LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-30-2009, 08:38 AM   #1
Dutchy_
LQ Newbie
 
Registered: Jun 2007
Location: The Netherlands
Distribution: Ubuntu, Gentoo, Debian
Posts: 15

Rep: Reputation: 0
iptables and outgoing connections


Scenario: I can ping my machine but I can't ping from that machine to other hosts.
I accept icmp and the output chain is default accept.

Output of iptables -vL
http://pastebin.com/m58335897

It is fixed when I set the default for input to accept, so I guess I'm missing something I should accept.
I can't figure out what I'm doing wrong, could somebody give me a hint?

It seems to be the same for other outgoing connections, so it might not be specific to icmp.
 
Old 10-30-2009, 09:14 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
What happens if you remove the protocol match from your RELATED,ESTABLISHED rule?
 
Old 10-30-2009, 10:10 AM   #3
Dutchy_
LQ Newbie
 
Registered: Jun 2007
Location: The Netherlands
Distribution: Ubuntu, Gentoo, Debian
Posts: 15

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by win32sux
What happens if you remove the protocol match from your RELATED,ESTABLISHED rule?
No change.

Edit: wait, I misunderstood, let me test that.
 
Old 10-30-2009, 10:22 AM   #4
Dutchy_
LQ Newbie
 
Registered: Jun 2007
Location: The Netherlands
Distribution: Ubuntu, Gentoo, Debian
Posts: 15

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Dutchy_
Edit: wait, I misunderstood, let me test that.
That fixed the problem: can you explain why this failed in the first place? I thought if a rule didn't match it would go to the next one.
 
Old 10-30-2009, 10:32 AM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by Dutchy_
That fixed the problem: can you explain why this failed in the first place?
Actually, I'm not exactly sure. When this box pings another box, the echo reply packet is sent to ACCEPT because it matches ESTABLISHED in the INPUT chain. It wasn't doing that before since the TCP match would prevent the ICMP packet from matching. That said, even with the TCP match enabled, I would have expected the echo reply packet to match the last rule in the chain, which AFAICT sends every ICMP packet to ACCEPT.
Code:
Chain INPUT (policy DROP 270 packets, 31057 bytes)
 pkts bytes target     prot opt in     out     source               destination
56032 7578K ACCEPT     tcp  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
 1056 54516 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:www
    9   540 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
   21  1156 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp
  242 12376 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3
    9   540 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:imap2
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:imaps
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3s
  113  6780 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:mysql
    2   104 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http-alt
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:webmin
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 114K packets, 103M bytes)
 pkts bytes target     prot opt in     out     source               destination
Let me see if I can reproduce this on my box.

Last edited by win32sux; 10-30-2009 at 10:34 AM.
 
Old 10-30-2009, 10:55 AM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Okay, after doing some tests on my box (and re-reading your configuration), I'm willing to bet that although you weren't able to ping by host name, you were able to ping by IP. Can you confirm this?

I suspect that this was simply a case of the DNS lookups not being able to take place, due to there being no way for the returning UDP packets to be allowed. In other words, I theorize that you weren't receiving echo replies at all, because your echo requests weren't being sent in the first place. If I'm correct, then what happened when you removed the TCP match from your RELATED,ESTABLISHED rule was that you allowed DNS lookups to complete.

Last edited by win32sux; 10-30-2009 at 11:00 AM.
 
Old 10-30-2009, 11:08 AM   #7
Dutchy_
LQ Newbie
 
Registered: Jun 2007
Location: The Netherlands
Distribution: Ubuntu, Gentoo, Debian
Posts: 15

Original Poster
Rep: Reputation: 0
You are correct. I should have realised this, because ping gave no output at all.

On to the next problem: with these rules FTP doesn't work yet. If you have any suggestions, they are welcome. I am going to wait a bit with debugging till tonight, it's on a production server (don't ask).
 
Old 10-30-2009, 11:12 AM   #8
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
You have the FTP connection tracking module loaded, right?
 
Old 10-30-2009, 01:48 PM   #9
Dutchy_
LQ Newbie
 
Registered: Jun 2007
Location: The Netherlands
Distribution: Ubuntu, Gentoo, Debian
Posts: 15

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by win32sux
You have the FTP connection tracking module loaded, right?
I didn't, I thought it was all one module that could do the tracking. I think I'll figure it out now, thanks a lot.
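As an added example (not code from the thread or from either poster), here is a small Python model of iptables first-match evaluation over an INPUT chain shaped like the one pasted in post #5. It shows why a `-p tcp` match on the RELATED,ESTABLISHED rule drops the UDP DNS reply (post #6) while an ICMP echo reply still hits the final icmp rule, and why an FTP data connection only counts as RELATED once the FTP conntrack helper is loaded (post #8). The packets, ports and the helper module name nf_conntrack_ftp are assumptions for illustration.

```python
# Added example, not from the thread: a minimal model of iptables first-match
# evaluation for the INPUT chain posted above. Packets, ports and the module
# name nf_conntrack_ftp (the FTP conntrack helper) are constructed/assumed.
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for icmp
    ctstate: str          # conntrack state: NEW, ESTABLISHED or RELATED

@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None           # -p match; None = any protocol
    dport: Optional[int] = None           # --dport match; None = any port
    states: FrozenSet[str] = frozenset()  # --state match; empty = any state

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (not self.states or pkt.ctstate in self.states))

def evaluate(chain, policy, pkt):
    """First matching rule decides; otherwise the chain policy (DROP here)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

def input_chain(state_rule_proto):
    # Same shape as the poster's chain: state rule, per-port tcp rules, icmp last.
    return [Rule("ACCEPT", proto=state_rule_proto, states=frozenset({"RELATED", "ESTABLISHED"})),
            Rule("ACCEPT", proto="tcp", dport=80),
            Rule("ACCEPT", proto="tcp", dport=22),
            Rule("ACCEPT", proto="icmp")]

SAMPLE_PACKETS = {  # constructed inbound packets
    "dns_reply": Packet("udp", 53210, "ESTABLISHED"),    # answer to our resolver query
    "echo_reply": Packet("icmp", None, "ESTABLISHED"),   # answer to our ping
    "ftp_data_no_helper": Packet("tcp", 41234, "NEW"),   # active-mode data conn, helper absent
    "ftp_data_helper": Packet("tcp", 41234, "RELATED"),  # same, with nf_conntrack_ftp loaded
}

def verdicts(state_rule_proto):
    """Verdict per sample packet for a state rule with (or without) a -p match."""
    chain = input_chain(state_rule_proto)
    return {name: evaluate(chain, "DROP", pkt) for name, pkt in SAMPLE_PACKETS.items()}
```

`verdicts("tcp")` reproduces the original symptom (DNS reply dropped, echo reply accepted) and `verdicts(None)` the state rule without the protocol match; the FTP data packet is only accepted in the RELATED case, which is what the helper module provides.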
 
All times are GMT -5.