subdriver n00b

Joined: 23 Mar 2010 Posts: 29
Posted: Tue Mar 23, 2010 11:34 am Post subject: Problems accessing net with netfilter / iptables
Dist: Gentoo 2008.0 on UltraSparc platform, kernel version 2.6.29-r1. Kernel is 64 bit with 32 bit userspace.
I am using this machine as a firewall / router for my home network, using netfilter / iptables configured using Bastille firewall. I cannot connect to the 'net; tracepath returns 'host name lookup failure', but I am able to ping the DNS servers on my ISP's network. I have tested with an earlier kernel build which doesn't have iptables compiled in, and I can access the 'net. tcpdump indicates that there is traffic both ways to the DNS server, so it seems the filter is blocking packets that I wouldn't expect it to.
I'm fairly new to packet filtering, so I don't really know where to look first; any pointers, please?
bendeguz Apprentice

Joined: 10 Feb 2010 Posts: 189
Posted: Tue Mar 23, 2010 1:02 pm Post subject:
Post your iptables configuration.
Btw, I don't know Bastille :S
subdriver n00b

Joined: 23 Mar 2010 Posts: 29
Posted: Tue Mar 23, 2010 2:55 pm Post subject:
Is this what you need?
Code:
LinserverSparc1 ~ # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
LOG tcp -- anywhere loopback/8 LOG level warning prefix `INPUT DROP 0'
DROP tcp -- anywhere loopback/8
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
LOG all -- 224.0.0.0/4 anywhere LOG level warning prefix `INPUT DROP 1 '
DROP all -- 224.0.0.0/4 anywhere
LOG all -- anywhere 192.168.0.0/16 LOG level warning prefix `INPUT DROP 2 '
DROP all -- anywhere 192.168.0.0/16
LOG all -- 192.168.0.0/16 anywhere LOG level warning prefix `INPUT DROP 3 '
DROP all -- 192.168.0.0/16 anywhere
PUB_IN all -- anywhere anywhere
INT_IN all -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP all -- anywhere 224.0.0.0/8
LOG all -- anywhere anywhere LOG level warning prefix `INPUT DROP 7 '
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
LOG tcp -- 192.168.0.0/16 0.0.0.255/0.0.0.255 tcp dpts:netbios-ns:netbios-ssn LOG level warning prefix `FORWARD DROP 4 '
DROP tcp -- 192.168.0.0/16 0.0.0.255/0.0.0.255 tcp dpts:netbios-ns:netbios-ssn
LOG udp -- 192.168.0.0/16 0.0.0.255/0.0.0.255 udp dpts:netbios-ns:netbios-ssn LOG level warning prefix `FORWARD DROP 5 '
DROP udp -- 192.168.0.0/16 0.0.0.255/0.0.0.255 udp dpts:netbios-ns:netbios-ssn
ACCEPT all -- 192.168.0.0/16 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
INT_OUT all -- anywhere anywhere
Chain INT_IN (1 references)
target prot opt source destination
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP all -- anywhere 224.0.0.0/8
LOG all -- anywhere anywhere LOG level warning prefix `INT_IN DROP 9 '
DROP all -- anywhere anywhere
Chain INT_OUT (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain PAROLE (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain PUB_IN (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
DROP tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP all -- anywhere 224.0.0.0/8
LOG icmp -- anywhere anywhere LOG level warning prefix `PUB_IN DROP 6'
DROP icmp -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `PUB_IN DROP 8 '
DROP all -- anywhere anywhere
Chain PUB_OUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LinserverSparc1 ~ #
bendeguz Apprentice

Joined: 10 Feb 2010 Posts: 189
Posted: Tue Mar 23, 2010 6:03 pm Post subject:
Sorry, forgot the -v option.
Could you please update your previous post with
Is this the default setup in Bastille?
elissoncosta n00b


Joined: 22 Jan 2009 Posts: 24 Location: Brasil
Posted: Tue Mar 23, 2010 6:04 pm Post subject: Problems accessing net with netfilter / iptables
You need to add the rule for established connections.
# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables-save > rules_file
--
Elisson Costa
Last edited by elissoncosta on Tue Mar 23, 2010 6:39 pm; edited 1 time in total
bendeguz Apprentice

Joined: 10 Feb 2010 Posts: 189
Posted: Tue Mar 23, 2010 6:16 pm Post subject:
Well, I'm not much of an iptables guru, but I think you have to enable incoming packets in the "forward" chain.
bendeguz Apprentice

Joined: 10 Feb 2010 Posts: 189
Posted: Tue Mar 23, 2010 6:25 pm Post subject:
elissoncosta wrote:
    You need to add the rule for established connections.
    # iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Yes, maybe you have to add (insert) that too,
and the same for the forward chain:
Code:
# iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
elissoncosta n00b


Joined: 22 Jan 2009 Posts: 24 Location: Brasil
Posted: Tue Mar 23, 2010 6:38 pm Post subject: Problems accessing net with netfilter / iptables
The FORWARD chain works as a filter for packets going through the firewall between two hosts on different networks.
For connections from or to the firewall itself you should configure rules on the INPUT or OUTPUT chains.
--
Elisson Costa
bendeguz Apprentice

Joined: 10 Feb 2010 Posts: 189
Posted: Tue Mar 23, 2010 7:45 pm Post subject:
"I am using this machine as a firewall / router for my home network,"
So, he wants to use it as a gateway.
subdriver n00b

Joined: 23 Mar 2010 Posts: 29
Posted: Tue Mar 23, 2010 7:50 pm Post subject:
bendeguz wrote:
    Sorry, forgot the -v option.
    Could you please update your previous post with
    Is this the default setup in Bastille?
No, it's not the default, as that doesn't give NAT or masquerading.
OK, here's the result of iptables -L -v:
Code:
LinserverSparc1 ~ # iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- !lo any anywhere loopback/8 LOG level warning prefix `INPUT DROP 0'
0 0 DROP tcp -- !lo any anywhere loopback/8
0 0 ACCEPT all -- lo any anywhere anywhere
166 13353 ACCEPT all -- eth1 any anywhere anywhere
0 0 LOG all -- any any 224.0.0.0/4 anywhere LOG level warning prefix `INPUT DROP 1 '
0 0 DROP all -- any any 224.0.0.0/4 anywhere
0 0 LOG all -- eth0 any anywhere 192.168.0.0/16 LOG level warning prefix `INPUT DROP 2 '
0 0 DROP all -- eth0 any anywhere 192.168.0.0/16
0 0 LOG all -- eth0 any 192.168.0.0/16 anywhere LOG level warning prefix `INPUT DROP 3 '
0 0 DROP all -- eth0 any 192.168.0.0/16 anywhere
242 32077 PUB_IN all -- eth0 any anywhere anywhere
0 0 INT_IN all -- eth1 any anywhere anywhere
0 0 DROP tcp -- any any anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
0 0 DROP udp -- any any anywhere anywhere udp dpts:netbios-ns:netbios-ssn
0 0 DROP all -- any any anywhere 224.0.0.0/8
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `INPUT DROP 7 '
0 0 DROP all -- any any anywhere anywhere
Chain FORWARD (policy DROP 450 packets, 38340 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- any eth0 192.168.0.0/16 0.0.0.255/0.0.0.255 tcp dpts:netbios-ns:netbios-ssn LOG level warning prefix `FORWARD DROP 4 '
0 0 DROP tcp -- any eth0 192.168.0.0/16 0.0.0.255/0.0.0.255 tcp dpts:netbios-ns:netbios-ssn
0 0 LOG udp -- any eth0 192.168.0.0/16 0.0.0.255/0.0.0.255 udp dpts:netbios-ns:netbios-ssn LOG level warning prefix `FORWARD DROP 5 '
0 0 DROP udp -- any eth0 192.168.0.0/16 0.0.0.255/0.0.0.255 udp dpts:netbios-ns:netbios-ssn
448 31172 ACCEPT all -- any eth0 192.168.0.0/16 anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
195 13560 PUB_OUT all -- any eth0 anywhere anywhere
133 26292 INT_OUT all -- any eth1 anywhere anywhere
Chain INT_IN (1 references)
pkts bytes target prot opt in out source destination
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:bootps
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:bootpc
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 DROP tcp -- any any anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
0 0 DROP udp -- any any anywhere anywhere udp dpts:netbios-ns:netbios-ssn
0 0 DROP all -- any any anywhere 224.0.0.0/8
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `INT_IN DROP 9 '
0 0 DROP all -- any any anywhere anywhere
Chain INT_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere
133 26292 ACCEPT all -- any any anywhere anywhere
Chain PAROLE (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere
Chain PUB_IN (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
3 252 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 DROP tcp -- any any anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
0 0 DROP udp -- any any anywhere anywhere udp dpts:netbios-ns:netbios-ssn
0 0 DROP all -- any any anywhere 224.0.0.0/8
0 0 LOG icmp -- any any anywhere anywhere LOG level warning prefix `PUB_IN DROP 6'
0 0 DROP icmp -- any any anywhere anywhere
239 31825 LOG all -- any any anywhere anywhere LOG level warning prefix `PUB_IN DROP 8 '
239 31825 DROP all -- any any anywhere anywhere
Chain PUB_OUT (1 references)
pkts bytes target prot opt in out source destination
195 13560 ACCEPT all -- any any anywhere anywhere
LinserverSparc1 ~ #
I'm not sure why Bastille's added 224.0.0.0 to the chains, but it originates from the /etc/Bastille/firewall.d/pre-audit.d/pre-audit.sh script.
Note, I've tweaked some settings in Bastille that I had previously set incorrectly, so the above output differs slightly from the previous one.
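A quick way to read a listing like the one above is to look only at the counters on discarding rules and chain policies. The function below is an added example, not from the thread or from Bastille: it assumes `iptables -L -v -x` output (raw counters, no K/M suffixes) on stdin in the standard column order, and runs here on a constructed excerpt of the listing posted above.

```shell
#!/bin/sh
# Added example (not from the thread or from Bastille): feed "iptables -L -v -x"
# output to find_drops to list every place packets are being discarded.
# Assumed column layout: pkts bytes target prot opt in out source destination [extra]
find_drops() {
    awk '
        # "Chain FORWARD (policy DROP 450 packets, 38340 bytes)": a built-in
        # chain whose default policy is discarding packets.
        $1 == "Chain" {
            chain = $2
            if ($3 == "(policy" && $4 != "ACCEPT" && $5 + 0 > 0)
                printf "%s policy %s: %d packets\n", chain, $4, $5
            next
        }
        # Rule lines: the first field is the packet counter. LOG rules are
        # reported too, since Bastille pairs every DROP with a LOG whose
        # prefix names the rule in syslog.
        $1 ~ /^[0-9]+$/ && $1 > 0 && ($3 == "DROP" || $3 == "REJECT" || $3 == "LOG") {
            prefix = ""
            if (match($0, /prefix .*$/)) prefix = " " substr($0, RSTART + 7)
            printf "%s rule %s: %d packets in=%s out=%s%s\n", chain, $3, $1, $6, $7, prefix
        }
    '
}

# Constructed sample: an excerpt of the "iptables -L -v" listing posted above.
sample_counters() {
    cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source         destination
    0     0 LOG        tcp  --  !lo    any     anywhere       loopback/8   LOG level warning prefix `INPUT DROP 0'
  166 13353 ACCEPT     all  --  eth1   any     anywhere       anywhere
  242 32077 PUB_IN     all  --  eth0   any     anywhere       anywhere
Chain FORWARD (policy DROP 450 packets, 38340 bytes)
 pkts bytes target     prot opt in     out     source         destination
  448 31172 ACCEPT     all  --  any    eth0    192.168.0.0/16 anywhere
Chain PUB_IN (1 references)
 pkts bytes target     prot opt in     out     source         destination
    3   252 ACCEPT     icmp --  any    any     anywhere       anywhere     icmp echo-reply
    0     0 DROP       icmp --  any    any     anywhere       anywhere
  239 31825 LOG        all  --  any    any     anywhere       anywhere     LOG level warning prefix `PUB_IN DROP 8 '
  239 31825 DROP       all  --  any    any     anywhere       anywhere
EOF
}

# Run on the constructed sample when executed directly.
sample_counters | find_drops
```

In the posted listing, the 239 packets under PUB_IN DROP 8 are packets arriving on eth0 that nothing in PUB_IN accepts, which includes the DNS answers tcpdump showed coming back, and the 450 packets hitting the FORWARD policy are return traffic for connections the LAN was allowed out on; both are exactly what an ESTABLISHED,RELATED rule in INPUT and FORWARD would let through.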
subdriver n00b

Joined: 23 Mar 2010 Posts: 29
Posted: Tue Mar 23, 2010 8:02 pm Post subject: Re: Problems accessing net with netfilter / iptables
elissoncosta wrote:
    You need to add the rule for established connections.
    # iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables-save > rules_file
    --
    Elisson Costa
Not sure if I can do that, as Bastille flushes all the chains before loading its own ones; I cannot see why Bastille won't set up the NAT / masquerading, as it's set in the /etc/Bastille/bastille-firewall.cfg configuration file (I manually added it to match the old, now dead, firewall's settings).
subdriver n00b

Joined: 23 Mar 2010 Posts: 29
Posted: Tue Mar 23, 2010 8:03 pm Post subject:
bendeguz wrote:
    "I am using this machine as a firewall / router for my home network,"
    So, he wants to use it as a gateway.
That's correct.
elissoncosta n00b


Joined: 22 Jan 2009 Posts: 24 Location: Brasil
Posted: Tue Mar 23, 2010 8:30 pm Post subject: Problems accessing net with netfilter / iptables
Add the following rules on the command line (don't flush the rules), then test it.
# iptables -t nat -A POSTROUTING -j MASQUERADE
--
Elisson Costa
bendeguz Apprentice

Joined: 10 Feb 2010 Posts: 189
Posted: Tue Mar 23, 2010 8:34 pm Post subject: Re: Problems accessing net with netfilter / iptables
subdriver wrote:
    elissoncosta wrote:
        You need to add the rule for established connections.
        # iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        # iptables-save > rules_file
        --
        Elisson Costa
    Not sure if I can do that, as Bastille flushes all the chains before loading its own ones; I cannot see why Bastille won't set up the NAT / masquerading, as it's set in the /etc/Bastille/bastille-firewall.cfg configuration file (I manually added it to match the old, now dead, firewall's settings).
But if it is like iptables on the desktop profile, then you can save the rules and this way update the iptables init script.
I use this
Code:
# /etc/init.d/iptables save
after adding some rules.
So if you boot up your gateway, then add some rules from the command line and type "iptables save", the next boot will load the new rules as well.
subdriver n00b

Joined: 23 Mar 2010 Posts: 29
Posted: Tue Mar 23, 2010 11:39 pm Post subject: Re: Problems accessing net with netfilter / iptables
elissoncosta wrote:
    You need to add the rule for established connections.
    # iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables-save > rules_file
    --
    Elisson Costa
I tried this and got the message
Code:
LinserverSparc1 ~ # iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name.
elissoncosta wrote:
    Add the following rules on the command line (don't flush the rules), then test it.
    iptables -t nat -A POSTROUTING -j MASQUERADE
I did this but still can't tracepath from the server itself.
I did notice that there are some rules that show up in iptables-save that don't show up in iptables -L -v; after adding the above, I get this with iptables-save:
Code:
LinserverSparc1 ~ # iptables-save
# Generated by iptables-save v1.4.3.2 on Tue Mar 23 23:33:20 2010
*nat
:PREROUTING ACCEPT [1607:137967]
:POSTROUTING ACCEPT [175:12146]
:OUTPUT ACCEPT [178:12323]
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Tue Mar 23 23:33:20 2010
# Generated by iptables-save v1.4.3.2 on Tue Mar 23 23:33:20 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [1389:126393]
:OUTPUT ACCEPT [2:196]
:INT_IN - [0:0]
:INT_OUT - [0:0]
:PAROLE - [0:0]
:PUB_IN - [0:0]
:PUB_OUT - [0:0]
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j LOG --log-prefix "INPUT DROP 0"
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -j LOG --log-prefix "INPUT DROP 1 "
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 192.168.0.0/16 -i eth0 -j LOG --log-prefix "INPUT DROP 2 "
-A INPUT -d 192.168.0.0/16 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth0 -j LOG --log-prefix "INPUT DROP 3 "
-A INPUT -s 192.168.0.0/16 -i eth0 -j DROP
-A INPUT -i eth0 -j PUB_IN
-A INPUT -i eth1 -j INT_IN
-A INPUT -p tcp -m tcp --dport 137:139 -j DROP
-A INPUT -p udp -m udp --dport 137:139 -j DROP
-A INPUT -d 224.0.0.0/8 -j DROP
-A INPUT -j LOG --log-prefix "INPUT DROP 7 "
-A INPUT -j DROP
-A FORWARD -s 192.168.0.0/16 -d 0.0.0.255/0.0.0.255 -o eth0 -p tcp -m tcp --dport 137:139 -j LOG --log-prefix "FORWARD DROP 4 "
-A FORWARD -s 192.168.0.0/16 -d 0.0.0.255/0.0.0.255 -o eth0 -p tcp -m tcp --dport 137:139 -j DROP
-A FORWARD -s 192.168.0.0/16 -d 0.0.0.255/0.0.0.255 -o eth0 -p udp -m udp --dport 137:139 -j LOG --log-prefix "FORWARD DROP 5 "
-A FORWARD -s 192.168.0.0/16 -d 0.0.0.255/0.0.0.255 -o eth0 -p udp -m udp --dport 137:139 -j DROP
-A FORWARD -s 192.168.0.0/16 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j PUB_OUT
-A OUTPUT -o eth1 -j INT_OUT
-A INT_IN -p tcp -m tcp --dport 22 -j PAROLE
-A INT_IN -p udp -m udp --dport 67 -j ACCEPT
-A INT_IN -p udp -m udp --dport 68 -j ACCEPT
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -p tcp -m tcp --dport 137:139 -j DROP
-A INT_IN -p udp -m udp --dport 137:139 -j DROP
-A INT_IN -d 224.0.0.0/8 -j DROP
-A INT_IN -j LOG --log-prefix "INT_IN DROP 9 "
-A INT_IN -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
-A PAROLE -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 137:139 -j DROP
-A PUB_IN -p udp -m udp --dport 137:139 -j DROP
-A PUB_IN -d 224.0.0.0/8 -j DROP
-A PUB_IN -p icmp -j LOG --log-prefix "PUB_IN DROP 6"
-A PUB_IN -p icmp -j DROP
-A PUB_IN -j LOG --log-prefix "PUB_IN DROP 8 "
-A PUB_IN -j DROP
-A PUB_OUT -j ACCEPT
COMMIT
# Completed on Tue Mar 23 23:33:20 2010
LinserverSparc1 ~ #
bendeguz Apprentice

Joined: 10 Feb 2010 Posts: 189
Posted: Wed Mar 24, 2010 12:13 am Post subject:
Well, I don't know, but isn't this ruleset overcomplicated?
If I were you I would build a basic ruleset with the rules that allow you to go out to the net (block everything in or through the gateway, except related and established packets, and allow everything out), and when it's working, then you can make it safer by adding more rules.
(I was using floppyfw (http://www.zelow.no/floppyfw/) for routing for a long time.)
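The basic stateful ruleset described here, combined with elissoncosta's ESTABLISHED,RELATED and MASQUERADE rules from earlier in the thread, written out in iptables-restore format as an added example (not from the thread and not Bastille output). The eth0/eth1 interface names and the 192.168.0.0/16 LAN are defaults taken from the thread's setup, and the helper names gateway_rules and table_rules are mine.

```shell
#!/bin/sh
# Added example, not from the thread or from Bastille: emit a minimal stateful
# gateway ruleset in iptables-restore format for a box with one public and one
# internal interface. Parameters: public iface, internal iface, LAN prefix.
# The defaults (eth0, eth1, 192.168.0.0/16) mirror the thread and are assumptions.
gateway_rules() {
    wan=${1:-eth0}; lan=${2:-eth1}; lannet=${3:-192.168.0.0/16}
    cat <<EOF
# Minimal stateful gateway ruleset. Load with: iptables-restore < file
# The nat table is what makes LAN traffic leave with the gateway's address;
# it is only listed by "iptables -t nat -L -v", not by plain "iptables -L -v".
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lannet -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to the gateway's own traffic (DNS answers, ping replies) must be let
# back in. "-m state" needs the xt_state kernel module; on current kernels
# "-m conntrack --ctstate" is the equivalent match.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Anti-spoofing: LAN source addresses must never arrive on the public side.
-A INPUT -i $wan -s $lannet -j DROP
# Trust the internal side; the public side gets only the replies above.
-A INPUT -i $lan -j ACCEPT
# Routed traffic: LAN out to the internet, and only replies back in.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lannet -j ACCEPT
COMMIT
EOF
}

# table_rules TABLE: print only the "-A ..." rule lines of one table from an
# iptables-restore/iptables-save stream on stdin (handy for reviewing a ruleset).
table_rules() {
    awk -v t="*$1" '$0 == t { on = 1; next } /^COMMIT/ { on = 0 } on && /^-A/ { print }'
}

# Print the ruleset for the interfaces given on the command line (defaults otherwise).
gateway_rules "$@"
```

Load it with iptables-restore (iptables-restore --test parses without applying it on current versions) and enable routing with sysctl -w net.ipv4.ip_forward=1; the nat table only shows up under iptables -t nat -L -v, which is why those rules appear in iptables-save but not in plain iptables -L -v.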
subdriver n00b

Joined: 23 Mar 2010 Posts: 29
Posted: Wed Mar 24, 2010 12:20 am Post subject:
bendeguz wrote:
    Well, I don't know, but isn't this ruleset overcomplicated?
    If I were you I would build a basic ruleset with the rules that allow you to go out to the net (block everything in or through the gateway, except related and established packets, and allow everything out), and when it's working, then you can make it safer by adding more rules.
    (I was using floppyfw (http://www.zelow.no/floppyfw/) for routing for a long time.)
It is complicated, but that's what Bastille generates using the configuration script. If I had any idea about using iptables then I might have a go, but I don't, sadly. I used Bastille with great success on a Mandrake installation years ago; I was hoping it would work as smoothly this time.
subdriver n00b

Joined: 23 Mar 2010 Posts: 29
Posted: Wed Mar 24, 2010 1:35 am Post subject:
I've edited out a lot of the comments to shorten it but not so many that it doesn't make sense, hopefully:
Code:
#
# /etc/bastille-firewall.cfg
#
# Configuration file for both 2.2/ipchains and 2.4/netfilter scripts
#
# the configuration values should be whitespace-delimited lists of
# appropriate values, e.g.
# TCP_PUBLIC_SERVICES="80 smtp ssh"
# lists Web (port 80), SMTP mail, and Secure Shell ports
#
# This script is suitable for workstations or simple NAT firewalls;
# you may want to add more "output" restrictions for serious servers
# 0) DNS servers (Linux 2.2/ipchains only)
# You must list your DNS servers here so that
# the firewall will allow them to service your lookup requests
#
# List of DNS servers/networks to allow "domain" responses from
# This _could_ be nameservers as a list of <ip-address>/32 entries
#
#
# To have the DNS servers parsed from /etc/resolv.conf at runtime,
# as normal workstations will want, make this variable empty
#DNS_SERVERS=""
#
DNS_SERVERS=""
# 1) define your interfaces (all systems)
# Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP
# interface
#
TRUSTED_IFACES="lo eth1"
PUBLIC_IFACES="eth0"
INTERNAL_IFACES="eth1"
# 2) services for which we want to log access attempts to syslog (all systems)
# Note this only audits connection attempts from public interfaces
#
TCP_AUDIT_SERVICES=""
UDP_AUDIT_SERVICES=""
ICMP_AUDIT_TYPES=""
# 3) services we allow connections to (all systems)
#
TCP_PUBLIC_SERVICES=""
UDP_PUBLIC_SERVICES=""
TCP_INTERNAL_SERVICES="22"
UDP_INTERNAL_SERVICES="67 68"
# 4) passive/active FTP (Linux 2.2/ipchains only)
FORCE_PASV_FTP="Y"
# 5) Services to explicitly block. (Linux 2.2/ipchains only)
TCP_BLOCKED_SERVICES="2049 2065:2090 6000:6020 7100"
UDP_BLOCKED_SERVICES="2049 6770"
ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"
# 6) Source Address Verification (all Linux systems)
# This helps prevent "IP Spoofing" attacks
#
ENABLE_SRC_ADDR_VERIFY="Y"
# 7) IP Masquerading / NAT. (all systems)
# List your internal/masq'ed networks here
#
IP_MASQ_NETWORK="192.168.0.0/255.255.0.0"
IP_MASQ_MODULES="ftp raudio vdolive"
# 8) How to react to disallowed packets (all systems)
# whether to "REJECT" or "DROP" disallowed packets; if you're running any
# public services, you probably ought to use "REJECT"; if in serious stealth
# mode, choose "DROP" so simple probes don't know if there's anything out there
REJECT_METHOD="DENY"
# 9) DHCP (Linux 2.2/ipchains only)
DHCP_IFACES="eth0"
# 10) NTP servers (Linux 2.2/ipchains only)
# more UDP fun. List IP addresses or network space of NTP servers
#
#NTP_SERVERS="" # DISABLE NTP QUERIES / SAFEST
NTP_SERVERS=""
# 11) more ICMP. (Linux 2.2/ipchains only)
# Control the outbound ICMP to make yourself invisible to
# traceroute probes
ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
# 12) Logging (all systems)
# With this enabled, ipchains will log all blocked packets.
# ** this could generate huge logs **
LOG_FAILURES="Y"
# 13) Block fragmented packets (all systems)
# There's no good reason to allow these
#ALLOW_FRAGMENTS="N" # safest
ALLOW_FRAGMENTS="Y" # old behavior
# 14) Prevent SMB broadcasts from leaking out NAT setup (all systems)
DROP_SMB_NAT_BCAST="Y" # drop those packets
# 15) Log level (iptables/netfilter/Linux 2.4 only)
IP_LOG_LEVEL=4 # iptables/netfilter default
# 16) Always attempt to use stateful features for inbound connections
# Always using state will allow the firewall to reject invalid
# packets sent to otherwise open TCP services, e.g. XMAS, NULL
# and SIN/FYN scans. The downside to choosing this behavior is that
# services may become unreachable if the packet filter's state
# table becomes full.
IP_ALWAYS_USE_STATE="N" # default, ensures services remain available
#IP_ALWAYS_USE_STATE="Y" # disallow invalid packets
bendeguz Apprentice

Joined: 10 Feb 2010 Posts: 189
Posted: Wed Mar 24, 2010 9:58 am Post subject: Re: Problems accessing net with netfilter / iptables
subdriver wrote:
    I tried this and got the message
    Code:
    LinserverSparc1 ~ # iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables: No chain/target/match by that name.
This should work. Maybe try PUB_IN instead of INPUT.
And try this for the forward chain too:
Code:
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
I can't see anything in your bastille.conf (though I've never used it). So if there are no more configuration files, then you have to set your rules by hand, because it seems it doesn't want to allow incoming packets.
So try to run those two commands... Good luck
subdriver n00b

Joined: 23 Mar 2010 Posts: 29
Posted: Wed Mar 24, 2010 10:16 pm Post subject:
Fixed.
I discovered that the module xt_state hadn't been built. Did a config, rebuilt the kernel and modules, including xt_state, and it works.
On a side note, most iptables tutorials seem to refer to kernel version 2.4 or early 2.6 (pre 2.6.15), and a lot of the filter options have been renamed since then; it makes trying to ensure you have the correct modules very difficult.
One last problem remains: psad isn't starting, it's complaining about unrecognized src/dst: myhomenet.net (myhomenet.net is my network's name); I'm guessing this needs to be set to something else in the psad.conf file.
subdriver n00b

Joined: 23 Mar 2010 Posts: 29
Posted: Sat Mar 27, 2010 12:13 am Post subject: Solved
Fixed the psad issue: found that the home network should be defined as the network IP address, i.e. 192.168.0.0/24, and not the name; that's not clear in the Bastille 'documentation' (the config file). Changed it and psad is working.