LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-05-2007, 06:40 AM   #16
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198

Is it just me or are you a wee bit confused about how to write an iptables script?
i.e. you set default ACCEPT policy on output and have ACCEPT output rules... but it shouldn't stop it working.

How can you tell that this script isn't starting at boot?
(Have you tried iptables -L ?)

Could it be that your iptables script is: /usr/local/sbin/setiptables.bash

It would help a lot if we knew which distribution you are running.
 
Old 06-05-2007, 12:55 PM   #17
rupertwh
Member
 
Registered: Sep 2006
Location: Munich, Germany
Distribution: Debian / Ubuntu
Posts: 297

Rep: Reputation: 49
Wow, what a firewall script. Thank god most of it is commented out...

No, seriously though -- you'll never get happy if you just keep aimlessly throwing things around and hope they'll just magically work somehow.

Some hints:

1. Decide on a name and location for your firewall script. I have lost count of how many names you have already given for it in this thread.
And make sensible choices. ('iptables' is *not* a good name for your script.)
I'd suggest something like '/usr/local/sbin/firewall'.

2. There is a difference between "/" and "/root", even though "/" is pronounced "root". Yes, it's confusing. Well, not really. Only when you speak about it.

3. As others have already pointed out: you want to call your script from rc.local -- not the other way around. I.e. add a line '/usr/local/sbin/firewall' to your rc.local. Do not add any reference to rc.local to your firewall script. It does not make sense!

4. You want to use modprobe, not insmod.

5. As to your actual firewall script: I don't think it does what you think it does.

Here is a suggestion to get you started: (you need to edit the settings in the top section)
Code:
#!/bin/sh

############# Settings: ######################################################

PUB_IF="ppp0"
PUB_IP=""
PUB_GW=""

PRV_IF="eth1"
PRV_IP="192.168.30.1"
PRV_NET="192.168.30.0/24"

IPT="/sbin/iptables"


#### Public services to allow from anywhere: ####

PUB_TCP_OK="ssh"
PUB_UDP_OK=""

#### End of public services #####################


#### Port forwarding: ###########

# Uncomment the following line to enable port forwarding:
# (and of course adjust this line and the following sections
#  according to your setup...)
#PF_HOSTS="DESKTOP SERVER1 SERVER2"

# to Desktop: forward skype, AOE, BitTorrent
PF_DESKTOP_IP="192.168.30.2"
PF_DESKTOP_PORTS_TCP="1573 2300 6881"
PF_DESKTOP_PORTS_UDP="2350 6881"

# to Server1: dns and smtp
PF_SERVER1_IP="192.168.30.5"
PF_SERVER1_PORTS_TCP="domain smtp"
PF_SERVER1_PORTS_UDP="domain"

# to Server2: www
PF_SERVER2_IP="192.168.30.7"
PF_SERVER2_PORTS_TCP="www"
PF_SERVER2_PORTS_UDP=""

#### End of port forwarding ####

############ End of settings #################################################


if ! [ -x "$IPT" ] ; then
	echo "Cannot find iptables! Disabling all forwarding and aborting!"
	echo 0 > /proc/sys/net/ipv4/ip_forward
	echo 0 > /proc/sys/net/ipv4/conf/all/forwarding
	exit 1
fi


LOCAL="127.0.0.0/8"
PRIV_A="10.0.0.0/8"
PRIV_B="172.16.0.0/12"
PRIV_C="192.168.0.0/16"


echo "Setting policies..."
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP

$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT


echo "Flushing/deleting chains..."

$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush

$IPT --delete-chain
$IPT -t nat --delete-chain
$IPT -t mangle --delete-chain


################## src_check_pub #############################################

CURR=src_check_pub_drop
echo $CURR...
$IPT -N $CURR
$IPT -A $CURR -j LOG --log-prefix "Inv. src on $PUB_IF: "
$IPT -A $CURR -j DROP

CURR=src_check_pub
echo $CURR...
$IPT -N $CURR
test -n "$PUB_GW" && $IPT -A $CURR --src $PUB_GW/32 -j RETURN
$IPT -A $CURR --src $PRIV_A -j src_check_pub_drop
$IPT -A $CURR --src $PRIV_B -j src_check_pub_drop
$IPT -A $CURR --src $PRIV_C -j src_check_pub_drop
$IPT -A $CURR --src $LOCAL -j src_check_pub_drop
$IPT -A $CURR -j RETURN


################## src_check_prv #############################################

CURR=src_check_prv
echo $CURR...
$IPT -N $CURR
$IPT -A $CURR --src $PRV_NET -j RETURN

# Don't block DHCP broadcasts:
$IPT -A $CURR --src 0.0.0.0/32 --dst 255.255.255.255/32 \
	-p udp --sport bootpc --dport bootps -j RETURN

$IPT -A $CURR -j LOG --log-prefix "Inv. src on $PRV_IF: "
$IPT -A $CURR -j REJECT --reject-with icmp-host-prohibited


################## input_pub #################################################

CURR=input_pub
echo "$CURR..."
$IPT -N $CURR
$IPT -A $CURR -j src_check_pub
$IPT -A $CURR -m state --state ESTABLISHED,RELATED -j ACCEPT

for i in echo-request destination-unreachable \
         time-exceeded parameter-problem ; do
	$IPT -A $CURR -p icmp --icmp-type $i -j ACCEPT
done

if [ -n "$PUB_TCP_OK" ] ; then
	for PORT in $PUB_TCP_OK ; do
		$IPT -A $CURR -p tcp --dport $PORT -j ACCEPT
	done
fi

if [ -n "$PUB_UDP_OK" ] ; then
	for PORT in $PUB_UDP_OK ; do
		$IPT -A $CURR -p udp --dport $PORT -j ACCEPT
	done
fi

$IPT -A $CURR -p tcp --dport ident -j REJECT --reject-with tcp-reset

$IPT -A $CURR -j LOG --log-prefix "Conn. attempt on $PUB_IF: "
$IPT -A $CURR -j DROP



################## input_prv #################################################

CURR=input_prv
echo $CURR...
$IPT -N $CURR
$IPT -A $CURR -j src_check_prv
$IPT -A $CURR -p tcp -j ACCEPT
$IPT -A $CURR -p udp -j ACCEPT
$IPT -A $CURR -p icmp -j ACCEPT
$IPT -A $CURR -j LOG --log-prefix "Invalid protocol on $PRV_IF: "
$IPT -A $CURR -j REJECT


################## forward_pub ###############################################

CURR=forward_pub
echo $CURR...
$IPT -N $CURR
$IPT -A $CURR -j src_check_pub

$IPT -A $CURR -m state --state ESTABLISHED,RELATED -j ACCEPT
for i in destination-unreachable \
         time-exceeded parameter-problem ; do
	$IPT -A $CURR -p icmp --icmp-type $i -j ACCEPT
done

# Allow packets from port forwarding:
for HOST in $PF_HOSTS ; do
	eval IP=\${PF_${HOST}_IP}
	eval TPORTS=\${PF_${HOST}_PORTS_TCP}
	eval UPORTS=\${PF_${HOST}_PORTS_UDP}
	if [ -n "$TPORTS" ] ; then
		for PORT in $TPORTS; do
			$IPT -A $CURR -p tcp --dst $IP/32 --dport $PORT \
				-j ACCEPT
		done
	fi
	if [ -n "$UPORTS" ] ; then
		for PORT in $UPORTS; do
			$IPT -A $CURR -p udp --dst $IP/32 --dport $PORT \
				-j ACCEPT
		done
	fi
done

$IPT -A $CURR -j LOG --log-prefix "Fwd attempt on $PUB_IF: "
$IPT -A $CURR -j DROP


################## forward_prv ###############################################

CURR=forward_prv
echo $CURR...
$IPT -N $CURR
$IPT -A $CURR -j src_check_prv
$IPT -A $CURR -p tcp -j ACCEPT
$IPT -A $CURR -p udp -j ACCEPT
$IPT -A $CURR -p icmp -j ACCEPT
$IPT -A $CURR -j LOG --log-prefix "Fwd attempt from $PRV_IF: "
$IPT -A $CURR -j REJECT --reject-with icmp-net-prohibited


################## INPUT #####################################################

echo "INPUT..."
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -i $PUB_IF -j input_pub
$IPT -A INPUT -i $PRV_IF -j input_prv

$IPT -A INPUT -j LOG --log-prefix "Unexpected INPUT packet: "
$IPT -A INPUT -j DROP


################## FORWARD ###################################################

echo "FORWARD..."
$IPT -A FORWARD -i $PUB_IF -j forward_pub
$IPT -A FORWARD -i $PRV_IF -j forward_prv

$IPT -A FORWARD -j LOG --log-prefix "Unexpected FORWARD packet: "
$IPT -A FORWARD -j DROP


################## OUTPUT ####################################################

echo "OUTPUT..."
$IPT -A OUTPUT -j ACCEPT


################## PREROUTING ################################################

echo "PREROUTING..."

# Port forwarding:
for HOST in $PF_HOSTS ; do
	eval IP=\${PF_${HOST}_IP}
	eval TPORTS=\${PF_${HOST}_PORTS_TCP}
	eval UPORTS=\${PF_${HOST}_PORTS_UDP}
	if [ -n "$TPORTS" ] ; then
		for PORT in $TPORTS; do
			$IPT -t nat -A PREROUTING -p tcp --dport $PORT \
				-j DNAT --to $IP
		done
	fi
	if [ -n "$UPORTS" ] ; then
		for PORT in $UPORTS; do
			$IPT -t nat -A PREROUTING -p udp --dport $PORT \
				-j DNAT --to $IP
		done
	fi
done


################## POSTROUTING  ##############################################

echo "POSTROUTING..."
$IPT -t nat -A POSTROUTING -o $PUB_IF -s $PRV_NET -j MASQUERADE


################## IP forwarding #############################################

# The FORWARD rules, the DNAT port forwards and MASQUERADE only take effect
# once the kernel is allowed to route between $PRV_IF and $PUB_IF:
echo "Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward
Cheers

Rupert
 
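Hint 3 above says to add the line '/usr/local/sbin/firewall' to rc.local. The following is an added example, not part of rupertwh's post or script: a small POSIX sh helper that does that idempotently and, assuming the Debian/Ubuntu convention that rc.local ends with an `exit 0` line, inserts the call before that line so it is actually reached at boot. The function names and the second (path) argument are my own.

```shell
#!/bin/sh
# Added example (not from the thread): hook the firewall script into rc.local.
# install_firewall_hook RC_LOCAL [FIREWALL_PATH]
#   - does nothing if the line is already present (safe to re-run)
#   - inserts before the first "exit 0" when there is one, otherwise appends
install_firewall_hook() {
    rc="$1"
    fw="${2:-/usr/local/sbin/firewall}"   # default from rupertwh's hint 1
    if [ -f "$rc" ] && grep -q "^$fw" "$rc"; then
        return 0                          # already hooked in
    fi
    tmp="$rc.tmp.$$"
    if [ -f "$rc" ] && grep -q '^exit 0' "$rc"; then
        # Put the call before "exit 0"; a line after it would never run.
        awk -v fw="$fw" '!done && /^exit 0/ { print fw; done = 1 } { print }' \
            "$rc" > "$tmp" || return 1
    else
        { [ -f "$rc" ] && cat "$rc"; echo "$fw"; } > "$tmp" || return 1
    fi
    mv "$tmp" "$rc"
}

# hook_count RC_LOCAL [FIREWALL_PATH]: how many times the call line occurs.
hook_count() {
    n=$(grep -c "^${2:-/usr/local/sbin/firewall}" "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Usage on a real system (as root):  install_firewall_hook /etc/rc.local
```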
Old 06-06-2007, 12:49 AM   #18
suvashan
LQ Newbie
 
Registered: Apr 2007
Posts: 16

Original Poster
Rep: Reputation: 0
hi simon ....

I just checked iptables -L on my terminal.

It shows some details about my firewall.


chain INput policy
target prot opt source desination
..

.
.
.
..
.
.
chain FORWARD (policy Accept)
target prot opt source desination
.
.
.
.
...

chain FORWARD (POLICY aCCEPT)
target prot opt source desination





chain OUTPUT (POLICY ACCEPT)
target prot opt source desination





my iptables script path is "/"

not "/usr/local/sbin/setiptables.bash"

WHAT SHOULD I DO....?

Last edited by suvashan; 06-06-2007 at 02:35 AM.
 
Old 06-06-2007, 02:37 AM   #19
suvashan
LQ Newbie
 
Registered: Apr 2007
Posts: 16

Original Poster
Rep: Reputation: 0
hi simon .....

my iptables script path is "/"

not "/usr/local/sbin/setiptables.bash"
 
Old 06-06-2007, 03:36 AM   #20
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Show the following command and the output:

cat /usr/local/sbin/setiptables.bash

... I'll explain:
At the top of your iptables script, there is a line which goes:

# /usr/local/sbin/setiptables.bash

i.e. a commented filename. This is usually the name of the script file. If this is the case, then your iptables script is actually /usr/local/sbin/setiptables.bash and not /iptables as previously stated. I'd like to verify this.
 
Old 06-06-2007, 03:38 AM   #21
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Quote:
my iptables script path is "/" not "/usr/local/sbin/setiptables.bash"
OK... so it is the result of a previous setting getting deleted.

have you tried

sudo iptables -L
 
Old 06-06-2007, 04:20 AM   #22
suvashan
LQ Newbie
 
Registered: Apr 2007
Posts: 16

Original Poster
Rep: Reputation: 0
cat /usr/local/sbin/setiptables.bash

output is

cat: /usr/local/sbin/setiptables.bash :no such file or directory.
 
Old 06-06-2007, 04:41 AM   #23
suvashan
LQ Newbie
 
Registered: Apr 2007
Posts: 16

Original Poster
Rep: Reputation: 0
I tried "sudo iptables -L"

It shows some details about my firewall.


chain INput policy
target prot opt source desination
..

.
.
.
..
.
.
chain FORWARD (policy Accept)
target prot opt source desination
.
.
.
.
...

chain FORWARD (POLICY aCCEPT)
target prot opt source desination





chain OUTPUT (POLICY ACCEPT)
target prot opt source desination
 
Old 06-06-2007, 05:05 AM   #24
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
This is funny ... is that a direct paste or did you edit it?
From that script you should have

Chain INPUT (policy DROP)
target prot opt source destination
... input rules
chain FORWARD (policy ACCEPT)
... forward rules
chain OUTPUT (policy ACCEPT)
... output rules

... this means that the firewall you designed is loaded.

If they are all "policy ACCEPT" and no rules, then the firewall has not loaded.
 
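The test Simon gives in the post above (all three built-in chains at "policy ACCEPT" with no rules means the firewall has not loaded; a DROP policy or rules present means it has) can be applied mechanically to an `iptables -L` listing. The following is an added example, not part of any post in this thread: a POSIX sh function that reads the listing on stdin and returns 0 when a firewall is loaded and 1 when it is not. The function name is my own.

```shell
#!/bin/sh
# Added example (not from the thread): apply the check from post #24 to an
# "iptables -L" listing read on stdin. Policies of the built-in chains are
# taken from the "Chain NAME (policy X)" lines and rules are counted per
# chain; "every policy ACCEPT and no rules at all" means nothing is loaded.
# Returns 0 when a firewall is loaded, 1 when it is not.
firewall_loaded() {
    awk '
        /^Chain / {
            chain = $2
            if ($3 == "(policy") {          # built-in chain: record its policy
                pol = $4; gsub(/[()]/, "", pol)
                policy[chain] = pol
            }
            next
        }
        /^target +prot/ { next }            # column header line
        NF > 0 && chain != "" { rules[chain]++ }
        END {
            all_accept = 1
            for (c in policy) if (policy[c] != "ACCEPT") all_accept = 0
            total = 0
            for (c in rules) total += rules[c]
            if (all_accept && total == 0) {
                print "firewall NOT loaded: every policy is ACCEPT and no rules are present"
                exit 1
            }
            printf "firewall loaded: INPUT policy %s, %d rule(s) listed\n", policy["INPUT"], total
            exit 0
        }'
}

# Usage on a live box (needs root):  sudo iptables -L -n | firewall_loaded
```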
Old 06-06-2007, 07:24 AM   #25
suvashan
LQ Newbie
 
Registered: Apr 2007
Posts: 16

Original Poster
Rep: Reputation: 0
It's not a direct paste....

and also the output is not normal....

and also I get the report only after I run my script.....

selvam.
 
Old 06-06-2007, 07:49 AM   #26
suvashan
LQ Newbie
 
Registered: Apr 2007
Posts: 16

Original Poster
Rep: Reputation: 0
I just rebooted the machine...
and went to the terminal...

and typed "sudo iptables -L"
output is

chain Input (POLICY aCCEPT)
target prot opt source desination
(blank)
chain FORWARD (POLICY aCCEPT)
target prot opt source desination
(blank)
chain output (POLICY aCCEPT)
target prot opt source desination
(blank)




but once I run my script....

./iptables

now just type "sudo iptables -L"
output is

chain Input (POLICY aCCEPT)
target prot opt source desination

some ip details and tcp or udp details and ip range come...
chain FORWARD (POLICY aCCEPT)

some ip details and tcp or udp details and ip range come...

target prot opt source desination
some ip details and tcp or udp details and ip range come...

chain output (POLICY aCCEPT)
target prot opt source desination
some ip details and tcp or udp details and ip range come...
 
Old 06-06-2007, 07:54 AM   #27
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Well, reboot, then show the result of:

sudo iptables -L [post edit: done while I was typing]

cat /iptables

cat /etc/rc.local

This time, provide direct pastes which include the command with the output. In future, this is how you show someone your results: direct pastes which include the commands. Unless you report exactly what is there, you are wasting my time and yours. Pull your act together!

(It's 1am and I'm getting cranky ... bed time!)

Last edited by Simon Bridge; 06-06-2007 at 07:59 AM.
 