LinuxQuestions.org

Linux - Networking: iptables madness with moblock on Slackware box (https://www.linuxquestions.org/questions/linux-networking-3/iptables-madness-with-moblock-on-slackware-box-695608/)

NoWone 01-07-2009 11:57 AM

iptables madness with moblock on Slackware box
 
Hello. I'm kind of new to Linux firewalling, and I'm trying to set up iptables on my Slackware box. I recently learned about moblock and I decided to give it a try. I compiled the code and it worked quite well. Maybe too well, since it's now blocking my entire LAN traffic. In the ipfilter.dat file I'm using, one of the ranges covers my LAN (192.168.0.0):
Code:

192.167.224.000 - 192.168.255.255 , 000 , Consiglio
Now, I don't know what the best way to fix the problem is. I've been browsing the Internet and I read that the best way is to set iptables to allow all traffic (generated by the LAN && directed to the LAN). My question is: being an iptables illiterate, how can I achieve the result?

The script I'm using is MoBlock-nfq.sh, which is the following:
Code:

#!/bin/sh
#
# MoBlock.sh - MoBlock start script
# ---------------------------------
# Invoked as MoBlock-<mode>.sh; the <mode> suffix (ipq or nfq) selects the
# kernel queue interface that moblock receives packets on.

ACTIVATE_CHAINS=1
# Space-separated destination ports that skip the block list, per chain.
WHITE_TCP_IN=""
WHITE_UDP_IN=""
WHITE_TCP_OUT=""
WHITE_UDP_OUT=""
WHITE_TCP_FORWARD=""
WHITE_UDP_FORWARD=""


PIDF=/var/run/moblock.pid

FNAME=`basename "$0" .sh`
MODE=`echo "$FNAME" | awk -F- '{print $2}'`

# Refuse to start twice: a pid file pointing at a live process means exit.
if [ -f "$PIDF" ]; then
        PID=`cat "$PIDF"`
        if [ `ps -p "$PID" | wc -l` -gt 1 ]; then
                echo "$0: $PIDF exists and process seems to be running. Exiting."
                exit 1
        fi
fi

# "=" rather than "==": the script runs under /bin/sh, not bash.
if [ "$MODE" = "ipq" ]; then
        modprobe ip_queue
        TARGET="QUEUE"
elif [ "$MODE" = "nfq" ]; then
        modprobe ipt_NFQUEUE
        TARGET="NFQUEUE"
else
        # Without this check TARGET stays empty and every "-j $TARGET" fails.
        echo "$0: unknown mode '$MODE' (expected ipq or nfq). Exiting."
        exit 1
fi

modprobe ipt_state

# Filter all traffic, edit for your needs

iptables -N MOBLOCK_IN
iptables -N MOBLOCK_OUT
iptables -N MOBLOCK_FW

# Only NEW connections are handed to moblock. -I inserts at the top of a
# chain, so any rule inserted into INPUT/OUTPUT/FORWARD after this point
# is evaluated before these jumps.
if [ "$ACTIVATE_CHAINS" -eq 1 ]; then
        iptables -I INPUT -p all -m state --state NEW -j MOBLOCK_IN
        iptables -I OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
        iptables -I FORWARD -p all -m state --state NEW -j MOBLOCK_FW
fi


# Everything reaching the chains is queued; the whitelist rules inserted
# further down land ahead of this catch-all.
iptables -I MOBLOCK_IN -p all -j "$TARGET"
#iptables -I MOBLOCK_IN -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -I MOBLOCK_OUT -p all -j "$TARGET"
#iptables -I MOBLOCK_OUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -I MOBLOCK_FW -p all -j "$TARGET"
#iptables -I MOBLOCK_FW -m state --state ESTABLISHED,RELATED -j ACCEPT

for PORT in $WHITE_TCP_OUT; do
        iptables -I MOBLOCK_OUT -p tcp --dport "$PORT" -j ACCEPT
done
for PORT in $WHITE_UDP_OUT; do
        iptables -I MOBLOCK_OUT -p udp --dport "$PORT" -j ACCEPT
done

for PORT in $WHITE_TCP_IN; do
        iptables -I MOBLOCK_IN -p tcp --dport "$PORT" -j ACCEPT
done
for PORT in $WHITE_UDP_IN; do
        iptables -I MOBLOCK_IN -p udp --dport "$PORT" -j ACCEPT
done

for PORT in $WHITE_TCP_FORWARD; do
        iptables -I MOBLOCK_FW -p tcp --dport "$PORT" -j ACCEPT
done
for PORT in $WHITE_UDP_FORWARD; do
        iptables -I MOBLOCK_FW -p udp --dport "$PORT" -j ACCEPT
done


# Loopback traffic fix

iptables -I INPUT -p all -i lo -j ACCEPT
iptables -I OUTPUT -p all -o lo -j ACCEPT

# Here you can change block list and log files.
# moblock runs in the foreground; the cleanup below runs once it exits.
/usr/bin/moblock -d /etc/moblock/ipfilter.dat /var/log/moblock.log

# On exit delete the rules we added

if [ "$ACTIVATE_CHAINS" -eq 1 ]; then
        iptables -D INPUT -p all -m state --state NEW -j MOBLOCK_IN
        iptables -D OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
        iptables -D FORWARD -p all -m state --state NEW -j MOBLOCK_FW
fi

iptables -D INPUT -p all -i lo -j ACCEPT
iptables -D OUTPUT -p all -o lo -j ACCEPT

iptables -F MOBLOCK_IN
iptables -X MOBLOCK_IN
iptables -F MOBLOCK_OUT
iptables -X MOBLOCK_OUT
iptables -F MOBLOCK_FW
iptables -X MOBLOCK_FW

if [ -f "$PIDF" ]; then
        rm "$PIDF"
fi

My guess was to add a rule just under the "loopback traffic fix". Something like:
Code:

# INPUT has no egress interface, so the interface match there must be -i, not -o
iptables -I INPUT -p all -i eth0 -s 192.168.0.0/24 -j ACCEPT
iptables -I OUTPUT -p all -o eth0 -d 192.168.0.0/24 -j ACCEPT

Am I heading the right way? Can anyone please tell me how to get the thing working? Thank you in advance!
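Added example (not code from this thread or from MoBlock): a small Python audit script for the situation described above. It parses the `start - end , level , name` layout of the quoted ipfilter.dat line (the field order is assumed from that one line), reports every entry that covers a given LAN prefix, writes the list back with the LAN carved out of those ranges so the rest of each range stays blocked, and emits the iptables bypass rules as the alternative fix. The constructed sample list, the `eth0` interface name and the skipping of `#` lines are my assumptions.

```python
"""Audit a PeerGuardian-style ipfilter.dat for entries that swallow the LAN.

Added example for this thread; not part of the original post or of MoBlock.
Assumed: lines look like the one quoted in the post, "start - end , level , name"
(field order taken from that single line); blank lines and lines starting
with "#" are skipped (my own convention).
"""
import ipaddress
import re
import sys
from typing import List, NamedTuple

# Constructed sample list: the real line from the thread plus two made-up
# neighbours, so both the overlapping and the non-overlapping paths run.
SAMPLE_DAT = """\
# constructed sample, not a real block list
010.000.000.000 - 010.255.255.255 , 000 , made-up entry A
192.167.224.000 - 192.168.255.255 , 000 , Consiglio
203.000.113.000 - 203.000.113.255 , 000 , made-up entry B
"""

LINE_RE = re.compile(r"^\s*([\d.]+)\s*-\s*([\d.]+)\s*,\s*(\d+)\s*,\s*(.*?)\s*$")


class Entry(NamedTuple):
    start: int   # first address as an integer
    end: int     # last address, inclusive
    level: int
    name: str


def parse_ip(text: str) -> int:
    """Accept zero-padded octets such as 192.167.224.000 (newer Python
    ipaddress versions reject them as ambiguous); return the address as int."""
    octets = text.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IPv4 address: {text!r}")
    return int(ipaddress.IPv4Address(".".join(str(int(o)) for o in octets)))


def parse_dat(text: str) -> List[Entry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparsable: {line!r}")
        start, end = parse_ip(m.group(1)), parse_ip(m.group(2))
        if end < start:
            raise ValueError(f"line {lineno}: range end precedes start")
        entries.append(Entry(start, end, int(m.group(3)), m.group(4)))
    return entries


def _bounds(lan: str):
    net = ipaddress.ip_network(lan, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def overlapping(entries: List[Entry], lan: str) -> List[Entry]:
    """Entries whose range intersects the LAN prefix, e.g. '192.168.0.0/24'."""
    lo, hi = _bounds(lan)
    return [e for e in entries if e.start <= hi and e.end >= lo]


def carve_out(entries: List[Entry], lan: str) -> List[Entry]:
    """Copy of the list with the LAN cut out of every range that covers it;
    whatever lies below or above the LAN stays blocked."""
    lo, hi = _bounds(lan)
    out = []
    for e in entries:
        if e.start > hi or e.end < lo:
            out.append(e)                                        # no overlap
            continue
        if e.start < lo:
            out.append(Entry(e.start, lo - 1, e.level, e.name))  # below LAN
        if e.end > hi:
            out.append(Entry(hi + 1, e.end, e.level, e.name))    # above LAN
    return out


def fmt_ip(n: int) -> str:
    return ".".join(f"{o:03d}" for o in ipaddress.IPv4Address(n).packed)


def format_dat(entries: List[Entry]) -> str:
    return "".join(f"{fmt_ip(e.start)} - {fmt_ip(e.end)} , {e.level:03d} , {e.name}\n"
                   for e in entries)


def bypass_rules(iface: str, lan: str) -> List[str]:
    """The iptables-side fix: accept LAN traffic ahead of the MOBLOCK_* jumps.
    INPUT matches the ingress interface (-i), OUTPUT the egress one (-o)."""
    return [f"iptables -I INPUT -i {iface} -s {lan} -j ACCEPT",
            f"iptables -I OUTPUT -o {iface} -d {lan} -j ACCEPT"]


if __name__ == "__main__":
    # usage: audit_dat.py [ipfilter.dat] [lan-prefix]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DAT
    lan = sys.argv[2] if len(sys.argv) > 2 else "192.168.0.0/24"
    entries = parse_dat(text)
    for e in overlapping(entries, lan):
        print(f"covers {lan}: {fmt_ip(e.start)} - {fmt_ip(e.end)} ({e.name})")
    print("\n".join(bypass_rules("eth0", lan)))
    print(format_dat(carve_out(entries, lan)), end="")
```

Run against the real list with `python3 audit_dat.py /etc/moblock/ipfilter.dat 192.168.0.0/24` and redirect the output to a new file if the carved-out list is the fix you prefer; the "Consiglio" range in the sample becomes two entries, 192.167.224.0 - 192.167.255.255 and 192.168.1.0 - 192.168.255.255, and nothing covers the LAN any more. Carving the list only helps the LAN side, so the bypass rules are still the safer choice if the box also forwards traffic.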

salasi 01-16-2009 04:20 PM

I really don't know anything about moblock, but I'll try to give you my thoughts, for what they are worth.
  • Do you really need moblock? Can you define what you are trying to do that you cannot ordinarily achieve with iptables?
  • What kernel/moblock version are you using?
    Quote:

    From version 0.6 it uses by default the new kernel interface netlink_queue through ipt_NFQUEUE kernel module that was added in kernel 2.6.14 that deprecated the old ip_queue/libipq interface.

NoWone 01-17-2009 03:40 AM

Quote:

Originally Posted by salasi (Post 3411380)
  • Do you really need moblock? Can you define what you are trying to do that you cannot ordinarily achieve with iptables?

I just think moblock's a good idea. Producing iptables rules from PeerGuardian files enables you to p2p a little more safely without the world watching. I'd like to use my server machine as a download server also.
Quote:

Originally Posted by salasi (Post 3411380)
  • What kernel/moblock version are you using?

Kernel 2.6.26.5 and MoBlock 0.8/nfq.

Thank you for your post!


All times are GMT -5.