I've not really used monmotha's script, forwarding to him...

--Ray

I've followed Warren's walkthrough of MonMotha's firewall script found at
<http://www.mplug.org/phpwiki/index.php/BasicFirewallRouter>.
I installed the script on a computer running Red Hat 7.3. The only change I made
was that I used 192.168.1.1 instead of 192.168.0.1 for the firewall LAN gateway
address (eth1), because I have an existing Linksys router that had been using
that address and all my clients are already set up that way; I don't want to
have to reconfigure 17 computers when I swap my dedicated firewall for my
router.

I can't get the firewall talking to the WAN at all. After I run the script,
I can't get the LAN to ping the firewall.

When I try to ping anything on the WAN from the firewall I get "network is not
reachable." This is true even before I run the firewall script, so there are
no rules and the default is "accept". I have set up the firewall with the same IP
number and gateway that the router had, I've disconnected the router from both
the WAN and the LAN, and hooked in the firewall instead.

I tested the cables. I tested the two ethernet cards. I reconfigured a client
to use the WAN address as a gateway and plugged it into the WAN NIC with a
crossover cable; the client was able to ping the firewall on eth0.

I am able to ping the firewall from the LAN before running the script. After
running the script, the firewall no longer answers ping. Is this what I should
expect?

Could Red Hat 7.3 have ipchains running by default and messing me up?

Could the IP# change matter? (Warren's walkthrough says to use 192.168.0.1 as
eth1's IP#, the gateway address for the LAN; I used 192.168.1.1 instead.) I tried
to set the firewall up to be identical to the router it replaces: same gateway,
same IP#. The LED shows activity on the card attached to the WAN.
Could the MAC change when I switch from the router to the firewall be confusing
my gateway so that it refuses to speak to me? I am at UH, not using an ISP.

Could there be a delay before things start working? When I switch things back,
it always takes a while before the router starts working again.

There is some stuff in the walk-through about the PCI slots using bus mastering.
I have no idea what this is about; could that be causing my problem?

How can I tell whether IP forwarding is enabled and working? (That's how the
packets get between the LAN NIC and the WAN NIC, right? I see it in the script
output, but is there an explicit test?)

Since I can't reach the network even before I run the script, the script doesn't
seem to be the entire problem. But for what it's worth, here is the output when
I run the script:

******************************
Loading iptables firewall:
Checking configuration...passed
Performing TCP_ALLOW and UDP_ALLOW alias preprocessing...done
Checking IP Forwarding...enabled.
Checking IP SynCookies...disabled.
Checking Route Verification...activated:eth0 activated:eth1
Refusing SSR Packets via SysCtl...activated:eth0 activated:eth1
Flush: INPUT OUTPUT1 FORWARD PREROUTING1 OUTPUT2 POSTROUTING PREROUTING2 OUTPUT3
Creating chains: INETIN INETOUT DMZIN DMZOUT TCPACCEPT UDPACCEPT LDROP LREJECT TREJECT LTREJECT
Default Policies: INPUT:DROP OUTPUT:ACCEPT FORWARD:DROP
Setting up drop chains chains: LDROP LREJECT TREJECT LTREJECT
Setting up per-proto ACCEPT: TCPACCEPT UDPACCEPT
TREJECTing invalid packets...done
Setting up INET chains: INETIN INETOUT
Local Traffic Rules: 192.168.0.0/24:ACCEPT 192.168.1.0/24:ACCEPT loopback:ACCEPT
Setting up masquerading: 192.168.0.0/24:MASQUERADE 192.168.1.0/24:MASQUERADE
TREJECTing ICMP messages specified in BAD_ICMP...5 9 10 15 16 17 18
Flood limiting: ICMP-PING
Allowing the rest of the ICMP messages in...done
Hostwise TCP Allows: 0/0>22
Hostwise UDP Allows: 0/0>68 0/0>6112 0/0>6119 0/0>4000
Allowing established outbound connections back in...done
Allowing related inbound connections...done
Setting up INET policies: INETIN:TREJECT INETOUT:ACCEPT
Done loading the firewall!
**********************************

These don't look like errors to me. What does "192.168.1.0/24:ACCEPT" in the
local traffic rules mean? Is anything from a machine on the 192.168.1 subnet
accepted?

Here is the output from iptables -L after running the script:

*******************************
Chain INPUT (policy DROP)
target     prot opt source               destination
INETIN     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.0.0/24       anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
INETIN     all  --  anywhere             anywhere
INETOUT    all  --  anywhere             anywhere
ACCEPT     all  --  192.168.0.0/24       anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
INETOUT    all  --  anywhere             anywhere

Chain DMZIN (0 references)
target     prot opt source               destination

Chain DMZOUT (0 references)
target     prot opt source               destination

Chain INETIN (2 references)
target     prot opt source               destination
TREJECT    all  --  anywhere             anywhere           state INVALID
TREJECT    icmp --  anywhere             anywhere           icmp redirect
TREJECT    icmp --  anywhere             anywhere           icmp router-advertisement
TREJECT    icmp --  anywhere             anywhere           icmp router-solicitation
TREJECT    icmp --  anywhere             anywhere           icmp type 15
TREJECT    icmp --  anywhere             anywhere           icmp type 16
TREJECT    icmp --  anywhere             anywhere           icmp address-mask-request
TREJECT    icmp --  anywhere             anywhere           icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere           icmp echo-request limit: avg 1/sec burst 5
TREJECT    icmp --  anywhere             anywhere           icmp echo-request
ACCEPT     icmp --  anywhere             anywhere           icmp !echo-request
TCPACCEPT  tcp  --  anywhere             anywhere           tcp dpt:ssh
UDPACCEPT  udp  --  anywhere             anywhere           udp dpt:bootpc
UDPACCEPT  udp  --  anywhere             anywhere           udp dpt:6112
UDPACCEPT  udp  --  anywhere             anywhere           udp dpt:6119
UDPACCEPT  udp  --  anywhere             anywhere           udp dpt:4000
ACCEPT     all  --  anywhere             anywhere           state ESTABLISHED
TCPACCEPT  tcp  --  anywhere             anywhere           tcp dpts:1024:65535 state RELATED
UDPACCEPT  udp  --  anywhere             anywhere           udp dpts:1024:65535 state RELATED
TREJECT    all  --  anywhere             anywhere

Chain INETOUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain LDROP (0 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `TCP Dropped '
LOG        udp  --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `UDP Dropped '
LOG        icmp --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `ICMP Dropped '
LOG        all  -f  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Dropped '
DROP       all  --  anywhere             anywhere

Chain LREJECT (0 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `TCP Rejected '
LOG        udp  --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `UDP Rejected '
LOG        icmp --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `ICMP Rejected '
LOG        all  -f  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Rejected '
REJECT     all  --  anywhere             anywhere           reject-with icmp-port-unreachable

Chain LTREJECT (0 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `TCP Rejected '
LOG        udp  --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `UDP Rejected '
LOG        icmp --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `ICMP Rejected '
LOG        all  -f  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Rejected '
REJECT     tcp  --  anywhere             anywhere           reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere           reject-with icmp-port-unreachable
DROP       icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere           reject-with icmp-port-unreachable

Chain TCPACCEPT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN limit: avg 20/sec burst 5
LOG        tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN limit: avg 2/sec burst 5 LOG level warning prefix `Possible SynFlood '
TREJECT    tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere           tcp flags:!SYN,RST,ACK/SYN
LOG        all  --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level warning prefix `Mismatch in TCPACCEPT '
TREJECT    all  --  anywhere             anywhere

Chain TREJECT (13 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere           reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere           reject-with icmp-port-unreachable
DROP       icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere           reject-with icmp-port-unreachable

Chain UDPACCEPT (5 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level warning prefix `Mismatch on UDPACCEPT '
TREJECT    all  --  anywhere             anywhere
*************************

That doesn't really look right to me, but I don't claim to understand it at
all.

Devastated Dave
_______________________________________________
LUAU mailing list
[EMAIL PROTECTED]
http://videl.ics.hawaii.edu/mailman/listinfo/luau
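The post asks three checkable things: whether IP forwarding is on, whether ipchains is loaded on a Red Hat 7.3 box that is supposed to run iptables, and what the INPUT chain actually says about hosts on 192.168.1.0/24; "network is not reachable" before any rules are loaded also points at the routing table rather than the filter. The script below is an added example written for this page; it is not part of MonMotha's script, the walkthrough, or the LUAU thread. It assumes the standard Linux locations and output formats of /proc/sys/net/ipv4/ip_forward, lsmod, route -n and iptables -L -n, and the sample outputs embedded in it are constructed to resemble the post, not captured from Dave's machine.

```shell
#!/bin/sh
# Added example (not from MonMotha's script or the LUAU thread): read-only checks
# for the questions in the post above.  Assumed formats: /proc/sys/net/ipv4/ip_forward,
# `lsmod`, `route -n`, `iptables -L -n`.  Sample outputs are constructed, not captured.

SAMPLE_LSMOD='Module                  Size  Used by    Not tainted
ipchains               41160   0  (autoclean)
8139too                17192   2'

SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo'

SAMPLE_IPTABLES='Chain INPUT (policy DROP)
target     prot opt source               destination
INETIN     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
INETIN     all  --  0.0.0.0/0            0.0.0.0/0'

# 1. Is IP forwarding switched on?  Prints enabled / disabled / unknown.  The file
#    path is a parameter so the same check can be run on a saved copy of the sysctl.
ip_forward_state() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || { echo unknown; return 2; }
    case "$(cat "$f")" in
        1) echo enabled;  return 0 ;;
        *) echo disabled; return 1 ;;
    esac
}

# 2. Which packet-filter module is loaded?  Reads `lsmod` output on stdin and prints
#    ipchains / ip_tables / both / none.  On a 2.4 kernel ipchains and ip_tables are
#    mutually exclusive: while ipchains is loaded, iptables rules cannot be installed.
filter_module() {
    chains=0; tables=0
    while read -r name rest || [ -n "$name" ]; do
        case "$name" in
            ipchains)  chains=1 ;;
            ip_tables) tables=1 ;;
        esac
    done
    if   [ "$chains" = 1 ] && [ "$tables" = 1 ]; then echo both
    elif [ "$chains" = 1 ]; then echo ipchains
    elif [ "$tables" = 1 ]; then echo ip_tables
    else echo none; fi
}

# 3. Is there a default route?  Reads `route -n` output on stdin and prints the
#    gateway of the 0.0.0.0 entry, or "none".  Without a default route the kernel
#    reports "Network is unreachable" for any off-link address, whatever iptables does.
default_gateway() {
    while read -r dest gw rest || [ -n "$dest" ]; do
        if [ "$dest" = 0.0.0.0 ]; then echo "$gw"; return 0; fi
    done
    echo none; return 1
}

# 4. What does the INPUT chain say about a source network?  Reads `iptables -L -n`
#    output on stdin and prints the target of the first INPUT rule whose source column
#    equals the given network, or the chain policy when none does.  A reading aid only:
#    a jump earlier in the chain (INETIN here) runs first and may already have rejected.
input_verdict_for() {
    net="$1"; in_input=0; policy=""
    while read -r c1 c2 c3 c4 rest || [ -n "$c1" ]; do
        [ -n "$c1" ] || continue                      # blank line between chains
        case "$c1" in
            Chain)  if [ "$c2" = INPUT ]; then
                        in_input=1; policy="${c4%)}"  # "DROP)" -> "DROP"
                    else in_input=0; fi
                    continue ;;
            target) continue ;;                       # column header
        esac
        if [ "$in_input" = 1 ] && [ "$c4" = "$net" ]; then echo "$c1"; return 0; fi
    done
    echo "$policy"
}

# Demo against the constructed samples.  On the router itself the live calls are:
#   ip_forward_state; lsmod | filter_module; route -n | default_gateway;
#   iptables -L INPUT -n | input_verdict_for 192.168.1.0/24
echo "ip_forward (this host):         $(ip_forward_state)"
echo "filter module (sample):         $(printf '%s\n' "$SAMPLE_LSMOD" | filter_module)"
echo "default gateway (sample):       $(printf '%s\n' "$SAMPLE_ROUTE" | default_gateway)"
echo "INPUT, 192.168.1.0/24 (sample): $(printf '%s\n' "$SAMPLE_IPTABLES" | input_verdict_for 192.168.1.0/24)"
```

Each function reads the command output on stdin, so the same code works on a live box and on output pasted from a message like this one. Against the constructed samples it reports ipchains loaded, no default gateway, and ACCEPT for 192.168.1.0/24 in INPUT; a source network that matches no rule falls through to the chain policy, DROP.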

