Old 09-13-2003, 11:28 PM   #1
Patryn999
LQ Newbie
 
Registered: Jun 2003
Posts: 5

Rep: Reputation: 0
Why won't this work? (Firewall)


Hey, I pieced a firewall together from a couple of exemplars, making my own adjustments, but I can't get it to forward properly. Squid works fine and so does SSH. But actual packet forwarding seems to get dropped or denied somewhere.
I adjusted the Forward ruleset to the basics and it still won't work, so if you can see the problem or have any idea, could you please tell me?

(You can see the old way still at the bottom (commented), but that didn't work either.)


Cheers
Patryn


#!/bin/sh
####################################################################
# Pre-Rules firewall stuff
####################################################################
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig
#echo " - Verifying that all kernel modules are ok"
#$DEPMOD -a

echo -en " Loading kernel modules: "

#Load the main body of the IPTABLES module - "ip_tables"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "$($LSMOD | $GREP ip_tables | $AWK '{print $1}')" ]; then
    $INSMOD ip_tables
fi


#Load the IPTABLES filtering module - "iptable_filter"
#
# - Loaded automatically when filter policies are activated


#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module

# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "$($LSMOD | $GREP ip_conntrack | $AWK '{print $1}')" ]; then
    $INSMOD ip_conntrack
fi


#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "$($LSMOD | $GREP ip_conntrack_ftp | $AWK '{print $1}')" ]; then
    $INSMOD ip_conntrack_ftp
fi


#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en " ip_conntrack_irc, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "$($LSMOD | $GREP ip_conntrack_irc | $AWK '{print $1}')" ]; then
    $INSMOD ip_conntrack_irc
fi


#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "$($LSMOD | $GREP iptable_nat | $AWK '{print $1}')" ]; then
    $INSMOD iptable_nat
fi


#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_nat_ftp"
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "$($LSMOD | $GREP ip_nat_ftp | $AWK '{print $1}')" ]; then
    $INSMOD ip_nat_ftp
fi

echo " ---"

# Just to be complete, here is a list of the remaining kernel modules
# and their function. Please note that several modules should only be
# loaded by the correct master kernel module for proper operation.
# --------------------------------------------------------------------
#
# ipt_mark - this target marks a given packet for future action.
# This automatically loads the ipt_MARK module.
#
# ipt_tcpmss - this target allows the TCP MSS option to be manipulated
# for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module.
#
# ipt_limit - this target allows packets to be limited to a given number
# of hits per sec/min/hr.
#
# ipt_multiport - this match allows a rule to cover a range of port
# numbers rather than listing each port individually.
#
# ipt_state - this match allows packets to be caught with various
# IP and TCP flags set/unset.
#
# ipt_unclean - this match allows packets with invalid IP/TCP flags
# set to be caught.
#
# iptable_filter - this module allows packets to be DROPped, REJECTed,
# or LOGged. This module automatically loads the following modules:
#
# ipt_LOG - this target allows packets to be logged.
#
# ipt_REJECT - this target DROPs the packet and returns a configurable
# ICMP packet to the sender.
#
# iptable_mangle - this target allows packets to be manipulated for
# things like the TCPMSS option, etc.


# CRITICAL: Enable IP forwarding, since it is disabled by default.
# This is the runtime equivalent of changing
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
# in the distribution's network configuration.
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable the following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " ---"




####################################################################
# The RULES!!!!!!
####################################################################
echo "Assigning Rule-based variables"

# Internal Variables
INTIF="eth0"
INTIP="192.168.0.11"
INTRANGE="192.168.0.0/24"

# External Variables
EXTIF="ppp0"
EXTIP="`$IFCONFIG $EXTIF | $AWK \
/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"

# Rate Limits
SYNOPT="-m limit --limit 5/second --limit-burst 10"
LOGOPT="--log-level info -m limit --limit 1/second --limit-burst 10"

# BAD stuff
BADIPS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 255.255.255.255"
BADPORT="135:139 445 79 113"
SHUNIP=""

# Others
CARL="192.168.0.1"
NICK="192.168.0.3"
TONY="192.168.0.5"
LO="127.0.0.1"
SSH="$CARL $NICK $TONY $LO"
SQUID="$CARL $NICK $TONY $LO"
SQUIDPRTS="21 25 80 443 8080 110 53"
ALL="0.0.0.0/0"
US="$CARL $NICK $TONY"
PING="$US"

# So where does IPtables live?
IPT="/sbin/iptables"

####################################################################
# Clear existing rules
####################################################################

echo "Clearing existing Rules"

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -F
$IPT -X

for table in filter nat mangle
do
$IPT -t $table -F
$IPT -t $table -X
$IPT -t $table -Z
done

####################################################################
# Loging chains
####################################################################

echo "Making LOG chains"
# LOG-and-DROP chain
$IPT -N LDROP
$IPT -A LDROP -j LOG --log-prefix "DROP : " $LOGOPT
$IPT -A LDROP -j DROP

# INPUT LOG-and-DROP chain
$IPT -N LDROPI
$IPT -A LDROPI -j LOG --log-prefix "INPUT DROP : " $LOGOPT
$IPT -A LDROPI -j DROP

# OUTPUT LOG-and-DROP chain
$IPT -N LDROPO
$IPT -A LDROPO -j LOG --log-prefix "OUTPUT DROP : " $LOGOPT
$IPT -A LDROPO -j DROP

# FORWARD LOG-and-DROP chain
$IPT -N LDROPF
$IPT -A LDROPF -j LOG --log-prefix "FORWARD DROP : " $LOGOPT
$IPT -A LDROPF -j DROP

# BADIP (LOG-and-DROP)
$IPT -N LBADIP
$IPT -A LBADIP -j LOG --log-prefix "BADIP : " $LOGOPT
$IPT -A LBADIP -j DROP

# BADPORT (DROP-and-LOG)
$IPT -N LBADPRT
$IPT -A LBADPRT -j LOG --log-prefix "BADPORT : " $LOGOPT
$IPT -A LBADPRT -j DROP

# SHUN (LOG-and-DROP)
$IPT -N LSHUN
$IPT -A LSHUN -j LOG --log-prefix "SHUN'd : " $LOGOPT
$IPT -A LSHUN -j DROP

# FLOOD (LOG-and-DROP)
$IPT -N LFLOOD
$IPT -A LFLOOD -j LOG --log-prefix "FLOOD : " $LOGOPT
$IPT -A LFLOOD -j DROP

# bad FLAGS (LOG-and-DROP)
$IPT -N LFLAGS
$IPT -A LFLAGS -j LOG --log-prefix "BADFLAGS : " $LOGOPT
$IPT -A LFLAGS -j DROP

####################################################################
# BAD IP's
####################################################################

echo "Badip's WILL die"
$IPT -N BADIP
for ip in $BADIPS
do
$IPT -A BADIP -s $ip -j LBADIP
$IPT -A BADIP -d $ip -j LBADIP
done
$IPT -A BADIP -j RETURN

####################################################################
# BAD PORTS
####################################################################

echo "And Badports will too"
$IPT -N BADPORTS
for port in $BADPORT
do
$IPT -A BADPORTS -p tcp --dport $port -j LBADPRT
$IPT -A BADPORTS -p tcp --sport $port -j LBADPRT
$IPT -A BADPORTS -p udp --dport $port -j LBADPRT
$IPT -A BADPORTS -p udp --sport $port -j LBADPRT
done
$IPT -A BADPORTS -j RETURN

####################################################################
# SHUN LIST
####################################################################

echo "SHUNdlers list"
$IPT -N SHUN
for ip in $SHUNIP
do
$IPT -A SHUN -s $ip -j LSHUN
$IPT -A SHUN -d $ip -j LSHUN
done
$IPT -A SHUN -j RETURN

####################################################################
# SYN Flood Protection (TCP SYN datagrams)
####################################################################

echo "Flood me? i think not"
$IPT -N FLOOD

# To accept non floods (Specific rate)
$IPT -A FLOOD $SYNOPT -j RETURN
$IPT -A FLOOD -j LFLOOD


####################################################################
# TCP Flag Validation (TCP Datagrams)
####################################################################

echo "TCP Flag validation"
$IPT -N FLAGS
$IPT -A FLAGS -p tcp --tcp-flags ACK,FIN FIN -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ACK,PSH PSH -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ACK,URG URG -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags FIN,RST FIN,RST -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL ALL -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL NONE -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL FIN,PSH,URG -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LFLAGS
$IPT -A FLAGS -j RETURN
# Other combinations are valid.

####################################################################
# Inbound ICMP messages
####################################################################

echo "Inbound ICMP rules"

# PING variable has us in it so this is invalid unless we find some need to ping up, then add :P
$IPT -N IN_ICMP
for sip in $PING
do
$IPT -A IN_ICMP -p icmp --icmp-type echo-request -s $sip -d $INTIP \
-j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type echo-reply -s $sip -d $INTIP \
-j ACCEPT
done
$IPT -A IN_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type source-quench -j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPT -A IN_ICMP -j RETURN

####################################################################
# Outbound ICMP messages
####################################################################

echo "Outbound ICMP rules"
$IPT -N OUT_ICMP
for dip in $PING
do
$IPT -A OUT_ICMP -p icmp --icmp-type echo-reply -d $dip -j ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type echo-request -d $dip -j ACCEPT
done
$IPT -A OUT_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type fragmentation-needed -j ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type source-quench -j ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPT -A OUT_ICMP -j RETURN


####################################################################
# Input TCP/UDP datagrams
####################################################################

echo "Rules for incoming TCP/UDP datagrams"
$IPT -N IN
$IPT -A IN -p icmp -j IN_ICMP
$IPT -A IN -p tcp -j FLAGS
$IPT -A IN -p tcp --syn -j FLOOD
$IPT -A IN -m state --state ESTABLISHED,RELATED -j ACCEPT


# Accept (new) inbound connections
# Full access for US
for sip in $US
do
$IPT -A IN -p tcp -i $INTIF -s $sip -j ACCEPT
$IPT -A IN -p udp -i $INTIF -s $sip -j ACCEPT
done

# Others will be logged and dropped
$IPT -A IN -j RETURN

####################################################################
# Output TCP/UDP datagrams
####################################################################

echo "Outgoing rules for TCP/UDP datagrams"
$IPT -N OUT
$IPT -A OUT -p icmp -j OUT_ICMP
$IPT -A OUT -p tcp -j FLAGS
$IPT -A OUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept (NEW) outbound connections

$IPT -A OUT -m state --state NEW -p tcp --dport 21 -j ACCEPT # FTP

# ALL to us valid
for dip in $US
do
$IPT -A OUT -p tcp -d $dip -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUT -p udp -d $dip -m state --state ESTABLISHED,RELATED -j ACCEPT
done


for port in $SQUIDPRTS
do
$IPT -A OUT -p tcp --dport $port -j ACCEPT
$IPT -A OUT -p udp --dport $port -j ACCEPT
done

$IPT -A OUT -j RETURN






####################################################################
# Outbound TCP/UDP datagrams from local
####################################################################

echo "Outbound datagrams FROM local"
$IPT -N OUT_NETWORK
$IPT -A OUT_NETWORK -p icmp -j OUT_ICMP
$IPT -A OUT_NETWORK -p tcp -j FLAGS
$IPT -A OUT_NETWORK -i $INTIF -o $EXTIF -j ACCEPT



####################################################################
# Inbound TCP/UDP datagrams to local
####################################################################

echo "Inbound datagrams TO local"
$IPT -N IN_NETWORK
$IPT -A IN_NETWORK -p icmp -j IN_ICMP
$IPT -A IN_NETWORK -p tcp -j FLAGS
$IPT -A IN_NETWORK -p tcp --syn -j FLOOD
$IPT -A IN_NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A IN_NETWORK -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT



####################################################################
# FORWARDING RULES (test to see if the bloody thing works, and it doesn't)
####################################################################


$IPT -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT


####################################################################
# Rules for non-custom chains.
####################################################################

echo "Setting them all together through Default chains"
# (Here you can see where it used to go. That didn't work either.)
#$IPT -A FORWARD -j SHUN
#$IPT -A FORWARD -j BADPORTS
#$IPT -A FORWARD -i $EXTIF -j IN_NETWORK
#$IPT -A FORWARD -i $INTIF -j OUT_NETWORK
#$IPT -A FORWARD -j LDROPF

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -j BADIP
$IPT -A INPUT -j BADPORTS
$IPT -A INPUT -j SHUN
$IPT -A INPUT ! -p icmp -j IN
$IPT -A INPUT -p icmp -j IN_ICMP
$IPT -A INPUT -j LDROPI

$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -j BADIP
$IPT -A OUTPUT -j BADPORTS
$IPT -A OUTPUT -j SHUN
$IPT -A OUTPUT ! -p icmp -j OUT
$IPT -A OUTPUT -p icmp -j OUT_ICMP
$IPT -A OUTPUT -j LDROPO
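The script's LOG chains tag every drop with a prefix ("FORWARD DROP : ", "BADIP : " and so on), and reading those lines is the quickest way to turn "dropped or denied somewhere" into a specific chain, interface pair and flow. The following is an added example, not code from the thread: a small shell/awk summarizer run over a few constructed kernel log lines in the format those LOG rules produce. The hostname, timestamps and addresses in the sample are made up.

```sh
#!/bin/sh
# Added example (not from the thread): summarize what the script's LOG
# chains record. Assumes the syslog line shape
#   "... kernel: <prefix> : KEY=VALUE KEY=VALUE ..."

# Constructed sample lines, not real captured logs. Addresses are
# documentation ranges; the prefixes are the ones the script's LOG rules use.
SAMPLE_LOG='Sep 14 01:12:03 gw kernel: FORWARD DROP : IN=ppp0 OUT=eth0 SRC=203.0.113.10 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=1034 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Sep 14 01:12:04 gw kernel: FORWARD DROP : IN=ppp0 OUT=eth0 SRC=203.0.113.10 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=1034 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Sep 14 01:12:09 gw kernel: BADIP : IN=ppp0 OUT= SRC=10.4.4.4 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 PROTO=UDP SPT=53 DPT=53 LEN=40
Sep 14 01:12:15 gw kernel: INPUT DROP : IN=ppp0 OUT= SRC=198.51.100.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=4567 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Reads kernel log lines on stdin and prints
#   count<TAB>prefix|in|out|src|dst|proto|dpt
# most frequent flow first. Bare flag tokens (DF, SYN, ACK) carry no "="
# and are ignored; only KEY=VALUE pairs are collected.
summarize_drops() {
    awk '
    {
        line = $0
        sub(/^.*kernel: /, "", line)
        sep = index(line, " : ")
        if (sep == 0) next
        prefix = substr(line, 1, sep - 1)
        split("", f)
        n = split(substr(line, sep + 3), tok, " ")
        for (i = 1; i <= n; i++) {
            eq = index(tok[i], "=")
            if (eq > 0) f[substr(tok[i], 1, eq - 1)] = substr(tok[i], eq + 1)
        }
        key = prefix "|" f["IN"] "|" f["OUT"] "|" f["SRC"] "|" f["DST"] "|" f["PROTO"] "|" f["DPT"]
        count[key]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -rn
}

# Number of log lines on stdin carrying a given --log-prefix, e.g. "FORWARD DROP".
count_prefix() {
    grep -c "kernel: $1 : "
}

# Stand-alone run over the embedded sample. On a real gateway feed it
#   grep 'kernel:' /var/log/messages | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

How to read the result: a FORWARD DROP line with IN=ppp0 OUT=eth0 means the reply reached the gateway but the FORWARD chain has no rule accepting return traffic. If forwarding fails and no FORWARD DROP lines appear at all, the outbound packets were accepted and left unmodified, which is what happens without a MASQUERADE rule: they carry a private source address, so the replies never arrive and there is nothing for the FORWARD chain to drop.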
 
Old 09-14-2003, 05:46 AM   #2
duelly
LQ Newbie
 
Registered: Sep 2003
Distribution: ArchLinux
Posts: 10

Rep: Reputation: 0
Patryn999,

When you say forward I assume you mean allowing your LAN network access to the outside world. Try:

# nat POSTROUTING cannot match on an input interface (-i); select by source range instead
$IPT -t nat -A POSTROUTING -s $INTRANGE -o $EXTIF -j MASQUERADE

Sorry if I mistook your requirements.

duelly
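Put together with the poster's variable names, a complete forwarding section for this kind of LAN gateway looks like the following. This is an added example, not the poster's script or duelly's rule as posted; the ipt() wrapper and the DRY_RUN switch are this example's own, and it assumes the FORWARD policy is already DROP, as the script sets it. Note that iptables rejects -i in the nat POSTROUTING chain, so the MASQUERADE rule here selects traffic by source range and output interface.

```sh
#!/bin/sh
# Added example (not the thread's code): the FORWARD chain and nat rules a
# LAN gateway needs. Variable names follow the poster's script; ipt() and
# DRY_RUN are this example's own.
INTIF="${INTIF:-eth0}"
EXTIF="${EXTIF:-ppp0}"
INTRANGE="${INTRANGE:-192.168.0.0/24}"
IPT="${IPT:-/sbin/iptables}"
# Print the commands by default; DRY_RUN=0 (as root) applies them.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        "$IPT" "$@"
    fi
}

# Assumes "$IPT -P FORWARD DROP" has already been set, as in the script.
lan_gateway_rules() {
    # Replies and related traffic (e.g. ip_conntrack_ftp data channels),
    # whichever direction they travel.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections only from LAN addresses arriving on the inside interface.
    # Matching -i and -s together means a packet on ppp0 that claims a
    # 192.168.0.x source is not forwarded.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTRANGE" -m state --state NEW -j ACCEPT
    # Log, then drop, everything else so a failing flow shows up in the kernel
    # log instead of vanishing into the policy.
    ipt -A FORWARD -j LOG --log-prefix "FORWARD DROP : " -m limit --limit 1/second --limit-burst 10
    ipt -A FORWARD -j DROP
    # Source NAT on the way out. POSTROUTING has no input interface to match
    # on (iptables refuses -i there); source range plus output interface
    # gives the same selection.
    ipt -t nat -A POSTROUTING -s "$INTRANGE" -o "$EXTIF" -j MASQUERADE
}

# True when the kernel will route between interfaces, i.e. the script's
# "echo 1 > /proc/sys/net/ipv4/ip_forward" took effect. The path is a
# parameter so the check can be exercised against an ordinary file.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Stand-alone run: prints the rule set for review.
lan_gateway_rules
```

Run it as is to review the commands it would issue; with DRY_RUN=0 it applies them through /sbin/iptables. forwarding_enabled is the first thing to check when a gateway forwards nothing, because without ip_forward the FORWARD chain never sees a packet no matter what rules it holds.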
 
Old 09-14-2003, 11:59 PM   #3
Patryn999
LQ Newbie
 
Registered: Jun 2003
Posts: 5

Original Poster
Rep: Reputation: 0
ARRRRRRRRRRGGGGGGGG
THAT'S it *looks and feels real stupid*

Why didn't I realise that? Because I spent too bloody long with IPChains (this was my first attempt at an IPTables firewall).


*Sigh*
CHEERS
Patryn
 
  

