LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-11-2006, 10:49 AM   #1
manu55
LQ Newbie
 
Registered: Sep 2006
Location: Brasil
Distribution: FC 5
Posts: 2

Rep: Reputation: 0
FC5 - iptables - slows and stops internet traffic


Hi,

I'm using FC5 as a proxy server / firewall, and I have issues when I try to set up iptables policies.

A friend of mine gave me the iptables.conf file that he is using;
I've adapted it and it does not work right.

When I load it, it works for 10 min and after that it slows down and stops...

To enable traffic again, I have to load a very basic iptables conf.

Could you please help me?

Thank you,

Emmanuel




Here is my conf


------------------------------------------------------------------------------------
------------------------------------------------------------------------------------

#!/bin/bash

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables="/sbin/iptables"

#### Flush the filter table
$iptables -t filter -F

#### Flush the nat table
$iptables -t nat -F

#### Default deny policy on the filter table for Input/Output/Forward
$iptables -t filter -P INPUT DROP
$iptables -t filter -P OUTPUT DROP
$iptables -t filter -P FORWARD DROP

####
#### Rules allowing INPUT -
####


#------------------ always put the material below ----------------------

$iptables -t filter -A INPUT -i lo -j ACCEPT
# -f matches second and later fragments only
$iptables -t filter -A INPUT -f -j DROP
# the "unclean" match was an experimental 2.4 kernel module and does not exist on
# 2.6 kernels such as FC5's: iptables reports "No chain/target/match by that name"
# and the rule is simply not added (the script carries on)
$iptables -t filter -A INPUT -m unclean -j DROP
$iptables -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# drop TCP flag combinations that never occur in normal traffic
$iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
$iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN -m state --state ! ESTABLISHED -j DROP
$iptables -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP


#------------------ Rules ----------------------

$iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 22 -j ACCEPT
$iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 22 -j ACCEPT
$iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 53 -j ACCEPT
$iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 53 -j ACCEPT
$iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 80 -j ACCEPT
$iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 80 -j ACCEPT
$iptables -t filter -A INPUT -s 10.55.10.0/24 -p tcp --dport 3128 -j ACCEPT
$iptables -t filter -A INPUT -s 10.55.10.0/24 -p udp --dport 3128 -j ACCEPT
$iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t filter -A INPUT -m state --state INVALID -j DROP
$iptables -t filter -A INPUT -j DROP


####
#### Rules allowing OUTPUT -
####


#------------------ always put the material below ----------------------

$iptables -t filter -A OUTPUT -f -j DROP
# same remark as above: "unclean" is not available on 2.6 kernels
$iptables -t filter -A OUTPUT -m unclean -j DROP
$iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -t filter -A OUTPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$iptables -t filter -A OUTPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
$iptables -t filter -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$iptables -t filter -A OUTPUT -p tcp --tcp-flags ALL FIN -m state --state ! ESTABLISHED -j DROP
$iptables -t filter -A OUTPUT -p tcp --tcp-flags ALL ALL -j DROP
$iptables -t filter -A OUTPUT -p tcp --tcp-flags ALL NONE -j DROP


#------------------ Rules ----------------------

$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 20 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 20 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 21 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 21 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 22 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 22 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 53 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 53 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 80 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 80 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 443 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 443 -j ACCEPT
$iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t filter -A OUTPUT -m state --state INVALID -j DROP
$iptables -t filter -A OUTPUT -j DROP



####
#### Rules allowing FORWARD -
####


#------------------ always put the material below ----------------------

$iptables -t filter -A FORWARD -f -j DROP
# same remark as above: "unclean" is not available on 2.6 kernels
$iptables -t filter -A FORWARD -m unclean -j DROP
$iptables -t filter -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$iptables -t filter -A FORWARD -p tcp --tcp-flags ALL SYN,FIN -j DROP
$iptables -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$iptables -t filter -A FORWARD -p tcp --tcp-flags ALL FIN -m state --state ! ESTABLISHED -j DROP
$iptables -t filter -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
$iptables -t filter -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP


#------------------ Rules ----------------------

$iptables -t filter -A FORWARD -s 10.55.10.0/24 -p tcp --dport 22 -j ACCEPT
$iptables -t filter -A FORWARD -s 10.55.10.0/24 -p udp --dport 22 -j ACCEPT
$iptables -t filter -A FORWARD -s 10.55.10.0/24 -p tcp --dport 53 -j ACCEPT
$iptables -t filter -A FORWARD -s 10.55.10.0/24 -p udp --dport 53 -j ACCEPT
$iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t filter -A FORWARD -m state --state INVALID -j DROP
$iptables -t filter -A FORWARD -j DROP


#### Rules to enable MASQUERADE
$iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

 
Old 09-12-2006, 06:32 AM   #2
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
Hi and Welcome,

Just a few things we need to know to help you out. Firstly, is this FC5 machine a dedicated firewall, or are you using it as a workstation as well? I ask this because you are using the INPUT and OUTPUT rules, which are the same as the FORWARD rules.

When routing between two networks, like between your network and your ISP's network, you only use the FORWARD rules, not the INPUT or OUTPUT rules. The INPUT and OUTPUT rules are only used if you are connecting to the firewall machine itself.

Also, I have noticed that you have set all the default policies to DROP, which is a good practice; then, further down, you have set to DROP all the packets again. This is not a bad idea; I do it myself with the rules rather than letting the default policy always catch them. But you might want to do something a bit more constructive with them, like logging them before you drop them.
 
Old 09-12-2006, 09:27 AM   #3
manu55
LQ Newbie
 
Registered: Sep 2006
Location: Brasil
Distribution: FC 5
Posts: 2

Original Poster
Rep: Reputation: 0
Hi,

The server is not used as a workstation, but it is an HTTP proxy (squid / squidguard).

And I've defined the following rules:


Internal Network -> Server (INPUT)

3128 - Squid
22 - SSH
80 - HTTP - There is an Apache server for SARG reports

Server -> Internet (OUTPUT)

80 - HTTP (for squid)
443 - HTTPS (for squid)
22 - SSH (for other servers admin)
20 21 - FTP (for squid)
53 - DNS

Internet -> Server (INPUT)

80 - HTTP SARG reports
22 - SSH

Internal Network -> Internet (FORWARD)

53 - DNS (DNS for workstations)
22 - SSH (for other servers admin)



I'm a newbie in the sophisticated world of iptables... and, indeed, I would like to log the rejected packets!
And build good tables!


Thanks for your help

Emmanuel
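The traffic matrix in this post, written out as an iptables script in the shape fotoguy suggested in post #2: FORWARD for traffic routed from the LAN, INPUT/OUTPUT only for connections to and from the proxy box itself, and a log before the drop. This is an added example, not Emmanuel's script or anything posted in the thread. The interface names eth0 (LAN) and ppp0 (Internet), the chain name LOGDROP and the log rate limit are assumptions; 10.55.10.0/24 and ppp0 come from the script in the first post. By default it only prints the commands it would run, so the rule set can be read before it is loaded; set APPLY=1 to execute them with /sbin/iptables.

```shell
#!/bin/sh
# Added example, not from the thread. The traffic matrix of post #3 as an iptables
# script with a rate-limited log-then-drop chain. Assumptions: LAN interface eth0,
# Internet interface ppp0, chain name LOGDROP. Dry run by default; APPLY=1 loads
# the rules with /sbin/iptables.
set -u

APPLY="${APPLY:-0}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="10.55.10.0/24"            # internal network, taken from the OP's script

if [ "$APPLY" = 1 ]; then
    IPTABLES="/sbin/iptables"
else
    IPTABLES="echo /sbin/iptables"  # dry run: print each rule instead of loading it
fi

# Every rule goes through this one function, so a dry run is just "echo".
ipt() { $IPTABLES "$@"; }

# LOGDROP: log at most 5 lines a minute (burst 10), then drop. An unlimited LOG rule
# at the end of a chain can fill /var/log/messages during a port scan or a flood.
make_logdrop() {
    ipt -N LOGDROP
    ipt -A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: "
    ipt -A LOGDROP -j DROP
}

build_rules() {
    ipt -t filter -F
    ipt -t filter -X
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    make_logdrop

    # Stateful rules first: replies to accepted connections never touch the port
    # rules, and anything conntrack cannot classify is logged and dropped.
    for chain in INPUT OUTPUT FORWARD; do
        ipt -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
        ipt -A "$chain" -m state --state INVALID -j LOGDROP
    done
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # Internal network -> server (INPUT): squid 3128, ssh 22, apache 80 (SARG reports)
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 22,80,3128 -j ACCEPT
    # Internet -> server (INPUT): ssh and the SARG pages only
    ipt -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 22,80 -j ACCEPT
    # Server -> Internet (OUTPUT): ftp, ssh, dns, http, https for squid and for admin
    ipt -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 20,21,22,53,80,443 -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    # Internal network -> Internet (FORWARD): dns and ssh only; web browsing goes via squid
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 22,53 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT

    # Anything not matched above is logged, then dropped; the DROP policy is the backstop.
    for chain in INPUT OUTPUT FORWARD; do
        ipt -A "$chain" -j LOGDROP
    done
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Sanity check on the generated rule set: how many emitted rules match a pattern.
count_rules_matching() { build_rules | grep -c -- "$1"; }

if [ "$APPLY" = 1 ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
build_rules
```

Run it without APPLY to read the rule list; `count_rules_matching '-j LOGDROP'` reports 6 (an INVALID rule and a final catch-all in each of the three chains). Active FTP from squid relies on the RELATED state, so ip_conntrack_ftp must be loaded for port 20 data connections to come back in.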
 
Old 09-16-2006, 12:04 AM   #4
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
Quote:
The server is not used as a workstation, but it is a HTTP proxy (squid / squidguard)
OK, you're running services on there as well; I just thought you may have made a similar mistake to the one I made when first using iptables, but you seem to have a good script and some understanding of iptables. Although I see -t filter in your rules, I have never seen them in any scripts before; that does not mean it should not be there, it may be perfectly OK. My understanding is minimal when it comes to iptables.

Are all the services that are running through the router/firewall running slow, or is it only the web side of it that slows down? Iptables itself does cache web pages; it sounds like it may be a proxy-related issue, maybe a problem with squid.

Unfortunately I have no experience with squid at all. If it is the web pages that are slowing down, maybe turn off squid and see if that fixes the problem. If that works then it will certainly be a squid problem, and then maybe post a question regarding squid.

Quote:
I would like to log the rejected packets !
Logging DROPped packets is pretty easy; on most distros you just need to load the modules for logging, which you can do by placing a line in your script to load them for you. Or, if you are lucky, they may have compiled it into the kernel already, so you just need to add the logging rule to your iptables script. Here is a list from my script of some modules that are very handy to have, which includes the logging module.

Code:
/sbin/modprobe ipt_LOG
/sbin/modprobe iptable_filter 
/sbin/modprobe iptable_mangle 
/sbin/modprobe iptable_nat 
/sbin/modprobe ipt_TOS 
/sbin/modprobe ip_conntrack 
/sbin/modprobe ip_nat_irc 
/sbin/modprobe ip_nat_ftp 
/sbin/modprobe ip_conntrack_ftp 
/sbin/modprobe ip_conntrack_irc 
/sbin/modprobe ipt_limit 
/sbin/modprobe ipt_state 
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_mac	
/sbin/modprobe ipt_recent
/sbin/modprobe ipt_multiport

So for an example of logging:


Code:
$iptables -t filter -A INPUT -f -j LOG --log-prefix "FRAGMENT: "
$iptables -t filter -A INPUT -m unclean -j LOG --log-prefix "UNCLEAN: "
$iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "BADTCP: "
$iptables -t filter -A INPUT -p tcp -j LOG --log-prefix "TCP: "
$iptables -t filter -A INPUT -p udp -j LOG --log-prefix "UDP: "
$iptables -t filter -A INPUT -p icmp -j LOG --log-prefix "ICMP: "
Now all these will be logged in /var/log/messages; since your default policy is set to DROP, they will be dropped after being logged. Also you can cut down on the number of rules to write by loading the ipt_multiport module:

Code:
$iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -p udp -m multiport --dports 22,53,80 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p udp -m multiport --dports 20,21,22,53,80,443 -j ACCEPT

Once you gain an understanding of iptables you realise how powerful it can be, but if you can, try to keep them as simple as you can; the more complex the script, the harder it is to problem-solve. Iptables in its simple form is still very powerful.

Last edited by fotoguy; 09-16-2006 at 12:06 AM.
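Once the LOG rules above are in place, /var/log/messages fills with kernel lines tagged by their --log-prefix, and the useful next step is to summarise them rather than read them raw. This is an added example, not part of fotoguy's post: three small awk reports (hits per prefix, hits per protocol and destination port, and the busiest source addresses) over a handful of constructed sample lines. The field layout (IN= OUT= SRC= DST= PROTO= DPT=) is the real kernel LOG format; the prefixes, timestamps, hostname "proxy" and the addresses (documentation ranges) are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise iptables LOG lines in syslog format.
# SAMPLE_LOG is constructed for the demonstration; on a real box feed the functions
# with:  grep 'kernel:.*IN=' /var/log/messages | count_by_prefix
set -u

SAMPLE_LOG='Sep 16 00:04:01 proxy kernel: BADTCP: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=443 DPT=22 WINDOW=0 RES=0x00 FIN URG PSH URGP=0
Sep 16 00:04:03 proxy kernel: TCP: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TTL=52 ID=1 PROTO=TCP SPT=40123 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 16 00:04:05 proxy kernel: TCP: IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.2 LEN=60 TTL=49 ID=2 PROTO=TCP SPT=50211 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 16 00:04:09 proxy kernel: UDP: IN=eth0 OUT= SRC=10.55.10.23 DST=203.0.113.2 LEN=78 TTL=64 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 16 00:04:10 proxy kernel: ICMP: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=84 TTL=52 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Sep 16 00:04:11 proxy kernel: TCP: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TTL=52 ID=5 PROTO=TCP SPT=40124 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0'

# Hits per --log-prefix. The prefix is the word ending in ":" right after "kernel:",
# which is field 6 of a syslog line. Output: "TCP: 3", one line per prefix.
count_by_prefix() {
    awk '/kernel: [A-Z_-]+: / { n[$6]++ } END { for (p in n) print p, n[p] }' | sort
}

# Hits per protocol and destination port, e.g. "TCP/3128 3". Lines without a DPT=
# field (ICMP) are skipped. Fields are located by name, so their position can vary.
count_by_dport() {
    awk '/kernel: / {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            if (dpt != "") n[proto "/" dpt]++
         }
         END { for (k in n) print k, n[k] }' | sort
}

# Source addresses by number of logged packets, busiest first: "4 198.51.100.7".
top_sources() {
    awk '/kernel: / { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Helpers that answer one question each, for scripted checks against the sample.
hits_for_prefix() {
    printf '%s\n' "$SAMPLE_LOG" | count_by_prefix | awk -v p="$1:" '$1 == p { print $2 }'
}
hits_for_dport() {
    printf '%s\n' "$SAMPLE_LOG" | count_by_dport | awk -v k="$1" '$1 == k { print $2 }'
}
top_source() {
    printf '%s\n' "$SAMPLE_LOG" | top_sources | head -n 1 | awk '{ print $2 }'
}

echo "== hits per prefix ==";    printf '%s\n' "$SAMPLE_LOG" | count_by_prefix
echo "== hits per proto/port =="; printf '%s\n' "$SAMPLE_LOG" | count_by_dport
echo "== top sources ==";        printf '%s\n' "$SAMPLE_LOG" | top_sources
```

On the sample the prefix report shows the three TCP lines, and the port report shows that all of them are connection attempts to 3128 from the ppp0 side, which is exactly the kind of thing the OP's rules (squid open only to 10.55.10.0/24) are meant to refuse. The same pipelines work on the live file once the LOG lines carry the prefixes from the rules above.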
 
Old 09-16-2006, 08:26 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
this box has two network interface cards, right??

if so, what are their names??

BTW, i have a feeling you'd benefit from a simpler iptables script... =/

Last edited by win32sux; 09-16-2006 at 08:33 AM.
 