MDK9 - Using IPTables causes Open Office to Lock up



Oldbugger
10-21-2002, 10:13 AM
I am using MDK9 but was having some troubles with Shorewall...so I found a simple iptables command to stealth the ports. The command is
"/sbin/iptables -A INPUT -p tcp --syn -j DROP"
It works fine, reporting all ports as Stealth on probing.... BUT....Open Office locks up on startup, requiring a reboot.

Any Ideas anyone???

Oldbugger
10-21-2002, 07:01 PM
Fixed the problem...needed another parameter to restrict it to the modem connection only....The command should have been

/sbin/iptables -A INPUT -i ppp0 -p tcp --syn -j DROP



Can anyone tell me now how to make it run a script at login so it will do this each time I boot....I've created a script in the /etc/initrd dir but it doesn't seem to execute it at boot???

Bern
10-21-2002, 11:14 PM
I have a firewall script called rc.firewall in /etc/rc.d and this is what runs it,
    if [ -x /etc/rc.d/rc.firewall ]; then
        /etc/rc.d/rc.firewall start
    fi
I can upload rc.firewall to p-two if you want to have a look at it.

Oldbugger
10-22-2002, 09:50 AM
If you could it would help a lot.......I'm really interested in how iptables work and am looking at as many as I can....Thanx

Bern
10-22-2002, 10:01 AM
Ok, download it here (ftp://ftp.p-two.net/pub/rc.firewall).
It's a stateful firewall set up for bigpond cable, but I've installed it onto an optus cable box as well (just needed to comment out the BPA parts) and it gives full stealth status at grc.

rockandchelle
10-22-2002, 10:33 AM
Will this work with DSL...I doubt it will because I have a USB DSL modem (ppp0) not an ethernet connection..

Oldbugger
10-22-2002, 01:01 PM
Yeah it should...the "-i" parameter is just to tell it where it gets its input from so if it is "ppp0" then it should work......give it a go

open a terminal window
change to su
then type in the command
then go to http://scan.sygate.com/ and run the stealth scan (a lot more comprehensive set of tests than GRC) and they should all come up as BLOCKED

What this actually does is drop (and not even acknowledge...that's why the stealth status) all unsolicited attempts to connect to your machine thru the tcp protocol.....very effectively. There are the other two protocols as well (ICMP and UDP) which can also be controlled like this and I have been fiddling a bit but haven't quite got it straight yet....There are also the OUTPUT and the FORWARD packets as well but it's the INPUT packets that cause the mayhem mostly.

If you use this you will need to do it after each boot ( I still can't work out how to get it to run automatically). And you can reverse it without rebooting by using a "-D" parameter in place of the "-A" parameter...all other parameters MUST be identical so you don't muck up any other system-run iptables policies.

I've since found out that Open Office works on a client/server basis and if you close all the ports even to internal traffic it will crash (as mine did).....but if you don't need OOffice when you are on the net then it doesn't matter??
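A start/stop firewall script of the kind Bern's rc.firewall snippet is invoked with, written here as an added example; it is not Bern's rc.firewall and not Oldbugger's modified k92iptables. Every rule is kept once in a list and applied with -A on start and -D on stop, so the delete lines can never drift from the add lines (the point made above that all other parameters must be identical). Loopback is accepted before anything is dropped, which is what keeps local client/server programs such as OpenOffice working while unsolicited SYNs on ppp0 are dropped. The interface, the iptables path and the use of the state match module are assumptions for illustration.

```shell
#!/bin/sh
# Added example for this thread: a SysV-style start/stop firewall script.
# Not Bern's rc.firewall; interface and paths are assumptions for illustration.
IPTABLES=${IPTABLES:-/sbin/iptables}   # path used in the thread
EXT_IF=${EXT_IF:-ppp0}                 # dial-up interface from the thread

# Every rule is written once WITHOUT the -A/-D action, so 'stop' deletes
# exactly what 'start' appended: -D only matches when every other parameter
# is identical to the -A line.
rules() {
    cat <<EOF
INPUT -i lo -j ACCEPT
INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
INPUT -i $EXT_IF -p tcp --syn -j DROP
INPUT -i $EXT_IF -p udp -j DROP
EOF
}

# Run $IPTABLES with the given action (-A or -D) for each rule in the list.
# Rules are word-split on purpose: they are stored as whitespace-separated args.
fw_apply() {
    action=$1
    rules | while read -r rule; do
        # shellcheck disable=SC2086
        $IPTABLES "$action" $rule
    done
}

# Entry point when run as an init script: ./rc.firewall start|stop
case "${1:-}" in
    start) fw_apply -A ;;
    stop)  fw_apply -D ;;
    "")    ;;   # sourced or run without arguments: only define the functions
    *)     echo "usage: $0 {start|stop}" >&2; exit 1 ;;
esac
```

The accept-loopback rule comes first because iptables evaluates a chain top to bottom and stops at the first match; the ESTABLISHED,RELATED rule lets replies to your own outgoing connections (including DNS answers over UDP) through before the blanket drops. Setting IPTABLES to a wrapper that prints its arguments gives a dry run of the exact commands that would be executed.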

Oldbugger
10-23-2002, 09:53 PM
Bern,
Thanks for the RC firewall....I found a really elegant way of getting to run at boot up...
I simply opened the file with an editor as root, selected all the script and copied it to the end of the /etc/rc.d/rc1.d/k92iptables file which runs at boot. (I actually got the DHCP version and changed the input parameter to ppp0 and the dns number to my isp and a few other iptables settings to beef it up a bit and make it a bit more solid.....jeez I luv Linux....I can do what I want not what's just dished up).

Feeling good as I found all this myself mucking around with the iptables concept and how the machine implements them.....lots and lots and lots of reading though..

The best site I've found so far to test the firewalls is www.pcflank.com

[Oldbugger smilin']

rockandchelle
10-25-2002, 04:55 PM
Bern, I need some help. I would like to use this firewall of yours but after looking over it I know it won't. I have done some shell script programming, but nothing this extensive. My biggest thing is with setting it up to get my ip address. Here is the line from your file.

EXT_IF=eth0
EXT_IP=`/sbin/ifconfig $EXT_IF | grep inet | cut -d: -f2 | cut -d: -f1`

I changed this like I should to be

EXT_IF=ppp0
EXT_IP=`/sbin/ifconfig $EXT_IF | grep inet | cut -d: -f2 | cut -d: -f1`

But when I run it it returns the following (this is an example not my actual IP Address)
123.45.67.89 P-t-P

And I am pretty sure that won't work because it has the P-t-P on the end..I was just running the above command from the command line. I thought I could use a cut -c: n-m on the end where I would specify the last 6 places to cut off thus leaving just the ip, however if I do that then if my IP changes and let's say gets longer then I will run into problems. Any help would be great. Thanks, it has been a while since I have done any shell programming.

Bern
10-25-2002, 06:06 PM
Try this,

EXT_IP="`/sbin/ifconfig $EXT_IF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`/32"
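To show why the original pipeline leaves "P-t-P" behind and why Bern's version does not, here is an added example (not code from the thread) that runs both against constructed ifconfig output for an Ethernet and a PPP interface, using documentation-range addresses rather than anything real. It goes one step beyond the thread: iface_ip also accepts the newer net-tools layout ("inet A.B.C.D" with no "addr:" label), and is_ipv4 checks the result before it is handed to iptables.

```shell
#!/bin/sh
# Added example for this thread: extracting an interface's IPv4 address from
# ifconfig output. The samples below are constructed (documentation-range
# addresses), not output from any real machine.
ETH0_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
PPP0_SAMPLE='ppp0      Link encap:Point-to-Point Protocol
          inet addr:198.51.100.7  P-t-P:198.51.100.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'
# Newer net-tools prints "inet A.B.C.D  netmask ..." with no "addr:" label.
NEW_STYLE_SAMPLE='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255'

# The pipeline from rockandchelle's post: keeps colon-field 2 of the inet line,
# which still carries the label of the NEXT field ("Bcast" or "P-t-P").
old_extract() {
    printf '%s\n' "$1" | grep inet | cut -d: -f2 | cut -d: -f1
}

# Bern's pipeline: field 2 of the "inet addr" line is "addr:A.B.C.D";
# sed strips everything up to and including the colon.
bern_extract() {
    printf '%s\n' "$1" | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'
}

# Generalised form: accept both "inet addr:A.B.C.D" and "inet A.B.C.D",
# print only the first match, and print nothing if there is no inet line.
iface_ip() {
    printf '%s\n' "$1" | sed -n 's/^ *inet \(addr:\)\{0,1\}\([0-9.][0-9.]*\).*/\2/p' | head -n 1
}

# Sanity check before handing the value to iptables: four octets, each 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Stand-alone demonstration of the three extractors on the PPP sample.
echo "old:  '$(old_extract "$PPP0_SAMPLE")'"
echo "bern: '$(bern_extract "$PPP0_SAMPLE")'"
echo "new:  '$(iface_ip "$PPP0_SAMPLE")'"
```

The old pipeline prints "198.51.100.7  P-t-P" for the PPP sample, which is_ipv4 rejects; Bern's prints the bare address. In a script, test the extracted value with is_ipv4 and refuse to load rules on failure, since an empty or malformed EXT_IP silently changes what the rules match.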

rockandchelle
10-26-2002, 05:48 PM
Thank you very much, I remember briefly touching on AWK in my OS class, wish I would have learned it more..but thanks again.

rockandchelle
10-26-2002, 06:06 PM
Just out of curiosity what is the /32 added to the end for...thanks again for all your help.

Bern
10-26-2002, 06:11 PM
Buggered if I know, I lifted that line from a DSL script I found on the net one day. I have a few different ones that I collected for comparison and to see how different people used iptables.

rockandchelle
10-27-2002, 01:24 PM
Oh..ok..lol...well it didn't work if I had the /32 on the end..I did an echo of the "EXT_IP" to see what was stored in it and if I did it with the /32 it added it to the end of my ip address and would crash the program, so I just took it off and it works fine...thanks again..

Oldbugger
10-27-2002, 03:25 PM
I could be wrong but the /xx means use the first xx digits of the 32 bit ip address...if you have /32 it means use the full 32 bit ip address....I found something similar to this in the firewall script I modified....my parameter was /24 which it says was similar to net masking the ip address as 255.255.255.0
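What the /N suffix means, worked through as an added example (not from the thread): the prefix length is the number of leading bits of the 32-bit address that identify the network, so /24 is the mask 255.255.255.0 and /32 selects exactly one host, which is why Bern's line appends it to a single interface address. The functions below derive the mask from the prefix length and test whether an address lies inside a network, using only POSIX sh arithmetic; the addresses are constructed documentation-range values.

```shell
#!/bin/sh
# Added example for this thread: what a /N prefix length means, in POSIX sh.

# Dotted quad -> 32-bit integer (e.g. 0.0.1.0 -> 256).
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Prefix length -> mask as an integer: the top N bits set, the rest clear.
# /0 is special-cased because shifting a 32-bit value by 32 is not defined.
prefix_to_mask_int() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# Prefix length -> dotted mask: /24 -> 255.255.255.0, /32 -> 255.255.255.255.
prefix_to_mask() {
    int_to_ip "$(prefix_to_mask_int "$1")"
}

# Exit 0 if address $1 lies inside network $2 written as A.B.C.D/N.
# Both sides are masked with the network's mask and then compared.
in_cidr() {
    net=${2%/*}
    mask=$(prefix_to_mask_int "${2#*/}")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Stand-alone demonstration.
for p in 0 8 24 32; do
    echo "/$p -> $(prefix_to_mask "$p")"
done
```

So "-s 198.51.100.7/32" and "-s 198.51.100.7" describe the same single host in an iptables match, while "-s 192.0.2.0/24" covers all 256 addresses from 192.0.2.0 to 192.0.2.255.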

rockandchelle
10-29-2002, 04:50 PM
Hey bern, what exactly does the -c in this statement do.

$IPTABLES -A INPUT -i $EXT_IF -j TRAF-IN -c $X1

Because, for some reason now when I try to start the firewall it says...iptables v1.2.6a: Unknown arg `-c'...just wondering if you could help any.

Thanks.

Oldbugger
10-30-2002, 08:31 AM
The "-c" parameter is telling IPtables how many packets to process..in your case the number contained in the variable X1.

The whole line is appending (-A) an IPtables rule for INPUT packets received from the source EXT_IF and telling it to jump (-j) to the rule called TRAF-IN.

For example if the input source in EXT_IF is say a modem and the rule in TRAF-IN is to discard the packet and the variable X1 is 5 then the line is telling the kernel to take 5 packets received from the modem and drop them.

Roughly speaking that is.....without the rest of the script the above is an interpretation only of what the line is doing. Very crude interpretation and maybe one of the better informed fellas can help a bit more.