Old 07-26-2007, 10:02 PM   #1
Abe_the_Man
Member
 
Registered: Jul 2003
Location: Oshawa, Ontario, Canada
Distribution: ?????
Posts: 324

Rep: Reputation: 30
Fedora 7 firewall won't save changes, goes back to defaults


I've just installed Fedora 7 and am having a few firewall related problems. I'm trying to get some torrents working as well as some other networking issues. As root I am able to make changes (disable, port forwarding etc.) to the firewall through SYSTEM > ADMINISTRATION > FIREWALL AND SELINUX. I confirm the changes with APPLY and OKAY. As soon as I have completed these changes and open up SYSTEM > ADMINISTRATION > FIREWALL AND SELINUX again, the changes are all gone and the firewall has gone back to its default settings (enabled with none of my ports set up). I have tried rebooting as soon as I have made the changes (old Windows habits die hard) and have tried installing Firestarter and disabling the firewall through there. Still the issue persists.

At this point I just want to disable the firewall and get on with things. Please if someone can let me know how to disable this thing permanently please let me know.

Thanks

-Abe
 
Old 07-26-2007, 11:13 PM   #2
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
I wouldn't recommend turning off the firewall if you have an always-on internet connection (and people usually chew me out for turning off too much) but if you really want to... open system --> administration --> services and disable firestarter, iptables and ip6tables by unchecking the little boxes. If you stop the services first you won't have to reboot.

You could also do it from the command line with:
chkconfig firestarter off
chkconfig iptables off
chkconfig ip6tables off

Last edited by Crito; 07-26-2007 at 11:15 PM.
 
Old 07-27-2007, 02:45 AM   #3
Abe_the_Man
Member
 
Registered: Jul 2003
Location: Oshawa, Ontario, Canada
Distribution: ?????
Posts: 324

Original Poster
Rep: Reputation: 30
All of those services are now disabled (as is SELinux) but Azureus still thinks it is behind a firewall. Also, when I go through the GUI it still says the firewall is enabled. I am convinced the problem with Azureus has something to do with this. I do not have a router right now and torrents work when I boot into Windows.

Last edited by Abe_the_Man; 07-27-2007 at 10:18 AM.
 
Old 08-03-2007, 11:24 AM   #4
randytp
LQ Newbie
 
Registered: Aug 2007
Location: golden, colorado
Distribution: centos, fedora, ubuntu
Posts: 2

Rep: Reputation: 0
Having the same problem with bacula client

Hi,
I am having the same problem with a bacula client. It seems that the settings are not saved from system-config-securitylevel.
 
Old 08-03-2007, 11:29 AM   #5
randytp
LQ Newbie
 
Registered: Aug 2007
Location: golden, colorado
Distribution: centos, fedora, ubuntu
Posts: 2

Rep: Reputation: 0
having same problem with bacula client

If I stop the ip6tables and iptables services things work, so it sort of looks like something is wrong with the system-config-securitylevel GUI. I guess you have to make changes to the iptables services manually.
 
Old 08-09-2007, 09:24 PM   #6
djbolden
LQ Newbie
 
Registered: Feb 2004
Location: Western North Carolina
Distribution: Fedora 7
Posts: 4

Rep: Reputation: 0
I'm having the same problem and have arrived at the same solution for now. Anybody find a solution yet?

dj

Quote:
Originally Posted by randytp
If I stop the ip6tables and iptables services things work, so it sort of looks like something is wrong with the system-config-securitylevel GUI. I guess you have to make changes to the iptables services manually.
 
Old 08-09-2007, 11:09 PM   #7
TylerD75
Member
 
Registered: Aug 2004
Location: Norway
Distribution: Gentoo
Posts: 96

Rep: Reputation: 18
Are you connected directly to the internet? (Do you have an external ip?)
If yes, you should just open 6880 (or whatever the default listen-port is for torrents).

If no, you need to do port-forwarding in your router/firewall.
Forward port 6880 to the computer with Azureus. This works for me!

Btw. these days some ISPs block the default torrent port, so you could possibly change the default port in Azureus.
I use port 33001, which makes logging harder for my ISP.
( Go to Tools-->Options-->Connection, and change "Incoming TCP listen port", or just use iptables to open the current port.)

A simple iptables script that will work on a computer connected directly to the internet (i.e. a firewall with forwarding). This script also enables torrents on an internal computer. On the firewall/external computer you need to change the Incoming TCP listen port to 33001, and the internal computer will use the default port:
Code:
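#!/bin/bash
  cIP="/sbin/iptables" # Location of iptables
  EXTIF="ppp0"  # External interface
  LAN="eth0"    # Internal interface
  LAN0="192.168.0.0/24"  # Internal network (assumed from torrentPC's address; adjust to your LAN)

# This is another computer with Azureus installed:
  torrentPC="192.168.0.5"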

# Flush/Delete chains/Zero counters:
  $cIP -F
  $cIP -t nat -F
  $cIP -X
  $cIP -Z

# Set default policies:
  $cIP -P INPUT DROP
  $cIP -P OUTPUT ACCEPT
  $cIP -P FORWARD ACCEPT

# Allow already established, related connections, and allow NEW outgoing connections:
  $cIP -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $cIP -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  $cIP -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable MASQUERADING:
  $cIP -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Allow services to communicate with localhost:
  $cIP -A INPUT -i lo -j ACCEPT
  $cIP -A OUTPUT -o lo -j ACCEPT

# Local Open Ports, these ports will be accessible from the internet.
# I have allowed all access from the internal LAN, so internal ports does not need to be explicitly opened.
# The commented lines below can be opened if needed:

#  $cIP -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT    # Open HTTP server port
  $cIP -A INPUT -i $EXTIF -p tcp --dport 33001 -j ACCEPT # Azureus TCP Listen Port
  $cIP -A INPUT -i $EXTIF -p udp --dport 33001 -j ACCEPT # Azureus UDP Listen Port
#  Allow External SSH port (custom port, not the usual 22):
#  $cIP -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT

# Allow all LAN->Internet connections (not stopped by the earlier rules):
  $cIP -A INPUT -i $LAN -j ACCEPT
  $cIP -A OUTPUT -o $LAN -j ACCEPT
  $cIP -A FORWARD -i $LAN -s $LAN0 -j ACCEPT

# Forwarding:
# Forward port 6880 to internal torrent computer (I'll only do TCP):
  $cIP -t nat -A PREROUTING -i $EXTIF -p tcp --dport 6880 -j DNAT --to-destination $torrentPC
  $cIP -A FORWARD -p tcp -i $EXTIF -d $torrentPC --dport 6880 -j ACCEPT

# Enable logging of dropped packets:
  $cIP -A INPUT -j LOG --log-prefix "DROP_INPUT: "
  $cIP -A FORWARD -j LOG --log-prefix "DROP_FORWARD: "
  $cIP -A OUTPUT -j LOG --log-prefix "DROP_OUTPUT: "

# Turn on forwarding:
  echo 1 > /proc/sys/net/ipv4/ip_forward
As I said, the above script is for a basic firewall/gateway with 2 interfaces.
Copy the above into a text file, "chmod +x <textfile_name>" and execute it (./<textfile_name>)

If you only need a local firewall script (only one interface, with an external IP):
Code:
#!/bin/bash

cIP="/sbin/iptables" # Location of iptables

# Flush/delete/zero:
  $cIP -F
  $cIP -t nat -F
  $cIP -X
  $cIP -Z
  $cIP -P INPUT DROP
  $cIP -P OUTPUT ACCEPT

# Allow established incoming, and new outgoing connections:
  $cIP -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $cIP -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Services/programs needs access to loopback device
  $cIP -A INPUT -i lo -j ACCEPT
  $cIP -A OUTPUT -o lo -j ACCEPT

# Open ports 80 (if you have a webserver running), SSH and azureus port 6880:
  $cIP -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT   # SSH
  $cIP -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT   # HTTP
  $cIP -A INPUT -i eth0 -p tcp --dport 6880 -j ACCEPT # TORRENT

# Everything else will be blocked by the default INPUT policy...

# Some logging might be interesting:
  $cIP -A INPUT -j LOG --log-prefix "DROP_INPUT: "
  $cIP -A OUTPUT -j LOG --log-prefix "DROP_OUTPUT: "
The same procedure of copy/paste, chmod +x <filename>, ./<filename> goes here...

If any of these scripts fail, check my syntax; there might be a syntax error in there. You might also need certain modules compiled or loaded.
If the script fails on the "-j LOG", just try to comment it out (disable/delete it), or recompile your kernel with the correct modules.

The first script is not a bulletproof firewall, but it should be safe enough to get you started. Later it can be made stricter, but as long as you trust the LAN you should be fine.

The second script is ONLY useful if you are directly connected to the internet.
If not, you might need to open some more ports, or possibly allow access from your NFS server (portmap is a b**ch) etc... You will also have to forward port 6880 to the computer running this script.

Hope this can help some of you! I've had the same "Behind firewall" and NAT errors in Azureus, and the above scripts helped me (and even got me higher average download speeds).

Last edited by TylerD75; 08-10-2007 at 12:12 AM.
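
The thread's recurring question is whether the ruleset that is actually loaded matches what the GUI or a script was supposed to set. The following is an added example, not code from any poster: it reads `iptables-save` output and reports what the filter table's INPUT chain does with a new inbound connection to a given protocol, port and interface. The function names `verdict_for` and `sample_dump` are hypothetical, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `iptables-save` text on stdin and
# reports what the filter table does with a NEW inbound packet to PROTO/PORT
# arriving on IFACE. Handles single --dport values only; a matching jump to a
# user-defined chain is reported as UNKNOWN rather than followed.
verdict_for() {   # usage: iptables-save | verdict_for tcp 6880 eth0
    awk -v proto="$1" -v port="$2" -v iface="$3" '
    BEGIN { policy = "ACCEPT" }   # no filter table loaded: nothing is filtered
    /^\*/ { table = substr($0, 2); next }
    table != "filter" { next }
    $1 == ":INPUT" { policy = $2; next }
    $1 != "-A" || $2 != "INPUT" || decided { next }
    {
        p = ""; d = ""; i = ""; st = ""; target = ""
        for (n = 3; n < NF; n++) {
            if ($n == "-p") p = $(n + 1)
            if ($n == "--dport") d = $(n + 1)
            if ($n == "-i") i = $(n + 1)
            if ($n == "--state" || $n == "--ctstate") st = $(n + 1)
            if ($n == "-j") target = $(n + 1)
        }
        if (p != "" && p != proto) next
        if (d != "" && d != port) next
        if (i != "" && i != iface) next
        # ESTABLISHED,RELATED alone never admits a new connection
        if (st != "" && st !~ /(^|,)NEW(,|$)/) next
        if (target == "LOG") next            # logging is non-terminating
        if (target ~ /^(ACCEPT|DROP|REJECT)$/) verdict = target " rule"
        else verdict = "UNKNOWN jump to " target
        decided = 1
    }
    END { print (decided ? verdict : policy " policy") }'
}

# Constructed dump: roughly what the single-interface script leaves loaded.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 6880 -j ACCEPT
-A INPUT -j LOG --log-prefix "DROP_INPUT: "
COMMIT
EOF
}

sample_dump | verdict_for tcp 6880 eth0   # ACCEPT rule
sample_dump | verdict_for udp 6880 eth0   # DROP policy
```

An empty dump, which is what `iptables-save` prints when no tables are loaded, yields `ACCEPT policy`: with the services stopped every port is reachable, not just the torrent port.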
 
  

