02-23-2011, 07:57 AM
#1
Senior Member
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127
Firestarter vs. traceroute
I am running Firestarter 1.0.3 on my Ubuntu 10.04 desktop. When the firewall is running I am not able to execute a traceroute command.
It works fine if I stop the firewall.
I looked in the documentation and it tells me
Quote:
By default Firestarter allows ICMP traffic,
I do NOT have ICMP filtering enabled in the preferences. (I did try enabling it and allowing traceroute - same issue.)
I have my policies set to "Restrictive by default, whitelist traffic" but I do not find any way to add a rule for traceroute (which is supposed to be allowed by the preferences.)
Any suggestions???
TIA,
Ken
02-24-2011, 01:31 AM
#2
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Print out your iptables using 'iptables -L -n -v'
02-24-2011, 07:44 AM
#3
Senior Member
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127
Original Poster
Quote:
Chain INPUT (policy DROP 1 packets, 69 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.0.1 0.0.0.0/0 tcp flags:!0x17/0x02
303 28155 ACCEPT udp -- * * 192.168.0.1 0.0.0.0/0
2 144 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
3 687 DROP all -- eth0 * 0.0.0.0/0 255.255.255.255
13 2242 DROP all -- * * 0.0.0.0/0 192.168.0.255
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
7 280 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 LSI all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
63009 89M INBOUND all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Forward'
Chain OUTPUT (policy DROP 18 packets, 2496 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.0.112 192.168.0.1 tcp dpt:53
309 19370 ACCEPT udp -- * * 192.168.0.112 192.168.0.1 udp dpt:53
2 144 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
41550 2499K OUTBOUND all -- * eth0 0.0.0.0/0 0.0.0.0/0
18 2496 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
18 2496 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Output'
Chain INBOUND (1 references)
pkts bytes target prot opt in out source destination
62999 89M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 304 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 192.168.0.112 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.0.112 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.0.112 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.0.112 0.0.0.0/0
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpts:137:139
6 540 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 udp dpts:137:139
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:445
0 0 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 udp dpt:445
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 udp dpt:22
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:21
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:123
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:33434
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:33434
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:20:21
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:20:21
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:563
0 0 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 udp dpt:563
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:11371
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:11371
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:11371
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:11371
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:11371
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:11371
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:443
0 0 LSI all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOG_FILTER (5 references)
pkts bytes target prot opt in out source destination
Chain LSI (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LSO (1 references)
pkts bytes target prot opt in out source destination
2 88 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
2 88 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
2 88 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTBOUND (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
40988 2473K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 228 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 69.16.168.50
0 0 ACCEPT all -- * * 0.0.0.0/0 76.5.159.134
0 0 ACCEPT all -- * * 0.0.0.0/0 208.33.159.36
0 0 ACCEPT all -- * * 0.0.0.0/0 63.162.197.68
508 22352 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:80
26 1144 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:443
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:119
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:119
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpts:137:139
9 1248 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpts:137:139
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:445
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:445
5 220 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:110
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:22
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:25
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:5900
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:5900
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:515
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:515
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:9100
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:9100
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:10000
0 0 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:10000
0 0 ACCEPT tcp -- * * 192.168.0.112 0.0.0.0/0 tcp dpt:123
1 76 ACCEPT udp -- * * 192.168.0.112 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:67:68
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
8 352 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:563
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:563
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:11371
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:11371
2 88 LSO all -- * * 0.0.0.0/0 0.0.0.0/0
ken@taylor12:~$
Which is a lot to look at and of which I have little understanding. However, I did a traceroute (which failed) after the above and ran the iptables command again. I compared the results with Beyond Compare and found the following entry which might be a clue
Quote:
3 148 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Does that mean I am in fact filtering all ICMP traffic? Firestarter preferences indicate that I am not.
Thanks again,
Ken
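The before/after comparison described in the post above can be scripted. The following is an added example, not part of the original thread: it parses two `iptables -L -n -v` listings and reports the rules whose packet counters rose. The BEFORE lines are taken from the listing in the post; the AFTER counters are constructed except for the REJECT line, and the function names are this example's own.

```python
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
UNITS = {"K": 10**3, "M": 10**6, "G": 10**9}

# BEFORE: lines from the listing in the post. AFTER: constructed, except the
# REJECT counters (3 148), which the post quotes.
BEFORE = """\
Chain LSO (1 references)
pkts bytes target prot opt in out source destination
2 88 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
2 88 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTBOUND (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
40988 2473K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 88 LSO all -- * * 0.0.0.0/0 0.0.0.0/0
"""
AFTER = BEFORE.replace("2 88 ", "3 148 ")  # one more packet on the LSO path


def to_int(field):
    """Expand the abbreviated counters that -v prints (2473K, 89M)."""
    return int(field[:-1]) * UNITS[field[-1]] if field[-1] in UNITS else int(field)


def parse(listing):
    """Map (chain, rule text without counters) -> packet count."""
    rules, chain = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line.strip())
        parts = line.split(None, 2)
        if m:
            chain = m.group(1)
        elif chain and len(parts) == 3 and parts[0][0].isdigit():
            key = (chain, " ".join(parts[2].split()))
            rules[key] = rules.get(key, 0) + to_int(parts[0])  # duplicates summed
    return rules


def changed(before, after):
    """Rules whose packet counter rose between two listings, with the delta."""
    b, a = parse(before), parse(after)
    return sorted((c, r, n - b.get((c, r), 0)) for (c, r), n in a.items()
                  if n > b.get((c, r), 0))


if __name__ == "__main__":
    for chain, rule, delta in changed(BEFORE, AFTER):
        print(f"+{delta:<4} {chain:<9} {rule}")
```

In the listing above, LSO has a single reference, the last rule of OUTBOUND, so a rising REJECT counter there counts outgoing packets that matched none of the OUTBOUND whitelist rules.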
All times are GMT -5.