[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: iptables and apt-get

Here are the logs:
 
ID=56596 PROTO=ICMP TYPE=3 CODE=1 [SRC="" DST=172.16.250.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15353 DF PROTO=TCP SPT=1031 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ]
Mar 11 01:40:08 dev1 kernel: DROPITIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC="" DST=172.16.5.92 LEN=88 TOS=0x00 PREC=0xC0 TTL=255 ID=56597 PROTO=ICMP TYPE=3 CODE=1 [SRC="" DST=172.16.250.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24795 DF PROTO=TCP SPT=1030 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ]
Mar 11 01:40:08 dev1 kernel: DROPITIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC="" DST=172.16.5.92 LEN=88 TOS=0x00 PREC=0xC0 TTL=255 ID=56598 PROTO=ICMP TYPE=3 CODE=1 [SRC="" DST=172.16.250.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15354 DF PROTO=TCP SPT=1031 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ]
It seams that there is a problem with icmp. 172.16.5.92 is the linux box and 172.16.250.1:8080 is the proxy server...
----- Original Message -----
Sent: Tuesday, March 11, 2003 1:39 AM
Subject: RE: iptables and apt-get

I'd put the default INPUT policy last.
 
here is mine
 
note some of this is experimental as per my notes in the file.
 
#!/bin/bash
#iptables firewall script
#17/06/01
#14/5/02 flushing and prerouting logs added, other rules added but not
#27/9/2002 mods for wireless laptop and 3 nics active
#8/12/2002 wi-fi working mk1
#start ip_forwarding in /etc/network/options
#elvis firewall 19/12/2002
# rules below to be tested
# Disable response to ping.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 
# network. Source routing is rarely used for legitimate purposes.
#/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
 
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter
# your routeing tables, possibly to a bad end.
#/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
 
#These 3 lines below allow flushing without a
#reBoot.
 
iptables -F
iptables -X
iptables -Z
echo "flushed rules"
 
#set constants
outer_nic="eth0"
#wifi_nic1="eth1"
#inner_nic2="eth2"
inner_nic1="eth1"
#wifiipsec="ipsec0"
#wifi_nw1="172.31.0.0/16"
echo "firewall constants setup"
#load any modules needed for connection tracking
#allow passive ftp
/sbin/modprobe ip_conntrack_ftp
echo "started connection tracking"
 
#individual port forwarding
echo "no portfw started"
 
#post routeing rules
#iptables -t nat -A POSTROUTING -s $wifi_nw1 -o $outer_nic -j MASQUERADE
#iptables -t nat -A POSTROUTING -o $outer_nic -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $wifi_nw2 -o $outer_nic -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $wifi_nw2 -d 0.0.0.0/0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $wifi_nw1 -o inner_nic2 \
#-j MASQUERADE
 
#forward rules
#iptables -A FORWARD -i $wifi_nic1 -j DROP
#iptables -A FORWARD -i $wifi_nic1 -j ACCEPT
#iptables -A FORWARD -i $wifiipsec -j ACCEPT
#iptables -A FORWARD -i $inner_nic2 -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
#echo "FORWARD rules in place"
echo "no FORWARD rules in place"
 

#INPUT rules
#specific ipsec lines
#iptables -A INPUT -p udp --dport 500 -j ACCEPT
#iptables -A INPUT -p 50 -j ACCEPT
#iptables -A INPUT -p 51 -j ACCEPT
#echo "IPSEC rules now in place"
echo "IPSEC rules not activated"
#general
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p udp --dport 21 -j ACCEPT
#smb
iptables -A INPUT -p udp --dport 137 -j ACCEPT
#iptables -A INPUT -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -p udp --dport 138 -j ACCEPT
iptables -A INPUT -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -p udp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j ACCEPT
#web
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#x11 drop
iptables -A INPUT  -p udp --dport 6000:6009 -j DROP
iptables -A INPUT  -p tcp --dport 6000:6009 -j DROP
#specific worm / problem blocking
iptables -A INPUT  -p tcp --dport 23 -j DROP
iptables -A INPUT  -p tcp --dport 25 -j DROP
iptables -A INPUT  -p tcp --dport 53 -j DROP
iptables -A INPUT  -p udp --dport 53 -j DROP
iptables -A INPUT  -p tcp --dport 135 -j DROP
iptables -A INPUT  -p tcp --dport 445 -j DROP
iptables -A INPUT  -p tcp --dport 1080 -j DROP
iptables -A INPUT  -p tcp --dport 1214 -j DROP
iptables -A INPUT  -p tcp --dport 1433 -j DROP
iptables -A INPUT  -p tcp --dport 1434 -j DROP
iptables -A INPUT  -p tcp --dport 1080 -j DROP
 
#iptables -A INPUT -s $wifi_nw1 -p tcp --syn --dport 22 -j ACCEPT
#iptables -A INPUT -i $wifi_nic1 -p TCP --destination-port 22 -j ACCEPT
#iptables -A INPUT -s $inner_fw -p tcp --syn --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! $outer_nic -j ACCEPT
#iptables -A INPUT -i $wifiipsec -j ACCEPT
 
#allow ping replies (may not be desired)
#iptables -A INPUT -p icmp -s 0/0 --icmp-type echo-request -j ACCEPT
#me playing below with icmp
iptables -A INPUT -p icmp -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 4 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
#to be tested
#iptables -A INPUT -i $IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS:
#"
#iptables -A INPUT -i $outer_nic -f -j DROP
 
iptables -P INPUT DROP
echo "INPUT rules now in place"
 
#output tables are default
#echo "output rules now in place"
#limit logging levels to save clutter and /var from being swamped
iptables -A FORWARD -m limit -j LOG
echo "log limiting in place"
 
#specific defence rules eg DoS attacks
#syn-flood protection
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#furtive port scanner
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit \
--limit 1/s -j ACCEPT
#ping of death
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit \
--limit 1/s -j ACCEPT
echo "DoS defences setup"
 
exit
regards
Thing

-----Original Message-----
From: Ian Goodall [mailto:ijg@iangoodall.co.uk]
Sent: Tuesday, 11 March 2003 2:21
To: Jones, Steven; debian-security@lists.debian.org
Subject: Re: iptables and apt-get
Here is my rule set:
 
 
#default input policy
/sbin/iptables -P INPUT DROP
#allow www/https(ssl)
/sbin/iptables -A INPUT -s 0/0 -d 172.16.5.92 -p tcp --dport https -j ACCEPT
#allow ssh
/sbin/iptables -A INPUT -s 0/0 -d 172.16.5.92 -p tcp --dport ssh -j ACCEPT
#allow smtp
/sbin/iptables -A INPUT -s 0/0 -d 172.16.5.92 -p tcp --dport smtp -j ACCEPT
 
#create a new rule for drop # log
#/sbin/iptables -N drop-and-log-it
#log it
#/sbin/iptables -A drop-and-log-it -j LOG --log-level info --log-prefix 'DROPIT'
#drop it
#/sbin/iptables -A drop-and-log-it -j DROP
 
#now call the rule to drop and log
 
/sbin/iptables -A INPUT -j drop-and-log-it
 
 
-----------
Thanks
 
ijg0
----- Original Message -----
Sent: Tuesday, March 11, 2003 1:11 AM
Subject: RE: iptables and apt-get

shouldnt do
 
unless you changed the output rules?
 
please provide your ruleset
 
Thing
-----Original Message-----
From: Ian Goodall [mailto:ijg@iangoodall.co.uk]
Sent: Tuesday, 11 March 2003 2:06
To: debian-security@lists.debian.org
Subject: iptables and apt-get

Hi Guys,
 
I am setting up iptables on my debain woody box. I have decided to close everyting and then open up just ssh and ssl. This obviously prevents my apt-get update from working. What ports do I need to open for this to work. If it helps I am going through a proxy to get to the internet.
 
Thanks
 
ijg0 
Reply to: