LinuxQuestions.org, Linux - Security forum
Old 09-02-2004, 11:51 AM   #1
DrNeil
Member
 
Registered: Aug 2004
Location: Scotland
Distribution: Debian, Suse, Knoppix, Dyna:bolic, Mandrake [couple of years ago], Slackware [1993 or so]
Posts: 150

Rep: Reputation: 15
Console OUTPUT Strange rc.firewall


Hi, I am kind of meddling around with the rc.firewall script
http://www.linuxguruz.com/iptables/s...rewall_023.txt

2 things

1.) We have our own name service running.

# DNS
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT
# DNS
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT

I hoped that this would be covered by the above lines,

but with the firewall up nslookup doesn't work any more and ssh becomes very slow (I assume because there is no name service and it falls back to IP). I have the usual hosts.allow/hosts.deny things in. I also have IP address range filtering in, so I assume that's why it still lets me in even if the DNS goes AWOL.

If I have understood this right anyway, since I am new to firewalls.

How do I get DNS/named working in iptables, besides the above lines?


2.) Next thing. Our ISP offers console login via ssh; funnily enough, this is now linked to /etc/log/warn like on a desktop system.

I.e. the output generated by firewall 23, as documented in the file, is now on the console. Fine for normal desktop systems, but I don't want it there.
fp=TCP:1 a=DROP IN=eth0 OUT= MAC=x SRC=x DST=x LEN=64 TOS=0x00 PREC=0x00 TTL=125 ID=22108 DF PROTO=TCP SPT=3984 DPT=135 WINDOW=16960 RES=0x00 SYN URGP=0

I run a non-desktop service. I have no idea how the ISP does this; I assume I have to ask. And HOW can I allow ttyS0 access for ssh in the firewall and switch the warnings off? The access is twofold: first an ISP-determined login, which is then channelled to ttyS0.

Hope my comments weren't too newbie, and if they are, please teach me.
 
Old 09-02-2004, 11:53 AM   #2
DrNeil (Original Poster)
guess for ttyS0:

# SSH serial
$IPTABLES -A INPUT -i ttyS0 -p tcp --dport 22 -j TCPACCEPT
$IPTABLES -A INPUT -i ttyS0 -p udp --dport 22 -j ACCEPT
# SSH serial
$IPTABLES -A OUTPUT -o ttyS0 -p tcp --sport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o ttyS0 -p udp --sport 22 -j ACCEPT


Am I correct?

Last edited by DrNeil; 09-02-2004 at 11:54 AM.
 
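An added example for the two halves of question 2 in the first post and for the ttyS0 rules just above (not code from the thread or from rc.firewall). It shows why the firewall's log lines end up on the ISP's serial console and how to keep them off it, and why a rule with `-i ttyS0` can never match: ttyS0 is a serial device, not a network interface, so iptables accepts the rule but no packet ever carries that name. IPTABLES, the log prefix and the /proc/net/dev listing are assumptions/constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from rc.firewall. IPTABLES,
# the log prefix and the interface listing below are assumptions / constructed.

IPTABLES=${IPTABLES:-iptables}

# printk levels: 0 emerg, 1 alert, 2 crit, 3 err, 4 warning, 5 notice,
# 6 info, 7 debug. The kernel copies a message to the console when its
# level is numerically LOWER than console_loglevel, the first field of
# /proc/sys/kernel/printk (default "7 4 1 7"). iptables' LOG target logs
# at warning (4) unless told otherwise, so every logged packet is echoed
# to whatever the console is, including an ISP-provided serial console.
hits_console() {
    # $1 = message level, $2 = contents of /proc/sys/kernel/printk
    console_level=$(printf '%s\n' "$2" | awk '{ print $1 }')
    [ "$1" -lt "$console_level" ]
}

# Fix 1: log at debug (7). Still written to the log by syslogd/klogd,
# never printed to the console at the default console_loglevel.
log_rule() {
    # $1 = chain, $2 = interface, $3 = prefix (at most 29 characters)
    printf '%s -A %s -i %s -j LOG --log-level debug --log-prefix "%s"\n' \
        "$IPTABLES" "$1" "$2" "$3"
}

# Fix 2: keep the rules and raise the bar for the console instead.
# 'dmesg -n 4' shows emerg..err (0-3) only; same as writing "4 4 1 7"
# to /proc/sys/kernel/printk. Needs root, so only printed here.
quiet_console_cmd() {
    echo "dmesg -n 4"
}

# ttyS0 is a serial line, not a network interface. iptables accepts any
# string after -i/-o and stores the rule, but no packet will ever carry
# that interface name, so the rule matches nothing. Check the name against
# the kernel's interface table before writing such a rule.
iface_exists() {
    # $1 = interface name, $2 = /proc/net/dev or '-' for stdin
    grep -q "^ *$1:" "${2:-/proc/net/dev}"
}

# Constructed /proc/net/dev for the demo.
sample_net_dev() {
    cat <<'EOF'
Inter-|   Receive                |  Transmit
 face |bytes    packets errs drop|bytes    packets errs drop
    lo:  123456     789    0    0  123456     789    0    0
  eth0: 9876543   12345    0    0 1234567    9876    0    0
EOF
}

# Demo (stand-alone run):
hits_console 4 "7 4 1 7" && echo "LOG at warning reaches the console"
hits_console 7 "7 4 1 7" || echo "LOG at debug does not"
log_rule INPUT eth0 "fp=TCP:1 a=DROP "
quiet_console_cmd
sample_net_dev | iface_exists eth0 - && echo "eth0: real interface"
sample_net_dev | iface_exists ttyS0 - || echo "ttyS0: not a network interface, rule would never match"
```

Access over the ISP's serial console is decided by getty and login on that line, not by the packet filter; there is nothing for iptables to allow or block there.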
Old 09-02-2004, 12:06 PM   #3
DrNeil (Original Poster)
Another thing:

when the firewall is up I did an nmap scan

and it says domain is up:

53/TCP open domain ISC BIND 8.3.4-REL



I have to say another guy on our system did the whole named and zone load, and I am not so sure if he did it OK.


The next thing would anyway be to make version scanning ineffective. At least the OS version scanning goes AWOL with that rule set. Still, is there any way to kill version scanning on ports? The nmap docs didn't offer much, or I overlooked it.

Last edited by DrNeil; 09-02-2004 at 12:07 PM.
 
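An added example for the version-scanning question above (not from the thread). nmap's "ISC BIND 8.3.4-REL" is not guessed from packet timing; it is the answer to a TXT query for version.bind in the CHAOS class, and the string is set in named.conf, not in iptables. The server name is hypothetical and the dig answers in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The server name is hypothetical and the
# dig answers used in the demo are constructed.

# nmap's "ISC BIND 8.3.4-REL" comes from one query, the same one you can
# send by hand: the TXT record for version.bind in the CHAOS class.
probe_version_bind() {
    # $1 = nameserver; needs network access, so not run in the demo
    dig +short @"$1" version.bind txt chaos
}

# Classify a version.bind answer ('dig +short' output: a quoted TXT string
# or nothing). Returns 0 when it reveals a real version number.
version_leaked() {
    ans=$(printf '%s' "$1" | tr -d '"')
    case "$ans" in
        "")             return 1 ;;   # no answer, refused or timed out
        *[0-9].[0-9]*)  return 0 ;;   # "8.3.4-REL", "9.2.4" and friends
        *)              return 1 ;;   # an operator-chosen string
    esac
}

# The knob is in named.conf, not in iptables: 'version' in the options
# block replaces the string named answers with. The port itself stays
# open (TCP 53 is still needed for answers over 512 bytes and for zone
# transfers); only the free banner goes away, nmap still reports
# "53/tcp open domain".
named_conf_options() {
    cat <<'EOF'
options {
    // hypothetical override; any string that is not a version number will do
    version "not available";
};
EOF
}

# Demo on constructed answers (stand-alone run):
for ans in '"8.3.4-REL"' '"not available"' ''; do
    if version_leaked "$ans"; then
        printf 'leaks:  %s\n' "$ans"
    else
        printf 'hidden: %s\n' "${ans:-<no answer>}"
    fi
done
named_conf_options
```

After reloading named, re-run the probe against your own server; if the answer is your chosen string, the nmap service line will show that string instead of the BIND release.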
Old 09-02-2004, 12:22 PM   #4
DrNeil (Original Poster)
OK, dig @ourserver tells me named is up for the outside and gives the right answers,

but nslookup asking a *rz-ip.net non-authoritative goes AWOL if the firewall is up.

On which port does that go out, or what do I have to do to get that working?
 
Old 09-02-2004, 01:16 PM   #5
DrNeil (Original Poster)
Tried port forwarding on 53 for that external nameserver, to no avail.

Entered the unauthoritative DNS host in /etc/hosts:

no effect.

##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT

(there from the beginning)

No effect.
 
Old 09-02-2004, 01:25 PM   #6
DrNeil (Original Poster)
Rechecked with dig internally; nothing goes out to the default DNS server:

res_nsend

Which port, and how does that go out?

NB: I have checked Google.
 
Old 09-02-2004, 01:45 PM   #7
DrNeil (Original Poster)
Extended port forwarding to UDP.

I get:

nslookup: Can't find server name for address xx.xx.xx.xx: no response from server

dig: res_nsend to server default -- xx.xx.xx.xx: Connection timed out


I thought if xx.xx.xx.xx is in /etc/hosts that would be enough in this case :\

Last edited by DrNeil; 09-02-2004 at 01:48 PM.
 
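An added example for question 1 in the first post and for the timeouts in posts #4 to #7 (not the thread's rc.firewall script; the IPTABLES, EXTIF and UNPRIVPORTS values are assumptions). The rules quoted in the first post let the box answer DNS queries but say nothing about the queries the box itself sends, which is the direction nslookup, dig and sshd's reverse lookup use; the example prints both halves and includes a check you can run against your own rule listing.

```shell
#!/bin/sh
# Added example, not the thread's rc.firewall. Variable names follow the
# script's convention (IPTABLES, EXTIF, UNPRIVPORTS); the values are
# assumptions for this demo. Nothing is applied: the functions print rules,
# which you can review and, as root, pipe into sh.

IPTABLES=${IPTABLES:-iptables}
EXTIF=${EXTIF:-eth0}
UNPRIVPORTS=${UNPRIVPORTS:-1024:65535}

# The two directions the thread's rules already cover: the box as DNS
# *server*. Queries arrive at dport 53, answers leave from sport 53.
dns_server_rules() {
    cat <<EOF
$IPTABLES -A INPUT  -i $EXTIF -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT  -i $EXTIF -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
EOF
}

# The two directions they miss: the box as DNS *client* (nslookup, dig,
# sshd's reverse lookup of the connecting address, named's own recursion).
# A query leaves from an unprivileged source port TO dport 53 and the
# answer comes back FROM sport 53. With a DROP policy on OUTPUT/INPUT the
# resolver retries until it times out: that is dig's "Connection timed
# out" and the slow ssh login. Locally generated packets never traverse
# FORWARD, so FORWARD rules for the internal LAN cannot help, and
# /etc/hosts only maps names to addresses on this host; it never sends a
# query anywhere. (named can be told with query-source to send from port
# 53, which the server rules would match; the libc resolver behind
# nslookup and dig always uses an unprivileged port.)
dns_client_rules() {
    cat <<EOF
$IPTABLES -A OUTPUT -o $EXTIF -p udp --sport $UNPRIVPORTS --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport $UNPRIVPORTS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT  -i $EXTIF -p udp --sport 53 --dport $UNPRIVPORTS -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT  -i $EXTIF -p tcp --sport 53 --dport $UNPRIVPORTS -m state --state ESTABLISHED -j ACCEPT
EOF
}

all_dns_rules() {
    dns_server_rules
    dns_client_rules
}

# Self-check for a rule listing read from stdin (this script's output or
# 'iptables -S'): prints the DNS directions that are missing and fails if
# any is. Only UDP is checked; TCP mirrors it.
check_dns_coverage() {
    rules=$(cat)
    missing=""
    has() { printf '%s\n' "$rules" | grep -q -- "$1"; }
    has '-A INPUT .*-p udp .*--dport 53'  || missing="$missing in-query"
    has '-A OUTPUT .*-p udp .*--sport 53' || missing="$missing out-answer"
    has '-A OUTPUT .*-p udp .*--dport 53' || missing="$missing out-query"
    has '-A INPUT .*-p udp .*--sport 53'  || missing="$missing in-answer"
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Demo (stand-alone run): the server-only set fails the check, the full
# set passes.
echo "# server-only rules, missing: $(dns_server_rules | check_dns_coverage)"
all_dns_rules
all_dns_rules | check_dns_coverage >/dev/null && echo "# all four DNS directions covered"
```

The check is deliberately loose (it greps a listing rather than parsing it), which is enough to spot the one-sided rule sets that produce the symptoms in this thread; run it as `iptables -S | check_dns_coverage` once the functions are sourced.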
Old 09-02-2004, 02:32 PM   #8
DrNeil (Original Poster)
Now it suddenly works with the firewall up.

ssh still taking ages, though ...

Me not trusting this AT ALL.
 
Old 09-02-2004, 08:37 PM   #9
DrNeil (Original Poster)
Quote:
Originally posted by DrNeil
guess for ttyS0:

# SSH serial
$IPTABLES -A INPUT -i ttyS0 -p tcp --dport 22 -j TCPACCEPT
# SSH serial
$IPTABLES -A OUTPUT -o ttyS0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Just for completeness, and for posterity, on my monologue:

This seems to work.

The nameserver issue has cleared up after a named reload.
 
All times are GMT -5.