noise (n00b)
Joined: 07 Nov 2002, Posts: 35
Posted: Sun Nov 10, 2002 5:29 am, Post subject: firewall and server services
Ok... I have been installing the router for a couple of days now and I'm getting sleepy.
Firewall (rules) is driving me insane! I just can't get it to work the way I want to. I've been trying a great deal of scripts but none of them does what I want them to. Then I tried to write something myself, but since all this is new to me... well, you can figure out the outcome.
I have a static IP from my ISP.
My gentoo box is acting like a router. And that I can fix. It's forwarding traffic to my internal network and all ports to the internet appear to be closed (stealth). While I can surf around with my internal PC on the internet. Even the internal network is handling packets... samba and ssh working like they should. (I'm kinda proud of myself here, first time I'm doing this.)
Well, let's get to the real problem then...
I need to have apache+php, mysql and ftp 'working' on my router (gentoo).
But since Gentoo is just DROPPING all the packets to these ports... and just forwarding, I find myself without any servers.
I have been flipping, turning around code lines... editing, deleting... umm, everything! I also searched on forums and google but I can't find something that's working.
This is the line that I have seen mostly, but it's not working... it just gives me the error: iptables: No chain/target/match by that name
Here is the code btw:
Code:
iptables -A INPUT -m state --state NEW -p tcp --syn --destination-port 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --destination-port 80 -j ACCEPT
umm... let's see... I think that's all.
If I have forgotten any details just tell me and I'll answer!
Thank you in advance!
//noise
PS. gonna go get some sleep now
securiteaze (Tux's lil' helper)
Joined: 24 Oct 2002, Posts: 77, Location: Tulsa, Oklahoma
Posted: Sun Nov 10, 2002 7:09 am
I often find it easier to spot troublesome rules by starting with something simple and gradually getting more complex.
Start with
Code:
iptables -A INPUT --destination-port 80 -j ACCEPT
then
Code:
iptables -A INPUT -m state --state NEW --destination-port 80 -j ACCEPT
then
Code:
iptables -A INPUT -m state --state NEW -p tcp --syn --destination-port 80 -j ACCEPT
noise (n00b)
Joined: 07 Nov 2002, Posts: 35
Posted: Sun Nov 10, 2002 2:18 pm
Your first 2 lines give me the error:
Quote:
iptables v1.2.7a: Unknown arg `--destination-port'
Try `iptables -h' or 'iptables --help' for more information.
and the last line (third) gives me this error (this is also what I have been getting in the past):
Quote:
iptables: No chain/target/match/ by that name
Any more ideas on how to open up port 80 on the router (gentoo box)?
noise (n00b)
Joined: 07 Nov 2002, Posts: 35
Posted: Sun Nov 10, 2002 3:10 pm
Ok... I have cleaned out the code and here is what I've got:
Code:
#!/bin/bash
iptables -F;iptables -t nat -F;iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to [my outside IP]
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A OUTPUT -s [my outside IP] -j DROP
iptables -A OUTPUT -s [ip of the win box] -j DROP
iptables -A INPUT -s [my outside IP] -j DROP
iptables -A INPUT -s [ip of the win box] -j DROP
Here is what nmap has to say:
Quote:
nmap [my outside IP]
sendto in send_ip_raw: sendto(4, packet, 28, 0, [my outside ip], 16) => Operation not permitted
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0... bla bla bla
But I can get out from my Win box without any problems... (like I'm doing now)
But I still need gentoo to have some ports open to the outside world (ftp, http, ssh, etc...). Lynx won't even try to connect to the internet ("Alert: Unable to connect to remote host").
Any more ideas ppl?
Don't forget that "-m state --state... bla bla" gives me an error.
Thanx!!!
//noise
securiteaze (Tux's lil' helper)
Joined: 24 Oct 2002, Posts: 77, Location: Tulsa, Oklahoma
Posted: Sun Nov 10, 2002 5:23 pm
In order to specify a port, you must also specify a protocol.
Code:
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
There is another problem: once you allow a www request on port 80, the following rule prevents you from serving your pages.
Quote:
iptables -A OUTPUT -s [my outside IP] -j DROP
Not sure why you get the error with
Code:
iptables -A INPUT -m state --state NEW -p tcp --syn --destination-port 80 -j ACCEPT
Perhaps it's because '--state NEW' is practically the same thing as '-p tcp --syn' in this case.
fyerk (Apprentice)
Joined: 17 Sep 2002, Posts: 212, Location: Atlanta, GA
Posted: Mon Nov 11, 2002 1:08 pm
Most likely the last rule is giving an error because "state matching" isn't compiled in. If you compiled the netfilter code as modules, try this command to load it:
Code:
# modprobe ipt_state
In your kernel config look for State Matching (CONFIG_IP_NF_MATCH_STATE).
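Pulling the replies together, here is an added example (not from any poster in the thread) that rewrites noise's script with securiteaze's two corrections (a port match needs `-p tcp` in front of it, and no `OUTPUT ... -j DROP` for the router's own address) and fyerk's module check. It assumes eth0 faces the ISP and eth1 the LAN; the addresses are constructed placeholders, and `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: a dry-runnable rewrite of noise's router
# script with the replies' two corrections: every port match is preceded by
# -p tcp, and there is no "OUTPUT -s <outside IP> -j DROP" rule. Assumed layout:
# eth0 faces the ISP, eth1 the LAN; addresses are constructed placeholders.
IPT=${IPT:-iptables}            # set IPT=echo to print the rules instead of applying them
WAN_IF=${WAN_IF:-eth0}
WAN_IP=${WAN_IP:-203.0.113.10}  # stands in for [my outside IP]
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SERVER_PORTS="21 22 80"         # ftp, ssh and http served by the router itself

# fyerk's point: "-m state" fails with "No chain/target/match by that name" when
# the state match is neither built in nor loaded. Load it (and the FTP helper,
# needed for passive FTP data connections), then ask iptables if it is usable.
state_match_available() {
    modprobe ipt_state 2>/dev/null || true
    modprobe ip_conntrack_ftp 2>/dev/null || true
    "$IPT" -m state -h >/dev/null 2>&1
}

# Print the ruleset, one iptables argument list per line.
ruleset() {
    printf '%s\n' "-P INPUT DROP" "-P FORWARD DROP" "-P OUTPUT ACCEPT" \
        "-A INPUT -i lo -j ACCEPT" \
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT"
    for p in $SERVER_PORTS; do
        # securiteaze's point: --dport (--destination-port) is only valid after -p tcp/udp.
        echo "-A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT" \
        "-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP"
}

# Flush as the original script did, load the ruleset, then enable forwarding.
apply_rules() {
    for t in filter nat mangle; do "$IPT" -t "$t" -F; "$IPT" -t "$t" -X; done
    ruleset | while read -r line; do
        "$IPT" $line        # unquoted on purpose: each line is one argument list
    done
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Only touch the kernel when invoked with --apply; a bare run just defines the functions.
if [ "${1:-}" = "--apply" ]; then
    state_match_available || { echo "state match unavailable (CONFIG_IP_NF_MATCH_STATE)" >&2; exit 1; }
    apply_rules
fi
```

Run `IPT=echo sh firewall.sh --apply` first to see the exact iptables invocations, then without `IPT=echo` as root to apply them.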
noise (n00b)
Joined: 07 Nov 2002, Posts: 35
Posted: Mon Nov 11, 2002 3:24 pm
OMG!!! You are right edge!!!
Too bad I didn't look here before... but anyway, it's all working now.
In the rc.firewall manual, there is a list of all things required to be compiled in... and I didn't have 5 of them.
Thanx guys!!!
//noise
Bosnian[X] (n00b)
Joined: 12 Jul 2002, Posts: 66, Location: Sweden, Malmö
Posted: Tue Nov 12, 2002 2:54 pm
Quote:
(I'm kinda proud of myself here, first time I'm doing this)
Hmmm... dude, u kinda taking all the credit for my hard work
noise (n00b)
Joined: 07 Nov 2002, Posts: 35
Posted: Tue Nov 12, 2002 6:31 pm
lol yeah... couldn't do it without my lady