Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 07-16-2005, 06:13 AM   #1
rjkfsm
Member
 
Registered: Apr 2004
Location: Charleston, SC
Distribution: RHEL, CentOS, Debian, Gentoo, Knoppix & DSL
Posts: 126

Rep: Reputation: 15
X Stops working when firewall runs


The subject is self-explanatory. When I run my firewall script, KDE doesn't launch apps. Right click contexts don't work either. When I flush my tables, then all the commands that I executed come flooding in.

Can anyone tell me what I'm doing wrong? My firewall script follows.

Thanks in advance

RK

Code:
#!/bin/bash

IPTABLES="/sbin/iptables"

echo "Initializing rules..."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

echo "Creating Tables"
$IPTABLES -N tcp-in
$IPTABLES -N udp-in
$IPTABLES -N icmp-in
$IPTABLES -N http-in
$IPTABLES -N sshd-in
$IPTABLES -N tcp-samba-in
$IPTABLES -N udp-samba-in
$IPTABLES -N distcc-in
$IPTABLES -N allowed
$IPTABLES -N lo
$IPTABLES -N bad-flags
$IPTABLES -N tcp-os-fingerprint
$IPTABLES -N udp-os-fingerprint
$IPTABLES -N icmp-os-fingerprint
$IPTABLES -N invalid-packets
$IPTABLES -N bad-ports

echo "Creating allowed services"
$IPTABLES -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Exempting localhost"
$IPTABLES -A lo -s 127.0.0.0/8 -j ACCEPT
$IPTABLES -A lo -d 127.0.0.0/8 -j ACCEPT

echo "Creating SSH Server rules"
$IPTABLES -A sshd-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 22 -j ACCEPT
$IPTABLES -A sshd-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 22 -j ACCEPT
$IPTABLES -A sshd-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 22 -j ACCEPT
$IPTABLES -A sshd-in -m state --state ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT

echo "Creating HTTP Server rules"
$IPTABLES -A http-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 80 -j ACCEPT
$IPTABLES -A http-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 80 -j ACCEPT
$IPTABLES -A http-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 80 -j ACCEPT
$IPTABLES -A http-in -m state --state ESTABLISHED,RELATED -p tcp --dport 80 -j ACCEPT

echo "Creating Samba Server Rules"
$IPTABLES -A tcp-samba-in -s 192.168.1.0/24 -p tcp -m multiport --dport 137,138,139,445 -j ACCEPT
$IPTABLES -A udp-samba-in -s 192.168.1.0/24 -p udp -m multiport --dport 137,138,139,445 -j ACCEPT
$IPTABLES -A tcp-samba-in -s 192.168.1.0/24 -p tcp -m multiport --sport 137,138,139,445 -j ACCEPT
$IPTABLES -A udp-samba-in -s 192.168.1.0/24 -p udp -m multiport --sport 137,138,139,445 -j ACCEPT

echo "Creating Distributed C Compiler Server Rules"
$IPTABLES -A distcc-in -s 192.168.1.0/24 -p tcp --sport 3632 -j ACCEPT

echo "Creating Bad packet filtering"
$IPTABLES -A bad-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPTABLES -A bad-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A bad-flags -p tcp --tcp-flags ALL ALL -m limit --limit 3/minute -j LOG --log-level 1 --log-prefix "XMAS:"
$IPTABLES -A bad-flags -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A bad-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A bad-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A bad-flags -p tcp --tcp-flags ALL NONE -m limit --limit 3/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A bad-flags -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A bad-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A bad-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A bad-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"

echo "Creating OS Fingerprinting rules"
$IPTABLES -A tcp-os-fingerprint -p tcp --dport 0 -j DROP
$IPTABLES -A udp-os-fingerprint -p udp --dport 0 -j DROP
$IPTABLES -A tcp-os-fingerprint -p tcp --sport 0 -j DROP
$IPTABLES -A udp-os-fingerprint -p udp --sport 0 -j DROP
$IPTABLES -A icmp-os-fingerprint -p icmp --icmp-type address-mask-request -j DROP
$IPTABLES -A icmp-os-fingerprint -p icmp --icmp-type address-mask-reply -j DROP

echo "Creating Invalid Packets rules"
$IPTABLES -A invalid-packets -m state --state INVALID -j DROP

echo "Block known Trojan ports"
$IPTABLES -A bad-ports -p tcp -m multiport --dport 3049,1999,4329,1,2,13,98,111,901,902 -j DROP
$IPTABLES -A bad-ports -p udp -m multiport --dport 3049,1999,4329,1,2,13,98,111,901,902 -j DROP
$IPTABLES -A bad-ports -p tcp -m multiport --dport 12345,1524,2049,27444,31335,27665,31337,65535 -j DROP
$IPTABLES -A bad-ports -p udp -m multiport --dport 12345,1524,2049,27444,31335,27665,31337,65535 -j DROP
$IPTABLES -A bad-ports -p tcp -m multiport --sport 3049,1999,4329,1,2,13,98,111,901,902 -j DROP
$IPTABLES -A bad-ports -p udp -m multiport --sport 3049,1999,4329,1,2,13,98,111,901,902 -j DROP
$IPTABLES -A bad-ports -p tcp -m multiport --sport 12345,1524,2049,27444,31335,27665,31337,65535 -j DROP
$IPTABLES -A bad-ports -p udp -m multiport --sport 12345,1524,2049,27444,31335,27665,31337,65535 -j DROP

echo "Establishing Kernel security"
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

for i in /proc/sys/net/ipv4/conf/*; do
/bin/echo "1" > $i/rp_filter
done

echo "Implement Rules"
$IPTABLES -A tcp-in -j bad-flags
$IPTABLES -A tcp-in -j tcp-os-fingerprint
$IPTABLES -A tcp-in -p tcp --dport 22 -j sshd-in
$IPTABLES -A tcp-in -p tcp --dport 80 -j http-in
$IPTABLES -A tcp-in -p tcp -j tcp-samba-in
$IPTABLES -A tcp-in -p tcp -j distcc-in
$IPTABLES -A udp-in -p udp -j udp-os-fingerprint
$IPTABLES -A udp-in -p udp -j udp-samba-in
$IPTABLES -A icmp-in -p icmp -j icmp-os-fingerprint
$IPTABLES -A INPUT -j lo
$IPTABLES -A INPUT -j bad-ports
$IPTABLES -A INPUT -p tcp -j tcp-in
$IPTABLES -A INPUT -p udp -j udp-in
$IPTABLES -A INPUT -p icmp -j icmp-in
$IPTABLES -A INPUT -j allowed

#Setting Everything to DROP.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
 
Old 07-16-2005, 08:34 PM   #2
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
Your script is in appending mode all the time. Some flush commands before applying any rules would be healthy.

Also, try accepting all localhost traffic by specifying the loopback interface (don't use 127.0.0.0/8):
Code:
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
I see you're using samba... Does this happen to you when you're using remote X?

If this is the case, then you must explicitly allow all X related traffic... ports 6000[:6063], 177 (xdmcp) & 7100 (X font server)

If not, you could try "-nolisten tcp" with startx and kdm/xdm. See Xserver(1), xdm(1) and xfs(1) anyway.

I don't think you really need the bad-ports chain, since legitimate programs may be using it at any time. You could add "-m state --state NEW" (to allow already ESTABLISHED traffic later)

Check sshd-in & http-in. These rules would never apply:
-p tcp --tcp-flags ALL FIN --dport 22 -j ACCEPT
and some RSTs are accompanied by an ACK
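
Putting the suggestions above together (flush first, loopback by interface, connection tracking with --state NEW, no flag rules that can never match), here is an added example script; it is not the original poster's script or primo's code. It assumes the thread's LAN 192.168.1.0/24, defaults to a dry run that only prints the iptables commands, and the names ipt, apply_rules and DRY_RUN are mine.

```shell
#!/bin/sh
# Added example, not the script from the thread. DRY_RUN=1 (the default) only
# prints the iptables commands; run "DRY_RUN=0 sh fw.sh" as root to apply them.
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}
LAN=${LAN:-192.168.1.0/24}    # the LAN used in the thread's Samba rules

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else "$IPTABLES" "$@"; fi
}
apply_rules() {
    # 1. Flush rules and delete user chains first: the original only ever
    #    appended, so each run stacked another copy of every rule.
    ipt -F
    ipt -X
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP

    # 2. Loopback by interface, not by 127.0.0.0/8: local clients can reach
    #    the host via its LAN address over lo, which 127.0.0.0/8 never matches.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # 3. Connection tracking first: afterwards only NEW connections need a
    #    rule, and replies (the thread's distcc --sport 3632) are ESTABLISHED.
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. Impossible flag combinations, as in the thread's bad-flags chain.
    ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    # 5. Services, matched on the opening SYN via --state NEW. A rule such as
    #    "--tcp-flags ALL FIN" never fires: a real FIN carries ACK as well, so
    #    with mask ALL the flags never equal FIN alone (same for RST vs RST/ACK).
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 1/second -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A INPUT -s "$LAN" -p tcp -m multiport --dports 139,445 -m state --state NEW -j ACCEPT
    ipt -A INPUT -s "$LAN" -p udp -m multiport --dports 137,138 -j ACCEPT
    # Only for remote X clients (otherwise start X with -nolisten tcp); add
    # 177 (xdmcp) and 7100 (font server) the same way if those are used.
    # ipt -A INPUT -s "$LAN" -p tcp --dport 6000:6063 -m state --state NEW -j ACCEPT

    # 6. Default deny last, so a failing line above cannot lock us out.
    ipt -P INPUT DROP
}
apply_rules
```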
 
Old 07-17-2005, 07:28 AM   #3
rjkfsm
Member
 
Registered: Apr 2004
Location: Charleston, SC
Distribution: RHEL, CentOS, Debian, Gentoo, Knoppix & DSL
Posts: 126

Original Poster
Rep: Reputation: 15
Thank you very much for your response & your suggestions. Every one was implemented and problem solved.

RK