Corona688 Veteran
Joined: 10 Jan 2004 Posts: 1204
Posted: Mon May 01, 2006 4:21 pm Post subject: firewall problems [SOLVED]
Whenever anything goes wrong with my network setup, the first thing I try is /etc/init.d/iptables stop and lo and behold, it's my firewall that's suddenly and inexplicably decided to block yet another service that worked fine before...
This is getting really annoying, and people won't help me fix these problems in general. Fine. If you won't tell me a solution, then how can I at least trace which things are being blocked by which firewall rules, where, when? (Don't tell me tcpdump, I already tried that, it only prints things that get through then tells me how many packets got filtered WHEN I QUIT. Real useful that.)
_________________
Petition for Better 64-bit ATI Drivers - Sign Here
http://www.petitiononline.com/atipet/petition.html
Last edited by Corona688 on Tue May 02, 2006 2:26 pm; edited 1 time in total
bluedevils Apprentice
Joined: 21 Jul 2004 Posts: 252 Location: Vancouver BC -> NYC, NY
Posted: Mon May 01, 2006 4:39 pm Post subject:
I'm confused. Doesn't iptables -L list what iptables is doing?
Corona688 Veteran
Joined: 10 Jan 2004 Posts: 1204
Posted: Mon May 01, 2006 5:13 pm Post subject:
No. It tells me this:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT udp -- anywhere anywhere udp dpt:bootps reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:domain reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpts:0:1023
DROP udp -- anywhere anywhere udp dpts:0:1023
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere 10.1.1.0/24
ACCEPT all -- 10.1.1.0/24 anywhere
ACCEPT all -- anywhere 10.1.1.0/24
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
It does not tell me what it is DOING. For example, when it begins blocking samba for no readily discernible reason, I would like it to tell me the packets it drops, when it's dropping packets, and by what rule or lack of rules they were dropped. Not all the time obviously, it would fill up the logs, but when I need to debug something.
bluedevils Apprentice
Joined: 21 Jul 2004 Posts: 252 Location: Vancouver BC -> NYC, NY
Posted: Mon May 01, 2006 5:40 pm Post subject:
Yeah, adding logging in iptables was the next thing I was going to suggest.
bluedevils Apprentice
Joined: 21 Jul 2004 Posts: 252 Location: Vancouver BC -> NYC, NY
Posted: Mon May 01, 2006 6:03 pm Post subject:
There are plenty of examples on the net; here's one at http://www.brandonhutchinson.com/iptables_fw.html
Quote:
# Create a LOGDROP chain to log and drop packets
/sbin/iptables -N LOGDROP
/sbin/iptables -A LOGDROP -j LOG
/sbin/iptables -A LOGDROP -j DROP
# Drop all other traffic
/sbin/iptables -A INPUT -j LOGDROP
You may also want to configure the --log-level to log dropped packets to a separate file instead of /var/log/messages:
# --log-level is an option of the LOG target, so it goes on the LOG rule inside LOGDROP, not on the jump to LOGDROP
/sbin/iptables -A LOGDROP -j LOG --log-level debug
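The other half of the LOGDROP setup, as an added example that is not from the thread or the linked page: give each chain's LOG rule its own --log-prefix (for instance "LOGDROP-INPUT: " and "LOGDROP-FWD: "), then parse the kernel log lines it produces to see which chain dropped what, when, and for which service. The log lines below are constructed for this example; the parser assumes only the standard LOG record fields (IN=, OUT=, SRC=, DST=, PROTO=, DPT=), and the port-to-service table is a small hand-picked one.

```python
import re
from collections import Counter

# Constructed sample of what "-j LOG --log-prefix 'LOGDROP-INPUT: '" rules write to syslog.
SAMPLE_LOG = """\
May  1 16:21:03 gw kernel: LOGDROP-INPUT: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.1.7 DST=10.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
May  1 16:21:04 gw kernel: LOGDROP-INPUT: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:66:77:88:99:aa:bb:08:00 SRC=10.1.1.7 DST=10.1.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=137 DPT=137 LEN=58
May  1 16:21:05 gw kernel: LOGDROP-INPUT: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.1.7 DST=10.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40002 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
May  1 16:21:09 gw kernel: LOGDROP-FWD: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.1.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=55555 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
May  1 16:21:10 gw kernel: LOGDROP-INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
"""

# Everything between "kernel: " and "IN=" is the --log-prefix; SPT/DPT are absent for ICMP.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>.*?)IN=(?P<in>\S*) OUT=(?P<out>\S*)"
    r" .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)

# Hand-picked ports the thread cares about; anything else is reported as PROTO/port.
SERVICES = {("TCP", 22): "ssh", ("TCP", 139): "netbios-ssn (samba)", ("TCP", 445): "microsoft-ds (samba)",
            ("UDP", 137): "netbios-ns (samba)", ("UDP", 138): "netbios-dgm (samba)", ("UDP", 53): "domain"}

def parse_log_line(line):
    """Return a dict for one LOG record, or None if the line is not an iptables LOG line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prefix"] = rec["prefix"].rstrip(": ")   # "LOGDROP-INPUT: " -> "LOGDROP-INPUT"
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec

def summarize(text):
    """Count dropped packets per (log prefix = which chain's LOGDROP, input interface, service)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        fallback = rec["proto"] if rec["dpt"] is None else f"{rec['proto']}/{rec['dpt']}"
        svc = SERVICES.get((rec["proto"], rec["dpt"]), fallback)
        counts[(rec["prefix"], rec["in"], svc)] += 1
    return counts

def report(text):
    """Human-readable lines, most-dropped first: which rule dropped what, on which interface."""
    return [f"{n:4d}  {prefix:<14} in={iface:<5} {svc}"
            for (prefix, iface, svc), n in summarize(text).most_common()]
```

Putting `-m limit --limit 5/min` on the LOG rule keeps a flood of drops from filling the logs, which is the objection raised earlier in the thread.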
Corona688 Veteran
Joined: 10 Jan 2004 Posts: 1204
Posted: Mon May 01, 2006 6:05 pm Post subject:
So there's no way to log iptables except to build logging into all your rules? Seriously? For someone who's trying to debug their existing rules this seems to totally defeat the point... and what if something goes wrong in your logging rules? How do you debug-log the debug-logging rules of the logged logging logger rules? Can you tell I hate iptables yet...
bluedevils Apprentice
Joined: 21 Jul 2004 Posts: 252 Location: Vancouver BC -> NYC, NY
Posted: Mon May 01, 2006 6:53 pm Post subject:
As you inferred before, it's hard to see packet bouncing when you are behind the firewall. I assume you are on a switched network, which means the only way I know you can readily troubleshoot is to tap into your line (place a hub between computer and switch) and run tcpdump there.
expat_iain Guru
Joined: 09 Jan 2004 Posts: 361 Location: Malta GC
Posted: Tue May 02, 2006 10:32 am Post subject:
You can get stats for the rules with counters, enabling you to view where a packet was caught using:
Of course, using this in addition to a log-all-and-drop rule at the end of your chains should provide you with enough information to be able to track the source of your problem.
Regs.
Iain.
Corona688 Veteran
Joined: 10 Jan 2004 Posts: 1204
Posted: Tue May 02, 2006 2:25 pm Post subject:
OK. The first step to solving this was to admit to myself that I don't know enough about iptables. Building a firewall with that is like trying to program an OS in assembly language...
Second step, "emerge firehol". I got that going in half an hour, samba, vnc, vpn, everything.
expat_iain Guru
Joined: 09 Jan 2004 Posts: 361 Location: Malta GC
Posted: Tue May 02, 2006 2:51 pm Post subject:
Firewalls are easy.
Programming is hard.
Assembly is simply masochism.
Corona688 Veteran
Joined: 10 Jan 2004 Posts: 1204
Posted: Tue May 02, 2006 2:55 pm Post subject:
expat_iain wrote:
Firewalls are easy.
Programming is hard.
Assembly is simply masochism.
Heh, I've done all three and assembly's easier than iptables. Or maybe I just suck at it.