LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-22-2006, 10:34 PM   #1
krock923
Member
 
Registered: Jul 2004
Posts: 171

One of my iptables rules is making X not work


Hello. I use a script to create my iptables configuration. It works very well on my server (that doesn't have X installed) and does a pretty good job of blocking nmap and nessus. However, when I try to use this on my desktop... blammo! X doesn't work correctly. What happens is X starts and gdm starts up fine, I log in and it just hangs. Would anyone mind taking a look at my script and telling me where the problem might be?

Code:
IPTABLES=/sbin/iptables
MYSUBNET=<obfuscated>
SERVER=<obfuscated>

case "$1" in
start)
        echo -n "Starting IP Firewall. . ."

        # Clear old rules. Flush (-F) before deleting user chains (-X): a chain
        # that is still referenced by a rule cannot be deleted, and iptables
        # reports "Too many links" when you try.
        $IPTABLES -F
        $IPTABLES -X
        $IPTABLES -Z

        #Turning on boolean protections
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
        echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
        echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

        #Create LOGDROP chain (logs without a prefix, then drops)
        $IPTABLES -N LOGDROP
        $IPTABLES -A LOGDROP -j LOG --log-level debug
        $IPTABLES -A LOGDROP -j DROP



        ###########################################################################################
        #Stuff between the lines of comments is to block nmap.
        #Rules without "-i eth0" (and the syn_flood chain) match on every interface.
        $IPTABLES -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j LOGDROP
        $IPTABLES -A INPUT -i eth0 -f -j LOGDROP
        $IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j LOGDROP
        $IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j LOGDROP
        $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j LOGDROP
        $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOGDROP
        $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOGDROP
        $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOGDROP
        $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j LOGDROP
        $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags URG,ACK URG -j LOGDROP
        #Rate-limit new connections: beyond 1/s (burst 2) every SYN is logged and dropped
        $IPTABLES -N syn_flood
        $IPTABLES -A INPUT -p tcp --syn -j syn_flood
        $IPTABLES -A syn_flood -m limit --limit 1/s --limit-burst 2 -j RETURN
        $IPTABLES -A syn_flood -j LOGDROP
        ############################################################################################

        # INPUT Rules - Add to this section the ports you wish to explicitly allow connections on
        #       Below are some common services that are commonly used
        #       Comment out the lines to disable access to these services
        #       The port numbers for other services you may wish to allow can be found in the /etc/services file


        #Refuse input packets spoofed as the loopback
        $IPTABLES -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP

        $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT       #Allows connections you start
        $IPTABLES -A INPUT -i eth0 -p tcp -s $MYSUBNET --dport 21 -j ACCEPT        #Allow FTP Connections
        $IPTABLES -A INPUT -i eth0 -p udp -s $MYSUBNET --dport 21 -j ACCEPT

        $IPTABLES -A INPUT -i eth0 -p tcp -s $MYSUBNET --dport 22 -j ACCEPT  #SSH Connections

        #NTP
        $IPTABLES -A INPUT -i eth0 -p tcp -s $MYSUBNET --dport 123 -j ACCEPT
        $IPTABLES -A INPUT -i eth0 -p udp -s $MYSUBNET --dport 123 -j ACCEPT

        #vmware
        $IPTABLES -A INPUT -i eth0 -p tcp -s $MYSUBNET --dport 902 -j ACCEPT
        $IPTABLES -A INPUT -i eth0 -p udp -s $MYSUBNET --dport 902 -j ACCEPT

        # Allow pings from certain hosts but reject the rest
        $IPTABLES -A INPUT -i eth0 -p icmp -s $SERVER -j ACCEPT
        $IPTABLES -A INPUT -i eth0 -p icmp -j LOGDROP
        $IPTABLES -A INPUT -i eth0 -m state --state NEW -j LOGDROP
        $IPTABLES -A INPUT -i eth0 -j DROP

        echo "done."
        ;;
stop)
        echo -n "Stopping IP Firewall and NAT..."
        # Same order as in start: flush first, then delete the (now empty) chains
        $IPTABLES -F
        $IPTABLES -X
        $IPTABLES -Z

        # Input Rules
        $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A INPUT -i eth0 -j REJECT
        echo "done."
        ;;

restart)
        echo -n "Restarting IP Firewall and NAT..."
        $0 stop > /dev/null
        sleep 1
        $0 start > /dev/null
        ;;

*)
        echo "Usage: $0 {start|stop|restart}"
        ;;
esac

I'm also getting a problem with a 'too many links' error, but I really have no idea what might be causing that.
 
Old 08-23-2006, 12:28 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

looks like you're missing a rule for your loopback interface...
Code:
$IPTABLES -I INPUT -i lo -j ACCEPT

Last edited by win32sux; 08-23-2006 at 05:11 AM.
 
Old 08-23-2006, 12:55 AM   #3
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

See, the best way to troubleshoot iptables is LOG:
add this rule at the end of the INPUT chain:

$IPTABLES -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "Firewall: INPUT died: "

And then monitor:

tail -f /var/log/messages

You should find the missing rule.
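The "find the missing rule" step above is easier when the log is summarised rather than tailed. The script below is an added example, not code from this thread: it groups netfilter LOG lines by log prefix, input interface, protocol, destination port and TCP flags, so the most frequent drop comes out first. Two assumptions are mine: the sample log lines are constructed (not a real capture), and the local X traffic in them is shown as TCP to port 6000 on lo, which is what an X server listening on TCP would look like. Note that the script's LOGDROP chain has no --log-prefix, so drops from the anti-scan rules and from syn_flood appear with an empty prefix, and that a catch-all LOG rule appended after the script's final "-i eth0 -j DROP" is never reached; put it before that DROP.

```shell
#!/bin/sh
# Added example: summarise what the iptables LOG target has been dropping.
# Assumes the kernel's netfilter log format (IN= OUT= SRC= DST= PROTO= SPT= DPT=
# followed by TCP flag words such as SYN ACK FIN). Real use:
#     grep 'IN=' /var/log/messages | summarize_drops

summarize_drops() {
    # Reads syslog lines on stdin; prints "count prefix|IN|PROTO|DPT|flags",
    # most frequent first. Lines without both IN= and OUT= are not netfilter logs.
    awk '
    /kernel: / && /IN=/ && /OUT=/ {
        # Everything between "kernel: " and the IN= field is the --log-prefix.
        s = index($0, "kernel: ") + 8
        e = index($0, "IN=")
        prefix = substr($0, s, e - s)
        sub(/ +$/, "", prefix)
        if (prefix == "") prefix = "(no prefix)"
        inif = "-"; proto = "-"; dport = "-"; flags = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^IN=./)   inif  = substr($i, 4)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dport = substr($i, 5)
            else if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/) {
                if (flags != "") flags = flags ","
                flags = flags $i
            }
        }
        if (flags == "") flags = "-"
        count[prefix "|" inif "|" proto "|" dport "|" flags]++
    }
    END { for (k in count) print count[k] " " k }
    ' | sort -k1,1nr
}

sample_log() {
    # CONSTRUCTED sample of what this ruleset could log on the desktop: local X
    # client SYNs on lo dropped by syn_flood (no prefix, via LOGDROP), LAN noise
    # and a NetBIOS broadcast hitting the "INPUT died" catch-all, and an nmap
    # Xmas probe caught by the FIN,ACK rule (again no prefix).
    cat <<'EOF'
Aug 23 22:01:01 desk kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4107 DF PROTO=TCP SPT=33801 DPT=6000 WINDOW=32767 RES=0x00 SYN URGP=0
Aug 23 22:01:01 desk kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4108 DF PROTO=TCP SPT=33802 DPT=6000 WINDOW=32767 RES=0x00 SYN URGP=0
Aug 23 22:01:02 desk kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4109 DF PROTO=TCP SPT=33803 DPT=6000 WINDOW=32767 RES=0x00 SYN URGP=0
Aug 23 22:01:05 desk kernel: Firewall: INPUT died: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.20 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=31002 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 23 22:01:09 desk kernel: Firewall: INPUT died: IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:66:08:00 SRC=192.168.1.30 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=51234 DPT=631 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 23 22:01:11 desk kernel: IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:77:08:00 SRC=192.168.1.40 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=777 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
EOF
}

# Stand-alone run on the constructed sample. The top line, "3 (no prefix)|lo|TCP|6000|SYN",
# is the kind of entry that points straight at the missing loopback rule.
sample_log | summarize_drops
```

The key is deliberately coarse (no source address) so that bursts from one local client and a scan from many sources both collapse into a single line; add SRC= to the key when you are hunting a specific host rather than a missing rule.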
 
Old 08-23-2006, 10:00 PM   #4
krock923
Member
 
Registered: Jul 2004
Posts: 171

Original Poster
d'oh. Always doing silly stuff like forgetting the loopback. Ah well, at least it was something obvious.
 
Old 08-24-2006, 02:20 AM   #5
SierraKilo
LQ Newbie
 
Registered: Jun 2004
Location: Germany
Distribution: Various Ubuntu LTS
Posts: 22

But don't forget $IPTABLES -I OUTPUT -o lo -j ACCEPT
 
Old 08-24-2006, 03:10 AM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by SierraKilo
But don't forget $IPTABLES -I OUTPUT -o lo -j ACCEPT
yeah, hehe... OTOH, there's no OUTPUT rules in the script, so i think it's safe to assume the OUTPUT policy is set to ACCEPT...
 