
MDK9 - Using IPTables causes Open Office to Lock up

  • #1

    I am using MDK9 but was having some trouble with Shorewall... so I found a simple iptables command to stealth the ports. The command is
    "/sbin/iptables -A INPUT -p tcp --syn -j DROP"
    It works fine, reporting all ports as Stealth on probing.... BUT.... Open Office locks up on startup, requiring a reboot.

    Any Ideas anyone???

  • #2
    Fixed the problem... needed another parameter to restrict it to the modem connection only.... The command should have been

    /sbin/iptables -A INPUT -i ppp0 -p tcp --syn -j DROP



    Can anyone tell me now how to make it run a script at login so it will do this each time I boot.... I've created a script in the /etc/initrd dir but it doesn't seem to execute at boot???



    • #3
      I have a firewall script called rc.firewall in /etc/rc.d, and this is what runs it:

          if [ -x /etc/rc.d/rc.firewall ]; then
              /etc/rc.d/rc.firewall start
          fi

      I can upload rc.firewall to p-two if you want to have a look at it.
      p-two.net



      • #4
        If you could, it would help a lot....... I'm really interested in how iptables works and am looking at as many as I can.... Thanx



        • #5
          Ok, download it here.
          It's a stateful firewall set up for bigpond cable, but I've installed it onto an optus cable box as well (just needed to comment out the BPA parts) and it gives full stealth status at grc.
          p-two.net



          • #6
            Will this work with DSL... I doubt it will, because I have a USB DSL modem (ppp0), not an ethernet connection..



            • #7
              Yeah, it should... the "-i" parameter just tells it where it gets its input from, so if it is "ppp0" then it should work...... give it a go

              open a terminal window
              change to su
              then type in the command
              then go to http://scan.sygate.com/ and run the stealth scan (a lot more comprehensive set of tests than GRC) and they should all come up as BLOCKED

              What this actually does is drop (and not even acknowledge... that's why the stealth status) all unsolicited attempts to connect to your machine through the TCP protocol..... very effectively. There are the other two protocols as well (ICMP and UDP), which can also be controlled like this, and I have been fiddling a bit but haven't quite got it straight yet.... There are also the OUTPUT and the FORWARD packets, but it's the INPUT packets that cause the mayhem mostly.

              If you use this you will need to do it after each boot (I still can't work out how to get it to run automatically). And you can reverse it without rebooting by using a "-D" parameter in place of the "-A" parameter... all other parameters MUST be identical so you don't muck up any other system-run iptables policies.

              I've since found out that Open Office works on a client/server basis, and if you close all the ports even to internal traffic it will crash (as mine did)..... but if you don't need OOffice when you are on the net then it doesn't matter??

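The pieces discussed in posts #1, #2, #3 and #7 (drop unsolicited SYNs on the modem only, keep loopback open so local client/server programs such as Open Office still work, undo with "-D" using identical rule bodies, and hook it into an rc.firewall-style start/stop script) fit together in the script below. This is an added example, not Bern's rc.firewall (which is not reproduced on this page) and not anything the posters ran; the interface name ppp0, the IPTABLES variable and the function names are assumptions for illustration. Set IPTABLES=echo to preview the commands without touching the kernel.

```shell
#!/bin/sh
# Added example (not from the thread): stealth a PPP/modem link with iptables
# while leaving loopback and replies to our own connections alone.
#
# IPTABLES is the path to the binary (assumed /sbin/iptables as in the
# thread); set it to "echo" to print the commands instead of running them.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# firewall_rules IFACE ACTION
#   IFACE  : external interface, e.g. ppp0 (USB DSL modem) or eth0 (cable)
#   ACTION : A to append the rules, D to delete exactly the same rules again
# Prints one iptables command per line.  Order matters when appending: the
# loopback and ESTABLISHED rules must come before the catch-all SYN drop,
# otherwise local client/server apps (Open Office) and our own downloads
# are cut off too.
firewall_rules() {
    iface=$1
    action=$2
    case "$action" in
        A|D) ;;
        *) echo "firewall_rules: action must be A or D" >&2; return 1 ;;
    esac
    cat <<EOF
$IPTABLES -$action INPUT -i lo -j ACCEPT
$IPTABLES -$action INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -$action INPUT -i $iface -p tcp --syn -j DROP
$IPTABLES -$action INPUT -i $iface -p udp -m state --state NEW -j DROP
EOF
}

# apply_rules IFACE ACTION: run every command firewall_rules prints.
# Because the rule bodies for D are byte-for-byte the ones added with A,
# "iptables -D" finds and removes them without disturbing other rules.
apply_rules() {
    firewall_rules "$1" "$2" | while IFS= read -r cmd; do
        eval "$cmd" || return 1
    done
}

# rc.firewall-style entry point, so the hook from post #3
# ("/etc/rc.d/rc.firewall start") or a manual "stop" to undo both work.
# With no argument the file only defines the functions (safe to source).
case "${1:-}" in
    start) apply_rules "${EXT_IF:-ppp0}" A ;;
    stop)  apply_rules "${EXT_IF:-ppp0}" D ;;
    "")    ;;
    *)     echo "usage: $0 {start|stop}" >&2; exit 1 ;;
esac
```

Run it as root after ppp0 is up (for example `/etc/rc.d/rc.firewall start` from the init hook, and `stop` to undo without a reboot); `IPTABLES=echo sh rc.firewall start` shows the exact rule lines that will be added.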


              • #8
                Bern,
                Thanks for the RC firewall.... I found a really elegant way of getting it to run at boot up...
                I simply opened the file with an editor as root, selected all the script and copied it to the end of the /etc/rc.d/rc1.d/k92iptables file, which runs at boot. (I actually got the DHCP version and changed the input parameter to ppp0 and the DNS number to my ISP's, and a few other iptables settings to beef it up a bit and make it a bit more solid..... jeez, I luv Linux.... I can do what I want, not just what's dished up).

                Feeling good, as I found all this myself mucking around with the iptables concept and how the machine implements them..... lots and lots and lots of reading though..

                The best site I've found so far to test the firewalls is www.pcflank.com

                [Oldbugger smilin']



                • #9
                  Bern, I need some help. I would like to use this firewall of yours, but after looking over it I know it won't. I have done some shell script programming, but nothing this extensive. My biggest thing is with setting it up to get my IP address. Here is the line from your file.

                  EXT_IF=eth0
                  EXT_IP=`/sbin/ifconfig $EXT_IF | grep inet | cut -d: -f2 | cut -d: -f1`

                  I changed this like I should to be

                  EXT_IF=ppp0
                  EXT_IP=`/sbin/ifconfig $EXT_IF | grep inet | cut -d: -f2 | cut -d: -f1`

                  But when I run it it returns the following (this is an example not my actual IP Address)
                  123.45.67.89 P-t-P

                  And I am pretty sure that won't work because it has the P-t-P on the end.. I was just running the above command from the command line. I thought I could use a cut -c n-m on the end, where I would specify the last 6 places to cut off, thus leaving just the IP; however, if I do that, then if my IP changes and, let's say, gets longer, I will run into problems. Any help would be great. Thanks, it has been a while since I have done any shell programming.

                  Originally posted by Bern
                  Ok, download it here.
                  It's a stateful firewall set up for bigpond cable, but I've installed it onto an optus cable box as well (just needed to comment out the BPA parts) and it gives full stealth status at grc.



                  • #10
                    Try this,

                    EXT_IP="`/sbin/ifconfig $EXT_IF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`/32"
                    p-two.net



                    • #11
                      Thank you very much. I remember briefly touching on AWK in my OS class; wish I would have learned it more.. but thanks again.



                      • #12
                        Just out of curiosity, what is the /32 added to the end for... thanks again for all your help.



                        • #13
                          Buggered if I know, I lifted that line from a DSL script I found on the net one day. I have a few different ones that I collected for comparison and to see how different people used iptables.
                          p-two.net



                          • #14
                            Oh.. ok.. lol... well, it didn't work if I had the /32 on the end.. I did an echo of "EXT_IP" to see what was stored in it, and if I did it with the /32 it added it to the end of my IP address and would crash the program, so I just took it off and it works fine.. thanks again..



                            • #15
                              I could be wrong, but the /xx means use the first xx digits of the 32-bit IP address... if you have /32 it means use the full 32-bit IP address.... I found something similar to this in the firewall script I modified.... my parameter was /24, which it says was similar to netmasking the IP address as 255.255.255.0

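Two things in posts #9 to #15 are worth seeing in working code: extracting the interface address from old-style ifconfig output without the "P-t-P" (or "Bcast") text leaking into it, and what a /N suffix means (the netmask it stands for, /32 being a single host and /24 being 255.255.255.0). The block below is an added example, not code from Bern's script or from any poster; the sample ifconfig text is constructed (documentation addresses, not real ones) so the parser can be exercised offline, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): read the external IP out of ifconfig
# output in a way that works for both Ethernet ("Bcast:") and PPP ("P-t-P:")
# interfaces, and show what the /N suffix on an address stands for.

# Constructed samples of net-tools ifconfig output (RFC 5737 test addresses).
SAMPLE_PPP0='ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.45  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'

SAMPLE_ETH0='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# addr_from_ifconfig: ifconfig text on stdin, bare IPv4 address on stdout.
# Strip everything up to "inet addr:" and take the first whitespace-separated
# word, so whatever follows (P-t-P, Bcast, Mask) never ends up in the result,
# and the length of the address does not matter.
addr_from_ifconfig() {
    awk '/inet addr:/ { sub(/.*inet addr:/, ""); print $1; exit }'
}

# ext_ip IFACE: the live version, same parser on the real command.
ext_ip() {
    /sbin/ifconfig "$1" | addr_from_ifconfig
}

# prefix_to_netmask N: dotted netmask for a /N prefix.  /32 -> 255.255.255.255
# (exactly one host), /24 -> 255.255.255.0.  iptables takes ADDR/N and
# ADDR/MASK interchangeably in -s and -d.
prefix_to_netmask() {
    n=$1
    [ "$n" -ge 0 ] && [ "$n" -le 32 ] || { echo "bad prefix: $n" >&2; return 1; }
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        bits=$(( n - i * 8 ))            # prefix bits left for this octet
        if [ "$bits" -ge 8 ]; then octet=255
        elif [ "$bits" -le 0 ]; then octet=0
        else octet=$(( 256 - (1 << (8 - bits)) ))
        fi
        mask="$mask${mask:+.}$octet"
        i=$(( i + 1 ))
    done
    echo "$mask"
}

# Demonstration on the constructed samples (run stand-alone):
#   printf '%s\n' "$SAMPLE_PPP0" | addr_from_ifconfig   prints 203.0.113.45
#   printf '%s\n' "$SAMPLE_ETH0" | addr_from_ifconfig   prints 192.0.2.10
#   prefix_to_netmask 24                                 prints 255.255.255.0
# In a firewall script: EXT_IP=$(ext_ip ppp0), then "-d $EXT_IP/32" or plain
# "-d $EXT_IP" both match only that one host.
```

The awk one-liner replaces the `grep inet | cut -d: -f2 | cut -d: -f1` pipeline from post #9, which stops at the second colon and so keeps the " P-t-P" text on PPP links; cutting a fixed number of trailing characters, as the poster considered, would break as soon as the address length changed.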