Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Rule order can be a real "gotcha" sometimes. The -I option will insert the rule at the beginning of the firewall while -A will "append" it to the bottom. So I'm guessing you had a rule earlier on in the firewall that was dropping or rejecting packets before they got to your rule. You can use -A, but you'd need to modify your firewall script and put that rule towards the top.
By the way, you'll need to save your modified firewall rules otherwise the firewall will reset after a reboot. How to save your rules can vary depending on your distro, so which one are you using?
So, do you mean its not enough if I just add that line to the firewall script? If I will reboot, when firewall will be launched, then that line would be executed too, right?
I use a custom firewall, nothing fancy (didnt really get what you mean by that sir), and distro is slackware, firewall resides in /etc/rc.d/rc.firewall
So, do you mean its not enough if I just add that line to the firewall script? If I will reboot, when firewall will be launched, then that line would be executed too, right?
If you are adding it to a script, then yes it should be loaded on boot. I wasn't sure if you were doing that or just running the command from the command line. So you should be all set.
It would probably help if you posted your firewall script, but based on the above I'd guess that the problem has to do with rule order. Since you're using the -I option, whichever rule is entered last is inserted at the top. Like this:
Here is our example firewall script:
iptables -A rule X
iptables -A rule Y
iptables -A rule Z
If you look at the order these rules appear in the actual firewall, it will look like this:
rule X
rule Y
rule Z
So when a packet is received, it will be processed in the order X->Y->Z
So let's add your first rule (the one with the ACCEPT target), which I'll just call rule 1:
iptables -A rule X
iptables -A rule Y
iptables -A rule Z
iptables -I rule 1
Since that rule uses the -I option it is added to the beginning of the firewall, so if you look at the rule order in the firewall using iptables -L you would see this:
rule 1
rule X
rule Y
rule Z
And packets would be processed in the order 1->X->Y->->Z
Now add the second rule (the one that drops packets from the rest of the LAN) which I'll call rule 2:
iptables -A rule X
iptables -A rule Y
iptables -A rule Z
iptables -I rule 1
iptables -I rule 2
This time the firewall looks like this:
rule 2
rule 1
rule X
rule Y
rule Z
So rule 2 is actually coming before rule 1 and packets are processed like this 2->1->X->Y->Z. So all our packets are getting dropped.
Now just to use an example in order to clarify -I vs -A, say you had a third rule (rule 3) and you decided to use -A instead. You enter the rules like this:
iptables -A rule X
iptables -A rule Y
iptables -A rule Z
iptables -I rule 1
iptables -I rule 2
iptables -A rule 3
When you look at the firewall, it would look like this:
rule 2
rule 1
rule X
rule Y
rule Z
rule 3
and our packets would get process in the order 2->1->X->Y->Z->3
Hopefully that clears up -A vs -I and rule ordering a bit.
You can fix this by switching the order you are entering rule 1 and 2 or what you really should do is use the -A option for *all* the rules, but just make sure everything is in the proper order. If you post your firewall ruleset, I'll give you a hand doing that. Make sure to remove any public IP addresses from your rules before posting.
The firewall I use its "inherited" if i can say so from the former network administrator, who is a good friend of mine but he will be gone for the next 4 months out of the country so he cannot help me much. His firewall is much "scripted" and "automated" - hey, im the newbie here - think he has declared some variables like nat...internal interface, ext interface, spoof, DOS protection, syn.. etc.. etc... and using those. I think this is the part where the firewall does not need to be modified. BUT the firewall loads a file called "custom-rules" where I'm supposed to be able to insert some rules...the custom-rules file is not loaded neither at the beginning or the end of the firewall execution script... somewhere in the middle (after some spoofing/dos/syn protection thingy)
I think I have tried adding the rules with -A instead of -I to that custom-rules file.. restarted firewall but I think it didnt work.... have not tried using -I and reversing the order as you suggested because I'm not logged into that machine, but I might be able to try it tomorrow.
been tampering with the firewall (the custom-rules part I have) after you were so kind to explain to me the order and using -A INPUT to allow ssh from one ip then -A INPUT to deny for the rest of the LAN. Actually at first i was just adding the rules from command line and they didnt seem to work. After I inserted those lines into the custom-rules and restarting the firewal... TADAAAA.. it was working.
Think you heard that before, but you rule Capt_Caveman
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
- think he has declared some variables like nat...internal interface, ext interface, spoof, DOS protection, syn.. etc.. etc... and using those. I think this is the part where the firewall does not need to be modified. BUT the firewall loads a file called "custom-rules" where I'm supposed to be able to insert some rules...the custom-rules file is not loaded neither at the beginning or the end of the firewall execution script... somewhere in the middle (after some spoofing/dos/syn protection thingy)
