Re: [gentoo-user] iptables firewall+nat problem
> --- Simon_Kühling [EMAIL PROTECTED] wrote:
> > > I wonder if your firewall is blocking ping scans. Disable the firewall and see if you can ping google.
> >
> > well, you are right - disabling the firewall makes ping work again. maybe it is easier to build my own script from scratch instead of using the one from gentoo-security-guide.
>
> If you insist. You're making a lot of extra work for yourself. Shorewall already has all of the scripts that you need. All you need to do is simply modify them. Trust me. Try it, and you will understand. If you don't like it, go back to writing everything from scratch.
>
> http://www.shorewall.net

ok, shorewall really seems to be quite popular in here :) so i should give it a try

  # emerge shorewall
  ...

thanks for help so far!
simon

-- 
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables firewall+nat problem
On Sunday 02 Nov 2003 13:28, Simon Kühling wrote:
> ok, shorewall really seems to be quite popular in here :) so i should give it a try
>
>   # emerge shorewall

Really?? I tried it when I was using Mandrake and didn't like it. What worked for me was the IP-Masquerade-HOWTO.html. With that I do feel in control of things.

  $ qpkg -f /usr/share/doc/howto/html-single/IP-Masquerade-HOWTO.html
  app-doc/howto-html-single *

Peter
-- 
== Portage 2.0.49-r15 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r1, 2.4.23_pre8-gss) i686 AMD Athlon(tm) XP 3200+ ==
Re: [gentoo-user] iptables firewall+nat problem
--- Simon_Kühling [EMAIL PROTECTED] wrote:
> > http://www.shorewall.net
>
> ok, shorewall really seems to be quite popular in here :) so i should give it a try
>
>   # emerge shorewall

Hi Simon,

Like anything new, you will need to get familiar with Shorewall's web site, which is top notch. The other thing that you will want to do is join their mailing list. The person who writes Shorewall does a very expert job at responding to users' questions in an amazingly short time frame on this list.

I found that with Shorewall in place I was able to garner immediate satisfaction of having a fully functional stateful firewall in place. Once everything was up and running, then I took the time to learn what was going on under the hood, so to say. Just because you're running Shorewall doesn't mean that you're not going to understand what's running under the hood. I happened to learn iptables a lot faster with Shorewall installed and running, using its various diagnostic iptables tools. So if anyone tries to mislead you into thinking that you won't understand iptables with Shorewall installed, that would be false. You still have control over iptables in the raw, under-the-hood style if you wish. Shorewall just allows you immediate simplification of setting up zones, policies, rules, masquerading, and port forwarding, to name a few.

Joshua Banks
[gentoo-user] iptables firewall+nat problem
hi everyone,

i'm trying to get my gentoo box running as a firewall and nat-router for my home-network. therefore i took the iptables-example script as seen in the gentoo security guide (http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12) and modified it a little. the server is able to establish an adsl-connection and lynx has no prob to surf the net. the firewall script is started and from inside the network i can easily access the server (192.168.0.1) via ssh, but there's no response to pings from e.g. 192.168.0.121. the server itself is not able to make pings and gets a strange error message:

***
tux root # ping www.google.com
PING www.google.akadns.net (216.239.59.99) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- www.google.akadns.net ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
***

my firewallscript is attached to this mail. i do not see a mistake or something in that script. btw another strange behavior: yesterday the nat routing suddenly ran for about 10 minutes without changing the script (as i can remember).

i am thankful for every little hint :)
simon

  #!/sbin/runscript

  IPTABLES=/sbin/iptables
  IPTABLESSAVE=/sbin/iptables-save
  IPTABLESRESTORE=/sbin/iptables-restore
  FIREWALL=/etc/firewall.rules
  DNS1=145.253.2.11
  DNS2=145.253.2.75
  #inside
  IINTERFACE=eth0
  #outside
  OINTERFACE=ppp0

  opts="${opts} showstatus panic save restore showoptions rules"

  depend() {
    need net procparam
  }

  rules() {
    stop
    ebegin "Setting internal rules"

    einfo "Setting default rule to drop"
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP

    #default rule
    einfo "Creating states chain"
    $IPTABLES -N allowed-connection
    $IPTABLES -F allowed-connection
    $IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix "Bad packet from ${IINTERFACE}:"
    $IPTABLES -A allowed-connection -j DROP

    #ICMP traffic
    einfo "Creating icmp chain"
    $IPTABLES -N icmp_allowed
    $IPTABLES -F icmp_allowed
    $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
    $IPTABLES -A icmp_allowed -p icmp -j DROP

    #Incoming traffic
    einfo "Creating incoming ssh traffic chain"
    $IPTABLES -N allow-ssh-traffic-in
    $IPTABLES -F allow-ssh-traffic-in
    #Flood protection
    $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport ssh -j ACCEPT
    $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport ssh -j ACCEPT
    $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT
    $IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT

    #outgoing traffic
    einfo "Creating outgoing ssh traffic chain"
    $IPTABLES -N allow-ssh-traffic-out
    $IPTABLES -F allow-ssh-traffic-out
    $IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT

    einfo "Creating outgoing dns traffic chain"
    $IPTABLES -N allow-dns-traffic-out
    $IPTABLES -F allow-dns-traffic-out
    $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain -j ACCEPT
    $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain -j ACCEPT

    einfo "Creating outgoing http/https traffic chain"
    $IPTABLES -N allow-www-traffic-out
    $IPTABLES -F allow-www-traffic-out
    $IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT
    $IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT

    #Catch portscanners
    einfo "Creating portscan detection chain"
    $IPTABLES -N check-flags
    $IPTABLES -F check-flags
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
    $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
    $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST
Re: [gentoo-user] iptables firewall+nat problem
Simon,

Save yourself a lot of time and headache and download

  emerge -p shorewall

Shorewall firewall. IPtables made easy. This site is well maintained, has a great mailing list and awesome, easy to follow FAQs for standalone workstation, 2 NICs and 3 NIC setup with DMZ. Shorewall is very lightweight and is a full featured stateful packet filtering firewall that uses a series of simple shell scripts to take all the (masochistic fun) out of configuring iptables line by line, word by word.

http://www.shorewall.net

Unless you're trying to learn iptables of course.. Heh. :P

JBanks

--- Simon_Kühling [EMAIL PROTECTED] wrote:
> hi everyone,
>
> i'm trying to get my gentoo box running as a firewall and nat-router for my home-network. therefore i took the iptables-example script as seen in the gentoo security guide (http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12) and modified it a little. the server is able to establish an adsl-connection and lynx has no prob to surf the net. the firewall script is started and from inside the network i can easily access the server (192.168.0.1) via ssh, but there's no response to pings from e.g. 192.168.0.121. the server itself is not able to make pings and gets a strange error message:
>
> ***
> tux root # ping www.google.com
> PING www.google.akadns.net (216.239.59.99) 56(84) bytes of data.
> ping: sendmsg: Operation not permitted
> ping: sendmsg: Operation not permitted
> ping: sendmsg: Operation not permitted
>
> --- www.google.akadns.net ping statistics ---
> 3 packets transmitted, 0 received, 100% packet loss, time 2000ms
> ***
>
> my firewallscript is attached to this mail. i do not see a mistake or something in that script. btw another strange behavior: yesterday the nat routing suddenly ran for about 10 minutes without changing the script (as i can remember).
>
> i am thankful for every little hint :)
> simon
Re: [gentoo-user] iptables firewall+nat problem
I wonder if your firewall is blocking ping scans. Disable the firewall and see if you can ping google.

In my firewall, I do:

  # Block ping scans
  iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
  # ... but not coming from our LAN
  iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP
  iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

On Saturday 01 November 2003 06:15 am, Simon Kühling wrote:
> hi everyone,
>
> i'm trying to get my gentoo box running as a firewall and nat-router for my home-network.

-- 
Stephen
From here to there and there to here, funny things are everywhere. -- Dr Seuss
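The visible part of Simon's script sets the OUTPUT policy to DROP and its icmp_allowed chain accepts only time-exceeded and destination-unreachable, which is exactly what turns the router's own ping into "sendmsg: Operation not permitted"; Stephen's rules, by contrast, drop echo-request only on INPUT. The following is an added example (not code from the thread or the Gentoo guide) that shows the corrected ICMP handling as a dry-run script plus an offline check over iptables-save output; the chain name icmp-out, the interface defaults and the sample ruleset are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's code. Dry run by default: every rule is echoed.
# Run as root with IPTABLES=/sbin/iptables to apply it for real.
IPTABLES="${IPTABLES:-echo iptables}"
IINTERFACE="${IINTERFACE:-eth0}"   # LAN side, as in the posted script
OINTERFACE="${OINTERFACE:-ppp0}"   # ADSL side, as in the posted script

# Let the router and the LAN ping out, keep Internet echo-requests dropped
# (Stephen's "block ping scans"), and carry the replies over conntrack so
# echo-reply never needs an ACCEPT of its own. Chain name icmp-out is assumed.
icmp_rules() {
    $IPTABLES -N icmp-out
    $IPTABLES -F icmp-out
    $IPTABLES -A icmp-out -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    $IPTABLES -A icmp-out -p icmp -j LOG --log-prefix "Bad ICMP out: "
    $IPTABLES -A icmp-out -p icmp -j DROP
    # state rule first on every built-in chain; the posted script's OUTPUT DROP has no equivalent
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$OINTERFACE" -p icmp -j icmp-out
    $IPTABLES -A FORWARD -i "$IINTERFACE" -o "$OINTERFACE" -p icmp -j icmp-out
    # LAN hosts may still ping the router's inside address (192.168.0.1)
    $IPTABLES -A INPUT -i "$IINTERFACE" -p icmp --icmp-type echo-request -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$OINTERFACE" -j MASQUERADE
}

# Offline check over "iptables-save" output (file argument or stdin): report the
# combination behind "sendmsg: Operation not permitted" on the router's own ping,
# an OUTPUT policy of DROP with no rule accepting echo-request (type 8) anywhere.
# Heuristic: it does not follow chain jumps. Exit 0 = ping is blocked this way.
ping_blocked_by_output_policy() {
    ruleset=$(cat "${1:-/dev/stdin}")
    printf '%s\n' "$ruleset" | grep -q '^:OUTPUT DROP' || return 1
    printf '%s\n' "$ruleset" | grep -Eq -- '--icmp-type (8|echo-request) .*-j ACCEPT' && return 1
    return 0
}

# Constructed iptables-save excerpt mirroring the posted script's visible ICMP rules.
SAMPLE_BROKEN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:icmp_allowed - [0:0]
-A icmp_allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
-A icmp_allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
-A icmp_allowed -p icmp -j DROP
COMMIT'
printf '%s\n' "$SAMPLE_BROKEN" | ping_blocked_by_output_policy && echo "router's own ping would be refused"
```

Run it against a live box with `iptables-save | sh -c '. ./icmp-check.sh; ping_blocked_by_output_policy'` to test the real ruleset instead of the constructed sample.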
Re: [gentoo-user] iptables firewall+nat problem
> I wonder if your firewall is blocking ping scans. Disable the firewall and see if you can ping google.

well, you are right - disabling the firewall makes ping work again. maybe it is easier to build my own script from scratch instead of using the one from gentoo-security-guide.

> In my firewall, I do:
>
>   # Block ping scans
>   iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
>   # ... but not coming from our LAN
>   iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP
>   iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

ok, thanks for the hint!
simon
RE: [gentoo-user] iptables firewall+nat problem
gshield and shorewall can build you a firewall.. I prefer gshield myself.

> > I wonder if your firewall is blocking ping scans. Disable the firewall and see if you can ping google.
>
> well, you are right - disabling the firewall makes ping work again. maybe it is easier to build my own script from scratch instead of using the one from gentoo-security-guide.
>
> > In my firewall, I do:
> >
> >   # Block ping scans
> >   iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
> >   # ... but not coming from our LAN
> >   iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP
> >   iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
Re: [gentoo-user] iptables firewall+nat problem
--- Simon_Kühling [EMAIL PROTECTED] wrote:
> > I wonder if your firewall is blocking ping scans. Disable the firewall and see if you can ping google.
>
> well, you are right - disabling the firewall makes ping work again. maybe it is easier to build my own script from scratch instead of using the one from gentoo-security-guide.

If you insist. You're making a lot of extra work for yourself. Shorewall already has all of the scripts that you need. All you need to do is simply modify them. Trust me. Try it, and you will understand. If you don't like it, go back to writing everything from scratch.

http://www.shorewall.net

JBanks
Re: [gentoo-user] iptables firewall+nat problem
I have been running my own personally developed IPTABLES ruleset since I converted from ipchains to iptables. My topology is pretty simple:

  WAN (cable modem) --- eth1 [FW] eth0 --- [HUB] -- [LAN boxes]

Note that I am forwarding port 25 from the FW to an internet mail server.

This thread caused me to take a closer look at both shorewall, and gshield (I think it was). I actually emerged shorewall, and attempted to configure it. In the end I found it more confusing than my own custom built script, which I have pretty extensively tested (and which I will be happy to share if any one is interested). Frankly, I like understanding what is going on under the covers... so I unmerged shorewall, and went back to using my script.

On Sat, 2003-11-01 at 19:17, Joshua Banks wrote:
> --- Simon_Kühling [EMAIL PROTECTED] wrote:
> > > I wonder if your firewall is blocking ping scans. Disable the firewall and see if you can ping google.
> >
> > well, you are right - disabling the firewall makes ping work again. maybe it is easier to build my own script from scratch instead of using the one from gentoo-security-guide.
>
> If you insist. You're making a lot of extra work for yourself. Shorewall already has all of the scripts that you need. All you need to do is simply modify them. Trust me. Try it, and you will understand. If you don't like it, go back to writing everything from scratch.
>
> http://www.shorewall.net
>
> JBanks

-- 
Lincoln A. Baxter [EMAIL PROTECTED]