The_Paranoid (Tux's lil' helper)
Joined: 04 Mar 2004 Posts: 98 Location: Tübingen/Germany
Posted: Wed Mar 17, 2004 10:42 am Post subject: iptables, ping, hostname and KDE Problems
Very confusing.
I added iptables to the default runlevel and edited hostnames. Then rebooted and KDE
didn't start anymore. Tried everything: editing hostnames back, re-emerging. Didn't work. Then I tried to ping myself, which didn't work either.
So I stopped iptables so ping works. Result is that KDE works, too ... why is that??
How to enable ping in iptables and get rid of the .(none) at the login screen??
dnsdomainname: ath.cx
hostname: theparanoid
hosts: 127.0.0.1 localhost theparanoid theparanoid.ath.cx
I don't have a static IP and no network IP. So 127.0.0.1 is the only entry.
avendesora (Veteran)
Joined: 16 Aug 2002 Posts: 1739 Location: Betelgeuse vicinity
Posted: Wed Mar 17, 2004 10:57 am Post subject:
If you haven't configured iptables at all, then it probably starts up with a default "safe"
configuration: deny anything from anywhere... (That includes pings and any other type
of network traffic.)
You should read up on the Gentoo Security Guide if you want to set up a firewall (Chap. 12 has iptables info).
adaptr (Watchman)
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Wed Mar 17, 2004 11:00 am Post subject: Re: iptables, ping, hostname and KDE Problems
The_Paranoid wrote:
    Very confusing.
    I added iptables to the default runlevel and edited hostnames. Then rebooted and KDE
    didn't start anymore. Tried everything: editing hostnames back, re-emerging. Didn't work. Then I tried to ping myself, which didn't work either.
    So I stopped iptables so ping works. Result is that KDE works, too ... why is that??
Because the X server uses network sockets to connect you to it.
Without a working network config (even if only the local loopback) you won't be able to use X.
The_Paranoid wrote:
    How to enable ping in iptables
Add a rule to allow ICMP traffic.
Better yet - belay configuring a full iptables firewall until you have read up on it.
It's not something you will learn in a weekend.
The_Paranoid wrote:
    and get rid of the .(none) at the login screen??
    dnsdomainname: ath.cx
    hostname: theparanoid
    hosts: 127.0.0.1 localhost theparanoid theparanoid.ath.cx
Don't alter the localhost line.
Add a line with your external IP, like so:
Code:
    10.10.10.10 theparanoid.ath.cx theparanoid
If you don't have a static IP, my advice would be to add this to your startup scripts.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
The_Paranoid (Tux's lil' helper)
Joined: 04 Mar 2004 Posts: 98 Location: Tübingen/Germany
Posted: Wed Mar 17, 2004 11:12 am Post subject:
iptables is configured to drop all INPUT except RELATED,ESTABLISHED and services like www, ftp, ssh and p2p. After adding icmp, ping works, too.
iptables -L looks like this:

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5000
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:5001
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9176
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:9176
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:rfe
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5003
    ACCEPT     icmp --  anywhere             anywhere

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
With startup scripts, you mean adding "10.10.10.10 theparanoid.ath.cx theparanoid" to /etc/hosts??
Thx for the answers
adaptr (Watchman)
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Wed Mar 17, 2004 11:46 am Post subject:
No, you say you do not have a static IP on the box.
This means you have a DHCP setup, since it's nigh impossible to install Gentoo without any net connection.
The startup scripts allow for the dynamic assigning of nameservers and gateways - I would think assigning a hosts line when dhcp gets an IP is well within the realm of possibilities.
X uses port 6000 on the localhost by default; you may want to drop all iptables rules on the loopback interface anyway - they're kinda pointless.
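The "assign a hosts line when dhcp gets an IP" idea above, as an added example that is not adaptr's or the thread's code: a small script a DHCP client hook (a dhcpcd hook script, for instance) can call with the lease address to rewrite the box's non-loopback /etc/hosts entry, leaving the 127.0.0.1 line alone. The hostnames are the thread's; the hook mechanism and the addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: keep the non-loopback hosts entry
# for this box in sync with the address a DHCP lease hands out.
# Assumptions: a DHCP client hook (e.g. a dhcpcd hook script) calls
# update_hosts_entry with the lease address; the names are the thread's
# (theparanoid / theparanoid.ath.cx), the addresses are constructed.
# The 127.0.0.1 localhost line is never modified, as adaptr advises.

# update_hosts_entry FILE IP FQDN SHORT
# Drops any existing non-loopback line that names FQDN or SHORT, then
# appends "IP FQDN SHORT". The file is replaced atomically so a reader
# never sees a half-written hosts file.
update_hosts_entry() {
    file=$1 ip=$2 fqdn=$3 short=$4
    tmp=$(mktemp "${file}.XXXXXX")
    awk -v fqdn="$fqdn" -v short="$short" '
        # comments, blank lines and the loopback line pass through untouched
        /^[ \t]*#/ || /^[ \t]*$/ || $1 == "127.0.0.1" { print; next }
        {
            drop = 0
            for (i = 2; i <= NF; i++)
                if ($i == fqdn || $i == short) drop = 1
            if (!drop) print
        }' "$file" > "$tmp"
    printf '%s\t%s %s\n' "$ip" "$fqdn" "$short" >> "$tmp"
    chmod 644 "$tmp"
    mv "$tmp" "$file"
}

# external_ip FILE NAME
# Prints the address of the first non-loopback line that names NAME,
# i.e. what update_hosts_entry last wrote for it.
external_ip() {
    awk -v name="$2" '
        $1 != "127.0.0.1" {
            for (i = 2; i <= NF; i++)
                if ($i == name) { print $1; exit }
        }' "$1"
}

# Hook-style usage (dhcpcd exports the lease address as new_ip_address):
#   update_hosts_entry /etc/hosts "$new_ip_address" theparanoid.ath.cx theparanoid
```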
The_Paranoid (Tux's lil' helper)
Joined: 04 Mar 2004 Posts: 98 Location: Tübingen/Germany
Posted: Wed Mar 17, 2004 12:08 pm Post subject:
Yep, no static IP.
But I didn't set up any DHCP either.
Quote:
    I would think assigning a hosts line when dhcp gets an IP is well within the realm of possibilities.
How to do that?? Checking the IP and editing files every time I reconnect is kinda silly ... any way to do this automatically?
How to accept traffic on port 6000 only for localhost, so that the port is closed to the outside world??
adaptr (Watchman)
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Wed Mar 17, 2004 1:58 pm Post subject:
Code:
    iptables -A INPUT -i lo -j ACCEPT
For starters.
If you enter this as the first rule of the INPUT chain you can at least use all local services.
Of course I mean automatically.
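The ruleset the thread converges on, as an added example rather than anything adaptr or the poster wrote: the loopback rule goes in first, so X on 127.0.0.1:6000 and other local services work under a DROP policy while no rule opens 6000 on the real interface. It assumes the named services map to ports 80, 21 and 22 (rfe is left out) and takes the command to run as an argument, so "echo iptables" prints the rules for review instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: build the INPUT chain in the order
# adaptr recommends. The loopback rule comes first, so X on 127.0.0.1:6000
# and other local services work under a DROP policy without port 6000
# being opened on the real interface. apply_rules takes the command to
# run: "iptables" applies the rules (root required); "echo iptables"
# prints them for review. Port list is the poster's listing (assumption:
# www/ftp/ssh map to 80, 21, 22; rfe omitted).
TCP_PORTS="80 21 22 5000 5003 9176"
UDP_PORTS="5001 9176"

apply_rules() {
    ipt=$1
    $ipt -F INPUT
    $ipt -P INPUT DROP
    $ipt -P FORWARD ACCEPT
    $ipt -P OUTPUT ACCEPT
    # 1. Loopback first: everything on lo (X on 6000, local daemons)
    $ipt -A INPUT -i lo -j ACCEPT
    # 2. Replies to connections this box opened
    $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 3. ICMP, so ping and error messages get through
    $ipt -A INPUT -p icmp -j ACCEPT
    # 4. Services reachable from outside, one rule per port
    for p in $TCP_PORTS; do
        $ipt -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $UDP_PORTS; do
        $ipt -A INPUT -p udp --dport "$p" -j ACCEPT
    done
    # No rule for 6000 on a real interface: the DROP policy keeps X
    # reachable from loopback only.
}

# first_input_rule: the first "-A INPUT" rule a dry run emits; it must be
# the loopback rule so local traffic never reaches the later matches.
first_input_rule() {
    apply_rules "echo iptables" | grep -- '-A INPUT' | head -n 1
}

# opens_port PORT: succeeds if the dry run accepts PORT from any interface
opens_port() {
    apply_rules "echo iptables" | grep -q -- "--dport $1 "
}

# Apply for real when run as root:  apply_rules iptables
```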