> LAN

Thanks in advance!
Hi, welcome to LQ!

You're quite right - all (well, almost) firewalling programs
for Linux are merely front-ends to iptables. At the end of
the day the rule-set your tool creates will be translated
into iptables rules, which then enforces them.

To assess what's happening with your config I suggest you
run
Code:
iptables -L
and post the results here.


Cheers,
Tink
 
Old 10-07-2010, 04:06 PM   #3
pmascari
LQ Newbie
 
Registered: Oct 2010
Posts: 2

Original Poster
Rep: Reputation: 0
Results of iptables -L

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- sdsinc-sightmax 10.55.1.255
ACCEPT all -- 10.42.43.1 10.42.43.255
logaborted tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp flags:RST/RST
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
nicfilt all -- anywhere anywhere
srcfilt all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
srcfilt all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
s1 all -- anywhere anywhere

Chain f0to1 (5 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:tcpmux:65535 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpts:tcpmux:65535 state NEW
logdrop all -- anywhere anywhere

Chain f0to2 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:tcpmux:65535 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpts:tcpmux:65535 state NEW
logdrop all -- anywhere anywhere

Chain f1to0 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:https state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:ftp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpts:tcpmux:65535 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpts:tcpmux:65535 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:www state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:http-alt state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8008 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8000 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8888 state NEW
logdrop all -- anywhere anywhere

Chain f1to2 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:tcpmux:65535 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpts:tcpmux:65535 state NEW
logdrop all -- anywhere anywhere

Chain f2to0 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:https state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpts:tcpmux:65535 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpts:tcpmux:65535 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:www state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:http-alt state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8008 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8000 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8888 state NEW
logdrop all -- anywhere anywhere

Chain f2to1 (5 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:tcpmux:65535 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpts:tcpmux:65535 state NEW
logdrop all -- anywhere anywhere

Chain logaborted (1 references)
target prot opt source destination
logaborted2 all -- anywhere anywhere limit: avg 1/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '

Chain logaborted2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain logdrop (8 references)
target prot opt source destination
logdrop2 all -- anywhere anywhere limit: avg 1/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
DROP all -- anywhere anywhere

Chain logdrop2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROPPED '
DROP all -- anywhere anywhere

Chain logreject (0 references)
target prot opt source destination
logreject2 all -- anywhere anywhere limit: avg 1/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere

Chain logreject2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `REJECTED '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere

Chain nicfilt (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
logdrop all -- anywhere anywhere

Chain s0 (1 references)
target prot opt source destination
f0to1 all -- anywhere alien-ubuntu.sds.local
f0to1 all -- anywhere 10.55.1.255
f0to1 all -- anywhere 10.42.43.1
f0to1 all -- anywhere 10.42.43.255
f0to1 all -- anywhere localhost
f0to2 all -- anywhere 192.168.1.0/24
logdrop all -- anywhere anywhere

Chain s1 (1 references)
target prot opt source destination
f1to2 all -- anywhere 192.168.1.0/24
f1to0 all -- anywhere anywhere

Chain s2 (1 references)
target prot opt source destination
f2to1 all -- anywhere sdsinc-sightmax
f2to1 all -- anywhere 10.55.1.255
f2to1 all -- anywhere 10.42.43.1
f2to1 all -- anywhere 10.42.43.255
f2to1 all -- anywhere localhost
f2to0 all -- anywhere anywhere

Chain srcfilt (2 references)
target prot opt source destination
s2 all -- 192.168.1.0/24 anywhere
s0 all -- anywhere anywhere
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
ICS-- wired Ubuntu 7.10 to vista over ad hoc wifi hydroscrog Linux - Wireless Networking 3 01-10-2008 09:24 PM
[help] ubuntu: configuring ics on it kazi090 Linux - Newbie 2 11-27-2007 04:15 AM
XP to Ubuntu ICS : file configuration query. uncle-c Linux - Networking 19 11-09-2007 04:23 PM
Firewall / ICS asafku Linux - Security 3 08-17-2006 01:28 PM


All times are GMT -5. The time now is 08:25 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration