Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Post #1, 03-09-2007, 07:10 PM
jmoschetti45, Member (registered Oct 2004, Michigan, Debian Squeeze (2.6.32-5), 137 posts)
Firewalled too much...
Apparently I've firewalled myself enough not to be able to resolve domain names. Not sure why, though, but here are the settings:
Code:
[root@radio276 ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix `BANDWIDTH_IN:'
ACCEPT all -- localhost.localdomain localhost.localdomain
DROP tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtps
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:qmqp
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:atmtcp
DROP tcp -- !localhost.localdomain anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:irdmi
DROP tcp -- anywhere anywhere tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp
Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix `BANDWIDTH_OUT:'
LOG all -- anywhere anywhere LOG level debug prefix `BANDWIDTH_IN:'
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix `BANDWIDTH_OUT:'
Post #2, 03-09-2007, 07:52 PM
Senior Member (registered May 2001, Indiana, Gentoo/Debian/RHEL/Slack, 1,555 posts)
DNS uses port 53. I never really liked reading iptables from that view; to me it's much more complicated than looking at the actual rules.
Post #3, 03-09-2007, 08:04 PM
jmoschetti45 (Original Poster), Member (registered Oct 2004, Michigan, Debian Squeeze (2.6.32-5), 137 posts)
Opening port 53 doesn't seem to help.
Post #4, 03-09-2007, 09:07 PM
Senior Member (registered Dec 2005, Brisbane, Australia, Slackware64 14.0, 4,141 posts)
You'll need to open UDP port 53 for DNS.
Post #5, 03-09-2007, 09:12 PM
jmoschetti45 (Original Poster), Member (registered Oct 2004, Michigan, Debian Squeeze (2.6.32-5), 137 posts)
I did. I figured it was UDP not TCP.
Post #6, 03-09-2007, 10:40 PM
Senior Member (registered Dec 2005, Brisbane, Australia, Slackware64 14.0, 4,141 posts)
Does that mean it's working now? If not, are your rules something like the following for UDP port 53?
Code:
# Let the query out; the first packet is NEW, conntrack then tracks the flow
iptables -t filter -A OUTPUT -p UDP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# Let the answer back in, but only for a flow conntrack has already seen
iptables -t filter -A INPUT -p UDP --sport 53 -m state --state ESTABLISHED -j ACCEPT
Post #7, 03-09-2007, 10:47 PM
jmoschetti45 (Original Poster), Member (registered Oct 2004, Michigan, Debian Squeeze (2.6.32-5), 137 posts)
ESTABLISHED helped a bit; now it hangs at making an HTTP connection.
Post #8, 03-09-2007, 10:59 PM
jmoschetti45 (Original Poster), Member (registered Oct 2004, Michigan, Debian Squeeze (2.6.32-5), 137 posts)
Applied the same idea to HTTP/HTTPS/FTP. That fixed that. Any other common protocols I should add?
Post #9, 03-10-2007, 06:57 AM
win32sux, LQ Guru (registered Jul 2003, Los Angeles, Ubuntu, 9,870 posts)
Quote:
Originally Posted by jmoschetti45
Applied the same idea to http/https/ftp. That fixed that. Any other common protocols I should add?
Are you referring to the ESTABLISHED rule? If so, I'd recommend you just add a rule like this:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
to the top of your INPUT chain, and you won't have to worry about making RELATED,ESTABLISHED rules for particular services (they would only need rules for packets of state NEW)... For example:
Code:
# First: anything conntrack already knows about (replies, related flows)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Then only the first packet (NEW) of each connection, per service
iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP --dport 443 -m state --state NEW -j ACCEPT
# Etc, etc, etc...
Last edited by win32sux; 03-10-2007 at 07:05 AM.
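A complete INPUT ruleset in the shape win32sux describes (RELATED,ESTABLISHED first, loopback, then one NEW rule per service), as an added example that is not part of the thread and not code from any of its participants. It is a plain sh script; the service list, the MySQL-only-from-localhost rule and the log prefix are assumptions modelled on the OP's listing, and `IPT=echo` lets you print the generated rules without root. It uses `-m conntrack --ctstate`, the current name for what the thread writes as `-m state --state`, and adds an INVALID drop and a rate-limited log rule that the thread does not show.

```shell
#!/bin/sh
# Added example (not from the thread): stateful INPUT chain, default DROP.
# Usage:  sh firewall.sh            -> prints the rules (IPT=echo, no root)
#         sudo sh firewall.sh apply -> loads them with iptables
IPT="${IPT:-iptables}"

# TCP services exposed to everyone (assumption: SSH, SMTP, HTTP(S), mail)
PUBLIC_TCP="22 25 80 443 465 587 993 995"

apply_input_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP

    # 1. Anything belonging to a flow conntrack already knows goes straight
    #    through: DNS answers, the reply half of HTTP, FTP data channels...
    $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # 2. Packets conntrack cannot classify (bogus TCP flags, stray ACKs) are
    #    never legitimate NEW traffic; drop them before any service rule.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # 3. Loopback: match on the interface, not on 127.0.0.1 as a source
    #    address, which anyone can spoof on the wire.
    $IPT -A INPUT -i lo -j ACCEPT

    # 4. One NEW rule per service; rule 1 takes care of every later packet.
    for port in $PUBLIC_TCP; do
        $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # MySQL only from the host itself (assumption mirroring the OP's rule).
    $IPT -A INPUT -p tcp --dport 3306 ! -i lo -j DROP

    # 5. Log what is about to hit the DROP policy, rate-limited so a port
    #    scan cannot fill the disk with the log itself.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT_DROP: "
}

# Returns 0 when, in the generated rule list, the RELATED,ESTABLISHED rule
# precedes every per-service NEW rule (the ordering the thread settles on).
check_order() {
    ( IPT=echo; apply_input_rules ) | awk '
        /RELATED,ESTABLISHED/ { est = NR }
        /--ctstate NEW/       { if (!est || NR < est) bad = 1 }
        END { exit bad ? 1 : 0 }'
}

case "${1:-}" in
    apply) apply_input_rules ;;
    *)     ( IPT=echo; apply_input_rules ) ;;
esac
```

Run it without arguments first and read the printed rules; `check_order` is the kind of sanity check worth keeping in a deploy script, because the single most common cause of the OP's symptom is a NEW-only service rule sitting above (or instead of) the RELATED,ESTABLISHED rule.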
Post #10, 03-10-2007, 04:48 PM
jmoschetti45 (Original Poster), Member (registered Oct 2004, Michigan, Debian Squeeze (2.6.32-5), 137 posts)
Thanks! Seems to be working fine now.
Post #11, 03-13-2007, 07:49 PM
jmoschetti45 (Original Poster), Member (registered Oct 2004, Michigan, Debian Squeeze (2.6.32-5), 137 posts)
What's a good port range to allow for passive FTP?
Post #12, 03-14-2007, 01:58 AM
win32sux, LQ Guru (registered Jul 2003, Los Angeles, Ubuntu, 9,870 posts)
Quote:
Originally Posted by jmoschetti45
Whats a good port range to allow for passive ftp?
Thankfully, there is no need to open a port range for this (unlike back in the ipchains days), because it would be a security weakness... You only need port 21 to send packets of state NEW to ACCEPT; the rest is handled by the RELATED,ESTABLISHED rule at the top of the chain... FTP connection tracking will allow netfilter to inspect the TCP packets and detect which random port is being used for the passive FTP connection, hence no need for netfilter to have prior knowledge or opened port ranges... If your kernel doesn't have FTP conntrack support built in, then load the module/helper on your own:
Code:
/sbin/modprobe ip_conntrack_ftp
Last edited by win32sux; 03-14-2007 at 04:49 AM.
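The FTP helper setup win32sux describes, as an added example that is not part of the thread and not code from any participant, brought up to date for current kernels. Two things changed after 2007 that the post cannot know about: the module was renamed from `ip_conntrack_ftp` to `nf_conntrack_ftp`, and since Linux 4.7 loading the module is no longer enough, because helpers are not attached to connections automatically (`net.netfilter.nf_conntrack_helper` defaults to 0, and the automatic mode was removed outright in 6.0); the helper has to be assigned to the FTP control connection with the `CT` target in the raw table. The script below does that, appends the port-21 NEW rule and the RELATED,ESTABLISHED rule, and reports which helper-assignment mode the running kernel is in. Restricting the helper to port 21 and the module names are real; `IPT=echo` for a dry run is an assumption of this script.

```shell
#!/bin/sh
# Added example (not from the thread): passive FTP through netfilter without
# opening a port range, on pre- and post-4.7 kernels.
# Usage:  sh ftp-helper.sh            -> print rules and helper mode (no root)
#         sudo sh ftp-helper.sh apply -> load module and rules
IPT="${IPT:-iptables}"

# Load the helper under its current name, falling back to the name used in
# the thread for very old kernels.
load_ftp_helper() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

ftp_rules() {
    # Attach the helper explicitly to FTP control connections. Required on
    # Linux >= 4.7 (automatic assignment off by default, gone in 6.0);
    # harmless on older kernels. Scoping it to port 21 keeps the helper,
    # which parses untrusted protocol text, off every other flow.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    # Only the control connection needs a NEW rule.
    $IPT -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    # The passive data channel (random high port chosen by the server) is
    # classified RELATED once the helper has parsed the PASV/EPSV reply.
    # Skip this line if the rule already sits at the top of INPUT.
    $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Prints "auto" if the kernel still attaches helpers automatically, "explicit"
# if the CT rule above is mandatory, "unknown" if the sysctl does not exist
# (kernel older than 3.5, newer than 6.0, or no conntrack loaded).
helper_mode() {
    f=/proc/sys/net/netfilter/nf_conntrack_helper
    if [ -r "$f" ]; then
        case "$(cat "$f")" in
            1) echo auto ;;
            *) echo explicit ;;
        esac
    else
        echo unknown
    fi
}

case "${1:-}" in
    apply) load_ftp_helper && ftp_rules ;;
    *)     ( IPT=echo; ftp_rules ); echo "helper assignment: $(helper_mode)" ;;
esac
```

Verify after loading with `conntrack -L` (from the conntrack-tools package) during a passive transfer: the control connection should show `helper=ftp`, and the data connection should appear with no extra ACCEPT rule of its own. If the transfer still hangs on a kernel that reports `explicit`, the raw-table CT rule is the first thing to check.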