LinuxQuestions.org

Linux - Security forum: https://www.linuxquestions.org/questions/linux-security-4/iptables-guarddog-blocking-to-much-how-do-i-fix-this-382757/

M$ISBS 11-13-2005 01:53 PM

IPtables/Guarddog blocking too much. How do I fix this?
 
Guarddog is blocking some images from some websites; when I disable the firewall (iptables/guarddog) I can see the images. What do I need to enable in Guarddog to stop it from blocking images?

In Guarddog the only boxes I have checked are:
FTP
HTTP
HTTPS
DNS
KERBEROS
IDENT/AUTH

I am not really sure if I am supposed to have all these checked or not, but after trial and error I found these are the ones that let me go online. I am not running a server.

Thanks.

brianthegreat 11-13-2005 04:36 PM

Ok!

There is something really fishy going on here. You should see those images with the firewall enabled. Why not try another firewall, or uninstall and reinstall the firewall, or something else of this nature? I have never heard of a problem like yours referencing a firewall. Does Guarddog have a forum where you can ask questions? If so, then I would ask over there.

M$ISBS 11-13-2005 04:59 PM

An example would be when I google something for images: the thumbnails don't show up; when I click the disable firewall box in Guarddog and hit apply, then I can see them. If I don't start up Guarddog the images are shown, and it seems to be only thumbs, not all images.

brianthegreat 11-13-2005 07:18 PM

You need that firewall. Maybe switch to firestarter or get more information regarding this topic. I would do a search via:

www.google.com/linux
www.justlinux.com

Or many other sites out there.

unSpawn 11-13-2005 08:13 PM

In Guarddog the only boxes I have checked are:
FTP
HTTP
HTTPS
DNS
KERBEROS
IDENT/AUTH

I am not really sure if I am supposed to have all these checked or not but after trial and error I found these are the ones that let me go online.


I haven't used Guarddog in ages, but underneath it all boils down to iptables rules, so could you post the output from "/sbin/iptables -n -L -v"? If it's much I think we'd prefer a download location if you can handle it. Scrub your public IP from the file first tho.

If you're not serving something then your basic iptables shell script could look like this; you'll have to stop Guarddog to run this:
Code:

PATH=/sbin:$PATH
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback device
iptables -A INPUT -i lo -j ACCEPT
# Only ping stuff
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Traffic from connections we initiated
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The rest gets logged and dropped
iptables -A INPUT -j LOG --log-prefix="IN_block" -m limit --limit 1/s
iptables -A INPUT -j DROP

It isn't complete but it should let you surf while you fix things.

M$ISBS 11-13-2005 09:22 PM

Ok, here's the output of iptables -n -L -v

/sbin# iptables -n -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
18 1708 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 192.168.2.2 255.255.255.255
17 680 logaborted tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED tcp flags:0x04/0x04
20096 21M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 nicfilt all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 srcfilt all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 srcfilt all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
18 1708 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
15989 2272K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
788 41818 s1 all -- * * 0.0.0.0/0 0.0.0.0/0

Chain f0to1 (3 references)
pkts bytes target prot opt in out source destination
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain f1to0 (1 references)
pkts bytes target prot opt in out source destination
715 37180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts: dpt:80 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts: dpt:8080 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts: dpt:8008 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts: dpt:8000 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts: dpt:8888 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt: state NEW
63 4118 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts: dpt:21 state NEW
10 520 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logaborted (1 references)
pkts bytes target prot opt in out source destination
17 680 logaborted2 all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 1 LOG flags 0 level 4 prefix `LIMITED '

Chain logaborted2 (1 references)
pkts bytes target prot opt in out source destination
17 680 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix `ABORTED '
17 680 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain logdrop (4 references)
pkts bytes target prot opt in out source destination
10 520 logdrop2 all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 1 LOG flags 0 level 4 prefix `LIMITED '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop2 (1 references)
pkts bytes target prot opt in out source destination
10 520 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix `DROPPED '
10 520 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 logreject2 all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 1 LOG flags 0 level 4 prefix `LIMITED '
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logreject2 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix `REJECTED '
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nicfilt (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain s0 (1 references)
pkts bytes target prot opt in out source destination
0 0 f0to1 all -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx
0 0 f0to1 all -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx
0 0 f0to1 all -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain s1 (1 references)
pkts bytes target prot opt in out source destination
f1to0 all -- * * 0.0.0.0/0 0.0.0.0/0

Chain srcfilt (2 references)
pkts bytes target prot opt in out source destination
0 0 s0 all -- * * 0.0.0.0/0 0.0.0.0/0

unSpawn 11-14-2005 01:01 PM

If I try to un-fsck it and rip out all the rules with zero traffic, it looks kinda like this:
Code:

/sbin/iptables -A INPUT -i lo -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j logaborted # tcp flags:0x04/0x04
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT # tcp flags:0x04/0x04
/sbin/iptables -A OUTPUT -o lo -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # -o (output interface) is only valid in OUTPUT/FORWARD, not INPUT
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT # 12
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j s1 # 12
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # dpt:80 state NEW
/sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # state NEW
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j logdrop # dpt:21 state NEW
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j logaborted2 # 1/sec burst 10
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG # 7 level 4 prefix ABORTED
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT # 7 level 4 prefix `ABORTED
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j logdrop2 # 1/sec burst 10
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG # 7 level 4 prefix `DROPPED
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP # 7 level 4 prefix `DROPPED

...which would mean that apart from filtering for bogon networks, invalid packets or packets with weird TCP flag combos, ICMP garbage, ICMP rate limiting and detailed logging, the previously posted script should work. Now, why Guarddog won't work I can't see from here, but it seems to me it's trying to guide traffic through some rules that just won't work.

I'd suggest you try running the previously posted script, backup your firewall script if you want to, and start configuring Guarddog from scratch. Basically what you want is to DROP anything on FORWARD (you don't route for other boxen), DROP anything on INPUT that has the SYN flag set (allowing only ICMP and ESTABLISHED,RELATED) and ACCEPT everything on OUTPUT.
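The zero-traffic filtering unSpawn does by hand above can be scripted; this is an added example, not code from the thread, from Guarddog or from iptables itself. It reads an `iptables -n -L -v` listing on stdin, keeps only the rules whose packet counter is non-zero, then flags the ones whose target is a DROP/REJECT or log-and-drop chain (the `logdrop`/`logreject` names are the ones Guarddog used in the posted listing); the sample listing is a constructed excerpt modelled on that output.

```sh
#!/bin/sh
# Added example: reduce an "iptables -n -L -v" listing to the rules that saw traffic.
# Usage: iptables -n -L -v | active_rules        (or | blocking_rules)
# Note: without -x, counters may carry K/M/G suffixes; those are kept as non-zero.

active_rules() {
    awk '
        /^Chain /                 { chain = $2; next }   # remember current chain name
        /^ *pkts +bytes/          { next }               # skip the column header
        NF == 0                   { next }               # skip blank separator lines
        $1 ~ /^[0-9]+[KMG]?$/ && $1 != "0" {
            # $1 = pkts, $2 = bytes, $3 = target; emit chain, pkts, target, rest
            printf "%s\t%s\t%s\t", chain, $1, $3
            for (i = 4; i <= NF; i++) printf "%s ", $i
            printf "\n"
        }
    '
}

# Of the active rules, only those jumping to a dropping/rejecting target:
# these are the rules actually blocking something right now.
blocking_rules() {
    active_rules | awk -F'\t' '$3 ~ /^(DROP|REJECT|logdrop|logreject)/'
}

# Constructed sample, modelled on the listing posted in this thread.
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   18  1708 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       192.168.2.2          255.255.255.255
20096   21M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain f1to0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  715 37180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state NEW
   10   520 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

# Stand-alone demo: show which rules are dropping traffic in the sample.
printf '%s\n' "$SAMPLE" | blocking_rules
```

On a live box, run the pipeline as root against the real listing and then read the matching LOG prefix (`DROPPED`, `REJECTED`) in the kernel log to see what the dropped packets were.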

M$ISBS 11-14-2005 09:42 PM

unSpawn, I don't understand anything you posted; I am not familiar with iptables or configuring it. I just tried to install Firestarter but it would not configure, something about missing gconf-2. I guess it's not that big a deal; I just won't see some images with the firewall enabled. Thanks for the help.
