* Server can't send :-/
From: yomega.info - Stephan Kessler @ 2003-09-03 7:40 UTC
To: netfilter
Hi List,
I have this configuration of my firewall:
http://warpy.yomeganet.biz/fw.txt
It seemed to be fine, everything worked, but then I tried to initiate
outbound traffic from my server via SSH. The result: I can't establish
any connection from my server to another one, except DNS (via UDP?). What
did I do wrong?
Thank you in advance!
Stephan
* Server can't send :-/
From: Stephan Kessler @ 2003-09-03 7:41 UTC
To: netfilter
(Sorry for the double mail, I just got mixed up with my mail addresses.)
Hi List,
I have this configuration of my firewall:
http://warpy.yomeganet.biz/fw.txt
It seemed to be fine, everything worked, but then I tried to initiate
outbound traffic from my server via SSH. The result: I can't establish
any connection from my server to another one, except DNS (via UDP?). What
did I do wrong?
Thank you in advance!
Stephan
* Re: Server can't send :-/
From: Ralf Spenneberg @ 2003-09-03 13:43 UTC
To: Stephan Kessler; Cc: Netfilter
On Wed, 2003-09-03 at 09:41, Stephan Kessler wrote:
> Hi List,
>
> I have this configuration of my firewall:
> http://warpy.yomeganet.biz/fw.txt
>
> It seemed to be fine, everything worked, but then I tried to initiate
> outbound traffic from my server via SSH. The result: I can't establish
> any connection from my server to another one, except DNS (via UDP?). What
> did I do wrong?
I suspect your machine is warpy.yomeganet.biz. The last INPUT rule drops
all incoming TCP traffic. You are just accepting traffic going to
22, 80, 21, 20, etc.
Since I do not actually understand your ruleset, you just might want to
insert the following rule before this DROP rule:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
* RE: Server can't send :-/
From: Stephan Kessler @ 2003-09-03 14:09 UTC
To: 'Ralf Spenneberg'; Cc: 'Netfilter'
> I suspect your machine is warpy.yomeganet.biz. The last INPUT
> rule drops all incoming TCP traffic. You are just accepting
> traffic going to 22, 80, 21, 20, etc. Since I do not actually
> understand your ruleset, you just might want to insert the
> following rule before this DROP rule:
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
Thanks, that's it!
Greetings,
Stephan
* Re: Server can't send :-/
From: Cedric Blancher @ 2003-09-04 11:52 UTC
To: yomega.info - Stephan Kessler; Cc: netfilter
On Wed 03/09/2003 at 09:40, yomega.info - Stephan Kessler wrote:
> I have this configuration of my firewall:
> http://warpy.yomeganet.biz/fw.txt
> It seemed to be fine, everything worked, but then I tried to initiate
> outbound traffic from my server via SSH. The result: I can't establish
> any connection from my server to another one, except DNS (via UDP?). What
> did I do wrong?
Returning packets will get dropped by the last rule, for they are not
destined to any of the accepted ports. You have to add a rule to accept them
explicitly, such as one using the ESTABLISHED and RELATED states.
By the way, I don't understand why your chain policies are all set to
ACCEPT... In particular, the OUTPUT rules are useless, for they only ACCEPT
in an ACCEPT-policy chain! Moreover, in the INPUT chain, you implicitly
allow any layer 4 protocol that is not TCP or ICMP (remember that trojan
caught by the Honeynet Project that used IP protocol 11 for
communications...).
What I would do is:
1. set all chain policies to DROP:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
2. get rid of the 2 last DROP rules (DROP is handled by the policy) and
optionally add a specific rule for each protocol you really
need to allow (UDP, GRE, ESP, etc.).
3. insert an ESTABLISHED,RELATED state ACCEPT at the top of the
INPUT chain:
iptables -I INPUT -m state --state ESTABLISHED,RELATED \
-j ACCEPT
4. invert the OUTPUT rules order for optimization (far more valid
packets are likely to match the second rule than the first one):
iptables -D OUTPUT 2
iptables -I OUTPUT -m state --state \
ESTABLISHED,RELATED -j ACCEPT
5. add a NEW state match to all ACCEPT rules for services.
My 0.02¤
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
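The ruleset that Ralf's and Cedric's replies describe, written out as an added example that is not part of the thread and is not the poster's fw.txt (which is not reproduced here): default-deny policies, the ESTABLISHED,RELATED accept at the top of INPUT and OUTPUT, NEW-state matches on the service rules, and no catch-all for other layer-4 protocols. The interface name eth0, the port list and the outbound services the server may start are assumptions. With DRY_RUN=1 (the default) it prints the rules instead of loading them, and check_order verifies on that output, or on the "-A INPUT" lines of any iptables-save dump, that the state rule precedes the first port-specific ACCEPT in INPUT, which is exactly what was missing in the configuration under discussion.

```shell
#!/bin/sh
# Added example, not from the thread and not the poster's fw.txt: the
# ruleset Ralf's and Cedric's replies describe.  DRY_RUN=1 (default)
# prints every rule instead of executing it; DRY_RUN=0 as root loads it.
# WAN, TCP_SERVICES and the outbound service list are assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"
WAN="${WAN:-eth0}"                       # assumed external interface
TCP_SERVICES="${TCP_SERVICES:-22 80 21}" # ports the thread mentions; 20 (active
                                         # FTP data) is RELATED once ip_conntrack_ftp
                                         # is loaded, so it needs no rule of its own

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -F FORWARD

    # loopback first: local resolvers, syslog etc. depend on it
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # steps 3/4: the conntrack shortcut goes at the top of both chains, so the
    # return packets of an outbound SSH session (and every other reply) are
    # accepted before any service rule is scanned
    ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # steps 1/2: default deny replaces the trailing DROP rules.  Policies are
    # switched only now, after the state rule exists, so an SSH session that
    # is running this script is not cut off in between.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # packets conntrack cannot place in any flow
    ipt -A INPUT -m state --state INVALID -j DROP

    # step 5: services accept NEW connections only, and only on listed ports
    for p in $TCP_SERVICES; do
        ipt -A INPUT -i "$WAN" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # what the server itself may initiate (assumed: DNS, SSH, HTTP)
    ipt -A OUTPUT -o "$WAN" -p udp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # No catch-all for other layer-4 protocols: GRE, ESP etc. get explicit
    # rules here if they are really needed (step 2).
}

# check_order reads iptables-style rule text on stdin and succeeds only if an
# ESTABLISHED,RELATED ACCEPT in INPUT precedes the first port-specific ACCEPT
# there, i.e. the ordering the replies ask for.  Works on build_ruleset's
# dry-run output and on the "-A INPUT ..." lines of iptables-save.
check_order() {
    awk '
        /-A INPUT/ && /ESTABLISHED,RELATED/ && /-j ACCEPT/ { est = NR }
        /-A INPUT/ && /--dport/ && /-j ACCEPT/ && !svc      { svc = NR }
        END { exit !(est && (!svc || est < svc)) }
    '
}
```

Review the output with `DRY_RUN=1 sh fw.sh | less` before loading it with `DRY_RUN=0`; feeding `iptables-save` output into check_order gives a one-line test for an existing box, and a ruleset that has the service accepts or a DROP ahead of the state rule fails it.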
* Re: Server can't send :-/
From: Alistair Tonner @ 2003-09-06 23:38 UTC
To: Stephan Kessler, 'Ralf Spenneberg'; Cc: 'Netfilter'
In reality, just to conserve rule scans and sanity, you want the
RELATED,ESTABLISHED rules to be at the TOP of the list... once the conntrack
entry has been accepted you don't want it to fall through a list of rules.
On September 3, 2003 10:09 am, Stephan Kessler wrote:
> > I suspect your machine is warpy.yomeganet.biz. The last INPUT
> > rule drops all incoming TCP traffic. You are just accepting
> > traffic going to 22, 80, 21, 20, etc. Since I do not actually
> > understand your ruleset, you just might want to insert the
> > following rule before this DROP rule:
> > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Thanks, that's it!
>
> Greetings,
> Stephan
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!