LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   iptables rules to allow Virus Scanner to Update (https://www.linuxquestions.org/questions/linux-security-4/iptables-rules-to-allow-virus-scanner-to-update-593794/)

dontrotter 10-22-2007 06:36 PM

iptables rules to allow Virus Scanner to Update
 
Hi -

I have IPCop 1.4.16 running with AdvProxy and have just added the iptables rule to drop all traffic to a variety of ports (see rc.firewall.local below).

The virus scanner wants to go out on port 80 and come back on a port >1024. I had a stab at adding the rules to allow this but it doesn't seem to work. I a newbie with this rules and was trying to glean the proper format from the available online docs. I maked the rules with *out and *in

Any help appreciated!

Don

#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
start)
## add your 'start' rules here
#Added for zerina start - BEGIN
/usr/local/bin/openvpnctrl --create-chains-and-rules
#Added for zerina start - END
*out /sbin/iptables -A FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p
TCP -m multiport --dport 80,443 -j ACCEPT
*in /sbin/iptables -A FORWARD -d 0/0 -o eth0 -s 193.86.3.36 -i eth1 -p TCP -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i eth0 -o eth1 -p tcp -m mport --dports 80,81,443,3128,6588,8000,8080,8181 -j DROP

;;
stop)
## add your 'stop' rules here
#Added for zerina stop - BEGIN
/usr/local/bin/openvpnctrl --delete-chains-and-rules
#Added for zerina stop - END
;;
reload)
$0 stop
$0 start
## add your 'reload' rules here
;;
*)
echo "Usage: $0 {start|stop|reload}"
;;
esac

win32sux 10-22-2007 07:03 PM

Try changing this:
Code:

/sbin/iptables -A FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p TCP \
-m multiport --dport 80,443 -j ACCEPT

/sbin/iptables -A FORWARD -d 0/0 -o eth0 -s 193.86.3.36 -i eth1 -p TCP \
-m state --state ESTABLISHED -j ACCEPT

To this:
Code:

/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p TCP \
-m multiport --dports 80,443 -m state --state NEW -j ACCEPT


Also, is it fair to assume IP forwarding is enabled and your POSTROUTING rule for SNAT/MASQUERADE is being executed somewhere else? I ask because there is nothing of that sort in what you posted. You can confirm this for us by posting these:

Code:

cat /proc/sys/net/ipv4/ip_forward
Code:

iptables -t nat -nvL POSTROUTING

dontrotter 10-22-2007 07:36 PM

Hi -

Thanks for the reply. I changed the rules and still see the virus scanner asking for the outbound connection [SYN] in wireshark. The ip_forward value is 1 and the following table shows the output of the iptables command you suggested:

Chain POSTROUTING (policy ACCEPT 682 packets, 45192 bytes)
pkts bytes target prot opt in out source destination
6773 470K CUSTOMPOSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
6773 470K REDNAT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x1 to:192.168.200.1


Thanks again!

Don

win32sux 10-22-2007 07:43 PM

Did you make sure the old rules were removed from the active configuration before executing the new ones?

Could we see your FORWARD chain?
Code:

iptables -nvL FORWARD
Please use code tags when posting output.

dontrotter 10-22-2007 08:43 PM

Hi -

Here's the output from FORWARD (in code tags this time, sorry). Behavious of the AV seems to be the same :-(

Thanks!

Don
Code:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
  154 10352 ipac~fi    all  --  *      *      0.0.0.0/0            0.0.0.0/0         
  154 10352 ipac~fo    all  --  *      *      0.0.0.0/0            0.0.0.0/0         
  171 12114 BADTCP    all  --  *      *      0.0.0.0/0            0.0.0.0/0         
  98  4704 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
  171 12114 CUSTOMFORWARD  all  --  *      *      0.0.0.0/0            0.0.0.0/0         
  13  1619 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
  60  5791 IPSECVIRTUAL  all  --  *      *      0.0.0.0/0            0.0.0.0/0         
  60  5791 OPENSSLVIRTUAL  all  --  *      *      0.0.0.0/0            0.0.0.0/0         
    0    0 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0          state NEW
    0    0 DROP      all  --  *      *      127.0.0.0/8          0.0.0.0/0          state NEW
    0    0 DROP      all  --  *      *      0.0.0.0/0            127.0.0.0/8        state NEW
  60  5791 ACCEPT    all  --  eth0  *      0.0.0.0/0            0.0.0.0/0          state NEW
    0    0 WIRELESSFORWARD  all  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW
    0    0 REDFORWARD  all  --  *      *      0.0.0.0/0            0.0.0.0/0         
    0    0 PORTFWACCESS  all  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW
    0    0 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0    0 ACCEPT    tcp  --  eth0  eth1    0.0.0.0/0            193.86.3.36        multiport dports 80,443 state NEW
    0    0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0          limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `OUTPUT '
    0    0 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0    0 ACCEPT    tcp  --  eth0  eth1    0.0.0.0/0            193.86.3.36        multiport dports 80,443 state NEW


win32sux 10-22-2007 08:57 PM

Okay, you have tons of user-built chains which the packets must traverse first before getting to your rules. So the packets could be getting filtered in any of those chains. Do you have logging setup for any rule that sends packets to DROP? It's a good idea, as you could see what is happening, and where. That said, a quick fix for your problem could be to simply insert the rules above all the others, so that you know the packets will pass through it. For this, we basically just change the "-A" to a "-I", and invert the order of execution:
Code:

/sbin/iptables -I FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p TCP \
-m multiport --dports 80,443 -m state --state NEW -j ACCEPT

/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

This should definitely work. If it doesn't, then you need to determine why the packets aren't matching.

This would once again imply looking at the log file in most cases.

dontrotter 10-22-2007 09:26 PM

Hi -

Success! By keeping wireshark running, I could see the connection to the site and then it would fail again. The site is actually handing off to another server, so I added a rule for the return IP and voila - successful update!

Thanks so much for all your help - both service and turnaround time are outstanding!

Don

win32sux 10-22-2007 09:32 PM

I'm glad you got it sorted. BTW, welcome to LQ!!! :)

dontrotter 10-22-2007 10:06 PM

Hi -

I added all the alternate IPs that the AV scanner seems to query (both home and handoff) and it works flawlessly now. My next challenge is to do the same thing for ClamAV but that's tomorrow's problem...

As a Newbie, its very nice to have such great folks helping out. I really appreciate the help!

Cheers!

Don


All times are GMT -5. The time now is 08:01 AM.