LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-31-2002, 04:29 AM   #1
dwynter
Member
 
Registered: Jun 2002
Distribution: Centos 4.4
Posts: 82

Rep: Reputation: 15
iptables trouble, LAN to MySQL on Firewall


Hi,

I have MySQL running on my firewall machine (MDK 8.2), not ideal but I don't have enough PCs to run it on a different box. When I try to connect to MySQL via JDBC it fails. So I tried pinging the gateway PC on 10.0.0.1, it times out. Here is my entire iptable script, the sections on lan-if and if-lan are the relevant ones for LAN to firewall machine.

It is passing everything from firewall/gateway to LAN

## $IPTABLES -A if-lan -j ACCEPT

and certain ports in the other direction, including that for MySQL (3306)

# MySQL JDBC - (3306/TCP) JDBC access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport 3306 -j ACCEPT



Any ideas?

Here is the whole script.


#!/bin/bash
#
# Startup script to setup iptables firewall.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with iptables.
#
# Script Author: Gawain Lynch <gawain@felicity.net.au>
# Maurice van der Pot <griffn26@lycos.nl>
#
# To jump to different parts of this script, search for:
#
# EXTIF (traffic from the internet to the firewall)
# EXTLAN (traffic from the internet to the local network)
# IFEXT (traffic from the firewall to the internet)
# IFLAN (traffic from the firewall to the local network)
# LANEXT (traffic from the local network to the internet)
# LANIF (traffic from the local network to the firewall)
#
# ----------------------------------------------------------------------------
#


# ----------------------------------------------------------------------------
# General Declarations
#

IPTABLES="/sbin/iptables" # iptables binary location
#IPTABLES=echo
ECHO="echo Firewall -"

case "$1" in
stop)
$ECHO "Shutting down firewall..."
$IPTABLES -P FORWARD DROP
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t mangle -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -X
;;

status)
$ECHO "Status is not supported for firewall"
;;
restart|reload)
$0 stop
$0 start
;;
start)

$ECHO "Loading required modules"

/sbin/depmod -a

#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

#
# Support for owner matching
#
#/sbin/modprobe ipt_owner

#
# Support for connection tracking of FTP and IRC.
#
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

#
# Support for NAT
#
/sbin/modprobe ip_nat_ftp

$ECHO "Defining script variables"
# ----------------------------------------------------------------------------
# Interface Declarations
#
LOOPBACK="127.0.0.0/8" # Loopback interface
LAN_IF="eth0" # First internal interface
EXT_IF="ppp0" # First external interface
LAN_IF_ADDR="10.0.0.1" # IP Address of internal interface
EXT_IF_ADDR="213.***.***.**" # Leave blank if dynamically obtained
LANSUBNET="10.0.0.0/8" # Local network address range
#
# ----------------------------------------------------------------------------
# IP Network Declarations
#
ANY="any/0" # anywhere
CLASS_A="10.0.0.0/8" # Class A Private Network
CLASS_B="172.16.0.0/12" # Class B Private Network
CLASS_C="192.168.0.0/16" # Class C Private Network
CLASS_D_MULTICAST="224.0.0.0/4" # Class D Multicast Network
CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E Reserved Network
BROADCAST_SRC="0.0.0.0" # Broadcast Source Address
BROADCAST_DEST="255.255.255.255" # Broadcast Dest. Address
#
# ----------------------------------------------------------------------------
# External servers
#
SYSLOGHOST=""
#
# ----------------------------------------------------------------------------
# External servers
#
DNS1=""
DNS2=""
#
# ----------------------------------------------------------------------------
# Banned addresses
#
# Enter host or network addresses separated by a space. If you need to wrap
# around to a new line, then finish the existing line with a backslash "\".
#
# BANNED_ADDR="1.2.3.4 1.4.210.0/24 \
# 101.2.34.5"
#
BANNED_ADDR=""
#
# ----------------------------------------------------------------------------
# Set up IP address for external interface if the address setting is left
# blank in the variables section. Exit with 1 if address not found
#
if [ -z $EXT_IF_ADDR ] ; then
$ECHO "Determining external interface dynamic address"
export EXT_IF_ADDR_DYN="`ifconfig $EXT_IF 2>/dev/null | \
grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`/32"
#
if [ $EXT_IF_ADDR_DYN = "/32" ] ; then
$ECHO "External interface not active... Exiting without changes!"
exit 1
else
$ECHO "External interface dynamic address is: " $EXT_IF_ADDR_DYN
fi
fi
#

# We always flush the ruleset before starting so that we don't just add
# to the existing ruleset when the script is run.
#
$ECHO "Flushing rules"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -t mangle -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -X
#
#--------------------------------------------------------------------
$ECHO "Setting default filter policy"
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# ----------------------------------------------------------------------------
$ECHO "Blocking everything till configuration loaded... Pucker!"
# Still allow unlimited traffic on the loopback interface
# This allows local apps to function but denys all other
# traffic on all other interfaces
# Inserting these rules forcefully at rule #1 may be overkill,
# but how many previously theoretical exploits are now possible!
$IPTABLES --insert INPUT 1 -i ! lo -j DROP
$IPTABLES --insert OUTPUT 1 -j DROP
$IPTABLES --insert FORWARD 1 -j DROP
#
# ----------------------------------------------------------------------------
# Unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#

$ECHO "Creating Chains"
# ----------------------------------------------------------------------------
# Create Local Packet Filtering Chains
# We create one chain for each source/destination pair
$ECHO " Created Packet Filtering Chains for Local Packets"
$IPTABLES -N lan-if
$IPTABLES -N ext-if
$IPTABLES -N if-lan
$IPTABLES -N if-ext
#
# Create Packet Filtering Chains for Through Packets
# Split forward chain into various user chains depending on source/dest
# interfaces; this breaks the problem down into manageable chunks.
$ECHO " Created Packet Filtering Chains for Forward Packets"
$IPTABLES -N lan-ext
$IPTABLES -N ext-lan
#
# Create Packet Filtering Chain for ICMP Packets
# Accepting standard error ICMPs is a common thing to do,
# so we create a chain for it.
#
$ECHO " Created Packet Filtering Chains for Forward ICMP Packets"
$IPTABLES -N icmp-acc
#
# Create Packet Filtering Chain for permanently banned addresses
# Sometimes IP addresses can be identified as bad for what ever reason
# By adding rules to this chain you can block all traffic to and from
# an IP address of range. This is very useful for things like
# known sources for Trojans and some worms.
# Packets will flow through this chain and if they don't match any
# rules, they will be returned to the calling chain.
#
$ECHO " Created Packet Filtering Chains for Banned Addresses"
$IPTABLES -N banned
#
# Create Packet Sanity Chain
# This chains checks incoming packets to make sure they are valid
# Internet addresses. There are several ranges of IP addresses that
# have been set aside by IANA for use on private networks and
# therefore should NEVER be accepted as a source address from the
# Internet.
#
$ECHO " Created Packet Sanity Chain"
$IPTABLES -N sanity
#
# Create Attack Chain
# This chains drops and logs all incoming packets indicating
# several types of attacks/scans
$ECHO " Created Attack Chain"
$IPTABLES -N attack
# Create Blocked Traffic Chain
# This chains checks incoming packets to make sure they are valid
#
$ECHO " Created Blocked Traffic Chain"
$IPTABLES -N blocked
#

#
# Masquerading
NATENTRY="$IPTABLES -t nat -A PREROUTING -i $EXT_IF -d $EXT_IF_ADDR -j DNAT"

$ECHO "Enabling masquerading"
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IF_ADDR
#
$ECHO "Adding NAT rules"
#
# Example of a NAT entry
# $NATENTRY -p tcp --dport 2234 --to-destination 192.168.188.2
#

$ECHO "Jumps"
# ----------------------------------------------------------------------------
# Jumps From forward Chain
# Unfortunately, we only know (in the forward chain) the outgoing
# interface. Thus, to figure out what interface the packet came in on,
# we use the source address (the anti-spoofing prevents address faking).
#
# Note that we log anything which doesn't match any of these (obviously,
# this should never happen).
# ----------------------------------------------------------------------------
# INPUT jumps
$ECHO " Input Jumps"
#
# Check for packet sanity
$IPTABLES -A INPUT -i $EXT_IF -j sanity
#
# Check for banned addresses
$IPTABLES -A INPUT -j banned
#
# Check for attacks
$IPTABLES -A INPUT -j attack
#
# Local interface input
$IPTABLES -A INPUT -i $EXT_IF -d $EXT_IF_ADDR -j ext-if
$IPTABLES -A INPUT -i $LAN_IF -d $LAN_IF_ADDR -j lan-if
#
# A rule to allow INPUT from the LAN to get to the outside
$IPTABLES -A INPUT -i $LAN_IF -d $EXT_IF_ADDR -j lan-if
#
# Deny and log all other traffic
$IPTABLES -A INPUT -j blocked
#
# FORWARD jumps
# We don't care where inbound traffic is coming from,
# only that it is not from internal
$ECHO " Forward Jumps"
#
# Check for packet sanity on traffic from the Internet only
$IPTABLES -A FORWARD -s ! $LANSUBNET -j sanity
#
# Check for attack on traffic from the Internet only
$IPTABLES -A FORWARD -s ! $LANSUBNET -j attack
#
$IPTABLES -A FORWARD -s $LANSUBNET -o $EXT_IF -j lan-ext
$IPTABLES -A FORWARD -s $ANY -o $LAN_IF -j ext-lan
#
# Deny and log all other traffic
$IPTABLES -A FORWARD -j blocked
#
# OUTPUT jumps
$ECHO " Output Jumps"
# Check for banned addresses
$IPTABLES -A OUTPUT -j banned
#
# Local interface output
$IPTABLES -A OUTPUT -o $EXT_IF -s $EXT_IF_ADDR -j if-ext
$IPTABLES -A OUTPUT -o $LAN_IF -s $LAN_IF_ADDR -j if-lan
#
#
$IPTABLES -A OUTPUT -o $LAN_IF -s $EXT_IF_ADDR -j if-lan
#
# Reject and log all other traffic
$IPTABLES -A OUTPUT -j DROP
#

$ECHO "Building LAN to LAN Interface Chain"
# ----------------------------------------------------------------------------
#
# LANIF
#
# LAN to LAN interface restrictions:
# - ftp - File transfer from the LAN to the firewall
# - ssh - Secure shell access from the LAN to the firewall
# - telnet - Shell access from the LAN to the firewall
# - smtp - Shell access from the LAN to the firewall
# - pop - Shell access from the LAN to the firewall
# - sftp - Secure file transfer from the LAN to the firewall
#
# FTP - (21/TCP) Ftp access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport ftp -j ACCEPT
#
# SSH - (22/TCP) Secure shell access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport ssh -j ACCEPT
#
# TELNET - (23/TCP) Telnet access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport telnet -j ACCEPT
#
# SMTP - (25/TCP) SMTP access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport mail -j ACCEPT
#
# POP - (110/TCP) POP access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport pop-3 -j ACCEPT
#
# HTTP - (80) HTTP
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport www -j ACCEPT
#
# SMB - (137/UDP) Netbios NS access
$IPTABLES -A lan-if -p udp -s $LANSUBNET --dport 137 -j ACCEPT
#
# SMB - (137/TCP) Netbios NS access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport 137 -j ACCEPT
#
# SMB - (138/TCP) Netbios DGM access
$IPTABLES -A lan-if -p udp -s $LANSUBNET --dport 138 -j ACCEPT
#
# SMB - (138/TCP) Netbios DGM access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport 138 -j ACCEPT
#
# SMB - (139/TCP) Netbios SSN access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport 139 -j ACCEPT
#
# MySQL JDBC - (3306/TCP) JDBC access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport 3306 -j ACCEPT
#
# Servlet - (8080/TCP) Servlet access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport 8080 -j ACCEPT
#
# Servlet - (8081/TCP) Servlet access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport 8081 -j ACCEPT
#
# SFTP - (115/TCP) Secure ftp (over ssh)
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport sftp -j ACCEPT
#
# SYSLOG - (514/UDP) System and kernel logging to central logging host.
# This logging is done in case an attacker wipes the logs
# on your firewall machine.
#
# Remote logging helps to reconstruct what happens around the
# time of an attempted system/network compromise. This information
# can also be submitted to the DShield.org database for Internet
# nasties. See www.dshield.org for more information.
#
# To achieve remote logging, add the following line to your
# /etc/syslog.conf on your firewall machine:
#
# ker.*;authpriv.*;*.warn;*.err @loghost.yourdomain
#
# And your Syslog host, change the script command that starts
# syslogd to include the -r switch, usually found in
# /etc/init.d/syslog. This tells syslog to accept remote logging
# from remote hosts
#
# NOTE: You must restart syslogd or reboot to make these changes
# work.
#
#$IPTABLES -A lan-if -p udp -s $LAN_IF_ADDR \
# -d $SYSLOGHOST syslog -j ACCEPT
#
# ICMP Chain Jump
$IPTABLES -A lan-if -j icmp-acc
#
# Allow related packets
$IPTABLES -A lan-if -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Reject remaining traffic
$IPTABLES -A lan-if -j blocked
#

$ECHO "Building LAN Interface to LAN Chain"
# ----------------------------------------------------------------------------
#
# IFLAN
#
# This chain handles all traffic from the firewall to the rest of the LAN
#
# Accept all traffic
$IPTABLES -A if-lan -j ACCEPT
#

$ECHO "Building Internet to External Interface Chain"
# ----------------------------------------------------------------------------
#
# EXTIF
#
# External interface restrictions:
# - ftp - File transfer from the internet to the firewall
# - ssh - Secure shell access from the internet to the firewall
# - telnet - Shell access from the internet to the firewall
# - smtp - Shell access from the internet to the firewall
# - pop - Shell access from the internet to the firewall
# - sftp - Secure file transfer from the internet to the firewall
#
# FTP - (21/TCP) Ftp access
$IPTABLES -A ext-if -p tcp --dport ftp -j ACCEPT
#
# SSH - (22/TCP) Secure shell access
$IPTABLES -A ext-if -p tcp --dport ssh -j ACCEPT
#
# TELNET - (23/TCP) Telnet access
$IPTABLES -A ext-if -p tcp --dport telnet -j ACCEPT
#
# SMTP - (25/TCP) SMTP access
$IPTABLES -A ext-if -p tcp --dport mail -j ACCEPT
#
# POP - (110/TCP) POP access
$IPTABLES -A ext-if -p tcp --dport pop-3 -j ACCEPT
#
# HTTP - (80/TCP) HTTP access
$IPTABLES -A ext-if -p tcp --dport www -j ACCEPT
#
# Servlet - (8080/TCP) Servlet access
$IPTABLES -A ext-if -p tcp --dport 8080 -j ACCEPT
#
# Servlet - (8081/TCP) Servlet access
$IPTABLES -A ext-if -p tcp --dport 8081 -j ACCEPT
#
# SFTP - (115/TCP) Secure ftp (over ssh)
$IPTABLES -A ext-if -p tcp --dport sftp -j ACCEPT
#
# eDonkey - (4661-4665/UDP-TCP)
$IPTABLES -A ext-if -p tcp --dport 4661:4665 -j ACCEPT
$IPTABLES -A ext-if -p udp --dport 4661:4665 -j ACCEPT
#
# Rules for outbound traceroute
$IPTABLES -A ext-if -p tcp --dport 61000:65095 -j ACCEPT
$IPTABLES -A ext-if -p udp --dport 61000:65095 -j ACCEPT
#
# ICMP Chain Jump
$IPTABLES -A ext-if -j icmp-acc
#
# Allow related packets
$IPTABLES -A ext-if -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A ext-if -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Reject remaining traffic
$IPTABLES -A ext-if -j blocked
#

$ECHO "Building External Interface to Internet Chain"
# ----------------------------------------------------------------------------
#
# IFEXT
#
# Accept all traffic
$IPTABLES -A if-ext -j ACCEPT
#

$ECHO "Building LAN -> External Chain"
# ----------------------------------------------------------------------------
#
# LANEXT
#
# This chain handles all forwarded traffic originating from the
# internal LAN destined for the Internet.
#
# Accept all traffic
$IPTABLES -A lan-ext -j ACCEPT
#

$ECHO "Building External -> LAN Chain"
# ----------------------------------------------------------------------------
#
# EXTLAN
#
# This chain handles all forwarded traffic originating from the
# External destined for the internal LAN
# External -> LAN restrictions:
#
# Accept all incoming traffic (non-masqueraded traffic will be
# blocked by the EXTIF chain.
$ECHO " Accepting all masqueraded traffic"
$IPTABLES -A ext-lan -j ACCEPT
#

$ECHO "Building ICMP Chain"
# ----------------------------------------------------------------------------
$IPTABLES -A icmp-acc -p icmp --icmp-type redirect -j blocked
$IPTABLES -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
$IPTABLES -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
#

$ECHO "Building Banned Chain"
# ----------------------------------------------------------------------------
for banned_addr in $BANNED_ADDR ; do
$IPTABLES -A banned -p tcp -d $banned_addr -j blocked
$IPTABLES -A banned -p tcp -s $banned_addr -j blocked
done
#
# Send valid packets back to the chain that they came from.
$IPTABLES -A banned -j RETURN
#

$ECHO "Building Attack Chain"
# ----------------------------------------------------------------------------
$IPTABLES -A attack -p tcp --dport 6670 -m limit -j LOG --log-level 6 --log-prefix "Deepthroat scan "
$IPTABLES -A attack -p tcp --dport 6670 -j DROP
$IPTABLES -A attack -p tcp --dport 6711 -m limit -j LOG --log-level 6 --log-prefix "Subseven scan "
$IPTABLES -A attack -p tcp --dport 6711 -j DROP
$IPTABLES -A attack -p tcp --dport 6712 -m limit -j LOG --log-level 6 --log-prefix "Subseven scan "
$IPTABLES -A attack -p tcp --dport 6712 -j DROP
$IPTABLES -A attack -p tcp --dport 6713 -m limit -j LOG --log-level 6 --log-prefix "Subseven scan "
$IPTABLES -A attack -p tcp --dport 6713 -j DROP
$IPTABLES -A attack -p tcp --dport 12345 -m limit -j LOG --log-level 6 --log-prefix "Netbus scan "
$IPTABLES -A attack -p tcp --dport 12345 -j DROP
$IPTABLES -A attack -p tcp --dport 12346 -m limit -j LOG --log-level 6 --log-prefix "Netbus scan "
$IPTABLES -A attack -p tcp --dport 12346 -j DROP
$IPTABLES -A attack -p tcp --dport 20034 -m limit -j LOG --log-level 6 --log-prefix "Netbus scan "
$IPTABLES -A attack -p tcp --dport 20034 -j DROP
$IPTABLES -A attack -p tcp --dport 31337 -m limit -j LOG --log-level 6 --log-prefix "Back orifice scan "
$IPTABLES -A attack -p tcp --dport 31337 -j DROP
$IPTABLES -A attack -p tcp --dport 6000 -m limit -j LOG --log-level 6 --log-prefix "X-Windows Port "
$IPTABLES -A attack -p tcp --dport 6000 -j DROP
$IPTABLES -A attack -j RETURN

$ECHO "Building Sanity Chain"
# ----------------------------------------------------------------------------
$IPTABLES -A sanity -s $CLASS_A -j blocked
$IPTABLES -A sanity -s $CLASS_B -j blocked
$IPTABLES -A sanity -s $CLASS_C -j blocked
$IPTABLES -A sanity -s $CLASS_D_MULTICAST -j blocked
$IPTABLES -A sanity -s $CLASS_E_RESERVED_NET -j blocked
$IPTABLES -A sanity -j RETURN
#
$ECHO "Building Blocked Traffic Chain"
# ----------------------------------------------------------------------------
# Block everything that enters this chain
$IPTABLES -A blocked -i ! $EXT_IF -j REJECT

# Only log everything that gets past the previous lines
$IPTABLES -A blocked -s ! $LANSUBNET -m limit -j LOG --log-level 6 --log-prefix "BLOCKED EXT PACKET: "
$IPTABLES -A blocked -s $LANSUBNET -m limit -j LOG --log-level 6 --log-prefix "BLOCKED SPOOFED PACKET: "
$IPTABLES -A blocked -j REJECT
#
$ECHO "Finishing configuration"
# ----------------------------------------------------------------------------
#
$ECHO " Remove initial fail-safe Blocking Rules"
$IPTABLES -D INPUT 1
$IPTABLES -D FORWARD 1
$IPTABLES -D OUTPUT 1
# For debugging
$IPTABLES -L -v
# ----------------------------------------------------------------------------
# Set security proc flags
$ECHO " Setting proc flags"
#
# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Enable TCP SYN Cookie Protection
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
#
# Enable always defragging Protection
#echo 1 > /proc/sys/net/ipv4/ip_always_defrag
#
# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#
# Enable IP spoofing protection, turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
#
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
#
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
#
##############################################################################
# End of Script
 
Old 10-31-2002, 02:14 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
The essence of tracing lost packets is to fill the script with -j LOG rules, then look at your chosen logfile to see what is dropped and where.
A default log file will be /var/log/messages, but if you add
kern.=info /var/log/info
to your /etc/sylog.conf file and restart syslog, you will have a clearer file /var/log/info to read.
Watch for connections from your pc and then for rejections. The --log-prefix " " will tell you where the rule that did/didn't match is.
Have a look at the -j LOG examples here.

Also do netstat -tan and -uan to make sure the firewall is listening on the MySQL ports.

Regards,
Peter

Last edited by peter_robb; 10-31-2002 at 03:09 PM.
 
Old 10-31-2002, 05:10 PM   #3
dwynter
Member
 
Registered: Jun 2002
Distribution: Centos 4.4
Posts: 82

Original Poster
Rep: Reputation: 15
No info file created?

Hi Peter,

I followed your instructions and added th eline

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

to my iptables script just after the OUTPUT jumps. I restarted syslog after taking the comment out of the line syslog.conf for the .kern logging. I then tried to connect via JDBC from the W2K PC to MySQL running on my Linux box and it failed as expected ( I had checked, the Linux box is listening on port 3306).

I had a look at the info file and it had no lines added since trying to connect. The most recent were for for packets from external (ppp0). What do you suggest next?

David
 
Old 11-01-2002, 06:50 AM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Change all the "-j LOG --log-level" entries to 6 or info.
This will direct them to /var/log/messages by default.

If you have added the "kern.=info /var/log/info" line to /etc/sylog.conf file, you will also get them there to read.

Add these lines to the end of the script to make some logging entries.
$IPTABLES -t nat -I PREROUTING -j LOG --log-prefix "incoming_nat " --log-level 6
$IPTABLES -t nat -A PREROUTING -j LOG --log-prefix "leaving_nat " --log-level 6
$IPTABLES -I INPUT -j LOG --log-prefix "incoming_input " --log-level 6
$IPTABLES -A INPUT -j LOG --log-prefix "leaving_input " --log-level 6

This will make 4 log entries for a packet that successfully entered the firewall localhost.
If the packets don't get to any of the log rules, they are being dropped before that rule.
Next job is to move the log rules around until you can identify the offending rule...
To find which rule belongs on which line use
iptables -t nat -nL --line-numbers
iptables -nL --line-numbers

Regards,
Peter

Last edited by peter_robb; 11-01-2002 at 06:53 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Iptables with iptables-firewall.conf arno's matt3333 Slackware 16 06-28-2007 07:20 AM
Iptables firewall in multiple lan interfaces Neelesh Linux - Security 3 07-31-2004 01:19 PM
LAN & firewall problem ZaphyR Linux - Networking 2 07-28-2004 02:43 PM
programming iptables for LAN. josedsilva Linux - Networking 0 04-29-2002 05:24 AM
FTP from LAN by using IPTABLES fddi1 Linux - Networking 0 10-03-2001 06:59 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:51 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration