LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-22-2007, 07:36 PM   #1
dontrotter
LQ Newbie
 
Registered: Oct 2007
Posts: 5

Rep: Reputation: 0
Question iptables rules to allow Virus Scanner to Update


Hi -

I have IPCop 1.4.16 running with AdvProxy and have just added the iptables rule to drop all traffic to a variety of ports (see rc.firewall.local below).

The virus scanner wants to go out on port 80 and come back on a port >1024. I had a stab at adding the rules to allow this but it doesn't seem to work. I a newbie with this rules and was trying to glean the proper format from the available online docs. I maked the rules with *out and *in

Any help appreciated!

Don

#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
start)
## add your 'start' rules here
#Added for zerina start - BEGIN
/usr/local/bin/openvpnctrl --create-chains-and-rules
#Added for zerina start - END
*out /sbin/iptables -A FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p
TCP -m multiport --dport 80,443 -j ACCEPT
*in /sbin/iptables -A FORWARD -d 0/0 -o eth0 -s 193.86.3.36 -i eth1 -p TCP -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i eth0 -o eth1 -p tcp -m mport --dports 80,81,443,3128,6588,8000,8080,8181 -j DROP

;;
stop)
## add your 'stop' rules here
#Added for zerina stop - BEGIN
/usr/local/bin/openvpnctrl --delete-chains-and-rules
#Added for zerina stop - END
;;
reload)
$0 stop
$0 start
## add your 'reload' rules here
;;
*)
echo "Usage: $0 {start|stop|reload}"
;;
esac
 
Old 10-22-2007, 08:03 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Try changing this:
Code:
/sbin/iptables -A FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p TCP \
-m multiport --dport 80,443 -j ACCEPT

/sbin/iptables -A FORWARD -d 0/0 -o eth0 -s 193.86.3.36 -i eth1 -p TCP \
-m state --state ESTABLISHED -j ACCEPT
To this:
Code:
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p TCP \
-m multiport --dports 80,443 -m state --state NEW -j ACCEPT

Also, is it fair to assume IP forwarding is enabled and your POSTROUTING rule for SNAT/MASQUERADE is being executed somewhere else? I ask because there is nothing of that sort in what you posted. You can confirm this for us by posting these:

Code:
cat /proc/sys/net/ipv4/ip_forward
Code:
iptables -t nat -nvL POSTROUTING

Last edited by win32sux; 10-22-2007 at 08:08 PM.
 
Old 10-22-2007, 08:36 PM   #3
dontrotter
LQ Newbie
 
Registered: Oct 2007
Posts: 5

Original Poster
Rep: Reputation: 0
Hi -

Thanks for the reply. I changed the rules and still see the virus scanner asking for the outbound connection [SYN] in wireshark. The ip_forward value is 1 and the following table shows the output of the iptables command you suggested:

Chain POSTROUTING (policy ACCEPT 682 packets, 45192 bytes)
pkts bytes target prot opt in out source destination
6773 470K CUSTOMPOSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
6773 470K REDNAT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x1 to:192.168.200.1


Thanks again!

Don
 
Old 10-22-2007, 08:43 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Did you make sure the old rules were removed from the active configuration before executing the new ones?

Could we see your FORWARD chain?
Code:
iptables -nvL FORWARD
Please use code tags when posting output.

Last edited by win32sux; 10-22-2007 at 08:45 PM.
 
Old 10-22-2007, 09:43 PM   #5
dontrotter
LQ Newbie
 
Registered: Oct 2007
Posts: 5

Original Poster
Rep: Reputation: 0
Hi -

Here's the output from FORWARD (in code tags this time, sorry). Behavious of the AV seems to be the same :-(

Thanks!

Don
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  154 10352 ipac~fi    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  154 10352 ipac~fo    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  171 12114 BADTCP     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   98  4704 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
  171 12114 CUSTOMFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   13  1619 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   60  5791 IPSECVIRTUAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   60  5791 OPENSSLVIRTUAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0           state NEW 
    0     0 DROP       all  --  *      *       0.0.0.0/0            127.0.0.0/8         state NEW 
   60  5791 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 WIRELESSFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 REDFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 PORTFWACCESS  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            193.86.3.36         multiport dports 80,443 state NEW 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `OUTPUT ' 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            193.86.3.36         multiport dports 80,443 state NEW
 
Old 10-22-2007, 09:57 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Okay, you have tons of user-built chains which the packets must traverse first before getting to your rules. So the packets could be getting filtered in any of those chains. Do you have logging setup for any rule that sends packets to DROP? It's a good idea, as you could see what is happening, and where. That said, a quick fix for your problem could be to simply insert the rules above all the others, so that you know the packets will pass through it. For this, we basically just change the "-A" to a "-I", and invert the order of execution:
Code:
/sbin/iptables -I FORWARD -i eth0 -d 193.86.3.36 -o eth1 -p TCP \
-m multiport --dports 80,443 -m state --state NEW -j ACCEPT

/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
This should definitely work. If it doesn't, then you need to determine why the packets aren't matching.

This would once again imply looking at the log file in most cases.

Last edited by win32sux; 10-22-2007 at 10:08 PM.
 
Old 10-22-2007, 10:26 PM   #7
dontrotter
LQ Newbie
 
Registered: Oct 2007
Posts: 5

Original Poster
Rep: Reputation: 0
Thumbs up

Hi -

Success! By keeping wireshark running, I could see the connection to the site and then it would fail again. The site is actually handing off to another server, so I added a rule for the return IP and voila - successful update!

Thanks so much for all your help - both service and turnaround time are outstanding!

Don
 
Old 10-22-2007, 10:32 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
I'm glad you got it sorted. BTW, welcome to LQ!!!
 
Old 10-22-2007, 11:06 PM   #9
dontrotter
LQ Newbie
 
Registered: Oct 2007
Posts: 5

Original Poster
Rep: Reputation: 0
Talking

Hi -

I added all the alternate IPs that the AV scanner seems to query (both home and handoff) and it works flawlessly now. My next challenge is to do the same thing for ClamAV but that's tomorrow's problem...

As a Newbie, its very nice to have such great folks helping out. I really appreciate the help!

Cheers!

Don
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables 1.27a still loading rules after installing iptables 1.3.0 yawe_frek Linux - Software 1 06-07-2007 10:50 PM
iptables rules conflict with downloading LinuxShield virus defs billgist90018 Linux - Networking 1 01-16-2006 09:11 PM
Virus Scanner jenny_psion Linux - Security 3 11-22-2005 05:05 AM
virus scanner. RoaCh Of DisCor Linux - Software 1 08-24-2004 03:35 PM
Do I Need a Virus Scanner? DeleriA Linux - Security 4 03-08-2003 02:22 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:07 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration