Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am using Fedora 6 and an iptables script. Every time I attempt to VNC to a client outside of my network I can connect fine (username and password), but after it connects nothing appears on the screen. That happens from any computer on my LAN, so I know that it is not the computer. When I do the same thing from my firewall I can connect without any issues and everything is fine. My firewall script is rather large, but I will post it for feedback. Thanks
Code:
#! /bin/sh
IPTABLES="/sbin/iptables"

case "$1" in
stop)
    echo "Shutting down firewall..."
    $IPTABLES -F
    $IPTABLES -F -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X
    $IPTABLES -X -t mangle
    $IPTABLES -X -t nat

#IP for forwarded HTTP-traffic
HTTPIP="192.168.7.1/27"
DMZ_HTTPIP="192.168.2.1/27"

#IP's for DMZ to VOIP
DMZ_LAN="192.168.2.0/27"
DMZ_IFACE="eth2"
DMZ_IP="192.168.2.1"
#DMZ_PC_IP="192.168.2.2"
#DMZ_VOIP_PHONE="192.168.2.30"
DMZ_VOIP_SERVER="192.168.2.2"
#DMZ_SSH_SERVER="192.168.2.16"

#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)
$IPTABLES -N CHECKBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG

#Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)

#SMB-Traffic
$IPTABLES -N SMB
$IPTABLES -A SMB -p tcp --dport 137 -j DROP
$IPTABLES -A SMB -p tcp --dport 138 -j DROP
$IPTABLES -A SMB -p tcp --dport 139 -j DROP
$IPTABLES -A SMB -p tcp --dport 445 -j DROP
$IPTABLES -A SMB -p udp --dport 137 -j DROP
$IPTABLES -A SMB -p udp --dport 138 -j DROP
$IPTABLES -A SMB -p udp --dport 139 -j DROP
$IPTABLES -A SMB -p udp --dport 445 -j DROP
$IPTABLES -A SMB -p tcp --sport 137 -j DROP
$IPTABLES -A SMB -p tcp --sport 138 -j DROP
$IPTABLES -A SMB -p tcp --sport 139 -j DROP
$IPTABLES -A SMB -p tcp --sport 445 -j DROP
$IPTABLES -A SMB -p udp --sport 137 -j DROP
$IPTABLES -A SMB -p udp --sport 138 -j DROP
$IPTABLES -A SMB -p udp --sport 139 -j DROP
$IPTABLES -A SMB -p udp --sport 445 -j DROP

#Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP

#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP

##Accept all other ICMP going out
$IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT

#----End User-Chains-----#
echo " --- "
#----Start Ruleset-----#
echo "Implementing firewall rules..."

#################
## INPUT-Chain ##  (everything that is addressed to the firewall itself)
#################

##GENERAL Filtering

# Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A INPUT -m state --state INVALID -j LINVALID

# Check TCP-Packets for Bad Flags
$IPTABLES -A INPUT -p tcp -j CHECKBADFLAG

##Packets FROM FIREWALL-BOX ITSELF

#Local IF
$IPTABLES -A INPUT -i lo -j ACCEPT
#
#Kill connections to the local interface from the outside world (--> Should be already caught by kernel/rp_filter)
#(whole 127.0.0.0/8 loopback net, not just the single address 127.0.0.0)
$IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT
$IPTABLES -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP

##Packets FROM INTERNAL NET

##Allow unlimited traffic from internal network using legit addresses to firewall-box
##If protection from the internal interface is needed, alter it

################################################# SSH #####################################################################
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d 192.168.2.21 --dport 22 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $DMZ_IFACE -d $DMZ_SSH_SERVER --dport 513 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -j SMB

##Allow replies coming in
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT

# $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp -s 192.168.7.0/27 -m multiport --dports 25,110 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 5050:5065 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 10000:20000 -m state --state NEW -j ACCEPT

################################################## VOIP ASTERISK WEB Interface ##############################################################################
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 80 -m state --state NEW -j ACCEPT
Your best bet is to have a LOG rule before any DROPs or REJECTs. That way you can see what type of packets are getting filtered when the problem occurs. With that info we can then proceed to diagnose the problem more efficiently.
Forgive me if I have missed it, but I see no provision in your FORWARD chain for passing back the reply packet that an external VNC server will send on an initial connection setup (TCP SYN,ACK). I see how you can get the original packet out, and (if it were ever established) how traffic would flow on an ESTABLISHED connection. VNC uses TCP port 5901 by default, and you need a rule allowing the SYNACK packet back in from the Internet onto your local net.
The rule appears there:
Quote:
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
I haven't checked if a rule above it is making it futile, though.
First of all, thanks for the reply. I believe that I have created logging rules that track certain events, but it is not sufficient. What would be the next step? Thanks
Contrary to what win32sux has posted, you do not have a rule that allows the TCP connection to complete, as far as I can see. The rule cited
Quote:
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
only comes into play after the firewall has seen traffic in both directions on a connection. The missing piece should probably look something like this:
Yeah, I just had another quick look at your script, and you do seem to be logging pretty much every filter event. But why isn't that enough? Not sure what you mean by that. You just basically have to monitor the log file the moment the problem occurs. You should be able to tell by the tag which chain filtered the packet. In any case, you can approach this from another direction if you want: start re-building your FORWARD chain from scratch. If you do it step by step, you'll eventually hit the snag which is causing the problem.
BTW, I'm assuming the following stripped-down FORWARD chain doesn't trigger the problem, right?
Code:
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW -j ACCEPT
Because if it does, then something isn't right somewhere else.
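The stripped-down FORWARD chain and the "rebuild it one rule at a time" method from the reply above, written out as a small test script. This is an added example, not the poster's firewall script or anything from the thread: it assumes eth0 is the Internet side, eth1 the LAN, 192.168.7.5 the workstation you test from, and it creates the LDROP/LINVALID/LREJECT labels itself as log-then-drop chains with a rate limit (the original script references those chains but does not show how they are built). Run it with IPTABLES=echo to preview the rules without touching the kernel; with `apply` as the argument it installs them for real (root required).

```shell
#!/bin/sh
# Added example (not from the thread): minimal FORWARD chain plus log-then-drop
# chains for troubleshooting a forwarded VNC session.
# Assumed layout: eth0 = Internet, eth1 = LAN, 192.168.7.5 = test workstation.
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
TESTHOST="${TESTHOST:-192.168.7.5}"

# mk_log_chain NAME TARGET PREFIX: a user chain that logs first, then jumps
# to TARGET. The prefix is what you grep for in /var/log/messages; iptables
# silently truncates prefixes longer than 29 characters. The limit match
# keeps a port scan from flooding syslog.
mk_log_chain() {
    $IPTABLES -N "$1" 2>/dev/null || $IPTABLES -F "$1"
    $IPTABLES -A "$1" -m limit --limit 6/min --limit-burst 12 \
        -j LOG --log-level info --log-prefix "$3: "
    $IPTABLES -A "$1" -j "$2"
}

# Step 0: the smallest FORWARD chain that should already let a LAN host
# reach an outside VNC server. Connection tracking classifies the server's
# SYN/ACK as ESTABLISHED, so no separate "reply" rule is required.
# (Newer iptables prefers "-m conntrack --ctstate"; "-m state" still works.)
forward_baseline() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state INVALID -j LINVALID
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -m state --state NEW -j ACCEPT
    # Packets that hit the chain policy leave no trace; log them instead.
    $IPTABLES -A FORWARD -j LDROP
}

# Step 1: while testing, let only the test workstation through, and log the
# rejects so the other hosts' traffic is easy to tell apart in the log.
forward_isolate_test_host() {
    $IPTABLES -I FORWARD 1 -i "$INTIF" ! -s "$TESTHOST" -j LREJECT
}

# Step 2 and on: re-add one rule from the full script at a time with this,
# retesting VNC after each one, e.g.
#   forward_add_rule -i eth0 -j SMB
forward_add_rule() {
    $IPTABLES -A FORWARD "$@"
}

build_rules() {
    mk_log_chain LINVALID DROP   LINVALID
    mk_log_chain LDROP    DROP   LDROP
    mk_log_chain LREJECT  REJECT LREJECT
    forward_baseline
    forward_isolate_test_host
}

case "${1-}" in
    apply) build_rules ;;
esac
```

If VNC still shows a blank screen with only this chain installed, the FORWARD chain is not the culprit and the search moves to NAT, the INPUT/OUTPUT chains on the firewall, or the client itself; if it works, add the original rules back with forward_add_rule until it breaks, and the last rule added is the one to inspect.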
Quote:
Originally Posted by dkm999
Contrary to what win32sux has posted, you do not have a rule that allows the TCP connection to complete, as far as I can see. The rule cited only comes into play after the firewall has seen traffic in both directions on a connection. The missing piece should probably look something like this:
The ESTABLISHED state covers the SYN/ACK. If this wasn't the case, he wouldn't even have been able to get the password prompt. I also wouldn't have been able to post this message right now.
In my log files, where would it show that packets are being dropped in regards to vncviewer when connecting to my client? I guess I would look for the external IP of the address that I am connecting to and look for a dropped-packets statement, or can I create a rule that will log stuff that is being dropped outbound?
You'd just need to look for any of the labels you are using in your LOG rules.
I'd recommend temporarily blocking (if possible) access to the WAN from all LAN computers except the one you are running the test from. It's not necessary, but it would make it much easier to visually spot the relevant packets. Just execute something like this, where $IP is the private IP of the computer you are trying to connect *from*:
Code:
iptables -I FORWARD -i $INTIF -s ! $IP -j REJECT
BTW, did you execute the commands in my previous post? Like I said, if your VNC thing didn't work with that configuration then I'd say it's pointless to continue troubleshooting the FORWARD chain.
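The question of where the drops show up in the log, and the advice to search for the labels used in the LOG rules and the remote IP, as an added example that is not part of the thread. It assumes the LOG rules carry a prefix of the form "LABEL: " (LDROP, LINVALID, and so on); the poster's script references those chains but the LOG rules themselves are not shown, so that convention is an assumption. The log lines are constructed for the example, with 203.0.113.10 standing in for the outside VNC server and 192.168.7.5 for the LAN workstation.

```shell
#!/bin/sh
# Added example (not from the thread): pull the kernel LOG lines for one VNC
# session out of /var/log/messages and group them by the chain label that
# fired, direction, interfaces and TCP flags.

# Constructed sample of syslog lines as the iptables LOG target writes them;
# hosts, timestamps and packet IDs are made up.
sample_log() {
cat <<'EOF'
Mar  3 10:01:02 fw kernel: LDROP: IN=eth1 OUT=eth0 SRC=192.168.7.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1001 DF PROTO=TCP SPT=40001 DPT=5901 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:02 fw kernel: LDROP: IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.168.7.5 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=2001 DF PROTO=TCP SPT=5901 DPT=40001 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Mar  3 10:01:03 fw kernel: LDROP: IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.168.7.5 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=2002 DF PROTO=TCP SPT=5901 DPT=40001 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Mar  3 10:01:05 fw kernel: LINVALID: IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.168.7.5 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=2003 DF PROTO=TCP SPT=5901 DPT=40001 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Mar  3 10:01:07 fw kernel: LDROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=3001 PROTO=TCP SPT=33333 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:09 fw kernel: LDROP: IN=eth1 OUT=eth0 SRC=192.168.7.9 DST=203.0.113.10 LEN=78 TOS=0x00 PREC=0x00 TTL=63 ID=4001 PROTO=UDP SPT=5353 DPT=5353 LEN=58
EOF
}

# vnc_drops REMOTE_IP PORT: reads log lines on stdin, keeps those where
# REMOTE_IP is SRC or DST and PORT is SPT or DPT, and prints one sorted line
# per distinct "<count> <label> <direction> <in>-><out> <tcp flags>".
# "out" means the packet was heading to the remote host, "in" coming back.
vnc_drops() {
    awk -v ip="$1" -v port="$2" '
    {
        label = ""; in_if = ""; out_if = ""; src = ""; dst = ""
        spt = ""; dpt = ""; flags = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/) {
                in_if = substr($i, 4)
                # the --log-prefix is the token just before IN=, minus its colon
                if (i > 1) { label = $(i - 1); sub(/:$/, "", label) }
                # a LOG rule without --log-prefix leaves "kernel" in that slot
                if (label == "kernel") label = "(no-prefix)"
            }
            else if ($i ~ /^OUT=/) out_if = substr($i, 5)
            else if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/) {
                if (flags == "") flags = $i
                else flags = flags "," $i
            }
        }
        if (label == "") next
        if (src != ip && dst != ip) next
        if (spt != port && dpt != port) next
        dir = (dst == ip) ? "out" : "in"
        key = label " " dir " " in_if "->" out_if " " flags
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort
}

# Usage on a live box, with 203.0.113.10 as the VNC server you connect to:
#   vnc_drops 203.0.113.10 5901 < /var/log/messages
# or, to see this example's constructed lines summarised:
#   sample_log | vnc_drops 203.0.113.10 5901
```

On the sample above the summary shows one outbound SYN eaten by LDROP and the server's ACK,PSH replies being dropped on the way back in by both LDROP and LINVALID; that is exactly the pattern to look for when the password prompt works but the screen stays blank, since the handshake got through and only later data packets are being filtered. The "(no-prefix)" label is there because a LOG rule written without --log-prefix is easy to overlook in a large script and produces lines with nothing to grep for.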