Guarddog iptables and DHCP conflict (web-browsing impossible)
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Guarddog iptables and DHCP conflict (web-browsing impossible)
Hello Community!
As my first post on linuxquestions, I'd like to start off with a problem that has been annoying the living crap outta me for the past couple of weeks. Just recently did I set up my iptables using Guarddog, and here's the problem: upon a fresh boot, I can't seem to browse the web or fetch pop3 mail. These services simply get stuck on "Connecting...". I know the connection to my ISP has been resolved with DHCP, and ping works just fine. It's probably the case that only icmp packets are allowed through the iptables filters.
But here's the weird part: when I run Guarddog again (click "Apply"), it applies the rules again and everything is fine once again. So I have to run Guarddog as root every single time I boot my comp to be connected to the net in any useful way, which as you can imagine, is bloody aggravating.
Here's hoping someone has a clue whats wrong.
nomind
My iptables rules:
Code:
# Generated by iptables-save v1.3.2 on Fri Sep 2 23:18:48 2005
*nat
:PREROUTING ACCEPT [20595:1358422]
:POSTROUTING ACCEPT [29881:1453660]
:OUTPUT ACCEPT [11805:731516]
COMMIT
# Completed on Fri Sep 2 23:18:48 2005
# Generated by iptables-save v1.3.2 on Fri Sep 2 23:18:48 2005
*mangle
:PREROUTING ACCEPT [606995:817058192]
:INPUT ACCEPT [606683:816962566]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [606448:31079040]
:POSTROUTING ACCEPT [606367:31078448]
COMMIT
# Completed on Fri Sep 2 23:18:48 2005
# Generated by iptables-save v1.3.2 on Fri Sep 2 23:18:48 2005
*filter
:INPUT DROP [2:96]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:f0to1 - [0:0]
:f1to0 - [0:0]
:logaborted - [0:0]
:logaborted2 - [0:0]
:logdrop - [0:0]
:logdrop2 - [0:0]
:logreject - [0:0]
:logreject2 - [0:0]
:nicfilt - [0:0]
:s0 - [0:0]
:s1 - [0:0]
:srcfilt - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -s (my ipaddr) -d 69.192.9.255 -i eth0 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m tcp --tcp-flags RST RST -j logaborted
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -j nicfilt
-A INPUT -j srcfilt
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A FORWARD -j srcfilt
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A OUTPUT -j s1
-A f0to1 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A f0to1 -p udp -m udp --dport 6970:7170 -j ACCEPT
-A f0to1 -p tcp -m tcp --dport 1411:1415 -m state --state NEW -j ACCEPT
-A f0to1 -p udp -m udp --dport 1411:1415 -j ACCEPT
-A f0to1 -p tcp -m tcp --sport 1024:65535 --dport 6881:6889 -m state --state NEW -j ACCEPT
-A f0to1 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j logreject
-A f0to1 -p udp -m udp --sport 1024:65535 --dport 2300:2400 -j logreject
-A f0to1 -p tcp -m tcp --sport 1024:65535 --dport 41000:41999 -m state --state NEW -j logreject
-A f0to1 -p udp -m udp --sport 1024:65535 --dport 41170 -j logreject
-A f0to1 -j logdrop
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 873 -m state --state NEW -j ACCEPT
-A f1to0 -p udp -m udp --sport 1024:5999 --dport 37 -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 37 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 21 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 3306 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 16001 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 2628 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 1863 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 995 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 6969 -m state --state NEW -j ACCEPT
-A f1to0 -p udp -m udp --dport 123 -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 123 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 5222 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 5223 -m state --state NEW -j ACCEPT
-A f1to0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 143 -m state --state NEW -j ACCEPT
-A f1to0 -p udp -m udp --dport 143 -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 993 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 2401 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A f1to0 -p udp -m udp --dport 53 -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 888 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 443 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --dport 554 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --dport 7070 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 411:415 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 1411:1415 -m state --state NEW -j ACCEPT
-A f1to0 -p udp -m udp --sport 1024:5999 --dport 411:415 -j ACCEPT
-A f1to0 -p udp -m udp --sport 1024:5999 --dport 1411:1415 -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1411:1415 -m state --state NEW -j ACCEPT
-A f1to0 -p udp -m udp --sport 1411:1415 -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 6000:6063 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 110 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --dport 6346 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --dport 1755 -m state --state NEW -j ACCEPT
-A f1to0 -p udp -m udp --dport 1755 -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 25 -m state --state NEW -j ACCEPT
-A f1to0 -p udp -m udp --dport 177 -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 19150 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 6881:6889 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 119 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 80 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 8080 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 8008 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 8000 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 8888 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 3632 -m state --state NEW -j ACCEPT
-A f1to0 -p tcp -m tcp --dport 111 -m state --state NEW -j ACCEPT
-A f1to0 -p udp -m udp --dport 111 -j ACCEPT
-A f1to0 -p tcp -m tcp --dport 1024:65535 -m state --state NEW -j ACCEPT
-A f1to0 -p udp -m udp --dport 1024:65535 -j ACCEPT
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 11999 -m state --state NEW -j logreject
-A f1to0 -p udp -m udp --dport 4000 -j logreject
-A f1to0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j logreject
-A f1to0 -p tcp -m tcp --dport 13223 -m state --state NEW -j logreject
-A f1to0 -p udp -m udp --dport 13223 -j logreject
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 47624 -m state --state NEW -j logreject
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 2300:2400 -m state --state NEW -j logreject
-A f1to0 -p udp -m udp --sport 1024:65535 --dport 2300:2400 -j logreject
-A f1to0 -p udp -m udp --dport 27910 -j logreject
-A f1to0 -p udp -m udp --dport 26000 -j logreject
-A f1to0 -p udp -m udp --dport 27500 -j logreject
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 3000 -m state --state NEW -j logreject
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 8500 -m state --state NEW -j logreject
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 80 -m state --state NEW -j logreject
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 41000:41999 -m state --state NEW -j logreject
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 7000 -m state --state NEW -j logreject
-A f1to0 -p udp -m udp --sport 1024:5999 --dport 1024:65535 -j logreject
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 7002 -m state --state NEW -j logreject
-A f1to0 -p udp -m udp --sport 1024:65535 --dport 27010 -j logreject
-A f1to0 -p udp -m udp --sport 1024:65535 --dport 27005:27050 -j logreject
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 79 -m state --state NEW -j logreject
-A f1to0 -p udp -m udp --dport 79 -j logreject
-A f1to0 -p tcp -m tcp --dport 6112 -m state --state NEW -j logreject
-A f1to0 -p tcp -m tcp --dport 4000 -m state --state NEW -j logreject
-A f1to0 -p udp -m udp --sport 1024:65535 --dport 41170 -j logreject
-A f1to0 -p tcp -m tcp --dport 389 -m state --state NEW -j logreject
-A f1to0 -p tcp -m tcp --dport 522 -m state --state NEW -j logreject
-A f1to0 -p tcp -m tcp --dport 1503 -m state --state NEW -j logreject
-A f1to0 -p tcp -m tcp --dport 1720 -m state --state NEW -j logreject
-A f1to0 -p tcp -m tcp --dport 1731 -m state --state NEW -j logreject
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 1024:65535 -m state --state NEW -j logreject
-A f1to0 -p udp -m udp --sport 1024:5999 --dport 1024:65535 -j logreject
-A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 5190:5193 -m state --state NEW -j logreject
-A f1to0 -p udp -m udp --sport 1024:5999 --dport 5190:5193 -j logreject
-A f1to0 -j logdrop
-A logaborted -m limit --limit 1/sec --limit-burst 10 -j logaborted2
-A logaborted -m limit --limit 2/min --limit-burst 1 -j LOG --log-prefix "LIMITED "
-A logaborted2 -j LOG --log-prefix "ABORTED " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaborted2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A logdrop -m limit --limit 1/sec --limit-burst 10 -j logdrop2
-A logdrop -m limit --limit 2/min --limit-burst 1 -j LOG --log-prefix "LIMITED "
-A logdrop -j DROP
-A logdrop2 -j LOG --log-prefix "DROPPED " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop2 -j DROP
-A logreject -m limit --limit 1/sec --limit-burst 10 -j logreject2
-A logreject -m limit --limit 2/min --limit-burst 1 -j LOG --log-prefix "LIMITED "
-A logreject -p tcp -j REJECT --reject-with tcp-reset
-A logreject -p udp -j REJECT --reject-with icmp-port-unreachable
-A logreject -j DROP
-A logreject2 -j LOG --log-prefix "REJECTED " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logreject2 -p tcp -j REJECT --reject-with tcp-reset
-A logreject2 -p udp -j REJECT --reject-with icmp-port-unreachable
-A logreject2 -j DROP
-A nicfilt -i eth0 -j RETURN
-A nicfilt -i eth0 -j RETURN
-A nicfilt -i lo -j RETURN
-A nicfilt -j logdrop
-A s0 -d (my ipaddr) -j f0to1
-A s0 -d 69.192.9.255 -j f0to1
-A s0 -d 127.0.0.1 -j f0to1
-A s0 -j logdrop
-A s1 -j f1to0
-A srcfilt -j s0
COMMIT
# Completed on Fri Sep 2 23:18:48 2005
PS: Although iptables-save after a fresh boot produces output similar to that displayed above, the rules are in a different order. Could this be a cause for concern?
First of all someone correctly if I'm wrong anywhere. I some experience with Firewalls but I prefer to have all my ports closed except the ones I need.
That is rather long swiss cheese iptables conf file as you have. Apparently you your packages being nated but there are no rules in the file for that. This conf file appears to be for routing packet just like a gateway but just with one interface. Also you have the traffic opened for ICMP, BOOTP,TFTP and some more.
So if what ou want is to have your machine in a standalone mode i.e. your machine will not server as a gateway, have a look at this conf file from my machine, it changes the default policy of all default rules to DROP except output rule.
Then it opens port 25 and 80 for my mail and web servers, it also opens loop back and eth0 as this last is my internal interface. Iptables also check for new and established connections to drop or allow them to pass.
This conf file was generated with System-config-securitylevel from FC2 and then edited to add some more details.
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Fragments#################################
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -f --tcp-flags FIN,RST,URG,PSH FIN,RST,URG,PSH --state NEW,INVALID -j DROP
#########################################
-A RH-Firewall-1-INPUT -m state -m tos --state NEW,INVALID --tos Maximize-Throughput -j DROP
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j DROP
COMMIT
*mangle
:FORWARD DROP [0:0]
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:Fedora_2 - [0:0]
:POSTROUTING ACCEPT [0:0]
# Fedora_2
-A INPUT -j Fedora_2
# Fedora_2
-A FORWARD -j Fedora_2
# Non Fragments
-A Fedora_2 -m state ! -f --state ESTABLISHED,RELATED -j ACCEPT
# Fragments
-A Fedora_2 -f -j DROP
COMMIT
# Completed
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
Remember this COMPLITELY OPENS ETH0 AND DOES NOT ALLOW YOU TO USE YOUR MACHINE AS GATEWAY, THIS ONLY SERVES FOR A STAND ALONE MACHINE ACCESS THE INTERNET.
Thanks for the reply jdogpc!
Yeah, I did consider remaking my rules by hand instead of relying on a GUI like Guarddog, because I think the extra chains in my table (like s0, logdrop and whatnot) are in some way responsible for the problem. You're right, for simple web-browsing and e-mail, your simple rules work perfectly. But the reason why I've opened up so many ports is because I want to allow things like Bittorrent, pop3, ftp, and other stuff that I use pretty often.
Most of the time, my machine doesn't act as a server. And I'm only connected through eth0. So I'll try to remove the rules for function as a gateway and see if that fixes it.
Sorry for the delay.
the rules I sent you allow you to make whatever connections you want from your machine to the internet and get back the answer. However you can add the following lines:
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 113 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 21 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 20 --state NEW -j ACCEPT
Above '-A RH-Firewall-1-INPUT -j DROP'
These rules are for pop3 port 113 and ftp ports 20 and 21.
For your bittorrent I don't know what port or ports it uses, but just follow the above thinkline.
I can't possibly thank you enough for the rules, jdogpc!
However, are you sure it's safe to have the policy of the OUTPUT chain default to ACCEPT? I mean, this is a really good way to leak important personal information, no?
SORRY FOR MY LAST POST I SAID PORT 113 AS POP3 INSTEAD OF PORT 110 POP3
For the time being I still believe that linux is safer than MS, in my case i'm not to worried about the info on my box and beside that I have not found any unwanted info going out of my box.
in your case you can still add some more rules to iptables to block traffic you don't want to go out.
:OUTPUT DROP [0:0]
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m state -m tcp --sport 1024:65535 --dport 80 --state NEW -j ACCEPT
-A OUTPUT -p tcp -m state -m tcp --sport 1024:65535 --dport 443 --state NEW -j ACCEPT
-A OUTPUT -p tcp -m state -m tcp --sport 1024:65535 --dport 21 --state NEW -j ACCEPT
-A OUTPUT -p tcp -m state -m tcp --sport 1024:65535 --dport 20 --state NEW -j ACCEPT
-A OUTPUT -p tcp -m state -m tcp --sport 1024:65535 --dport 110 --state NEW -j ACCEPT
-A OUTPUT -p tcp -m state -m tcp --sport 1024:65535 --dport 143 --state NEW -j ACCEPT
-A OUTPUT -p tcp -m state -m tcp --sport 1024:65535 --dport 25 --state NEW -j ACCEPT
-A OUTPUT -p tcp -m state -m tcp --sport 1024:65535 --dport 53 --state NEW -j ACCEPT
No worries. I figured that pop3 is 110 (Wikipedia's list of ports and protocols really helps).
I had originally tried OUTPUT chain rules similar to the ones you have posted, and that completely killed off my browsing-ability. Seems like something else is needed, which is why I've set the default output policy to accept for now, but I'll be soon be modelling my output rules according to the ones of Guarddog (minus the extra unnecessary chains of course). I'm just paranoid about leaking passwords after my box was rooted a few weeks ago (I wasn't using a firewall back then).
Wow, taking the time to write out custom output rules that you don't use yourself AND providing appropriate descriptions: now that's quality help . You're too kind jdogpc.
Once again, thanks for all the help!
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
. You're too kind jdogpc.
