Re: change in behavior of iptables with respect to firestarter

To: debian-user@lists.debian.org
Subject: Re: change in behavior of iptables with respect to firestarter
From: Gilbert Sullivan <whirlygig@comcast.net>
Date: Fri, 22 Oct 2010 15:00:40 -0400
Message-id: <[🔎] 4CC1DF58.6020809@comcast.net>
In-reply-to: <[🔎] 20101022175614.GA28226@aurora.owens.net>
References: <[🔎] 4CC1CED3.7050601@comcast.net> <[🔎] 20101022175614.GA28226@aurora.owens.net>

On 10/22/2010 01:56 PM, Rob Owens wrote:

On Fri, Oct 22, 2010 at 01:50:11PM -0400, Gilbert Sullivan wrote:

list's moderator hasn't got back to me. It appears that the rules I want
in iptables are not in effect at all until I actually  bring up the
Firestarter user interface during a given session. Once I log off
(restart not necessary) the rules are apparently reset to the default.

You can check this by running (as root):

iptables -L

If there are no firewall rules active, it will look something like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

-Rob


Thanks, Rob.

I set up the rules in Firestarter. I reboot. This is what I get:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Now I start the Firestarter GUI, and I repeat the two iptables commands(Sorry for the length of the output. I broke up the output from the twocommands with dashed lines to help a little with parsing):


------------------------------------------------------------------

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination

ACCEPT tcp -- resolver1.opendns.com anywhere tcpflags:!FIN,SYN,RST,ACK/SYN

ACCEPT     udp  --  resolver1.opendns.com  anywhere

ACCEPT tcp -- resolver2.opendns.com anywhere tcpflags:!FIN,SYN,RST,ACK/SYN

ACCEPT     udp  --  resolver2.opendns.com  anywhere
ACCEPT     all  --  anywhere             anywhere

ACCEPT icmp -- anywhere anywhere limit: avg10/sec burst 5

DROP       all  --  anywhere             255.255.255.255
DROP       all  --  anywhere             192.168.9.255
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  anywhere             default
DROP       all  --  anywhere             anywhere            state INVALID

LSI all -f anywhere anywhere limit: avg10/min burst 5

INBOUND    all  --  anywhere             anywhere
LOG_FILTER  all  --  anywhere             anywhere

LOG all -- anywhere anywhere LOG levelinfo prefix `Unknown Input'


Chain FORWARD (policy DROP)
target     prot opt source               destination

ACCEPT icmp -- anywhere anywhere limit: avg10/sec burst 5

LOG_FILTER  all  --  anywhere             anywhere

LOG all -- anywhere anywhere LOG levelinfo prefix `Unknown Forward'


Chain OUTPUT (policy DROP)
target     prot opt source               destination

ACCEPT tcp -- 192.168.9.22 resolver1.opendns.com tcpdpt:domainACCEPT udp -- 192.168.9.22 resolver1.opendns.com udpdpt:domainACCEPT tcp -- 192.168.9.22 resolver2.opendns.com tcpdpt:domainACCEPT udp -- 192.168.9.22 resolver2.opendns.com udpdpt:domain

ACCEPT     all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  anywhere             default
DROP       all  --  anywhere             anywhere            state INVALID
OUTBOUND   all  --  anywhere             anywhere
LOG_FILTER  all  --  anywhere             anywhere

LOG all -- anywhere anywhere LOG levelinfo prefix `Unknown Output'


Chain INBOUND (1 references)
target     prot opt source               destination

ACCEPT tcp -- anywhere anywhere stateRELATED,ESTABLISHEDACCEPT udp -- anywhere anywhere stateRELATED,ESTABLISHED

LSI        all  --  anywhere             anywhere

Chain LOG_FILTER (5 references)
target     prot opt source               destination

Chain LSI (2 references)
target     prot opt source               destination
LOG_FILTER  all  --  anywhere             anywhere

LOG tcp -- anywhere anywhere tcpflags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix`Inbound 'DROP tcp -- anywhere anywhere tcpflags:FIN,SYN,RST,ACK/SYNLOG tcp -- anywhere anywhere tcpflags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix`Inbound 'DROP tcp -- anywhere anywhere tcpflags:FIN,SYN,RST,ACK/RSTLOG icmp -- anywhere anywhere icmpecho-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound 'DROP icmp -- anywhere anywhere icmpecho-requestLOG all -- anywhere anywhere limit: avg5/sec burst 5 LOG level info prefix `Inbound '

DROP       all  --  anywhere             anywhere

Chain LSO (0 references)
target     prot opt source               destination
LOG_FILTER  all  --  anywhere             anywhere

LOG all -- anywhere anywhere limit: avg5/sec burst 5 LOG level info prefix `Outbound 'REJECT all -- anywhere anywhere reject-withicmp-port-unreachable


Chain OUTBOUND (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere

ACCEPT tcp -- anywhere anywhere stateRELATED,ESTABLISHEDACCEPT udp -- anywhere anywhere stateRELATED,ESTABLISHED

ACCEPT     all  --  anywhere             anywhere

------------------------------------------------------------------

# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N INBOUND
-N LOG_FILTER
-N LSI
-N LSO
-N OUTBOUND

-A INPUT -s 208.67.222.222/32 -p tcp -m tcp ! --tcp-flagsFIN,SYN,RST,ACK SYN -j ACCEPT

-A INPUT -s 208.67.222.222/32 -p udp -j ACCEPT

-A INPUT -s 208.67.220.220/32 -p tcp -m tcp ! --tcp-flagsFIN,SYN,RST,ACK SYN -j ACCEPT

-A INPUT -s 208.67.220.220/32 -p udp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m limit --limit 10/sec -j ACCEPT
-A INPUT -d 255.255.255.255/32 -i eth0 -j DROP
-A INPUT -d 192.168.9.255/32 -j DROP
-A INPUT -s 224.0.0.0/8 -j DROP
-A INPUT -d 224.0.0.0/8 -j DROP
-A INPUT -s 255.255.255.255/32 -j DROP
-A INPUT -d 0.0.0.0/32 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -f -m limit --limit 10/min -j LSI
-A INPUT -i eth0 -j INBOUND
-A INPUT -j LOG_FILTER
-A INPUT -j LOG --log-prefix "Unknown Input" --log-level 6
-A FORWARD -p icmp -m limit --limit 10/sec -j ACCEPT
-A FORWARD -j LOG_FILTER
-A FORWARD -j LOG --log-prefix "Unknown Forward" --log-level 6

-A OUTPUT -s 192.168.9.22/32 -d 208.67.222.222/32 -p tcp -m tcp --dport53 -j ACCEPT-A OUTPUT -s 192.168.9.22/32 -d 208.67.222.222/32 -p udp -m udp --dport53 -j ACCEPT-A OUTPUT -s 192.168.9.22/32 -d 208.67.220.220/32 -p tcp -m tcp --dport53 -j ACCEPT-A OUTPUT -s 192.168.9.22/32 -d 208.67.220.220/32 -p udp -m udp --dport53 -j ACCEPT

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 224.0.0.0/8 -j DROP
-A OUTPUT -d 224.0.0.0/8 -j DROP
-A OUTPUT -s 255.255.255.255/32 -j DROP
-A OUTPUT -d 0.0.0.0/32 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o eth0 -j OUTBOUND
-A OUTPUT -j LOG_FILTER
-A OUTPUT -j LOG --log-prefix "Unknown Output" --log-level 6
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -j LSI
-A LSI -j LOG_FILTER

-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit1/sec -j LOG --log-prefix "Inbound " --log-level 6

-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit1/sec -j LOG --log-prefix "Inbound " --log-level 6

-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP

-A LSI -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j LOG--log-prefix "Inbound " --log-level 6

-A LSI -p icmp -m icmp --icmp-type 8 -j DROP
-A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -j DROP
-A LSO -j LOG_FILTER
-A LSO -m limit --limit 5/sec -j LOG --log-prefix "Outbound " --log-level 6
-A LSO -j REJECT --reject-with icmp-port-unreachable
-A OUTBOUND -p icmp -j ACCEPT
-A OUTBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -j ACCEPT

------------------------------------------------------------------

I've never seen Firestarter behave like this. It seems that the rulesare only applied after Firestarter gets started in the current session.I can close Firestarter completely after starting it, and the rules arestill held in iptables.


However, once I reboot, I'm back to the default iptables configuration.

I just checked again, and I guess i was wrong about losing the rules byjust logging out. It appears that I have to reboot to lose them.

Does this have something to do with Firestarter being started (or notstarted) at different run levels during startup? I briefly see somethingabout it scrolling by, but I never get a chance to read it.


Regards,
Gilbert

Reply to:

Follow-Ups:
- Re: change in behavior of iptables with respect to firestarter
  - From: Rob Owens <rowens@ptd.net>
- Re: change in behavior of iptables with respect to firestarter
  - From: Greg Madden <gomadtroll@gci.net>

References:
- change in behavior of iptables with respect to firestarter
  - From: Gilbert Sullivan <whirlygig@comcast.net>
- Re: change in behavior of iptables with respect to firestarter
  - From: Rob Owens <rowens@ptd.net>

Prev by Date: Re: Wierd kde/gnome interaction
Next by Date: add downloaded program to menu or run it--how?
Previous by thread: Re: change in behavior of iptables with respect to firestarter
Next by thread: Re: change in behavior of iptables with respect to firestarter
Index(es):
- Date
- Thread