Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
We run a site where are sales team can download and view sales quotes using PDF files.
Recently I have implemented IPTables on the server and lock down access.
However the issue is that with IPTables enabled the users cannot access the PDF files although they can access everything else fine.
If I stop the IPtables they can view the PDF's.
I have tried running a TCPdump and used TCPview to see the ports that are being opened to the server and the only port looking to be used is HTTP.
I have also tried opening the firewall up to allow any UDP ports requested by the client this has made no difference, I then opened the firewall to allow all ports from the source computer again no difference.
The only conclusion I can come to is that IPTables is preventing the PDF from being downloaded.
Has anyone come across this before?
Below is the output from the failed attempt to load the PDF while the IPTables is enabled:
ERROR: No HTML files!
HTMLDOC Version 1.8.23 Copyright 1997-2002 Easy Software Products, All Rights Reserved.
This software is governed by the GNU General Public License, Version 2, and
is based in part on the work of the Independent JPEG Group.
Instinctively, I'd say that you might want to try alowing the RELATED state as well as the ESTABLISHED state. But after watching a PDF download with tcpdump, it looks like one continuous tcp stream, so I don't think that will help, but it's still worth a shot.
Second, try putting some logging rules before and after your --dport 80 drop rules (make sure to give each one a distinct log prefix so that you can distinguish them) and also add one at the end of the script to catch any packets that hit the default drop policy. Then try a download and see if you can trace the packet until it's dropped. If that doesn't work, put them around all the drop rules.
Although I had allow loopback connections to the system from 127.0.0.1, the Htmldoc command seemed to be using it's internet address but over the lo inetrface after I allowed this address access the PDF's were downloaded with out a problem.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
This is usually the case for most ethernet drivers: If you try to establish a connection from the IP assigned to your NIC, back to that same IP, it won't actually go "on the wire" but rather to the lo0 device (loopback, i.e. pseudo adaptor). You wouldn't see this traffic with a tcpdump of the session because tcpdump looks at "the wire" for the adaptor it's monitoring (e.g. eth0). You would have needed to run two simultaneous tcpdumps (one on eth0, one on lo0) to see the complete behavior.
It seems you were quite resourceful and managed to discover that on your own, because that's what I was going to suggest before I scrolled down and read your last post
I found the issue by running the tcpdump on the lo interface and saw the packets hitting this once the IPTables was stopped so all I did was add a rule:
-A INPUT -s <eth0 IP Address on system> -j ACCEPT
And that sorted the issue, should have thought of that earlier really
I'd recommend against using that rule, as it'll allow incoming packets that are spoofed with your own IP on the external interface. Maybe one of these might be better:
iptables -A INPUT -i lo -s <eth0 IP Address on system> -j ACCEPT
or
iptables -A INPUT -i ! external_interface -s <eth0 IP Address on system> -j ACCEPT
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
Yes, you defnitely want to specify the device because these packets don't use the physical interface. Write a rule to just allow in all sourced (supposedly) from your external IP would open you up to serious spoofing attacks, as Capt pointed out.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.