LinuxQuestions.org


krock923 08-22-2006 09:34 PM

One of my iptables rules is making X not work
 
Hello. I use a script to create my iptables configuration. It works very well on my server (that doesn't have X installed) and does a pretty good job of blocking nmap and nessus. However, when I try to use this on my desktop... blammo! X doesn't work correctly. What happens is X starts and gdm starts up fine, I log in and it just hangs. Would anyone mind taking a look at my script and telling me where the problem might be?

Code:

IPTABLES=/sbin/iptables
MYSUBNET=<obfuscated>
SERVER=<obfuscated>

case "$1" in
start)
        echo -n "Starting IP Firewall. . ."
        echo "1" > /proc/sys/net/ipv4/tcp_syncookies

        # Clear old rules: flush first, since -X refuses to delete a chain that still holds rules
        $IPTABLES -F
        $IPTABLES -X
        $IPTABLES -Z

        #Turning on boolean protections
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
        echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
        echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

        #Create LOGDROP chain
        $IPTABLES -N LOGDROP
        $IPTABLES -A LOGDROP -j LOG --log-level debug
        $IPTABLES -A LOGDROP -j DROP

        ###########################################################################################
        # Rules between the comment lines are there to drop nmap-style scans (bad TCP flag combos,
        # fragments, new connections without SYN) and to rate-limit incoming SYNs.
        $IPTABLES -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j LOGDROP
        $IPTABLES -A INPUT -i eth0 -f -j LOGDROP
        $IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j LOGDROP
        $IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j LOGDROP
        $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j LOGDROP
        $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOGDROP
        $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOGDROP
        $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOGDROP
        $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j LOGDROP
        $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags URG,ACK URG -j LOGDROP
        $IPTABLES -N syn_flood
        $IPTABLES -A INPUT -p tcp --syn -j syn_flood
        $IPTABLES -A syn_flood -m limit --limit 1/s --limit-burst 2 -j RETURN
        $IPTABLES -A syn_flood -j LOGDROP
        ############################################################################################

        # INPUT Rules - Add to this section the ports you wish to explicitly allow connections on
        #      Below are some common services that are commonly used
        #      Comment out the lines to disable access to these services
        #      The port numbers for other services you may wish to allow can be found in the /etc/services file


        # Refuse input packets spoofed as the loopback
        $IPTABLES -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP

        $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT      # Allows connections you start
        $IPTABLES -A INPUT -i eth0 -p tcp -s $MYSUBNET --dport 21 -j ACCEPT        # Allow FTP connections
        $IPTABLES -A INPUT -i eth0 -p udp -s $MYSUBNET --dport 21 -j ACCEPT

        $IPTABLES -A INPUT -i eth0 -p tcp -s $MYSUBNET --dport 22 -j ACCEPT  # SSH connections
        $IPTABLES -A INPUT -i eth0 -p tcp -s $MYSUBNET --dport 22 -j ACCEPT

        # NTP
        $IPTABLES -A INPUT -i eth0 -p tcp -s $MYSUBNET --dport 123 -j ACCEPT
        $IPTABLES -A INPUT -i eth0 -p udp -s $MYSUBNET --dport 123 -j ACCEPT

        # VMware
        $IPTABLES -A INPUT -i eth0 -p tcp -s $MYSUBNET --dport 902 -j ACCEPT
        $IPTABLES -A INPUT -i eth0 -p udp -s $MYSUBNET --dport 902 -j ACCEPT

        # Allow pings from certain hosts but log and drop the rest
        $IPTABLES -A INPUT -i eth0 -p icmp -s $SERVER -j ACCEPT
        $IPTABLES -A INPUT -i eth0 -p icmp -j LOGDROP
        # Anything else that is a new connection gets logged and dropped; the rest is dropped silently
        $IPTABLES -A INPUT -i eth0 -m state --state NEW -j LOGDROP
        $IPTABLES -A INPUT -i eth0 -j DROP

        echo "done."
        ;;
stop)
        echo -n "Stopping IP Firewall and NAT..."
        $IPTABLES -F
        $IPTABLES -X
        $IPTABLES -Z

        # Input Rules
        $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A INPUT -i eth0 -j REJECT
        echo "done."
        ;;

restart)
        echo -n "Restarting IP Firewall and NAT..."
        $0 stop > /dev/null
        sleep 1
        $0 start > /dev/null
        ;;

*)
        echo "Usage: $0 {start|stop|restart}"
        ;;
esac


I'm also getting a problem with a 'too many links' error but I really have no idea what might be causing that.

win32sux 08-22-2006 11:28 PM

Looks like you're missing a rule for your loopback interface...
Code:

$IPTABLES -I INPUT -i lo -j ACCEPT

~=gr3p=~ 08-22-2006 11:55 PM

See, the best way to troubleshoot iptables is LOG:
Add this rule at the end of the INPUT chain:

$IPTABLES -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "Firewall: INPUT died: "

And then monitor:

tail -f /var/log/messages

You should find the missing rule.
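To show what the logging approach above turns up, here is an added example (not code from any poster): a small Python parser for the kernel lines the LOG target writes, summarising drops per interface, protocol and destination port and flagging packets dropped on lo, the symptom that the missing loopback ACCEPT rule produces. The sample log lines are constructed, and the LOG rule is assumed to match on all interfaces (without `-i eth0`) so loopback packets reach it.

```python
import re
from collections import Counter

# Constructed sample of what `tail -f /var/log/messages` shows for packets that hit
# a LOG rule using --log-prefix "Firewall: INPUT died: " (not real log data).
SAMPLE_LOG = """\
Aug 23 20:55:01 desktop kernel: Firewall: INPUT died: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=45678 DPT=6000 WINDOW=32792 RES=0x00 SYN URGP=0
Aug 23 20:55:01 desktop kernel: Firewall: INPUT died: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=45679 DPT=6000 WINDOW=32792 RES=0x00 SYN URGP=0
Aug 23 20:55:03 desktop kernel: Firewall: INPUT died: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.99 DST=10.0.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=33000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 23 20:55:04 desktop kernel: Firewall: INPUT died: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.99 DST=10.0.0.5 LEN=28 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Aug 23 20:55:05 desktop sshd[1234]: Accepted publickey for alice from 10.0.0.7 port 50000 ssh2
"""

LOG_PREFIX = "Firewall: INPUT died: "
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # KEY=value tokens; bare flags like DF or SYN are skipped

def parse_log(text, prefix=LOG_PREFIX):
    """Return one dict of KEY=value fields per line that carries the iptables log prefix."""
    entries = []
    for line in text.splitlines():
        pos = line.find(prefix)
        if pos < 0:
            continue                       # unrelated syslog line
        fields = {}
        for key, value in FIELD_RE.findall(line[pos + len(prefix):]):
            fields.setdefault(key, value)  # keep the first ID= (IP header), not the ICMP echo id
        entries.append(fields)
    return entries

def summarize(entries):
    """Count dropped packets per (input interface, protocol, destination port)."""
    return Counter((e.get("IN", ""), e.get("PROTO", ""), e.get("DPT", "-")) for e in entries)

def loopback_drops(entries):
    """Drops with IN=lo: local clients (e.g. X on 127.0.0.1:6000) never reached an ACCEPT rule."""
    return [e for e in entries if e.get("IN") == "lo"]

if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for (iface, proto, dpt), n in summarize(ents).most_common():
        print("%-5s %-5s dpt=%-5s %d" % (iface, proto, dpt, n))
    if loopback_drops(ents):
        print("loopback traffic is being dropped: insert '-i lo -j ACCEPT' at the top of INPUT")
```

Run it against the real file with `parse_log(open("/var/log/messages").read())`; the prefix argument lets you reuse it for other `--log-prefix` strings such as the LOGDROP chain's.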

krock923 08-23-2006 09:00 PM

d'oh. Always doing silly stuff like forgetting the loopback. Ah well, at least it was something obvious.

SierraKilo 08-24-2006 01:20 AM

But don't forget $IPTABLES -I OUTPUT -o lo -j ACCEPT ;)

win32sux 08-24-2006 02:10 AM

Quote:

Originally Posted by SierraKilo
But don't forget $IPTABLES -I OUTPUT -o lo -j ACCEPT ;)

Yeah, hehe... OTOH, there are no OUTPUT rules in the script, so I think it's safe to assume the OUTPUT policy is set to ACCEPT...
