Linux Netfilter discussions
* Problems Pinging the Internet w/this script
@ 2004-09-12  0:32 Jesse
  2004-09-12  1:15 ` Problems Pinging the Internet w/this script (nfcan: addressed to exclusive sender for this address) Jim Laurino
  2004-09-12  1:24 ` Problems Pinging the Internet w/this script Jason Opperisano
  0 siblings, 2 replies; 3+ messages in thread
From: Jesse @ 2004-09-12  0:32 UTC (permalink / raw)
  To: netfilter

Here's a script I'm using to create some tables which will only allow in 
on ports I'm running services. One of the problems I'm having is that I 
can't ping the Internet with a DNS address from this machine. I've 
allowed everything in the OUTPUT table and can ping the Internet when 
using a straight IP, but when I type in "ping google.com" the machine 
hangs for a few seconds and gives me a server request error. I know it's 
something with my rules because when I flush them all I can ping 
google.com just fine. Any ideas would be greatly appreciated. I'm 
guessing it's something trivial but can't put my finger on it yet.

thanks

#!/bin/bash
########## Beginning 
###########################################################

# Define Interfaces/Networks

    # Inside/Intranet Interface
      INSIDEIP="192.168.7.55"
      INSIDEINT="eth0"

    # External/Internet Interface   
    # OUTSIDEIP=
    # OUTSIDEINT=

    # LAN Network
      LAN="192.168.7.0/24"

    # Admin Host
      ADMIN="192.168.7.51"

# Define other Variables

    RULE="/usr/sbin/iptables"

# Flushing All rules/chains
  $RULE -A INPUT LOG
  $RULE -A OUTPUT LOG
  $RULE -A FORWARD LOG
  $RULE -P INPUT DROP
  $RULE -P OUTPUT DROP
  $RULE -P FORWARD DROP
  $RULE -F INPUT
  $RULE -F OUTPUT
  $RULE -F FORWARD

# Adding Permittable Network/Hosts/Ports to Input Table on Internal Interface

  # Allowing DNS,FTP,SSH,Webmin,HTTP,SWAT,and Samba to Server

  $RULE -A INPUT -i $INSIDEINT --proto icmp --icmp-type any -j ACCEPT
  $RULE -A INPUT -i $INSIDEINT --proto tcp --dport 21 -d $INSIDEIP -j ACCEPT
  $RULE -A INPUT -i $INSIDEINT --proto tcp -s $ADMIN --dport 22 -d $INSIDEIP -j ACCEPT
  $RULE -A INPUT -i $INSIDEINT --proto tcp --dport 53 -d $INSIDEIP -j ACCEPT
  $RULE -A INPUT -i $INSIDEINT --proto tcp --dport 80 -d $INSIDEIP -j ACCEPT
  $RULE -A INPUT -i $INSIDEINT --proto tcp --dport 137 -d $INSIDEIP -j ACCEPT
  $RULE -A INPUT -i $INSIDEINT --proto tcp --dport 138 -d $INSIDEIP -j ACCEPT
  $RULE -A INPUT -i $INSIDEINT --proto tcp --dport 139 -d $INSIDEIP -j ACCEPT
  $RULE -A INPUT -i $INSIDEINT --proto tcp --dport 445 -d $INSIDEIP -j ACCEPT
  $RULE -A INPUT -i $INSIDEINT --proto tcp -s $ADMIN --dport 901 -d $INSIDEIP -j ACCEPT
  $RULE -A INPUT -i $INSIDEINT --proto tcp -s $ADMIN --dport 10000 -d $INSIDEIP -j ACCEPT

# Denying Everything on Local Network

# Adding entry to allow everything originating from Internal Interface out
   
  $RULE -A OUTPUT -j ACCEPT

########## END 
################################################################




* Re: Problems Pinging the Internet w/this script (nfcan: addressed to exclusive sender for this address)
@ 2004-09-12  1:15 ` Jim Laurino
From: Jim Laurino @ 2004-09-12  1:15 UTC (permalink / raw)
  To: netfilter

On 2004.09.11 20:32, Jesse rv wrote:
> Here's a script I'm using to create some tables which will only allow in on  
> ports I'm running services. One of the problems I'm having is that I can't  
> ping the Internet with a DNS address from this machine. I've allowed  
> everything in the OUTPUT table and can ping the Internet when using a  
> straight IP, but when I type in "ping google.com" the machine hangs for a  
> few seconds and gives me a server request error. I know it's something with  
> my rules because when I flush them all I can ping google.com just fine. Any  
> ideas would be greatly appreciated. I'm guessing it's something trivial but  
> can't put my finger on it yet.
> 
> thanks
........
> 
> # Adding Permittable Network/Hosts/Ports to Input Table on Internal Interface
> 
>  # Allowing DNS,FTP,SSH,Webmin,HTTP,SWAT,and Samba to Server
> 
>  $RULE -A INPUT -i $INSIDEINT --proto icmp --icmp-type any -j ACCEPT
.......
>  $RULE -A INPUT -i $INSIDEINT --proto tcp --dport 53 -d $INSIDEIP -j ACCEPT
.......

One thing, at least, is that you have to allow DNS on both tcp and udp.
So you also need a rule like this:

   $RULE -A INPUT -i $INSIDEINT --proto udp --dport 53 -d $INSIDEIP -j ACCEPT

HTH

Jim



* Re: Problems Pinging the Internet w/this script
@ 2004-09-12  1:24 ` Jason Opperisano
From: Jason Opperisano @ 2004-09-12  1:24 UTC (permalink / raw)
  To: netfilter

On Sat, 2004-09-11 at 20:32, Jesse wrote:
> Here's a script I'm using to create some tables which will only allow in 
> on ports I'm running services. One of the problems I'm having is that I 
> can't ping the Internet with a DNS address from this machine. I've 
> allowed everything in the OUTPUT table and can ping the Internet when 
> using a straight IP, but when I type in "ping google.com" the machine 
> hangs for a few seconds and gives me a server request error. I know it's 
> something with my rules because when I flush them all I can ping 
> google.com just fine. Any ideas would be greatly appreciated. I'm 
> guessing it's something trivial but can't put my finger on it yet.
> 
> thanks
> 
> #!/bin/bash
> ########## Beginning 
> ###########################################################
> 
> # Define Interfaces/Networks
> 
>     # Inside/Intranet Interface
>       INSIDEIP="192.168.7.55"
>       INSIDEINT="eth0"
> 
>     # External/Internet Interface   
>     # OUTSIDEIP=
>     # OUTSIDEINT=
> 
>     # LAN Network
>       LAN="192.168.7.0/24"
> 
>     # Admin Host
>       ADMIN="192.168.7.51"
> 
> # Define other Variables
> 
>     RULE="/usr/sbin/iptables"
> 
> # Flushing All rules/chains
>   $RULE -A INPUT LOG
>   $RULE -A OUTPUT LOG
>   $RULE -A FORWARD LOG

um--any particular reason why you append 3 LOG rules (with incorrect
syntax, btw...) 3 lines before you flush everything out?  nevermind--i'm
sure there's a fantastic reason behind it--so i'll just note, that they
should be:

  iptables -A INPUT -j LOG
  iptables -A OUTPUT -j LOG
  iptables -A FORWARD -j LOG

>   $RULE -P INPUT DROP
>   $RULE -P OUTPUT DROP
>   $RULE -P FORWARD DROP
>   $RULE -F INPUT
>   $RULE -F OUTPUT
>   $RULE -F FORWARD
> 
> # Adding Permittable Network/Hosts/Ports to Input Table on Internal Interface
> 
>   # Allowing DNS,FTP,SSH,Webmin,HTTP,SWAT,and Samba to Server
> 
>   $RULE -A INPUT -i $INSIDEINT --proto icmp --icmp-type any -j ACCEPT
>   $RULE -A INPUT -i $INSIDEINT --proto tcp --dport 21 -d $INSIDEIP -j ACCEPT
>   $RULE -A INPUT -i $INSIDEINT --proto tcp -s $ADMIN --dport 22 -d $INSIDEIP -j ACCEPT
>   $RULE -A INPUT -i $INSIDEINT --proto tcp --dport 53 -d $INSIDEIP -j ACCEPT

if this machine is a DNS server offering name resolution to hosts on
$INSIDEINT--those requests are UDP, not TCP.  TCP 53 is used for zone
transfers between name servers.

>   $RULE -A INPUT -i $INSIDEINT --proto tcp --dport 80 -d $INSIDEIP -j ACCEPT
>   $RULE -A INPUT -i $INSIDEINT --proto tcp --dport 137 -d $INSIDEIP -j ACCEPT
>   $RULE -A INPUT -i $INSIDEINT --proto tcp --dport 138 -d $INSIDEIP -j ACCEPT

ports 137 and 138, if being used in the "nmbd" sense--are UDP, not TCP. 
try "netstat -lntu" if you don't believe me.

>   $RULE -A INPUT -i $INSIDEINT --proto tcp --dport 139 -d $INSIDEIP -j ACCEPT
>   $RULE -A INPUT -i $INSIDEINT --proto tcp --dport 445 -d $INSIDEIP -j ACCEPT

stylistic note:  you could reduce the number of rules you have by using
the "-m multiport" match:

  iptables -A INPUT -i $INSIDEINT -p tcp -d $INSIDEIP \
    -m multiport --dports 21,80,139,445 -j ACCEPT

  iptables -A INPUT -i $INSIDEINT -p udp -d $INSIDEIP \
    -m multiport --dports 53,137,138 -j ACCEPT

>   $RULE -A INPUT -i $INSIDEINT --proto tcp -s $ADMIN --dport 901 -d $INSIDEIP -j ACCEPT
>   $RULE -A INPUT -i $INSIDEINT --proto tcp -s $ADMIN --dport 10000 -d $INSIDEIP -j ACCEPT
> 
> # Denying Everything on Local Network
> 
> # Adding entry to allow everything originating from Internal Interface out
>    
>   $RULE -A OUTPUT -j ACCEPT
> 
> ########## END 
> ################################################################

the reason you can ping by IP is:

  iptables -A OUTPUT -j ACCEPT

allows the ICMP echo-request out, and

  iptables -A INPUT -i $INSIDEINT --proto icmp --icmp-type any -j ACCEPT

allows the ICMP echo-reply back in.

the above does not hold true for a DNS request (UDP 53 out & in)

i might recommend investigating the use of:

  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

as the first rule in your INPUT chain. and the use of:

  iptables -A INPUT -j LOG --log-prefix "FW DROP IN: "
  iptables -A OUTPUT -j LOG --log-prefix "FW DROP OUT: "

as the last rules in your chains.

all this (and more) is covered in depth in:

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

-j

-- 
Jason Opperisano <opie@817west.com>
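
Pulling Jim's and Jason's points together, here is the script with both replies' fixes applied, as an added example (not Jesse's script and not code from either reply): flush before setting policies and rules, UDP rules for DNS and nmbd, LOG rules written with -j LOG and placed last, the state match as the first INPUT rule so DNS answers and echo-replies get back in, and service ports grouped with -m multiport. The addresses and interface are the ones from the post; by default the script only prints the rules (RULE is "echo iptables") and loads them only when run as root with RULE=/usr/sbin/iptables.

```shell
#!/bin/bash
# Added example: the thread's script with both replies' fixes applied.
# Values from the original post:
INSIDEIP="192.168.7.55"
INSIDEINT="eth0"
ADMIN="192.168.7.51"
# Dry-run by default: each rule is printed instead of loaded.
# Apply for real as root with: RULE=/usr/sbin/iptables ./firewall.sh
RULE="${RULE:-echo iptables}"

apply_rules() {
    # 1. Flush first, then default-deny. (The original appended LOG rules
    #    and flushed them away three lines later.)
    $RULE -F INPUT
    $RULE -F OUTPUT
    $RULE -F FORWARD
    $RULE -P INPUT DROP
    $RULE -P OUTPUT DROP
    $RULE -P FORWARD DROP

    # 2. First INPUT rule: replies to traffic this host started come back in.
    #    This is what lets the UDP 53 answer (and the echo-reply) return,
    #    so "ping google.com" resolves without opening inbound ports for it.
    $RULE -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Services offered to the LAN, with the right transport for each:
    #    DNS queries and nmbd (137/138) are UDP; TCP 53 is zone transfers.
    $RULE -A INPUT -i "$INSIDEINT" -p icmp --icmp-type any -j ACCEPT
    $RULE -A INPUT -i "$INSIDEINT" -p tcp -d "$INSIDEIP" \
        -m multiport --dports 21,53,80,139,445 -j ACCEPT
    $RULE -A INPUT -i "$INSIDEINT" -p udp -d "$INSIDEIP" \
        -m multiport --dports 53,137,138 -j ACCEPT
    # Admin-only services: SSH (22), SWAT (901), Webmin (10000).
    $RULE -A INPUT -i "$INSIDEINT" -p tcp -s "$ADMIN" -d "$INSIDEIP" \
        -m multiport --dports 22,901,10000 -j ACCEPT

    # 4. Anything this host originates may leave.
    $RULE -A OUTPUT -j ACCEPT

    # 5. Last rule in INPUT: log what is about to hit the DROP policy.
    #    (OUTPUT accepts everything above, so a LOG rule there would be dead.)
    $RULE -A INPUT -j LOG --log-prefix "FW DROP IN: "
}

apply_rules
```

Once loaded, "iptables -L INPUT -n -v" should show the state rule first and the LOG rule last, and the counters on the LOG rule tell you what is still being dropped.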

