LinuxQuestions.org

Linux - Software: Firestarter vs. traceroute
https://www.linuxquestions.org/questions/linux-software-2/firestarter-vs-treaceroute-864513/

taylorkh 02-23-2011 07:57 AM

Firestarter vs. traceroute
 
I am running Firestarter 1.0.3 on my Ubuntu 10.04 desktop. When the firewall is running I am not able to execute a traceroute command.
Quote:

traceroute www.missssouribullet.com
traceroute to www.missssouribullet.com (67.215.65.132), 30 hops max, 60 byte packets
send: Operation not permitted
It works fine if I stop the firewall.

I looked in the documentation and it tells me
Quote:

By default Firestarter allows ICMP traffic,
I do NOT have ICMP filtering enabled in the preferences. (I did try enabling it and allowing traceroute - same issue.)

I have my policies set to "Restrictive by default, whitelist traffic" but I do not find any way to add a rule for traceroute (which is supposed to be allowed by the preferences.)

Any suggestions???

TIA,

Ken

acid_kewpie 02-24-2011 01:31 AM

Print out your iptables using 'iptables -L -n -v'

taylorkh 02-24-2011 07:44 AM

Quote:

Chain INPUT (policy DROP 1 packets, 69 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.0.1 0.0.0.0/0 tcp flags:!0x17/0x02
303 28155 ACCEPT udp -- * * 192.168.0.1 0.0.0.0/0
2 144 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
3 687 DROP all -- eth0 * 0.0.0.0/0 255.255.255.255
13 2242 DROP all -- * * 0.0.0.0/0 192.168.0.255
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
7 280 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 LSI all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
63009 89M INBOUND all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input'

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Forward'

Chain OUTPUT (policy DROP 18 packets, 2496 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.0.112 192.168.0.1 tcp dpt:53
309 19370 ACCEPT udp -- * * 192.168.0.112 192.168.0.1 udp dpt:53
2 144 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
41550 2499K OUTBOUND all -- * eth0 0.0.0.0/0 0.0.0.0/0
18 2496 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
18 2496 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Output'

Chain INBOUND (1 references)
pkts bytes target prot opt in out source destination
62999 89M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 304 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 192.168.0.112 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.0.112 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.0.112 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.0.112 0.0.0.0/0
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpts:137:139
6 540 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 udp dpts:137:139
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:445
0 0 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 udp dpt:445
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 udp dpt:22
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:21
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:123
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:33434
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:33434
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:20:21
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:20:21
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:563
0 0 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 udp dpt:563
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:11371
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:11371
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:11371
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:11371
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:11371
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:11371
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:443
0 0 LSI all -- * * 0.0.0.0/0 0.0.0.0/0

Chain LOG_FILTER (5 references)
pkts bytes target prot opt in out source destination

Chain LSI (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain LSO (1 references)
pkts bytes target prot opt in out source destination
2 88 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
2 88 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
2 88 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
40988 2473K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 228 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 69.16.168.50
0 0 ACCEPT all -- * * 0.0.0.0/0 76.5.159.134
0 0 ACCEPT all -- * * 0.0.0.0/0 208.33.159.36
0 0 ACCEPT all -- * * 0.0.0.0/0 63.162.197.68
508 22352 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:80
26 1144 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:443
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:119
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:119
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpts:137:139
9 1248 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpts:137:139
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:445
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:445
5 220 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:110
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:22
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:25
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:5900
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:5900
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:515
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:515
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:9100
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:9100
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:10000
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:10000
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:123
1 76 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:67:68
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
8 352 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:563
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:563
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:11371
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:11371
2 88 LSO all -- * * 0.0.0.0/0 0.0.0.0/0
ken@taylor12:~$
Which is a lot to look at and of which I have little understanding. However, I did a traceroute (which failed) after the above and ran the iptables command again. I compared the results with Beyond Compare and found the following entry, which might be a clue.
Quote:

3 148 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Does that mean I am in fact filtering all ICMP traffic? Firestarter preferences indicate that I am not.

Thanks again,

Ken
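The before/after counter comparison in the post above is the right diagnostic, and the listing itself supports a reading of it. Linux traceroute sends UDP probes by default, to destination ports starting at 33434. The INBOUND chain accepts dpt:33434 (apparently the rule Firestarter adds for traceroute), but the OUTBOUND chain accepts only ICMP, RELATED/ESTABLISHED tcp/udp and the listed destination ports, so a fresh outgoing UDP probe matches nothing there and falls through to LSO, whose REJECT rule went from 2 packets/88 bytes to 3/148: a 60-byte increase, the same size as the "60 byte packets" traceroute announced. A packet rejected or dropped in the local OUTPUT path is reported to the sending socket as EPERM, which is exactly the "send: Operation not permitted" message, so the problem is the outbound UDP probe, not ICMP filtering. The script below is an added example, not code from the thread, that automates the comparison: it parses two `iptables -L -n -v` snapshots, lists every rule whose packet counter moved, and flags DROP/REJECT targets. The two snapshots are a constructed, trimmed copy of the OUTPUT path (OUTPUT -> OUTBOUND -> LSO) from the listing above, with the counters as they would look around one failing probe.

```python
"""Diff two `iptables -L -n -v` snapshots and list the rules that saw traffic.

Added example, not code from the thread. It automates the comparison done by hand
above: snapshot the counters, run the failing command once, snapshot again, and
report every rule whose packet counter moved, flagging DROP/REJECT targets.
"""
import re
from dataclasses import dataclass

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
HEADER_PREFIX = "pkts bytes target"
TERMINATING = {"DROP", "REJECT"}


@dataclass(frozen=True)
class Rule:
    chain: str
    index: int    # 1-based position within its chain
    target: str
    proto: str
    match: str    # opt/in/out/src/dst and any extra matches, verbatim
    pkts: int
    bytes: int


@dataclass(frozen=True)
class Delta:
    rule: Rule    # the rule as it appears in the second snapshot
    delta_pkts: int
    delta_bytes: int


def parse_count(token):
    """iptables -v abbreviates large counters as e.g. 2499K or 89M (powers of 1000)."""
    mult = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    if token[-1] in mult:
        return int(float(token[:-1]) * mult[token[-1]])
    return int(token)


def parse_snapshot(text):
    """Return {(chain, index): Rule} for every rule line of an `iptables -L -n -v` listing."""
    rules, chain, index = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            chain, index = m.group(1), 0
            continue
        if not line or chain is None or line.startswith(HEADER_PREFIX):
            continue
        parts = line.split(None, 4)  # pkts, bytes, target, prot, <rest of line>
        if len(parts) < 4:
            continue
        index += 1
        rules[(chain, index)] = Rule(chain, index, parts[2], parts[3],
                                     parts[4] if len(parts) == 5 else "",
                                     parse_count(parts[0]), parse_count(parts[1]))
    return rules


def diff_snapshots(before_text, after_text):
    """Rules (in listing order) whose packet counter increased between the snapshots."""
    before, after = parse_snapshot(before_text), parse_snapshot(after_text)
    moved = []
    for key, new in after.items():
        old = before.get(key)
        if old is None or old.target != new.target:
            continue  # rule set changed in between; counters are not comparable
        if new.pkts > old.pkts:
            moved.append(Delta(new, new.pkts - old.pkts, new.bytes - old.bytes))
    return moved


def blocking_rules(deltas):
    """The moved rules that terminate the packet (DROP or REJECT)."""
    return [d for d in deltas if d.rule.target in TERMINATING]


# Constructed sample: a trimmed copy of the OUTPUT path from the listing in the
# thread (OUTPUT -> OUTBOUND -> LSO), as it would look before the failing traceroute.
BEFORE = """\
Chain OUTPUT (policy DROP 18 packets, 2496 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   144 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
41550 2499K OUTBOUND   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
   18  2496 LOG_FILTER all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
40988 2473K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   228 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    2    88 LSO        all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LSO (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2    88 LOG_FILTER all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2    88 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
    2    88 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""

# Second snapshot after one 60-byte probe: the OUTBOUND jump and the three LSO
# rules each count one more packet (88 -> 148 bytes); the OUTPUT->OUTBOUND jump too.
AFTER = BEFORE.replace("    2    88 ", "    3   148 ").replace("41550 2499K", "41551 2499K")

if __name__ == "__main__":
    for d in diff_snapshots(BEFORE, AFTER):
        r = d.rule
        flag = "  <-- terminating target" if r.target in TERMINATING else ""
        print(f"{r.chain:9} #{r.index} {r.target:10} {r.proto:4} "
              f"+{d.delta_pkts} pkt(s) +{d.delta_bytes} bytes{flag}")
```

To use it on a live box, save `iptables -L -n -v` output to a file, run the failing command exactly once, save a second copy, and pass the two files' contents to `diff_snapshots`. Only packet counters are compared: the byte column is rounded to K/M for large rules, so its delta is only meaningful for small counters like the LSO ones. A single probe should light up one path through the chains; the last terminating rule on that path is the one to adjust (here, an OUTBOUND ACCEPT for the UDP port range traceroute uses would be the narrowest fix).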

