LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 11-13-2005, 01:53 PM   #1
M$ISBS
Member
 
Registered: Aug 2003
Posts: 818

Rep: Reputation: 30
IPtables/Guarddog blocking to much. How do I fix this?


Guarddog is blocking some images from some websites, when I disable the firewall (iptables/guarddog) I can see the images. What do I need to enable in guarddog to stop it from blocking images?

In Guarddog the only boxes I have checked are:
FTP
HTTP
HTTPS
DNS
KERBEROS
IDENT/AUTH

I am not really sure if I am supposed to have all these checked or not but after trial and error I found these are the ones that let me go online. I am not running server.

Thanks.
 
Old 11-13-2005, 04:36 PM   #2
brianthegreat
Member
 
Registered: Oct 2005
Posts: 518

Rep: Reputation: 32
Ok!

There is something really fishy going on here. YOu should see those images with the firewall enabled. Why not try another firewall or uninstall and reinstall firewall. Or something else of this nature. I have never heard of a problem like yours referencing a firewall. Does Guarddog have a forum where you can ask questions?? If so then I would ask over there.
 
Old 11-13-2005, 04:59 PM   #3
M$ISBS
Member
 
Registered: Aug 2003
Posts: 818

Original Poster
Rep: Reputation: 30
An example would be when I google something for images the thumbnails dont show up, when I click the disable firewall box in guarddog and hit apply, then I can see them. If I dont start up guarddog the images are shown and it seem to be only thumbs, not all images.
 
Old 11-13-2005, 07:18 PM   #4
brianthegreat
Member
 
Registered: Oct 2005
Posts: 518

Rep: Reputation: 32
You need that firewall. Maybe switch to firestarter or get more information regarding this topic. I would do a search via:

www.google.com/linux
www.justlinux.com

Or many other sites out there.
 
Old 11-13-2005, 08:13 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
In Guarddog the only boxes I have checked are:
FTP
HTTP
HTTPS
DNS
KERBEROS
IDENT/AUTH

I am not really sure if I am supposed to have all these checked or not but after trial and error I found these are the ones that let me go online.


I haven't used Guarddog in ages, but underneath it's all boils down to Iptables rules, so could you post the output from "/sbin/iptables -n -L -v"? If it's much I think we'd prefer a download location if you can handle it. Scrub your public IP from the file first tho.

if you're not serving something then your basic Iptables shellscript could look like this, you'll have to stop Guarddog to run this:
Code:
PATH=/sbin:$PATH
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback device
iptables -A INPUT -i lo -j ACCEPT
# Only ping stuff
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Traffic from connections we initiated
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The rest gets logged and dropped
iptables -A INPUT -j LOG --log-prefix="IN_block" -m limit --limit 1/s
iptables -A INPUT -j DROP
It isn't complete but it should let you surf while you fix things.
 
Old 11-13-2005, 09:22 PM   #6
M$ISBS
Member
 
Registered: Aug 2003
Posts: 818

Original Poster
Rep: Reputation: 30
Ok, Heres the output of iptables -n -L -v

/sbin# iptables -n -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
18 1708 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 192.168.2.2 255.255.255.255
17 680 logaborted tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED tcp flags:0x04/0x04
20096 21M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 nicfilt all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 srcfilt all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 srcfilt all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
18 1708 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
15989 2272K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
788 41818 s1 all -- * * 0.0.0.0/0 0.0.0.0/0

Chain f0to1 (3 references)
pkts bytes target prot opt in out source destination
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain f1to0 (1 references)
pkts bytes target prot opt in out source destination
715 37180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:
dpt:80 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:
dpt:8080 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:
dpt:8008 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:
dpt:8000 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:
dpt:8888 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt: state NEW
63 4118 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:
dpt:21 state NEW
10 520 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logaborted (1 references)
pkts bytes target prot opt in out source destination
17 680 logaborted2 all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 1 LOG flags 0 level 4 prefix `LIMITED '

Chain logaborted2 (1 references)
pkts bytes target prot opt in out source destination
17 680 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix `ABORTED '
17 680 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain logdrop (4 references)
pkts bytes target prot opt in out source destination
10 520 logdrop2 all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 1 LOG flags 0 level 4 prefix `LIMITED '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop2 (1 references)
pkts bytes target prot opt in out source destination
10 520 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix `DROPPED '
10 520 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 logreject2 all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 1 LOG flags 0 level 4 prefix `LIMITED '
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logreject2 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix `REJECTED '
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nicfilt (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain s0 (1 references)
pkts bytes target prot opt in out source destination
0 0 f0to1 all -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx
0 0 f0to1 all -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx
0 0 f0to1 all -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain s1 (1 references)
pkts bytes target prot opt in out source destination
f1to0 all -- * * 0.0.0.0/0 0.0.0.0/0

Chain srcfilt (2 references)
pkts bytes target prot opt in out source destination
0 0 s0 all -- * * 0.0.0.0/0 0.0.0.0/0
 
Old 11-14-2005, 01:01 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
If I try to un-fsck and rip out all the rules with zero traffic it it looks kinda like this:
Code:
/sbin/iptables -A INPUT -i lo -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j logaborted # tcp flags:0x04/0x04
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT # tcp flags:0x04/0x04
/sbin/iptables -A INPUT -o lo -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # 12
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT # 12
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j s1 # 12
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # dpt:80 state NEW
/sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # state NEW
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j logdrop # dpt:21 state NEW
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j logaborted2 # 1/sec burst 10
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG # 7 level 4 prefix ABORTED
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT # 7 level 4 prefix `ABORTED
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j logdrop2 # 1/sec burst 10
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG # 7 level 4 prefix `DROPPED
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP # 7 level 4 prefix `DROPPED
...which would mean that apart from filtering for bogon networks, invalid packets or packets with weird TCP flag combo's, ICMP garbage, ICMP rate limiting and detailed logging the previously posted script should work. Now why Guarddog won't work I can't see from here, but it seems to me it's trying to guide traffic through some rules that just won't work.

I'd suggest you try running the previously posted script, backup your firewall script if you want to, and start configuring Guarddog from scratch. Basically what you want is to DROP anything on FORWARD (you don't route for other boxen), DROP anything on INPUT that has the SYN flag set (allowing only ICMP and ESTABLISHED,RELATED) and ACCEPT everything on OUTPUT.
 
Old 11-14-2005, 09:42 PM   #8
M$ISBS
Member
 
Registered: Aug 2003
Posts: 818

Original Poster
Rep: Reputation: 30
unspawn, I dont understand anything you posted, I am not familiar with iptables or configuring it. I just tried to install firestarter but it would not configure, something about missing gconf-2. I guess its not that big a deal, I just wont see some images with the firewall enabled. Thanks for the help.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
UT2004, Guarddog/iptables, and LAN games - ?? achallenger1 Linux - Games 3 09-19-2005 12:52 PM
Guarddog is blocking my networked computer.. r3dhatter Linux - Networking 3 08-11-2005 10:17 AM
Blocking HSRP with Guarddog Lame Linux - Security 1 08-28-2004 06:00 AM
Failed Dependencies for Guarddog: Iptables Electronkz Linux - Security 1 04-27-2004 03:42 AM
rsync through Guarddog/IPTables on Gentoo Chip D Linux - Security 3 01-05-2004 05:40 PM


All times are GMT -5. The time now is 08:09 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration