[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: change in behavior of iptables with respect to firestarter



On 10/22/2010 01:56 PM, Rob Owens wrote:
On Fri, Oct 22, 2010 at 01:50:11PM -0400, Gilbert Sullivan wrote:
list's moderator hasn't got back to me. It appears that the rules I want
in iptables are not in effect at all until I actually  bring up the
Firestarter user interface during a given session. Once I log off
(restart not necessary) the rules are apparently reset to the default.

You can check this by running (as root):

iptables -L

If there are no firewall rules active, it will look something like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

-Rob

Thanks, Rob.

I set up the rules in Firestarter. I reboot. This is what I get:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Now I start the Firestarter GUI, and I repeat the two iptables commands (Sorry for the length of the output. I broke up the output from the two commands with dashed lines to help a little with parsing):

------------------------------------------------------------------

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT tcp -- resolver1.opendns.com anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  resolver1.opendns.com  anywhere
ACCEPT tcp -- resolver2.opendns.com anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  resolver2.opendns.com  anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
DROP       all  --  anywhere             255.255.255.255
DROP       all  --  anywhere             192.168.9.255
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  anywhere             default
DROP       all  --  anywhere             anywhere            state INVALID
LSI all -f anywhere anywhere limit: avg 10/min burst 5
INBOUND    all  --  anywhere             anywhere
LOG_FILTER  all  --  anywhere             anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Input'

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
LOG_FILTER  all  --  anywhere             anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Forward'

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT tcp -- 192.168.9.22 resolver1.opendns.com tcp dpt:domain ACCEPT udp -- 192.168.9.22 resolver1.opendns.com udp dpt:domain ACCEPT tcp -- 192.168.9.22 resolver2.opendns.com tcp dpt:domain ACCEPT udp -- 192.168.9.22 resolver2.opendns.com udp dpt:domain
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  anywhere             default
DROP       all  --  anywhere             anywhere            state INVALID
OUTBOUND   all  --  anywhere             anywhere
LOG_FILTER  all  --  anywhere             anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Output'

Chain INBOUND (1 references)
target     prot opt source               destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
LSI        all  --  anywhere             anywhere

Chain LOG_FILTER (5 references)
target     prot opt source               destination

Chain LSI (2 references)
target     prot opt source               destination
LOG_FILTER  all  --  anywhere             anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound ' DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound ' DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound ' DROP icmp -- anywhere anywhere icmp echo-request LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP       all  --  anywhere             anywhere

Chain LSO (0 references)
target     prot opt source               destination
LOG_FILTER  all  --  anywhere             anywhere
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound ' REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

------------------------------------------------------------------

# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N INBOUND
-N LOG_FILTER
-N LSI
-N LSO
-N OUTBOUND
-A INPUT -s 208.67.222.222/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 208.67.222.222/32 -p udp -j ACCEPT
-A INPUT -s 208.67.220.220/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 208.67.220.220/32 -p udp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m limit --limit 10/sec -j ACCEPT
-A INPUT -d 255.255.255.255/32 -i eth0 -j DROP
-A INPUT -d 192.168.9.255/32 -j DROP
-A INPUT -s 224.0.0.0/8 -j DROP
-A INPUT -d 224.0.0.0/8 -j DROP
-A INPUT -s 255.255.255.255/32 -j DROP
-A INPUT -d 0.0.0.0/32 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -f -m limit --limit 10/min -j LSI
-A INPUT -i eth0 -j INBOUND
-A INPUT -j LOG_FILTER
-A INPUT -j LOG --log-prefix "Unknown Input" --log-level 6
-A FORWARD -p icmp -m limit --limit 10/sec -j ACCEPT
-A FORWARD -j LOG_FILTER
-A FORWARD -j LOG --log-prefix "Unknown Forward" --log-level 6
-A OUTPUT -s 192.168.9.22/32 -d 208.67.222.222/32 -p tcp -m tcp --dport 53 -j ACCEPT -A OUTPUT -s 192.168.9.22/32 -d 208.67.222.222/32 -p udp -m udp --dport 53 -j ACCEPT -A OUTPUT -s 192.168.9.22/32 -d 208.67.220.220/32 -p tcp -m tcp --dport 53 -j ACCEPT -A OUTPUT -s 192.168.9.22/32 -d 208.67.220.220/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 224.0.0.0/8 -j DROP
-A OUTPUT -d 224.0.0.0/8 -j DROP
-A OUTPUT -s 255.255.255.255/32 -j DROP
-A OUTPUT -d 0.0.0.0/32 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o eth0 -j OUTBOUND
-A OUTPUT -j LOG_FILTER
-A OUTPUT -j LOG --log-prefix "Unknown Output" --log-level 6
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -j LSI
-A LSI -j LOG_FILTER
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A LSI -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p icmp -m icmp --icmp-type 8 -j DROP
-A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -j DROP
-A LSO -j LOG_FILTER
-A LSO -m limit --limit 5/sec -j LOG --log-prefix "Outbound " --log-level 6
-A LSO -j REJECT --reject-with icmp-port-unreachable
-A OUTBOUND -p icmp -j ACCEPT
-A OUTBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -j ACCEPT

------------------------------------------------------------------

I've never seen Firestarter behave like this. It seems that the rules are only applied after Firestarter gets started in the current session. I can close Firestarter completely after starting it, and the rules are still held in iptables.

However, once I reboot, I'm back to the default iptables configuration.

I just checked again, and I guess i was wrong about losing the rules by just logging out. It appears that I have to reboot to lose them.

Does this have something to do with Firestarter being started (or not started) at different run levels during startup? I briefly see something about it scrolling by, but I never get a chance to read it.

Regards,
Gilbert


Reply to: