IPtables/Guarddog blocking to much. How do I fix this?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
IPtables/Guarddog blocking to much. How do I fix this?
Guarddog is blocking some images from some websites, when I disable the firewall (iptables/guarddog) I can see the images. What do I need to enable in guarddog to stop it from blocking images?
In Guarddog the only boxes I have checked are:
FTP
HTTP
HTTPS
DNS
KERBEROS
IDENT/AUTH
I am not really sure if I am supposed to have all these checked or not but after trial and error I found these are the ones that let me go online. I am not running server.
There is something really fishy going on here. YOu should see those images with the firewall enabled. Why not try another firewall or uninstall and reinstall firewall. Or something else of this nature. I have never heard of a problem like yours referencing a firewall. Does Guarddog have a forum where you can ask questions?? If so then I would ask over there.
An example would be when I google something for images the thumbnails dont show up, when I click the disable firewall box in guarddog and hit apply, then I can see them. If I dont start up guarddog the images are shown and it seem to be only thumbs, not all images.
In Guarddog the only boxes I have checked are:
FTP
HTTP
HTTPS
DNS
KERBEROS
IDENT/AUTH
I am not really sure if I am supposed to have all these checked or not but after trial and error I found these are the ones that let me go online.
I haven't used Guarddog in ages, but underneath it's all boils down to Iptables rules, so could you post the output from "/sbin/iptables -n -L -v"? If it's much I think we'd prefer a download location if you can handle it. Scrub your public IP from the file first tho.
if you're not serving something then your basic Iptables shellscript could look like this, you'll have to stop Guarddog to run this:
Code:
PATH=/sbin:$PATH
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback device
iptables -A INPUT -i lo -j ACCEPT
# Only ping stuff
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Traffic from connections we initiated
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The rest gets logged and dropped
iptables -A INPUT -j LOG --log-prefix="IN_block" -m limit --limit 1/s
iptables -A INPUT -j DROP
It isn't complete but it should let you surf while you fix things.
If I try to un-fsck and rip out all the rules with zero traffic it it looks kinda like this:
Code:
/sbin/iptables -A INPUT -i lo -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j logaborted # tcp flags:0x04/0x04
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT # tcp flags:0x04/0x04
/sbin/iptables -A INPUT -o lo -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # 12
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT # 12
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j s1 # 12
/sbin/iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # dpt:80 state NEW
/sbin/iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # state NEW
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j logdrop # dpt:21 state NEW
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j logaborted2 # 1/sec burst 10
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG # 7 level 4 prefix ABORTED
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT # 7 level 4 prefix `ABORTED
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j logdrop2 # 1/sec burst 10
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG # 7 level 4 prefix `DROPPED
/sbin/iptables -A INPUT -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP # 7 level 4 prefix `DROPPED
...which would mean that apart from filtering for bogon networks, invalid packets or packets with weird TCP flag combo's, ICMP garbage, ICMP rate limiting and detailed logging the previously posted script should work. Now why Guarddog won't work I can't see from here, but it seems to me it's trying to guide traffic through some rules that just won't work.
I'd suggest you try running the previously posted script, backup your firewall script if you want to, and start configuring Guarddog from scratch. Basically what you want is to DROP anything on FORWARD (you don't route for other boxen), DROP anything on INPUT that has the SYN flag set (allowing only ICMP and ESTABLISHED,RELATED) and ACCEPT everything on OUTPUT.
unspawn, I dont understand anything you posted, I am not familiar with iptables or configuring it. I just tried to install firestarter but it would not configure, something about missing gconf-2. I guess its not that big a deal, I just wont see some images with the firewall enabled. Thanks for the help.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
