Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
 |
09-11-2006, 10:49 AM
|
#1
|
LQ Newbie
Registered: Sep 2006
Location: Brasil
Distribution: FC 5
Posts: 2
Rep:
|
FC5 - iptables - slows and stops internet traffic
Hi,
I'm using FC5 as a proxy server / firewall, and I have issues when I try to setup iptables policies.
A friend of mine gave me iptables.conf file that he is using,
I've adapted it and it do not work right
When I load it it works 10 min and after, its slows down and stops...
To enable traffic again, I have to load a very basic iptables conf
Could you please help me ?
Thank you,
Emmanuel
Here is my conf
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables="/sbin/iptables"
####Limpar tabela filter
$iptables -t filter -F
####Limpar tabela nat
$iptables -t nat -F
####Definicao de regra padrao de Proibicao na Tabela Filter Entrada/Saida/Reenvio
$iptables -t filter -P INPUT DROP
$iptables -t filter -P OUTPUT DROP
$iptables -t filter -P FORWARD DROP
####
####Regras para liberacao do INPUT -
####
#------------------sempre colocar o material abaixo----------------------
$iptables -t filter -A INPUT -i lo -j ACCEPT
$iptables -t filter -A INPUT -f -j DROP
$iptables -t filter -A INPUT -m unclean -j DROP
$iptables -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
$iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN -m state --state ! ESTABLISHED -j DROP
$iptables -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#------------------ Regras ----------------------
$iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 22 -j ACCEPT
$iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 22 -j ACCEPT
$iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 53 -j ACCEPT
$iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 53 -j ACCEPT
$iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 80 -j ACCEPT
$iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 80 -j ACCEPT
$iptables -t filter -A INPUT -s 10.55.10.0/24 -p tcp --dport 3128 -j ACCEPT
$iptables -t filter -A INPUT -s 10.55.10.0/24 -p udp --dport 3128 -j ACCEPT
$iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t filter -A INPUT -m state --state INVALID -j DROP
$iptables -t filter -A INPUT -j DROP
####
####Regras para liberacao do OUTPUT -
####
#------------------sempre colocar o material abaixo----------------------
$iptables -t filter -A OUTPUT -f -j DROP
$iptables -t filter -A OUTPUT -m unclean -j DROP
$iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -t filter -A OUTPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$iptables -t filter -A OUTPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
$iptables -t filter -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$iptables -t filter -A OUTPUT -p tcp --tcp-flags ALL FIN -m state --state ! ESTABLISHED -j DROP
$iptables -t filter -A OUTPUT -p tcp --tcp-flags ALL ALL -j DROP
$iptables -t filter -A OUTPUT -p tcp --tcp-flags ALL NONE -j DROP
#------------------ Regras ----------------------
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 20 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 20 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 21 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 21 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 22 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 22 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 53 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 53 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 80 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 80 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 443 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p udp --dport 443 -j ACCEPT
$iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t filter -A OUTPUT -m state --state INVALID -j DROP
$iptables -t filter -A OUTPUT -j DROP
####
####Regras para Liberacao do FORWARD -
####
#------------------sempre colocar o material abaixo----------------------
$iptables -t filter -A FORWARD -f -j DROP
$iptables -t filter -A FORWARD -m unclean -j DROP
$iptables -t filter -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$iptables -t filter -A FORWARD -p tcp --tcp-flags ALL SYN,FIN -j DROP
$iptables -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$iptables -t filter -A FORWARD -p tcp --tcp-flags ALL FIN -m state --state ! ESTABLISHED -j DROP
$iptables -t filter -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
$iptables -t filter -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
#------------------ Regras ----------------------
$iptables -t filter -A FORWARD -s 10.55.10.0/24 -p tcp --dport 22 -j ACCEPT
$iptables -t filter -A FORWARD -s 10.55.10.0/24 -p udp --dport 22 -j ACCEPT
$iptables -t filter -A FORWARD -s 10.55.10.0/24 -p tcp --dport 53 -j ACCEPT
$iptables -t filter -A FORWARD -s 10.55.10.0/24 -p udp --dport 53 -j ACCEPT
$iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t filter -A FORWARD -m state --state INVALID -j DROP
$iptables -t filter -A FORWARD -j DROP
####Regras para Ativar o MASQUERADE
$iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
|
|
|
09-12-2006, 06:32 AM
|
#2
|
Senior Member
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291
Rep:
|
Hi and Welcome,
Just a few things we need to know to help you out, firstly is this FC5 machine a dedicated firewall or our you using it as a workstations as well. I ask this because you are using the INPUT and OUTPUT rules which are the same as the FORWARD rules.
When routing between two networks, like between your network and your ISP's network, you only use the FORWARD rules, not the INPUT or OUTPUT rules. The INPUT and OUTPUT are only used if you are connecting to the firewall machine itself.
Also I have notice that you have set all the default policies to DROP, this is a good practice to do, then you have further down set to DROP all the packets again, this is not a bad idea I do it myself with the rules rather than letting default policy always catch them. But you might want to do something a bit more constructive with them like logging them before you drop them.
|
|
|
09-12-2006, 09:27 AM
|
#3
|
LQ Newbie
Registered: Sep 2006
Location: Brasil
Distribution: FC 5
Posts: 2
Original Poster
Rep:
|
Hi,
The server is not used as a workstation, but it is a HTTP proxy (squid / squidguard)
And I've defined the following rules:
Internal Network -> Server (INPUT)
3128 - Squid
22 - SSH
80 - HTTP - There is a apache server for SARG reports
Server - > Internet (OUTPUT)
80 - HTTP (for squid)
443 - HTTPS (for squid)
22 - SSH (for other servers admin)
20 21 - FTP (for squid)
53 - DNS
Internet -> Server (INPUT)
80 - HTTP SARG reports
22 - SSH
Internal Network -> Internet (FORWARD)
53 - DNS (DNS for workstations)
22 - SSH (for other servers admin)
I'm a newbie in the sofisticated world of Iptables... and, indeed, I would like to log the rejected packets !
And build good tables !
Thanks for your help
Emmanuel
|
|
|
09-16-2006, 12:04 AM
|
#4
|
Senior Member
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291
Rep:
|
Quote:
The server is not used as a workstation, but it is a HTTP proxy (squid / squidguard)
|
OK your running services on there as well, just thought you may have made the similar mistake I made when first using iptables, but you seam to have a good script and some understaning of iptables, although I see -t filter in your rules, I have never seen them in any scripts before, does not mean it should not be there, it may be perfectly ok, my understanding is minimal when it comes to iptables.
Is it all services that are running through the router/firewall running slow? or is only the web side of it that slows down? Iptables itself does cache web pages, it sounds like it maybe a proxy related issue, maybe a problem with squid.
Unfortunately I have no experience with squid at all, if it is the webpages that are slowing down, maybe turn off squid and see if that fixes the problem. If that works then it will certainly be a squid problem and then maybe post a question regarding squid.
Quote:
I would like to log the rejected packets !
|
Logging DROP packets is pretty easy, most distro you just need to load the modules for logging which you can do by placing a line in your script to load them for you. Or if you are lucky they may have compiled it into the kernel already so you just need to add the logging rule to your iptables script. Here is a list from my script of some modules that are very handy to have which includes the logging module.
Code:
/sbin/modprobe ipt_LOG
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_TOS
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_recent
/sbin/modprobe ipt_multiport
So for an example of logging:
Code:
$iptables -t filter -A INPUT -f -j LOG --log-prefix "FRAGMENT: "
$iptables -t filter -A INPUT -m unclean --j LOG --log-prefix "UNCLEAN: "
$iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "BADTCP: "
$iptables -t filter -A INPUT -p tcp -j LOG --log-prefix "TCP: "
$iptables -t filter -A INPUT -p udp -j LOG --log-prefix "UDP: "
$iptables -t filter -A INPUT -p icmp -j LOG --log-prefix "ICMP: "
Now all these will be logged in /var/log/messages, since your default policy is set too DROP, they will be dropped after being logged. Also you can cut down on the amount of rules to write by loading the ipt_multiport module:
Code:
$iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -p udp -m --multiport --dport 22,53,80 -j ACCEPT
$iptables -t filter -A OUTPUT -s 0.0.0.0/0.0.0.0 -p udp -m --multiport --dport 20,21,22,53,80,443 -j ACCEPT
Once your gain an understanding of iptables you realise how powerful it can be, but if you can try to keep them a simple as you can, the more complex the script, the harder it is to problem solve. Iptables in its simple form is still very powerful
Last edited by fotoguy; 09-16-2006 at 12:06 AM.
|
|
|
09-16-2006, 08:26 AM
|
#5
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
this box has two network interface cards, right??
if so, what are their names??
BTW, i have a feeling you'd benefit from a simpler iptables script... =/
Last edited by win32sux; 09-16-2006 at 08:33 AM.
|
|
|
All times are GMT -5. The time now is 04:17 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|