iptables rules to allow Virus Scanner to Update
Hi -
I have IPCop 1.4.16 running with AdvProxy and have just added the iptables rule to drop all traffic to a variety of ports (see rc.firewall.local below). The virus scanner wants to go out on port 80 and come back on a port >1024. I had a stab at adding the rules to allow this but it doesn't seem to work. I a newbie with this rules and was trying to glean the proper format from the available online docs. I maked the rules with *out and *in Any help appreciated! Don #!/bin/sh # Used for private firewall rules # See how we were called. case "$1" in start) ## add your 'start' rules here #Added for zerina start - BEGIN /usr/local/bin/openvpnctrl --create-chains-and-rules #Added for zerina start - END *out /sbin/iptables -A FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p TCP -m multiport --dport 80,443 -j ACCEPT *in /sbin/iptables -A FORWARD -d 0/0 -o eth0 -s 193.86.3.36 -i eth1 -p TCP -m state --state ESTABLISHED -j ACCEPT /sbin/iptables -A CUSTOMFORWARD -i eth0 -o eth1 -p tcp -m mport --dports 80,81,443,3128,6588,8000,8080,8181 -j DROP ;; stop) ## add your 'stop' rules here #Added for zerina stop - BEGIN /usr/local/bin/openvpnctrl --delete-chains-and-rules #Added for zerina stop - END ;; reload) $0 stop $0 start ## add your 'reload' rules here ;; *) echo "Usage: $0 {start|stop|reload}" ;; esac |
Try changing this:
Code:
/sbin/iptables -A FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p TCP \ Code:
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT Also, is it fair to assume IP forwarding is enabled and your POSTROUTING rule for SNAT/MASQUERADE is being executed somewhere else? I ask because there is nothing of that sort in what you posted. You can confirm this for us by posting these: Code:
cat /proc/sys/net/ipv4/ip_forward Code:
iptables -t nat -nvL POSTROUTING |
Hi -
Thanks for the reply. I changed the rules and still see the virus scanner asking for the outbound connection [SYN] in wireshark. The ip_forward value is 1 and the following table shows the output of the iptables command you suggested: Chain POSTROUTING (policy ACCEPT 682 packets, 45192 bytes) pkts bytes target prot opt in out source destination 6773 470K CUSTOMPOSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0 6773 470K REDNAT all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x1 to:192.168.200.1 Thanks again! Don |
Did you make sure the old rules were removed from the active configuration before executing the new ones?
Could we see your FORWARD chain? Code:
iptables -nvL FORWARD |
Hi -
Here's the output from FORWARD (in code tags this time, sorry). Behavious of the AV seems to be the same :-( Thanks! Don Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes) |
Okay, you have tons of user-built chains which the packets must traverse first before getting to your rules. So the packets could be getting filtered in any of those chains. Do you have logging setup for any rule that sends packets to DROP? It's a good idea, as you could see what is happening, and where. That said, a quick fix for your problem could be to simply insert the rules above all the others, so that you know the packets will pass through it. For this, we basically just change the "-A" to a "-I", and invert the order of execution:
Code:
/sbin/iptables -I FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p TCP \ This would once again imply looking at the log file in most cases. |
Hi -
Success! By keeping wireshark running, I could see the connection to the site and then it would fail again. The site is actually handing off to another server, so I added a rule for the return IP and voila - successful update! Thanks so much for all your help - both service and turnaround time are outstanding! Don |
I'm glad you got it sorted. BTW, welcome to LQ!!! :)
|
Hi -
I added all the alternate IPs that the AV scanner seems to query (both home and handoff) and it works flawlessly now. My next challenge is to do the same thing for ClamAV but that's tomorrow's problem... As a Newbie, its very nice to have such great folks helping out. I really appreciate the help! Cheers! Don |
All times are GMT -5. The time now is 08:01 AM. |