Old 01-16-2006, 03:26 PM   #1
billgist90018
LQ Newbie
 
Registered: Jan 2006
Location: Los Angeles, CA
Distribution: Red Hat Enterprise Linux 5
Posts: 2

Rep: Reputation: 0
iptables rules conflict with downloading LinuxShield virus defs


I'm running Red Hat Linux ES v4
I'm running McAfee LinuxShield 1.2.0 SP1

Currently as a workaround, I use the following script
iptables --flush INPUT
/opt/NAI/LinuxShield/bin/nails task --run 1
/etc/init.d/iptables restart active


This disables my INPUT iptables rules long enough to download the virus defs, and then it puts the rules back in place.

I can live with this workaround if I have to. But I thought I'd ask for assistance in case you all have a better solution.

At the end I've pasted in the script I use to generate my iptables rules, and below that I've pasted in the output of the iptables -L command.

If I leave out the command that flushes the input rules I get the following error message in the LinuxShield UI:
/pub/antivirus/datfiles/4.x/update.ini: fetch failed

failed to fetch ./update.ini,
no virus definition file updates available,
no virus scanning engine updates available


I posted a problem report with McAfee and the tech there told me to use "active ftp", and that does cause the update request to go out on port 20, which I have opened up in the iptables rules. With that rule in place I can leave my OUTPUT iptables rules in place. Unfortunately the data comes back on a randomly chosen port in the range 1025 through 65535. According to the tech at McAfee, "the rule to accept any traffic on an ESTABLISHED connection is not functioning properly", and he suggested I post a question here.

Thanks for your help.

Here's the script that I use to generate the iptables rules

#reset and save as the inactive state
iptables --flush
/etc/init.d/iptables save inactive

#inbound rules - implemented
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m tcp --dport 55443 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m tcp --dport 65443 -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -m icmp -j ACCEPT
iptables -A INPUT -i eth1 -j DROP

#Forwarding Rule
iptables -A FORWARD -o eth1 -j DROP

#outbound rules
iptables --flush OUTPUT
iptables -A OUTPUT -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -m tcp --dport 20 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -m tcp --dport 42 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -m tcp --dport 137 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -m tcp --dport 138 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -m tcp --dport 139 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -m tcp --dport 65443 -j ACCEPT
iptables -A OUTPUT -o eth1 -p icmp -m icmp -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -m tcp -j DROP

#command to save ruleset so it activates on reboot
/etc/init.d/iptables save active


And here's the output of the iptables -L command.

[root@msia-ww2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:55443
ACCEPT tcp -- anywhere anywhere tcp dpt:65443
ACCEPT icmp -- anywhere anywhere icmp any
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:nameserver
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ns
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp dpt:65443
ACCEPT icmp -- anywhere anywhere icmp any
DROP tcp -- anywhere anywhere tcp
 
Old 01-16-2006, 08:11 PM   #2
billgist90018
LQ Newbie
 
Registered: Jan 2006
Location: Los Angeles, CA
Distribution: Red Hat Enterprise Linux 5
Posts: 2

Original Poster
Rep: Reputation: 0
Red Hat tech support supplied this answer that worked

The problem that you face with an active FTP connection is that the data connection is initiated by the FTP server.

For active FTP connections, the FTP server initiates the data connection from port 20. So it means that the firewall should have a mechanism to track an active FTP session and allow transfers accordingly.

Edit the file /etc/sysconfig/iptables-config and add the line
IPTABLES_MODULES="ip_conntrack_ftp"
Then restart iptables.
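As an added illustration (not from the original thread, McAfee or Red Hat), here is a small Python model of why the ESTABLISHED,RELATED rule in the poster's INPUT chain misses the active-FTP data connection until the ip_conntrack_ftp helper is loaded: the helper reads the PORT command on the control channel and registers an expectation, so the server's connect-back from port 20 is classified RELATED instead of NEW. The tracker is a toy, not the kernel's code, and the addresses, ports and PORT line are constructed.

```python
import re

# INPUT chain from the original post: tracked traffic, a few service ports, then DROP.
INPUT_CHAIN = [
    ("state", {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    ("dport", {22, 80, 3306, 443, 55443, 65443}, "ACCEPT"),
    ("any", None, "DROP"),
]

class ConnTracker:
    """Stand-in for ip_conntrack: known flows plus helper-registered expectations."""
    def __init__(self, ftp_helper=False):
        self.ftp_helper = ftp_helper   # models ip_conntrack_ftp being loaded
        self.flows = set()             # (src_ip, src_port, dst_ip, dst_port)
        self.expected = set()          # flows a helper told the tracker to expect

    def outbound(self, src_ip, src_port, dst_ip, dst_port, payload=b""):
        """Track an outbound flow; with the helper, parse PORT on the control channel."""
        self.flows.add((src_ip, src_port, dst_ip, dst_port))
        if self.ftp_helper and dst_port == 21:
            m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", payload)
            if m:
                n = [int(x) for x in m.groups()]
                client_ip, client_port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
                # The server will open the data connection from port 20 to this address.
                self.expected.add((dst_ip, 20, client_ip, client_port))

    def state(self, src_ip, src_port, dst_ip, dst_port):
        """Classify an inbound packet the way the state match would."""
        if (dst_ip, dst_port, src_ip, src_port) in self.flows:
            return "ESTABLISHED"   # reply to a flow this host opened
        if (src_ip, src_port, dst_ip, dst_port) in self.expected:
            return "RELATED"       # matches a helper expectation
        return "NEW"

def input_verdict(tracker, src_ip, src_port, dst_ip, dst_port):
    """Walk INPUT_CHAIN for one inbound packet; the first matching rule wins."""
    st = tracker.state(src_ip, src_port, dst_ip, dst_port)
    for kind, match, target in INPUT_CHAIN:
        if kind == "any" or (kind == "state" and st in match) \
                or (kind == "dport" and dst_port in match):
            return target
    return "ACCEPT"  # chain policy; unreachable here because of the final DROP

def active_ftp_data_verdict(ftp_helper):
    """Constructed scenario: open the control channel, send PORT for an
    ephemeral port, then see what happens to the server's connect-back from :20."""
    t = ConnTracker(ftp_helper)
    t.outbound("192.0.2.10", 40001, "198.51.100.5", 21,
               b"PORT 192,0,2,10,160,100\r\n")   # 160*256 + 100 = port 41060
    return input_verdict(t, "198.51.100.5", 20, "192.0.2.10", 41060)
```

Without the helper the inbound SYN from the server's port 20 is NEW, falls through the port list and hits the final DROP, which is exactly the "fetch failed" symptom; with it, the same packet is RELATED and accepted by the first rule.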