Linux Netfilter discussions
* myfirewall help
@ 2005-01-27 10:13 varun_saa
  2005-01-27 14:19 ` Jason Opperisano
  2005-01-27 14:57 ` Jeffrey Laramie
  0 siblings, 2 replies; 9+ messages in thread
From: varun_saa @ 2005-01-27 10:13 UTC (permalink / raw)
  To: netfilter

Hello,
      My server is Mandrake 10.1
eth0 is WAN with static IP connected to 512k DSL
eth1 is LAN

I am trying to write iptables rules and I am
stuck with an error.

My iptables file is as follows:

# Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Oct 21 05:32:36 2004
# Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
*mangle
:PREROUTING ACCEPT [32056:3889577]
:INPUT ACCEPT [32010:3885659]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [31637:4617585]
:POSTROUTING ACCEPT [31639:4618071]
COMMIT
# Completed on Thu Oct 21 05:32:36 2004
# Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
COMMIT
# Completed on Thu Oct 21 05:32:36 2004

When I try to save, I get the following error:

iptables-restore v1.2.9: Can't use -o with INPUT

Error occurred at line: 25
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Can anybody guide me?

Thanks in advance

Varun




* Re: myfirewall help
  2005-01-27 10:13 myfirewall help varun_saa
@ 2005-01-27 14:19 ` Jason Opperisano
  2005-01-27 14:36   ` Eric Ellis
  2005-01-27 14:57 ` Jeffrey Laramie
  1 sibling, 1 reply; 9+ messages in thread
From: Jason Opperisano @ 2005-01-27 14:19 UTC (permalink / raw)
  To: netfilter

On Thu, 2005-01-27 at 05:13, varun_saa@vsnl.net wrote:
> Hello,
>       My server is Mandrake 10.1
> eth0 is WAN with static IP connected to 512k DSL
> eth1 is LAN
> 
> I am trying to write iptables rules and I am 
> stuck with some error.
> 
> My iptable file is as follows :
> 
> # Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> *nat
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Thu Oct 21 05:32:36 2004
> # Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> *mangle
> :PREROUTING ACCEPT [32056:3889577]
> :INPUT ACCEPT [32010:3885659]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [31637:4617585]
> :POSTROUTING ACCEPT [31639:4618071]
> COMMIT
> # Completed on Thu Oct 21 05:32:36 2004
> # Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> *filter
> :FORWARD ACCEPT [0:0]
> :INPUT DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -j ACCEPT
> -A INPUT -s 127.0.0.1 -j ACCEPT
> -A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
> -A INPUT -p udp -m udp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
> COMMIT
> # Completed on Thu Oct 21 05:32:36 2004
> 
> When I am trying to save I get the following error :
> 
> iptables-restore v1.2.9: Can't use -o with INPUT
> 
> Error occurred at line: 25
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> 
> Can anybody guide me ?

yeah--you can't use "-o" with INPUT.

if you are under the impression that the traffic you're trying to filter
has both an inbound and outbound interface and that the packet is
FORWARD-ed from one to the other--you should be adding that rule to the
FORWARD chain, not the INPUT chain.

btw--what traffic do you believe has a source port of 80 and a
destination port of 3128?

-j

--
"Oh, people can come up with statistics to prove anything, Kent. 14%
 of people know that."
	--The Simpsons




* Re: myfirewall help
  2005-01-27 14:19 ` Jason Opperisano
@ 2005-01-27 14:36   ` Eric Ellis
  2005-01-27 14:44     ` Jason Opperisano
  2005-01-27 18:29     ` R. DuFresne
  0 siblings, 2 replies; 9+ messages in thread
From: Eric Ellis @ 2005-01-27 14:36 UTC (permalink / raw)
  Cc: netfilter

Jason Opperisano wrote:
> On Thu, 2005-01-27 at 05:13, varun_saa@vsnl.net wrote:
> 
>>Hello,
>>      My server is Mandrake 10.1
>>eth0 is WAN with static IP connected to 512k DSL
>>eth1 is LAN
>>
>>I am trying to write iptables rules and I am 
>>stuck with some error.
>>
>>My iptable file is as follows :
>>
>># Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
>>*nat
>>:OUTPUT ACCEPT [0:0]
>>:PREROUTING ACCEPT [0:0]
>>:POSTROUTING ACCEPT [0:0]
>>-A POSTROUTING -o eth0 -j MASQUERADE
>>COMMIT
>># Completed on Thu Oct 21 05:32:36 2004
>># Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
>>*mangle
>>:PREROUTING ACCEPT [32056:3889577]
>>:INPUT ACCEPT [32010:3885659]
>>:FORWARD ACCEPT [0:0]
>>:OUTPUT ACCEPT [31637:4617585]
>>:POSTROUTING ACCEPT [31639:4618071]
>>COMMIT
>># Completed on Thu Oct 21 05:32:36 2004
>># Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
>>*filter
>>:FORWARD ACCEPT [0:0]
>>:INPUT DROP [0:0]
>>:OUTPUT ACCEPT [0:0]
>>-A INPUT -j ACCEPT
>>-A INPUT -s 127.0.0.1 -j ACCEPT
>>-A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
>>-A INPUT -p udp -m udp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
>>COMMIT
>># Completed on Thu Oct 21 05:32:36 2004
>>
>>When I am trying to save I get the following error :
>>
>>iptables-restore v1.2.9: Can't use -o with INPUT
>>
>>Error occurred at line: 25
>>Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>>
>>Can anybody guide me ?
> 
> 
> yeah--you can't use "-o" with INPUT.
> 
> if you are under the impression that the traffic you're trying to filter
> has both an inbound and outbound interface and that the packet is
> FORWARD-ed from one to the other--you should be adding that rule to the
> FORWARD chain, not the INPUT chain.
> 
> btw--what traffic do you believe has a source port of 80 and a
> destination port of 3128?
> 
> -j
> 
> --
> "Oh, people can come up with statistics to prove anything, Kent. 14%
>  of people know that."
> 	--The Simpsons
Jason:

He has a squid proxy on the other side. :)  3128 is the default for squid.



* Re: myfirewall help
  2005-01-27 14:36   ` Eric Ellis
@ 2005-01-27 14:44     ` Jason Opperisano
  2005-01-27 18:29     ` R. DuFresne
  1 sibling, 0 replies; 9+ messages in thread
From: Jason Opperisano @ 2005-01-27 14:44 UTC (permalink / raw)
  To: netfilter

On Thu, 2005-01-27 at 09:36, Eric Ellis wrote:
> Jason:
> 
> He has a squid proxy on the other side. :)  3128 is the default for squid.

really?  wow--i didn't know that.

web servers listen on tcp port 80 by default.
squid listens on tcp port 3128 by default.
none of this is new to anyone (hopefully).

now i ask again--explain to me what communication pattern results in a
TCP packet with a source port of 80 and a destination port of 3128.

i would prefer that you provide tcpdump output as part of the reply as
well.

-j

ps--i understand that it's inevitable that eventually a client machine
will use a source port of 3128 when connecting to a web server, and the
reply packets from the web server to the client will actually match this
pattern:  sport=80 dport=3128.  if this is the case that the OP was
trying to account for--then i retract all my posts in this thread.

--
"I've added an extra ingredient just for you.  The merciless peppers
 of Quetzlzacatenango!  Grown deep in the jungle primeval by the
 inmates of a Guatemalan insane asylum."
	--The Simpsons




* Re: myfirewall help
  2005-01-27 10:13 myfirewall help varun_saa
  2005-01-27 14:19 ` Jason Opperisano
@ 2005-01-27 14:57 ` Jeffrey Laramie
  1 sibling, 0 replies; 9+ messages in thread
From: Jeffrey Laramie @ 2005-01-27 14:57 UTC (permalink / raw)
  To: netfilter

On Thursday 27 January 2005 05:13, varun_saa@vsnl.net wrote:
> Hello,
>       My server is Mandrake 10.1
> eth0 is WAN with static IP connected to 512k DSL
> eth1 is LAN
>
> I am trying to write iptables rules and I am
> stuck with some error.
>
> My iptable file is as follows :
>
> # Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> *nat
>
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
>
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Thu Oct 21 05:32:36 2004
> # Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> *mangle
>
> :PREROUTING ACCEPT [32056:3889577]
> :INPUT ACCEPT [32010:3885659]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [31637:4617585]
> :POSTROUTING ACCEPT [31639:4618071]
>
> COMMIT
> # Completed on Thu Oct 21 05:32:36 2004
> # Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> *filter
>
> :FORWARD ACCEPT [0:0]
> :INPUT DROP [0:0]
> :OUTPUT ACCEPT [0:0]
>
> -A INPUT -j ACCEPT
> -A INPUT -s 127.0.0.1 -j ACCEPT
> -A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
> -A INPUT -p udp -m udp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
> COMMIT
> # Completed on Thu Oct 21 05:32:36 2004
>
> When I am trying to save I get the following error :
>
> iptables-restore v1.2.9: Can't use -o with INPUT

The error message gives you the answer. You can't use the -o parameter on the 
INPUT chain since by definition the destination is always the local host. 
Remove "-o eth0" from your rules.

Jeff



* Re: myfirewall help
  2005-01-27 14:36   ` Eric Ellis
  2005-01-27 14:44     ` Jason Opperisano
@ 2005-01-27 18:29     ` R. DuFresne
  1 sibling, 0 replies; 9+ messages in thread
From: R. DuFresne @ 2005-01-27 18:29 UTC (permalink / raw)
  To: Eric Ellis; +Cc: netfilter


All I saw in the rules and policies were ACCEPTs, so what was really
being blocked?  Seemed to be a new router layer being added rather than
anything resembling a firewall.  I must have missed something, eh?

Thanks,

Ron DuFresne

On Thu, 27 Jan 2005, Eric Ellis wrote:

> Jason Opperisano wrote:
> > On Thu, 2005-01-27 at 05:13, varun_saa@vsnl.net wrote:
> > 
> >>Hello,
> >>      My server is Mandrake 10.1
> >>eth0 is WAN with static IP connected to 512k DSL
> >>eth1 is LAN
> >>
> >>I am trying to write iptables rules and I am 
> >>stuck with some error.
> >>
> >>My iptable file is as follows :
> >>
> >># Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> >>*nat
> >>:OUTPUT ACCEPT [0:0]
> >>:PREROUTING ACCEPT [0:0]
> >>:POSTROUTING ACCEPT [0:0]
> >>-A POSTROUTING -o eth0 -j MASQUERADE
> >>COMMIT
> >># Completed on Thu Oct 21 05:32:36 2004
> >># Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> >>*mangle
> >>:PREROUTING ACCEPT [32056:3889577]
> >>:INPUT ACCEPT [32010:3885659]
> >>:FORWARD ACCEPT [0:0]
> >>:OUTPUT ACCEPT [31637:4617585]
> >>:POSTROUTING ACCEPT [31639:4618071]
> >>COMMIT
> >># Completed on Thu Oct 21 05:32:36 2004
> >># Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> >>*filter
> >>:FORWARD ACCEPT [0:0]
> >>:INPUT DROP [0:0]
> >>:OUTPUT ACCEPT [0:0]
> >>-A INPUT -j ACCEPT
> >>-A INPUT -s 127.0.0.1 -j ACCEPT
> >>-A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
> >>-A INPUT -p udp -m udp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
> >>COMMIT
> >># Completed on Thu Oct 21 05:32:36 2004
> >>
> >>When I am trying to save I get the following error :
> >>
> >>iptables-restore v1.2.9: Can't use -o with INPUT
> >>
> >>Error occurred at line: 25
> >>Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> >>
> >>Can anybody guide me ?
> > 
> > 
> > yeah--you can't use "-o" with INPUT.
> > 
> > if you are under the impression that the traffic you're trying to filter
> > has both an inbound and outbound interface and that the packet is
> > FORWARD-ed from one to the other--you should be adding that rule to the
> > FORWARD chain, not the INPUT chain.
> > 
> > btw--what traffic do you believe has a source port of 80 and a
> > destination port of 3128?
> > 
> > -j
> > 
> > --
> > "Oh, people can come up with statistics to prove anything, Kent. 14%
> >  of people know that."
> > 	--The Simpsons
> Jason:
> 
> He has a squid proxy on the other side. :)  3128 is the default for squid.
> 

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as its accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                        -Tom Robins <Still Life With Woodpecker>




* Re: myfirewall help
@ 2005-01-29  2:50 varun_saa
  0 siblings, 0 replies; 9+ messages in thread
From: varun_saa @ 2005-01-29  2:50 UTC (permalink / raw)
  To: netfilter



----- Original Message -----
From: Jason Opperisano <opie@817west.com>
Date: Thursday, January 27, 2005 7:49 pm
Subject: Re: myfirewall help

> On Thu, 2005-01-27 at 05:13, varun_saa@vsnl.net wrote:
> > Hello,
> >       My server is Mandrake 10.1
> > eth0 is WAN with static IP connected to 512k DSL
> > eth1 is LAN
> > 
> > I am trying to write iptables rules and I am 
> > stuck with some error.
> > 
> > My iptable file is as follows :
> > 
> > # Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> > *nat
> > :OUTPUT ACCEPT [0:0]
> > :PREROUTING ACCEPT [0:0]
> > :POSTROUTING ACCEPT [0:0]
> > -A POSTROUTING -o eth0 -j MASQUERADE
> > COMMIT
> > # Completed on Thu Oct 21 05:32:36 2004
> > # Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> > *mangle
> > :PREROUTING ACCEPT [32056:3889577]
> > :INPUT ACCEPT [32010:3885659]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [31637:4617585]
> > :POSTROUTING ACCEPT [31639:4618071]
> > COMMIT
> > # Completed on Thu Oct 21 05:32:36 2004
> > # Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> > *filter
> > :FORWARD ACCEPT [0:0]
> > :INPUT DROP [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A INPUT -j ACCEPT
> > -A INPUT -s 127.0.0.1 -j ACCEPT
> > -A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
> > -A INPUT -p udp -m udp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
> > COMMIT
> > # Completed on Thu Oct 21 05:32:36 2004
> > 
> > When I am trying to save I get the following error :
> > 
> > iptables-restore v1.2.9: Can't use -o with INPUT
> > 
> > Error occurred at line: 25
> > Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> > 
> > Can anybody guide me ?
> 
> yeah--you can't use "-o" with INPUT.
> 
> if you are under the impression that the traffic you're trying to filter
> has both an inbound and outbound interface and that the packet is
> FORWARD-ed from one to the other--you should be adding that rule to the
> FORWARD chain, not the INPUT chain.
> 
> btw--what traffic do you believe has a source port of 80 and a
> destination port of 3128?
> 
> -j
> 
> --
First I have very little experience with iptables.

Basically I want clients to be able to :

1. send and receive mail

2. access the net

3. use MSN or Yahoo


I am using webmin -> networking -> linux firewall
to set the rules.

Now coming to my rule:

-A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT

What I want is that the firewall allow http traffic with
sport 80 and dport 3128 coming in from eth1.

Same for udp.

So what do you think ?

Tell me if you think I should be doing it differently.

Thanks

Varun








* Re: myfirewall help
@ 2005-01-29 10:33 varun_saa
  2005-01-29 14:29 ` Jeffrey Laramie
  0 siblings, 1 reply; 9+ messages in thread
From: varun_saa @ 2005-01-29 10:33 UTC (permalink / raw)
  To: Jeffrey Laramie; +Cc: netfilter



----- Original Message -----
From: Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com>
Date: Thursday, January 27, 2005 8:27 pm
Subject: Re: myfirewall help

> On Thursday 27 January 2005 05:13, varun_saa@vsnl.net wrote:
> > Hello,
> >       My server is Mandrake 10.1
> > eth0 is WAN with static IP connected to 512k DSL
> > eth1 is LAN
> >
> > I am trying to write iptables rules and I am
> > stuck with some error.
> >
> > My iptable file is as follows :
> >
> > # Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> > *nat
> >
> > :OUTPUT ACCEPT [0:0]
> > :PREROUTING ACCEPT [0:0]
> > :POSTROUTING ACCEPT [0:0]
> >
> > -A POSTROUTING -o eth0 -j MASQUERADE
> > COMMIT
> > # Completed on Thu Oct 21 05:32:36 2004
> > # Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> > *mangle
> >
> > :PREROUTING ACCEPT [32056:3889577]
> > :INPUT ACCEPT [32010:3885659]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [31637:4617585]
> > :POSTROUTING ACCEPT [31639:4618071]
> >
> > COMMIT
> > # Completed on Thu Oct 21 05:32:36 2004
> > # Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> > *filter
> >
> > :FORWARD ACCEPT [0:0]
> > :INPUT DROP [0:0]
> > :OUTPUT ACCEPT [0:0]
> >
> > -A INPUT -j ACCEPT
> > -A INPUT -s 127.0.0.1 -j ACCEPT
> > -A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
> > -A INPUT -p udp -m udp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
> > COMMIT
> > # Completed on Thu Oct 21 05:32:36 2004
> >
> > When I am trying to save I get the following error :
> >
> > iptables-restore v1.2.9: Can't use -o with INPUT
> 
> The error message gives you the answer. You can't use the -o 
> parameter on the 
> INPUT chain since by definition the destination is always the local 
> host. 
> Remove "-o eth0" from your rules.
> 
> Jeff

I am writing firewall rules for the first time.
 
I am writing rules using webmin -> networking -> linux firewall.

First, what do you think of the rule?

Second, is it OK to just remove -o eth0?

Please feel free to correct me.

Thanks

Varun








* Re: myfirewall help
  2005-01-29 10:33 varun_saa
@ 2005-01-29 14:29 ` Jeffrey Laramie
  0 siblings, 0 replies; 9+ messages in thread
From: Jeffrey Laramie @ 2005-01-29 14:29 UTC (permalink / raw)
  To: netfilter

varun_saa@vsnl.net wrote:
> 
> ----- Original Message -----
> From: Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com>
> Date: Thursday, January 27, 2005 8:27 pm
> Subject: Re: myfirewall help
> 
> 
>>On Thursday 27 January 2005 05:13, varun_saa@vsnl.net wrote:
>>
>>>Hello,
>>>      My server is Mandrake 10.1
>>>eth0 is WAN with static IP connected to 512k DSL
>>>eth1 is LAN
>>>
>>>I am trying to write iptables rules and I am
>>>stuck with some error.
>>>
>>>My iptable file is as follows :
>>>
>>># Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
>>>*nat
>>>
>>>:OUTPUT ACCEPT [0:0]
>>>:PREROUTING ACCEPT [0:0]
>>>:POSTROUTING ACCEPT [0:0]
>>>
>>>-A POSTROUTING -o eth0 -j MASQUERADE
>>>COMMIT
>>># Completed on Thu Oct 21 05:32:36 2004
>>># Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
>>>*mangle
>>>
>>>:PREROUTING ACCEPT [32056:3889577]
>>>:INPUT ACCEPT [32010:3885659]
>>>:FORWARD ACCEPT [0:0]
>>>:OUTPUT ACCEPT [31637:4617585]
>>>:POSTROUTING ACCEPT [31639:4618071]
>>>
>>>COMMIT
>>># Completed on Thu Oct 21 05:32:36 2004
>>># Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
>>>*filter
>>>
>>>:FORWARD ACCEPT [0:0]
>>>:INPUT DROP [0:0]
>>>:OUTPUT ACCEPT [0:0]
>>>
>>>-A INPUT -j ACCEPT
>>>-A INPUT -s 127.0.0.1 -j ACCEPT
>>>-A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
>>>-A INPUT -p udp -m udp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
>>>COMMIT
>>># Completed on Thu Oct 21 05:32:36 2004
>>>
>>>When I am trying to save I get the following error :
>>>
>>>iptables-restore v1.2.9: Can't use -o with INPUT
>>
>>The error message gives you the answer. You can't use the -o 
>>parameter on the 
>>INPUT chain since by definition the destination is always the local 
>>host. 
>>Remove "-o eth0" from your rules.
>>
>>Jeff
> 
> 
> I am writing firewall rules for the first time.

We all have to start somewhere. You should read some documentation on 
iptables/netfilter to help you understand how the rules work and what 
they do. This is what I use:

http://iptables-tutorial.frozentux.net/chunkyhtml/index.html

>  
> I am writing rules using webmin -> networking -> linux firewall.

This is fine as long as your rules don't become too complex. If you 
start to have lots of rules you will find it easier to put them in a 
script. In a script you can add comments to explain the rules and you 
can run and edit the script from the command line which is faster than 
using webmin.

> 
> First what do you think of the rule.

I'm afraid it doesn't really do anything since that combination of 
source and destination ports is not likely to happen very often. In 
general when opening up ports for services you only need to specify the 
destination port. Something like this:

iptables -A INPUT -p udp -i eth1 --dport 3128 -j ACCEPT

This allows udp packets in to the host from eth1 on port 3128.

> 
> Second is it Ok to just remove -0 eth0.

Yes, but the rule I listed above is more useful. Adding more parameters 
to a rule makes it narrower in scope. Add too many and the rule becomes 
useless. Read the tutorial and look at the example scripts. Then show 
us your rules and tell us what you are trying to do and we can try to help.

Jeff
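
Added example, not code from anyone in the thread: a small Python checker that reads an iptables-save dump and mechanises the two points made above, the "-o with INPUT" error that iptables-restore reports (extended to the other single-direction built-in chains) and Ron's observation that the ruleset is all ACCEPTs, since the blanket "-A INPUT -j ACCEPT" makes the INPUT DROP policy and every later INPUT rule unreachable. It runs over the OP's filter table as posted and over a corrected ruleset assembled from Jeff's advice (FIXED is constructed, not from the thread).

```python
"""Lint an iptables-save dump (added example; not code from anyone in the thread).
Flags "-o" in INPUT and "-i" in OUTPUT, which iptables-restore rejects because
those chains see only one interface direction, and rules shadowed by an earlier
unconditional terminating rule such as the OP's "-A INPUT -j ACCEPT".
"""
import shlex

# Chains where one interface direction is undefined (the thread only hits INPUT).
NO_OUT_IFACE = {"INPUT", "PREROUTING"}
NO_IN_IFACE = {"OUTPUT", "POSTROUTING"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(dump):
    """Yield (table, chain, args) for every -A line; args excludes '-A CHAIN'."""
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            yield table, tokens[1], tokens[2:]


def lint(dump):
    """Return findings as (kind, table, chain, rule) tuples in rule order."""
    findings = []
    blanket = {}  # (table, chain) -> first unconditional terminating rule seen
    for table, chain, args in parse_rules(dump):
        rule = " ".join(args)
        if ("-o" in args and chain in NO_OUT_IFACE) or \
           ("-i" in args and chain in NO_IN_IFACE):
            findings.append(("bad-iface", table, chain, rule))
        key = (table, chain)
        if key in blanket:
            findings.append(("unreachable", table, chain, rule))
        elif len(args) == 2 and args[0] == "-j" and args[1] in TERMINATING:
            blanket[key] = rule
    return findings


# The filter table exactly as posted at the top of the thread.
OP_FILTER = """\
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
COMMIT
"""
# Constructed from the thread's advice: blanket ACCEPT gone, "-o eth0" removed,
# only the destination port matched.  "-o" in nat POSTROUTING is legitimate.
FIXED = """\
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3128 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 3128 -j ACCEPT
COMMIT
"""
```

Running lint(OP_FILTER) reports both "-o eth0" rules as bad-iface and the three rules after the blanket ACCEPT as unreachable; lint(FIXED) returns nothing.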


