LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Old 04-23-2006, 06:42 PM   #1
keithdj
LQ Newbie
 
Registered: Aug 2005
Location: New Zealand
Distribution: Fedora 4.0
Posts: 27

Rep: Reputation: 15
Issues getting iptables to work


When I first installed Linux about 6 months ago, I had trouble getting Samba shares and VNC to work, so I turned iptables off and everything came right. Now I need them again and they don't work.

I have set up my Linux box to provide web content filtering for my kids. All the client PCs run either XP or Win 98.

I have successfully got dhcp, squid and dansguardian running.

dhcp is set to make the Linux box the default gateway; squid is more or less configured as it came (I did play around with time-based ACL rules, but they didn't work, see posting elsewhere, and network IP ranges etc.); dansguardian is again almost as it came, mostly a few changes to blocked websites.

I am now trying to tighten up security, and fix a few surrounding problems.

Using Fedora 4 on an oldish P2 266. It's a bit slow but acceptable for us at the moment. Internet connection is via ADSL.

Problem 1

When I try to start iptables as a service (using the gui) it fails, but if I use the command 'service iptables start' I get no output to tell me the state. I was getting something, but now I get no response.

I have also entered a couple of redirection chains to redirect all port 80 & port 3128 requests to port 8080. But this doesn't seem to work.

I also can't seem to find a command that allows me to display the configured chains


Problem 2

I think this is related to problem 1: things like Skype, AVG anti-virus, Ad-Aware (spyware remover) etc. are no longer able to contact their servers to look for updates.


As always, any help gratefully received.
 
Old 04-23-2006, 09:33 PM   #2
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian
Posts: 2,210

Rep: Reputation: 341
Quote:
Originally Posted by keithdj
When I try to start iptables as a service (using the gui) it fails, but if I use the command 'service iptables start' I get no output to tell me the state. I was getting something, but now I get no response.
I can't understand what you're saying here. Forget the GUI for the moment (no need muddying the waters). What exactly are you typing on the command line? You don't just type "iptables" and expect something to happen. You can't see a process named iptables running, if that's what you're looking for. You run the iptables command multiple times, building up different rules each time you run it, depending on what you specify. Once you've got your rules built up, you can see them by typing "iptables --list". Or you can wipe them out by typing "iptables -F".

Your description of your problems makes me think you don't exactly know what to expect from iptables. Please excuse me if I'm wrong, but it sounds like you're expecting something different than what iptables does.

Here's an example file to setup iptables rules. It's the one I use on my home system. I put the file in /etc/init.d/firewall and symlinked to appropriate filenames in my /etc/rc*.d directories, for automatic startup at various runlevels. You can see I actually call iptables multiple times:
Code:
#!/bin/sh

IPTABLES=/sbin/iptables

case "$1" in

start)
    echo -n "Starting IP Firewall ... "

    # Clear any existing rules, zero counters
    $IPTABLES -t nat    -F
    $IPTABLES -t mangle -F
    $IPTABLES -t filter -F
    $IPTABLES -Z

    # Set default policies
    $IPTABLES -P INPUT   DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT  ACCEPT

    # Allow loopback (LOCALHOST, 127.0.0.1)
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # DROP everything to/from the DMZ (192.168.0.254)
    # These two rules need to come BEFORE the LAN-ACCEPT rule below
    $IPTABLES -A OUTPUT -d 192.168.0.254 -j DROP
    $IPTABLES -A INPUT  -s 192.168.0.254 -j DROP

    # Allow packets from established or related connections (LAN, INTERNET)
    # This rule affects all protocols (tcp, udp, icmp)
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow incoming PING, SSH, HTTP, MYSQL, & SMB from LAN computers (LAN)
    # For port_number-to-service_name mappings, see /etc/services
    $IPTABLES -A INPUT -s 192.168.0.0/24 -p icmp --icmp-type 8        -j ACCEPT
    $IPTABLES -A INPUT -s 192.168.0.0/24 -p tcp  --dport ssh          -j ACCEPT
    $IPTABLES -A INPUT -s 192.168.0.0/24 -p tcp  --dport www          -j ACCEPT
    $IPTABLES -A INPUT -s 192.168.0.0/24 -p tcp  --dport mysql        -j ACCEPT
    $IPTABLES -A INPUT -s 192.168.0.0/24 -p tcp  --dport microsoft-ds -j ACCEPT
    $IPTABLES -A INPUT -s 192.168.0.0/24 -p udp  --dport netbios-ns   -j ACCEPT
    $IPTABLES -A INPUT -s 192.168.0.0/24 -p udp  --dport netbios-dgm  -j ACCEPT
    $IPTABLES -A INPUT -s 192.168.0.0/24 -p udp  --dport netbios-ssn  -j ACCEPT

    # Allow nmblookup responses from LAN computers (LAN)
    # Not sure why the ESTABLISHED,RELATED rule above does not cover
    # these reply packets, but it appears not to
    $IPTABLES -A INPUT -s 192.168.0.0/24 -p udp --sport netbios-ns -j ACCEPT

    # Be kind to the LAN, and REJECT unwanted packets rather than DROP them
    $IPTABLES -A INPUT -s 192.168.0.0/24 -j REJECT

    # Allow incoming SSH from PC at work (INTERNET)
    $IPTABLES -A INPUT -s aaa.bbb.ccc.ddd -p tcp --dport ssh -j ACCEPT

    echo "done"
    ;;

stop)
    echo -n "Stopping IP Firewall ... "

    # Clear any existing rules, zero counters
    $IPTABLES -t nat    -F
    $IPTABLES -t mangle -F
    $IPTABLES -t filter -F
    $IPTABLES -Z

    # Allow everything
    $IPTABLES -P INPUT   ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT  ACCEPT

    echo "done"
    ;;

restart)
    echo -n "Restarting IP Firewall ... "

    # Stop, then start
    $0 stop  > /dev/null
    sleep 1
    $0 start > /dev/null

    echo "done"
    ;;

lock|lockdown|panic|shutdown|deny|denyall)
    echo -n "Locking down IP Firewall (disallow all network traffic) ... "

    # Clear any existing rules, zero counters
    $IPTABLES -t nat    -F
    $IPTABLES -t mangle -F
    $IPTABLES -t filter -F
    $IPTABLES -Z

    # Shut everything down
    $IPTABLES -P INPUT   DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT  DROP

    # Allow loopback (LOCALHOST, 127.0.0.1)
    # Note: -i (input interface) is only valid in INPUT/FORWARD; the OUTPUT
    # chain must match on -o (output interface) or iptables rejects the rule
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    echo "done"
    ;;

*)
    echo "Usage: $0 {start|stop|restart|panic}"
    ;;

esac
Here's what comes back from commands issued from the shell. Note the lack of a process called "iptables":
Code:
# ps -ef | grep iptables
#
# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  192.168.0.254        anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  localnet/24          anywhere            icmp echo-request
ACCEPT     tcp  --  localnet/24          anywhere            tcp dpt:ssh
ACCEPT     tcp  --  localnet/24          anywhere            tcp dpt:www
ACCEPT     tcp  --  localnet/24          anywhere            tcp dpt:mysql
ACCEPT     tcp  --  localnet/24          anywhere            tcp dpt:microsoft-ds
ACCEPT     udp  --  localnet/24          anywhere            udp dpt:netbios-ns
ACCEPT     udp  --  localnet/24          anywhere            udp dpt:netbios-dgm
ACCEPT     udp  --  localnet/24          anywhere            udp dpt:netbios-ssn
ACCEPT     udp  --  localnet/24          anywhere            udp spt:netbios-ns
REJECT     all  --  localnet/24          anywhere            reject-with icmp-port-unreachable
ACCEPT     tcp  --  ddd.ccc.bbb.aaa.in-addr.arpa  anywhere            tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             192.168.0.254
#
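The script above is a host firewall: its FORWARD policy is DROP and it has no nat rules, so it does not cover the case described in the first post, where the Linux box is the LAN's default gateway and must also divert the kids' web traffic into dansguardian while routing everything else out over ADSL. The following is an added example written for this thread, not haertig's script and not part of the original post. It assumes eth0 faces the LAN, ppp0 is the ADSL link, the LAN is 192.168.0.0/24, dansguardian listens on 8080 and squid on 3128; all of those are parameters at the top. Setting DRY_RUN=1 prints the iptables commands instead of running them, which is how the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): gateway + transparent web-filter rule set.
# Interface names, addresses and ports below are assumptions; adjust to taste.
# DRY_RUN=1 prints the commands instead of executing them.

LAN_IF=${LAN_IF:-eth0}             # assumed: interface facing the client PCs
WAN_IF=${WAN_IF:-ppp0}             # assumed: ADSL interface
LAN_NET=${LAN_NET:-192.168.0.0/24} # assumed LAN range
FILTER_PORT=${FILTER_PORT:-8080}   # dansguardian
PROXY_PORT=${PROXY_PORT:-3128}     # squid
DRY_RUN=${DRY_RUN:-0}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

reset_all() {
    # "iptables -F" alone touches only the filter table; REDIRECT rules live
    # in nat, so flush every table, drop user chains and open every policy.
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
        ipt -t "$t" -Z
    done
    for c in INPUT FORWARD OUTPUT; do ipt -P "$c" ACCEPT; done
}

gateway_rules() {
    reset_all
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Transparent filter: LAN traffic to port 80 (or straight to squid) is
    # diverted to dansguardian before routing. Matching on -i LAN_IF means
    # squid's own fetches (which leave via OUTPUT, not PREROUTING) are not
    # redirected, so there is no loop.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-ports "$FILTER_PORT"
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j REDIRECT --to-ports "$FILTER_PORT"
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$FILTER_PORT" -j ACCEPT

    # Services the LAN needs from the gateway itself: DHCP, DNS, SMB, VNC, ping.
    ipt -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 139,445 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp -m multiport --dports 137,138 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 5900 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j REJECT

    # Everything that is not web (AV updaters, Skype, NTP, ...) is routed,
    # not proxied: forward it from the LAN and masquerade behind the ADSL address.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

case "${1:-}" in
    start) enable_forwarding; gateway_rules ;;
    stop)  reset_all ;;
    *)     ;;   # no argument: just define the functions
esac
```

Run it as `DRY_RUN=1 sh gateway.sh start` first and read the output; then as root without DRY_RUN. Two things the firewall cannot do for you: ip_forward must be on or the FORWARD chain never sees LAN packets, and squid/dansguardian need their own transparent-proxy settings for redirected connections to work.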
 
Old 04-24-2006, 07:27 AM   #3
keithdj
LQ Newbie
 
Registered: Aug 2005
Location: New Zealand
Distribution: Fedora 4.0
Posts: 27

Original Poster
Rep: Reputation: 15
I did have slightly the wrong idea about how the command 'iptables' worked, but using the info you supplied and playing around a bit I have started to get some results, and a clearer picture of how to use it. Thanks.

I have now managed to successfully forward ports 80 & 3128 to 8080, but now have some new questions


1.
I cleared all the rules etc., but I still could not get my anti-virus software (running on an XP client) to contact its update server. This works fine if I point my client directly at my router. Any ideas?

2.
A bit off topic, but how do you invoke the iptables script you supplied?
 
Old 04-24-2006, 11:41 AM   #4
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian
Posts: 2,210

Rep: Reputation: 341
Quote:
Originally Posted by keithdj
I cleared all the rules etc, but I still could not get my anti virus software (running on xp client) to contact its update server
Besides clearing the rules, you need to set default policies to ACCEPT also. Something like this:
Code:
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
I recommend the following tutorial to learn how to use iptables (don't worry, it doesn't take as long to get through it as you first envision, when you see the size of the document!)
http://www.linuxsecurity.com/resourc...-tutorial.html
Quote:
A bit of topic, but how do you invoke the iptables script you supplied ?
That script I cut/pasted is located in a file /etc/init.d/firewall. (I created the file from scratch). /etc/init.d is a standard place to find startup scripts on many Linux distros, including Debian, which is what I run. As root, I can run this script manually if I want: /etc/init.d/firewall start or /etc/init.d/firewall stop

However, you probably want this automated. That's where the symlinks I mentioned earlier come into play. I maintain my system "the manual way", so be aware there are other methods to do what I do. There's some program called "chkconfig" I believe. And something called "updaterc" (or something like that). These just automate the same symlinking that I do manually, AFAIK.

Another thread a while back regarding iptables is here: http://www.linuxquestions.org/questi...d.php?t=430360 In that thread I posted much the same script I did on this thread, but also listed the specific symlinks I setup to automate things. There are other ways to automate your firewall. In the thread I just mentioned, look for the post by dopehouse talking about using iptables-save and iptables-restore.

I'll be glad to help you out more with this, but I think referring to that other post and the iptables tutorial might better serve you for more in-depth understanding.
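On Fedora, which the original poster runs, the automation haertig describes is already there: `service iptables start` hands /etc/sysconfig/iptables to iptables-restore, and `service iptables save` (or `iptables-save > /etc/sysconfig/iptables`) writes it, which also explains why starting the service produces no visible result when that file is empty or missing. The following is an added example, not from either poster, that sanity-checks an iptables-save dump before it is installed as that file: the table/COMMIT framing iptables-restore requires, explicit DROP policies on INPUT and FORWARD, and the REDIRECT and MASQUERADE rules a gateway of this kind needs. The dump it checks is a constructed sample embedded in the script; the expected ports and interfaces are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump before
# installing it as /etc/sysconfig/iptables. The sample dump is constructed.

# Write the constructed sample dump to the file named in $1.
write_sample() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -s 192.168.0.0/24 -j ACCEPT
COMMIT
EOF
}

# Print "<table> <chain> <policy>" for every built-in chain in the dump,
# e.g. "filter INPUT DROP". The ":CHAIN POLICY [pkts:bytes]" lines carry it.
policies() {
    awk '/^\*/ { table = substr($1, 2) }
         /^:/  { print table, substr($1, 2), $2 }' "$1"
}

# Return 0 if the dump is well formed and carries the rules the gateway needs;
# each problem found is printed and the return code becomes 1.
audit_ruleset() {
    f=$1; rc=0
    # every *table block must be closed by COMMIT or iptables-restore rejects the file
    tables=$(grep -c '^\*' "$f"); commits=$(grep -c '^COMMIT$' "$f")
    [ "$tables" -eq "$commits" ] || { echo "table/COMMIT mismatch: $tables vs $commits"; rc=1; }
    # the host must not default to ACCEPT on INPUT or FORWARD
    for chain in INPUT FORWARD; do
        policies "$f" | grep -q "^filter $chain DROP$" || { echo "filter $chain policy is not DROP"; rc=1; }
    done
    # transparent-proxy redirect and masquerade must both be present (assumed ports)
    grep -q -- '^-A PREROUTING .*--dport 80 -j REDIRECT --to-ports 8080$' "$f" || { echo "missing port-80 REDIRECT"; rc=1; }
    grep -q -- '^-A POSTROUTING .*-j MASQUERADE$' "$f" || { echo "missing MASQUERADE"; rc=1; }
    # an OUTPUT rule matching on -i fails at load time; it needs -o
    grep -q -- '^-A OUTPUT .* -i ' "$f" && { echo "OUTPUT rule uses -i (use -o)"; rc=1; }
    return $rc
}

# Typical use on the Fedora box, as root, once the live rules behave:
#   iptables-save > /tmp/rules.v4 && audit_ruleset /tmp/rules.v4 \
#     && cp /tmp/rules.v4 /etc/sysconfig/iptables && chkconfig iptables on
```

After installing the file, `service iptables restart` followed by `iptables -t nat -L -n` and `iptables -L -n` confirms that what was saved is what got loaded; the nat table has to be listed explicitly, since plain `iptables -L` shows only filter.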
 
Old 04-24-2006, 11:15 PM   #5
keithdj
LQ Newbie
 
Registered: Aug 2005
Location: New Zealand
Distribution: Fedora 4.0
Posts: 27

Original Poster
Rep: Reputation: 15
Will work through the tutorial; yes, it does look a bit daunting, but no bother.

I have also flicked through the other thread you posted; will print out and examine more closely.

I tried clearing the rules etc. as per above, and the anti-virus still can't connect. I am starting to wonder if it's something to do with the DHCP or DNS. In the top of my dhcpd.conf file there are two lines that are commented out.

ddns-update-style none;
ignore client-updates;

If I enable these lines and restart the DHCP server I get errors. I assume the first line has something to do with DNS, and that this is why my updates etc. won't work.
 
Old 04-25-2006, 12:26 AM   #6
drkstr
Senior Member
 
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191

Rep: Reputation: 45
dhcpd does not have built-in functionality for DNS. The best way to do this is through dnsmasq. It is meant for home Linux routers and it combines DNS and DHCP into one convenient service. Slackware comes with it as an add-on, but you can also download and install it from its homepage:

http://thekelleys.org.uk/dnsmasq/doc.html

It might not be the specific cause of the problem, but I found it essential to setting up my home network.

regards,
...drkstr
 
Old 04-26-2006, 04:34 AM   #7
keithdj
LQ Newbie
 
Registered: Aug 2005
Location: New Zealand
Distribution: Fedora 4.0
Posts: 27

Original Poster
Rep: Reputation: 15
Thanks for that. Got it working, but things still aren't working yet; I'm seeing an improvement, though, so I must be heading in the right direction.
 
  


All times are GMT -5.
