o5gmmob8 Guru
Joined: 17 Oct 2003 Posts: 507
Posted: Fri Feb 11, 2005 4:49 am Post subject: kmyfirewall/iptables issues |
Hi,
I am having issues with my firewall on my AMD64. I haven't been able to run it, as it does not allow outgoing traffic from my machine. I cannot ping other computers or surf the Internet.
It is set up to allow certain things in, forwards nothing, and allows everything out of this machine. The strange thing is, whenever the policy for INPUT is changed from DROP to ACCEPT, it works. Here is my ruleset; it is similar to a server I manage which has a working firewall.
Code: |
#!/bin/sh
#
# copyright (c) the KMyFirewall developers 2002
# mail to: Christian Hubinger <e9806056@student.tuwien.ac.at>
#
# KMyFirewall v0.9.6.2
# This is an automatic generated file DO NOT EDIT
#
IPT="/sbin/iptables"
MOD="/sbin/modprobe"
status="0"
startFirewall() {
echo
echo "Starting firewall..."
# Define all custom chains
echo -n "Create custom chains... "
echo "Done."
# Rules:
echo "Settup Rules in Table FILTER:
"
# Define Rules for Chain: INPUT
echo -n "Create Rules for Chain: INPUT "
$IPT -t filter -A INPUT --destination 127.0.0.1 --in-interface lo -j ACCEPT || { status="1"; echo "Setting up Rule: LOOPBACK_INPUT FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp --destination-port 22 -j ACCEPT || { status="1"; echo "Setting up Rule: SSH_SERVER FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol icmp --icmp-type echo-request --match limit --limit 5/minute -j ACCEPT || { status="1"; echo "Setting up Rule: PING_INPUT FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp --destination-port 53 -j ACCEPT || { status="1"; echo "Setting up Rule: DNS_tcp FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol udp --destination-port 53 -j ACCEPT || { status="1"; echo "Setting up Rule: DNS_udp FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp --match multiport --destination-port 67,68 -j ACCEPT || { status="1"; echo "Setting up Rule: DHCP_tcp FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol udp --match multiport --destination-port 67,68 -j ACCEPT || { status="1"; echo "Setting up Rule: DHCP_udp FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --source AC-CDNS2.net.cmu.edu -j ACCEPT || { status="1"; echo "Setting up Rule: CMU_DNS FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --source AC-CDNS2.net.cmu.edu --protocol tcp --destination-port 1025:6553 -j ACCEPT || { status="1"; echo "Setting up Rule: CMU_DNS_ports FAILED !!!"; exit 1; }
#$IPT -t filter -P INPUT ACCEPT || { status="1"; echo "Setting up Rule: Chain: INPUT Default Target FAILED !!!"; exit 1; }
$IPT -t filter -P INPUT DROP || { status="1"; echo "Setting up Rule: Chain: INPUT Default Target FAILED !!!"; exit 1; }
echo "Done."
# Define Rules for Chain: OUTPUT
echo -n "Create Rules for Chain: OUTPUT "
$IPT -t filter -P OUTPUT ACCEPT || { status="1"; echo "Setting up Rule: Chain: OUTPUT Default Target FAILED !!!"; exit 1; }
echo "Done."
# Define Rules for Chain: FORWARD
echo -n "Create Rules for Chain: FORWARD "
$IPT -t filter -P FORWARD DROP || { status="1"; echo "Setting up Rule: Chain: FORWARD Default Target FAILED !!!"; exit 1; }
echo "Done."
echo -n "Disable IP Forwarding. "
echo 0 > /proc/sys/net/ipv4/ip_forward
echo "Done.
"
echo -n "Disable Reverse Path Filtering "
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done
echo "Done.
"
echo -n "Disable log_martians (logging). "
for i in /proc/sys/net/ipv4/conf/*/log_martians ; do
echo 0 > $i
done
echo "Done.
"
#echo -n "Disable Syn Cookies. "
#echo 0 > /proc/sys/net/ipv4/tcp_syncookies
#echo "Done.
#"
}
stopFirewall() {
echo -n "Shutdown KMyFirewall... "
$IPT -t filter -F || status="1"
$IPT -t filter -X || status="1"
$IPT -t filter -P INPUT ACCEPT || status="1"
$IPT -t filter -P OUTPUT ACCEPT || status="1"
$IPT -t filter -P FORWARD ACCEPT || status="1"
echo "Done."
}
case $1 in
start)
stopFirewall
startFirewall
;;
stop)
stopFirewall
;;
restart)
stopFirewall
startFirewall
;;
*)
echo "Usage: sh kmyfirewall.sh { start | stop | restart } "
;;
esac
if [ "$status" = "1" ]; then
exit 1
else
exit 0
fi
|
Thanks,
Walter
o5gmmob8 Guru
Joined: 17 Oct 2003 Posts: 507
Posted: Fri Mar 04, 2005 4:18 pm Post subject: kmyfirewall/iptables issues |
Hi,
Here is dmesg; I am logging what OUTPUT drops even though it is set to accept everything...
Code: |
firewall_output:IN= OUT=eth0 SRC=my.ip.address.xxx DST=35.11.184.134 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=6921 DF PROTO=TCP SPT=9176 DPT=3196 WINDOW=32767 RES=0x00 ACK PSH URGP=0
|
This shouldn't be dropped?
Walter
meyerm Veteran
Joined: 27 Jun 2002 Posts: 1311 Location: Munich / Germany
Posted: Fri Mar 04, 2005 5:19 pm Post subject: |
Please send us the output of "iptables -nvL".
o5gmmob8 Guru
Joined: 17 Oct 2003 Posts: 507
|
Posted: Fri Mar 04, 2005 6:27 pm Post subject: kmyfirewall/iptables issues |
Here is the output from iptables -nvL
Code: |
Chain INPUT (policy DROP 45 packets, 8552 bytes)
 pkts bytes target  prot opt in  out source     destination
    0     0 ACCEPT  all  --  lo  *   0.0.0.0/0  127.0.0.1
    0     0 ACCEPT  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   tcp dpt:22
    0     0 ACCEPT  icmp --  *   *   0.0.0.0/0  0.0.0.0/0   icmp type 8 limit: avg 5/min burst 5
   27  3139 LOG     all  --  *   *   0.0.0.0/0  0.0.0.0/0   limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix `firewall_input:'

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out source     destination
    0     0 LOG     all  --  *   *   0.0.0.0/0  0.0.0.0/0   limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix `firewall_forward:'

Chain OUTPUT (policy ACCEPT 17 packets, 1199 bytes)
 pkts bytes target  prot opt in  out source     destination
   17  1199 LOG     all  --  *   *   0.0.0.0/0  0.0.0.0/0   limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix `firewall_output:'
|
Walter
meyerm Veteran
Joined: 27 Jun 2002 Posts: 1311 Location: Munich / Germany
Posted: Fri Mar 04, 2005 7:04 pm Post subject: |
Try
Code: |
iptables -I INPUT 2 -m state --state RELATED,ESTABLISHED -j ACCEPT
|
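Why that one rule is the fix, as an added example that is not code from the thread or from KMyFirewall: a small Python model of an INPUT chain with a DROP policy plus a connection-tracking table, replaying the two cases from this thread (the reply to an outbound TCP connection and the reply to an outbound DNS query) with and without the `-m state --state RELATED,ESTABLISHED` rule inserted at position 2. The addresses, ports and packets are constructed for the demo; the conntrack model only distinguishes NEW from ESTABLISHED and does not model RELATED, which in netfilter needs ICMP-error tracking or protocol helpers.

```python
"""Why a DROP policy on INPUT breaks outbound connections without a conntrack rule.

Added example, not code from the thread or from KMyFirewall.  A cut-down netfilter:
an INPUT chain with a policy and a conntrack table that labels packets NEW or
ESTABLISHED roughly as ipt_state does.  RELATED is not modelled.  Addresses, ports
and packets below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

class ConnTrack:
    """Flow table keyed on the unordered 5-tuple.  The first reply packet is already
    ESTABLISHED (that is what lets a SYN/ACK through); original-direction packets
    stay NEW until a reply has been seen."""
    def __init__(self) -> None:
        self._flows: Dict[Tuple, Dict] = {}

    @staticmethod
    def _key(p: Packet) -> Tuple:
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def state(self, p: Packet) -> str:
        flow = self._flows.get(self._key(p))
        if flow is None:
            return "NEW"
        return "ESTABLISHED" if (p.src, p.sport) != flow["orig"] or flow["replied"] else "NEW"

    def note(self, p: Packet) -> None:
        """Record a packet the filter accepted (conntrack confirms entries only then)."""
        flow = self._flows.setdefault(self._key(p), {"orig": (p.src, p.sport), "replied": False})
        if (p.src, p.sport) != flow["orig"]:
            flow["replied"] = True

@dataclass
class Rule:
    name: str
    match: Callable[[Packet, str], bool]   # (packet, conntrack state) -> matched?
    target: str                            # "ACCEPT" or "DROP"

class Chain:
    def __init__(self, policy: str) -> None:
        self.rules: List[Rule] = []   # rules.append == iptables -A, rules.insert(pos-1) == iptables -I pos
        self.policy = policy

    def verdict(self, p: Packet, state: str) -> Tuple[str, str]:
        """First matching rule wins; otherwise the chain policy applies."""
        for r in self.rules:
            if r.match(p, state):
                return r.target, r.name
        return self.policy, "policy"

class Host:
    def __init__(self) -> None:
        self.ct, self.INPUT = ConnTrack(), Chain("DROP")

    def send(self, p: Packet) -> None:
        self.ct.note(p)   # OUTPUT policy is ACCEPT in the posted ruleset: nothing filters it

    def receive(self, p: Packet) -> Tuple[str, str, str]:
        st = self.ct.state(p)
        v, why = self.INPUT.verdict(p, st)
        if v == "ACCEPT":
            self.ct.note(p)
        return v, why, st

def kmyfirewall_ruleset(host: Host) -> None:
    """The INPUT rules from the posted script that matter here (interface matches omitted)."""
    host.INPUT.rules += [
        Rule("LOOPBACK_INPUT", lambda p, s: p.dst == "127.0.0.1", "ACCEPT"),
        Rule("SSH_SERVER", lambda p, s: p.proto == "tcp" and p.dport == 22, "ACCEPT"),
        Rule("DNS_tcp", lambda p, s: p.proto == "tcp" and p.dport == 53, "ACCEPT"),
        Rule("DNS_udp", lambda p, s: p.proto == "udp" and p.dport == 53, "ACCEPT"),
    ]
    host.INPUT.policy = "DROP"

def run_scenarios(stateful: bool) -> Dict[str, str]:
    """Replay four packets against the ruleset, with or without the state rule."""
    host = Host()
    kmyfirewall_ruleset(host)
    if stateful:   # iptables -I INPUT 2 -m state --state RELATED,ESTABLISHED -j ACCEPT
        host.INPUT.rules.insert(1, Rule("RELATED,ESTABLISHED",
                                        lambda p, s: s in ("ESTABLISHED", "RELATED"), "ACCEPT"))
    out: Dict[str, str] = {}
    # 1. Outbound HTTP: the SYN leaves through OUTPUT (policy ACCEPT), but the SYN/ACK
    #    comes back to ephemeral port 9176, which no explicit INPUT rule covers.
    host.send(Packet("192.0.2.10", "198.51.100.5", "tcp", 9176, 80))
    out["http_reply"] = host.receive(Packet("198.51.100.5", "192.0.2.10", "tcp", 80, 9176))[0]
    # 2. Outbound DNS: "DNS_udp" admits queries TO port 53 on this box, not replies
    #    FROM port 53, whose destination port is the ephemeral one.
    host.send(Packet("192.0.2.10", "198.51.100.53", "udp", 4321, 53))
    out["dns_reply"] = host.receive(Packet("198.51.100.53", "192.0.2.10", "udp", 53, 4321))[0]
    # 3. Unsolicited SYN to a port this box does not serve: must stay dropped either way.
    out["unsolicited_80"] = host.receive(Packet("203.0.113.7", "192.0.2.10", "tcp", 40000, 80))[0]
    # 4. New inbound SSH: admitted by the explicit rule regardless of conntrack state.
    out["ssh_new"] = host.receive(Packet("203.0.113.7", "192.0.2.10", "tcp", 40001, 22))[0]
    return out
```

Without the state rule, every reply lands on the ephemeral destination port, matches none of the service rules and falls through to the DROP policy; conntrack already knows the flow is ESTABLISHED, but no rule consults that state. With the rule at position 2 (after loopback, ahead of the per-service rules) replies to connections this host initiated are accepted while unsolicited inbound SYNs are still dropped. Note also that a rule accepting `--destination-port 53` admits queries to a resolver on this box, not replies from an upstream one; the posted CMU_DNS_ports rule, which accepts a wide port range from one source, looks like a stateless workaround for exactly that, and the state match makes it unnecessary.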
o5gmmob8 Guru
Joined: 17 Oct 2003 Posts: 507
Posted: Sat Mar 05, 2005 8:03 pm Post subject: kmyfirewall/iptables issues |
Hi,
I tried that but am getting an error. My iptables setup does not have connection tracking support, which is why I am getting that error, I believe.
Code: |
iptables: No chain/target/match by that name
|
This is my setup:
Code: |
< > Connection tracking (required for masq/NAT)
[ ] Connection tracking flow accounting (NEW)
< > SCTP protocol connection tracking support (EXPERIMENTAL) (NEW)
< > FTP protocol support (NEW)
< > IRC protocol support (NEW)
< > TFTP protocol support (NEW)
< > Amanda backup protocol support (NEW)
< > Userspace queueing via NETLINK
|
The ones listed above are not installed in the kernel or as modules. Everything else is built though, so it should work fine.
Walter
meyerm Veteran
Joined: 27 Jun 2002 Posts: 1311 Location: Munich / Germany
Posted: Sun Mar 06, 2005 11:29 am Post subject: |
Hmm, the needed selection would be "Connection state match support", but you already said you have included that. The INPUT chain is always there and the target ACCEPT is also nothing special. So I'm quite surprised that you get that error. Is the following file present? And if yes, could you please try to load it manually before issuing the iptables command?
Code: |
/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko
|
Alternatively, you could try to change the command above to this:
Code: |
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
o5gmmob8 Guru
Joined: 17 Oct 2003 Posts: 507
Posted: Sun Mar 06, 2005 4:46 pm Post subject: kmyfirewall/iptables issue |
Hi,
I have tried both appending and inserting the chain, both with no success. My kernel doesn't appear to have that support as I have compiled everything into the kernel, not as modules. I cannot reboot my system remotely as it doesn't work under 2.6.11-gentoo-r1 just yet.
Walter
o5gmmob8 Guru
Joined: 17 Oct 2003 Posts: 507
Posted: Sun Mar 13, 2005 4:33 am Post subject: iptables |
Hi,
That did it. I appended this to my setup and now it restricts traffic like it should.
Code: |
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
I am now using the gentoo-dev-sources 2.6.11-r3 with a ps/2 mouse so I have all modules for iptables built.
Thanks,
Walter