The_Great_Sephiroth (Veteran)
Joined: 03 Oct 2014  Posts: 1602  Location: Fayetteville, NC, USA
Posted: Thu Feb 26, 2015 5:41 pm  Post subject: Gentoo iptables different?

I normally create a firewall on my laptop which allows me to allow only SMB and SSH connections from my WLAN and LAN interfaces. I do this in Firewall Builder. This is not working in Gentoo. It creates a script which works fine on other Linux systems (with names changed to old names such as eth0) but not on Gentoo. The lines below result in the error "iptables: No chain/target/match by that name."
Code:
$IPTABLES -A INPUT -i enp0s25 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i enp0s25 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i wlp12s0 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i wlp12s0 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i enp0s25 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i enp0s25 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i wlp12s0 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i wlp12s0 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
Meanwhile the code below works.
Code:
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
So why does this work everywhere but in Gentoo? I am lost after spending a few hours trying. My interface names are correct, I do not see spelling errors, and the FW works in Debian if I change the names from enp0s25 to eth0 and wlp12s0 to wlan0. I did compile iptables into my kernel. Well, as modules, not into the kernel.
_________________
Ever picture systemd as what runs "The Borg"?
lovelytux (Tux's lil' helper)
Joined: 23 Aug 2013  Posts: 108
Posted: Thu Feb 26, 2015 6:07 pm

Hey The_Great_Sephiroth!
Are you sure that you have:
Code: CONFIG_IP_NF_TARGET_REDIRECT=m
in your kernel?
lovelytux
szatox (Advocate)
Joined: 27 Aug 2013  Posts: 3131
Posted: Thu Feb 26, 2015 7:31 pm

Iptables doesn't depend on Gentoo as much as it depends on your kernel's config. Only a few of the most basic modules are enabled by default; you'd better check the options and fix it.
pietinger (Moderator)
Joined: 17 Oct 2006  Posts: 4130  Location: Bavaria
Posted: Thu Feb 26, 2015 8:37 pm

Maybe you didn't find the module because "Advanced netfilter configuration" is not set. Only if it is set do you find "multiport Multiple port match support" in > Networking support > Networking options > Network packet filtering framework (Netfilter) > Core Netfilter Configuration.
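As an added example (not from this thread), a POSIX sh script that checks a kernel config for the netfilter symbols the ruleset in this thread uses, so the missing "multiport" match is found before iptables reports "No chain/target/match by that name". The symbol names are the kernel's own Kconfig names; the sample config is constructed to look like the original poster's kernel.

```shell
#!/bin/sh
# Added example: list the netfilter options this thread's ruleset needs that are
# missing from a kernel config (a .config file or the running kernel's /proc/config.gz).

# Required symbols; y or m both work. NETFILTER_ADVANCED is a bool that gates
# "multiport" in menuconfig, which is why the match was hidden in the thread.
NF_REQUIRED="CONFIG_NETFILTER CONFIG_NETFILTER_ADVANCED CONFIG_NF_CONNTRACK
CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER
CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_NETFILTER_XT_MATCH_MULTIPORT"

# Emit the config as text whether it is a plain file or gzip-compressed.
read_config() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Print each missing symbol on its own line; succeed only when nothing is missing.
check_nf_config() {
    cfg="${1:-/proc/config.gz}"
    missing=0
    for sym in $NF_REQUIRED; do
        if ! read_config "$cfg" | grep -Eq "^${sym}=(y|m)\$"; then
            echo "$sym"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample config: multiport is not set because NETFILTER_ADVANCED is off.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_ADVANCED is not set
CONFIG_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
EOF

if check_nf_config "$SAMPLE_CFG"; then
    echo "all required netfilter options present"
else
    echo "enable the options listed above and rebuild the kernel"
fi
```

Run it with no argument on a kernel built with CONFIG_IKCONFIG_PROC to audit the running kernel, or pass the path to /usr/src/linux/.config.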
NeddySeagoon (Administrator)
Joined: 05 Jul 2003  Posts: 54216  Location: 56N 3W
Posted: Thu Feb 26, 2015 11:04 pm

The_Great_Sephiroth,
What does the 'z' key do in make menuconfig?
Small hint: It's a toggle function.
Bigger hint: you will find it useful.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
The_Great_Sephiroth (Veteran)
Posted: Fri Feb 27, 2015 1:41 am

I will check the kernel configuration tomorrow morning. As for "z", I assume it does like other keys and goes to whatever starts with "z". I know that "/" searches.
The_Great_Sephiroth (Veteran)
Posted: Fri Feb 27, 2015 1:47 pm

You are correct, I did not have the advanced configuration set. I enabled it and am now enabling more options.
Also, the "z" key is nice. It shows everything regardless of options. Oh, and I was mistaken. 99% of my iptables stuff is built in-kernel, not as modules.
The_Great_Sephiroth (Veteran)
Posted: Fri Feb 27, 2015 2:47 pm

Alright, all is good. The "multiport" option was not selected. My firewall is up and allows only SMB and SSH connections.
Code:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i enp0s25 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A INPUT -i enp0s25 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A INPUT -i wlp12s0 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A INPUT -i wlp12s0 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state NEW -j ACCEPT
-A FORWARD -i enp0s25 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A FORWARD -i enp0s25 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A FORWARD -i wlp12s0 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A FORWARD -i wlp12s0 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state NEW -j ACCEPT
It isn't fancy, but it works! Now I need to figure out a way to add rules when ppp0 comes up (VPN) and delete those rules when it goes down.
The_Great_Sephiroth (Veteran)
Posted: Fri Feb 27, 2015 3:11 pm

Alright, got that working also! I added the following two scripts and they work.
/etc/ppp/ip-up.d/90-iptables.sh
Code:
#!/bin/bash
# pppd passes six arguments (interface tty speed local-ip remote-ip ipparam).
# If the interface was specified, add the rule
if [ $# -eq 6 ] && [ -n "$1" ]; then
    iptables -A INPUT -i "$1" -m state --state NEW -j ACCEPT
fi
/etc/ppp/ip-down.d/90-iptables.sh
Code:
#!/bin/bash
# pppd passes six arguments (interface tty speed local-ip remote-ip ipparam).
# If the interface was specified, delete the rule
if [ $# -eq 6 ] && [ -n "$1" ]; then
    iptables -D INPUT -i "$1" -m state --state NEW -j ACCEPT
fi
This adds and deletes the rule no matter what VPN connection a user initiates. I am golden now!
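An added example, not the poster's scripts, that reworks the two hooks above into one file usable from both /etc/ppp/ip-up.d/ and /etc/ppp/ip-down.d/: it opens only the same SMB/SSH ports the rest of the firewall allows rather than all NEW traffic on the VPN interface, checks with -C before adding so repeated ip-up runs never stack duplicate rules, and on the way down deletes until no copy is left. The IPT variable and the function names are my own; the six-argument convention is pppd's.

```shell
#!/bin/sh
# Added example: one pppd hook for both /etc/ppp/ip-up.d/ and /etc/ppp/ip-down.d/.
# pppd calls it with 6 arguments: interface tty speed local-ip remote-ip ipparam.

IPT="${IPT:-iptables}"          # overridable so the logic can be exercised without root
TCP_PORTS="445,135,139,22"      # same SMB/SSH ports as the LAN/WLAN rules
UDP_PORTS="138,137"

# Print the rule spec (everything after -A/-C/-D) for one protocol on one interface.
ppp_rule_spec() {   # $1 = interface, $2 = tcp|udp
    case "$2" in
        tcp) ports="$TCP_PORTS" ;;
        udp) ports="$UDP_PORTS" ;;
        *)   return 1 ;;
    esac
    printf 'INPUT -i %s -p %s -m multiport --dports %s -m state --state NEW -j ACCEPT\n' \
        "$1" "$2" "$ports"
}

# up: add each rule only if -C says it is absent. down: delete until -D fails,
# which also cleans up duplicates left by an older non-idempotent hook.
ppp_apply() {       # $1 = up|down, $2 = interface
    for proto in tcp udp; do
        spec=$(ppp_rule_spec "$2" "$proto")
        case "$1" in
            up)   $IPT -C $spec 2>/dev/null || $IPT -A $spec ;;
            down) while $IPT -D $spec 2>/dev/null; do :; done ;;
        esac
    done
}

# When invoked by pppd, pick the direction from the directory the script lives in
# (install once in ip-up.d and symlink it into ip-down.d).
if [ $# -eq 6 ] && [ -n "$1" ]; then
    case "$0" in
        */ip-up.d/*)   ppp_apply up   "$1" ;;
        */ip-down.d/*) ppp_apply down "$1" ;;
    esac
fi
```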