Linux - Security (LinuxQuestions.org forum). This forum is for all security related questions: tips, system compromises, firewalls, etc.
OK, I'm running Mandriva 2005LE with a DSL router and two NICs, eth0 and eth1. eth0 is connected to my private LAN and eth1 is connected to the router.
I'm running named, samba, apache and squid.
I have 2 x Win2K Pro clients in my private LAN.
Here is my output from:
# netstat -ran
Kernel IP routing table
Destination     Gateway         Genmask         Flags Iface
10.0.0.0        10.0.0.138      255.255.255.0   UG    eth1
10.0.0.0        0.0.0.0         255.255.255.0   U     eth1
192.168.0.0     192.168.0.2     255.255.255.0   UG    eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     lo
0.0.0.0         10.0.0.138      0.0.0.0         UG    eth1
0.0.0.0         192.168.0.2     0.0.0.0         UG    eth0
Everything works fine on my Mandriva machine....
The problems are for my Windows clients.
From these I can:
1: access the samba share, no problems...
2: surf the net, again no problems...
3: access the local HTTP page from apache
4: use the squid proxy server
But I cannot:
1: use any P2P file share (eDonkey, LimeWire)
2: retrieve email
3: log on to Yahoo Java games.
I believe there is a problem with my firewall not having the necessary ports open for these services.
Here is a copy of my rc.firewall:
#!/bin/sh
#
# rc.firewall-2.4-stronger
FWVER=0.63s
echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"
#Setting the EXTERNAL and INTERNAL interfaces for the network
#
EXTIF="eth1"
INTIF="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo " ---"
# Specify your Static IP address here or let the script take care of it
# for you.
# Determine the external IP automatically:
# ----------------------------------------
#
EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
echo " External IP: $EXTIP"
echo " ---"
# Assign the internal TCP/IP network and IP address
INTNET="192.168.0.0/24"
INTIP="192.168.0.2/24"
echo " Internal Network: $INTNET"
echo " Internal IP: $INTIP"
echo " ---"
# The location of various iptables and other shell programs
IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
GREP=/bin/grep
AWK=/bin/awk
# Setting a few other local variables
#
UNIVERSE="0.0.0.0/0"
#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a
echo " - Loading kernel modules: ip_tables, ip_conntrack, ip_conntrack_ftp, ip_conntrack_irc, iptable_nat, ip_nat_ftp"
# modprobe resolves the module path and its dependencies itself and is a
# no-op when the module is already loaded or built into the kernel, so the
# lsmod/grep test the script used to do is not needed. The original called
# insmod by bare module name, which needs a full path with the 2.6 kernel
# module-init-tools and therefore fails on Mandriva 2005LE.
for MOD in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc iptable_nat ip_nat_ftp; do
    /sbin/modprobe $MOD || echo " WARNING: could not load $MOD"
done
echo " ---"
# Just to be complete, here is a list of the remaining kernel modules
# and their function. Most of these are loaded automatically by the
# iptables binary the first time a rule uses the match or target.
# --------------------------------------------------------------------
#
# ipt_mark / ipt_MARK - the match that tests a packet's firewall mark
# and the target that sets it (fwmark), for use by
# routing or later rules
#
# ipt_tcpmss / ipt_TCPMSS - the match on the TCP MSS option and the
# target that rewrites it, for links such as PPPoE
# or braindead remote firewalls that drop ICMP
#
# ipt_limit - this match rate-limits how often a rule can fire
# (hits per sec/min/hour), usually put in front of LOG
#
# ipt_multiport - this match takes a list of ports in one rule
# instead of one rule per port
#
# ipt_state - this match tests the connection-tracking state of a
# packet: NEW, ESTABLISHED, RELATED or INVALID
#
# ipt_unclean - this experimental (2.4 only) match catches packets with
# malformed or invalid IP/TCP headers
#
# iptable_filter - the filter table holding the INPUT, FORWARD and
# OUTPUT chains. The following targets are used
# with it:
#
# ipt_LOG - this target logs the packet to syslog and lets
# the packet continue to the next rule
#
# ipt_REJECT - this target DROPs the packet and returns
# a configurable ICMP error (or a TCP RST) to
# the sender
#
# iptable_mangle - the mangle table, used for packet alterations such
# as TCPMSS or MARK
# CRITICAL: Enable IP forwarding, which is disabled by default; without it
# the kernel never passes packets between $INTIF and $EXTIF.
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
#############################################################################
# Enable Stronger IP forwarding and Masquerading
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
echo " Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
# Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L -n | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi
# Delete all User-specified chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
#Configuring specific CHAINS for later use in the ruleset
echo " Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j DROP
echo -e "\n - Loading INPUT rulesets"
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading OUTPUT rulesets"
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading FORWARD rulesets"
echo " - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j drop-and-log-it
echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
#More liberal form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
#######################################################################
echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"
As you can see I have IP forwarding and MASQ enabled.
Any help with getting email to my clients and allowing me to get file shares to them is appreciated.
The thing with the Yahoo games would also be nice.
I think all I really need to do is open:
TCP ports 4661 and 4662
UDP port 10037
for LimeWire and eMule;
SMTP port 25
POP3 port 110
for email.
I don't know what port the Yahoo Java games use.
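The port-forwarding rules the post is asking for, written as an added example (this is my code, not part of the original post or the rc.firewall script). It assumes the interface names from the script (eth1 external, eth0 internal), the port list from the post, and a hypothetical client address 192.168.0.10 for the Windows box that runs the P2P software. The rules are printed rather than executed by default so they can be reviewed, then applied with the `apply` argument on the firewall as root.

```shell
#!/bin/sh
# Added example (not from the original post): inbound port forwarding for
# the eDonkey/eMule ports listed above.  Each forwarded port needs two rules:
#  1. nat/PREROUTING DNAT: the packet arriving on $EXTIF is re-addressed to
#     the client, so it traverses FORWARD instead of INPUT;
#  2. a FORWARD rule inserted at position 1, i.e. ahead of the script's
#     final "-A FORWARD -j drop-and-log-it", accepting that NEW connection.
EXTIF=eth1
INTIF=eth0
CLIENT=192.168.0.10          # hypothetical: the P2P client on the LAN
IPTABLES=/sbin/iptables

# fwd PROTO PORT -> prints the two rules for one forwarded port
fwd() {
  printf '%s -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$IPTABLES" "$EXTIF" "$1" "$2" "$CLIENT" "$2"
  printf '%s -I FORWARD 1 -i %s -o %s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
    "$IPTABLES" "$EXTIF" "$INTIF" "$1" "$CLIENT" "$2"
}

# p2p_rules -> the complete set for the ports named in the post
p2p_rules() {
  fwd tcp 4661
  fwd tcp 4662
  fwd udp 10037
}

# No extra rule is needed for outbound SMTP/POP3 from the LAN: the script's
# "-A FORWARD -i $INTIF -o $EXTIF -j ACCEPT" already lets every new
# connection out, and the ESTABLISHED,RELATED rule lets the replies back.

case "${1:-}" in
  apply) p2p_rules | sh ;;     # run as root on the firewall
  *)     p2p_rules ;;          # default: print the rules for review
esac
```

Two caveats a practitioner would check before blaming these rules: the script's external address is 10.0.0.1 (a private address; the default route goes to the DSL router at 10.0.0.138), so the router itself must also forward TCP 4661/4662 and UDP 10037 to 10.0.0.1 or the packets never reach eth1; and the DNAT rules belong in rc.firewall after its `MASQUERADE` line so they survive a reload, since the script flushes the nat table on every run.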
But here is the output from iptables you asked for:
Chain INPUT (policy DROP)
target           prot opt source               destination
ACCEPT           all  --  anywhere             anywhere
ACCEPT           all  --  192.168.0.0/24       anywhere
drop-and-log-it  all  --  192.168.0.0/24       anywhere
ACCEPT           all  --  anywhere             10.0.0.1             state RELATED,ESTABLISHED
drop-and-log-it  all  --  anywhere             anywhere
Chain FORWARD (policy DROP)
target           prot opt source               destination
ACCEPT           all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT           all  --  anywhere             anywhere
drop-and-log-it  all  --  anywhere             anywhere
Chain OUTPUT (policy DROP)
target           prot opt source               destination
ACCEPT           all  --  anywhere             anywhere
ACCEPT           all  --  10.0.0.1             192.168.0.0/24
ACCEPT           all  --  192.168.0.0/24       192.168.0.0/24
drop-and-log-it  all  --  anywhere             192.168.0.0/24
ACCEPT           all  --  10.0.0.1             anywhere
drop-and-log-it  all  --  anywhere             anywhere
Chain drop-and-log-it (5 references)
target           prot opt source               destination
LOG              all  --  anywhere             anywhere             LOG level info
DROP             all  --  anywhere             anywhere
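The listing above was produced with plain `iptables -L`, which hides the interface and state columns, so it is easy to misread which rule a given packet hits. The following is an added example (my code, not from the poster or the script): a small rule walker that encodes the INPUT and FORWARD chains from rc.firewall (with `drop-and-log-it` collapsed to DROP, the interfaces and addresses from the script, and the two ESTABLISHED,RELATED rules modelled as a single REPLY state) and reports the first matching rule for a few constructed packets. The remote addresses 203.0.113.5 and 198.51.100.7 are documentation addresses I made up for the example.

```shell
#!/bin/sh
# Added example: walk simplified copies of the posted INPUT/FORWARD chains.
# Rule fields: chain in-iface out-iface src dst state target ("-" = any).
# Address fields are prefix-matched, which is enough for the two /24s here.
# Packet state is NEW or REPLY (REPLY stands for ESTABLISHED,RELATED).
RULES='INPUT lo - - - - ACCEPT
INPUT eth0 - 192.168.0. - - ACCEPT
INPUT eth1 - 192.168.0. - - DROP
INPUT eth1 - - 10.0.0.1 REPLY ACCEPT
INPUT - - - - - DROP
FORWARD eth1 eth0 - - REPLY ACCEPT
FORWARD eth0 eth1 - - - ACCEPT
FORWARD - - - - - DROP'

# m RULEFIELD VALUE -> 0 when the rule field is "-" or a prefix of VALUE
m() {
  [ "$1" = "-" ] && return 0
  case "$2" in "$1"*) return 0 ;; esac
  return 1
}

# walk CHAIN IN OUT SRC DST STATE -> prints "TARGET (CHAIN rule N)"
walk() {
  hit=$(printf '%s\n' "$RULES" | {
    n=0
    while read -r c rin rout rsrc rdst rst tgt; do
      [ "$c" = "$1" ] || continue
      n=$((n + 1))
      if m "$rin" "$2" && m "$rout" "$3" && m "$rsrc" "$4" \
         && m "$rdst" "$5" && m "$rst" "$6"; then
        printf '%s (%s rule %d)' "$tgt" "$1" "$n"
        break
      fi
    done
  })
  printf '%s\n' "${hit:-DROP (policy)}"
}

# Constructed packets: an unsolicited inbound eDonkey connection to the
# firewall's external address, a spoofed LAN source arriving on eth1, a
# client's outbound POP3 connection, and the reply to it.
for p in "INPUT eth1 - 203.0.113.5 10.0.0.1 NEW" \
         "INPUT eth1 - 192.168.0.5 10.0.0.1 NEW" \
         "FORWARD eth0 eth1 192.168.0.10 198.51.100.7 NEW" \
         "FORWARD eth1 eth0 198.51.100.7 192.168.0.10 REPLY"; do
  printf '%-50s -> %s\n' "$p" "$(walk $p)"
done
```

What the walk shows: a new inbound connection addressed to 10.0.0.1 never reaches FORWARD, because nothing in the nat table re-addresses it to a LAN client, so it falls through INPUT to the final drop-and-log-it (and is logged there, which `dmesg` or the syslog will confirm); a new connection from eth0 to eth1 is accepted by the second FORWARD rule regardless of port, so the filter rules as posted do not stop a client's outbound POP3 or SMTP, only unsolicited inbound connections.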