LinuxQuestions.org
Old 11-03-2007, 03:50 PM   #1
GeneralDark
Member
 
Registered: Nov 2007
Location: Sweden
Distribution: Gentoo 2007
Posts: 32

Rep: Reputation: 15
Blocking almost everything with iptables


Hello.
For several days I've been trying to create firewall rules in iptables for my router. I've tried several scripts found on the net but I can't get it to work.
What I want it to do is to:

*Deny everything from the outside, except a few specified rules (like established connections and such)
*Deny all traffic out, except the traffic on a few specified ports
*Masquerade the local LAN

Example: I want to be able to ssh (doesn't matter on what port) to the firewall.
I also want the firewall to block all the traffic from the inside that I haven't allowed, in case one of the machines gets compromised.

I would like to point out that I'll happily write the rules myself, to hopefully learn something, so if someone could explain how to do it, it would be really appreciated. If you want to write the rules anyway, if that's easier, that's fine. Please just try to have a few comments explaining what they do.

I'm posting my own rules here, for you to take a look if you like.
Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -N logdrop
iptables -A logdrop -j LOG
iptables -A logdrop -j DROP

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW NOT SYN "
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

iptables -A INPUT --source 192.168.0.0/24 -j DROP
iptables -A INPUT --source 172.16.0.0/16 -j DROP

iptables -A INPUT --in-interface lo --source 127.0.0.0/8 -j ACCEPT

iptables -A INPUT --in-interface ! lo --source 127.0.0.0/8 -j DROP

iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT

#SSH
iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
iptables -A OUTPUT -p tcp --destination-port 22 -j ACCEPT

#WWW
iptables -A OUTPUT -p tcp --destination-port 80 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -j logdrop
Hopefully someone understands my question and knows how to help me.
Sorry for my bad English.
Thanks in advance.
 
Old 11-03-2007, 04:27 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Here's a script to get you started (based on the one I use myself at home):
Code:
#!/bin/sh

IPT="/sbin/iptables"
LAN_IFACE="eth1"
WAN_IFACE="eth0"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

# The ubiquitous INPUT rules:
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# Make sure any incoming TCP packets of state NEW are proper SYNs:
$IPT -A INPUT -p TCP ! --syn -m state --state NEW -j LOG --log-prefix "NEW NOT SYN: "
$IPT -A INPUT -p TCP ! --syn -m state --state NEW -j DROP

# Allow SSH from the LAN to this box:
$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 22 -m state --state NEW -j ACCEPT

# Allow SSH from the WAN (Internet) to this box:
#$IPT -A INPUT -p TCP -i $WAN_IFACE --dport 22 -m state --state NEW -j ACCEPT

# Log other packets before they get sent to DROP by our policy:
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

# The ubiquitous OUTPUT rules:
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow this box to surf the WWW:
$IPT -A OUTPUT -p TCP -o $WAN_IFACE --dport 80 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o $WAN_IFACE --dport 443 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p UDP -o $WAN_IFACE --dport 53 -m state --state NEW -j ACCEPT

# Log other packets before they get sent to DROP by our policy:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "

# The ubiquitous FORWARD rule:
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow boxes on the LAN to surf the WWW:
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE --dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE --dport 53 -m state --state NEW -j ACCEPT

# Log other packets before they get sent to DROP by our policy:
$IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

# Do IP masquerading for boxes on the LAN:
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
Let me know if you have any questions. BTW, what distro are you using (maybe add it to your profile)?

Last edited by win32sux; 11-03-2007 at 04:34 PM.
 
Old 11-04-2007, 11:41 AM   #3
GeneralDark
Member
 
Registered: Nov 2007
Location: Sweden
Distribution: Gentoo 2007
Posts: 32

Original Poster
Rep: Reputation: 15
thx a lot for the rules
I'm using Gentoo 2007.
I'll try the rules out and come back to tell how it went
 
Old 11-04-2007, 03:59 PM   #4
GeneralDark
Member
 
Registered: Nov 2007
Location: Sweden
Distribution: Gentoo 2007
Posts: 32

Original Poster
Rep: Reputation: 15
Ok, so I copied the rules and made the script executable.
There's one but, though: when I execute the script nothing happens.
iptables -L doesn't show anything, and by that I mean nothing at all. There's just a "new line" after that. Not the usual text about the different chains and such. What am I doing wrong?
It's not only this script that acts like this btw.
Edit: Forgot to say that even the scripts that used to work (even if I managed to lock myself out with them) aren't working.

Tried making a normal script with:
Code:
#!/bin/bash
echo "hello"
That worked, so I guess there's something wrong with my scripts.
I've tried substituting all $IPT with iptables and so on, still nothing.

Thanks for help if anyone has experience with this; all iptables scripts work like this. Sorry if this is in the wrong forum.

Last edited by GeneralDark; 11-04-2007 at 04:23 PM.
 
Old 11-04-2007, 04:10 PM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
You don't need to replace the $IPTs. Just make sure the IPT="" at the top has the right path to your iptables binary. Do you not get some sort of error message when you execute? You're doing this as root, right? Ummm... wait a second... You're saying you get absolutely nothing when you do a "iptables -L"? Something is definitely not right somewhere. Does your kernel have proper iptables support? Not sure what could be wrong.

PS: I just tested the script and it executes fine here.

Last edited by win32sux; 11-04-2007 at 07:01 PM. Reason: Spelling fixes.
 
Old 11-04-2007, 04:41 PM   #6
GeneralDark
Member
 
Registered: Nov 2007
Location: Sweden
Distribution: Gentoo 2007
Posts: 32

Original Poster
Rep: Reputation: 15
I do have proper support for iptables I think, at least I have almost everything loaded into the kernel (from iptables).
Let's just say I've compiled the kernel for as much support for iptables as possible. Also, I've compiled it for DNS and DHCP support if that could help in any way in figuring this problem out.

Is there any way to post my kernel config? Except for cat /usr/src/linux/.config (since it's _very_ long and doesn't really say anything if you don't know the names of the modules).
Thanks in advance.

Edit: Yes, I'm doing this as root. And I get absolutely nothing from executing the scripts.

Last edited by GeneralDark; 11-04-2007 at 04:44 PM.
 
Old 11-04-2007, 06:50 PM   #7
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
The whole config would be too large to post. Maybe grep it for "NETFILTER" and stuff like that. Here's mine FWIW:
Code:
win32sux@candystore:~$ cat /boot/config-2.6.22-14-generic | grep NETFILTER
CONFIG_BRIDGE_NETFILTER=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
win32sux@candystore:~$
Code:
win32sux@candystore:~$ cat /boot/config-2.6.22-14-generic | grep IPTABLES
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP6_NF_IPTABLES=m
win32sux@candystore:~$
Code:
win32sux@candystore:~$ cat /boot/config-2.6.22-14-generic | grep _NF_
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
# CONFIG_NF_CONNTRACK_SANE is not set
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CT_PROTO_GRE=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_TFTP=m
CONFIG_DECNET_NF_GRABULATOR=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_MATCH_AH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_MH=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IPV6=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CT_PROTO_SCTP=m
CONFIG_NF_NAT_H323=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_SNMP_BASIC=m
win32sux@candystore:~$

Last edited by win32sux; 11-04-2007 at 07:07 PM.
 
Old 11-05-2007, 04:11 AM   #8
GeneralDark
Member
 
Registered: Nov 2007
Location: Sweden
Distribution: Gentoo 2007
Posts: 32

Original Poster
Rep: Reputation: 15
Solved it
After recompiling iptables it works again
Thx for the help=)
 
Old 11-07-2007, 11:13 AM   #9
GeneralDark
Member
 
Registered: Nov 2007
Location: Sweden
Distribution: Gentoo 2007
Posts: 32

Original Poster
Rep: Reputation: 15
Ok, sorry to be back. The problem is that I can't do anything but ssh on the WAN interface, in and out. When trying to ping or surf or whatever it always times out. When I remove the rules, everything is fine again. I admit, I did edit the script but only stuff that I thought was safe... However when I try to ping or nslookup on a DNS name it finds the IP address of the DNS name, even those that I haven't visited, so apparently some traffic is going out and back. Also when I try to surf, links is trying to connect so I guess the packets are going to the server but not back.
While trying to fix this firewall I'm behind a hardware router; this is how it looks:
http://static3.filefront.com/images/...rrmgueohyr.jpg

After editing the script to the following, both my friends and I have tried to figure out what's wrong:
Code:
#!/bin/sh

IPT="/sbin/iptables"
LAN_IFACE="eth0"
WAN_IFACE="eth1"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

# The ubiquitous INPUT rules:
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# Make sure any incoming TCP packets of state NEW are proper SYNs:
$IPT -A INPUT -p TCP ! --syn -m state --state NEW -j LOG --log-prefix "NEW NOT SYN: "
$IPT -A INPUT -p TCP ! --syn -m state --state NEW -j DROP

# Allow SSH from the LAN to this box:
$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 22 -m state --state NEW -j ACCEPT

# Allow SSH from the WAN (Internet) to this box:

# Log other packets before they get sent to DROP by our policy:
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
# The ubiquitous OUTPUT rules:
$IPT -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow this box to surf the WWW:
$IPT -A OUTPUT -p TCP -o $WAN_IFACE --dport 80 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o $WAN_IFACE --dport 443 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p UDP -o $WAN_IFACE --dport 53 -m state --state NEW -j ACCEPT
#$IPT -A OUTPUT -p TCP -o $WAN_IFACE --dport 53 -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -p tcp -o $WAN_IFACE --dport 'rsync' -m state --state NEW -j ACCEPT

# Log other packets before they get sent to DROP by our policy:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "

# The ubiquitous FORWARD rule:
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow boxes on the LAN to surf the WWW:
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE --dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE --dport 53 -m state --state NEW -j ACCEPT

#Allow services @ LAN -> WAN
#Torrent
$IPT -A FORWARD -p tcp -i $LAN_IFACE -o $WAN_IFACE --dport 58052 -m state --state NEW -j ACCEPT
#IRC
$IPT -A FORWARD -p tcp -i $LAN_IFACE -o $WAN_IFACE --dport 'ircd' -m state --state NEW -j ACCEPT
#MSN
$IPT -A FORWARD -p tcp -i $LAN_IFACE -o $WAN_IFACE --dport 1863 -m state --state NEW -j ACCEPT
#ICQ
$IPT -A FORWARD -p tcp -i $LAN_IFACE -o $WAN_IFACE --dport 5190 -m state --state NEW -j ACCEPT

#Portforward
#Torrent
$IPT -t nat -A PREROUTING -i eth1 -p tcp -d 58052 -j DNAT --to 10.0.0.50:58052
$IPT -A FORWARD -i eth1 -o eth0 -p tcp -d 10.0.0.50 -j ACCEPT
$IPT -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 10.0.0.50

#Remote desktop
$IPT -t nat -A PREROUTING -i eth1 -p tcp -d 3398 -j DNAT --to 10.0.0.50:3389
$IPT -A FORWARD -i eth1 -o eth0 -p tcp -d 10.0.0.50 -j ACCEPT
$IPT -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 10.0.0.50

# Log other packets before they get sent to DROP by our policy:
$IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

# Do IP masquerading for boxes on the LAN
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
Thankful for a bit more help

Edit: How do I link images? :S [img] doesn't work like in phpBB...

Last edited by GeneralDark; 11-07-2007 at 11:20 AM.
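An added example, written for this thread and not posted by either participant: a corrected form of the "Portforward" section of the script above. It assumes the poster's layout (eth1 = WAN, eth0 = LAN, 10.0.0.50 as the LAN host) and the public ports the script already names; nothing else about the network is known. Two details in the posted section would keep it from doing what the comments say. iptables' -d takes an address, so "-d 58052" puts a port in the address slot (the port belongs in --dport, together with -p tcp). And "-j SNAT --to-source 10.0.0.50" on the WAN interface rewrites the source of every new connection leaving eth1 to a LAN address the upstream router cannot reply to; because NAT is decided on the first packet of a connection, inbound SSH (whose first packet arrives rather than leaves) is unaffected, which is consistent with the symptom described above. The MASQUERADE rule at the end of the script already provides the outbound NAT, so the helper below emits no SNAT at all.

```shell
#!/bin/sh
# Added example (not from the thread): corrected port-forward rules.
# Assumed layout, taken from the poster's script: eth1 = WAN, eth0 = LAN,
# 10.0.0.50 = the LAN box that receives the forwarded ports.
IPT="${IPT:-/sbin/iptables}"
WAN_IFACE="${WAN_IFACE:-eth1}"
LAN_IFACE="${LAN_IFACE:-eth0}"
# Rules are only printed unless DRY_RUN=0 is set in the environment.
DRY_RUN="${DRY_RUN:-1}"

# is_port NUM: true only for a plain port number 1..65535. iptables' -d
# takes an address, so a bare port there is a script error, not a match.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# portforward_rules PUBLIC_PORT LAN_HOST LAN_PORT
# Prints the two rules one inbound TCP forward needs: a DNAT in
# nat/PREROUTING for packets arriving on the WAN, and a FORWARD accept
# for the rewritten packet. No SNAT is added: the script's MASQUERADE rule
# handles the LAN's outbound traffic, and an SNAT to a LAN address on the
# WAN interface would give every outgoing connection an unroutable source.
portforward_rules() {
    pub_port="$1"; lan_host="$2"; lan_port="$3"
    is_port "$pub_port" && is_port "$lan_port" || {
        echo "portforward_rules: bad port: $pub_port -> $lan_port" >&2
        return 1
    }
    printf '%s\n' \
      "$IPT -t nat -A PREROUTING -i $WAN_IFACE -p tcp --dport $pub_port -j DNAT --to-destination $lan_host:$lan_port" \
      "$IPT -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -p tcp -d $lan_host --dport $lan_port -m state --state NEW -j ACCEPT"
}

# apply_portforwards: the two forwards from the poster's script, printed
# (DRY_RUN=1, the default) or executed (DRY_RUN=0).
apply_portforwards() {
    {
        portforward_rules 58052 10.0.0.50 58052   # Torrent
        portforward_rules 3398  10.0.0.50 3389    # Remote desktop
    } | while IFS= read -r rule; do
        if [ "$DRY_RUN" != 0 ]; then
            echo "$rule"
        else
            $rule
        fi
    done
}

apply_portforwards
```

Run it as-is to review the generated rules; run it with DRY_RUN=0 as root to load them. The FORWARD accept is restricted to the forwarded port, so the LAN host is not reachable from the WAN on anything else.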
 
Old 11-07-2007, 12:06 PM   #10
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by GeneralDark
Ok, sorry to be back. The problem is that I cant do anything but ssh on the WAN interface, in and out.
Is this on the router itself or on LAN clients?

Quote:
When trying to ping or surf or whatever it always timeout.
Well, the ping timeout is understandable, as there are no rules allowing pings. In any case, the script I posted logs any packet which is filtered, so take a look at the log file while attempting to surf in order to see what is happening. If you post the relevant lines from the log, we can help determine why it is happening.
 
Old 11-07-2007, 03:05 PM   #11
GeneralDark
Member
 
Registered: Nov 2007
Location: Sweden
Distribution: Gentoo 2007
Posts: 32

Original Poster
Rep: Reputation: 15
I am SSHing from the other machine in the picture, 192.168.0.2, into the Gentoo router's WAN interface.
Sorry that it didn't cross my mind to check the logs, should have been obvious... Anyway, here's the output of it:
Code:
Nov  7 22:00:01 firewall cron[32202]: PAM [dlerror: /lib/security/pam_limits.so: symbol pam_syslog, version LIBPAM_EXTENSION_1.0 not defined in file libpam.so.0 with link time reference]
Nov  7 22:00:01 firewall cron[32202]: PAM adding faulty module: /lib/security/pam_limits.so
Nov  7 22:00:01 firewall cron[32202]: Module is unknown
Am I reading this correctly that I would need another module in the kernel?
/var/log/messages is the correct file to read, right?
/var/log/dmesg contains the following (I only pasted the last lines):
Code:
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (4096 buckets, 16384 max)
ctnetlink v0.93: registering with nfnetlink.
ip_tables: (C) 2000-2006 Netfilter Core Team
ClusterIP Version 0.8 loaded successfully
arp_tables: (C) 2002 David S. Miller
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
Using IPI Shortcut mode
kjournald starting.  Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
VFS: Mounted root (ext3 filesystem) readonly.
Freeing unused kernel memory: 284k freed
EXT3 FS on hda3, internal journal
EXT2-fs warning (device hda1): ext2_fill_super: mounting ext3 filesystem as ext2
Adding 498004k swap on /dev/hda2.  Priority:-1 extents:1 across:498004k
I don't find anything in any of them that's interesting, really. The PAM thing is the login system, right?

btw, can I have the logs from iptables in a separate logfile?

Last edited by GeneralDark; 11-07-2007 at 03:22 PM.
 
Old 11-07-2007, 05:04 PM   #12
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Actually I was expecting to see "DROP" entries in the /var/log/syslog file.

You should try to SSH to the LAN side in addition to the WAN side.
 
Old 11-08-2007, 02:31 PM   #13
GeneralDark
Member
 
Registered: Nov 2007
Location: Sweden
Distribution: Gentoo 2007
Posts: 32

Original Poster
Rep: Reputation: 15
Did a cat /var/log/messages | grep DROP (I don't have any /var/log/syslog; the syslog-ng conf file is only referring to this file anyway).
Here are some of the results (I cut most of it and replaced my MAC addresses):
MAC with only xx = eth0 (LAN interface)
MAC with only yy = the interface in my box that's connected to the Gentoo box directly (on the Gentoo's LAN interface, eth0)
Code:
Nov  8 21:14:51 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=16883 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:14:52 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=18505 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:14:54 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=19915 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:14:57 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=22917 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:14:58 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=24555 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:00 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=25990 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:00 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=25999 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:01 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=27576 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:03 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=28963 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:03 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=28969 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:04 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=30297 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:06 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=31966 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:06 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=31971 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:07 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=33505 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:09 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=35031 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:12 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=38221 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:13 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=39679 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:15 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=41080 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:15 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=41082 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:16 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=42642 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:18 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=47474 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:18 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=47518 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:19 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=56891 PROTO=UDP SPT=137 DPT=137 LEN=76
I did find another interesting line though; it tries to, via broadcast, search for the domain (if I understood it correctly).
eth0: LAN interface
eth1: WAN interface
192.168.0.2 My comp on the WAN network (seen from the gentoobox' view)
10.0.0.100 My comp on the LAN network (seen from the gentoobox' view)
10.0.0.1 Gentoo eth0 (LAN)
firewall=Gentoobox' hostname

Edit: found the following line as well:
Code:
Nov  8 21:16:56 firewall INPUT DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.255.255.255 LEN=244 TOS=0x00 PREC=0x00 TTL=128 ID=23322 PROTO=UDP SPT=138 DPT=138 LEN=224
If I read the logs right the box is trying to find the domains on the local network

Did it bring any light?

Last edited by GeneralDark; 11-08-2007 at 02:38 PM.
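An added example, not from the thread: a small shell/awk summary of iptables LOG records, so that a wall of entries like the one above collapses to counts per chain, protocol, destination port and source, plus a filter that sets NetBIOS chatter aside. The sample lines are constructed in the format of the log above (the poster's hostname "firewall", the log prefixes from the script in this thread, the poster's 10.0.0.x addresses); the TCP 6667 and TCP 53 records and the 192.0.2.x addresses are made up to show a FORWARD and an OUTPUT drop. UDP 137 and 138 to the router's LAN address and to the broadcast address are NetBIOS name and datagram service traffic, which a Windows host on the LAN (TTL=128 is the usual Windows default) sends on its own; the router needs no Samba installed to be on the receiving end, and the INPUT chain dropping it is the expected behaviour.

```shell
#!/bin/sh
# Added example (not from the thread): summarise iptables LOG records.
# SAMPLE_LOG is constructed in the format of the poster's /var/log/messages;
# the TCP 6667/53 records and the 192.0.2.x addresses are made up.
SAMPLE_LOG='Nov  8 21:14:51 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:08:00 SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=16883 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:14:52 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:08:00 SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=18505 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:16:56 firewall INPUT DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:08:00 SRC=10.0.0.100 DST=10.255.255.255 LEN=244 TOS=0x00 PREC=0x00 TTL=128 ID=23322 PROTO=UDP SPT=138 DPT=138 LEN=224
Nov  8 21:17:10 firewall FORWARD DROP: IN=eth0 OUT=eth1 SRC=10.0.0.100 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=1234 DF PROTO=TCP SPT=49152 DPT=6667 WINDOW=8192 RES=0x00 SYN URGP=0
Nov  8 21:17:11 firewall OUTPUT DROP: IN= OUT=eth1 SRC=192.168.0.10 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=40000 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  8 21:17:12 firewall cron[32202]: PAM adding faulty module: /lib/security/pam_limits.so'

# summarize_drops < logfile
# Keeps only netfilter records (every LOG line carries "IN=" and "OUT=")
# and prints "count chain proto dport src", most frequent first. Lines
# from other daemons, like the cron/PAM noise above, are skipped.
summarize_drops() {
    awk '
        /IN=.*OUT=/ {
            chain = "?"; proto = "?"; dport = "-"; src = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "INPUT" || $i == "OUTPUT" || $i == "FORWARD") chain = $i
                else if (index($i, "PROTO=") == 1) proto = substr($i, 7)
                else if (index($i, "DPT=") == 1)   dport = substr($i, 5)
                else if (index($i, "SRC=") == 1)   src = substr($i, 5)
            }
            count[chain " " proto " " dport " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# drops_without_netbios < logfile
# The same records minus NetBIOS name/datagram service (UDP 137/138),
# which Windows hosts send on any LAN whether or not anything answers.
# On a home LAN that chatter buries the few drops that matter.
drops_without_netbios() {
    grep 'IN=.*OUT=' | grep -Ev 'PROTO=UDP SPT=13[78] DPT=13[78]( |$)'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | drops_without_netbios
```

On the real box, feed the functions with "grep DROP /var/log/messages" instead of the sample; the summary shows at a glance whether the failing traffic is being dropped in INPUT, OUTPUT or FORWARD and on which port, which is the question the thread is trying to answer.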
 
Old 11-08-2007, 03:10 PM   #14
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Those look like Samba packets. You don't have any Samba rules, so the script seems to be working as it should.
 
Old 11-08-2007, 03:29 PM   #15
GeneralDark
Member
 
Registered: Nov 2007
Location: Sweden
Distribution: Gentoo 2007
Posts: 32

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux
Those look like Samba packets. You don't have any Samba rules, so the script seems to be working as it should.
I don't have Samba installed :S
 
  


All times are GMT -5. The time now is 01:52 PM.
