Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have searched all over the web and found nothing to help me with my situation. I can use SonicWall VPN to connect to my work when my laptop is connected straight to the Cable Modem, and I have full access as expected. When I try to go through my Linux Server (Gentoo), I can connect, but I can't get to any shared drives. I can ping the servers that host the drive, but there is 0 connection to browse and open the files. I have used FWBuilder to try to get a decent IPTables setup, but that has failed. The below is the latest that I have, and it still does not work.
I connect to the internet via COMCAST with a dynamic IP address. The EXTERNAL IP addresses below are fake, but not really used as where they would be used are commented out.
My internal IP range is 192.168.0.0. My work IP range is 10.0.0.0. I do have to connect to an IP range 192.168.129.0 (I know, the company that hosts that IP range doesn't really understand networks). I can ping servers in 10.0.0.0 and in the 192.168.129.0 ranges, but I just can't get the drives to connect.
Below is my current IPtables setup. Any help to make this work would be greatly appreciated.
Code:
#! /bin/bash
# Copyright (c) 2005
#
# Author: David Mair
#
# /etc/init.d/firewall
#
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $network syslog
# Required-Stop:
# Should-Stop:
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
# Short-Description: Firewall configuration
### END INIT INFO
##############################################################################
# DEFAULT POLICY
SetDefaultPolicy() {
# Drop everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
}
##############################################################################
# FLUSH TABLES
FlushTables() {
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
iptables -X
}
##############################################################################
# ROUTING
EnableRouting() {
echo 1 > /proc/sys/net/ipv4/ip_forward
}
DisableRouting() {
echo 0 > /proc/sys/net/ipv4/ip_forward
}
##############################################################################
# FORWARDING
SetForwardingRules() {
iptables -A FORWARD -i $IF_PUB -o $IF_PRV -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_PRV -o $IF_PUB -j ACCEPT
}
##############################################################################
# LOOPBACK
SetLoopbackRules() {
# Allow everything
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
}
##############################################################################
# PRIVATE INTERFACES
SetPrivateInterfaceRules() {
# Allow everything
iptables -A INPUT -i $IF_PRV -s $NET_PRV -j ACCEPT
iptables -A OUTPUT -o $IF_PRV -d $NET_PRV -j ACCEPT
}
#############################################################################
# PUBLIC INTERFACES
SetPublicInterfaceRules() {
iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IF_PUB -j ACCEPT
}
##############################################################################
# SOURCE NAT
EnableSourceNAT() {
# Then source NAT everything else
#iptables -t nat -A POSTROUTING -s $NET_PRV -o $IF_PUB -j SNAT --to $IP_PUB
#iptables -t nat -A POSTROUTING -s $NET_PRV -o $IF_PUB -j MASQUERADE
iptables -t nat -A POSTROUTING -o $IF_PUB -j MASQUERADE
}
# Various ICMP
SetICMP_Open() {
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
}
# SSH (on a non-standard port)
SetSSH_Open() {
iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB --dport 2202 -j ACCEPT
}
##############################################################################
# Destination NAT
# smtp
SetSMTP_DNAT() {
iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j DNAT --to 192.168.1.254
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport smtp -j ACCEPT
}
# pop3
SetPOP3_DNAT() {
iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport pop3 -j DNAT --to 192.168.10.254
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport pop3 -j ACCEPT
}
# Webmail (444->443)
SetWebmail_DNAT() {
iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j DNAT --to 192.168.10.254:443
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p tcp --dport 443 -j ACCEPT
}
# http
SetHTTP_DNAT() {
iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j DNAT --to 192.168.10.253
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport http -j ACCEPT
}
# Blocked protocols
SetBlockedProtocols() {
# Block all normal irc (used by botnets)
iptables -A INPUT -p tcp --dport irc -j DROP
iptables -A INPUT -p udp --dport irc -j DROP
iptables -A INPUT -p tcp --dport irc-serv -j DROP
iptables -A INPUT -p udp --dport irc-serv -j DROP
iptables -A INPUT -p tcp --dport ircs -j DROP
iptables -A INPUT -p udp --dport ircs -j DROP
}
# Blocked hosts
SetBlockedHosts() {
iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -i $IF_PUB -s 10.220.231.236 -j REJECT --reject-with icmp-host-prohibited
}
# Blocked networks
SetBlockedNetworks() {
iptables -A INPUT -i $IF_PUB -s 10.220.232.0/24 -j REJECT --reject-with icmp-net-prohibited
iptables -A FORWARD -i $IF_PUB -d $IP_PUB -s 10.220.232.0/24 -j REJECT --reject-with icmp-net-prohibited
}
# Specify things to drop before logging
SetPrelogDropRules() {
# DHCP
iptables -A INPUT -i $IF_PUB -p udp --sport bootps -j DROP
}
# Log those on the public interface
SetLoggingRules() {
iptables -A INPUT -i $IF_PUB -j LOG --log-prefix="INPUT "
iptables -A OUTPUT -o $IF_PUB -j LOG --log-prefix="OUTPUT "
iptables -A FORWARD -j LOG --log-prefix="FORWARD "
# iptables -t nat -A PREROUTING -i $IF_PUB -j LOG --log-prefix="nPre "
# iptables -t nat -A POSTROUTING -o $IF_PUB -j LOG --log-prefix="nPost "
# iptables -t nat -A OUTPUT -o $IF_PUB -j LOG --log-prefix="NAT OUT "
}
# Drop them all
SetDropRules() {
# Reset tcp connection attempts on all other ports
# This is the standard TCP behaviour for a closed port. Reading
# suggests there is no value in stealthing ports and since some are
# open on this host it doesn't seem to matter. Therefore, let's be a
# good TCP citizen
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
}
##############################################################################
# SCRIPT ENTRY POINT
echo -n "Firewall configuration..."
echo $1
##############################################################################
# ENVIRONMENT
# Private interface
IF_PRV=eth3
IP_PRV=192.168.0.1
NET_PRV=192.168.0.0/24
# Public interface
IF_PUB=eth2
IP_PUB=55.55.55.55
NET_PUB=55.55.55.0/24
# Others
ANYWHERE=0.0.0.0/0
#. /etc/rc.status
#rc_reset
##############################################################################
# COMMAND LINE
case "$1" in
start)
SetDefaultPolicy
FlushTables
EnableRouting
#SetBlockedProtocols
#SetBlockedNetworks
#SetBlockedHosts
SetForwardingRules
SetLoopbackRules
SetPrivateInterfaceRules
SetPublicInterfaceRules
EnableSourceNAT
SetICMP_Open
SetSSH_Open
#SetSMTP_DNAT
#SetPOP3_DNAT
#SetWebmail_DNAT
#SetHTTP_DNAT
SetPrelogDropRules
SetLoggingRules
SetDropRules
;;
stop)
SetDefaultPolicy
FlushTables
SetPrivateInterfaceRules
SetPublicInterfaceRules
;;
restart)
$0 stop
$0 start
;;
*)
;;
esac
#rc_exit
How are the drives shared? NFS? Samba (CIFS)? Something Else?
I see you have rules for ssh, smtp, pop3, webmail and http, but nothing for NFS/SMB/CIFS and no RPC....
If you were to set your policy to accept, rather than drop, you could flush your firewall temporarily and verify whether or not this is the problem. I would also add that since your policy is set to drop, that writing specific drop rules is likely redundant and you may be able to simplify the logic of your rule set.
I don't need them open as I do not need those services passed into internal systems.
What I need is to allow my Windows 7 laptop to passthrough my Linux Firewall (IPTables) with all services/ports. Basically I want all internal computers to have 100% trust to connect outside and receive replies from the outside back in through the firewall.
If you were to set your policy to accept, rather than drop, you could flush your firewall temporarily and verify whether or not this is the problem. I would also add that since your policy is set to drop, that writing specific drop rules is likely redundant and you may be able to simplify the logic of your rule set.
Thanks!
When you say to flush my firewall, I would do this and nothing more?
I am still a bit confused because there is so much misinformation regarding iptables that I have become turned inside/upside down.
When you say to that I am writing duplicity by dropping rules, which rules are you speaking about?
My setup is:
Cable Modem (not a router or firewall) --> Linux Router/Firewall --> LinksKey Switch (LKS-SR16) --> Windows 7
This doesn't work and I think it is the Linux Router.
When I do this:
Cable Mode --> Windows 7
It works fine.
### Update ###
I can't connect http servers after I VPN in.
This is my troubleshoot method:
Routing VPN through Linux Router:
Code:
Ping 10.0.0.7 - get responses
http to 10.0.0.7 - get no response (I get some data: http header and partial (like first 10 bytes of html page)
Windows Explorer to \\10.0.0.7\ - get no response
Routing VPN directly through Cable Modem:
Code:
Ping 10.0.0.7 - get responses
http to 10.0.0.7 - get responses
Windows Explorer to \\10.0.0.7\ - get responses
I verified that it is not my switch. I connected VPN through the following:
Code:
Cable Modem --> LinksKey switch --> Windows 7
Works fine.
When I am in the VPN session, I did "telnet 10.0.0.7 80" the typed "GET /".
It returns the webpage data in text. This should be great, only it won't return the webpage to Chrome. Instead Chrome just hangs.
There is something happening on my Linux Router. (Or there is some disconnect between my router and COMCAST, which I don't know how to trouble shoot that one).
I am utterly stumped. Anyone with any help to get me past this.
Last edited by jazernorth2; 06-16-2012 at 04:43 PM.
Reason: Update to testing.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
