I have IPCop 1.4.16 running with AdvProxy and have just added the iptables rule to drop all traffic to a variety of ports (see rc.firewall.local below).
The virus scanner wants to go out on port 80 and come back on a port >1024. I had a stab at adding the rules to allow this but it doesn't seem to work. I am a newbie with these rules and was trying to glean the proper format from the available online docs. I marked the rules with *out and *in.
Any help appreciated!
Don
Code:
#!/bin/sh
# Used for private firewall rules
# See how we were called.
case "$1" in
start)
    ## add your 'start' rules here
    #Added for zerina start - BEGIN
    /usr/local/bin/openvpnctrl --create-chains-and-rules
    #Added for zerina start - END
    # *out
    /sbin/iptables -A FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p TCP \
        -m multiport --dport 80,443 -j ACCEPT
    # *in
    /sbin/iptables -A FORWARD -d 0/0 -o eth0 -s 193.86.3.36 -i eth1 -p TCP \
        -m state --state ESTABLISHED -j ACCEPT
    /sbin/iptables -A CUSTOMFORWARD -i eth0 -o eth1 -p tcp \
        -m mport --dports 80,81,443,3128,6588,8000,8080,8181 -j DROP
    ;;
stop)
    ## add your 'stop' rules here
    #Added for zerina stop - BEGIN
    /usr/local/bin/openvpnctrl --delete-chains-and-rules
    #Added for zerina stop - END
    ;;
reload)
    $0 stop
    $0 start
    ## add your 'reload' rules here
    ;;
*)
    echo "Usage: $0 {start|stop|reload}"
    ;;
esac
/sbin/iptables -A FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p TCP \
-m multiport --dport 80,443 -j ACCEPT
/sbin/iptables -A FORWARD -d 0/0 -o eth0 -s 193.86.3.36 -i eth1 -p TCP \
-m state --state ESTABLISHED -j ACCEPT
To this:
Code:
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p TCP \
-m multiport --dports 80,443 -m state --state NEW -j ACCEPT
Also, is it fair to assume IP forwarding is enabled and your POSTROUTING rule for SNAT/MASQUERADE is being executed somewhere else? I ask because there is nothing of that sort in what you posted. You can confirm this for us by posting these:
Thanks for the reply. I changed the rules and still see the virus scanner asking for the outbound connection [SYN] in Wireshark. The ip_forward value is 1 and the following table shows the output of the iptables command you suggested:
Chain POSTROUTING (policy ACCEPT 682 packets, 45192 bytes)
 pkts bytes target             prot opt in  out  source     destination
 6773  470K CUSTOMPOSTROUTING  all  --  *   *    0.0.0.0/0  0.0.0.0/0
 6773  470K REDNAT             all  --  *   *    0.0.0.0/0  0.0.0.0/0
    0     0 SNAT               all  --  *   *    0.0.0.0/0  0.0.0.0/0   MARK match 0x1 to:192.168.200.1
Okay, you have tons of user-built chains which the packets must traverse first before getting to your rules. So the packets could be getting filtered in any of those chains. Do you have logging set up for any rule that sends packets to DROP? It's a good idea, as you could see what is happening, and where. That said, a quick fix for your problem could be to simply insert the rules above all the others, so that you know the packets will pass through them. For this, we basically just change the "-A" to a "-I", and invert the order of execution:
Success! By keeping Wireshark running, I could see the connection to the site and then it would fail again. The site is actually handing off to another server, so I added a rule for the return IP and voila - successful update!
Thanks so much for all your help - both service and turnaround time are outstanding!
I added all the alternate IPs that the AV scanner seems to query (both home and handoff) and it works flawlessly now. My next challenge is to do the same thing for ClamAV but that's tomorrow's problem...
As a newbie, it's very nice to have such great folks helping out. I really appreciate the help!
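As an added example (not code from the thread or from IPCop itself), here is the "-I" approach from the last reply written out as a small rc.firewall.local-style script: it covers several AV hosts, as the final post describes, and puts a rate-limited LOG rule ahead of the CUSTOMFORWARD DROP so blocked packets show up in the log. Interface roles (eth0 on the scanner's side, eth1 toward the Internet) follow the posted rules; the second host 198.51.100.10 and the IPT override are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the "-I" version of the rules for the
# start/stop sections of IPCop's rc.firewall.local, with a LOG rule ahead of
# the CUSTOMFORWARD drop. IPT may be overridden (IPT=echo) to print the
# commands instead of applying them. Interface roles and the second AV host
# (198.51.100.10) are constructed assumptions.
IPT="${IPT:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth0}"   # side the scanner lives on
RED_IF="${RED_IF:-eth1}"   # side facing the Internet
# Every address the updater talks to, home server and hand-off server alike.
AV_HOSTS="${AV_HOSTS:-193.86.3.36 198.51.100.10}"
WEB_PORTS="80,81,443,3128,6588,8000,8080,8181"

av_update_rules_start() {
    # -I puts each rule at the top of the chain, ahead of IPCop's own
    # user chains, so issue them in reverse of the intended match order:
    # per-host NEW rules first, the stateful rule last (ending at position 1).
    for host in $AV_HOSTS; do
        "$IPT" -I FORWARD -i "$LAN_IF" -o "$RED_IF" -p tcp -d "$host" \
            -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    done
    "$IPT" -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Log what the CUSTOMFORWARD DROP is about to discard (rate-limited so
    # a flood of blocked connections cannot fill the log).
    "$IPT" -I CUSTOMFORWARD -i "$LAN_IF" -o "$RED_IF" -p tcp \
        -m multiport --dports "$WEB_PORTS" \
        -m limit --limit 5/min -j LOG --log-prefix "CUSTOMFWD-DROP: "
}

av_update_rules_stop() {
    # -D deletes the first rule matching the same specification.
    "$IPT" -D CUSTOMFORWARD -i "$LAN_IF" -o "$RED_IF" -p tcp \
        -m multiport --dports "$WEB_PORTS" \
        -m limit --limit 5/min -j LOG --log-prefix "CUSTOMFWD-DROP: "
    "$IPT" -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    for host in $AV_HOSTS; do
        "$IPT" -D FORWARD -i "$LAN_IF" -o "$RED_IF" -p tcp -d "$host" \
            -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    done
}

case "${1:-}" in
    start)  av_update_rules_start ;;
    stop)   av_update_rules_stop ;;
    reload) av_update_rules_stop; av_update_rules_start ;;
esac
```

Running it as `IPT=echo sh rules.sh start` prints the commands in the order they would be issued, which is the easiest way to check that the RELATED,ESTABLISHED rule really ends up first in FORWARD before applying anything.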