Gentoo Forums
netfilter blocking ports
Gentoo Forums Forum Index > Networking & Security
ashkar
n00b

Joined: 26 Sep 2002
Posts: 48

Posted: Sun Feb 02, 2003 8:13 am    Post subject: netfilter blocking ports

I seem to be having a problem with my firewall. It is blocking access to ssh and http on my server (which is also running the firewall). I am having no problem connecting to either service from inside but trying to connect on the external interface ppp0 fails. Nmap shows both ports to be filtered. I modified a script from here to use. I think I can follow it ok, but I can't see why the packets are dropping. They should run through the INPUT chain, bad_tcp_packets, back to INPUT, then a few lines down go to the tcp_packets chain in which the first line should send it to the allowed chain, where it should be accepted. Anybody see the problem?

Code:
#!/bin/sh

#setup the script variables

INET_IFACE="ppp0"

DHCP="yes"


LAN_IP="192.168.2.32"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BROADCAST_ADDRESS="192.168.255.255"
LAN_IFACE="eth1"

LO_IFACE="lo"
LO_IP="127.0.0.1"

IPTABLES="/sbin/iptables"

#load modules

/sbin/depmod -a

/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc

#proc setup

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#rules setup

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#flush rules and user chains left from an earlier run, otherwise the -N calls
#below fail with "Chain already exists" and every rule gets appended a second time
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X

#create user-defined chains

$IPTABLES -N bad_tcp_packets
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
#chain name must match the "-A icmp_packets" rules below (was misspelled imcp_packets)
$IPTABLES -N icmp_packets

#bad_tcp_packets chain

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#allowed chain

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#TCP chain

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j allowed

#UDP chain

#ICMP chain

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#INPUT chain

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT

#DHCP requests from lan

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
#protocol was misspelled IMCP, which iptables rejects, so ICMP never reached its chain
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#FORWARD chain

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#OUTPUT chain

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

#nat

#-A was missing, so iptables rejected this line and no masquerading was set up
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
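To check the path the post describes without touching a live box, here is an added example (mine, not part of the thread and not the kernel's own logic) that models how the filter table walks the posted INPUT rules: rules are tried in order, a jump into a user-defined chain comes back to the caller when the packet falls off its end, LOG is non-terminating, and a built-in chain ends in its policy. Only the matches the script uses are implemented (-i, -p, -s, -d, --dport, --syn / ! --syn, -m state); --sport, --icmp-type and -m limit are left out, so icmp_packets is modelled as empty. The interface names and address ranges are the script's; the packets and the public addresses are constructed, and `Packet`, `Rule`, `matches` and `verdict` are my names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added model of iptables filter-table traversal (not the kernel).  Only the matches the
# posted script uses are implemented; --sport, --icmp-type, -m limit and RETURN are left out.

@dataclass
class Packet:
    in_iface: str
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    syn: bool = False     # SYN set, ACK/RST/FIN clear: what --syn tests
    state: str = "NEW"    # conntrack state as seen by -m state

@dataclass
class Rule:
    target: str                         # ACCEPT, DROP, LOG or a user chain name
    in_iface: Optional[str] = None      # -i
    proto: Optional[str] = None         # -p
    src: Optional[str] = None           # -s (CIDR)
    dst: Optional[str] = None           # -d (CIDR or single address)
    dport: Optional[int] = None         # --dport
    syn: Optional[bool] = None          # True: --syn, False: ! --syn
    states: Optional[frozenset] = None  # -m state --state A,B

def matches(rule: Rule, pkt: Packet) -> bool:
    return all((
        rule.in_iface is None or rule.in_iface == pkt.in_iface,
        rule.proto is None or rule.proto == pkt.proto,
        rule.src is None or ip_address(pkt.src) in ip_network(rule.src, strict=False),
        rule.dst is None or ip_address(pkt.dst) in ip_network(rule.dst, strict=False),
        rule.dport is None or rule.dport == pkt.dport,
        rule.syn is None or (pkt.proto == "tcp" and rule.syn == pkt.syn),
        rule.states is None or pkt.state in rule.states,
    ))

def _walk(chains, chain, pkt, trace):
    # Try rules in order.  ACCEPT/DROP ends the walk; None means the packet fell off the end.
    for idx, rule in enumerate(chains[chain]):
        if not matches(rule, pkt):
            continue
        trace.append((chain, idx, rule.target))
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "LOG":
            continue                       # LOG is non-terminating
        result = _walk(chains, rule.target, pkt, trace)   # jump into a user chain
        if result is not None:
            return result                  # None: the user chain returned; keep going here
    return None

def verdict(chains, chain, pkt):
    # Verdict for a packet entering a built-in chain, plus every rule it matched on the way.
    trace = []
    result = _walk(chains, chain, pkt, trace)
    if result is None:                     # off the end of a built-in chain: policy applies
        result = "DROP"                    # the script sets -P DROP on all three built-in chains
        trace.append((chain, None, "POLICY DROP"))
    return result, trace

INET, LAN, LO, ANY = "ppp0", "eth1", "lo", "0.0.0.0/0"
LAN_RANGE, LAN_BCAST = "192.168.0.0/16", "192.168.255.255"
NEW, EST_REL = frozenset({"NEW"}), frozenset({"ESTABLISHED", "RELATED"})

# The posted INPUT path, in the script's order (icmp_packets is empty: --icmp-type not modelled).
POSTED = {
    "bad_tcp_packets": [Rule("LOG", proto="tcp", syn=False, states=NEW),
                        Rule("DROP", proto="tcp", syn=False, states=NEW)],
    "allowed": [Rule("ACCEPT", proto="tcp", syn=True),
                Rule("ACCEPT", proto="tcp", states=EST_REL),
                Rule("DROP", proto="tcp")],
    "tcp_packets": [Rule("allowed", proto="tcp", src=ANY, dport=p) for p in (22, 80, 443)],
    "udp_packets": [], "icmp_packets": [],
    "INPUT": [Rule("bad_tcp_packets", proto="tcp"),
              Rule("ACCEPT", in_iface=LAN, src=LAN_RANGE),
              Rule("ACCEPT", in_iface=LO),
              Rule("ACCEPT", in_iface=LAN, dst=LAN_BCAST),
              Rule("ACCEPT", in_iface=LAN, proto="udp", dport=67),
              Rule("ACCEPT", in_iface=INET, states=EST_REL),
              Rule("tcp_packets", in_iface=INET, proto="tcp"),
              Rule("udp_packets", in_iface=INET, proto="udp"),
              Rule("icmp_packets", in_iface=INET, proto="icmp"),
              Rule("LOG")],
}

# Constructed packets arriving on ppp0; the public addresses are from the documentation ranges.
SSH_SYN = Packet(INET, "tcp", "203.0.113.7", "198.51.100.9", 22, syn=True)
SSH_ACK_SCAN = Packet(INET, "tcp", "203.0.113.7", "198.51.100.9", 22)          # NEW but not SYN
SMTP_SYN = Packet(INET, "tcp", "203.0.113.7", "198.51.100.9", 25, syn=True)
SSH_REPLY = Packet(INET, "tcp", "203.0.113.7", "198.51.100.9", 22, state="ESTABLISHED")

if __name__ == "__main__":
    for name in ("SSH_SYN", "SSH_ACK_SCAN", "SMTP_SYN", "SSH_REPLY"):
        print(name, *verdict(POSTED, "INPUT", globals()[name]))
```

In the model a NEW SYN to port 22 on ppp0 passes bad_tcp_packets untouched, is handed from INPUT to tcp_packets and then to allowed, and is accepted by allowed's first rule, which is exactly the path the post expects; a non-SYN NEW packet (an ACK scan) dies in bad_tcp_packets, and a SYN to an unlisted port reaches the final LOG rule and then the DROP policy. When the rules as written give the right answer, the thing to compare next is what is actually loaded (`iptables -L -v -n`, with the per-rule packet counters) rather than the script text.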
krt
Tux's lil' helper


Joined: 27 Nov 2002
Posts: 102
Location: Earth

Posted: Sun Feb 02, 2003 12:20 pm

I haven't gone through your firewall list in great detail... but you can!

Even though your script puts certain lines in a certain order, this might not be how those rules end up in the iptables list. The first thing to check is the output of "iptables -L", and you'll see how the actual running ruleset layout looks compared to what your script is doing.

The next trick is to insert a line at the top of each chain that logs all packets hitting that chain. I do stuff like this at various points in the iptables setup to figure out where a packet is going if I can't figure it out otherwise.

$IPTABLES -A FORWARD -j LOG --log-prefix '-- FORWARD CHAIN CATCH --'

Insert that last line all over the place (renaming it per chain, of course) and watch your logs...
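Once catch-all LOG rules are in place the kernel messages have to be read back, and with several prefixes in play it helps to tabulate them instead of eyeballing the log. Here is an added example (mine, not from the thread) that parses the KEY=VALUE lines the LOG target writes and counts which prefix, input interface, protocol and destination port each one carries, so that a SYN to port 22 that died at the end of INPUT is told apart from one that bad_tcp_packets logged as "New not syn". The sample log is constructed to use the prefixes from the posted script (note that "New not syn:" has no trailing space, so the kernel prints it directly against "IN="); the host name gw and the addresses are made up, and `parse_ipt_line`, `summarize` and `hits_for_port` are my names.

```python
import re
from collections import Counter

# Constructed sample of what the LOG target writes via the system logger, using the
# prefixes from the posted script.  Host name and addresses are made up; the KEY=VALUE
# layout is the one ipt_LOG produces (bare words such as DF, SYN and ACK are flags).
SAMPLE_LOG = """\
Feb  2 08:13:01 gw kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  2 08:13:02 gw kernel: New not syn:IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=12346 PROTO=TCP SPT=40124 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Feb  2 08:13:05 gw kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=198.51.100.200 DST=198.51.100.9 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Feb  2 08:13:07 gw kernel: IPT FORWARD packet died: IN=eth1 OUT=ppp0 SRC=192.168.2.40 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=555 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  2 08:13:09 gw sshd[1234]: Accepted publickey for root from 192.168.2.40 port 40200 ssh2
"""

# Everything between "kernel:" and the first "IN=" is the --log-prefix; the rest is the packet.
_LOG_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)\s*(?P<body>IN=.*)$")

def parse_ipt_line(line):
    """Return {'prefix', 'fields', 'flags'} for an ipt_LOG line, or None for any other line."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("body").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val            # a repeated key (LEN on UDP lines) keeps the last value
        else:
            flags.add(tok)               # DF, SYN, ACK, RST, FIN, PSH, URG
    return {"prefix": m.group("prefix").rstrip(), "fields": fields, "flags": flags}

def parse_ipt_log(text):
    return [rec for rec in map(parse_ipt_line, text.splitlines()) if rec]

def summarize(records):
    """Count (prefix, in-interface, protocol, destination port): which rule saw what."""
    counts = Counter()
    for r in records:
        f = r["fields"]
        counts[(r["prefix"], f.get("IN", ""), f.get("PROTO", ""), f.get("DPT", "-"))] += 1
    return counts

def hits_for_port(records, port, proto="TCP", in_iface=None):
    """(prefix, source, TCP flags) for every logged packet to one port, oldest first."""
    hits = []
    for r in records:
        f = r["fields"]
        if f.get("PROTO") != proto or f.get("DPT") != str(port):
            continue
        if in_iface and f.get("IN") != in_iface:
            continue
        hits.append((r["prefix"], f.get("SRC"), sorted(r["flags"] - {"DF"})))
    return hits

if __name__ == "__main__":
    recs = parse_ipt_log(SAMPLE_LOG)
    for key, n in sorted(summarize(recs).items()):
        print(n, key)
    for hit in hits_for_port(recs, 22, in_iface="ppp0"):
        print("port 22:", hit)
```

Two practical points when placing the catch-all rules. `-A` appends, so a LOG rule added that way sits at the end of the chain and only sees packets no earlier rule has already accepted or dropped; to log everything entering a chain, insert it at position 1 with `iptables -I FORWARD 1 -j LOG --log-prefix 'FORWARD catch: '` (and likewise for INPUT and the user chains). And give each one `-m limit --limit 10/minute` or similar, because an unlimited LOG rule on the external interface lets anyone who can send packets fill the log; take the rules out again once the path is understood.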
KraziKid
Tux's lil' helper


Joined: 26 Dec 2002
Posts: 128

Posted: Sun Feb 02, 2003 11:52 pm

Just for kicks, try changing the OUTPUT POLICY to ACCEPT, using iptables -P OUTPUT ACCEPT (from the bash prompt, after you run your firewall script), and see if that fixes it. Your firewall may be blocking the OUTPUT packets. Actually, after looking it over more, it looks like your INPUT chain is not allowing the external interface to get any connections.
ashkar
n00b


Joined: 26 Sep 2002
Posts: 48

Posted: Mon Feb 03, 2003 2:50 pm

Thanks for the suggestions, I'll try them when I get home. As for the logging, I'm not too familiar with Unix system logs so I'm not really sure where they will log to. I have the default install of metalog emerged. Is the best bet just to grep the entire /var/log directory? I do know I have to turn off buffering in metalog to get the most current logs.
All times are GMT