LinuxQuestions.org

Linux - Security: iptables issue (http://www.linuxquestions.org/questions/linux-security-4/iptables-issue-81027/)

f1uke 08-11-2003 03:18 PM

iptables issue
 
I've recently been reading and trying to comprehend iptables. I read a howto on ipchains and it seems very similar, but I am having trouble with this very simple setup I made. Here are some snippets from the iptables-save file I created and an iptables -L:

# Generated by iptables-save v1.2.7a on Mon Aug 11 10:26:24 2003
*filter
:INPUT ACCEPT [974:89406]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1065:163976]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 33000:44000 -j ACCEPT
-A INPUT -p tcp -j DROP
COMMIT
# Completed on Mon Aug 11 10:26:24 2003

-----------------

level:/etc # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ident
ACCEPT tcp -- anywhere anywhere tcp dpt:hbci
ACCEPT tcp -- anywhere anywhere tcp dpts:33000:44000
DROP tcp -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

------

My issue is I had created an eggdrop which isn't making any connections unless I do an iptables -F.

------bot snippets
[11:15] main: entering loop
[11:15] DNS resolved slamin.ravepimp.com to 66.252.10.159
[11:15] Trying server irc.Qeast.net:6667
[11:15] DNS resolved irc.Qeast.net to 205.210.145.2
[11:17] Timeout: connect to irc.Qeast.net
[11:17] Trying server irc.carrier1.net.uk:6667
[11:17] DNS resolve failed for irc.carrier1.net.uk
[11:17] Failed connect to irc.carrier1.net.uk (DNS lookup failed)

Everything seems to time out until I flush the tables. The tables I thought were pretty simple and wouldn't conflict, since my OUTPUT chain is clear? What am I missing?

yocompia 08-11-2003 04:00 PM

I'm not clear on what an eggdrop is, but I recommend that if you're having troubles w/ iptables you use the LOG target to track down problems. To do this, insert a rule (with the appropriate chain title) that looks as follows:

iptables -A INPUT -p ALL -i eth0 -j LOG --log-prefix "packet gets to rule X "

Replace eth0 with your internet interface and then look through your syslog (issue "#cat /var/log/syslog | less") for messages with a header matching that in the above rule. If messages show up in syslog, then you know that the packet got at least as far as the LOG rule. Use this to track packets.

If you could clarify what you mean by eggdrop and/or what your internet situation is, I could help more.

gl,
y-p
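An added example (not code from the thread): a small Python parser for the kernel LOG lines that a rule like y-p's writes to syslog, run over constructed sample lines, which also picks out inbound SYN/ACK packets, i.e. replies to connections the box itself started. The log prefix "testx" and the documentation-range addresses are assumptions for the sample.

```python
import re

# Constructed sample lines in the format the netfilter LOG target writes to
# syslog; the addresses are documentation ranges, not the thread's real hosts.
SAMPLE_LOG = """\
Aug 11 14:37:52 level kernel: testx IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:20:a2:f7:84:08:00 SRC=192.0.2.176 DST=192.0.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=1 ID=55261 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 11 14:41:12 level kernel: testx IN=eth0 OUT= MAC=00:04:75:90:b0:8e:00:01:30:f3:cf:70:08:00 SRC=198.51.100.247 DST=192.0.2.231 LEN=84 TOS=0x00 PREC=0x00 TTL=47 ID=49102 DF PROTO=ICMP TYPE=0 CODE=0 ID=29447 SEQ=1
Aug 11 14:42:03 level kernel: testx IN=eth0 OUT= MAC=00:04:75:90:b0:8e:00:01:30:f3:cf:70:08:00 SRC=203.0.113.2 DST=192.0.2.231 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=6667 DPT=32911 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Aug 11 14:42:04 level sshd[123]: Accepted password for user from 192.0.2.5
"""

# Everything between "kernel: " and the first "IN=" is the --log-prefix text.
KERNEL_RE = re.compile(r"kernel: (?P<prefix>.*?)(?=IN=)(?P<body>.*)$")

def parse_log_line(line):
    """Return a dict of KEY=value fields plus a 'flags' list (DF, SYN, ACK...)
    for one netfilter LOG line, or None for lines that are not LOG output."""
    m = KERNEL_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip(), "flags": []}
    for tok in m.group("body").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # LEN and ID occur twice (IP header, then UDP/ICMP); keep the first.
            rec.setdefault(key, val)
        else:
            rec["flags"].append(tok)
    return rec

def parse_log(text):
    return [r for r in (parse_log_line(l) for l in text.splitlines()) if r]

def tcp_replies(records):
    """Inbound SYN/ACK packets: the second step of a handshake that a local
    client started. A stateless '-p tcp -j DROP' discards these unless the
    local port happens to be whitelisted; '--state ESTABLISHED' accepts them."""
    return [(r["SRC"], r["SPT"], r["DST"], r["DPT"]) for r in records
            if r.get("PROTO") == "TCP" and {"SYN", "ACK"} <= set(r["flags"])]
```

Note that a LOG rule only sees packets that reach it, so to catch what a DROP rule is eating the LOG rule has to sit before the DROP in the chain.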

f1uke 08-11-2003 06:50 PM

Ok, I went back and created a log for the input chain; here is a copy. I'm going to ping www.blanks.us for a test and reference.

-------------------
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ident
ACCEPT tcp -- anywhere anywhere tcp dpts:33000:44000
DROP tcp -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `testx '

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
--------------------------

PING blanks.us (66.252.10.247) 56(84) bytes of data.
64 bytes from 66.252.10.247: icmp_seq=1 ttl=47 time=62.5 ms
64 bytes from 66.252.10.247: icmp_seq=5 ttl=47 time=94.9 ms
64 bytes from 66.252.10.247: icmp_seq=6 ttl=47 time=74.0 ms
64 bytes from 66.252.10.247: icmp_seq=7 ttl=47 time=84.1 ms
64 bytes from 66.252.10.247: icmp_seq=8 ttl=47 time=60.5 ms
64 bytes from 66.252.10.247: icmp_seq=10 ttl=47 time=68.9 ms
64 bytes from 66.252.10.247: icmp_seq=11 ttl=47 time=58.8 ms

--- blanks.us ping statistics ---
11 packets transmitted, 7 received, 36% packet loss, time 34519ms
rtt min/avg/max/mdev = 58.852/71.991/94.913/12.416 ms
------

here is the log from /var/log/messages
------------------
Aug 11 14:37:52 level kernel: testx IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:20:a2:f7:84:08:00 SRC=128.82.6.176 DST=128.82.6.255 LEN=78 TOS=0x00 PREC=0x00 TTL=1 ID=55261 DF PROTO=UDP SPT=137 DPT=137 LEN=58

Aug 11 14:41:12 level kernel: testx IN=eth0 OUT= MAC=00:04:75:90:b0:8e:00:01:30:f3:cf:70:08:00 SRC=66.252.10.247 DST=128.82.6.231 LEN=84 TOS=0x00 PREC=0x00 TTL=47 ID=49102 DF PROTO=ICMP TYPE=0 CODE=0 ID=29447 SEQ=1

--------
Those were just two lines of many; I would copy all of them but they clear my screen, enabling me to copy most of it. My goal with my iptables is to filter incoming and allow all out; eggdrop is just a bot program I use for IRC. When I run it with my iptables the way they are, it cannot connect to anything outside, and when I bring the iptables down and allow it to go back online, then restart my iptables, it pings out offline. I am unclear what I am doing wrong in my chain definitions.

Looking_Lost 08-11-2003 08:58 PM

# Default policies: drop anything no rule below explicitly accepts
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Loopback traffic
iptables -A INPUT -p ALL -i lo -j ACCEPT

# Replies to connections this host opened (no space after the comma,
# or iptables rejects the state list)
iptables -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Inbound ssh
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j ACCEPT

# Allow everything out
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT


You can give that a go and see if it works for you if you want, assuming eth0 is your internet connection.
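Added example, not Looking_Lost's or f1uke's code: a Python model of both INPUT chains with a minimal connection-tracking table, showing why the IRC server's SYN/ACK reply to the bot's ephemeral port is dropped by the stateless chain from the first post and accepted by the stateful one above. The addresses, the ephemeral port 32911 and the single-table conntrack model are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str   # "tcp" or "icmp"
    src: str
    spt: int     # TCP source port, or ICMP echo id
    dst: str
    dpt: int     # TCP destination port, or ICMP echo id

LOCAL = "192.0.2.231"   # constructed address of the eggdrop host
IRC = "203.0.113.2"     # constructed address of an IRC server

def stateless_input(pkt):
    """f1uke's INPUT chain: a few TCP ports are accepted, every other TCP
    packet hits '-p tcp -j DROP', and non-TCP falls through to policy ACCEPT."""
    if pkt.proto != "tcp":
        return "ACCEPT"
    if pkt.dpt in (22, 113, 3000) or 33000 <= pkt.dpt <= 44000:
        return "ACCEPT"
    return "DROP"

class StatefulFirewall:
    """Looking_Lost's ruleset with a minimal conntrack model: a packet accepted
    on OUTPUT records its 5-tuple, and INPUT accepts the reverse of any
    recorded tuple (the ESTABLISHED state); everything else is dropped."""
    def __init__(self):
        self.flows = set()

    def output(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.spt, pkt.dst, pkt.dpt))
        return "ACCEPT"          # -A OUTPUT -p ALL -o eth0 -j ACCEPT

    def input(self, pkt):
        if (pkt.proto, pkt.dst, pkt.dpt, pkt.src, pkt.spt) in self.flows:
            return "ACCEPT"      # -m state --state ESTABLISHED,RELATED
        if pkt.proto == "tcp" and pkt.dpt == 22:
            return "ACCEPT"      # --destination-port 22
        return "DROP"            # -P INPUT DROP

def irc_connect(input_chain, output_chain=None):
    """Play the first two steps of the bot's handshake with an IRC server on
    port 6667 and return the verdict on the server's SYN/ACK reply."""
    syn = Pkt("tcp", LOCAL, 32911, IRC, 6667)
    if output_chain is not None:
        output_chain(syn)        # f1uke's OUTPUT chain is empty: nothing tracked
    synack = Pkt("tcp", IRC, 6667, LOCAL, 32911)
    return input_chain(synack)
```

The same model shows the other side of the trade: with the stateful rules an unsolicited inbound SYN to port 3000 is dropped, whereas the stateless chain lets it in.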

