LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 05-10-2004, 10:19 AM   #16
jslmg
Member
 
Registered: Apr 2004
Distribution: Ubuntu 7.10
Posts: 31

Original Poster
Rep: Reputation: 15

OK, I have something new:

I finally got some useful hints from the SHOUTcast forums. One Linux user there recommended I run lokkit to configure my firewall. At first, this was unsuccessful, with error messages during reboot saying firewall removal had failed. But now, on the third try using that user's advice, the server is finally responding. SHOUTcast briefly "saw" my server. But now it has dropped out again.

I think that at the moment the LAN connection is slow because of too much traffic. This is normal for this time of day, and should clear up within an hour or two. I'll find out later whether I can still contact shoutcast.
 
Old 05-10-2004, 11:18 AM   #17
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Ugh, lokkit generates the worst firewall rules I've ever seen. The Red Hat folks should be beaten with sho... wait, this sounds familiar. Truthfully, lokkit does generate the worst firewall rules I've ever seen, but if it was briefly working, at least something is going right!

By the way, your earlier output from iptables -L indicated that everything was set to accept on the firewall (I guess you can't actually remove the module from the kernel), so the firewall shouldn't have been posing any issues. The netstat output shows that the sc server is listening on TCP port 8000, so that should be extremely straightforward. Really, nothing here looks tricky, it all looks very standard for a TCP service--it's just that it isn't working...

Could you locate the lokkit config file and post the contents, please? Chances are the knowledgeable folks here could make some drastic improvements to it.

By the way, you're welcome to provide my comments as feedback to the shoutcast folks, heck you can even link to my LQ profile, I don't care. It really irritates me that we see software developers continue to encourage dangerous cop-out "solutions" as a way to avoid having to provide useful documentation or troubleshooting tips. In this day and age, no one should be without a firewall unless they've completely hardened all their network applications and their TCP/IP stack by hand. Such people would know much better than the shoutcast folks how to diagnose networking problems, so their error is just ludicrous.

To answer your question about Linux hacking: Yes, it is fairly common. The security forum here at LQ gets around 1 report a week of a rooted box (mostly people who thought "Linux is safe, so I don't need a firewall") and all of a sudden those people get very interested in security and hardening. I suspect there are a lot more users (just like with Windows) who don't have the technical skill to even realize they've been compromised.

On a more interesting note, I work for an enterprise e-mail security company and as part of my job, I do forensics on spam to see where it's originating from and how it's sent. The amount of Linux boxen sending spam is staggering and the circumstances surrounding most instances indicates the boxen were compromised, rather than used intentionally.

Be advised that even a firewall won't prevent all possible attacks. Many Linux boxen are compromised by poorly designed web apps (frequently in PHP) that allow tampering with things outside their environment. When putting together a webserver, it's important to consider what the security implications are of each piece of software that you add to it, even if they don't seem dangerous. For instance one of the most popular exploits for a while was against a PHP photo gallery program.
 
Old 05-10-2004, 07:53 PM   #18
jslmg
Member
 
Registered: Apr 2004
Distribution: Ubuntu 7.10
Posts: 31

Original Poster
Rep: Reputation: 15
Yes, back to square one. The sc_serv once again can't get past the "firewall," whether it's actually the firewall or something else it "thinks" is the firewall.

Here's one more way I can tell something is blocking the server: listeners can connect, but they get booted out exactly after 62 seconds. This happens when I get the firewall message, but it also happened during that brief time when I didn't get the message.

By the way, if the server can contact shoutcast, it should say "yp.shoutcast.com added me successfully." Then after that, it should say "yp.shoutcast.com touched". The server can still broadcast and receive listeners successfully even if it can't "touch" shoutcast. That touch just means the server has been listed in the shoutcast database of stations. But if I'm getting the firewall message, I'm not touching shoutcast OR connecting successfully with listeners.

I will do those things you recommended in your last post, Chort. I'll find the lokkit config file and paste it here.

lokkit is the same program that configures the firewall during anaconda installation, isn't it? Those settings that I put in during installation never did anything--they seemed to have no effect on the firewall. I remember setting it to "no firewall," then on another installation setting it to "Medium", with customized port settings. None of that ever took hold in the system.
 
Old 05-10-2004, 10:30 PM   #19
jslmg
Member
 
Registered: Apr 2004
Distribution: Ubuntu 7.10
Posts: 31

Original Poster
Rep: Reputation: 15
Here's the output from nmap, which I ran last night just after finally getting that brief connection to shoutcast. This lists all open ports, but I don't see ports 8000 or 8001 listed--the two ports I'm trying to open for the server:

# nmap --vv localhost

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Initiating SYN Stealth Scan against localhost.localdomain (127.0.0.1)
Adding open port 6000/tcp
Adding open port 111/tcp
Adding open port 22/tcp
Adding open port 25/tcp
Adding open port 631/tcp
The SYN Stealth Scan took 2 seconds to scan 1601 ports.
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1596 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
111/tcp open sunrpc
631/tcp open ipp
6000/tcp open X11
 
Old 05-10-2004, 11:07 PM   #20
jslmg
Member
 
Registered: Apr 2004
Distribution: Ubuntu 7.10
Posts: 31

Original Poster
Rep: Reputation: 15
...And here's the lokkit config file, as suggested by Chort. I hope this helps. Please let me know if there's anything else I can provide. (looks like there are some errors here, huh?)

ERROR - You must be root to run lokkit.
ERROR - only one of 'high', 'medium', and 'disabled' may be specified.
/sbin/iptables -D INPUT -j RH-Lokkit-0-50-INPUT 2>/dev/null /sbin/iptables -D FORWARD -j RH-Lokkit-0-50-INPUT 2>/dev/null /sbin/iptables -F RH-Lokkit-0-50-INPUT 2>/dev/null /sbin/iptables -X RH-Lokkit-0-50-INPUT 2>/dev/null /etc/resolv.conf nameserver w #!/bin/sh
PATH=/sbin:$PATH
iptables /bin/sh %s COMMIT
--syn *filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
iptables -N RH-Lokkit-0-50-INPUT
iptables -F RH-Lokkit-0-50-INPUT
%s-A RH-Lokkit-0-50-INPUT -p %s -m %s --dport %d %s -j ACCEPT
%s-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
%s-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
%s-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
%s-A RH-Lokkit-0-50-INPUT -i %s -j ACCEPT
%s-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
%s-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
%s-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
%s-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
%s-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
%s-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
/sbin/modprobe iptables >/dev/null 2>&1 /sbin/service iptables start >/dev/null 2>&1 %s-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
%s-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
%s-A RH-Lokkit-0-50-INPUT -p udp -m udp -s %s --sport 53 -d 0/0 -j ACCEPT
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
/sbin/iptables -F RH-Lokkit-0-50-INPUT
 
Old 05-11-2004, 01:36 AM   #21
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Tsk, tsk. That is just awful. Someone in Red Hat's security department should be spanked.

Could someone please give this poor guy a working, stateful firewall configuration that doesn't have idiocies like only blocking certain port ranges and allowing anything with a source port of 53... I never did learn iptables (hated the syntax) or I would do it myself.

No NAT/masq needed, just a nice single interface firewall to deny all inbound (except ports 8000/tcp and 8001/tcp), and allow all outbound (tracking state). Come to think of it, better allow bootp and dhcp, too.
 
Old 05-11-2004, 02:56 AM   #22
jslmg
Member
 
Registered: Apr 2004
Distribution: Ubuntu 7.10
Posts: 31

Original Poster
Rep: Reputation: 15
Thank you, Chort! Let's see what people come up with! Sounds like this config is causing all the problems?

Could you also add ports 7995, 7996, 7998, and 7999 to that list? I may need them later for other relays. Or, perhaps just a little hint as to how I might add them, or any ports, when I need them.

Other ports I will probably need later include SSH and FTP, the latter to run a server.

Now... this config file says "Manual configuration is not recommended," but it sounds like changing this text file directly is the best way to get the firewall to do what I want. Is that right? And if I learn to do that, then I get to control my firewall! Right?

Last edited by jslmg; 05-11-2004 at 02:59 AM.
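A stateful single-interface iptables firewall of the kind chort asks for above (deny all inbound except the SHOUTcast ports, allow all outbound with state tracking, permit DHCP), extended with the relay ports and SSH that jslmg lists. This is an added example, not code from either poster or from lokkit; the interface name eth0, the `ipt` wrapper and the helper functions are assumptions, and with no argument the script only prints the rules it would load (IPT=echo), so it can be read before being run as root with `apply`.

```shell
#!/bin/sh
# Stateful single-interface iptables firewall for a SHOUTcast host.
# Added example (not from the thread): default-deny inbound, allow all
# outbound, let connection tracking admit replies, expose only listed ports.
set -eu

IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of loading them
WAN_IF="${WAN_IF:-eth0}"    # assumed name of the single public interface

ipt() { "$IPT" "$@"; }

# usage: firewall_apply TCP_PORT...   (each port accepts new inbound connections)
firewall_apply() {
    # Start clean and drop anything a later rule does not explicitly allow.
    ipt -F INPUT
    ipt -F FORWARD
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    # Replies to our own outbound connections (DNS answers, the check-in with
    # yp.shoutcast.com) match ESTABLISHED/RELATED. This replaces lokkit's blanket
    # "accept anything from source port 53", which any remote sender can forge.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # DHCP/bootp replies arrive on udp/68 before conntrack has any state for them.
    ipt -A INPUT -i "$WAN_IF" -p udp --sport 67 --dport 68 -j ACCEPT

    # New inbound TCP connections only to the listed ports (sc_serv, relays, ssh).
    # For an FTP server, also load the kernel's FTP conntrack helper module so
    # passive data connections are accepted as RELATED instead of opening ranges.
    for port in "$@"; do
        ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Reject (rather than silently drop) the rest so misdirected clients fail fast.
    ipt -A INPUT -i "$WAN_IF" -p tcp -j REJECT --reject-with tcp-reset
    ipt -A INPUT -i "$WAN_IF" -p udp -j REJECT --reject-with icmp-port-unreachable
}

# Dry run in a subshell: the same rule set, printed instead of loaded.
firewall_dry_run() { ( IPT=echo; firewall_apply "$@" ); }

# Number of per-port accept rules a given port list produces.
count_open_ports() { firewall_dry_run "$@" | grep -c -- '--state NEW'; }

# SHOUTcast 8000/8001, the relay ports asked about in the thread, and ssh.
SHOUTCAST_PORTS="8000 8001 7995 7996 7998 7999 22"

case "${1:-}" in
    apply) firewall_apply $SHOUTCAST_PORTS ;;   # needs root
    *)     firewall_dry_run $SHOUTCAST_PORTS ;; # default: just show the rules
esac
```

To expose another port later, add it to SHOUTCAST_PORTS; nothing else in the rule set changes.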
 
Old 06-06-2004, 09:26 AM   #23
fuubar2003
Member
 
Registered: May 2004
Location: Orlando, Florida
Distribution: SLES10/11, RH4/5 svrs, Fedora, Debian/Ubuntu/Mint; FreeBSD/OpenBSD
Posts: 63

Rep: Reputation: 26
Yo. I saw your posts all over the place, shoutcast forum, etc.
I had the same problems w/ipchains on RH AS 2.1 w/Shoutcast. I could grab a stream w/Ipchains stopped w/no problem. But once I started ipchains, boom, no stream. And there was no way I was going to start port forwarding my hardware firewall to my unprotected Linux box. I finally fixed it!

So here is my ipchains script. It allows inbound/outbound SSH and Shoutcast TCP traffic. It also forwards traffic. NOTE: I am quite sure these rules can be cleaned up further and tightened up. I may have some serious security issues as well. It is a work in progress. So be forewarned!

Hope this helps you.

#!/bin/bash
# Anti-spoofing
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

# Flush all rules
ipchains -F input
ipchains -F output
ipchains -F forward

#Deny anything not prevented by following rules except output

ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output ACCEPT

# Do not forward any ICMP and drop incoming ping
ipchains -A forward -p icmp -j DENY
ipchains -A input -j DENY -p icmp --icmp-type ping -i eth0 -s 0/0 -d 192.168.0.7

# Allow all inputs from loopback/internal
ipchains -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT

# Allow DHCP, DNS and SSH
ipchains -A output -i eth0 -p UDP -s 0.0.0.0 68 -d 0/0 67 -j ACCEPT
ipchains -A input -i eth0 -p UDP -s 0.0.0.0 67 -d 0/0 68 -j ACCEPT
ipchains -A input -s 200.150.110.250 53 -d 0/0 -p udp -j ACCEPT
ipchains -A input -s 203.151.0.7 53 -d 0/0 -p udp -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 22 -p tcp -j ACCEPT

# Allow inbound/outbound Shoutcast
ipchains -A output -i eth0 -p TCP -s 0/0 8000 -d 0/0 -j ACCEPT
ipchains -A output -i eth0 -p TCP -s 0/0 8010 -d 0/0 -j ACCEPT
ipchains -A output -i eth0 -p TCP -s 0/0 8020 -d 0/0 -j ACCEPT
ipchains -A output -i eth0 -p TCP -s 0/0 8030 -d 0/0 -j ACCEPT
ipchains -A input -i eth0 -p TCP -s 0/0 -d 0/0 8000 -j ACCEPT
ipchains -A input -i eth0 -p TCP -s 0/0 -d 0/0 8010 -j ACCEPT
ipchains -A input -i eth0 -p TCP -s 0/0 -d 0/0 8020 -j ACCEPT
ipchains -A input -i eth0 -p TCP -s 0/0 -d 0/0 8030 -j ACCEPT

#Speed up output of Shoutcast w/TOS arguments
ipchains -A output -p tcp -d 0.0.0.0/0 8000 -t 0x01 0x08
ipchains -A output -p tcp -d 0.0.0.0/0 8010 -t 0x01 0x08
ipchains -A output -p tcp -d 0.0.0.0/0 8020 -t 0x01 0x08
ipchains -A output -p tcp -d 0.0.0.0/0 8030 -t 0x01 0x08
 
Old 06-06-2004, 03:57 PM   #24
fuubar2003
Member
 
Registered: May 2004
Location: Orlando, Florida
Distribution: SLES10/11, RH4/5 svrs, Fedora, Debian/Ubuntu/Mint; FreeBSD/OpenBSD
Posts: 63

Rep: Reputation: 26
How to setup a multiple-stream SHOUTcast server on Red Hat Linux AS 2.1 w/ipchains configuration

The following was performed on a custom built (old) PIII 833MHz processor (overclocked to 945MHz) with 512Mb PC133
RAM w/Red Hat Adv Server 2.1 kernel ver. 2.4.9-e.38. I did not include any ‘yp’ configurations for advertising the server
on the SHOUTcast website. (Haven’t gotten there yet.) This is a work in progress.

Linux configuration:
- stop/disable any unnecessary processes/daemons such as telnet, sendmail, mouse
- do not run Xwindows, Gnome, KDE, etc. GUIs will only use up valuable resources
- patch everything up to date as the intention is to get this thing on the internet

1. Download latest Shoutcast server for Linux:
http://www.shoutcast.com/download/se...tml#scdownload

*As of 6/6/04:
http://www.shoutcast.com/downloads/s...-glibc6.tar.gz

2. Download latest SHOUTcast DSP Plug-In for Mac OS X, Linux and FreeBSD:
http://www.shoutcast.com/download/broadcast.phtml

*As of 6/6/04:
http://www.shoutcast.com/downloads/s..._posix_040.tgz

3. Install server:
a. cd /usr/local
b. mkdir shoutcast
c. copy or download the shoutcast-1-9-4-linux-glibc6.tar.gz to /usr/local/shoutcast
d. gunzip shoutcast-1-9-4-linux-glibc6.tar.gz
e. tar -xvf shoutcast-1-9-4-linux-glibc6.tar

4. Install the DSP plugin w/in /usr/local/shoutcast
a. Make directories for each stream you want to run. IE. if you are going to run
separate streams for different genres or artists....mkdir sc_trans_techno,
mkdir sc_trans_hiphop
b. gunzip sc_trans_posix_040.tgz (into each sc_trans* directory)
c. tar -xvf sc_trans_posix_040.tar (into each sc_trans* directory)

5. Add content
a. After install of server, you will have a "content" directory. Make new directories
in the content directory for each genre or artist. IE. mkdir techno, mkdir hiphop.
b. Move .mp3 files into the respective content directories.
c. Create a play list:
find /usr/local/shoutcast/content/techno -type f -name "*.mp3" > techno.lst

6. Configure Shoutcast server:
a. First, copy the sc_serv and sc_serv.conf files to each genre or artist directory
you created in step 5a.
b. Edit the sc_serv.conf files. Each .conf file in each directory created in Step 5a
will have different port numbers, but same IP address and password.

7. Configure Shoutcast DSP plugins:
a. Copy the sc_trans_linux, sc_trans.conf to each directory created in step 4a.
b. Move the playlist you created in step 5c to the appropriate sc_trans_<genre> folder
you created in step 4a. IE. mv techno.lst /usr/local/shoutcast/sc_trans_techno
c. Edit the sc_trans.conf file. You will need to specify the file list (techno.lst in
the last example), and specify bit rate (128k), and same password you used in step
6c, and servername or IP, and same port # used in the sc_serv.conf you edited in
step 6b.

8. Start your server from /usr/local/shoutcast/content/<genre or artist folder>
IE. ./sc_serv&

9. Start your DSP plugin from each /usr/local/shoutcast/sc_trans_<genre or artist folder>
you created in step 4a.
IE. ./sc_trans_linux&

-- You should now be able to connect using Winamp or from MusicMatch by either adding a
URL or clicking a hyperlink on a webpage:
IE. http://<ip_address>:<port# of the genre>/listen.pls
Example: http://192.168.0.7:8010/listen.pls
Example hyperlink on my webpage:
<a href="http://192.168.0.7:8020/listen.pls">Techno</a>

***If you are going to host this on the internet, configure a firewall. The following is
my ipchains configuration for the 3 streams I host, each on a separate port number
(8000, 8010, 8020, 8030). More port numbers would definitely be necessary the more
users that access the server.


The following ipchains configuration allows only DHCP, DNS, SSH and SHOUTcast ports in/out. Additionally, it uses TOS to give outbound SHOUTcast TCP traffic priority over other traffic... a definite benefit:

#!/bin/bash
# Anti-spoofing
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

# Flush all rules
ipchains -F input
ipchains -F output
ipchains -F forward

#Deny anything not prevented by following rules except output

ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output ACCEPT

# Do not forward any ICMP and drop incoming ping
ipchains -A forward -p icmp -j DENY
ipchains -A input -j DENY -p icmp --icmp-type ping -i eth0 -s 0/0 -d 192.168.0.7

# Allow all inputs from loopback/internal
ipchains -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT

# Allow DHCP, DNS and SSH
ipchains -A output -i eth0 -p UDP -s 0.0.0.0 68 -d 0/0 67 -j ACCEPT
ipchains -A input -i eth0 -p UDP -s 0.0.0.0 67 -d 0/0 68 -j ACCEPT
ipchains -A input -s 200.150.110.250 53 -d 0/0 -p udp -j ACCEPT
ipchains -A input -s 203.151.0.7 53 -d 0/0 -p udp -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 22 -p tcp -j ACCEPT

# Allow inbound Shoutcast
ipchains -A input -i eth0 -p TCP -s 0/0 -d 0/0 8000 -j ACCEPT
ipchains -A input -i eth0 -p TCP -s 0/0 -d 0/0 8010 -j ACCEPT
ipchains -A input -i eth0 -p TCP -s 0/0 -d 0/0 8020 -j ACCEPT
ipchains -A input -i eth0 -p TCP -s 0/0 -d 0/0 8030 -j ACCEPT

#Speed up output of Shoutcast w/TOS arguments
ipchains -A output -p tcp -d 0.0.0.0/0 8000 -t 0x01 0x08
ipchains -A output -p tcp -d 0.0.0.0/0 8010 -t 0x01 0x08
ipchains -A output -p tcp -d 0.0.0.0/0 8020 -t 0x01 0x08
ipchains -A output -p tcp -d 0.0.0.0/0 8030 -t 0x01 0x08
 
Old 06-06-2004, 07:27 PM   #25
fuubar2003
Member
 
Registered: May 2004
Location: Orlando, Florida
Distribution: SLES10/11, RH4/5 svrs, Fedora, Debian/Ubuntu/Mint; FreeBSD/OpenBSD
Posts: 63

Rep: Reputation: 26
Here is my iptables script. It works.

Cheers!

#!/bin/bash

# Anti-spoof
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

# Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#Flush
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

# Rules for incoming packets from local interface
iptables -A INPUT -i lo -j ACCEPT

#Rules for incoming packets from the internet
# Packets for established connections
iptables -A INPUT -p ALL -d 192.168.0.2 -m state --state ESTABLISHED,RELATED -j ACCEPT

# TOS
iptables -A OUTPUT -t mangle -p tcp --sport 8000 -j TOS --set-tos Maximize-Throughput

#Rules for TCP/UDP packets
iptables -A INPUT -p tcp -m tcp -s 0/0 -d 192.168.0.2 --dport 22 --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 0/0 -d 192.168.0.2 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 8000 --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 8000 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 200.150.110.25 --sport 53 -d 0/0 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 203.153.0.53 --sport 53 -d 0/0 -j ACCEPT
 