
RE: Problem with IPTables



Ahh...hah.

I looked a few times in the 'make menuconfig' and saw that I included
everything in the kernel build.  I didn't include Connection Tracking which
I thought I only needed for NAT, but it looks like this gave me the option
that I was missing.  Thanks.


Oh, yeah I only used the default rules below so I wouldn't lock myself out
and have to run down to the server room.  It is a long walk.. heh.

> iptables -P INPUT ACCEPT 
> iptables -P FORWARD ACCEPT 
> iptables -P OUTPUT ACCEPT 



-----Original Message-----
From: Joe Ellis [mailto:joee@lithodyne.net]
Sent: Monday, December 17, 2001 12:43 PM
To: Bender, Jeff
Cc: 'debian-security@lists.debian.org'
Subject: Re: Problem with IPTables


i didn't see anything wrong with it, so i ran it:
bash# ./test.firewall
Start Rules
Allow DNS servers incoming traffic...done

i think you're missing an option in your kernel when you compiled it last.
check your kernel config.

these are the commands i ran:
iptables -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
IFACE="eth0"
IPADDR="209.150.196.220"
LO="lo"
NAMESERVER_1="209.150.200.15"
NAMESERVER_2="209.150.200.10"
NAMESERVER_3="64.65.128.6"
BROADCAST="209.150.196.255"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
echo "Start Rules"
iptables -A INPUT  -i $LO -j ACCEPT
iptables -A OUTPUT -o $LO -j ACCEPT
echo -n "Allow DNS servers incoming traffic..."
iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
echo "done"

run these and see if it works.  if not, you're going to have to re-compile
your kernel.

Bender, Jeff wrote:

> I am having troubles with IPTables.  My rules are having troubles with
> handling "-m state --state ESTABLISHED" options.  The error I get is
> "iptables: No chain/target/match by that name".  Any ideas?  Here is my
> script below.
> 
> #!/bin/bash
> # http://www.cs.princeton.edu/~jns/security/iptables/index.html
> # Prepared by James C. Stephens
> # (jns@gfdl.noaa.gov)
> #
> # These lines are here in case rules are already in place and the script is
> # ever rerun on the fly.
> # We want to remove all rules and pre-existing user defined chains and zero
> # the counters before we implement new rules.
> iptables -F
> iptables -X
> iptables -Z
> 
> # Default policies for the built-in chains.
> # The original template sets DROP here: if we modify and re-run the script
> # mid-session then (because we have a default DROP policy) there is a small
> # time period when packets are denied until the new rules are back in place,
> # but no period, however small, when packets we don't want are allowed.
> # For this test the policies are left at ACCEPT so that a broken rule set
> # cannot lock the admin out of a remote machine.
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
> 
> ## =========================================================== 
> ## Some definitions: 
> IFACE="eth0" 
> IPADDR="209.150.196.220" 
> LO="lo"
> NAMESERVER_1="209.150.200.15" 
> NAMESERVER_2="209.150.200.10" 
> NAMESERVER_3="64.65.128.6" 
> BROADCAST="209.150.196.255" 
> LOOPBACK="127.0.0.0/8" 
> CLASS_A="10.0.0.0/8" 
> CLASS_B="172.16.0.0/12" 
> CLASS_C="192.168.0.0/16" 
> CLASS_D_MULTICAST="224.0.0.0/4" 
> CLASS_E_RESERVED_NET="240.0.0.0/5" 
> P_PORTS="0:1023" 
> UP_PORTS="1024:65535" 
> TR_SRC_PORTS="32769:65535" 
> TR_DEST_PORTS="33434:33523" 
> 
> ## ============================================================ 
> # RULES 
> echo "Start Rules"
> 
> ## LOOPBACK 
> # Allow unlimited traffic on the loopback interface. 
> iptables -A INPUT  -i $LO -j ACCEPT 
> iptables -A OUTPUT -o $LO -j ACCEPT 
> 
> echo -n "Allow DNS servers incoming traffic..."
> 
> ## DNS
> # NOTE: DNS uses tcp for zone transfers, for transfers greater than 512
> # bytes (possible, but unusual), and on certain platforms like AIX (I am
> # told), so you might have to add a copy of this rule for tcp if you need it.
> # Allow UDP packets in for DNS client from nameservers.
> iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
> #iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT
> #iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_3 --sport 53 -m state --state ESTABLISHED -j ACCEPT
> # Allow UDP packets to DNS servers from client.
> #iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> #iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> #iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_3 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> 
> echo "done"
> 
> bash# ./test.firewall
> Start Rules
> Allow DNS servers incoming traffic...iptables: No chain/target/match by that name
> done
> 
> 
> 
> 
> 


-- 
Joe Ellis
http://www.lithodyne.net


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
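The diagnosis in this thread (a `-m state` rule failing with "No chain/target/match by that name" because the kernel was built without connection tracking) can be checked before the kernel is built rather than after. The script below is an added example, not code from the thread or from James C. Stephens' template: it scans a ruleset for the netfilter matches and targets it uses, maps them to the Linux 2.4 kernel options that provide them (the option names are assumed to be those of the 2.4 netfilter menu, where the state match depends on connection tracking), and lists the ones a given .config does not enable. The sample ruleset and .config it embeds are constructed to reproduce the original poster's situation.

```shell
#!/bin/sh
# Added example (not from the original thread): given an iptables ruleset and
# a kernel .config, list the 2.4 netfilter options the ruleset needs that the
# config does not enable.  "No chain/target/match by that name" is what
# iptables prints when the kernel lacks the match or target module, so this
# is the check to run before building the kernel, not after.

# Map each feature used in a ruleset to the kernel option(s) that provide it.
# Assumption: a Linux 2.4-era kernel, as in the thread.  The state match pulls
# in connection tracking, which is the dependency the original poster missed.
needed_options() {
    ruleset="$1"
    {
        grep -q -- '-m state'      "$ruleset" && printf '%s\n' CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_MATCH_STATE
        grep -q -- '-m limit'      "$ruleset" && printf '%s\n' CONFIG_IP_NF_MATCH_LIMIT
        grep -q -- '-j LOG'        "$ruleset" && printf '%s\n' CONFIG_IP_NF_TARGET_LOG
        grep -q -- '-j REJECT'     "$ruleset" && printf '%s\n' CONFIG_IP_NF_TARGET_REJECT
        grep -q -- '-t nat'        "$ruleset" && printf '%s\n' CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_NAT
        grep -q -- '-j MASQUERADE' "$ruleset" && printf '%s\n' CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE
        # Any ruleset at all needs the iptables core and the filter table.
        printf '%s\n' CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER
    } | sort -u
}

# Print every needed option that is neither built in (=y) nor a module (=m).
missing_options() {
    ruleset="$1"; config="$2"
    for opt in $(needed_options "$ruleset"); do
        grep -q "^$opt=[ym]$" "$config" || echo "$opt"
    done
}

# Constructed sample input: the DNS rule from the thread, and a .config with
# iptables and the filter table built but connection tracking left out.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/rules" <<'EOF'
iptables -A INPUT -i eth0 -p udp -s 209.150.200.15 --sport 53 -m state --state ESTABLISHED -j ACCEPT
EOF
    cat > "$tmp/config" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_CONNTRACK is not set
EOF
    missing_options "$tmp/rules" "$tmp/config"
    rm -rf "$tmp"
}

demo
```

For the poster's ruleset and config this prints CONFIG_IP_NF_CONNTRACK and CONFIG_IP_NF_MATCH_STATE, the two options that were missing. On the running machine the equivalent quick check is whether `modprobe ip_conntrack` and `modprobe ipt_state` succeed (and whether /proc/net/ip_conntrack then exists); iptables can only load those modules if they were built, so leaving them out of the kernel shows up as exactly the error quoted above.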


