LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-09-2007, 07:00 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Rep: Reputation: 60
Vncviewer and blank screen


I am using Fedora 6 and an iptables script. Every time I attempt to VNC to a client outside of my network I can connect fine (username and password), but after it connects nothing appears on the screen. That happens from any computer on my LAN, so I know that it is not the computer. When I do the same thing from my firewall I can connect without any issues and everything is fine. My firewall script is rather large but I will post it for feedback. Thanks

PHP Code:
#! /bin/sh
#
# Editor's note: the posted copy of this script lost several tokens in the forum's
# code formatter (the -F/-X in the per-table flush lines, the values written to
# /proc/sys, one -f and two match options) and had commands broken across lines.
# They are restored below; where a restored token is a guess it is marked as such.

IPTABLES="/sbin/iptables"

case "$1" in
   stop)
      echo "Shutting down firewall..."
      # Flush and delete every chain in all three tables, then open the default policies
      $IPTABLES -F
      $IPTABLES -F -t mangle
      $IPTABLES -F -t nat
      $IPTABLES -X
      $IPTABLES -X -t mangle
      $IPTABLES -X -t nat

      $IPTABLES -P INPUT ACCEPT
      $IPTABLES -P OUTPUT ACCEPT
      $IPTABLES -P FORWARD ACCEPT
      echo "...done"
      ;;
   status)
      echo "Table: filter"
      $IPTABLES --list
      echo "Table: nat"
      $IPTABLES -t nat --list
      echo "Table: mangle"
      $IPTABLES -t mangle --list
      ;;
   restart|reload)
      $0 stop
      $0 start
      ;;
   start)
      echo "Starting Firewall..."
      echo ""

##--------------------------Begin Firewall---------------------------------##

#----Default-Interfaces-----#
EXTIF="eth0"
INTIF="eth1"
INTLAN="192.168.7.0/27"
SQUID_FILTER="192.168.7.2"
FIREWALL="192.168.7.1"
#----Special Variables-----#

# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
#XWINPORTS="6000:6063"

# Ports for IRC-Connection-Tracking
#IRCPORTS="6665,6666,6667,6668,6669,7000"

# DMZ UDP ports
#DMZUDP="1024:1030,5060:5065,10000:20000"
####PS2 PORTS####

#-----Port-Forwarding Variables-----#

SSH_SERVER="192.168.2.21"

#IP for forwarded HTTP-traffic
HTTPIP="192.168.7.1/27"
DMZ_HTTPIP="192.168.2.1/27"
#IP's for DMZ to VOIP
DMZ_LAN="192.168.2.0/27"
DMZ_IFACE="eth2"
DMZ_IP="192.168.2.1"
#DMZ_PC_IP="192.168.2.2"
#DMZ_VOIP_PHONE="192.168.2.30"
DMZ_VOIP_SERVER="192.168.2.2"
#DMZ_SSH_SERVER="192.168.2.16"

####PS2#######
#PS2_NETWORK="192.168.5.0/28"
#PS2_IFACE="eth1"
#PS2_IP="192.168.5.1/28"
#PS2="192.168.5.10"

#----Flood Variables-----#

# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"

# Overall Limit for Logging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"

# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"

echo "Loading IPTABLES modules"

dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
#/sbin/modprobe ip_conntrack_sip
#/sbin/modprobe ip_nat_sip
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
#/sbin/modprobe ip_nat_irc ports=$IRCPORTS
dmesg -n 6

echo " --- "

#----Clear/Reset all chains-----#

#Clear all IPTABLES-chains

#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#$IPTABLES -N DMZ2WAN
#$IPTABLES -N WAN2DMZ

#----Set network sysctl options-----#
# (the numeric values in this block were lost in the posted copy and have been
#  restored from the comment above each line)
echo "Setting sysctl options"
#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
#Disabling IP Spoofing attacks.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#Set our local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
# The values for the next two settings did not survive in the posted copy and there
# is no comment to recover them from, so they are left disabled here (kernel default is 1).
#echo ? > /proc/sys/net/ipv4/tcp_window_scaling
#echo ? > /proc/sys/net/ipv4/tcp_sack

echo " --- "

echo "Creating user-chains"

#----Create logging chains-----#

#Invalid packets (not ESTABLISHED,RELATED or NEW)
$IPTABLES -N LINVALID
$IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP "
$IPTABLES -A LINVALID -j DROP
#TCP-Packets with one or more bad flags
$IPTABLES -N LBADFLAG
$IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
$IPTABLES -A LBADFLAG -j DROP
#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
$IPTABLES -N LSPECIALPORT
$IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP "
$IPTABLES -A LSPECIALPORT -j DROP

#Logging of possible TCP-SYN-Floods
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
$IPTABLES -A LSYNFLOOD -j DROP

#Logging of possible Ping-Floods
$IPTABLES -N LPINGFLOOD
$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
$IPTABLES -A LPINGFLOOD -j DROP

#All other dropped packets
$IPTABLES -N LDROP
$IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "
$IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "
$IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
# -f = second and further fragments (the -f was lost in the posted copy)
$IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "
$IPTABLES -A LDROP -j DROP

#All other rejected packets
$IPTABLES -N LREJECT
$IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT "
$IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT "
$IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
$IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT "
$IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A LREJECT -j REJECT

#----Create Accept-Chains-----#
#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in

$IPTABLES -N TCPACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
$IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

#----Create special User-Chains-----#

#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

$IPTABLES -N CHECKBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG

#Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)

#SMB-Traffic
$IPTABLES -N SMB
$IPTABLES -A SMB -p tcp --dport 137 -j DROP
$IPTABLES -A SMB -p tcp --dport 138 -j DROP
$IPTABLES -A SMB -p tcp --dport 139 -j DROP
$IPTABLES -A SMB -p tcp --dport 445 -j DROP
$IPTABLES -A SMB -p udp --dport 137 -j DROP
$IPTABLES -A SMB -p udp --dport 138 -j DROP
$IPTABLES -A SMB -p udp --dport 139 -j DROP
$IPTABLES -A SMB -p udp --dport 445 -j DROP
$IPTABLES -A SMB -p tcp --sport 137 -j DROP
$IPTABLES -A SMB -p tcp --sport 138 -j DROP
$IPTABLES -A SMB -p tcp --sport 139 -j DROP
$IPTABLES -A SMB -p tcp --sport 445 -j DROP
$IPTABLES -A SMB -p udp --sport 137 -j DROP
$IPTABLES -A SMB -p udp --sport 138 -j DROP
$IPTABLES -A SMB -p udp --sport 139 -j DROP
$IPTABLES -A SMB -p udp --sport 445 -j DROP

#Inbound Special Ports

$IPTABLES -N SPECIALPORTS

#Deepthroat Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j LSPECIALPORT

#Subseven Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT

#Netbus Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT

#Back Orifice scan
$IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT

#X-Win
#$IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j LSPECIALPORT

#Hack'a'Tack 2000
$IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT

#ICMP/TRACEROUTE FILTERING

#Inbound ICMP/Traceroute

$IPTABLES -N ICMPINBOUND

#Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD

##Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP

#Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP

#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP

#Allow all other ICMP in
$IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT

#Outbound ICMP/Traceroute

$IPTABLES -N ICMPOUTBOUND

#Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP

#Block ICMP-TTL-Expired
        #MS Traceroute (MS uses ICMP instead of UDP for tracert)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP

#Block ICMP-Parameter-Problem
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP

#Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP

#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP

##Accept all other ICMP going out
$IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT

#----End User-Chains-----#

echo " --- "

#----Start Ruleset-----#

echo "Implementing firewall rules..."

#################
## INPUT-Chain ## (everything that is addressed to the firewall itself)
#################

##GENERAL Filtering

  # Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A INPUT -m state --state INVALID -j LINVALID

  # Check TCP-Packets for Bad Flags
$IPTABLES -A INPUT -p tcp -j CHECKBADFLAG

##Packets FROM FIREWALL-BOX ITSELF

  #Local IF
$IPTABLES -A INPUT -i lo -j ACCEPT

  #Kill connections to the local interface from the outside world (--> Should already be caught by kernel/rp_filter)
  #(127.0.0.0/8 is the whole loopback net; the posted copy had the single address 127.0.0.0)
$IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT
  #(the match option in front of 127.0.0.1 was lost in the posted copy; -d is assumed here)
$IPTABLES -A INPUT -m tcp -p tcp -d 127.0.0.1 --dport 3128 -j DROP

##Packets FROM INTERNAL NET

 ##Allow unlimited traffic from internal network using legit addresses to firewall-box
 ##If protection from the internal interface is needed, alter it

$IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT

########################################DMZ PHONE##############################################################################

$IPTABLES -A INPUT -i $DMZ_IFACE -d $DMZ_LAN -j ACCEPT

##ICMP & Traceroute filtering

  #Block UDP-Traceroute
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP

#Drop all SMB-Traffic
$IPTABLES -A INPUT -i $EXTIF -j SMB

#Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset

##Public services running ON FIREWALL-BOX (uncomment to activate):

$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -m state --state ESTABLISHED,RELATED -j TCPACCEPT
#$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

############################### ssh ###########################################

#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 513 -m state --state NEW -j TCPACCEPT

############Separate logging of special portscans/connection attempts #######################

$IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS

##Allow ESTABLISHED/RELATED connections in

$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED,ESTABLISHED -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED,ESTABLISHED -j ACCEPT

##Catch all rule
$IPTABLES -A INPUT -j LDROP

##################
## Output-Chain ## (everything that comes directly from the Firewall-Box)
##################

##Packets TO FIREWALL-BOX ITSELF

  #Local IF
$IPTABLES -A OUTPUT -o lo -j ACCEPT

##Packets TO INTERNAL NET

  #Allow unlimited traffic to internal network using legit addresses

################################## DMZ OUTPUT #########################################################################

$IPTABLES -A OUTPUT -o $EXTIF -s $DMZ_LAN -j ACCEPT

#$IPTABLES -A OUTPUT -o $DMZ_IFACE -p ALL -j ACCEPT

$IPTABLES -A OUTPUT -o $EXTIF -p ALL -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p ALL -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $INTLAN -j ACCEPT

$IPTABLES -A OUTPUT -j LDROP

####################
## FORWARD-Chain  ## (everything that passes the firewall, incoming)
####################

##GENERAL Filtering

  #Kill invalid packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A FORWARD -m state --state INVALID -j LINVALID

  # Check TCP-Packets for Bad Flags
$IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG

##Filtering FROM INTERNAL NET

  ##Silent Drops/Rejects (Things we don't want in our logs)

   #SMB
#$IPTABLES -A FORWARD -o $EXTIF -j SMB

 ##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)

   #HTTP-Forwarding
$IPTABLES -A FORWARD -p tcp -s $INTLAN -i $EXTIF -o $INTIF -d $SQUID_FILTER --dport 3128 -j ACCEPT

##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -d $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -d $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT

##     Filtering FROM EXTERNAL NET

################################################# SSH #####################################################################
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d 192.168.2.21 --dport 22 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $DMZ_IFACE -d $DMZ_SSH_SERVER --dport 513 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -j SMB

##Allow replies coming in

$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT

#  $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp -s 192.168.7.0/27 -m multiport --dports 25,110 -m state --state NEW -j ACCEPT

########################################## DMZ #########################################################################

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 5050:5065 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 10000:20000 -m state --state NEW -j ACCEPT

################################################## VOIP ASTERISK WEB Interface ##############################################################################

#$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 80 -m state --state NEW -j ACCEPT

##Catch all rule/Deny every other forwarding

$IPTABLES -A FORWARD -j LDROP

################
## PREROUTING ##
################

##Port-Forwarding (--> Also see chain FORWARD)

######################################################## SSH ################################################################

#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 513 -j DNAT --to-destination $DMZ_SSH_SERVER
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 22 -j DNAT --to-destination $SSH_SERVER

######################################################### HTTP ############################################################

#(the match option in front of $SQUID_FILTER was lost in the posted copy; -d is assumed here)
$IPTABLES -t nat -A PREROUTING -i $EXTIF -d $SQUID_FILTER -p tcp --dport 8080 -j DNAT --to $SQUID_FILTER:3128

######################################### ASTERISK VOIP SERVER####################################################################################################
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT --to-destination $DMZ_VOIP_SERVER

$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 5050:5065 -j DNAT --to-destination $DMZ_VOIP_SERVER
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 10000:20000 -j DNAT --to-destination $DMZ_VOIP_SERVER
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $DMZ_HTTPIP --dport 53 -j DNAT --to-destination $DMZ_PC_IP
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d $DMZ_HTTPIP --dport 53 -j DNAT --to-destination $DMZ_PC_IP

#(the next two rules duplicate the two VOIP rules above; harmless, kept as posted)
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 5050:5065 -j DNAT --to-destination $DMZ_VOIP_SERVER
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 10000:20000 -j DNAT --to-destination $DMZ_VOIP_SERVER

###################
##  POSTROUTING  ##
###################

#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -d $SQUID_FILTER -j MASQUERADE

#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -d $SQUID_FILTER -p tcp -j SNAT --to-source $FIREWALL

  #Masquerade from Internal Net to External Net
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE

#------End Ruleset------#

echo "...done"
echo ""

echo "--> IPTABLES firewall loaded/activated <--"

##--------------------------------End Firewall---------------------------------##

      ;;
   *)
      echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
      exit 1
esac

exit 0

Last edited by metallica1973; 12-09-2007 at 09:00 PM.
 
Old 12-09-2007, 08:05 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Your best bet is to have a LOG rule before any DROPs or REJECTs. That way you can see what type of packets are getting filtered when the problem occurs. With that info we can then proceed to diagnose the problem more efficiently.
 
Old 12-09-2007, 10:59 PM   #3
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
Forgive me if I have missed it, but I see no provision in your FORWARD chain for passing back the reply packet that an external VNC server will send on an initial connection setup (TCP SYN,ACK). I see how you can get the original packet out, and (if it were ever established) how traffic would flow on an ESTABLISHED connection. VNC uses TCP port 5901 by default, and you need a rule allowing the SYNACK packet back in from the Internet onto your local net.
 
Old 12-10-2007, 12:18 AM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by dkm999:
Forgive me if I have missed it, but I see no provision in your FORWARD chain for passing back the reply packet that an external VNC server will send on an initial connection setup (TCP SYN,ACK). I see how you can get the original packet out, and (if it were ever established) how traffic would flow on an ESTABLISHED connection. VNC uses TCP port 5901 by default, and you need a rule allowing the SYNACK packet back in from the Internet onto your local net.
The rule appears there:
Quote:
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
I haven't checked if a rule above it is making it futile, though.
 
Old 12-10-2007, 05:29 AM   #5
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
win32sux,

First of all, thanks for the reply. I believe that I have created logging rules that are tracking certain events, but it is not sufficient. What would be the next step? Thanks
 
Old 12-10-2007, 02:56 PM   #6
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
Contrary to what win32sux has posted, you do not have a rule that allows the TCP connection to complete, as far as I can see. The rule cited
Quote:
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
only comes into play after the firewall has seen traffic in both directions on a connection. The missing piece should probably look something like this:
Code:
$IPTABLES -A FORWARD -i $EXTIF -m tcp -p tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK -j ACCEPT
 
Old 12-10-2007, 11:25 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by metallica1973:
first of all thanks for the reply. I believe that I have created logging rules that are tracking certain events but it is not sufficient enough. What would be the next step. thanks
Yeah, I just had another quick look at your script and you do seem to be logging pretty much every filter event. But why isn't that enough? Not sure what you mean by that. You just basically have to monitor the log file the moment the problem occurs. You should be able to tell by the tag which chain filtered the packet. In any case, you can approach this from another direction if you want: Start re-building your FORWARD chain from scratch. If you do it step by step, you'll eventually hit the snag which is causing the problem.


BTW, I'm assuming the following stripped-down FORWARD chain doesn't trigger the problem, right?

Code:
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW -j ACCEPT
Because if it does, then something isn't right somewhere else.


Quote:
Originally Posted by dkm999:
Contrary to what win32sux has posted, you do not have a rule that allows the TCP connection to complete, as far as I can see. The rule cited only comes into play after the firewall has seen traffic in both directions on a connection. The missing piece should probably look something like this:
Code:
$IPTABLES -A FORWARD -i $EXTIF -m tcp -p tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK -j ACCEPT
The ESTABLISHED state covers the SYN/ACK. If this wasn't the case, he wouldn't even have been able to get the password prompt. I also wouldn't have been able to post this message right now.

Last edited by win32sux; 12-10-2007 at 11:26 PM.
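The open question from post #4 ("I haven't checked if a rule above it is making it futile") can be answered mechanically rather than by eye. The script below is an added example for this thread, not code from any of the posters: it reads `iptables-save` output, finds the first ACCEPT for ESTABLISHED state in a chain, and lists every rule that is evaluated before it. Those are the only rules that can swallow a reply packet such as the VNC server's SYN/ACK or framebuffer data. The ruleset embedded at the bottom is constructed for the example and mirrors the FORWARD chain of the script in post #1 (eth0 = WAN, eth1 = LAN, eth2 = DMZ, as in that script); the function itself also understands the newer `-m conntrack --ctstate` spelling.

```shell
#!/bin/sh
# Added example, not code from the thread: list the rules of a chain that are
# evaluated BEFORE its ACCEPT for ESTABLISHED state. Reads iptables-save output
# on stdin. Handles both "-m state --state" (2007-era) and "-m conntrack --ctstate".

# Usage: iptables-save | rules_before_established [CHAIN]   (CHAIN defaults to FORWARD)
# Prints the position of the first ESTABLISHED accept and every rule ahead of it;
# returns 1 if the chain has no such rule at all.
rules_before_established() {
    chain="${1:-FORWARD}"
    awk -v chain="$chain" '
        /^\*/     { table = substr($0, 2); next }      # "*filter", "*nat", ...
        /^COMMIT/ { table = ""; next }
        table == "filter" && $1 == "-A" && $2 == chain {
            n++
            # first rule that accepts ESTABLISHED (alone or in a list such as RELATED,ESTABLISHED)
            if ($0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/ && $0 ~ / -j ACCEPT$/) { found = n; exit }
            rules[n] = $0
        }
        END {
            if (!found) {
                printf "%s: no ACCEPT for ESTABLISHED state found\n", chain > "/dev/stderr"
                exit 1
            }
            printf "%s: ESTABLISHED accept is rule %d; %d rule(s) are evaluated before it:\n", chain, found, found - 1
            for (i = 1; i < found; i++) printf "  %d: %s\n", i, rules[i]
        }
    '
}

# Constructed iptables-save output that mirrors the FORWARD chain of the script in
# post #1 (interfaces eth0=WAN, eth1=LAN, eth2=DMZ as in that script).
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.2.21
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:CHECKBADFLAG - [0:0]
:LDROP - [0:0]
:LINVALID - [0:0]
:SMB - [0:0]
-A FORWARD -m state --state INVALID -j LINVALID
-A FORWARD -p tcp -j CHECKBADFLAG
-A FORWARD -s 192.168.7.0/27 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 -j ACCEPT
-A FORWARD -s 192.168.7.0/27 -i eth1 -o eth0 -p udp -m udp --sport 1024:65535 -j ACCEPT
-A FORWARD -d 192.168.2.21 -i eth0 -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -j SMB
-A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
-A FORWARD -j LDROP
COMMIT'

# Stand-alone demo on the constructed ruleset
printf '%s\n' "$SAMPLE_SAVE" | rules_before_established FORWARD
```

On the real firewall, source the file and run `iptables-save | rules_before_established FORWARD`. For the chain above it reports six rules ahead of the state accept: the INVALID check, CHECKBADFLAG, the two LAN-to-WAN accepts, the SSH forward and the SMB chain. Of those, only the ones that end in a DROP or a user chain with a DROP (LINVALID, CHECKBADFLAG, SMB) can discard a reply, so they are the rules whose log prefixes to watch for when the screen stays blank.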
 
Old 12-11-2007, 06:15 AM   #8
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Here is a stupid question:

In my log files, where would it show that packets are being dropped in regards to vncviewer when connecting to my client? I guess I would look for the external IP of the address that I am connecting to and look for dropped packets statement or can I create a rule that will log stuff that is being dropped outbound?
 
Old 12-11-2007, 11:49 AM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by metallica1973:
In my log files, where would it show that packets are being dropped in regards to vncviewer when connecting to my client? I guess I would look for the external IP of the address that I am connecting to and look for dropped packets statement or can I create a rule that will log stuff that is being dropped outbound?
You'd just need to look for any of the labels you are using in your LOG rules.

I'd recommend temporarily blocking (if possible) access to the WAN from all LAN computers except the one you are running the test from. It's not necessary, but it would make it much easier to visually spot the relevant packets. Just execute something like this, where $IP is the private IP of the computer you are trying to connect *from*:
Code:
# "! -s" is the negation syntax current iptables releases require; older ones also took "-s !"
iptables -I FORWARD -i $INTIF ! -s $IP -j REJECT
BTW, did you execute the commands in my previous post? Like I said, if your VNC thing didn't work with that configuration then I'd say it's pointless to continue troubleshooting the FORWARD chain.

Last edited by win32sux; 12-11-2007 at 11:50 AM.
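Posts #2, #8 and #9 all come down to the same step: once the problem is reproduced, find the LOG lines that concern the VNC peer and see which prefix they carry. The script below is an added example for this thread, not code from any of the posters. It reads kernel-log lines (on Fedora of that era, `/var/log/messages`; assumed) from stdin, keeps the ones whose SRC or DST is the remote host, and counts them by log prefix, direction, interfaces, protocol and port pair. The prefixes are the `fp=<chain>:<n> a=DROP` ones the script in post #1 uses; the log lines embedded in it are constructed for the example (RFC 5737 addresses). One caveat worth knowing when you grep by hand: replies logged in FORWARD show the LAN client's private address as DST, because the MASQUERADE mapping is undone in PREROUTING before FORWARD sees the packet, so filter on the remote peer's address rather than on the firewall's public IP.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise what the firewall's LOG rules
# reported about one remote host. Reads kernel-log lines on stdin, keeps those whose
# SRC or DST is PEER, and counts them per log prefix, direction, interfaces,
# protocol and port pair, most frequent first. Assumes the standard netfilter LOG
# format (IN= OUT= SRC= DST= PROTO= SPT= DPT= ...) and the "fp=... a=DROP" prefixes
# used by the script in post #1.

# Usage: grep 'a=DROP' /var/log/messages | fw_log_summary PEER_IP
fw_log_summary() {
    peer="$1"
    [ -n "$peer" ] || { echo "usage: fw_log_summary PEER_IP" >&2; return 1; }
    awk -v peer="$peer" '
        /kernel:.*fp=/ {
            split("", kv)                              # clear the KEY=VALUE map for this line
            for (i = 1; i <= NF; i++)
                if (split($i, pair, "=") == 2) kv[pair[1]] = pair[2]
            if (kv["SRC"] != peer && kv["DST"] != peer) next
            dir = (kv["SRC"] == peer) ? "from-peer" : "to-peer"
            key = kv["fp"] " " dir " IN=" kv["IN"] " OUT=" kv["OUT"] " " kv["PROTO"] " " kv["SPT"] "->" kv["DPT"]
            count[key]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample (RFC 5737 addresses): a VNC server at 203.0.113.5 answering a
# LAN client at 192.168.7.10 (DST already un-NATed), plus two unrelated probes
# against the firewall's WAN address 192.0.2.1.
SAMPLE_LOG='Dec 11 19:02:11 fw kernel: fp=TCP:1 a=DROP IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.7.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=5901 DPT=40123 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Dec 11 19:02:11 fw kernel: fp=INVALID:1 a=DROP IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.7.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=5901 DPT=40123 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Dec 11 19:02:12 fw kernel: fp=INVALID:1 a=DROP IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.7.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=5901 DPT=40123 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Dec 11 19:02:13 fw kernel: fp=UDP:2 a=DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=78 TOS=0x00 PREC=0x00 TTL=115 ID=4321 PROTO=UDP SPT=1030 DPT=137 LEN=58
Dec 11 19:02:14 fw kernel: fp=SPECIALPORT:1 a=DROP IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=777 DF PROTO=TCP SPT=4455 DPT=27374 WINDOW=16384 RES=0x00 SYN URGP=0'

# Stand-alone demo: what the firewall logged about the VNC server
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary 203.0.113.5
```

Read the output by prefix: `fp=TCP:1` comes from the catch-all LDROP chain, meaning no earlier rule matched the packet at all, while `fp=INVALID:1` means the packet reached the firewall on a tracked connection but conntrack refused to classify it as part of it; in the script above that check sits before the ESTABLISHED accept, so such a reply never gets a chance to match the state rule.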
 
Old 12-11-2007, 04:03 PM   #10
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Do you mean this statement? No, I haven't tried it yet, but I will in a few minutes!

PHP Code:
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW -j ACCEPT
 
Old 12-11-2007, 08:19 PM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Yes, those were the commands I was referring to.
 
  

