LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Desktop (https://www.linuxquestions.org/questions/linux-desktop-74/)
-   -   gnome problem with iptables rules (https://www.linuxquestions.org/questions/linux-desktop-74/gnome-problem-with-iptables-rules-705045/)

haxpak 02-16-2009 08:06 AM
gnome problem with iptables rules
 
hello
i have system with 2 nic's
i have setup iptables with following rules

Code:
#!/bin/sh

IPTABLES=/sbin/iptables
#MODPROBE=/sbin/modprobe
INT_NET=10.168.1.0/24

### flush existing rules and set chain policy setting to DROP

echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

###### INPUT chain ######

echo "[+] Setting up INPUT chain..."

### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -i eth0 -p tcp -s ! $INT_NET --syn -m state --state NEW -j LOG --log-prefix "INTRUSION"
$IPTABLES -A INPUT -i eth0 -p tcp -s ! $INT_NET --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules

$IPTABLES -A INPUT -i eth1 -s ! $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A INPUT -i eth1 -s ! $INT_NET -j DROP

### ACCEPT rules

$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 8080 -j ACCEPT # 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 4444 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

### default INPUT LOG rule
$IPTABLES -A INPUT -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### OUTPUT chain ######
echo "[+] Setting up OUTPUT chain..."
### state tracking rules

$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out

$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### default OUTPUT LOG rule

$IPTABLES -A OUTPUT -o ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
then i said on shell:
Code:
>service iptables save
>chkconfig iptables on
upon restarting my system i found service "rpc.statd" failing

also gnome takes a lot of time to start
and shows the following error

There was an error starting the GNOME Settings Daemon.

Some things, such as themes, sounds, or background settings may not work correctly.

The last error message was:

Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

GNOME will still try to restart the Settings Daemon next time you log in.
[/QUOTE]

please help me with this

thanks in advance

dkm999 02-16-2009 08:33 PM
I applaud your attempts to restrict your system to the fewest number of Internet ports possible. In your case, I think you may have gone too far. On my systems, rpc.statd sits listening on port 789 (ymmv). Given the logging statement that you have put in your output chain, you should have some messages in your logfile indicating that some packets were dropped.

In addition, I think you do not need to restrict either INPUT or OUTPUT on net 127.0.0.1 (the loopback address). Quite a few systems use this address to talk amongst themselves on your server, and you are filtering on this interface as well as eth0 and eth1, as I read the script.

The first rule in my INPUT and OUTPUT chains is
Code:
... -i lo -j ACCEPT
HTH

haxpak 02-25-2009 09:02 AM
thanks

but
i added
Code:
$IPTABLES -A INPUT -i lo -j ACCEPT

$IPTABLES -A OUTPUT -i lo -j ACCEPT
it gave error that
Quote:
iptables v1.4.1.1: Can't use -i with OUTPUT
so i had to remove
$IPTABLES -A OUTPUT -i lo -j ACCEPT

but the problem persists

dkm999 02-25-2009 09:26 PM
My error. According to the manpage, for the OUTPUT chain, the parameter should be
Code:
...-o lo -j ACCEPT


All times are GMT -5. The time now is 01:01 PM.