05-19-2002, 03:43 PM  #1
LQ Newbie
Registered: May 2002
Location: toronto
Distribution: redhat 7.2
Posts: 3
Iptables rules for allowing rhn_register (up2date)?
After installing an iptables firewall I can't seem to find the correct
ruleset to allow rhn_register to connect to xmlrpc.rhn.redhat.com.https,
which is for up2date. Below I have all the info I can possibly find.
Error from running rhn_register:
A socket error occured:SSLconnecterror attempt 1
A socket error occured:SSLconnect error, attempt 2
A socket error occured: SSL_connect error, attempt #4
A socket error occured: SSL_connect error, attempt #5
command: netstat -anp
Proto Recv-Q Send-Q Local Address        Foreign Address        State       PID/Program name
tcp      412      0 24.X.X.X:33008       216.148.218.160:443    CLOSE_WAIT  21879/python
command: tcpdump -i eth0 dst net 216.148.218.160/24 > /output.txt
16:53:53.941113 24.1.1.1.33003 > xmlrpc.rhn.redhat.com.https: . ack 1842393439 win 5840 (DF)
16:53:53.943882 24.1.1.1.33003 > xmlrpc.rhn.redhat.com.https: P 0:124(124) ack 1 win 5840 (DF)
16:53:54.104313 24.1.1.1.33003 > xmlrpc.rhn.redhat.com.https: . ack 1461 win 8760 (DF)
16:53:54.104501 24.1.1.1.33003 > xmlrpc.rhn.redhat.com.https: . ack 1633 win 8760 (DF)
16:53:54.112465 24.1.1.1.33003 > xmlrpc.rhn.redhat.com.https: P 124:131(7) ack 1633 win 8760 (DF)
16:53:54.252767 24.1.1.1.33003 > xmlrpc.rhn.redhat.com.https: . ack 1634 win 8760 (DF)
16:53:55.131729 24.1.1.1.33004 > xmlrpc.rhn.redhat.com.https: SWE 1922505889:1922505889(0) win 5840
Iptables v1.2.6 rules:
# "-d hostname" is resolved once, when the rule is loaded, not per packet.
$IPTABLES -A OUTPUT -o eth0 -p tcp -d xmlrpc.rhn.redhat.com --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# State names are comma-separated; "--state NEW ESTABLISHED" (space) is rejected by iptables.
$IPTABLES -A OUTPUT -o eth0 -p tcp -s 24.1.1.1 --sport 32000:34000 -m state --state NEW,ESTABLISHED -j ACCEPT
Are the rules that I've put in iptables allowing enough information to let
rhn_register run? Any info is appreciated.
Thank you
Andy
05-19-2002, 09:13 PM  #2
LQ Guru
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163
What are your policies?
Especially your INPUT policy.
05-19-2002, 09:23 PM  #3
LQ Newbie
Registered: May 2002
Location: toronto
Distribution: redhat 7.2
Posts: 3
Original Poster
#!/bin/sh
IPTABLES="/sbin/iptables"
INSMOD="/sbin/insmod"
# Reverse-path filtering on every interface: drop packets whose source
# address would not be routed back out the interface they arrived on.
for blah in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $blah
done
# Connection-tracking helpers so FTP/IRC data connections match RELATED.
$INSMOD ip_conntrack_ftp
$INSMOD ip_nat_ftp
$INSMOD ip_conntrack_irc
# Start from empty tables (policies are left at their default of ACCEPT
# until INPUT is set to DROP at the end).
$IPTABLES --flush
$IPTABLES --table nat --flush
$IPTABLES --delete-chain
$IPTABLES --table nat --delete-chain
# NAT for the internal network behind eth1; everything is forwarded.
$IPTABLES --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
$IPTABLES --append FORWARD --in-interface eth1 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A INPUT -i lo -p all -j ACCEPT
$IPTABLES -A OUTPUT -o lo -p all -j ACCEPT
# Per-service pairs: new outbound connections to the server port, and
# only ESTABLISHED replies back from that port.
$IPTABLES -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# State names are comma-separated: "--state NEW ESTABLISHED" (space) is rejected by iptables.
#$IPTABLES -A OUTPUT -o eth0 -p tcp -d xmlrpc.rhn.redhat.com --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p tcp -s X.X.X.X --sport 32000:34000 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
# DNS to the two configured resolvers only.
$IPTABLES -A INPUT -i eth0 -p udp -s X.X.X.X --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp -d X.X.X.X --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp -s X.X.X.X --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp -d X.X.X.X --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# Inbound services on non-standard ports. The prefix length is written with
# a forward slash (X.X.X.X/24); a backslash is a syntax error.
$IPTABLES -A INPUT -p tcp -s 0/0 -d X.X.X.X/24 --dport 64000 -j ACCEPT # ssh tcp
$IPTABLES -A INPUT -p udp -s 0/0 -d X.X.X.X/24 --dport 64000 -j ACCEPT # ssh udp
$IPTABLES -A INPUT -p tcp -s 0/0 -d X.X.X.X/24 --dport 64111 -j ACCEPT # TEMP SSH2
$IPTABLES -A INPUT -p udp -s 0/0 -d X.X.X.X/24 --dport 64111 -j ACCEPT # TEMP SSH2
$IPTABLES -A INPUT -p tcp -s 0/0 -d 0/0 --dport 64006 -j ACCEPT # ftp
$IPTABLES -A INPUT -p udp -s 0/0 -d 0/0 --dport 64006 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 -d 0/0 --dport 64007 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 0/0 -d 0/0 --dport 64007 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 -d X.X.X.X/24 --dport 64006 -j ACCEPT
# Port-forwards to the internal host.
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 64001 -j DNAT --to-dest 192.168.0.2:64001
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 64005 -j DNAT --to-dest 192.168.0.2:64005
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 64004 -j DNAT --to-dest 192.168.0.2:64004
# Only INPUT defaults to DROP; OUTPUT and FORWARD stay at ACCEPT.
$IPTABLES -P INPUT DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
#Temporary monitoring (appended last, so only packets no ACCEPT rule matched are logged)
#$IPTABLES -A INPUT -j LOG --log-prefix "INPUT_DROP: "
#$IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "
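The script above allows each service with a separate pair of rules (outbound NEW to the server port, inbound ESTABLISHED from that source port). The following is an added example, not the poster's script and not anything from Red Hat: it builds the equivalent ruleset for the RHN case with one conntrack rule per direction and both INPUT and OUTPUT defaulting to DROP. The script name rhn-firewall.sh, the interface eth0 and the resolver address 24.1.1.2 are assumptions for the example; the 216.148.218.0/24 destination is the network the thread discusses. By default it only prints the iptables commands (IPTABLES=echo), so it runs without root; set IPTABLES=/sbin/iptables to load them.

```shell
#!/bin/sh
# Added example (not the poster's script): stateful ruleset for a host that must
# reach RHN over HTTPS with INPUT and OUTPUT both defaulting to DROP.
# Defaults to preview mode (IPTABLES=echo); run as root with IPTABLES=/sbin/iptables to load.
IPTABLES="${IPTABLES:-echo}"
IFACE="${IFACE:-eth0}"          # assumed interface name

# One conntrack rule per direction replaces every per-port
# "--sport N ... --state ESTABLISHED" pair: replies to any connection this host
# opened match ESTABLISHED, and helper-tracked data connections match RELATED.
base_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Outbound DNS to the listed resolvers only; rhn_register has to resolve the
# RHN host names before it can connect, and so does any "-d hostname" rule.
dns_rules() {
    for ns in "$@"; do
        $IPTABLES -A OUTPUT -o "$IFACE" -p udp -d "$ns" --dport 53 -m state --state NEW -j ACCEPT
    done
}

# New outbound HTTPS connections to each listed network or host. State names
# are comma-separated; "--state NEW ESTABLISHED" (space) makes iptables reject
# the whole command, so that rule would never be loaded.
https_rules() {
    for dst in "$@"; do
        $IPTABLES -A OUTPUT -o "$IFACE" -p tcp -d "$dst" --dport 443 -m state --state NEW -j ACCEPT
    done
}

# Log what the DROP policies eat, rate-limited so a port scan cannot flood
# syslog. Appended last, so only packets no ACCEPT rule matched reach it.
log_rules() {
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT_DROP: "
    $IPTABLES -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT_DROP: "
}

# Assemble the ruleset.  Usage: build_ruleset RESOLVER... -- DESTINATION...
build_ruleset() {
    resolvers=""
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        resolvers="$resolvers $1"
        shift
    done
    if [ "${1:-}" = "--" ]; then shift; fi
    base_rules
    dns_rules $resolvers
    https_rules "$@"
    log_rules
}

# Preview the rules for the thread's RHN network:  sh rhn-firewall.sh preview
# (24.1.1.2 is a constructed resolver address for the example.)
if [ "${1:-}" = "preview" ]; then
    build_ruleset 24.1.1.2 -- 216.148.218.0/24
fi
```

After loading, `iptables -L -v -n` shows the packet counters per rule, and the LOG lines in /var/log/messages show exactly which packets the DROP policy is eating, which is the quickest way to tell whether the blocked packet is the outbound SYN or the returning SYN-ACK.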
05-20-2002, 12:13 PM  #4
Member
Registered: Apr 2002
Distribution: Fedora Core 5 & 6
Posts: 47
Here are the rules I added to my iptables script to get rhn_register and up2date working last week:
iptables -A OUTPUT -o eth0 -p tcp -d 216.148.218.160/24 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 216.148.218.160/24 -m state --state ESTABLISHED -j ACCEPT
I keep all my policies on DROP, which is why I need the output rule. I can't tell what you do, so you may not need the first rule. Also, those programs tend to use different IP addresses sometimes, which demands the /24.
I didn't have any errors about SSL.
05-20-2002, 06:30 PM  #5
Moderator
Registered: May 2001
Posts: 29,415
[OT]
Kewl. Btw, doesn't iptables mind wacky CIDR notation?
IIRC it should be 3 quads: xxx.xxx.xxx.0/24, and rhn only uses approx. 4-5 addresses, try "host rhn.redhat.com".
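On the CIDR point: iptables applies the mask when it stores the rule, so `-d 216.148.218.160/24` is loaded, and listed by `iptables -L -n`, as 216.148.218.0/24; the rule works, but anyone reviewing the script sees a host address and has to work out the network the rule really matches. The following is an added example, not from the thread: a pure POSIX shell function that normalises an a.b.c.d/N spec to its network address, plus an audit that flags any spec with host bits set before the ruleset is loaded. The function names (cidr_network, cidr_aligned, audit_specs) and the sample specs other than 216.148.218.160/24 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): normalise a.b.c.d/N to its network
# address and flag specs whose host bits are set, so a rule written as
# 216.148.218.160/24 is reviewed as the 216.148.218.0/24 it really matches.

# Print the network address for SPEC (a.b.c.d or a.b.c.d/N); a bare address
# is treated as /32. Returns 1 on a malformed spec.
cidr_network() {
    spec=$1
    addr=${spec%/*}
    bits=${spec#*/}
    [ "$bits" != "$spec" ] || bits=32
    case $bits in
        ''|*[!0-9]*) echo "bad prefix length in $spec" >&2; return 1 ;;
    esac
    [ "$bits" -le 32 ] || { echo "bad prefix length in $spec" >&2; return 1; }
    # Split the dotted quad into $1..$4 without spawning a process.
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad address in $spec" >&2; return 1; }
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) echo "bad address in $spec" >&2; return 1 ;; esac
        [ "$octet" -le 255 ] || { echo "bad address in $spec" >&2; return 1; }
    done
    # Pack to a 32-bit integer, mask off the host bits, unpack.
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$bits"
}

# Succeed only when SPEC already names its network (no host bits set).
cidr_aligned() {
    norm=$(cidr_network "$1") || return 2
    case $1 in
        */*) want=$1 ;;
        *)   want=$1/32 ;;
    esac
    [ "$norm" = "$want" ]
}

# Print every spec that will be silently masked, with what iptables will load,
# and return 1 if any were found: a pre-load check for a firewall script.
audit_specs() {
    bad=0
    for spec in "$@"; do
        if ! cidr_aligned "$spec"; then
            echo "$spec -> $(cidr_network "$spec")"
            bad=1
        fi
    done
    return $bad
}

# Example run over constructed specs (only the first one is from the thread):
#   audit_specs 216.148.218.160/24 216.148.218.0/24 10.0.0.1
# prints "216.148.218.160/24 -> 216.148.218.0/24" and exits 1.
```

Per-host /32 rules built from the addresses `host` returns (the moderator's suggestion) avoid the question entirely, at the cost of re-running the script when the RHN addresses change; a /24 written as its network address is the honest middle ground.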