LinuxQuestions.org

Linux - Security: iptables are not run automatically (https://www.linuxquestions.org/questions/linux-security-4/iptables-are-not-run-automatically-554536/)

Simon Bridge 06-05-2007 06:40 AM

Is it just me or are you a wee bit confused about how to write an iptables script?
i.e. you set default ACCEPT policy on output and have ACCEPT output rules... but it shouldn't stop it working.

How can you tell that this script isn't starting at boot?
(Have you tried iptables -L ?)

Could it be that your iptables script is: /usr/local/sbin/setiptables.bash

It would help a lot if we knew which distribution you are running.

rupertwh 06-05-2007 12:55 PM

Wow, what a firewall script. Thank god most of it is commented out...

No, seriously though -- you'll never be happy if you just keep aimlessly throwing things around and hoping they'll magically work somehow.

Some hints:

1. Decide on a name and location for your firewall script. I have lost count of how many names you have already given for it in this thread.
And make sensible choices. ('iptables' is *not* a good name for your script.)
I'd suggest something like '/usr/local/sbin/firewall'.

2. There is a difference between "/" and "/root", even though "/" is pronounced "root". Yes, it's confusing. Well, not really. Only when you speak about it.

3. As others have already pointed out: you want to call your script from rc.local -- not the other way around. I.e. add a line '/usr/local/sbin/firewall' to your rc.local. Do not add any reference to rc.local to your firewall script. It does not make sense!

4. You want to use modprobe, not insmod.

5. As to your actual firewall script: I don't think it does what you think it does.

Here is a suggestion to get you started: (you need to edit the settings in the top section)
Code:

#!/bin/sh

############# Settings: ######################################################

PUB_IF="ppp0"
PUB_IP=""
PUB_GW=""

PRV_IF="eth1"
PRV_IP="192.168.30.1"
PRV_NET="192.168.30.0/24"

IPT="/sbin/iptables"


#### Public services to allow from anywhere: ####

PUB_TCP_OK="ssh"
PUB_UDP_OK=""

#### End of public services #####################


#### Port forwarding: ###########

# Uncomment the following line to enable port forwarding:
# (and of course adjust this line and the following sections
#  according to your setup...)
#PF_HOSTS="DESKTOP SERVER1 SERVER2"

# to Desktop: forward skype, AOE, BitTorrent
PF_DESKTOP_IP="192.168.30.2"
PF_DESKTOP_PORTS_TCP="1573 2300 6881"
PF_DESKTOP_PORTS_UDP="2350 6881"

# to Server1: dns and smtp
PF_SERVER1_IP="192.168.30.5"
PF_SERVER1_PORTS_TCP="domain smtp"
PF_SERVER1_PORTS_UDP="domain"

# to Server2: www
PF_SERVER2_IP="192.168.30.7"
PF_SERVER2_PORTS_TCP="www"
PF_SERVER2_PORTS_UDP=""

#### End of port forwarding ####

############ End of settings #################################################


if ! [ -x "$IPT" ] ; then
        echo "Cannot find iptables! Disabling all forwarding and aborting!"
        echo 0 > /proc/sys/net/ipv4/ip_forward
        echo 0 > /proc/sys/net/ipv4/conf/all/forwarding
        exit 1
fi


LOCAL="127.0.0.0/8"
PRIV_A="10.0.0.0/8"
PRIV_B="172.16.0.0/12"
PRIV_C="192.168.0.0/16"


echo "Setting policies..."
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP

$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT


echo "Flushing/deleting chains..."

$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush

$IPT --delete-chain
$IPT -t nat --delete-chain
$IPT -t mangle --delete-chain


################## src_check_pub #############################################

CURR=src_check_pub_drop
echo $CURR...
$IPT -N $CURR
$IPT -A $CURR -j LOG --log-prefix "Inv. src on $PUB_IF: "
$IPT -A $CURR -j DROP

CURR=src_check_pub
echo $CURR...
$IPT -N $CURR
test -n "$PUB_GW" && $IPT -A $CURR --src $PUB_GW/32 -j RETURN
$IPT -A $CURR --src $PRIV_A -j src_check_pub_drop
$IPT -A $CURR --src $PRIV_B -j src_check_pub_drop
$IPT -A $CURR --src $PRIV_C -j src_check_pub_drop
$IPT -A $CURR --src $LOCAL -j src_check_pub_drop
$IPT -A $CURR -j RETURN


################## src_check_prv #############################################

CURR=src_check_prv
echo $CURR...
$IPT -N $CURR
$IPT -A $CURR --src $PRV_NET -j RETURN

# Don't block DHCP broadcasts:
$IPT -A $CURR --src 0.0.0.0/32 --dst 255.255.255.255/32 \
        -p udp --sport bootpc --dport bootps -j RETURN

$IPT -A $CURR -j LOG --log-prefix "Inv. src on $PRV_IF: "
$IPT -A $CURR -j REJECT --reject-with icmp-host-prohibited


################## input_pub #################################################

CURR=input_pub
echo "$CURR..."
$IPT -N $CURR
$IPT -A $CURR -j src_check_pub
$IPT -A $CURR -m state --state ESTABLISHED,RELATED -j ACCEPT

for i in echo-request destination-unreachable \
        time-exceeded parameter-problem ; do
        $IPT -A $CURR -p icmp --icmp-type $i -j ACCEPT
done

if [ -n "$PUB_TCP_OK" ] ; then
        for PORT in $PUB_TCP_OK ; do
                $IPT -A $CURR -p tcp --dport $PORT -j ACCEPT
        done
fi

if [ -n "$PUB_UDP_OK" ] ; then
        for PORT in $PUB_UDP_OK ; do
                $IPT -A $CURR -p udp --dport $PORT -j ACCEPT
        done
fi

$IPT -A $CURR -p tcp --dport ident -j REJECT --reject-with tcp-reset

$IPT -A $CURR -j LOG --log-prefix "Conn. attempt on $PUB_IF: "
$IPT -A $CURR -j DROP



################## input_prv #################################################

CURR=input_prv
echo $CURR...
$IPT -N $CURR
$IPT -A $CURR -j src_check_prv
$IPT -A $CURR -p tcp -j ACCEPT
$IPT -A $CURR -p udp -j ACCEPT
$IPT -A $CURR -p icmp -j ACCEPT
$IPT -A $CURR -j LOG --log-prefix "Invalid protocol on $PRV_IF: "
$IPT -A $CURR -j REJECT


################## forward_pub ###############################################

CURR=forward_pub
echo "$CURR..."
$IPT -N $CURR
$IPT -A $CURR -j src_check_pub

$IPT -A $CURR -m state --state ESTABLISHED,RELATED -j ACCEPT
for i in destination-unreachable \
        time-exceeded parameter-problem ; do
        $IPT -A $CURR -p icmp --icmp-type $i -j ACCEPT
done

# Allow packets from port forwarding:
for HOST in $PF_HOSTS ; do
        eval IP=\${PF_${HOST}_IP}
        eval TPORTS=\${PF_${HOST}_PORTS_TCP}
        eval UPORTS=\${PF_${HOST}_PORTS_UDP}
        if [ -n "$TPORTS" ] ; then
                for PORT in $TPORTS; do
                        $IPT -A $CURR -p tcp --dst $IP/32 --dport $PORT \
                                -j ACCEPT
                done
        fi
        if [ -n "$UPORTS" ] ; then
                for PORT in $UPORTS; do
                        $IPT -A $CURR -p udp --dst $IP/32 --dport $PORT \
                                -j ACCEPT
                done
        fi
done

$IPT -A $CURR -j LOG --log-prefix "Fwd attempt on $PUB_IF: "
$IPT -A $CURR -j DROP


################## forward_prv ###############################################

CURR=forward_prv
echo $CURR...
$IPT -N $CURR
$IPT -A $CURR -j src_check_prv
$IPT -A $CURR -p tcp -j ACCEPT
$IPT -A $CURR -p udp -j ACCEPT
$IPT -A $CURR -p icmp -j ACCEPT
$IPT -A $CURR -j LOG --log-prefix "Fwd attempt from $PRV_IF: "
$IPT -A $CURR -j REJECT --reject-with icmp-net-prohibited


################## INPUT #####################################################

echo "INPUT..."
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -i $PUB_IF -j input_pub
$IPT -A INPUT -i $PRV_IF -j input_prv

$IPT -A INPUT -j LOG --log-prefix "Unexpected INPUT packet: "
$IPT -A INPUT -j DROP


################## FORWARD ###################################################

echo "FORWARD..."
$IPT -A FORWARD -i $PUB_IF -j forward_pub
$IPT -A FORWARD -i $PRV_IF -j forward_prv

$IPT -A FORWARD -j LOG --log-prefix "Unexpected FORWARD packet: "
$IPT -A FORWARD -j DROP


################## OUTPUT ####################################################

echo "OUTPUT..."
$IPT -A OUTPUT -j ACCEPT


################## PREROUTING ################################################

echo "PREROUTING..."

# Port forwarding:
# Match on the public interface only, so that LAN hosts talking to the
# router's own ports are not silently redirected to the forwarded servers.
for HOST in $PF_HOSTS ; do
        eval IP=\${PF_${HOST}_IP}
        eval TPORTS=\${PF_${HOST}_PORTS_TCP}
        eval UPORTS=\${PF_${HOST}_PORTS_UDP}
        if [ -n "$TPORTS" ] ; then
                for PORT in $TPORTS; do
                        $IPT -t nat -A PREROUTING -i $PUB_IF -p tcp --dport $PORT \
                                -j DNAT --to $IP
                done
        fi
        if [ -n "$UPORTS" ] ; then
                for PORT in $UPORTS; do
                        $IPT -t nat -A PREROUTING -i $PUB_IF -p udp --dport $PORT \
                                -j DNAT --to $IP
                done
        fi
done


################## POSTROUTING  ##############################################

echo "POSTROUTING..."
$IPT -t nat -A POSTROUTING -o $PUB_IF -s $PRV_NET -j MASQUERADE

# The FORWARD and NAT rules above only see traffic if the kernel actually
# routes between the interfaces; enable forwarding now that the filter is up.
echo 1 > /proc/sys/net/ipv4/ip_forward

Cheers

Rupert

suvashan 06-06-2007 12:49 AM

hi simon ....

I just checked iptables -L on my terminal.

It shows some details about my firewall.


chain INput policy
target prot opt source desination
..

.
.
.
..
.
.
chain FORWARD (policy Accept)
target prot opt source desination
.
.
.
.
...

chain FORWARD (POLICY aCCEPT)
target prot opt source desination

chain OUTPUT (POLICY ACCEPT)
target prot opt source desination

my iptables script path is "/",

not "/usr/local/sbin/setiptables.bash".

WHAT SHOULD I DO....?

suvashan 06-06-2007 02:37 AM

hi simon .....

my iptables script path is "/",

not "/usr/local/sbin/setiptables.bash".

Simon Bridge 06-06-2007 03:36 AM

Show the following command and the output:

cat /usr/local/sbin/setiptables.bash

... I'll explain:
At the top of your iptables script, there is a line which goes:

# /usr/local/sbin/setiptables.bash

i.e. a commented filename. This is usually the name of the script file. If this is the case, then your iptables script is actually /usr/local/sbin/setiptables.bash and not /iptables as previously stated. I'd like to verify this.

Simon Bridge 06-06-2007 03:38 AM

Quote:

my iptables script path is "/" not /usr/local/sbin/setiptables.bash"
OK... so it is the result of a previous setting getting deleted.

have you tried

sudo iptables -L

suvashan 06-06-2007 04:20 AM

cat /usr/local/sbin/setiptables.bash

Output is:

cat: /usr/local/sbin/setiptables.bash :no such file or directory.

suvashan 06-06-2007 04:41 AM

I tried "sudo iptables -L".

It shows some details about my firewall.


chain INput policy
target prot opt source desination
..

.
.
.
..
.
.
chain FORWARD (policy Accept)
target prot opt source desination
.
.
.
.
...

chain FORWARD (POLICY aCCEPT)
target prot opt source desination

chain OUTPUT (POLICY ACCEPT)
target prot opt source desination

Simon Bridge 06-06-2007 05:05 AM

This is funny ... is that a direct paste or did you edit it?
From that script you should have

Chain INPUT (policy DROP)
target prot opt source destination
... input rules
Chain FORWARD (policy ACCEPT)
... forward rules
Chain OUTPUT (policy ACCEPT)
... output rules

... this means that the firewall you designed is loaded.

If they are all "policy ACCEPT" and no rules, then the firewall has not loaded.
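
Simon's rule of thumb can be turned into a check a boot script or cron job can run. The snippet below is an added example, not code from the thread: it reads plain `iptables -L -n` output and reports "loaded" if any built-in chain has a non-ACCEPT policy or any chain carries a rule, "not loaded" otherwise. The two listings inside it are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `iptables -L -n` output
# whether a firewall script has actually run. All built-in chains at
# "policy ACCEPT" with no rule lines means it never ran; any other policy
# or any rule line means it did. Understands the plain -L layout, not -v.
# Usage as root:  iptables -L -n | firewall_loaded && echo "firewall up"

firewall_loaded() {        # reads the listing on stdin; exit 0 = loaded
    awk '
        /^Chain / {        # "Chain INPUT (policy DROP)" / "Chain x (1 references)"
            if ($0 ~ /\(policy [A-Z]+\)/ && $0 !~ /\(policy ACCEPT\)/) loaded = 1
            next
        }
        /^target +prot +opt +source +destination/ { next }   # column header
        NF > 0 { loaded = 1 }                                  # any rule line
        END { if (loaded) exit 0; exit 1 }
    '
}

verdict() {                # $1 = listing text; prints one word for logs/scripts
    if printf '%s' "$1" | firewall_loaded; then echo loaded; else echo "not loaded"; fi
}

# Constructed sample listings: a fresh boot, and a host where the script ran.
EMPTY_TABLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

LOADED_TABLE='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
input_pub  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain input_pub (1 references)
target     prot opt source               destination
'

echo "fresh boot listing:   $(verdict "$EMPTY_TABLE")"    # not loaded
echo "after script listing: $(verdict "$LOADED_TABLE")"   # loaded
```

Putting `iptables -L -n | firewall_loaded || logger "firewall not loaded"` at the end of rc.local gives a syslog line on every boot where the script silently failed to run.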

suvashan 06-06-2007 07:24 AM

It's not a direct paste....

and also the output is not normal....

and also I get the report only after I run my script.....

selvam.

suvashan 06-06-2007 07:49 AM

I just rebooted the machine...
and went to the terminal...

and typed "sudo iptables -L".
Output is:

chain Input (POLICY aCCEPT)
target prot opt source desination
(blank)
chain FORWARD (POLICY aCCEPT)
target prot opt source desination
(blank)
chain output (POLICY aCCEPT)
target prot opt source desination
(blank)

but once I run my script....

./iptables

now I just type "sudo iptables -L".
Output is:

chain Input (POLICY aCCEPT)
target prot opt source desination

some IP details and TCP or UDP details and IP ranges appear...

chain FORWARD (POLICY aCCEPT)
target prot opt source desination
some IP details and TCP or UDP details and IP ranges appear...

chain output (POLICY aCCEPT)
target prot opt source desination
some IP details and TCP or UDP details and IP ranges appear...

Simon Bridge 06-06-2007 07:54 AM

Well, reboot, then show the result of:

sudo iptables -L [post edit: done while I was typing]

cat /iptables

cat /etc/rc.local

This time, provide direct pastes which include the command with the output. In future, this is how you show someone your results: direct pastes which include the commands. Unless you report exactly what is there, you are wasting my time and yours. Pull your act together!

(It's 1am and I'm getting cranky ... bed time!)

