IPtables/Guarddog blocking too much. How do I fix this?
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
There is something really fishy going on here. You should see those images with the firewall enabled. Why not try another firewall, or uninstall and reinstall the firewall, or something else of this nature. I have never heard of a problem like yours referencing a firewall. Does Guarddog have a forum where you can ask questions? If so then I would ask over there.
An example would be when I google something for images: the thumbnails don't show up, but when I click the disable firewall box in Guarddog and hit apply, then I can see them. If I don't start up Guarddog the images are shown, and it seems to be only thumbs, not all images.
In Guarddog the only boxes I have checked are:
I am not really sure if I am supposed to have all these checked or not but after trial and error I found these are the ones that let me go online.
I haven't used Guarddog in ages, but underneath it all boils down to iptables rules, so could you post the output from "/sbin/iptables -n -L -v"? If it's much I think we'd prefer a download location if you can handle it. Scrub your public IP from the file first though.
If you're not serving something then your basic iptables shell script could look like this; you'll have to stop Guarddog to run this:
#!/bin/sh
# Start from empty chains so leftover Guarddog rules don't sit in front of these
iptables -F
iptables -X
# Default policies: drop unsolicited inbound and all forwarding, allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback device
iptables -A INPUT -i lo -j ACCEPT
# Only ping stuff
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Traffic from connections we initiated
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The rest gets logged (rate limited so the log can't be flooded) and dropped
iptables -A INPUT -m limit --limit 1/s -j LOG --log-prefix "IN_block: "
iptables -A INPUT -j DROP
It isn't complete but it should let you surf while you fix things.
If I try to un-fsck and rip out all the rules with zero traffic it looks kinda like this:
/sbin/iptables -A INPUT -i lo -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j logaborted # tcp flags:0x04/0x04
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT # tcp flags:0x04/0x04
/sbin/iptables -A INPUT -o lo -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # 12
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT # 12
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j s1 # 12
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # dpt:80 state NEW
/sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # state NEW
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j logdrop # dpt:21 state NEW
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j logaborted2 # 1/sec burst 10
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG # 7 level 4 prefix ABORTED
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT # 7 level 4 prefix `ABORTED
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j logdrop2 # 1/sec burst 10
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG # 7 level 4 prefix `DROPPED
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP # 7 level 4 prefix `DROPPED
...which would mean that apart from filtering for bogon networks, invalid packets or packets with weird TCP flag combos, ICMP garbage, ICMP rate limiting and detailed logging, the previously posted script should work. Now why Guarddog won't work I can't see from here, but it seems to me it's trying to guide traffic through some rules that just won't work.
I'd suggest you try running the previously posted script, backup your firewall script if you want to, and start configuring Guarddog from scratch. Basically what you want is to DROP anything on FORWARD (you don't route for other boxen), DROP anything on INPUT that has the SYN flag set (allowing only ICMP and ESTABLISHED,RELATED) and ACCEPT everything on OUTPUT.
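An added example, not code from the thread or from Guarddog: a small POSIX sh/awk filter over the "iptables -n -L -v" listing requested above. It prints each built-in chain's default policy (the FORWARD/INPUT/OUTPUT settings recommended in the post) and every rule whose packet counter is still 0, which are the "rules with zero traffic" that get ripped out first when untangling a ruleset. The listing it runs on is a constructed sample with made-up chain names and counters.

```shell
#!/bin/sh
# Added example (not from the thread): parse the text of "iptables -n -L -v" and report
# (a) each built-in chain's default policy and (b) rules that have never matched a packet.
# Assumes the standard "pkts bytes target prot opt in out source destination" layout.

# Constructed sample listing in the shape of a Guarddog-style ruleset (names made up).
SAMPLE='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  840 61200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 5123  410K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 logaborted tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x04/0x04
    0     0 s1         all  --  *      *       0.0.0.0/0            0.0.0.0/0
   12   720 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 6020 packets, 512K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain s1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
'

# policy_of LISTING CHAIN: default policy of a built-in chain; empty for user chains/absent.
policy_of() {
    printf '%s\n' "$1" | awk -v c="$2" \
        '$1 == "Chain" && $2 == c && $3 == "(policy" { print $4; exit }'
}

# unused_rules LISTING: one line "CHAIN: target proto ..." per rule with 0 packets.
unused_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /  { chain = $2; next }        # remember which chain we are in
        $1 == "pkts" || NF == 0 { next }       # skip column header and blank lines
        $1 == "0"  { $1 = ""; $2 = ""; sub(/^ +/, ""); print chain ": " $0 }
    '
}

# unused_count LISTING: number of never-matched rules.
unused_count() {
    unused_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone run: policies first, then the dead rules (expect 3 in the sample).
for c in INPUT FORWARD OUTPUT; do echo "$c policy: $(policy_of "$SAMPLE" "$c")"; done
unused_rules "$SAMPLE"
```

On a real box, replace SAMPLE with `"$(iptables -n -L -v)"`; a jump to a user chain that shows 0 packets means nothing ever reaches that whole sub-chain.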
unspawn, I don't understand anything you posted; I am not familiar with iptables or configuring it. I just tried to install Firestarter but it would not configure, something about missing gconf-2. I guess it's not that big a deal, I just won't see some images with the firewall enabled. Thanks for the help.