LinuxQuestions.org
Old 01-07-2009, 11:57 AM   #1
NoWone
LQ Newbie
 
Registered: Jan 2005
Location: Italy
Distribution: Slackware
Posts: 18
iptables madness with moblock on Slackware box


Hello. I'm kind of new to Linux firewalling, and I'm trying to set up iptables on my Slackware box. I recently learned about moblock and I decided to give it a try. I compiled the code and it worked quite well. Maybe too well, since it's now blocking my entire LAN traffic. In the ipfilter.dat file I'm using, one of the ranges covers my LAN (192.168.0.0)
Code:
192.167.224.000 - 192.168.255.255 , 000 , Consiglio
Now, I don't know what's the best way to fix the problem. I've been browsing the Internet and I read that the best way is to set iptables to allow all traffic (generated by the LAN && directed to the LAN). My question is: being an iptables illiterate, how can I achieve the result?

The script I'm using is MoBlock-nfq.sh which is the following:
Code:
#!/bin/sh
#
# MoBlock.sh - MoBlock start script
# ---------------------------------
# The queue interface (ipq or nfq) is taken from the script's own file name,
# e.g. MoBlock-nfq.sh selects nfq. Must run as root (iptables, modprobe).

ACTIVATE_CHAINS=1
# Space-separated port lists that bypass the block list, e.g. WHITE_TCP_IN="22 80"
WHITE_TCP_IN=""
WHITE_UDP_IN=""
WHITE_TCP_OUT=""
WHITE_UDP_OUT=""
WHITE_TCP_FORWARD=""
WHITE_UDP_FORWARD=""


PIDF=/var/run/moblock.pid

FNAME=`basename "$0" .sh`
MODE=`echo "$FNAME" | awk -F- '{print $2}'`

# Refuse to start a second instance while the recorded PID is still alive
if [ -f "$PIDF" ]; then
	PID=`cat "$PIDF"`
	if [ `ps -p "$PID" | wc -l` -gt 1 ]; then
		echo "$0: $PIDF exists and process seems to be running. Exiting."
		exit 1
	fi
fi

# Pick the userspace queue target. POSIX sh compares strings with '=', not '=='.
if [ "$MODE" = "ipq" ]; then
	modprobe ip_queue
	TARGET="QUEUE"
elif [ "$MODE" = "nfq" ]; then
	modprobe ipt_NFQUEUE
	TARGET="NFQUEUE"
else
	echo "$0: cannot determine mode from script name (use MoBlock-ipq.sh or MoBlock-nfq.sh)"
	exit 1
fi

modprobe ipt_state

# Filter all traffic, edit for your needs

iptables -N MOBLOCK_IN
iptables -N MOBLOCK_OUT
iptables -N MOBLOCK_FW

# Only the first packet of a connection (state NEW) is handed to moblock;
# later packets of an accepted connection are not queued.
if [ $ACTIVATE_CHAINS -eq 1 ]; then
	iptables -I INPUT -p all -m state --state NEW -j MOBLOCK_IN
	iptables -I OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
	iptables -I FORWARD -p all -m state --state NEW -j MOBLOCK_FW
fi


# Everything reaching a MOBLOCK_* chain is queued to moblock unless an
# ACCEPT rule inserted above this one matches first (-I adds at the top).
iptables -I MOBLOCK_IN -p all -j $TARGET
#iptables -I MOBLOCK_IN -m state --state ESTABLISHED,RELATED -j ACCEPT 

iptables -I MOBLOCK_OUT -p all -j $TARGET
#iptables -I MOBLOCK_OUT -m state --state ESTABLISHED,RELATED -j ACCEPT 

iptables -I MOBLOCK_FW -p all -j $TARGET
#iptables -I MOBLOCK_FW -m state --state ESTABLISHED,RELATED -j ACCEPT 

# Whitelisted ports go above the queue rule, so they are never queued
for PORT in $WHITE_TCP_OUT; do
	iptables -I MOBLOCK_OUT -p tcp --dport $PORT -j ACCEPT
done
for PORT in $WHITE_UDP_OUT; do
	iptables -I MOBLOCK_OUT -p udp --dport $PORT -j ACCEPT
done

for PORT in $WHITE_TCP_IN; do
	iptables -I MOBLOCK_IN -p tcp --dport $PORT -j ACCEPT
done
for PORT in $WHITE_UDP_IN; do
	iptables -I MOBLOCK_IN -p udp --dport $PORT -j ACCEPT
done

for PORT in $WHITE_TCP_FORWARD; do
	iptables -I MOBLOCK_FW -p tcp --dport $PORT -j ACCEPT
done
for PORT in $WHITE_UDP_FORWARD; do
	iptables -I MOBLOCK_FW -p udp --dport $PORT -j ACCEPT
done


# Loopback traffic fix: inserted at the head of INPUT/OUTPUT, above the
# MOBLOCK jumps, so local traffic never reaches the block list

iptables -I INPUT -p all -i lo -j ACCEPT
iptables -I OUTPUT -p all -o lo -j ACCEPT

# Here you can change block list and log files (-d: list is in ipfilter.dat format).
# moblock runs in the foreground, so the script waits here until it exits.
/usr/bin/moblock -d /etc/moblock/ipfilter.dat /var/log/moblock.log

# On exit delete the rules we added

if [ $ACTIVATE_CHAINS -eq 1 ]; then
	iptables -D INPUT -p all -m state --state NEW -j MOBLOCK_IN
	iptables -D OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
	iptables -D FORWARD -p all -m state --state NEW -j MOBLOCK_FW
fi

iptables -D INPUT -p all -i lo -j ACCEPT
iptables -D OUTPUT -p all -o lo -j ACCEPT

# Flushing and deleting the chains also removes anything inserted into them
iptables -F MOBLOCK_IN
iptables -X MOBLOCK_IN
iptables -F MOBLOCK_OUT
iptables -X MOBLOCK_OUT
iptables -F MOBLOCK_FW
iptables -X MOBLOCK_FW

if [ -f "$PIDF" ]; then
	rm "$PIDF"
fi
My guess was to add a rule just under the "loopback traffic fix". Something like:
Code:
# INPUT can only match the ingress interface (-i); iptables rejects -o here
iptables -I INPUT -p all -i eth0 -s 192.168.0.0/24 -j ACCEPT
# OUTPUT matches the egress interface (-o)
iptables -I OUTPUT -p all -o eth0 -d 192.168.0.0/24 -j ACCEPT
Am I heading the right way? Can anyone please tell me how to get the thing working? Thank you in advance!
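The two checks this question calls for, as an added example that is not part of the original post and not MoBlock's own code: parse the ipfilter.dat entries, report which of them cover a given LAN prefix, and produce the ACCEPT rules that let LAN traffic bypass the MOBLOCK_IN/MOBLOCK_OUT chains created by the script above. The sample block list is constructed (its first entry is the one quoted in the post); the 192.168.0.0/24 prefix and the eth0 interface are assumptions taken from the post.

```python
"""Check an ipfilter.dat block list against a LAN prefix and emit the iptables
rules that exempt that LAN from MoBlock.  Added example for this thread, not
MoBlock's own code.  Assumptions: the LAN is 192.168.0.0/24 on eth0 (from the
post), and the chains are the MOBLOCK_IN/MOBLOCK_OUT chains that the posted
MoBlock-nfq.sh creates.
"""
import ipaddress
import re

# ipfilter.dat entry: "start - end , level , description".  Octets may be
# zero-padded ("000"), which ipaddress rejects, so they are normalised below.
_ENTRY = re.compile(r"^\s*([\d.]+)\s*-\s*([\d.]+)\s*,\s*(\d+)\s*,\s*(.*?)\s*$")

# Constructed sample list; the first entry is the one quoted in the post.
SAMPLE_DAT = """\
# comment lines and blank lines are ignored
192.167.224.000 - 192.168.255.255 , 000 , Consiglio
010.000.000.000 - 010.255.255.255 , 000 , Example private range

203.000.113.000 - 203.000.113.255 , 000 , Example documentation range
"""


def _addr(text):
    """'192.167.224.000' -> IPv4Address('192.167.224.0')."""
    return ipaddress.IPv4Address(".".join(str(int(o)) for o in text.split(".")))


def parse_ipfilter(lines):
    """Return [(start, end, level, name)] per entry; reject malformed lines."""
    entries = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError("unparseable ipfilter.dat line: %r" % line)
        start, end = _addr(m.group(1)), _addr(m.group(2))
        if end < start:
            raise ValueError("range end precedes start: %r" % line)
        entries.append((start, end, int(m.group(3)), m.group(4)))
    return entries


def overlapping_entries(entries, prefix):
    """Entries whose [start, end] range shares at least one address with prefix."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    lo, hi = net.network_address, net.broadcast_address
    return [e for e in entries if e[0] <= hi and e[1] >= lo]


def whitelist_rules(prefix, iface, ipt="iptables"):
    """iptables commands that let LAN traffic bypass the moblock queue.

    They go into the MOBLOCK_IN/MOBLOCK_OUT chains rather than INPUT/OUTPUT,
    so the script's own teardown (-F / -X on those chains) removes them when
    moblock exits.  INPUT-side rules match the ingress interface with -i and
    OUTPUT-side rules the egress interface with -o (iptables rejects -o in
    INPUT).  Run them after the chains exist: between the loopback fix and
    the moblock call in the script.
    """
    net = ipaddress.IPv4Network(prefix, strict=False)
    return [
        "%s -I MOBLOCK_IN -i %s -s %s -j ACCEPT" % (ipt, iface, net),
        "%s -I MOBLOCK_OUT -o %s -d %s -j ACCEPT" % (ipt, iface, net),
    ]


if __name__ == "__main__":
    lan = "192.168.0.0/24"
    hits = overlapping_entries(parse_ipfilter(SAMPLE_DAT.splitlines()), lan)
    for start, end, level, name in hits:
        print("blocks %s: %s - %s (level %d, %s)" % (lan, start, end, level, name))
    print("\n".join(whitelist_rules(lan, "eth0")))
```

If the box also routes for the LAN, the same pair of rules is needed in MOBLOCK_FW, since the script sends NEW forwarded packets to the queue as well.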
 
Old 01-16-2009, 04:20 PM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

I really don't know anything about moblock, but I'll try to give you my thoughts, for what they are worth.
  • Do you really need moblock? Can you define what you are trying to do that you cannot ordinarily achieve with iptables?
  • What kernel/moblock version are you using?
    Quote:
    From version 0.6 it uses by default the new kernel interface netlink_queue through ipt_NFQUEUE kernel module that was added in kernel 2.6.14 that deprecated the old ip_queue/libipq interface.
 
Old 01-17-2009, 03:40 AM   #3
NoWone
LQ Newbie
 
Registered: Jan 2005
Location: Italy
Distribution: Slackware
Posts: 18

Original Poster
Quote:
Originally Posted by salasi View Post
  • Do you really need moblock? Can you define what you are trying to do that you cannot ordinarily achieve with iptables?
I just think moblock's a good idea. Producing iptables rules from peerguardian files enables you to p2p a little more safely without the world watching. I'd like to use my server machine as a download server also.
Quote:
Originally Posted by salasi View Post
  • What kernel/moblock version are you using?
    kernel 2.6.26.5 and Moblock 0.8/nfq
Thank you for your post!