Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
10-22-2007, 07:36 PM
|
#1
|
LQ Newbie
Registered: Oct 2007
Posts: 5
Rep:
|
iptables rules to allow Virus Scanner to Update
Hi -
I have IPCop 1.4.16 running with AdvProxy and have just added the iptables rule to drop all traffic to a variety of ports (see rc.firewall.local below).
The virus scanner wants to go out on port 80 and come back on a port >1024. I had a stab at adding the rules to allow this but it doesn't seem to work. I a newbie with this rules and was trying to glean the proper format from the available online docs. I maked the rules with *out and *in
Any help appreciated!
Don
#!/bin/sh
# Used for private firewall rules
# See how we were called.
case "$1" in
start)
## add your 'start' rules here
#Added for zerina start - BEGIN
/usr/local/bin/openvpnctrl --create-chains-and-rules
#Added for zerina start - END
*out /sbin/iptables -A FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p
TCP -m multiport --dport 80,443 -j ACCEPT
*in /sbin/iptables -A FORWARD -d 0/0 -o eth0 -s 193.86.3.36 -i eth1 -p TCP -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i eth0 -o eth1 -p tcp -m mport --dports 80,81,443,3128,6588,8000,8080,8181 -j DROP
;;
stop)
## add your 'stop' rules here
#Added for zerina stop - BEGIN
/usr/local/bin/openvpnctrl --delete-chains-and-rules
#Added for zerina stop - END
;;
reload)
$0 stop
$0 start
## add your 'reload' rules here
;;
*)
echo "Usage: $0 {start|stop|reload}"
;;
esac
|
|
|
10-22-2007, 08:03 PM
|
#2
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Try changing this:
Code:
/sbin/iptables -A FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p TCP \
-m multiport --dport 80,443 -j ACCEPT
/sbin/iptables -A FORWARD -d 0/0 -o eth0 -s 193.86.3.36 -i eth1 -p TCP \
-m state --state ESTABLISHED -j ACCEPT
To this:
Code:
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p TCP \
-m multiport --dports 80,443 -m state --state NEW -j ACCEPT
Also, is it fair to assume IP forwarding is enabled and your POSTROUTING rule for SNAT/MASQUERADE is being executed somewhere else? I ask because there is nothing of that sort in what you posted. You can confirm this for us by posting these:
Code:
cat /proc/sys/net/ipv4/ip_forward
Code:
iptables -t nat -nvL POSTROUTING
Last edited by win32sux; 10-22-2007 at 08:08 PM.
|
|
|
10-22-2007, 08:36 PM
|
#3
|
LQ Newbie
Registered: Oct 2007
Posts: 5
Original Poster
Rep:
|
Hi -
Thanks for the reply. I changed the rules and still see the virus scanner asking for the outbound connection [SYN] in wireshark. The ip_forward value is 1 and the following table shows the output of the iptables command you suggested:
Chain POSTROUTING (policy ACCEPT 682 packets, 45192 bytes)
pkts bytes target prot opt in out source destination
6773 470K CUSTOMPOSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
6773 470K REDNAT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x1 to:192.168.200.1
Thanks again!
Don
|
|
|
10-22-2007, 08:43 PM
|
#4
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Did you make sure the old rules were removed from the active configuration before executing the new ones?
Could we see your FORWARD chain?
Code:
iptables -nvL FORWARD
Please use code tags when posting output.
Last edited by win32sux; 10-22-2007 at 08:45 PM.
|
|
|
10-22-2007, 09:43 PM
|
#5
|
LQ Newbie
Registered: Oct 2007
Posts: 5
Original Poster
Rep:
|
Hi -
Here's the output from FORWARD (in code tags this time, sorry). Behavious of the AV seems to be the same :-(
Thanks!
Don
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
154 10352 ipac~fi all -- * * 0.0.0.0/0 0.0.0.0/0
154 10352 ipac~fo all -- * * 0.0.0.0/0 0.0.0.0/0
171 12114 BADTCP all -- * * 0.0.0.0/0 0.0.0.0/0
98 4704 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
171 12114 CUSTOMFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
13 1619 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
60 5791 IPSECVIRTUAL all -- * * 0.0.0.0/0 0.0.0.0/0
60 5791 OPENSSLVIRTUAL all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0 state NEW
0 0 DROP all -- * * 0.0.0.0/0 127.0.0.0/8 state NEW
60 5791 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 WIRELESSFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 REDFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PORTFWACCESS all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 193.86.3.36 multiport dports 80,443 state NEW
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `OUTPUT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 193.86.3.36 multiport dports 80,443 state NEW
|
|
|
10-22-2007, 09:57 PM
|
#6
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Okay, you have tons of user-built chains which the packets must traverse first before getting to your rules. So the packets could be getting filtered in any of those chains. Do you have logging setup for any rule that sends packets to DROP? It's a good idea, as you could see what is happening, and where. That said, a quick fix for your problem could be to simply insert the rules above all the others, so that you know the packets will pass through it. For this, we basically just change the "-A" to a "-I", and invert the order of execution:
Code:
/sbin/iptables -I FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p TCP \
-m multiport --dports 80,443 -m state --state NEW -j ACCEPT
/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
This should definitely work. If it doesn't, then you need to determine why the packets aren't matching.
This would once again imply looking at the log file in most cases.
Last edited by win32sux; 10-22-2007 at 10:08 PM.
|
|
|
10-22-2007, 10:26 PM
|
#7
|
LQ Newbie
Registered: Oct 2007
Posts: 5
Original Poster
Rep:
|
Hi -
Success! By keeping wireshark running, I could see the connection to the site and then it would fail again. The site is actually handing off to another server, so I added a rule for the return IP and voila - successful update!
Thanks so much for all your help - both service and turnaround time are outstanding!
Don
|
|
|
10-22-2007, 10:32 PM
|
#8
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
I'm glad you got it sorted. BTW, welcome to LQ!!!
|
|
|
10-22-2007, 11:06 PM
|
#9
|
LQ Newbie
Registered: Oct 2007
Posts: 5
Original Poster
Rep:
|
Hi -
I added all the alternate IPs that the AV scanner seems to query (both home and handoff) and it works flawlessly now. My next challenge is to do the same thing for ClamAV but that's tomorrow's problem...
As a Newbie, its very nice to have such great folks helping out. I really appreciate the help!
Cheers!
Don
|
|
|
All times are GMT -5. The time now is 06:13 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|