LinuxQuestions.org
Old 05-19-2002, 03:43 PM   #1
andy_sco123
LQ Newbie
 
Registered: May 2002
Location: toronto
Distribution: redhat 7.2
Posts: 3

Rep: Reputation: 0
Iptables rules for allowing rhn_register (up2date)?


After installing an iptables firewall I can't seem to find the correct ruleset to allow rhn_register to connect to xmlrpc.rhn.redhat.com.https, which is for up2date. Below I have all the info I can possibly find.


Error from running rhn_register:

A socket error occured:SSLconnecterror attempt 1
A socket error occured:SSLconnect error, attempt 2
A socket error occured: SSL_connect error, attempt #4
A socket error occured: SSL_connect error, attempt #5

command: netstat -anp

Proto Recv-Q Send-Q Local Address         Foreign Address        State       PID/Program name
tcp      412      0 24.X.X.X:33008        216.148.218.160:443    CLOSE_WAIT  21879/python

command: tcpdump -i eth0 dst net 216.148.218.160/24 > /output.txt

16:53:53.941113 24.1.1.1.33003 > xmlrpc.rhn.redhat.com.https: . ack 1842393439 win 5840 (DF)
16:53:53.943882 24.1.1.1.33003 > xmlrpc.rhn.redhat.com.https: P 0:124(124) ack 1 win 5840 (DF)
16:53:54.104313 24.1.1.1.33003 > xmlrpc.rhn.redhat.com.https: . ack 1461 win 8760 (DF)
16:53:54.104501 24.1.1.1.33003 > xmlrpc.rhn.redhat.com.https: . ack 1633 win 8760 (DF)
16:53:54.112465 24.1.1.1.33003 > xmlrpc.rhn.redhat.com.https: P 124:131(7) ack 1633 win 8760 (DF)
16:53:54.252767 24.1.1.1.33003 > xmlrpc.rhn.redhat.com.https: . ack 1634 win 8760 (DF)
16:53:55.131729 24.1.1.1.33004 > xmlrpc.rhn.redhat.com.https: SWE 1922505889:1922505889(0) win 5840

Iptables v1.2.6 rules:

# outbound HTTPS to the RHN host
$IPTABLES -A OUTPUT -o eth0 -p tcp -d xmlrpc.rhn.redhat.com --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# outbound from the client's ephemeral port range (states must be comma-separated)
$IPTABLES -A OUTPUT -o eth0 -p tcp -s 24.1.1.1 --sport 32000:34000 -m state --state NEW,ESTABLISHED -j ACCEPT

Are the rules that I've put in iptables allowing enough information to let rhn_register run? Any info is appreciated.
Thank you
Andy
 
Old 05-19-2002, 09:13 PM   #2
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
What are your policies?

Especially your input policy.
 
Old 05-19-2002, 09:23 PM   #3
andy_sco123
LQ Newbie
 
Registered: May 2002
Location: toronto
Distribution: redhat 7.2
Posts: 3

Original Poster
Rep: Reputation: 0
#!/bin/sh

IPTABLES="/sbin/iptables"
INSMOD="/sbin/insmod"

# Reverse-path filtering on every interface
for blah in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo "1" > $blah
done

# Connection-tracking and NAT helper modules
$INSMOD ip_conntrack_ftp
$INSMOD ip_nat_ftp
$INSMOD ip_conntrack_irc

# Start from empty tables
$IPTABLES --flush
$IPTABLES --table nat --flush
$IPTABLES --delete-chain
$IPTABLES --table nat --delete-chain

# Masquerade the LAN (eth1) out through eth0
$IPTABLES --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
$IPTABLES --append FORWARD --in-interface eth1 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

# Loopback
$IPTABLES -A INPUT -i lo -p all -j ACCEPT
$IPTABLES -A OUTPUT -o lo -p all -j ACCEPT

# Outbound http, https, ftp and their replies
$IPTABLES -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

# RHN rules from the first post (currently disabled)
#$IPTABLES -A OUTPUT -o eth0 -p tcp -d xmlrpc.rhn.redhat.com --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p tcp -s X.X.X.X --sport 32000:34000 -m state --state NEW,ESTABLISHED -j ACCEPT

# Outbound smtp and replies
$IPTABLES -A INPUT -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

# DNS to the two resolvers (addresses redacted)
$IPTABLES -A INPUT -i eth0 -p udp -s X.X.X.X --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp -d X.X.X.X --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp -s X.X.X.X --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp -d X.X.X.X --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# Inbound services on non-standard ports
$IPTABLES -A INPUT -p tcp -s 0/0 -d X.X.X.X/24 --dport 64000 -j ACCEPT # ssh tcp
$IPTABLES -A INPUT -p udp -s 0/0 -d X.X.X.X/24 --dport 64000 -j ACCEPT # ssh udp
$IPTABLES -A INPUT -p tcp -s 0/0 -d X.X.X.X/24 --dport 64111 -j ACCEPT # TEMP SSH2
$IPTABLES -A INPUT -p udp -s 0/0 -d X.X.X.X/24 --dport 64111 -j ACCEPT # TEMP SSH2
$IPTABLES -A INPUT -p tcp -s 0/0 -d 0/0 --dport 64006 -j ACCEPT # ftp
$IPTABLES -A INPUT -p udp -s 0/0 -d 0/0 --dport 64006 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 -d 0/0 --dport 64007 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 0/0 -d 0/0 --dport 64007 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 -d X.X.X.X/24 --dport 64006 -j ACCEPT

# Port-forwards to the internal host
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 64001 -j DNAT --to-dest 192.168.0.2:64001
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 64005 -j DNAT --to-dest 192.168.0.2:64005
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 64004 -j DNAT --to-dest 192.168.0.2:64004

# Default policy: drop anything inbound not matched above
$IPTABLES -P INPUT DROP
echo 1 > /proc/sys/net/ipv4/ip_forward

# Temporary monitoring
#$IPTABLES -A INPUT -j LOG --log-prefix "INPUT_DROP: "
#$IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "
 
Old 05-20-2002, 12:13 PM   #4
the theorist
Member
 
Registered: Apr 2002
Distribution: Fedora Core 5 & 6
Posts: 47

Rep: Reputation: 15
Here are the rules I added to my iptables script to get rhn_register and up2date working last week:

iptables -A OUTPUT -o eth0 -p tcp -d 216.148.218.160/24 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 216.148.218.160/24 -m state --state ESTABLISHED -j ACCEPT

I keep all my policies on DROP, which is why I need the output rule -- I can't tell what you do, so you may not need the first rule. Also, those programs tend to use different IP addresses sometimes, which demands the /24.

I didn't have any errors about SSL.
 
Old 05-20-2002, 06:30 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3607
[OT]

Kewl. Btw, doesn't iptables mind wacky CIDR notation?
IIRC it should be 3 quads: xxx.xxx.xxx.0/24, and rhn only uses approx. 4-5 addresses, try "host rhn.redhat.com".
 