Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I can't get FC4's Lokkit to play nice with vsftpd. I check the box for ftp and it will not open up a connection. Now if I select to trust eth0 it works, but then I'm not firewalling anything, right? Is there a way to edit iptables by hand, and if so what entries should I put in? Is there a better firewall out there that works well with FC4?
I can't get FC4's Lokkit to play nice with vsftpd. I check the box for ftp and it will not open up a connection.
Does the ftp client show any useful specific error(codes)?
Now if I select to trust eth0 it works, but then I'm not firewalling anything, right?
I don't know. Never used Lokkit. Doesn't the documentation tell?
Is there a way to edit iptables by hand, if so what entries should I put in?
By default the rules should be in /etc/sysconfig/iptables.
Post the contents and we'll see.
Is there a better firewall out there that works good with FC4?
There is no firewall but Iptables, you mean a better *front-end*. No recommendations from me there, I prefer to use vi from the commandline. I know there's lots of front-ends, check the FC4 repositories using your favourite package management update tool (synaptic, apt-get, yum, autoupd) or search LQ or search Freshmeat.net.
Here is what my iptable looks like with ftp and ssh checked and trust eth0 checked.
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
This works and I can get ftp through, but it looks like it lets everything past.
Here it is without the eth0 box checked; ftp does not work but ssh does.
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
The only thing I can see different is the line:
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
So there must be something wrong with my rule for ftp.
Active FTP needs inbound (NEW) access to the control channel (tcp/21), inbound (ESTABLISHED,RELATED) for the data portion and outbound NEW (OUTPUT policy ACCEPT). In your second example they're all there, so I would try a "modprobe ip_conntrack_ftp" if that module isn't loaded. This will help Iptables track the data portion connections (ESTABLISHED,RELATED) it otherwise would not know about. If that still ain't working, and there's no router in front blocking ports, add a line above the "--reject-with icmp-host-prohibited" line:
-A RH-Firewall-1-INPUT -j LOG --log-level info --log-prefix " REJECT"
to have all traffic logged (usually to /var/log/messages) before it's dropped. Good for debugging.
I lied, it didn't work.
Can you verify the contents are still the same as when you made the changes? AFAIK if you use iptables restart it might use iptables-save to save the in-memory rules and so overwrite changes. You should use iptables start after making changes to /etc/sysconfig/iptables.
I'm not really sure what any of that means.
In short a TCP traffic initiation request from 192.168.1.1 (port 52754) to 192.168.1.2 (port 37717) was rejected. Doesn't seem FTP related to me.
From your second example, add two lines below "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT". Note spaces in the logline are intentional, else it'll fsck up your syslog:
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -j LOG --log-level info --log-prefix " ALLOW_LAN "
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -j ACCEPT
What this will do is just allow any traffic from your 192.168.1.0 LAN. It's not what you want, but it'll work.
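To see why the three rulesets in this thread behave differently, here is an added example (my code, not from the thread, Fedora or system-config-securitylevel): it parses the second ruleset posted above, builds the "trust eth0" ruleset and the ALLOW_LAN variant from it, and walks constructed packets through INPUT. The parser, decide() and packet() are assumptions of the example, as is the COMMIT line added because iptables-restore needs one; the addresses and port 37717 come from the rejected connection described earlier in the thread. The conntrack state is given by hand, so marking the high-port data connection RELATED stands in for what ip_conntrack_ftp supplies on a real box.

```python
"""Rule walker for the iptables-save rulesets posted in this thread (added example,
not from the thread or from system-config-securitylevel). Only the matches the
posted rules use are understood: -i, -p, -s, -d, --dport, -m state --state, plus
ACCEPT/REJECT/LOG and jumps to user chains. Conntrack state is supplied by hand."""
import ipaddress
import shlex

# Constructed copy of the second ruleset from the thread (no eth0 trust), plus COMMIT.
RULES_NO_TRUST = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# First ruleset from the thread: the same plus the "trust eth0" line after the lo rule.
RULES_TRUST_ETH0 = RULES_NO_TRUST.replace(
    "-i lo -j ACCEPT\n", "-i lo -j ACCEPT\n-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT\n")
# Second ruleset plus the two ALLOW_LAN lines suggested in the last reply.
RULES_ALLOW_LAN = RULES_NO_TRUST.replace("--dport 22 -j ACCEPT\n", "--dport 22 -j ACCEPT\n"
    + '-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -j LOG --log-level info --log-prefix " ALLOW_LAN "\n'
    + "-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -j ACCEPT\n")

def parse_rules(text):
    """Return ({chain: [rule, ...]}, {chain: policy}) from iptables-save text."""
    chains, policies = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                       # chain declaration with policy
            name, policy, _counters = line[1:].split()
            chains[name], policies[name] = [], policy
            continue
        toks = shlex.split(line)                       # keeps the quoted log prefix whole
        rule = {"state": None, "target": None}
        for i in range(2, len(toks), 2):               # "-A <chain>" then option/argument pairs
            opt, arg = toks[i], toks[i + 1]
            if opt == "-j":        rule["target"] = arg
            elif opt == "-i":      rule["iface"] = arg
            elif opt == "-p":      rule["proto"] = arg
            elif opt == "-s":      rule["src"] = ipaddress.ip_network(arg)
            elif opt == "-d":      rule["dst"] = ipaddress.ip_network(arg)
            elif opt == "--dport": rule["dport"] = int(arg)
            elif opt == "--state": rule["state"] = set(arg.split(","))
            elif opt == "--log-prefix": rule["prefix"] = arg
            elif opt not in ("-m", "--icmp-type", "--log-level", "--reject-with"):
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        chains[toks[1]].append(rule)
    return chains, policies

def _matches(rule, pkt):
    """Every match the rule carries must agree with the packet."""
    return (rule.get("iface", pkt["iface"]) == pkt["iface"]
            and rule.get("proto", pkt["proto"]) == pkt["proto"]
            and ("src" not in rule or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and ("dst" not in rule or ipaddress.ip_address(pkt["dst"]) in rule["dst"])
            and rule.get("dport", pkt["dport"]) == pkt["dport"]
            and (rule["state"] is None or pkt["state"] in rule["state"]))

def _walk(chains, policies, chain, pkt, logged):
    """Terminating target for pkt in chain, or None when it falls off a user chain."""
    for rule in chains[chain]:
        if not _matches(rule, pkt):
            continue
        target = rule["target"]
        if target == "LOG":                            # non-terminating: note the prefix, go on
            logged.append(rule.get("prefix", ""))
        elif target in chains:                         # jump into RH-Firewall-1-INPUT
            result = _walk(chains, policies, target, pkt, logged)
            if result is not None:
                return result                          # otherwise it returned: keep going
        else:
            return target                              # ACCEPT / REJECT / DROP
    return None if policies[chain] == "-" else policies[chain]

def decide(ruleset_text, pkt):
    """Run one inbound packet through INPUT; returns (verdict, log prefixes hit)."""
    chains, policies = parse_rules(ruleset_text)
    logged = []
    return _walk(chains, policies, "INPUT", pkt, logged), logged

def packet(dport, state="NEW", proto="tcp", src="192.168.1.1", dst="192.168.1.2", iface="eth0"):
    """Constructed inbound packet as seen on the FTP server (hosts from the thread's log line)."""
    return {"iface": iface, "proto": proto, "src": src, "dst": dst, "dport": dport, "state": state}

if __name__ == "__main__":
    for name, r in (("no trust", RULES_NO_TRUST), ("trust eth0", RULES_TRUST_ETH0), ("allow LAN", RULES_ALLOW_LAN)):
        print(name, decide(r, packet(21)), decide(r, packet(37717)), decide(r, packet(37717, "RELATED")))
```

Run as a script it prints the verdict each ruleset gives for the control connection (NEW to tcp/21), for the data connection as it appeared in the rejected log line (NEW to tcp/37717), and for that same data connection once conntrack has marked it RELATED. The walk shows that the trust line accepts every packet arriving on eth0 before the state or port rules are consulted, from any source address; that without it the data connection is rejected unless ip_conntrack_ftp has tagged it RELATED; and that the ALLOW_LAN pair logs and accepts anything from 192.168.1.0/24 while NEW connections from outside that range still hit the REJECT rule. It models only the matches these rules use, not iptables in general.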