FINITE Guru
Joined: 10 May 2002 Posts: 449
Posted: Thu May 30, 2002 10:01 am Post subject: Monmotha iptables script?
I was just wondering if I needed to add the DNS addresses of my ISP if they are assigned dynamically. Otherwise I didn't see anything else that might need to be changed for DHCP. Could be wrong, probably am, let me know if anything else needs to be changed for DHCP.
I think the most important question is where do I put this file? Do I have to chmod +x it to make it executable or anything? Does it go in my /etc directory? After copying it to a text file I tried to click that file to open it and nothing happens, what's up with that? Did I run the script by clicking it? I named the file iptables-script, does that matter? Probably forgetting several things here that I should be asking, but as always any and all help is greatly appreciated. Thanks.
lx Veteran
Joined: 28 May 2002 Posts: 1012 Location: Netherlands
Posted: Thu May 30, 2002 11:36 am Post subject:
I hacked my ADSL modem to be the firewall so no iptables for me, but I can remember that before the hack I needed to add my DNS (static) IP (UDP) in the iptables. Maybe it's possible to use dynamic DNS (by using a script) but I don't know; I thought the smoothwall firewall provided dynamic DNS, but I haven't used that package.
_________________
"Remember there's a big difference between kneeling down and bending over.", Frank Zappa
474 l33t
Joined: 19 Apr 2002 Posts: 714
Posted: Thu May 30, 2002 1:31 pm Post subject: DNS/DHCP schematics
Sorry, I don't use iptables for my firewall but I can tell you the necessary rule schematics for DNS and DHCP to work, if that helps. For DNS:
> Allow all outgoing UDP packets from this host to any host on port 53 (stateful)
If you are using NAT to share the internet connection between other computers then consider "this host" in the above rule to mean "any host on my subnet".
For DHCP to work, I believe you will need a rule like this:
> Allow all outgoing UDP packets from this host to (any host|DHCP server) on port 67 (stateful)
For security purposes, you should probably set the above rule to allow only outgoing to your DHCP server's IP address (ask your ISP, or run a packet sniffer, or check from the firewall log), rather than any host. If DHCP doesn't work then try making the above rule non-stateful and adding an additional rule like this:
> Allow all incoming UDP packets to this host from (any host|DHCP server) to my port 68 (non-stateful).
Provided these two rules are effectively in place, then everything should be fine.
I would recommend fwbuilder for people who are looking for an easier way to create rules without having to get messy with iptables command syntax.
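The rule schematics in 474's post, written out as iptables commands. This is an added example, not code from the thread or from the Monmotha script: IPTABLES, INET_IFACE, LAN, DHCP_SERVER and DRY_RUN are names chosen here, and the 192.168.0.0/24 subnet is a constructed sample. It goes a little beyond the post by covering both the firewall itself (INPUT/OUTPUT) and the NAT case (FORWARD), and by emitting either the stateful DHCP rule or the non-stateful fallback pair. With DRY_RUN=1 (the default) the rules are printed rather than applied, so they can be reviewed on a machine without iptables.

```shell
#!/bin/sh
# Added example, not from the thread or the Monmotha script. Emits the DNS
# and DHCP rules described in 474's schematics. IPTABLES, INET_IFACE, LAN,
# DHCP_SERVER and DRY_RUN are names chosen here; 192.168.0.0/24 is a
# constructed sample subnet.

IPTABLES=${IPTABLES:-/sbin/iptables}
INET_IFACE=${INET_IFACE:-eth0}
LAN=${LAN:-192.168.0.0/24}            # "this host" widened to the NAT'd subnet
DHCP_SERVER=${DHCP_SERVER:-0.0.0.0/0} # narrow this to the ISP's server once known
DRY_RUN=${DRY_RUN:-1}                 # 1 = print the rules, 0 = apply them

# Print or execute one iptables invocation, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# DNS: outgoing UDP to port 53 from the firewall and from the LAN. Replies
# are matched by connection tracking rather than by a blanket
# "anything from source port 53" rule.
dns_rules() {
    run -A OUTPUT  -o "$INET_IFACE" -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    run -A FORWARD -s "$LAN" -o "$INET_IFACE" -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    run -A INPUT   -i "$INET_IFACE" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    run -A FORWARD -d "$LAN" -i "$INET_IFACE" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
}

# DHCP client: UDP 68 -> 67. The first DHCPDISCOVER is sent to
# 255.255.255.255, so a destination-restricted rule must also allow the
# broadcast address. "stateful" is 474's first rule; "fallback" is the
# non-stateful pair (outgoing plus incoming on port 68).
dhcp_rules() {
    mode=${1:-stateful}
    for dst in "$DHCP_SERVER" 255.255.255.255; do
        if [ "$mode" = stateful ]; then
            run -A OUTPUT -o "$INET_IFACE" -p udp --sport 68 --dport 67 -d "$dst" -m state --state NEW,ESTABLISHED -j ACCEPT
        else
            run -A OUTPUT -o "$INET_IFACE" -p udp --sport 68 --dport 67 -d "$dst" -j ACCEPT
        fi
    done
    if [ "$mode" != stateful ]; then
        run -A INPUT -i "$INET_IFACE" -p udp --sport 67 --dport 68 -s "$DHCP_SERVER" -j ACCEPT
    fi
}

dns_rules
dhcp_rules "${1:-stateful}"
```

Run it as `sh dns-dhcp-rules.sh fallback` to see the non-stateful variant. The reason the stateful DHCP rule can fail is that the server's reply does not carry the same addresses as the request (the request goes out from 0.0.0.0 to the broadcast address, the offer comes back from the server's own address), so connection tracking may not pair the two; that is what the explicit port-68 INPUT rule is for. One more caveat: Linux DHCP clients such as ISC dhclient send and receive through packet sockets, which the INPUT chain does not see, so a lease working or failing is not by itself evidence that these rules are right.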
Radar n00b
Joined: 21 May 2002 Posts: 6 Location: Schenectady, NY
Posted: Sat Jun 01, 2002 2:27 am Post subject: Re: Monmotha iptables script?
FINITE wrote:
> I think the most important question is where do I put this file? Do I have to chmod +x it to make it executable or anything? Does it go in my /etc directory? After copying it to a text file I tried to click that file to open it and nothing happens, what's up with that? Did I run the script by clicking it? I named the file iptables-script, does that matter? Probably forgetting several things here that I should be asking, but as always any and all help is greatly appreciated. Thanks.
Here's what I did. I named my script rc.firewall-2.3.8-pre3 and chmod'd it as you said to make it executable. Move the file to /etc/init.d and do a /etc/init.d/rc.firewall-2.3.8-pre3 to make sure you can execute it. Then edit /etc/conf.d/local.start, adding /etc/init.d/rc.firewall-2.3.8-pre3 to the end of the file. Now motha firewall should run at startup.
therobot Apprentice
Joined: 07 Jun 2002 Posts: 256 Location: Canada
Posted: Thu Jun 13, 2002 12:37 am Post subject:
I tried doing what you said, but it comes up with all these errors about /usr/local/sbin/iptables not existing.
I'm not really sure what that means, nor how to fix it....
Does anybody have any suggestions?
Thanks.
fbleagh Tux's lil' helper
Joined: 13 Jun 2002 Posts: 98
Posted: Thu Jun 13, 2002 11:46 am Post subject:
I think I see the problem.
Do a 'whereis iptables'
and you should see
iptables: /sbin/iptables /lib/iptables /usr/man/man8/iptables.8.gz /usr/share/man/man8/iptables.8.gz
That will show you where the iptables file is sitting,
in this case /sbin/iptables,
so just change the script to look for /sbin/iptables instead of /usr/local/sbin/iptables.
Have fun
therobot Apprentice
Joined: 07 Jun 2002 Posts: 256 Location: Canada
Posted: Thu Jun 13, 2002 10:00 pm Post subject:
OK, that worked a bit, but I'm still having a little trouble getting this working. I compiled the iptables stuff into my kernel, but when I try to run this script, this is what I get:
Code:
bash-2.05a# /etc/init.d/firewall.first
/etc/init.d/firewall.first: !/bin/sh: No such file or directory
Loading iptables firewall:
Checking IP Forwarding...enabled.
Checking IP SynCookies...support not found, but that's OK.
Flush: INPUT OUTPUT1 FORWARD modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
PREROUTING1 modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
OUTPUT2 modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
POSTROUTING modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
PREROUTING2 modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
OUTPUT3
Creating chains: INETIN INETOUT
Default Policies: INPUT:ACCEPT OUTPUT:ACCEPT FORWARD:DROP
Local Traffic Rules: 192.168.0.0/24:ACCEPT 192.168.1.0/24:ACCEPT
Setting up NAT: modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
192.168.0.0/24:MASQUERADE modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
192.168.1.0/24:MASQUERADE
Setting up INET chains: INETIN INETOUT
Flood Protection: iptables: No chain/target/match by that name
ICMP-PING
Allowing ICMP in...done
Denying hosts:
TCP Input Allow: iptables: No chain/target/match by that name
21 iptables: No chain/target/match by that name
22 iptables: No chain/target/match by that name
25 iptables: No chain/target/match by that name
80 iptables: No chain/target/match by that name
110 iptables: No chain/target/match by that name
443 iptables: No chain/target/match by that name
3333 iptables: No chain/target/match by that name
6667
UDP Input Allow: 6112 6119 4000
DNS Servers: 209.153.4.130 209.153.4.150
Accounting for SSH...SSH1
AUTH accepts: 207.69.200.132 216.32.132.250 206.132.27.156 209.81.232.66 207.45.69.69 216.80.83.185 212.158.123.66
Allowing established outbound connections back in...iptables: No chain/target/match by that name
done
Setting up INET Policies: iptables: No chain/target/match by that name
INETIN:REJECT INETOUT:ACCEPT
Done loading the firewall!
Sorry it's so long, I just don't really know what to do...
Thanks
sulu Guru
Joined: 21 May 2002 Posts: 399 Location: Dornbirn/Austria
Posted: Fri Jun 14, 2002 4:15 am Post subject:
Hmmm.
Does your script start with
#!/bin/sh
or with
!/bin/sh
The latter would be wrong.
It seems that your kernel is missing ip_tables.
Try
/sbin/modprobe ip_tables
If it reports an error you have to go through your kernel setup
(/usr/src/linux/.config) and check that in the netfilter section
#
# IP: Netfilter Configuration
#
....
CONFIG_IP_NF_IPTABLES=m
....
ip_tables will be compiled as a module (you may also compile it into the kernel). After doing this most of the errors should not appear any more.
therobot Apprentice
Joined: 07 Jun 2002 Posts: 256 Location: Canada
Posted: Fri Jun 14, 2002 6:40 am Post subject:
Yep, earlier I went back through my module and figured out that there was one thing that I missed, so I recompiled my module.... Now I get this upon running it.
Code:
bash-2.05a# /etc/init.d/firewall.first
Loading iptables firewall:
Checking IP Forwarding...enabled.
Checking IP SynCookies...support not found, but that's OK.
Flush: INPUT OUTPUT1 FORWARD PREROUTING1 OUTPUT2 POSTROUTING PREROUTING2 OUTPUT3
Creating chains: INETIN INETOUT
Default Policies: INPUT:ACCEPT OUTPUT:ACCEPT FORWARD:DROP
Local Traffic Rules: 192.168.0.0/24:ACCEPT 192.168.1.0/24:ACCEPT
Setting up NAT: iptables: No chain/target/match by that name
192.168.0.0/24:MASQUERADE iptables: No chain/target/match by that name
192.168.1.0/24:MASQUERADE
Setting up INET chains: INETIN INETOUT
Flood Protection: iptables: No chain/target/match by that name
ICMP-PING
Allowing ICMP in...done
Denying hosts:
TCP Input Allow: iptables: No chain/target/match by that name
21 iptables: No chain/target/match by that name
22 iptables: No chain/target/match by that name
25 iptables: No chain/target/match by that name
80 iptables: No chain/target/match by that name
110 iptables: No chain/target/match by that name
443 iptables: No chain/target/match by that name
3333 iptables: No chain/target/match by that name
6667
UDP Input Allow: 6112 6119 4000
DNS Servers: 209.153.4.130 209.153.4.150
Accounting for SSH...SSH1
AUTH accepts: 207.69.200.132 216.32.132.250 206.132.27.156 209.81.232.66 207.45.69.69 216.80.83.185 212.158.123.66
Allowing established outbound connections back in...iptables: No chain/target/match by that name
done
Setting up INET Policies: iptables: No chain/target/match by that name
INETIN:REJECT INETOUT:ACCEPT
Done loading the firewall!
trolley Apprentice
Joined: 12 Jun 2002 Posts: 292 Location: Canada
Posted: Fri Jun 14, 2002 1:32 pm Post subject:
Why don't you post this to the Monmotha mailing list? The author answers questions personally, so I'm sure he could help you resolve your problem.
sulu Guru
Joined: 21 May 2002 Posts: 399 Location: Dornbirn/Austria
Posted: Fri Jun 14, 2002 3:59 pm Post subject:
Uhm.
Methinks your script isn't set up correctly.
Maybe you have to fill in some fields at the top of the script.
This looks like incomplete commands.
Please post e.g. the line in the script which led to this error:
192.168.0.0/24:MASQUERADE iptables: No chain/target/match by that name
therobot Apprentice
Joined: 07 Jun 2002 Posts: 256 Location: Canada
Posted: Fri Jun 14, 2002 11:01 pm Post subject:
Code:
echo -n "Setting up NAT: "
# IPTABLES, INET_IFACE and INTERNAL_LAN are set earlier in the script, not in this excerpt.
for subnet in ${INTERNAL_LAN} ; do
    # Masquerade each internal subnet behind the internet-facing interface
    ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE
    echo -n "${subnet}:MASQUERADE "
done
echo

Code:
echo -n "Flood Protection: "
# Ping Floods (ICMP echo-request): accept at most one echo request per second
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit 1/s -i ${INET_IFACE} -j ACCEPT
echo -n "ICMP-PING "
echo

Code:
echo -n "Denying hosts: "
# DENY_ALL and DROP (the drop/reject target name) are set earlier in the script.
for host in ${DENY_ALL} ; do
    ${IPTABLES} -t filter -A INETIN -s ${host} -j ${DROP}
    echo -n "${host}:${DROP}"
done
echo
#Start allowing stuff
echo -n "TCP Input Allow: "
for port in ${TCP_ALLOW} ; do
    if [ "0$port" = "021" ]; then #Active FTP (thanks steff): data connections come from server port 20
        ${IPTABLES} -t filter -A INETIN -p tcp --sport 20 --dport 1024:65535 ! --syn -j ACCEPT
    fi
    # Non-SYN segments of an open connection are accepted; new SYNs are rate-limited
    ${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} ! --syn -j ACCEPT
    ${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} --syn -m limit --limit 2/s -j ACCEPT
    echo -n "${port} "
done
echo
echo -n "UDP Input Allow: "
for port in ${UDP_ALLOW} ; do
    ${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j ACCEPT
    echo -n "${port} "
done
echo
echo -n "DNS Servers: "
# Accept UDP replies from source port 53 of each configured resolver
for server in ${DNS} ; do
    ${IPTABLES} -t filter -A INETIN -p udp -s ${server} --sport 53 -j ACCEPT
    echo -n "${server} "
done
echo
#SSH Rulesets
if [ "$USE_SSH1" = TRUE ]; then #SSH1 uses privileged client ports
    echo -n "Accounting for SSH..."
    ${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 513:1023 ! --syn -j ACCEPT
    echo -n "SSH1 "
fi
if [ "$USE_OPENSSH" = TRUE ] ; then #OpenSSH uses unprivileged client ports
    if [ "$USE_SSH1" != TRUE ] ; then #We need to echo "Accounting for SSH..."
        echo -n "Accounting for SSH..."
    fi
    ${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 1024:65535 ! --syn -j ACCEPT
    echo -n "OpenSSH "
fi
echo
#AUTH(identd) host-based allows
if [ "$AUTH_ALLOW" != "" ] ; then
    echo -n "AUTH accepts: "
    for host in ${AUTH_ALLOW} ; do
        ${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport 113 -j ACCEPT
        echo -n "${host} "
    done
    echo
fi
echo -n "Allowing established outbound connections back in..."
# Requires the state match (connection tracking) in the kernel
${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "done"
echo -n "Setting up INET Policies: "
# Drop if we cant find a valid inbound rule.
${IPTABLES} -t filter -A INETIN -j ${DROP}
echo -n "INETIN:${DROP} "
#We can send what we want to the internet
${IPTABLES} -t filter -A INETOUT -j ACCEPT
echo -n "INETOUT:ACCEPT "
echo
echo "Done loading the firewall!"
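A check that serves both sulu's kernel-config advice and the excerpt above: the rules that still fail after ip_tables loads are exactly the ones using `-j MASQUERADE`, `-m limit` and `-m state`, and iptables reports "No chain/target/match by that name" when the kernel lacks the extension behind such a target or match. The script below is an added example, not code from the thread or the Monmotha script. It reads a kernel .config and reports which of the netfilter options the excerpt depends on are built in, modular, or absent. The CONFIG_IP_NF_* names are the 2.4-series kernel's own option names; REQUIRED_OPTIONS, netfilter_option_state and check_netfilter_config are names chosen here, and the sample config is constructed to resemble the fragment sulu quoted.

```shell
#!/bin/sh
# Added example, not from the thread or the Monmotha script. Reports which
# 2.4-series netfilter options a kernel .config provides, so a firewall
# script that needs the nat table, MASQUERADE, REJECT and the limit/state
# matches can be checked before it is run. The function and variable names
# are chosen here; the CONFIG_* names are the kernel's own.

# Options the posted script relies on, with the feature each one backs.
REQUIRED_OPTIONS="
CONFIG_IP_NF_CONNTRACK:connection_tracking
CONFIG_IP_NF_IPTABLES:ip_tables
CONFIG_IP_NF_FILTER:filter_table
CONFIG_IP_NF_NAT:nat_table
CONFIG_IP_NF_MANGLE:mangle_table
CONFIG_IP_NF_TARGET_MASQUERADE:MASQUERADE_target
CONFIG_IP_NF_TARGET_REJECT:REJECT_target
CONFIG_IP_NF_MATCH_LIMIT:limit_match
CONFIG_IP_NF_MATCH_STATE:state_match
"

# Print y (built in), m (module) or missing for one option in a .config.
netfilter_option_state() {
    config_file=$1
    option=$2
    line=$(grep "^${option}=" "$config_file" 2>/dev/null || true)
    case "$line" in
        "${option}=y") echo y ;;
        "${option}=m") echo m ;;
        *)             echo missing ;;
    esac
}

# Print one "option state feature" line per required option and return
# the number of missing options (0 means every rule in the excerpt can load).
check_netfilter_config() {
    config_file=$1
    missing=0
    for entry in $REQUIRED_OPTIONS; do
        option=${entry%%:*}
        feature=${entry#*:}
        state=$(netfilter_option_state "$config_file" "$option")
        printf '%-32s %-8s %s\n' "$option" "$state" "$feature"
        if [ "$state" = missing ]; then
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample config: ip_tables and the filter table are present,
# but the nat table, the MASQUERADE target and the state match are not,
# which is the shape of failure seen in the second run posted above.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
# CONFIG_IP_NF_MATCH_STATE is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_NAT is not set
CONFIG_IP_NF_MANGLE=y
EOF

# Report on the sample; on a real box pass /usr/src/linux/.config instead.
check_netfilter_config "$SAMPLE_CONFIG" || echo "$? option(s) missing"
```

Run `check_netfilter_config /usr/src/linux/.config` against the live kernel source; a non-zero return is the count of options to enable (as `=y` or `=m`) before rebuilding. For options built as modules, `/sbin/modprobe ip_tables` as sulu suggests is only the first step: the MASQUERADE, limit and state extensions live in their own modules and iptables normally loads them on demand, so a failure there points at the option not being enabled at all rather than at modprobe.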