krock923
08-22-2006 09:34 PM
One of my iptables rules is making X not work
Hello. I use a script to create my iptables configuration. It works very well on my server (that doesn't have X installed) and does a pretty good job of blocking nmap and nessus. However, when I try to use this on my desktop. . . blammo! X doesn't work correctly. What happens is X starts and gdm starts up fine, I log in and it just hangs. Would anyone mind taking a look at my script and telling me where the problem might be?
Code:
#!/bin/sh
IPTABLES=/sbin/iptables
MYSUBNET=<obfuscated>
SERVER=<obfuscated>
case "$1" in
  start)
    echo -n "Starting IP Firewall. . ."
    # Clear old rules
    $IPTABLES -X
    $IPTABLES -F
    $IPTABLES -Z
    # Turning on boolean protections
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    # Create LOGDROP chain: log the packet, then drop it
    $IPTABLES -N LOGDROP
    $IPTABLES -A LOGDROP -j LOG --log-level debug
    $IPTABLES -A LOGDROP -j DROP
    ###########################################################################################
    # The rules between the comment lines are meant to block nmap scans.
    # Rules that carry "-i eth0" match only packets arriving on eth0.
    $IPTABLES -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j LOGDROP
    $IPTABLES -A INPUT -i eth0 -f -j LOGDROP
    $IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j LOGDROP
    $IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j LOGDROP
    # The rules below carry no "-i" match, so they also apply to packets arriving on lo.
    $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j LOGDROP
    $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOGDROP
    $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOGDROP
    $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOGDROP
    $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j LOGDROP
    $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags URG,ACK URG -j LOGDROP
    # Rate-limit new TCP connections on every interface (lo included):
    # 1 SYN per second with a burst of 2, anything faster is logged and dropped.
    $IPTABLES -N syn_flood
    $IPTABLES -A INPUT -p tcp --syn -j syn_flood
    $IPTABLES -A syn_flood -m limit --limit 1/s --limit-burst 2 -j RETURN
    $IPTABLES -A syn_flood -j LOGDROP
    ############################################################################################
    # INPUT Rules - Add to this section the ports you wish to explicitly allow connections on
    # Below are some common services that are commonly used
    # Comment out the lines to disable access to these services
    # The port numbers for other services you may wish to allow can be found in the /etc/services file
    # Shell variables must be expanded with "$", otherwise iptables sees the literal word MYSUBNET.
    # Refuse input packets spoofed as the loopback
    $IPTABLES -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
    $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # Allows connections you start
    $IPTABLES -A INPUT -i eth0 -p tcp -s $MYSUBNET --dport 21 -j ACCEPT # Allow FTP connections
    $IPTABLES -A INPUT -i eth0 -p udp -s $MYSUBNET --dport 21 -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p tcp -s $MYSUBNET --dport 22 -j ACCEPT # SSH connections
    # NTP
    $IPTABLES -A INPUT -i eth0 -p tcp -s $MYSUBNET --dport 123 -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p udp -s $MYSUBNET --dport 123 -j ACCEPT
    # vmware
    $IPTABLES -A INPUT -i eth0 -p tcp -s $MYSUBNET --dport 902 -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p udp -s $MYSUBNET --dport 902 -j ACCEPT
    # Allow pings from certain hosts but reject the rest
    $IPTABLES -A INPUT -i eth0 -p icmp -s $SERVER -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p icmp -j LOGDROP
    # Everything else arriving on eth0 is logged and dropped
    $IPTABLES -A INPUT -i eth0 -m state --state NEW -j LOGDROP
    $IPTABLES -A INPUT -i eth0 -j DROP
    echo "done."
    ;;
  stop)
    echo -n "Stopping IP Firewall and NAT..."
    $IPTABLES -X
    $IPTABLES -F
    $IPTABLES -Z
    # Input Rules
    $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -j REJECT
    echo "done."
    ;;
  restart)
    echo -n "Restarting IP Firewall and NAT..."
    $0 stop > /dev/null
    sleep 1
    $0 start > /dev/null
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    ;;
esac
I'm also getting a problem with a 'too many links' error but I really have no idea what might be causing that.
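A quick static check that helps when a ruleset like the one above works on a server but breaks a desktop: list the INPUT rules that carry no `-i` match (they also apply to loopback traffic, which local X clients use) and spot shell variables that are referenced without `$`. This is an added example, not code from the poster; the rule lines it scans are a constructed excerpt in the same shape as the script above.

```python
"""Lint an iptables start-script: find INPUT rules not bound to an interface
(so they also match packets on lo) and variables used bare instead of $VAR."""
import re
import shlex

# Constructed sample in the shape of the posted script (not a copy of it).
SAMPLE_SCRIPT = """
IPTABLES=/sbin/iptables
MYSUBNET=192.0.2.0/24
$IPTABLES -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j LOGDROP
$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j LOGDROP
$IPTABLES -A INPUT -p tcp --syn -j syn_flood
$IPTABLES -A syn_flood -m limit --limit 1/s --limit-burst 2 -j RETURN
$IPTABLES -A INPUT -i eth0 -p tcp -s MYSUBNET --dport 22 -j ACCEPT  # SSH
"""


def parse_rules(script):
    """Return (chain, tokens) for each '$IPTABLES -A <chain> ...' line, comments stripped."""
    rules = []
    for line in script.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("$IPTABLES -A"):
            continue
        tokens = shlex.split(line)[1:]      # drop the leading $IPTABLES token
        rules.append((tokens[1], tokens))   # tokens[1] is the chain name after -A
    return rules


def rules_without_interface(rules, chain="INPUT"):
    """Rules in `chain` with no '-i' match; these see lo traffic as well as eth0."""
    return [" ".join(t) for c, t in rules if c == chain and "-i" not in t]


def unexpanded_variables(script):
    """Variables assigned in the script but used as a bare word (missing '$') in a rule."""
    names = set(re.findall(r"^([A-Za-z_]\w*)=", script, re.M))
    return [(tok, " ".join(tokens))
            for _, tokens in parse_rules(script)
            for tok in tokens if tok in names]


if __name__ == "__main__":
    for rule in rules_without_interface(parse_rules(SAMPLE_SCRIPT)):
        print("no -i match (also hits lo):", rule)
    for name, rule in unexpanded_variables(SAMPLE_SCRIPT):
        print(f"variable {name} used without $:", rule)
```

Run it against the real script by reading the file into `SAMPLE_SCRIPT`'s place; the same two checks apply to the FORWARD chain with `chain="FORWARD"`.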