Linux - Security forum, LinuxQuestions.org
08-22-2006, 10:34 PM | #1
Member | Registered: Jul 2004 | Posts: 171
One of my iptables rules is making X not work
Hello. I use a script to create my iptables configuration. It works very well on my server (that doesn't have X installed) and does a pretty good job of blocking nmap and nessus. However, when I try to use this on my desktop. . .blammo! X doesn't work correctly. What happens is X starts and gdm starts up fine, I log in and it just hangs. Would anyone mind taking a look at my script and telling me where the problem might be?
Code:
#!/bin/sh
# Firewall script: "start" loads the rule set, "stop" leaves only a
# permissive stateful rule in place, "restart" does both.
IPTABLES=/sbin/iptables
MYSUBNET=<obfuscated>
SERVER=<obfuscated>
case "$1" in
start)
    echo -n "Starting IP Firewall. . ."
    # Clear old rules
    $IPTABLES -X
    $IPTABLES -F
    $IPTABLES -Z
    # Turning on boolean protections
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    # Create LOGDROP chain: log the packet, then drop it
    $IPTABLES -N LOGDROP
    $IPTABLES -A LOGDROP -j LOG --log-level debug
    $IPTABLES -A LOGDROP -j DROP
    ###########################################################################################
    # Stuff between the lines of comments is there to block nmap.
    $IPTABLES -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j LOGDROP
    $IPTABLES -A INPUT -i eth0 -f -j LOGDROP
    $IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j LOGDROP
    $IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j LOGDROP
    $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j LOGDROP
    $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOGDROP
    $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOGDROP
    $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOGDROP
    $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j LOGDROP
    $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags URG,ACK URG -j LOGDROP
    # Rate-limit new connections; SYNs above the limit are logged and dropped
    $IPTABLES -N syn_flood
    $IPTABLES -A INPUT -p tcp --syn -j syn_flood
    $IPTABLES -A syn_flood -m limit --limit 1/s --limit-burst 2 -j RETURN
    $IPTABLES -A syn_flood -j LOGDROP
    ############################################################################################
    # INPUT Rules - Add to this section the ports you wish to explicitly allow connections on
    # Below are some common services that are commonly used
    # Comment out the lines to disable access to these services
    # The port numbers for other services you may wish to allow can be found in the /etc/services file
    # (the subnet and host variables are expanded with $; a bare MYSUBNET would be
    # handed to iptables as a hostname to resolve)
    # Refuse input packets spoofed as the loopback
    $IPTABLES -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
    $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT   # Allows connections you start
    $IPTABLES -A INPUT -i eth0 -p tcp -s "$MYSUBNET" --dport 21 -j ACCEPT       # Allow FTP connections
    $IPTABLES -A INPUT -i eth0 -p udp -s "$MYSUBNET" --dport 21 -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p tcp -s "$MYSUBNET" --dport 22 -j ACCEPT       # SSH connections
    # NTP
    $IPTABLES -A INPUT -i eth0 -p tcp -s "$MYSUBNET" --dport 123 -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p udp -s "$MYSUBNET" --dport 123 -j ACCEPT
    # vmware
    $IPTABLES -A INPUT -i eth0 -p tcp -s "$MYSUBNET" --dport 902 -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p udp -s "$MYSUBNET" --dport 902 -j ACCEPT
    # Allow pings from certain hosts but reject the rest
    $IPTABLES -A INPUT -i eth0 -p icmp -s "$SERVER" -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p icmp -j LOGDROP
    # Everything else arriving on eth0 is logged and dropped
    $IPTABLES -A INPUT -i eth0 -m state --state NEW -j LOGDROP
    $IPTABLES -A INPUT -i eth0 -j DROP
    echo "done."
    ;;
stop)
    echo -n "Stopping IP Firewall and NAT..."
    $IPTABLES -X
    $IPTABLES -F
    $IPTABLES -Z
    # Input Rules: keep replies to our own connections, reject the rest
    $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -j REJECT
    echo "done."
    ;;
restart)
    echo -n "Restarting IP Firewall and NAT..."
    $0 stop > /dev/null
    sleep 1
    $0 start > /dev/null
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    ;;
esac
I'm also getting a problem with a 'too many links' error but I really have no idea what might be causing that.
08-23-2006, 12:28 AM | #2
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Looks like you're missing a rule for your loopback interface...
Code:
$IPTABLES -I INPUT -i lo -j ACCEPT
Last edited by win32sux; 08-23-2006 at 05:11 AM.
08-23-2006, 12:55 AM | #3
Member | Registered: Feb 2005 | Location: ~h3av3n~ | Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04 | Posts: 227
See, the best way to troubleshoot iptables is LOG:
Add this rule at the end of the INPUT chain:
Code:
$IPTABLES -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "Firewall: INPUT died: "
And then monitor:
Code:
tail -f /var/log/messages
You should find the missing rule.
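An added example, not from the thread, of reading what the LOG target writes to /var/log/messages, whether from the script's LOGDROP chain (no prefix) or from the "INPUT died" rule above: it groups every logged packet by inbound interface, protocol and destination port, so a pile of drops with IN=lo points straight at the missing loopback rule from post #2. The log lines are constructed in the kernel LOG-target format; X accepting connections on TCP port 6000 is an assumed sample value.

```shell
#!/bin/sh
# Added example (not the poster's script): summarise kernel LOG-target lines by
# inbound interface, protocol and destination port. Any line carrying an IN=
# field is counted, whatever --log-prefix (if any) was used.
# The log below is constructed; TCP port 6000 (X11) is an assumed sample value.
LOGFILE=$(mktemp)
trap 'rm -f "$LOGFILE"' EXIT
cat > "$LOGFILE" <<'EOF'
Aug 23 00:58:11 desktop kernel: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21093 DF PROTO=TCP SPT=37140 DPT=6000 WINDOW=32767 RES=0x00 SYN URGP=0
Aug 23 00:58:14 desktop kernel: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21094 DF PROTO=TCP SPT=37140 DPT=6000 WINDOW=32767 RES=0x00 SYN URGP=0
Aug 23 00:58:20 desktop kernel: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21095 DF PROTO=TCP SPT=37141 DPT=6000 WINDOW=32767 RES=0x00 SYN URGP=0
Aug 23 00:59:02 desktop kernel: Firewall: INPUT died: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=8 PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=1
Aug 23 00:59:30 desktop kernel: eth0: link up
EOF

# Print "count IN=<iface> <proto> DPT=<port>" per distinct tuple, busiest first.
summarize_drops() {
    awk '{
        iface = ""; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/)    iface = substr($i, 4)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (iface == "") next          # not a LOG-target line, skip it
        count["IN=" iface " " proto " DPT=" dpt]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# Number of logged packets that arrived on the loopback interface. Anything
# above zero means the rule set is catching local traffic, which is exactly
# what an early "-i lo -j ACCEPT" rule prevents.
loopback_drops() {
    summarize_drops "$1" | awk '$2 == "IN=lo" { n += $1 } END { print n + 0 }'
}

summarize_drops "$LOGFILE"
echo "loopback drops: $(loopback_drops "$LOGFILE")"
```

Point it at the real file with `summarize_drops /var/log/messages` once the LOG rule is in place.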
08-23-2006, 10:00 PM | #4
Member | Registered: Jul 2004 | Posts: 171 | Original Poster
d'oh. Always doing silly stuff like forgetting the loopback. Ah well, at least it was something obvious.
08-24-2006, 02:20 AM | #5
LQ Newbie | Registered: Jun 2004 | Location: Germany | Distribution: Various Ubuntu LTS | Posts: 22
But don't forget $IPTABLES -I OUTPUT -o lo -j ACCEPT
08-24-2006, 03:10 AM | #6
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote (Originally Posted by SierraKilo):
But don't forget $IPTABLES -I OUTPUT -o lo -j ACCEPT
Yeah, hehe... OTOH, there are no OUTPUT rules in the script, so I think it's safe to assume the OUTPUT policy is set to ACCEPT...
All times are GMT -5.