Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hallo, messenger work, but my 2 browsers cannot browse.
I can ping web sites, but I cannot browse them.
Eth1 is my ISP
Eth2 is my windows client
Here is my Iptables
Code:
INPUT ACCEPT [179:50132]
:FORWARD ACCEPT [37:1805]
:OUTPUT ACCEPT [217:24615]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Jul 28 20:23:21 2007
# Generated by iptables-save v1.3.8 on Sat Jul 28 20:23:21 2007
*nat
:PREROUTING ACCEPT [10:521]
:POSTROUTING ACCEPT [12:576]
:OUTPUT ACCEPT [12:719]
-A PREROUTING -i eth2 -p tcp -m tcp --dport 6662 -j DNAT --to-destination 192.168.100.20
-A PREROUTING -i eth2 -p tcp -m tcp --dport 48741 -j DNAT --to-destination 192.168.100.20
-A PREROUTING -i eth2 -p udp -m udp --dport 48741 -j DNAT --to-destination 192.168.100.20
-A PREROUTING -i eth2 -p udp -m udp --dport 6672 -j DNAT --to-destination 192.168.100.20
-A PREROUTING -i eth2 -p udp -m udp --dport 3830 -j DNAT --to-destination 192.168.100.20
-A PREROUTING -i eth2 -p tcp -m tcp --dport 3830 -j DNAT --to-destination 192.168.100.20
# I added this rule to try... but I remember that In my old firewall rules I didn't have this rule and it was working fine.
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.20
-A PREROUTING -i eth2 -p tcp -m tcp --dport 1445 -j DNAT --to-destination 192.168.100.20:443
-A PREROUTING -i eth2 -p tcp -m tcp --dport 1446 -j DNAT --to-destination 192.168.100.20:80
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
This is the traffic when my windows client tries to surf... I can see traffic one way... it seems to be that the firewall is blocking it.
The ports 4252,4 ... always change... when I restarted the 2 computers, the ports on the first side where about 2100. I don't remember precisiously.
Code:
P 192.168.100.20.4252 > 217.146.182.26.80: tcp 0
IP 192.168.100.20.4252 > 192.168.100.20.80: tcp 0
IP 192.168.100.20.4252 > 217.146.182.26.80: tcp 0
IP 192.168.100.20.4252 > 192.168.100.20.80: tcp 0
IP 192.168.100.20.4254 > 62.73.178.61.80: tcp 0
IP 192.168.100.20.4254 > 192.168.100.20.80: tcp 0
IP 192.168.100.20.4254 > 62.73.178.61.80: tcp 0
IP 192.168.100.20.4254 > 192.168.100.20.80: tcp 0
IP 192.168.100.20.4252 > 217.146.182.26.80: tcp 0
IP 192.168.100.20.4252 > 192.168.100.20.80: tcp 0
IP 192.168.100.20.4254 > 62.73.178.61.80: tcp 0
IP 192.168.100.20.4254 > 192.168.100.20.80: tcp 0
and this is the traffic of a messenger running
Code:
IP 217.17.41.85.8074 > 192.168.100.20.4134: tcp 75
IP 192.168.100.20.4134 > 217.17.41.85.8074: tcp 0
IP 217.17.41.85.8074 > 192.168.100.20.4134: tcp 26
IP 192.168.100.20.4134 > 217.17.41.85.8074: tcp 8
IP 217.17.41.85.8074 > 192.168.100.20.4134: tcp 0
IP 217.17.41.85.8074 > 192.168.100.20.4134: tcp 26
IP 192.168.100.20.4134 > 217.17.41.85.8074: tcp 0
this is my route table
Code:
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.100.0 * 255.255.255.0 U 0 0 0 eth2
62.121.112.0 * 255.255.252.0 U 0 0 0 eth1
loopback * 255.0.0.0 U 0 0 0 lo
default my publib IP 0.0.0.0 UG 0 0 0 eth1
for now I just want everything to work fine... then I will add rules to make it secure...please help me to find where I wrong... There is no drop... so I don't know why I cannot browse...
So outgoing web traffic from the windows client is DNATed (the destination address is changed) to 192.168.100.20. Is that what you want to do? So for a web connection to yahoo, the packet would leave the windows client with yahoo.com as the destination address, the packet would come in eth2, and then get rewritten so that it is now addressed to 192.168.100.20, the packet is then sent to 192.168.100.20 !?!
# Port Forwarding is enabled, so accept forwarded traffic
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 6662 \
--destination 192.168.100.20 -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_IFACE --destination-port 6672 \
--destination 192.168.100.20 -j ACCEPT
but without result....
Code:
# Local Settings
#
# sysctl location. If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled.
SYSCTL="/sbin/sysctl -w"
# To echo the value directly to the /proc file instead
# SYSCTL=""
# IPTables Location - adjust if needed
IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"
# Internet Interface
INET_IFACE="eth1"
INET_ADDRESS="mypublicIP"
# Local Interface Information
LOCAL_IFACE="eth2"
LOCAL_IP="192.168.100.1"
LOCAL_NET="192.168.100.0/24"
LOCAL_BCAST="192.168.100.255"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
# Local Settings
#
# sysctl location. If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled.
SYSCTL="/sbin/sysctl -w"
# To echo the value directly to the /proc file instead
# SYSCTL=""
# IPTables Location - adjust if needed
IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"
# Internet Interface
INET_IFACE="eth1"
INET_ADDRESS="mypublicIP"
# Local Interface Information
LOCAL_IFACE="eth2"
LOCAL_IP="192.168.100.1"
LOCAL_NET="192.168.100.0/24"
LOCAL_BCAST="192.168.100.255"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
# Required to enable IPv4 forwarding.
# Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true
# Alternatively, it can be set in /etc/sysctl.conf
if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/ip_forward
else
$SYSCTL net.ipv4.ip_forward="0"
fi
# This enables SYN flood protection.
# The SYN cookies activation allows your system to accept an unlimited
# number of TCP connections while still trying to give reasonable
# service during a denial of service attack.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
$SYSCTL net.ipv4.tcp_syncookies="1"
fi
# This enables source validation by reversed path according to RFC1812.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
$SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
# This kernel parameter instructs the kernel to ignore all ICMP
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
# This option can be used to accept or refuse source routed
if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
$SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
# However, we'll ensure the secure_redirects option is on instead.
# This option accepts only from gateways in the default gateways list.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
$SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
# This option logs packets from impossible addresses.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
$SYSCTL net.ipv4.conf.all.log_martians="1"
fi
echo "Flushing Tables ..."
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
echo "Firewall completely flushed! Now running with no firewall."
exit 0
fi
# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# Create a chain to filter INVALID packets
$IPT -N bad_packets
# Create another chain to filter bad tcp packets
$IPT -N bad_tcp_packets
# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.
$IPT -N icmp_packets
# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound
# Used to block outbound UDP services from internal network
# Default to allow all
$IPT -N udp_outbound
# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound
# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound
# Drop packets received on the external interface
# claiming a source of the local network
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG \
--log-prefix "fp=bad_packets:2 a=DROP "
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-prefix "fp=bad_packets:1 a=DROP "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets
# All good, so return
$IPT -A bad_packets -p ALL -j RETURN
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "fp=bad_tcp_packets:1 a=DROP "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
--log-prefix "fp=bad_tcp_packets:2 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
--log-prefix "fp=bad_tcp_packets:3 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
--log-prefix "fp=bad_tcp_packets:4 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
--log-prefix "fp=bad_tcp_packets:5 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
--log-prefix "fp=bad_tcp_packets:6 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
--log-prefix "fp=bad_tcp_packets:7 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN
# icmp_packets chain
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
--log-prefix "fp=icmp_packets:1 a=DROP "
$IPT -A icmp_packets --fragment -p ICMP -j DROP
# By default, however, drop pings without logging. Blaster
# and other worms have infected systems blasting pings.
# Comment the line below if you want pings logged, but it
# will likely fill your logs.
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
# Ident requests (Port 113) must have a REJECT rule rather than the
# default DROP rule. This is the minimum requirement to avoid
# long delays while connecting. Also see the tcp_inbound rule.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j REJECT
# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN
# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
# Ident requests (Port 113) must have a REJECT rule rather than the
# default DROP rule. This is the minimum requirement to avoid
# long delays while connecting. Also see the tcp_inbound rule.
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT
# Web Server
# HTTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# HTTPS (Secure Web Server)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT
# FTP Server (Control)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT
# FTP Client (Data Port for non-PASV transfers)
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
# Email Server (SMTP)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT
# Email Server (POP3)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT
# Email Server (IMAP4)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT
# SSL Email Server (POP3)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 995 -j ACCEPT
# SSL Email Server (IMAP4)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 993 -j ACCEPT
# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# ICQ File Transfers & Other Advanced Features
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 5000:5100 -j ACCEPT
# MSN Messenger File Transfers
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 6891:6900 -j ACCEPT
# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN
# tcp_outbound chain
# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
###############################################################################
#
# INPUT Chain
#
###############################################################################
# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets
# Drop them without logging.
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to accept the packets.
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
# Allow DHCP client request packets inbound from internal network
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 \
-j ACCEPT
# Inbound Internet Packet Rules
# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
###############################################################################
#
# FORWARD Chain
#
# Used if forwarding for a private network
# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets
# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
# Deal with responses from the internet
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
###############################################################################
#
# OUTPUT Chain
#
# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
# To internal network
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
###############################################################################
#
# POSTROUTING chain
#
$IPT -t nat -A POSTROUTING -o $INET_IFACE \
-j SNAT --to-source $INET_ADDRESS
$IPT -t nat -A POSTROUTING -o $LOCAL_IFACE \
-j SNAT --to-source $INET_ADDRESS
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/ip_forward
else
$SYSCTL net.ipv4.ip_forward="1"
fi
In my old firewall I just had:
Code:
-A PREROUTING -i eth2 -p tcp -m tcp --dport 6662 -j DNAT --to-destination 192.168.100.20 -A PREROUTING -i eth2 -p udp -m udp --dport 6672 -j DNAT --to-destination 192.168.100.20
and it was working.....
I'm not sure how, because based on what you've told us so far it shouldn't work. Maybe the interfaces were different or maybe you had another rule that was accepting that traffic.
This rule looks like it should work, but it looks like you've got it commented out? So remove the '#' signs.
This looks like the same problem as I pointed out earlier where the wrong interface is being used. Switch it to $INET_IFACE (You want incoming traffic from the internet to be forwarded to 192.168.100.20, not stuff coming *from* the LOCAL_IFACE)
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
