* Trying to restore to default script
From: Bill L @ 2006-02-07 23:57 UTC
  To: netfilter

Hello all!

First email list post!
Xtreme Linux newbie

I have been trying to get iptables/squid/Dansguardian
to work together but I am quite good at screwing
things up. Machine is an FC4 box

My iptables won't start, I tried to install 1.3.5
(currently running 1.3.0) but screwed that up. I
managed to go back to 1.3.0. Here is some output:
[root@Leavenworth ~]# service iptables start
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules: iptables-restore: line 24 failed
                                                           [FAILED]

This is the output of: cat /etc/sysconfig/iptables:
# Generated by iptables-save v1.3.0 on Fri Jan 27 06:22:49 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -j RH-Firewall-1-INPUT
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jan 27 06:22:49 2006
# Generated by webmin
#*
# Forward HTTP connections to Squid proxy
-A PREROUTING -p tcp -m tcp -s 8080 --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed


If I do an iptables-save > firewall-config this is what the file ends up with:
# Generated by iptables-save v1.3.0 on Tue Feb  7 18:15:27 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [48:2884]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -j RH-Firewall-1-INPUT
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Feb  7 18:15:27 2006

I'd like to get rid of this and start all over again:
# Completed on Fri Jan 27 06:22:49 2006
# Generated by webmin
#*
# Forward HTTP connections to Squid proxy
-A PREROUTING -p tcp -m tcp -s 8080 --dport 80 -j REDIRECT --to-ports 3128
COMMIT

because I think it is messing me up! Is there a way of
"deleting" the script and iptables making me a nice
new one without any errors?

Thank you so much for your time


* Re: Trying to restore to default script
From: ludi @ 2006-02-08  6:10 UTC
  To: netfilter

iptables script.
Is it right? ;)


* Re: Trying to restore to default script
From: ludi @ 2006-02-09  7:07 UTC
  To: netfilter

#!/bin/sh
# Address of this host on eth0 (left blank in the original post; fill it in)
HOME_ADDR=

# Flush the existing rules in the built-in filter chains
iptables -F OUTPUT
iptables -F INPUT
iptables -F FORWARD


#INPUT CHAIN :ACCESS SSH ,DROP ALL
iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --sport 53 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 80 -j ACCEPT
# Rate-limited ICMP (the original line was wrapped by the mailer; continued with "\")
iptables -A INPUT -p icmp -i eth0 -s 0/0 -d $HOME_ADDR -m limit \
  --limit 6/m --limit-burst 6 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 127.0.0.1/32 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP


# OUTPUT CHAIN: allow loopback and packets sourced from this host, drop the rest
iptables -A OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o eth0 -s $HOME_ADDR -j ACCEPT
iptables -P OUTPUT DROP


I use the script file to execute iptables. And, I don't know if it is what you want. :(


* Re: Trying to restore to default script
From: Rob Sterenborg @ 2006-02-09  8:58 UTC
  To: netfilter

On Thu, February 9, 2006 08:07, ludi wrote:
> #!/bin/sh
> HOME_ADDR=
>
> iptables -F OUTPUT
> iptables -F INPUT
> iptables -F FORWARD
>
>
> #INPUT CHAIN :ACCESS SSH ,DROP ALL
> iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --dport 53 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 22 -j ACCEPT
> iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --sport 53 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 80 -j ACCEPT
> iptables -A INPUT -p icmp -i eth0 -s 0/0 -d $HOME_ADDR -m limit --limit 6/m --limit-burst 6 -j ACCEPT
> iptables -A INPUT -i lo -s 0/0 -d 127.0.0.1/32 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -P INPUT DROP

I would move these last 3 lines to the top of the script:
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 127.0.0.1/32 -j ACCEPT

You want to DROP everything before your rules have been set up.
Also, most packets are likely to match the "ESTABLISHED,RELATED" rule, so you want
that to be one of the first rules to match to speed things up.
Interface lo also receives a lot of traffic (well, here it does) and that's
why I'd move that one too.
You may want to add "-m state --state NEW" to the other rules.

> iptables -A OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -o eth0 -s $HOME_ADDR -j ACCEPT
> iptables -P OUTPUT DROP

Same here: move the policy rule to the top and add:
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


Gr,
Rob


* Re: Trying to restore to default script
From: ludi @ 2006-02-09  9:59 UTC
  To: netfilter

Thx for your advice~~~~


* Re: Trying to restore to default script
From: /dev/rob0 @ 2006-02-09 12:38 UTC
  To: netfilter

On Tuesday 2006-February-07 17:57, Bill L wrote:
> First email list post!

Wow!

> Xtreme Linux newbie

I hope it works out well for you.

> I have been trying to get iptables/squid/Dansguardian
> to work together but I am quite good at screwing
> things up. Machine is an FC4 box
>
> My iptables won't start, I tried to install 1.3.5
> (currently running 1.3.0) but screwed that up. I

Wrong solution.

> managed to go back to 1.3.0. Here is some output:
> [root@Leavenworth ~]# service iptables start
> Flushing firewall rules:                                   [  OK  ]
> Setting chains to policy ACCEPT: filter                    [  OK  ]
> Unloading iptables modules:                                [  OK  ]
> Applying iptables firewall rules: iptables-restore: line 24 failed

This tells you to look at line 24 in your rules file.

> This is the output of: cat /etc/sysconfig/iptables:
snip
> *filter
snip
> :RH-Firewall-1-INPUT - [0:0]

This, BTW, is not a very good ruleset. If you want to learn iptables, 
it's probably not that difficult if 1. you understand some basics of 
TCP/IP, and 2. you start with a good HOWTO. I like Rusty's Packet 
Filtering Guide at netfilter.org. You can write a very strong yet 
simple ruleset by following those instructions. He even has a "really 
quick" example.

If you're not ready (or are never ready) to do that, fret not, many 
adequate ready-made scripts and rulesets are available. But in any 
case, I would toss that Fedora default firewall.

> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT

I don't know what this is.

> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

You definitely do not want CUPS open to the outside world. And I  
thought CUPS was TCP anyway ...

> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

I put this rule much higher, first or second.

> # Generated by webmin

Apparently you have found a bug in Webmin.

> # Forward HTTP connections to Squid proxy
> -A PREROUTING -p tcp -m tcp -s 8080 --dport 80 -j REDIRECT --to-ports 3128
> COMMIT

This cannot work because there is no "nat" table section here. Just run 
this command at a root shell[1]:

iptables -vt nat -A PREROUTING -p tcp -s 8080 --dport 80 \
  -j REDIRECT --to-ports 3128

But, I have done these transparent HTTP proxy servers before, and that 
does not look right. Please see the example in the squid documentation. 
Change that to use the Dansguardian port, likely 8080. You want to 
redirect outgoing HTTP traffic to Dansguardian, right?

iptables -vt nat -I PREROUTING -p tcp -i $LAN_IF --dport 80 \
  -j REDIRECT --to-ports 8080

> If I do an iptables-save > firewall-config this is
> what the file ends up with:

Yes, basically the same thing.

> because I think it is messing me up! Is there a way of
> "deleting" the script and iptables making me a nice
> new one without any errors?

Run the REDIRECT command; "iptables-save > /etc/sysconfig/iptables" 
saves it for posterity (or at least the next successful reboot.)



[1] If you really want to be successful with Linux, you will want to
    become acquainted and proficient with /bin/bash.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

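The failure /dev/rob0 diagnoses above (a PREROUTING rule sitting after the filter table's COMMIT, with no "*nat" section to hold it) is something iptables-restore only reports as "line N failed". The checker below is an added example, not code from this thread or from the netfilter project: it walks an iptables-save file, tracks which table is open and which chains it has, and names the offending line before the file is ever loaded. The sample input is constructed to mirror the shape of Bill's /etc/sysconfig/iptables; only the filter and nat tables used in the thread are modelled.

```python
import re

# Built-in chains per table (filter and nat, the two the thread uses); ":NAME - [..]" lines add user chains
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
}

def lint_iptables_save(text):
    # Returns [(line_no, message)] for lines iptables-restore would reject
    problems, table, chains = [], None, set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blanks and comments are ignored
        if line.startswith("*"):                      # "*filter" opens a table section
            if table is not None:
                problems.append((no, f"table '{table}' has no COMMIT"))
            table = line[1:]
            chains = set(BUILTIN_CHAINS.get(table, ()))
        elif line.startswith(":"):                    # ":CHAIN POLICY [pkts:bytes]"
            chains.add(line[1:].split()[0])
        elif line == "COMMIT":                        # closes the current table
            if table is None:
                problems.append((no, "COMMIT outside any table"))
            table, chains = None, set()
        elif table is None:                           # the thread's bug: rule after COMMIT, no *nat
            problems.append((no, "rule outside any table section (missing '*nat'?)"))
        else:
            m = re.match(r"-[AI]\s+(\S+)", line)      # -A CHAIN ... / -I CHAIN ...
            if m and m.group(1) not in chains:
                problems.append((no, f"chain '{m.group(1)}' is not in table '{table}'"))
    if table is not None:
        problems.append((no, f"table '{table}' has no COMMIT"))
    return problems

# Constructed sample with the same shape as the thread's /etc/sysconfig/iptables
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Forward HTTP connections to Squid proxy
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
"""
# The same file with the missing nat table header placed in front of the REDIRECT rule
FIXED = SAMPLE.replace("# Forward HTTP", "*nat\n:PREROUTING ACCEPT [0:0]\n# Forward HTTP")
```

Running lint_iptables_save(SAMPLE) reports the REDIRECT rule and the stray COMMIT that follows it, while FIXED passes cleanly.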
