Linux - Security
So... being the noob I am, I read some of the iptables documentation and got kinda overwhelmed... so I decided to first use a front-end like GuardDog for now until I learn enough to do my own iptables script.
Unfortunately, none of them work.
GuardDog
The generated script produces a bunch of errors. Network traffic = partial.
-------------------------------------------
Using iptables.
Resetting firewall rules.
Loading kernel modules.
Setting kernel parameters.
Configuring firewall rules.
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
Finished.
---------------------------------------------
For each rule I set in guarddog, one error line is added.
FireStarter
Network traffic = partial
No errors are shown by this one.
By partial traffic I mean: the web browser finds the URL, then times out. (Same results regardless of configuration.)
--------- Question. ------------
Could this be related to my kernel configuration ???
Am I going to be forced to learn iptables ???
Note: Kernel includes iptables. (NO ipchains)
[edit] typo...
[edit] Kernel version 2.6.5 (custom)
Could this be related to my kernel configuration ???
Possibly. How do you include support for iptables, as modules or built into the kernel (monolithic)?
Couple of other questions:
What versions of guarddog and firestarter are you using? (2.6 support is relatively recent)
Can you also give us the output of iptables -L? Make sure to remove/change any identifiable IP addresses.
Can you ping by ip address? by hostname (ping www.yahoo.com)?
Guarddog Ver 2.3.0-2
Firestarter Ver 0.9.2-4
Debian 'Sarge'
----------------------
~$ ping www.yahoo.com
PING www.yahoo.akadns.net (66.94.230.37) 56(84) bytes of data.
64 bytes from p6.www.scd.yahoo.com (66.94.230.37): icmp_seq=1 ttl=52 time=35.1 ms
~$ ping 66.94.230.45
PING 66.94.230.45 (66.94.230.45) 56(84) bytes of data.
64 bytes from 66.94.230.45: icmp_seq=1 ttl=52 time=36.9 ms
----------------------
And my browser will only say...
"Resolving host www.yahoo.com ..."
"Connecting to www.yahoo.com ..."
And that's it... no juice... no page... it will wait there forever (until timeout) trying to load the page....
Ugg, I hate these Guarddog scripts. They might actually be easier to debug if they were in hex or Aramaic. /***FIGHTING URGE TO RANT ABOUT STUPIDITY OF NAMING CHAINS f1to3 ****/ Sorry :-]
Just looking at the script, there are some weird things going on. First there are a million udp ports opened, but no tcp ports. I'm not sure if that is an option that may have been disabled or something, but you will certainly need them open. That might also explain why ping works (there are rules that allow icmp, but no tcp). Does it work if the firewall is off?
Last edited by Capt_Caveman; 05-10-2004 at 10:35 PM.
Yes it works with firewall off. No problems there.
And yes, those names are not easy to debug... I tried!!! I swear!! But my noobiness would not let me go too far when I was trying to decipher the darn script.
So, to not waste your time, I'm gonna put in the effort to make my own ipchains, and just get over these firewall front ends.
Just give me some peace of mind and tell me I don't need a new kernel!!! ;P
It was the darn kernel. While I had all the iptables modules, I was missing one more module that seems to be crucial for this filtering thingy.
The module IP_NF_CONNTRACK needs to be in the kernel. Analyzing some log files and digging in the kernel configuration is how I got some clues.
Then a tutorial on iptables confirmed the need for such a module.
I use 'make xconfig' to configure my kernels (32 so far since 02/22/04), and the description of this one got me confused since I am not doing NAT (or at least I thought so, LOL). This is my only PC, so I thought NAT was not necessary.
But then again, how is a noob to know such dark matters?
I noticed the missing modules, but it didn't click. That's why there are no tcp rules, because they all are loaded with the state match "NEW". You're actually short a couple of modules:
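The failure mode the thread settles on (every state-based rule printing "No chain/target/match by that name" because connection tracking was left out of the kernel) can be caught before a front-end's script is ever run. Below is an added example, not from the thread or from GuardDog/Firestarter, that checks a kernel .config for the 2.6-era netfilter options a "-m state" ruleset depends on and counts that error signature in a saved log; the .config and log contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: preflight for a state-based iptables ruleset.
# Option names are the 2.6-era CONFIG_IP_NF_* symbols; the sample
# .config below is constructed for the demo, not copied from the thread.

# Options that must be =y or =m before "-m state --state NEW" can load.
NEEDED_OPTS="CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_FILTER CONFIG_IP_NF_MATCH_STATE"

# Print each option from NEEDED_OPTS that is neither =y nor =m in the
# given .config; return 1 if anything is missing, 0 otherwise.
check_netfilter_config() {
    cfg="$1"
    missing=0
    for opt in $NEEDED_OPTS; do
        if ! grep -Eq "^${opt}=(y|m)$" "$cfg"; then
            echo "missing: $opt"
            missing=1
        fi
    done
    return $missing
}

# Count "No chain/target/match by that name" lines in a front-end's log;
# one per rule is the signature of a match/target whose module is absent.
count_missing_match_errors() {
    grep -c 'No chain/target/match by that name' "$1"
}

# Constructed sample: iptables and the filter table present, but no
# connection tracking or state match, like the poster's custom kernel.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_CONNTRACK is not set
# CONFIG_IP_NF_MATCH_STATE is not set
EOF

if check_netfilter_config "$SAMPLE_CFG"; then
    echo "kernel config has what a state-based ruleset needs"
else
    echo "rebuild the kernel (or build the modules) before running the firewall script"
fi
rm -f "$SAMPLE_CFG"
```

Point check_netfilter_config at the real /usr/src/linux/.config (or /boot/config-$(uname -r) on distro kernels) to run it against your own build.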