AW: [gentoo-user] iptables firewall+nat problem

2003-11-02 Thread Simon Kühling
 --- Simon_Kühling [EMAIL PROTECTED] wrote:
   I wonder if your firewall is blocking ping scans. Disable the
   firewall and see 
   if you can ping google.
  
  well, you are right - disabling the firewall makes ping work again. 
  maybe it is easier to build my own script from scratch instead of 
  using the one from gentoo-security-guide.
 
 If you insist. You're making a lot of extra work for yourself. 
 Shorewall already has all of the scripts that you need. All 
 you need to do is simply modify them. Trust me. Try it, and 
 you will understand. If you don't like it go back to writing 
 everything from scratch. 
 
 http://www.shorewall.net

ok, shorewall really seems to be quite popular in here :) so i should
give it a try
# emerge shorewall

...

thanks for help so far!
simon


--
[EMAIL PROTECTED] mailing list



Re: AW: [gentoo-user] iptables firewall+nat problem

2003-11-02 Thread Peter Ruskin
On Sunday 02 Nov 2003 13:28, Simon Kühling wrote:
 ok, shorewall really seems to be quite popular in here :) so i should
 give it a try
 # emerge shorewall

Really??  I tried it when I was using Mandrake and didn't like it.

What worked for me was the IP-Masquerade-HOWTO.html.  With that I do 
feel in control of things.

$ qpkg -f /usr/share/doc/howto/html-single/IP-Masquerade-HOWTO.html
app-doc/howto-html-single *

Peter
-- 
==
Portage 2.0.49-r15 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r1, 
2.4.23_pre8-gss)
i686 AMD Athlon(tm) XP 3200+
==





Re: AW: [gentoo-user] iptables firewall+nat problem

2003-11-02 Thread Joshua Banks

--- Simon_Kühling [EMAIL PROTECTED] wrote:

  http://www.shorewall.net
 
 ok, shorewall really seems to be quite popular in here :) so i should
 give it a try
 # emerge shorewall

Hi Simon,

Like anything new, you will need to get familiar with Shorewall's web
site, which is top notch.
The other thing that you will want to do is join their mailing list.
The person who writes Shorewall does a very expert job at responding to
users' questions in an amazingly short time frame on this list.

I found that with Shorewall in place I was able to garner immediate
satisfaction of having a fully functional stateful firewall in place.
Once everything was up and running, then I took the time to learn what
was going on under the hood, so to say. Just because you're running
Shorewall doesn't mean that you're not going to understand what's running
under the hood. I happened to learn iptables a lot faster with
Shorewall installed and running using its various diagnostic iptables
tools.

So if anyone tries to mislead you into thinking that you won't
understand iptables with Shorewall installed, that would be false. You
still have control over iptables in the raw, under-the-hood style if you
wish. Shorewall just allows you immediate simplification of setting up
zones, policies, rules, masquerading, and port forwarding, to name a few.

Joshua Banks




[gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Simon Kühling
hi everyone,

i'm trying to get my gentoo box running as a firewall and nat-router for
my home-network. therefore i took the iptables-example script as seen in
the gentoo security guide
(http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12) and
modified it a little.

the server is able to establish an adsl-connection and lynx has no prob
to surf the net. the firewall script is started and from inside the
network i can easily access the server (192.168.0.1) via ssh, but there's
no response to pings from e.g. 192.168.0.121. the server itself is not
able to make pings and gets a strange error message:

***
tux root # ping www.google.com
PING www.google.akadns.net (216.239.59.99) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- www.google.akadns.net ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
***


my firewall script is attached to this mail.
i do not see a mistake or something in that script.
btw another strange behavior: yesterday the nat routing suddenly ran for
about 10 minutes without changing the script (as far as i can remember).

i am thankful for every little hint :)

simon
#!/sbin/runscript
IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
FIREWALL=/etc/firewall.rules
DNS1=145.253.2.11
DNS2=145.253.2.75
#inside
IINTERFACE=eth0
#outside
OINTERFACE=ppp0

opts="${opts} showstatus panic save restore showoptions rules"

depend() {
  need net procparam
}

rules() {
  stop
  ebegin "Setting internal rules"

  einfo "Setting default rule to drop"
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P INPUT   DROP
  $IPTABLES -P OUTPUT  DROP

  #default rule
  einfo "Creating states chain"
  $IPTABLES -N allowed-connection
  $IPTABLES -F allowed-connection
  $IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix "Bad packet from ${IINTERFACE}:"
  $IPTABLES -A allowed-connection -j DROP

  #ICMP traffic
  #only these two ICMP types are accepted; everything else, echo-request and
  #echo-reply included, is logged and dropped at the end of the chain
  einfo "Creating icmp chain"
  $IPTABLES -N icmp_allowed
  $IPTABLES -F icmp_allowed
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
  $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
  $IPTABLES -A icmp_allowed -p icmp -j DROP

  #Incoming traffic
  einfo "Creating incoming ssh traffic chain"
  $IPTABLES -N allow-ssh-traffic-in
  $IPTABLES -F allow-ssh-traffic-in
  #Flood protection
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT

  #outgoing traffic
  einfo "Creating outgoing ssh traffic chain"
  $IPTABLES -N allow-ssh-traffic-out
  $IPTABLES -F allow-ssh-traffic-out
  $IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT

  einfo "Creating outgoing dns traffic chain"
  $IPTABLES -N allow-dns-traffic-out
  $IPTABLES -F allow-dns-traffic-out
  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain -j ACCEPT
  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain -j ACCEPT

  einfo "Creating outgoing http/https traffic chain"
  $IPTABLES -N allow-www-traffic-out
  $IPTABLES -F allow-www-traffic-out
  $IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT
  $IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT

  #Catch portscanners
  einfo "Creating portscan detection chain"
  $IPTABLES -N check-flags
  $IPTABLES -F check-flags
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST
  #(the attachment is cut off here in the list archive)

Re: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Joshua Banks
Simon,
Save yourself a lot of time and headache and download (emerge -p
shorewall) the Shorewall firewall. IPtables made easy. This site is well
maintained, has a great mailing list and awesome easy-to-follow FAQs
for standalone workstation, 2 NICs and 3 NIC setup with DMZ. 

Shorewall is very lightweight and is a full-featured stateful packet
filtering firewall that uses a series of simple shell scripts to take
all the (masochistic fun) out of configuring iptables line by line, word
by word.

http://www.shorewall.net

Unless you're trying to learn iptables of course.. Heh. :P

JBanks
--- Simon_Kühling [EMAIL PROTECTED] wrote:
 hi everyone,
 
 i'm trying to get my gentoo box running as a firewall and nat-router
 for
 my home-network. therefore i took the iptables-example script as seen
 in
 the gentoo security guide
 (http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12) and
 modified it a little.
 
 the server is able to establish an adsl-connection and lynx has no
 prob
 to surf the net. the firewall script is started and from inside the
 network i can easily access the server (192.168.0.1) via ssh, but
 there's
 no response to pings from e.g. 192.168.0.121. the server itself is
 not
 able to make pings and gets a strange error message:
 
 ***
   tux root # ping www.google.com
   PING www.google.akadns.net (216.239.59.99) 56(84) bytes of data.
   ping: sendmsg: Operation not permitted
   ping: sendmsg: Operation not permitted
   ping: sendmsg: Operation not permitted
 
   --- www.google.akadns.net ping statistics ---
   3 packets transmitted, 0 received, 100% packet loss, time 2000ms
 ***
 
 
 my firewall script is attached to this mail.
 i do not see a mistake or something in that script.
 btw another strange behavior: yesterday the nat routing suddenly ran
 for
 about 10 minutes without changing the script (as far as i can remember).
 
 i am thankful for every little hint :)
 
 simon

Re: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Stephen Boulet
I wonder if your firewall is blocking ping scans. Disable the firewall and see 
if you can ping google.

In my firewall, I do:

# Block ping scans
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# ... but not coming from our LAN
iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

On Saturday 01 November 2003 06:15 am, Simon Kühling wrote:
 hi everyone,

 i'm trying to get my gentoo box running as a firewall and nat-router for
 my home-network.

-- 
Stephen  
  From here to there
 and there to here,
   funny things are everywhere.  -- Dr Seuss



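A corrected set of ICMP rules for the setup discussed in this thread, as an added example (not code from the thread or from the Gentoo guide): it covers both the failure Simon reports and the "ping scan" blocking Stephen describes. The interface names eth0/ppp0 come from Simon's script; LAN_NET (192.168.0.0/24, from the addresses he mentions) and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: ICMP rules the posted script lacks.
# That script sets all three policies to DROP and its icmp_allowed chain only
# accepts time-exceeded and destination-unreachable, so the firewall's own
# outbound echo-request is dropped in OUTPUT (a DROP there is what makes
# ping report "sendmsg: Operation not permitted") and LAN pings die in INPUT.
IPTABLES=${IPTABLES:-/sbin/iptables}
IINTERFACE=${IINTERFACE:-eth0}       # inside (home network), as in the thread
OINTERFACE=${OINTERFACE:-ppp0}       # outside (ADSL), as in the thread
LAN_NET=${LAN_NET:-192.168.0.0/24}   # assumed from the 192.168.0.x hosts named

icmp_rules() {
    # Replies and ICMP errors for a tracked flow are ESTABLISHED/RELATED, so
    # one stateful rule per chain admits echo-reply, time-exceeded and
    # destination-unreachable without opening any ICMP type in general.
    $IPTABLES -A INPUT   -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT  -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The firewall itself may ping out: this is the rule whose absence turns
    # every outbound echo-request into an EPERM from sendmsg().
    $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

    # LAN hosts may ping the firewall and ping through it. The -s match leaves
    # a packet arriving on eth0 with a non-LAN source address to the DROP policy.
    $IPTABLES -A INPUT -i $IINTERFACE -s $LAN_NET \
        -p icmp --icmp-type echo-request -j ACCEPT
    $IPTABLES -A FORWARD -i $IINTERFACE -o $OINTERFACE -s $LAN_NET \
        -p icmp --icmp-type echo-request -j ACCEPT

    # Unsolicited echo-request from the ADSL side (the ping scan Stephen
    # blocks): log at a bounded rate, then drop. The DROP policy would catch
    # it anyway; the explicit rule is what makes the attempt visible in syslog.
    $IPTABLES -A INPUT -i $OINTERFACE -p icmp --icmp-type echo-request \
        -m limit --limit 5/minute -j LOG --log-prefix "Ping from outside: "
    $IPTABLES -A INPUT -i $OINTERFACE -p icmp --icmp-type echo-request -j DROP
}

# Dry run: print the rules with IPTABLES=echo instead of installing them.
preview_rules() {
    (IPTABLES=echo; icmp_rules)
}

# Number of -A rules the function installs, for a quick sanity check.
rule_count() {
    preview_rules | grep -c -- '^-A '
}

case "${1:-}" in
    apply)   icmp_rules ;;
    preview) preview_rules ;;
esac
```

`sh icmp.sh preview` shows the eight rules without changing anything; `apply` installs them, and in the guide's layout they belong inside rules() next to the other chains.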



Re: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Simon Kühling
 I wonder if your firewall is blocking ping scans. Disable the 
 firewall and see 
 if you can ping google.

well, you are right - disabling the firewall makes ping work again.
maybe it is easier to build my own script from scratch instead of using
the one from gentoo-security-guide.
 
 In my firewall, I do:
 
 # Block ping scans
 iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
 # ... but not coming from our LAN
 iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP 
 iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
 

ok, thanks for the hint!

simon





RE: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Jeffrey Smelser
gshield and shorewall can build you a firewall..

I prefer gshield myself.

  I wonder if your firewall is blocking ping scans. Disable the 
  firewall and see 
  if you can ping google.
 
 well, you are right - disabling the firewall makes ping work again.
 maybe it is easier to build my own script from scratch 
 instead of using
 the one from gentoo-security-guide.
  
  In my firewall, I do:
  
  # Block ping scans
  iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
  # ... but not coming from our LAN
  iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP 
  iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
  




Re: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Joshua Banks

--- Simon_Kühling [EMAIL PROTECTED] wrote:
  I wonder if your firewall is blocking ping scans. Disable the 
  firewall and see 
  if you can ping google.
 
 well, you are right - disabling the firewall makes ping work again.
 maybe it is easier to build my own script from scratch instead of
 using
 the one from gentoo-security-guide.

If you insist. You're making a lot of extra work for yourself. Shorewall
already has all of the scripts that you need. All you need to do is
simply modify them. Trust me. Try it, and you will understand. If you
don't like it go back to writing everything from scratch. 

http://www.shorewall.net

JBanks




Re: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Lincoln A. Baxter
I have been running my own personally developed IPTABLES ruleset since I
converted from ipchains to iptables.  

My topology is pretty simple:

WAN (cable modem) --- eth1 [FW] eth0 --- [HUB] -- [LAN boxes]

Note that I am forwarding port 25 from the FW to an internet mail
server.

This thread caused me to take a closer look at both shorewall, and
gshield (I think it was).  I actually emerged shorewall, and attempted
to configure it.  In the end I found it more confusing than my own
custom built script, which I have pretty extensively tested (and which
I will be happy to share if anyone is interested).  Frankly, I like
understanding what is going on under the covers... so I unmerged
shorewall, and went back to using my script.  


On Sat, 2003-11-01 at 19:17, Joshua Banks wrote:
 --- Simon_Kühling [EMAIL PROTECTED] wrote:
   I wonder if your firewall is blocking ping scans. Disable the 
   firewall and see 
   if you can ping google.
  
  well, you are right - disabling the firewall makes ping work again.
  maybe it is easier to build my own script from scratch instead of
  using
  the one from gentoo-security-guide.
 
 If you insist. You're making a lot of extra work for yourself. Shorewall
 already has all of the scripts that you need. All you need to do is
 simply modify them. Trust me. Try it, and you will understand. If you
 don't like it go back to writing everything from scratch. 
 
 http://www.shorewall.net
 
 JBanks
 
-- 
Lincoln A. Baxter [EMAIL PROTECTED]

