Gentoo Forums
Problems accessing net with netfilter/ iptables
Gentoo Forums Forum Index » Networking & Security
subdriver
n00b


Joined: 23 Mar 2010
Posts: 29

Posted: Tue Mar 23, 2010 11:34 am    Post subject: Problems accessing net with netfilter/ iptables

Dist: Gentoo 2008.0 on UltraSparc platform, kernel version 2.6.29-r1. Kernel is 64 bit with 32 bit userspace.
I am using this machine as a firewall / router for my home network, using netfilter / iptables configured using Bastille firewall. I cannot connect to the 'net; tracepath returns 'host name lookup failure', but I am able to ping the DNS servers on my ISP's network. I have tested with an earlier kernel build which doesn't have iptables compiled in, and I can access the 'net. TCPDump indicates that there is traffic both ways to the DNS server, so it seems the filter is blocking packets that I wouldn't expect it to.
I'm fairly new to packet filtering so don't really know where to look first; any pointers please?
bendeguz
Apprentice


Joined: 10 Feb 2010
Posts: 189

Posted: Tue Mar 23, 2010 1:02 pm    Post subject:

Post your iptables configuration.
Btw, I don't know Bastille :S
subdriver
n00b


Joined: 23 Mar 2010
Posts: 29

Posted: Tue Mar 23, 2010 2:55 pm    Post subject:

Is this what you need?

Code:

LinserverSparc1 ~ # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
LOG        tcp  --  anywhere             loopback/8          LOG level warning prefix `INPUT DROP 0'
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  224.0.0.0/4          anywhere            LOG level warning prefix `INPUT DROP 1 '
DROP       all  --  224.0.0.0/4          anywhere
LOG        all  --  anywhere             192.168.0.0/16      LOG level warning prefix `INPUT DROP 2 '
DROP       all  --  anywhere             192.168.0.0/16
LOG        all  --  192.168.0.0/16       anywhere            LOG level warning prefix `INPUT DROP 3 '
DROP       all  --  192.168.0.0/16       anywhere
PUB_IN     all  --  anywhere             anywhere
INT_IN     all  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere            tcp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       all  --  anywhere             224.0.0.0/8
LOG        all  --  anywhere             anywhere            LOG level warning prefix `INPUT DROP 7 '
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        tcp  --  192.168.0.0/16       0.0.0.255/0.0.0.255 tcp dpts:netbios-ns:netbios-ssn LOG level warning prefix `FORWARD DROP 4 '
DROP       tcp  --  192.168.0.0/16       0.0.0.255/0.0.0.255 tcp dpts:netbios-ns:netbios-ssn
LOG        udp  --  192.168.0.0/16       0.0.0.255/0.0.0.255 udp dpts:netbios-ns:netbios-ssn LOG level warning prefix `FORWARD DROP 5 '
DROP       udp  --  192.168.0.0/16       0.0.0.255/0.0.0.255 udp dpts:netbios-ns:netbios-ssn
ACCEPT     all  --  192.168.0.0/16       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
INT_OUT    all  --  anywhere             anywhere

Chain INT_IN (1 references)
target     prot opt source               destination
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere            tcp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       all  --  anywhere             224.0.0.0/8
LOG        all  --  anywhere             anywhere            LOG level warning prefix `INT_IN DROP 9 '
DROP       all  --  anywhere             anywhere

Chain INT_OUT (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
DROP       tcp  --  anywhere             anywhere            tcp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       all  --  anywhere             224.0.0.0/8
LOG        icmp --  anywhere             anywhere            LOG level warning prefix `PUB_IN DROP 6'
DROP       icmp --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level warning prefix `PUB_IN DROP 8 '
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
LinserverSparc1 ~ #
bendeguz
Apprentice


Joined: 10 Feb 2010
Posts: 189

Posted: Tue Mar 23, 2010 6:03 pm    Post subject:

Sorry, forgot the -v option.

Could you please update your previous post with
Code:
iptables -L -v


Is this the default setup in Bastille?
elissoncosta
n00b


Joined: 22 Jan 2009
Posts: 24
Location: Brasil

Posted: Tue Mar 23, 2010 6:04 pm    Post subject: Problems accessing net with netfilter/ iptables

You need to add the rule for established connections.
# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# iptables-save > rules_file

8)

--
Elisson Costa


Last edited by elissoncosta on Tue Mar 23, 2010 6:39 pm; edited 1 time in total
bendeguz
Apprentice


Joined: 10 Feb 2010
Posts: 189

Posted: Tue Mar 23, 2010 6:16 pm    Post subject:

Well, I'm not much of an iptables guru, but I think you have to enable incoming packets in the "forward" chain.
bendeguz
Apprentice


Joined: 10 Feb 2010
Posts: 189

Posted: Tue Mar 23, 2010 6:25 pm    Post subject:

elissoncosta wrote:
You need to add the rule for established connections.
# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


Yes, maybe you have to add (insert) that too,
and the same for the forward chain:
Code:

# iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
elissoncosta
n00b


Joined: 22 Jan 2009
Posts: 24
Location: Brasil

Posted: Tue Mar 23, 2010 6:38 pm    Post subject: Problems accessing net with netfilter/ iptables

The FORWARD chain works as a filter for packets that are going through the firewall between two hosts on different networks.
For connections from or to the firewall, you should configure rules in the INPUT or OUTPUT chains.

8)

--
Elisson Costa
bendeguz
Apprentice


Joined: 10 Feb 2010
Posts: 189

Posted: Tue Mar 23, 2010 7:45 pm    Post subject:

"I am using this machine as a firewall / router for my home network,"

So, he wants to use it as a gateway.
subdriver
n00b


Joined: 23 Mar 2010
Posts: 29

Posted: Tue Mar 23, 2010 7:50 pm    Post subject:

bendeguz wrote:
Sorry, forgot the -v option.

Could you please update your previous post with
Code:
iptables -L -v


Is this the default setup in Bastille?


No, it's not the default as that doesn't give NAT or masquerading.
OK, here's the result of iptables -L -v:
Code:
LinserverSparc1 ~ # iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  !lo    any     anywhere             loopback/8          LOG level warning prefix `INPUT DROP 0'
    0     0 DROP       tcp  --  !lo    any     anywhere             loopback/8 
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere   
  166 13353 ACCEPT     all  --  eth1   any     anywhere             anywhere   
    0     0 LOG        all  --  any    any     224.0.0.0/4          anywhere            LOG level warning prefix `INPUT DROP 1 '
    0     0 DROP       all  --  any    any     224.0.0.0/4          anywhere   
    0     0 LOG        all  --  eth0   any     anywhere             192.168.0.0/16      LOG level warning prefix `INPUT DROP 2 '
    0     0 DROP       all  --  eth0   any     anywhere             192.168.0.0/16
    0     0 LOG        all  --  eth0   any     192.168.0.0/16       anywhere            LOG level warning prefix `INPUT DROP 3 '
    0     0 DROP       all  --  eth0   any     192.168.0.0/16       anywhere   
  242 32077 PUB_IN     all  --  eth0   any     anywhere             anywhere   
    0     0 INT_IN     all  --  eth1   any     anywhere             anywhere   
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpts:netbios-ns:netbios-ssn
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
    0     0 DROP       all  --  any    any     anywhere             224.0.0.0/8
    0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level warning prefix `INPUT DROP 7 '
    0     0 DROP       all  --  any    any     anywhere             anywhere   

Chain FORWARD (policy DROP 450 packets, 38340 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  any    eth0    192.168.0.0/16       0.0.0.255/0.0.0.255 tcp dpts:netbios-ns:netbios-ssn LOG level warning prefix `FORWARD DROP 4 '
    0     0 DROP       tcp  --  any    eth0    192.168.0.0/16       0.0.0.255/0.0.0.255 tcp dpts:netbios-ns:netbios-ssn
    0     0 LOG        udp  --  any    eth0    192.168.0.0/16       0.0.0.255/0.0.0.255 udp dpts:netbios-ns:netbios-ssn LOG level warning prefix `FORWARD DROP 5 '
    0     0 DROP       udp  --  any    eth0    192.168.0.0/16       0.0.0.255/0.0.0.255 udp dpts:netbios-ns:netbios-ssn
  448 31172 ACCEPT     all  --  any    eth0    192.168.0.0/16       anywhere   

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  195 13560 PUB_OUT    all  --  any    eth0    anywhere             anywhere   
  133 26292 INT_OUT    all  --  any    eth1    anywhere             anywhere   

Chain INT_IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:bootps
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:bootpc
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere   
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpts:netbios-ns:netbios-ssn
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
    0     0 DROP       all  --  any    any     anywhere             224.0.0.0/8
    0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level warning prefix `INT_IN DROP 9 '
    0     0 DROP       all  --  any    any     anywhere             anywhere   

Chain INT_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere   
  133 26292 ACCEPT     all  --  any    any     anywhere             anywhere   

Chain PAROLE (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere   

Chain PUB_IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp destination-unreachable
    3   252 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp time-exceeded
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpts:netbios-ns:netbios-ssn
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
    0     0 DROP       all  --  any    any     anywhere             224.0.0.0/8
    0     0 LOG        icmp --  any    any     anywhere             anywhere            LOG level warning prefix `PUB_IN DROP 6'
    0     0 DROP       icmp --  any    any     anywhere             anywhere   
  239 31825 LOG        all  --  any    any     anywhere             anywhere            LOG level warning prefix `PUB_IN DROP 8 '
  239 31825 DROP       all  --  any    any     anywhere             anywhere   

Chain PUB_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  195 13560 ACCEPT     all  --  any    any     anywhere             anywhere   
LinserverSparc1 ~ #


I'm not sure why Bastille's added 224.0.0.0 to the chains, but it originates from the /etc/Bastille/firewall.d/pre-audit.d/pre-audit.sh script.
Note, I've tweaked some settings in bastille that I had previously set incorrectly, so the above output differs slightly from the previous one.
subdriver
n00b


Joined: 23 Mar 2010
Posts: 29

Posted: Tue Mar 23, 2010 8:02 pm    Post subject: Re: Problems accessing net with netfilter/ iptables

elissoncosta wrote:
You need to add the rule for established connections.
# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# iptables-save > rules_file

8)

--
Elisson Costa


Not sure if I can do that, as Bastille flushes all the chains before loading its own ones; I cannot see why Bastille won't set up the NAT / masquerading, as it's set in the /etc/Bastille/bastille-firewall.cfg configuration file (I manually added it to match the old, now dead, firewall's settings).
subdriver
n00b


Joined: 23 Mar 2010
Posts: 29

Posted: Tue Mar 23, 2010 8:03 pm    Post subject:

bendeguz wrote:
"I am using this machine as a firewall / router for my home network,"

So, he wants to use it as a gateway.


That's correct.
elissoncosta
n00b


Joined: 22 Jan 2009
Posts: 24
Location: Brasil

Posted: Tue Mar 23, 2010 8:30 pm    Post subject: Problems accessing net with netfilter/ iptables

Add the following rule on the command line (don't flush the rules), then test it.

# iptables -t nat -A POSTROUTING -j MASQUERADE

--
Elisson Costa
bendeguz
Apprentice


Joined: 10 Feb 2010
Posts: 189

Posted: Tue Mar 23, 2010 8:34 pm    Post subject: Re: Problems accessing net with netfilter/ iptables

subdriver wrote:
elissoncosta wrote:
You need to add the rule for established connections.
# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# iptables-save > rules_file

8)

--
Elisson Costa


Not sure if I can do that, as Bastille flushes all the chains before loading its own ones; I cannot see why Bastille won't set up the NAT / masquerading, as it's set in the /etc/Bastille/bastille-firewall.cfg configuration file (I manually added it to match the old, now dead, firewall's settings).


But if it is like iptables on the desktop profile, then you can save the rules; this way you update the iptables init script.
I use this
Code:

# /etc/init.d/iptables save

after adding some rules.

So if you boot up your gateway, then you add some rules from command line, and type "iptables save", then next boot it will load the new rules as well.
subdriver
n00b


Joined: 23 Mar 2010
Posts: 29

Posted: Tue Mar 23, 2010 11:39 pm    Post subject: Re: Problems accessing net with netfilter/ iptables

elissoncosta wrote:
You need to add the rule for established connections.
# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# iptables-save > rules_file

8)

--
Elisson Costa


I tried this and got the message
Code:
LinserverSparc1 ~ # iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name.


elissoncosta wrote:

Add the following rule on the command line (don't flush the rules), then test it.

iptables -t nat -A POSTROUTING -j MASQUERADE

I did this but still can't tracepath from the server itself.
I did notice that there are some rules that show up in iptables-save that don't show up in iptables -L -v. After adding the above, I get this with iptables-save:
Code:
LinserverSparc1 ~ # iptables-save
# Generated by iptables-save v1.4.3.2 on Tue Mar 23 23:33:20 2010
*nat
:PREROUTING ACCEPT [1607:137967]
:POSTROUTING ACCEPT [175:12146]
:OUTPUT ACCEPT [178:12323]
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Tue Mar 23 23:33:20 2010
# Generated by iptables-save v1.4.3.2 on Tue Mar 23 23:33:20 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [1389:126393]
:OUTPUT ACCEPT [2:196]
:INT_IN - [0:0]
:INT_OUT - [0:0]
:PAROLE - [0:0]
:PUB_IN - [0:0]
:PUB_OUT - [0:0]
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j LOG --log-prefix "INPUT DROP 0"
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -j LOG --log-prefix "INPUT DROP 1 "
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 192.168.0.0/16 -i eth0 -j LOG --log-prefix "INPUT DROP 2 "
-A INPUT -d 192.168.0.0/16 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth0 -j LOG --log-prefix "INPUT DROP 3 "
-A INPUT -s 192.168.0.0/16 -i eth0 -j DROP
-A INPUT -i eth0 -j PUB_IN
-A INPUT -i eth1 -j INT_IN
-A INPUT -p tcp -m tcp --dport 137:139 -j DROP
-A INPUT -p udp -m udp --dport 137:139 -j DROP
-A INPUT -d 224.0.0.0/8 -j DROP
-A INPUT -j LOG --log-prefix "INPUT DROP 7 "
-A INPUT -j DROP
-A FORWARD -s 192.168.0.0/16 -d 0.0.0.255/0.0.0.255 -o eth0 -p tcp -m tcp --dport 137:139 -j LOG --log-prefix "FORWARD DROP 4 "
-A FORWARD -s 192.168.0.0/16 -d 0.0.0.255/0.0.0.255 -o eth0 -p tcp -m tcp --dport 137:139 -j DROP
-A FORWARD -s 192.168.0.0/16 -d 0.0.0.255/0.0.0.255 -o eth0 -p udp -m udp --dport 137:139 -j LOG --log-prefix "FORWARD DROP 5 "
-A FORWARD -s 192.168.0.0/16 -d 0.0.0.255/0.0.0.255 -o eth0 -p udp -m udp --dport 137:139 -j DROP
-A FORWARD -s 192.168.0.0/16 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j PUB_OUT
-A OUTPUT -o eth1 -j INT_OUT
-A INT_IN -p tcp -m tcp --dport 22 -j PAROLE
-A INT_IN -p udp -m udp --dport 67 -j ACCEPT
-A INT_IN -p udp -m udp --dport 68 -j ACCEPT
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -p tcp -m tcp --dport 137:139 -j DROP
-A INT_IN -p udp -m udp --dport 137:139 -j DROP
-A INT_IN -d 224.0.0.0/8 -j DROP
-A INT_IN -j LOG --log-prefix "INT_IN DROP 9 "
-A INT_IN -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
-A PAROLE -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 137:139 -j DROP
-A PUB_IN -p udp -m udp --dport 137:139 -j DROP
-A PUB_IN -d 224.0.0.0/8 -j DROP
-A PUB_IN -p icmp -j LOG --log-prefix "PUB_IN DROP 6"
-A PUB_IN -p icmp -j DROP
-A PUB_IN -j LOG --log-prefix "PUB_IN DROP 8 "
-A PUB_IN -j DROP
-A PUB_OUT -j ACCEPT
COMMIT
# Completed on Tue Mar 23 23:33:20 2010
LinserverSparc1 ~ #
bendeguz
Apprentice


Joined: 10 Feb 2010
Posts: 189

Posted: Wed Mar 24, 2010 12:13 am    Post subject:

Well, I don't know, but isn't this ruleset overcomplicated?
If I were you I would build a basic ruleset with the rules that allow you to go out to the net (block everything in or through the gateway, except related and established packets; allow everything out), and when it's working, then you can make it safer by adding more rules.

(I was using floppyfw (http://www.zelow.no/floppyfw/) for routing for a long time.)
subdriver
n00b


Joined: 23 Mar 2010
Posts: 29

Posted: Wed Mar 24, 2010 12:20 am    Post subject:

bendeguz wrote:
Well, I don't know, but isn't this ruleset overcomplicated?
If I were you I would build a basic ruleset with the rules that allow you to go out to the net (block everything in or through the gateway, except related and established packets; allow everything out), and when it's working, then you can make it safer by adding more rules.

(I was using floppyfw (http://www.zelow.no/floppyfw/) for routing for a long time.)

It is complicated, but that's what Bastille generates using the configuration script. If I had any idea about using iptables then I might have a go, but I don't, sadly. I used Bastille with great success on a Mandrake installation years ago; I was hoping it would work as smoothly this time.
bendeguz
Apprentice


Joined: 10 Feb 2010
Posts: 189

Posted: Wed Mar 24, 2010 12:31 am    Post subject:

You have a config file to set up, like this one: http://www.physics.ucsb.edu/~taro/comp/dimension4100/bastille/bastille-firewall.cfg, and then you have to run a script which makes the rules from the config file?

Because if it is so, then maybe you have something wrong in the config file. Post that one too, if it is not too long.
subdriver
n00b


Joined: 23 Mar 2010
Posts: 29

Posted: Wed Mar 24, 2010 1:35 am    Post subject:

bendeguz wrote:
You have a config file to set up, like this one: http://www.physics.ucsb.edu/~taro/comp/dimension4100/bastille/bastille-firewall.cfg, and then you have to run a script which makes the rules from the config file?

Because if it is so, then maybe you have something wrong in the config file. Post that one too, if it is not too long.

I've edited out a lot of the comments to shorten it, but not so many that it doesn't make sense, hopefully:
Code:

#
# /etc/bastille-firewall.cfg
#
# Configuration file for both 2.2/ipchains and 2.4/netfilter scripts
#


# the configuration values should be whitespace-delimited lists of
# appropriate values, e.g.
#       TCP_PUBLIC_SERVICES="80 smtp ssh"
# lists Web (port 80), SMTP mail, and Secure Shell ports
#
# This script is suitable for workstations or simple NAT firewalls;
# you may want to add more "output" restrictions for serious servers

# 0) DNS servers (Linux 2.2/ipchains only)
#       You must list your DNS servers here so that
#       the firewall will allow them to service your lookup requests
#
# List of DNS servers/networks to allow "domain" responses from
# This _could_ be nameservers as a list of <ip-address>/32 entries
#
#
# To have the DNS servers parsed from /etc/resolv.conf at runtime,
# as normal workstations will want, make this variable empty
#DNS_SERVERS=""
#

DNS_SERVERS=""


# 1) define your interfaces (all systems)
#       Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP
#       interface
#

TRUSTED_IFACES="lo eth1"
PUBLIC_IFACES="eth0"
INTERNAL_IFACES="eth1"


# 2) services for which we want to log access attempts to syslog (all systems)
#       Note this only audits connection attempts from public interfaces
#

TCP_AUDIT_SERVICES=""
UDP_AUDIT_SERVICES=""
ICMP_AUDIT_TYPES=""


# 3) services we allow connections to (all systems)
#

TCP_PUBLIC_SERVICES=""
UDP_PUBLIC_SERVICES=""
TCP_INTERNAL_SERVICES="22"
UDP_INTERNAL_SERVICES="67 68"

# 4) passive/active FTP (Linux 2.2/ipchains only)

FORCE_PASV_FTP="Y"


# 5) Services to explicitly block. (Linux 2.2/ipchains only)

TCP_BLOCKED_SERVICES="2049 2065:2090 6000:6020 7100"
UDP_BLOCKED_SERVICES="2049 6770"
ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"


# 6) Source Address Verification (all Linux systems)
#       This helps prevent "IP Spoofing" attacks
#
ENABLE_SRC_ADDR_VERIFY="Y"


# 7) IP Masquerading / NAT. (all systems)
#       List your internal/masq'ed networks here
#

IP_MASQ_NETWORK="192.168.0.0/255.255.0.0"
IP_MASQ_MODULES="ftp raudio vdolive"


# 8) How to react to disallowed packets (all systems)
# whether to "REJECT" or "DROP" disallowed packets; if you're running any
# public services, you probably ought to use "REJECT"; if in serious stealth
# mode, choose "DROP" so simple probes don't know if there's anything out there

REJECT_METHOD="DENY"


# 9) DHCP (Linux 2.2/ipchains only)

DHCP_IFACES="eth0"


# 10) NTP servers (Linux 2.2/ipchains only)
#       more UDP fun. List IP addresses or network space of NTP servers
#
#NTP_SERVERS=""                         # DISABLE NTP QUERIES / SAFEST

NTP_SERVERS=""


# 11) more ICMP. (Linux 2.2/ipchains only)
#       Control the outbound ICMP to make yourself invisible to
#       traceroute probes

ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"


# 12) Logging (all systems)
#       With this enabled, ipchains will log all blocked packets.
#                ** this could generate huge logs **

LOG_FAILURES="Y"

# 13) Block fragmented packets (all systems)
#       There's no good reason to allow these
#ALLOW_FRAGMENTS="N"                            # safest
ALLOW_FRAGMENTS="Y"                             # old behavior

# 14) Prevent SMB broadcasts from leaking out NAT setup (all systems)

DROP_SMB_NAT_BCAST="Y"          # drop those packets

# 15) Log level (iptables/netfilter/Linux 2.4 only)

IP_LOG_LEVEL=4                  # iptables/netfilter default

# 16) Always attempt to use stateful features for inbound connections
#       Always using state will allow the firewall to reject invalid
#       packets sent to otherwise open TCP services, e.g. XMAS, NULL
#       and SIN/FYN scans. The downside to choosing this behavior is that
#       services may become unreachable if the packet filter's state
#       table becomes full.
IP_ALWAYS_USE_STATE="N"         # default, ensures services remain available
#IP_ALWAYS_USE_STATE="Y"        # disallow invalid packets

bendeguz
Apprentice


Joined: 10 Feb 2010
Posts: 189

Posted: Wed Mar 24, 2010 9:58 am    Post subject: Re: Problems accessing net with netfilter/ iptables

subdriver wrote:

I tried this and got the message
Code:
LinserverSparc1 ~ # iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name.



This should work. Maybe try PUB_IN instead of INPUT.
And try this for the forward chain too:

Code:
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


I can't see anything in your bastille.conf (though I've never used it). So if there are no more configuration files, then you have to set your rules by hand, because it seems it doesn't want to allow incoming packets.

So try to run those two commands... Good luck :wink:
subdriver
n00b


Joined: 23 Mar 2010
Posts: 29

Posted: Wed Mar 24, 2010 10:16 pm    Post subject:

Fixed :D
I discovered that the module xt_state hadn't been built. Did a config, rebuilt the kernel and modules, including xt_state, and it works.
On a side note, most iptables tutorials seem to refer to kernel version 2.4 or early 2.6 (pre 2.6.15), and a lot of the filter options have been renamed since then; it makes trying to ensure you have the correct modules very difficult :x
One last problem remains: psad isn't starting, it's complaining about unrecognized src/dst : myhomenet.net (myhomenet.net is my network's name); I'm guessing this needs to be set to something else in the psad.conf file.
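An added example, not code from this thread, Bastille or the Gentoo init scripts, that ties together two points made above: bendeguz's suggestion to start from a minimal stateful gateway ruleset (drop everything in or through the gateway except related/established, allow everything out) and tighten it later, and the xt_state module whose absence produced "iptables: No chain/target/match by that name". The interfaces and LAN range are the thread's; the helper names, the --apply switch and the use of iptables-restore --test for a dry run are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread: a check for the state match that the
# poster's kernel lacked, and the minimal stateful gateway ruleset that
# bendeguz suggested, built as iptables-restore input so it can be reviewed
# (or dry-run) before it replaces the Bastille chains.

# The kernel lists the iptables match modules it knows about, one per line,
# in /proc/net/ip_tables_matches. "iptables: No chain/target/match by that
# name" on a "-m state" rule is what you see when "state" is missing there
# (xt_state not built, as in the thread). Pass another file to test offline.
# Returns 0 when the state or conntrack match is available, 1 otherwise.
check_state_match() {
    matches_file="${1:-/proc/net/ip_tables_matches}"
    [ -r "$matches_file" ] || return 1
    grep -qx 'state' "$matches_file" || grep -qx 'conntrack' "$matches_file"
}

# Print a minimal stateful gateway ruleset in iptables-restore format.
# Arguments: public interface, internal interface, internal network.
# Default policy drops everything arriving at or crossing the gateway;
# only the LAN side, loopback and replies to established flows get in.
gen_gateway_rules() {
    pub="$1"; int="$2"; lan="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# hide the LAN behind the public address (what IP_MASQ_NETWORK asks for)
-A POSTROUTING -s $lan -o $pub -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections the gateway itself opened (DNS lookups, tracepath)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $int -s $lan -j ACCEPT
# replies to connections that LAN hosts opened through the gateway
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int -o $pub -s $lan -j ACCEPT
COMMIT
EOF
}

# Usage (needs root): confirm the state match exists, parse the ruleset
# without committing it, then load it. Interfaces and LAN are the thread's.
if [ "${1:-}" = "--apply" ]; then
    check_state_match || { echo "state match unavailable: build xt_state" >&2; exit 1; }
    gen_gateway_rules eth0 eth1 192.168.0.0/16 | iptables-restore --test || exit 1
    gen_gateway_rules eth0 eth1 192.168.0.0/16 | iptables-restore
fi
```

Run it with no arguments to only print nothing and define the helpers (source it, then call gen_gateway_rules to read the ruleset); with --apply it replaces the live filter and nat tables, so save them first with iptables-save as elissoncosta suggested.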
subdriver
n00b


Joined: 23 Mar 2010
Posts: 29

Posted: Sat Mar 27, 2010 12:13 am    Post subject: Solved

Fixed the psad issue: found that the home network should be defined as the network IP address, i.e. 192.168.0.0/24, and not the name; that's not clear in the Bastille 'documentation' (the config file). Changed it and psad is working.
All times are GMT