Gentoo Forums
Noob firewall problem
mebrelith
Tux's lil' helper


Joined: 04 Apr 2005
Posts: 102
Location: Torreon, Coahuila, Mexico

Posted: Thu Apr 07, 2005 7:17 pm    Post subject: Noob firewall problem

So I was tweaking my Gentoo. Hehe. Now, in the old days of other distros I used to use Guarddog to tweak the iptables stuff. So I installed the dog on the Gentoo, made the rules with the dog, saved the iptables, and added iptables using rc-update.
Rebooted, loaded firewall, everything peachy.
I decided to tweak a little: restrict some protocols (mainly anything I don't use :) ), did the steps, saved the tables and rebooted.
Ah.... here comes the problem. Once I get into my KDE I find myself without internet, weather forecast or anything like that. Funny thing is I can ping.

Help! Any ideas? I tried taking back the changes I made when it stopped working but it didn't work. Any and all help will be deeply appreciated.

Post-scriptum: oh, and in case you are thinking... "maybe it's his internet connection". It's not; rebooted with the winside of the box and that's how I got to write this.
_________________
Mebrelith Lord of Thingamajigs, Linux zealot, Gentoo advocate, KDE promoter. Linux user #373009
Omnia mutantur, nihil interit - Everything changes, nothing is truly lost.
adsv
n00b


Joined: 07 Apr 2005
Posts: 3
Location: Sweden

Posted: Thu Apr 07, 2005 8:02 pm

Hey!

You said you tried to take back your changes, but that it didn't work. What does
Code:
iptables -L

give you?

Did you try flushing the rules manually:
Code:
iptables -F

or did you do it via Guarddog?
mebrelith
Tux's lil' helper


Joined: 04 Apr 2005
Posts: 102
Location: Torreon, Coahuila, Mexico

Posted: Thu Apr 07, 2005 8:51 pm

So here's the deal, doing iptables -L gave me:

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  myip         255.255.255.255
logaborted  tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED tcp flags:RST/RST
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
nicfilt    all  --  anywhere             anywhere
srcfilt    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
srcfilt    all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
s1         all  --  anywhere             anywhere

Chain f0to1 (3 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
logdrop    all  --  anywhere             anywhere

Chain f1to0 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:rsync state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:888 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:cvspserver state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:www state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:webcache state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:8008 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:8000 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:8888 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpts:6660:6669 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:5050 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:telnet state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpts:5000:5001 state NEW
ACCEPT     udp  --  anywhere             anywhere            udp spts:1024:5999 dpt:5000
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spts:1024:5999 dpt:time
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:time state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:ftp state NEW
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:11999 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:1863 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:8880 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:dict state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:ntp state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:https state NEW
logdrop    all  --  anywhere             anywhere

Chain logaborted (1 references)
target     prot opt source               destination
logaborted2  all  --  anywhere             anywhere            limit: avg 1/sec burst 10
LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '

Chain logaborted2 (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain logdrop (4 references)
target     prot opt source               destination
logdrop2   all  --  anywhere             anywhere            limit: avg 1/sec burst 10
LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
DROP       all  --  anywhere             anywhere

Chain logdrop2 (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning tcp-sequence tcp-options ip-options prefix `DROPPED '
DROP       all  --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
logreject2  all  --  anywhere             anywhere            limit: avg 1/sec burst 10
LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       all  --  anywhere             anywhere

Chain logreject2 (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning tcp-sequence tcp-options ip-options prefix `REJECTED '
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       all  --  anywhere             anywhere

Chain nicfilt (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere

Chain s0 (1 references)
target     prot opt source               destination
f0to1      all  --  anywhere             myip
f0to1      all  --  anywhere             255.255.255.255
f0to1      all  --  anywhere             localhost
logdrop    all  --  anywhere             anywhere

Chain s1 (1 references)
target     prot opt source               destination
f1to0      all  --  anywhere             anywhere

Chain srcfilt (2 references)
target     prot opt source               destination
s0         all  --  anywhere             anywhere


Tried "flushing" the iptables (whatever that is, don't know about it) and got myself into a big new problem. Rebooted, got into kdm, logged into my account and oh... wait, what the... stuck at the second step of loading KDE. Yep, no more beyond it, splash screen staring (that is, until for some mysterious reason it decided to vanish and left me with just the mouse and my kdm wallpaper). So for the second time in my Linux history I had to do a hard reboot to get into my windoze and write this.

HELP! Any ideas?!?!?
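One way to trace a packet through a listing like the one above, as an added example that is not from the thread: it parses the `iptables -L` columns into chains and walks a chain the way the kernel does (user chains recurse, LOG falls through, ACCEPT/DROP/REJECT end the walk). The DUMP is a constructed subset of the posted rules; note that `iptables -L` without `-v` does not show interface matches, so rules that look unconditional in INPUT/OUTPUT (such as the first ACCEPT) cannot be judged from this listing alone.

```python
import re

# Constructed excerpt of the `iptables -L` listing posted above (spacing as iptables prints it).
DUMP = """\
Chain f1to0 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:www state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:5999 dpt:https state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
logdrop    all  --  anywhere             anywhere

Chain logdrop (4 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
DROP       all  --  anywhere             anywhere
"""

def parse(dump):
    """Map chain name -> list of (target, proto, match text) from `iptables -L` output."""
    chains, cur = {}, None
    for line in dump.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            cur = chains.setdefault(m.group(1), [])
        elif line.strip() and not line.startswith("target"):
            parts = line.split(None, 5)  # target prot opt source destination [matches]
            cur.append((parts[0], parts[1], parts[5] if len(parts) > 5 else ""))
    return chains

def matches(rule, pkt):
    # proto, spts range, dpt and state must all agree; a limit: match is taken as not exhausted
    _, prot, extra = rule
    sp = re.search(r"spts:(\d+):(\d+)", extra)
    dp = re.search(r"\bdpt:(\S+)", extra)
    st = re.search(r"state (\S+)", extra)
    return (prot in ("all", pkt["proto"])
            and (not sp or int(sp.group(1)) <= pkt["sport"] <= int(sp.group(2)))
            and (not dp or dp.group(1) == pkt["dport"])
            and (not st or pkt["state"] in st.group(1).split(",")))

def verdict(chains, chain, pkt):
    """Walk a chain like the kernel: None means the walk fell off the end (policy applies)."""
    for target, _, _ in (r for r in chains[chain] if matches(r, pkt)):
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        if target in chains and (v := verdict(chains, target, pkt)):
            return v  # a user chain decided; if it returned, keep walking this chain
    return None  # LOG and other non-terminating targets fall through to the next rule
```

Run against the f1to0 excerpt, a NEW web connection from source port 3000 is accepted while one from source port 40000 falls through to logdrop and is dropped, because every TCP rule in that chain carries the spts:1024:5999 match; `iptables -L -v -n` on the live box adds the interface and counter columns this listing lacks.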
adsv
n00b


Joined: 07 Apr 2005
Posts: 3
Location: Sweden

Posted: Thu Apr 07, 2005 10:38 pm

Hmm, must be Guarddog that's failing? If you can reboot without starting X automatically, maybe you can find some config file for Guarddog in .kde/share/config, and see if you can disable automatic startup. Or a simple method may be to try switching to another virtual console (Ctrl+Alt+F2) when startup freezes (or is it a hard freeze?), log in there and try to kill the process that has hung, probably
Code:
killall guarddog
or
Code:
pkill -9 guarddog
will do the trick. You can probably find the right process by trying:
Code:
top


Hope it works..
mebrelith
Tux's lil' helper


Joined: 04 Apr 2005
Posts: 102
Location: Torreon, Coahuila, Mexico

Posted: Fri Apr 08, 2005 4:19 am

Follow me through this. As far as I know, iptables (the Linux firewall in my box) reads rc.firewall for guidelines as to what to allow and what to stop. Guarddog is a program used to easily program these guidelines and write them down into rc.firewall.
Now from the beginning of my Linux experience I've used Guarddog and I've used the same guidelines and never had any problems before.
Also, instructions from the Gentoo doc said that once I had my rules written I had to do a
Code:
/etc/init.d/iptables save
and then do a
Code:
rc-update add iptables default
in order to get iptables going. Now I understand that the 2nd line is to add iptables to the startup of my Linux. But I don't know what the 1st one does and if it's a must-do.

So, the problem remains the same I had at the beginning of all this. With the iptables on I can't browse nor get weather or anything; as far as I can tell I can only ping.
I have to remove iptables from startup in order to get browsing and whatnot.

I've run out of ideas as to what the problem could be.
I'd really appreciate some help here, obviously I don't want to keep running my Gentoo box without a firewall.
adsv
n00b


Joined: 07 Apr 2005
Posts: 3
Location: Sweden

Posted: Fri Apr 08, 2005 10:16 am

Quote:
Now from the beginning of my Linux experience I've used Guarddog and I've used the same guidelines and never had any problems before.

Has anything changed in your setup, like you're now behind a router or something?

I'm not really good enough at reading iptables rules to see something directly wrong with the setup you posted before (I'm guessing it's the same setup now), and I've never used Guarddog. All I can do is recommend Shorewall; I used it a while back, and it worked great.
mebrelith
Tux's lil' helper


Joined: 04 Apr 2005
Posts: 102
Location: Torreon, Coahuila, Mexico

Posted: Fri Apr 08, 2005 12:01 pm

Nope, the only thing changed is the Gentoo (used to be FC3). I'll try this Shoreline Firewall and see what's what. Thanks for the reply.
mekong
Tux's lil' helper


Joined: 23 Apr 2004
Posts: 93
Location: Rdam - NL - EU

Posted: Fri Apr 08, 2005 3:41 pm

Quote:
/etc/init.d/iptables save

What it does is save your currently loaded iptables rules to the file /var/lib/iptables/rules-save, so you should only run your custom firewall script once; /etc/init.d/iptables will take care of it from here on after every reboot, once you add iptables to the default runlevel (rc-update add iptables default).

About the error when you start "/etc/init.d/iptables start": did you overwrite /etc/init.d/iptables with your firewall script by accident? Because /etc/init.d/iptables starts with this line: #!/sbin/runscript, not /bin/bash. I suggest you reinstall the iptables package: "emerge net-firewall/iptables"
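A check for the two things mekong's diagnosis turns on, as an added example that is not from the thread: that /etc/init.d/iptables is still an OpenRC runscript rather than a firewall script dropped in its place, and that /var/lib/iptables/rules-save holds iptables-save output for the init script to restore. The `#!/sbin/openrc-run` shebang is the newer OpenRC form, assumed here alongside the `#!/sbin/runscript` the post cites; the files written by demo() are constructed fixtures, not real system files.

```python
import os
import re

# Paths named in the thread; on a real box pass these to check_iptables_setup().
INIT_SCRIPT = "/etc/init.d/iptables"
RULES_SAVE = "/var/lib/iptables/rules-save"
OPENRC_SHEBANGS = ("#!/sbin/runscript", "#!/sbin/openrc-run")  # 2005-era and newer OpenRC

def check_rules_save(text):
    """Return problems found in iptables-save output (what '/etc/init.d/iptables save' writes)."""
    problems, table = [], None
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # *filter, *nat, ... opens a table
            table = line[1:]
        elif table is None:
            problems.append(f"line {n}: {line!r} before any *table header")
        elif line == "COMMIT":            # closes the open table
            table = None
        elif not re.match(r"^(:\S+ \S+ \[\d+:\d+\]|-A \S+.*)$", line):
            problems.append(f"line {n}: not a chain declaration or -A rule: {line!r}")
    if table is not None:
        problems.append(f"table *{table} is missing its COMMIT")
    return problems

def check_iptables_setup(script, rules):
    """Problems with the init script (overwritten by a firewall script?) and the saved rules."""
    problems = []
    with open(script) as f:
        first = f.readline().rstrip("\n")
    if first not in OPENRC_SHEBANGS:
        problems.append(f"{script} starts with {first!r}; reinstall with emerge net-firewall/iptables")
    if not os.path.isfile(rules) or os.path.getsize(rules) == 0:
        problems.append(f"no saved rules at {rules}; run '/etc/init.d/iptables save'")
    else:
        with open(rules) as f:
            problems += check_rules_save(f.read())
    return problems

def demo():
    """Constructed fixtures: a bash firewall script sitting where the runscript should be."""
    import tempfile
    d = tempfile.mkdtemp()
    script, rules = os.path.join(d, "iptables"), os.path.join(d, "rules-save")
    with open(script, "w") as f:
        f.write("#!/bin/bash\niptables -F\n")
    with open(rules, "w") as f:
        f.write("*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\nCOMMIT\n")
    return check_iptables_setup(script, rules)
```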
mebrelith
Tux's lil' helper


Joined: 04 Apr 2005
Posts: 102
Location: Torreon, Coahuila, Mexico

Posted: Fri Apr 08, 2005 4:32 pm

Decided to take heed of the advice of re-emerging iptables and, well, what do you know? Everything works now, iptables loads and works and I have my internet as usual.
Problem solved. Thanks guys for helping!