LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 11-01-2005, 09:16 PM   #31
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69

Based on what you've posted, it looks like you're using a mangled iptables script (it looks like a part of a custom script combined with the fedora default). That script doesn't look like it would work. Please post the output of "iptables -vnL" so that we can be sure of what is going on. If you're having problems during boot, then you may need to start in single user mode and then modify the firewall rules. You can also shut off the firewall using "service iptables stop" which should make it more useable.
 
Old 11-05-2005, 07:54 AM   #32
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
Hi, sorry for the late reply. Here is the output of iptables -vnL. FYI, if I boot using single user mode, which I do by adding "single" to the end of the kernel statement in the bootup script, it boots into a command prompt only. So service iptables stop won't help here. Can chkconfig help?

Code:
chain INPUT (policy Accept 2 packets, 64 bytes)
pkts byte target prot opt in out source destination

chain forward (policy Accept 0 packets, 0 bytes)
pkts byte target prot opt in out source destination

chain Output (policy accept 2 packets, 64 bytes)
pkts byte target prot opt in out source destination

Regards
Daniel





 
Old 11-10-2005, 07:48 PM   #33
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
Hi, have you taken a look at my iptables? I can finally log in to Linux after I disabled iptables at startup. Thanks

Regards
Daniel



 
Old 11-10-2005, 08:25 PM   #34
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
To be honest, I'm not sure what script or rules you're using. The firewall you posted here is total garbage and won't work. Packets on the INPUT chain are never handed to the RH-firewall-1-input chain and your default INPUT policy is DROP, so even traffic on lo is dropped, which is why the system is acting bizarre. You need to read the directions I've given you and follow them exactly. You're making significant modifications to critical portions of your system, so you need to be very careful and pay attention to detail when doing this.

Start by replacing the /etc/sysconfig/iptables file with the backup version (you did make the backup right?)
Then restart iptables with 'service iptables start' (the system should function normally again)
Then follow the directions that have been posted in the thread.
 
Old 11-10-2005, 09:04 PM   #35
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
Hi, I did add some of the rules you gave and also modified some. The reason I drop on the default input chain is that whatever packets don't comply with the input chain rules will be dropped. Is there any flow/structure that I should follow in designing iptables?

Rgds
Daniel


 
Old 11-11-2005, 10:07 AM   #36
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
The reason I drop on the default input chain is that whatever packets don't comply with the input chain rules will be dropped.
Setting the default policy to drop is fine; however, you don't have any rules in the INPUT chain that accept any traffic. All of the rules that accept packets are part of the RH-firewall-1-input chain and you never connect INPUT and RH-firewall-1-input together. So the RH-firewall-1-input chain does nothing because it never sees any packets and, as a result, your firewall will never accept any incoming packets at all.

You can't just mix and match sets of iptables rules like that. There is a definite order to the flow of iptables and I would strongly suggest that you use a set of rules that have been designed by someone who understands iptables or at the very least use one of their rulesets as a guide until you understand it better. If you'd like to read up on iptables here are some HOWTOs that might help:

http://iptables-tutorial.frozentux.n...-tutorial.html
http://www.netfilter.org/documentation/index.html
 
Old 11-12-2005, 07:52 PM   #37
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
I thought that the RH-firewall-1-input chain is similar to INPUT. What is the difference? I saw that most of the articles don't have an RH-firewall-1-input chain. Correct me if I'm wrong. Is it ok to use the rule set you gave earlier as a guide?

Rgds
Daniel



 
Old 11-13-2005, 12:56 AM   #38
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
I thought that the RH-firewall-1-input chain is similar to INPUT. What is the difference?
It's designed to handle incoming traffic like the INPUT chain. However, it is a custom "user-defined chain" and not one of the standard built-in chains (like INPUT, FORWARD, OUTPUT). For the RH-firewall-1-input chain to function properly, you need to pass packets from the INPUT chain on to RH-firewall-1-input. You do that by using RH-firewall-1-input as a target in the INPUT chain, like this:
Code:
iptables -A INPUT -j RH-firewall-1-input
By doing that, the packets will be handed from the INPUT chain to RH-firewall-1-input. Otherwise the packets will only go through the INPUT chain and never through RH-firewall-1-input. If you look at your 2nd post in this thread, you can see that the original firewall you were using actually did that:
Quote:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2049 1998K RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Quote:
I saw that most of the articles don't have an RH-firewall-1-input chain.
The RH-firewall-1-input chain is only used by Redhat and other distros that are based off Redhat/Fedora.

Quote:
Is it ok to use the rule set you gave earlier as a guide?
Yes, but I would use the whole thing until you understand iptables better.
 
Old 11-13-2005, 08:24 PM   #39
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
Hi, what do you mean by based off Redhat/Fedora? So if I cut and paste, is it ok?

Regards
Daniel



 
Old 11-14-2005, 01:58 AM   #40
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Hi, what do you mean by based off Redhat/Fedora?
A number of distros are built using Redhat as a core and make various modifications. CentOS and Whitebox are examples of distros that are basically clones of Redhat versions.

Quote:
So if I cut and paste, is it ok?
Yes. In fact that's probably the best way.
 
Old 11-14-2005, 03:05 AM   #41
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
If I cut and paste your sample, then what about the user-defined custom REDHAT input chain?

Regards
Daniel


 
Old 11-14-2005, 09:14 AM   #42
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Those will need to be deleted. If you follow the directions I posted here then it will do that for you. I would recommend that you do not edit the /etc/sysconfig/iptables file directly.
 
Old 11-14-2005, 07:01 PM   #43
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
Hi, I do not understand how that previous discussion would delete those user-defined chains, and why not directly modify the iptables file. That discussion only describes how to make a backup and execute it. A bit confused on why they need to be deleted now. Please explain? Thanks

Regards
Daniel


 
Old 11-14-2005, 09:35 PM   #44
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
See the man page for iptables (man iptables). Specifically the -X option.

The /etc/sysconfig/iptables file is sensitive to formatting, so you should really only use the command 'iptables-save > /etc/sysconfig/iptables' to save rules to that file. The command 'service iptables save' just does the same thing. Directly editing it can cause problems that are hard to troubleshoot. For example, not having carriage returns at the proper parts of the file can cause the rules to fail to load even though the rules technically look correct.
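The core mistake in this thread is a user-defined chain that holds all the ACCEPT rules but that the built-in INPUT chain never jumps to (post #38), and the recommended way to persist rules is iptables-save output rather than a hand-edited file (this post). The script below is an added example, not code from the thread, that ties the two together: it takes an iptables-save style dump (the format iptables-save writes and /etc/sysconfig/iptables holds) and reports every user-defined chain that no rule jumps to. The two rule sets embedded in it are constructed samples of the broken and fixed layouts described above; the chain name RH-Firewall-1-INPUT is taken from the thread. It works on a saved file, so it needs neither root nor a live iptables.

```shell
#!/bin/sh
# Added example (not from the thread): find user-defined chains in an
# iptables-save dump that nothing jumps to. Such a chain does nothing, which
# is exactly the failure discussed above (INPUT policy DROP, accept rules in
# RH-Firewall-1-INPUT, no "-A INPUT -j RH-Firewall-1-INPUT").

# Constructed sample: the broken layout. Even "-i lo" traffic is dropped
# because INPUT never hands packets to the user-defined chain.
BROKEN_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample: the same rule set with the one missing rule added.
FIXED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# user_chains FILE: print the user-defined chains. In iptables-save output a
# chain header is ":NAME POLICY [pkts:bytes]"; built-in chains carry a real
# policy (ACCEPT/DROP), user-defined chains carry "-" instead.
user_chains() {
    awk '/^:/ && $2 == "-" { sub(/^:/, "", $1); print $1 }' "$1"
}

# chain_referenced FILE CHAIN: succeed if any rule jumps (-j) or goes (-g)
# to CHAIN, i.e. packets can actually reach it.
chain_referenced() {
    grep -Eq -- "^-A .*-(j|g) $2"'( |$)' "$1"
}

# unreachable_chains FILE: print each user-defined chain that no rule
# references, one per line. Empty output means every chain is wired in.
unreachable_chains() {
    for c in $(user_chains "$1"); do
        chain_referenced "$1" "$c" || echo "$c"
    done
}

# demo: write both constructed samples to temporary files and report.
# In real use, point unreachable_chains at /etc/sysconfig/iptables or at
# the output of "iptables-save > some-file" before making it permanent.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$BROKEN_RULES" > "$tmp/broken"
    printf '%s\n' "$FIXED_RULES" > "$tmp/fixed"
    echo "broken ruleset, unreachable chains: $(unreachable_chains "$tmp/broken")"
    echo "fixed ruleset, unreachable chains: $(unreachable_chains "$tmp/fixed")"
    rm -rf "$tmp"
}

demo
```

Run against a freshly saved dump before rebooting with it: a chain name in the output means the accept rules in that chain will never see a packet, and with a DROP policy on INPUT the box will behave exactly as described earlier in the thread. The check reads only the saved text, so it is a cheap sanity step to put between "test the rules with a script" and "iptables-save > /etc/sysconfig/iptables".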
 
Old 11-15-2005, 12:00 AM   #45
DanielTan
Member
 
Registered: Sep 2004
Location: Malaysia
Distribution: FC6, Solaris
Posts: 340

Original Poster
Rep: Reputation: 30
Firstly, do you mean that using the -X option for iptables can automatically delete those user-defined chains? So in order not to edit it directly, I have to create a backup file, edit it, make it executable and try loading it to ensure it is ok, right? If it is ok, then I run iptables-save > /etc/sysconfig/iptables and it loads at bootup?

Regards
Daniel


 