
Thread: MDK9 - Using IPTables causes Open Office to Lock up




  1. #1
    Join Date
    Nov 2001
    Posts
    362

    Default

    I am using MDK9 but was having some troubles with Shorewall...so I found a simple iptables command to stealth the ports. The command is
    "/sbin/iptables -A INPUT -p tcp --syn -j DROP"
    It works fine reporting all ports as Stealth on probing.... BUT....Open Office locks up on startup requiring a reboot.

    Any Ideas anyone???
    The older I get...the better I was

  2. #2
    Join Date
    Nov 2001
    Posts
    362

    Default

    Fixed the problem...needed another parameter to restrict it to modem connection only....The command should have been

    /sbin/iptables -A INPUT -i ppp0 -p tcp --syn -j DROP



    Can anyone tell me now how to make it run a script at login so it will do this each time I boot....I've created a script in the /etc/initrd dir but it doesn't seem to execute it at boot???
    The older I get...the better I was

  3. #3
    Join Date
    Nov 2001
    Location
    Brisvegas
    Posts
    832

    Default

    I have a firewall script called rc.firewall in /etc/rc.d and this is what runs it,
    [code]
    if [ -x /etc/rc.d/rc.firewall ]; then
        /etc/rc.d/rc.firewall start
    fi
    [/code]
    I can upload rc.firewall to p-two if you want to have a look at it.

  4. #4
    Join Date
    Nov 2001
    Posts
    362

    Default

    If you could it would help a lot.......I'm really interested in how iptables work and am looking at as many as I can....Thanx
    The older I get...the better I was

  5. #5
    Join Date
    Nov 2001
    Location
    Brisvegas
    Posts
    832

    Default

    Ok, download it here.
    It's a stateful firewall set up for bigpond cable, but I've installed it onto an optus cable box as well (just needed to comment out the BPA parts) and it gives full stealth status at grc.

  6. #6
    Join Date
    Sep 2002
    Posts
    40

    Default

    Will this work with DSL...I doubt it will because I have a USB DSL modem (ppp0) not an ethernet connection..
    | AMD XP 1800+ | MSI KT3 Ultra KT333 | 512 mb Crucial PC2700 | Hercules 3D Prophet 8500 128mb |
    | 40 GB Maxtor HD | 30 GB WD HD | Lian-Li PC60 Modded Case | SK6 Heatsink | FastAccess DSL |
    | Windows XP Home SP1 | Mandrake Linux 9.0 |

  7. #7
    Join Date
    Nov 2001
    Posts
    362

    Default

    Yeah it should...the "-i" parameter is just to tell it where it gets its input from so if it is "ppp0" then it should work......give it a go

    open a terminal window
    change to su
    then type in the command
    then go to http://scan.sygate.com/ and run the stealth scan (a lot more comprehensive set of tests than GRC) and they should all come up as BLOCKED

    What this actually does is drop (and not even acknowledge...that's why the stealth status) all unsolicited attempts to connect to your machine thru the tcp protocol.....very effectively. There are the other two protocols as well (ICMP and UDP) which can also be controlled like this and I have been fiddling a bit but haven't quite got it straight yet....There is also the OUTPUT and the FORWARD packets as well but it's the INPUT packets that cause the mayhem mostly.

    If you use this you will need to do it after each boot ( I still can't work out how to get it to run automatically). And you can reverse it without rebooting by using a "-D" parameter in place of the "-A" parameter...all other parameters MUST be identical so you don't muck up any other system-run iptables policies.

    I've since found out that Open Office works on a client/server basis and if you close all the ports even to internal traffic it will crash (as mine did).....but if you don't need OOffice when you are on the net then it doesn't matter??
    The older I get...the better I was
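
The add/remove procedure from the post above as an added example (not code from the thread): the rule is built in one place so that `-A` and `-D` always receive identical parameters, and an interface must be named so loopback traffic is never matched. The `stealth` and `syn_drop_spec` function names and the `IPTABLES` override are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: manage the SYN-drop rule discussed above.
IPTABLES=${IPTABLES:-/sbin/iptables}

# The rule is defined once so that -C, -A and -D always get identical
# parameters. Empty, loopback or malformed interface names are refused:
# without "-i IFACE" the rule also drops local connections on lo.
syn_drop_spec() {
    case $1 in
        ''|lo|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf 'INPUT -i %s -p tcp --syn -j DROP' "$1"
}

# stealth on|off IFACE
stealth() {
    spec=$(syn_drop_spec "$2") || { echo "refusing interface '$2'" >&2; return 2; }
    case $1 in
        # -C (check) exists only in newer iptables releases; it keeps "on"
        # from appending a duplicate each time the script runs.
        on)  $IPTABLES -C $spec 2>/dev/null || $IPTABLES -A $spec ;;
        # Delete every copy, in case the rule was appended more than once.
        off) while $IPTABLES -C $spec 2>/dev/null; do $IPTABLES -D $spec; done ;;
        *)   echo "usage: stealth on|off IFACE" >&2; return 2 ;;
    esac
}

# Run as root, e.g.:  sh stealth.sh on ppp0
if [ $# -eq 2 ]; then stealth "$1" "$2"; fi
```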

  8. #8
    Join Date
    Nov 2001
    Posts
    362

    Default

    Bern,
    Thanks for the RC firewall....I found a really elegant way of getting it to run at boot up...
    I simply opened the file with an editor as root, selected all the script and copied it to the end of the /etc/rc.d/rc1.d/k92iptables file which runs at boot. (I actually got the DHCP version and changed the input parameter to ppp0 and the dns number to my isp and a few other iptables settings to beef it up a bit and make it a bit more solid.....jeez I luv Linux....I can do what I want not what's just dished up).

    Feeling good as I found all this myself mucking around with the iptables concept and how the machine implements them.....lots and lots and lots of reading though..

    The best site I've found so far to test the firewalls is www.pcflank.com

    [Oldbugger smilin']
    The older I get...the better I was

  9. #9
    Join Date
    Sep 2002
    Posts
    40

    Default

    Bern, I need some help. I would like to use this firewall of yours but after looking over it I know it won't. I have done some shell script programming, but nothing this extensive. My biggest thing is with setting it up to get my ip address. Here is the line from your file.

    EXT_IF=eth0
    EXT_IP=`/sbin/ifconfig $EXT_IF | grep inet | cut -d: -f2 | cut -d: -f1`

    I changed this like I should to be

    EXT_IF=ppp0
    EXT_IP=`/sbin/ifconfig $EXT_IF | grep inet | cut -d: -f2 | cut -d: -f1`

    But when I run it it returns the following (this is an example not my actual IP Address)
    123.45.67.89 P-t-P

    And I am pretty sure that won't work because it has the P-t-P on the end..I was just running the above command from the command line. I thought I could use a cut -c: n-m on the end where I would specify the last 6 places to cut off thus leaving just the ip, however if I do that then if my IP changes and let's say gets longer then I will run into problems. Any help would be great. Thanks, it has been a while since I have done any shell programming.

    Quote Originally Posted by Bern
    Ok, download it here.
    It's a stateful firewall set up for bigpond cable, but I've installed it onto an optus cable box as well (just needed to comment out the BPA parts) and it gives full stealth status at grc.
    | AMD XP 1800+ | MSI KT3 Ultra KT333 | 512 mb Crucial PC2700 | Hercules 3D Prophet 8500 128mb |
    | 40 GB Maxtor HD | 30 GB WD HD | Lian-Li PC60 Modded Case | SK6 Heatsink | FastAccess DSL |
    | Windows XP Home SP1 | Mandrake Linux 9.0 |

  10. #10
    Join Date
    Nov 2001
    Location
    Brisvegas
    Posts
    832

    Default

    Try this,

    EXT_IP="`/sbin/ifconfig $EXT_IF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`/32"
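
The address extraction discussed in the last two posts, as an added example that is not part of the thread or of the rc.firewall script: it parses the `inet addr:` field for both Ethernet and point-to-point interfaces and fails when the interface has no address, instead of yielding a bare `/32`. The function names, the `IFCONFIG` override and the sample output are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Pull the IPv4 address out of ifconfig
# output read on stdin; exit non-zero when there is none (interface down), so a
# firewall script can stop instead of building rules around an empty address.
parse_inet_addr() {
    awk '
        $1 == "inet" {                      # skips "inet6" lines
            addr = $2
            sub(/^addr:/, "", addr)         # old net-tools prints "inet addr:A.B.C.D"
            if (addr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            n = split(addr, o, ".")
            for (i = 1; i <= n; i++) if (o[i] > 255) next
            print addr; found = 1; exit
        }
        END { exit !found }'
}

# ext_ip IFACE: print "A.B.C.D/32" for IFACE, or fail.
# IFCONFIG is a hypothetical override so the command can be stubbed.
ext_ip() {
    ip=$("${IFCONFIG:-/sbin/ifconfig}" "$1" 2>/dev/null | parse_inet_addr) || return 1
    printf '%s/32\n' "$ip"
}

# Constructed sample output (addresses are placeholders).
sample_ppp0() { cat <<'EOF'
ppp0      Link encap:Point-to-Point Protocol
          inet addr:123.45.67.89  P-t-P:10.0.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
EOF
}
sample_eth0() { cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::1/64 Scope:Link
EOF
}
sample_down() { echo 'ppp0: error fetching interface information: Device not found' >&2; return 1; }

sample_ppp0 | parse_inet_addr    # 123.45.67.89
sample_eth0 | parse_inet_addr    # 192.168.1.10
```

In a firewall script, `EXT_IP=$(ext_ip "$EXT_IF") || exit 1` stops before any rule is installed when the link is not up yet.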
