iptables on Satellite receive only linux PC

iptables on Satellite receive only linux PC

[yunus]

Dear netfilter gurus,

In my last post I got good suggestions. Unfortunately they dont work.
This is a linux PC with satellite receive only card. The router is also
on the same network that is taking the traffic outside. Linux PC running
iptables has a satellite receive only pentanet card (data is received
and transmitted through cisco router.)

After implementing iptables config given below network traffic comming
from satellite PC stops.


IPTABLES="/sbin/iptables"
IP1=212.15.150.9
#

#
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
#

#
# silent       - Just dop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that that we refuse, possibly from an
attack
#
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix
TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix
Firewalled:
$IPTABLES -A firewalled -j DROP
#
# These are all TCP flag combinations that should never, ever, occur in
the
# wild. All of these are illegal combinations that are used to attack a
box
# in various ways.
#
$IPTABLES -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
# the above line will allow traffic from loopback interface
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j
tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j
ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
#
# The loopback interface is inheritly trustworthy. Don't disable it or
# a number of things will break.
#
$IPTABLES -A INPUT -i lo -j ACCEPT
#
# Now allow Internet hosts access to those services we provide. Note
that
# enabling inbound FTP 20 & 21 tcp will also require allowing ports
# 1024-65534/tcp. Which in itself is good enough reason not to allow FTP

# connections and to only allow ssh/scp/sftp.
#
# Allow ssh frpm anywhere to this server
#
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
#
# HTTP access from anywhere
#
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 0/0 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 123 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 0/0 --dport 123 -j ACCEPT
#
#
$IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p udp --dport 123 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 123 -j ACCEPT
#
# If there are trusted nodes you can allow then access to everything
with
# something like. Be sure to set IP at the top of this script if you
enable one
# of these.
#
#$IPTABLES -A INPUT -s 10.0.0.0/24 -d $IP1 -j ACCEPT

#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Anything not already matched gets firewalled and logged.
#
$IPTABLES -A INPUT -j firewalled

Thanks for all the response

Re: iptables on Satellite receive only linux PC

[Cedric Blancher]

Le mer 28/07/2004 à 07:16, yunus a écrit :
> In my last post I got good suggestions. Unfortunately they dont work.
> This is a linux PC with satellite receive only card. The router is also
> on the same network that is taking the traffic outside. Linux PC running
> iptables has a satellite receive only pentanet card (data is received
> and transmitted through cisco router.)

Juste a bet. Have you desactivated reverse path filtering that does not
allow asymetric routing from working ?

	echo 0 > /proc/sys/net/ipv4/conf/all/rp_filters


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

Re: iptables on Satellite receive only linux PC

[yunus]

When I change the line below to accept everything works fine.

$IPTABLES -P FORWARD DROP    to  $IPTABLES -P FORWARD ACCEPT

             netfilter@lists.netfilter.org

Cedric Blancher wrote:

> Le mer 28/07/2004 à 07:16, yunus a écrit :
> > In my last post I got good suggestions. Unfortunately they dont work.
> > This is a linux PC with satellite receive only card. The router is also
> > on the same network that is taking the traffic outside. Linux PC running
> > iptables has a satellite receive only pentanet card (data is received
> > and transmitted through cisco router.)
>
> Juste a bet. Have you desactivated reverse path filtering that does not
> allow asymetric routing from working ?
>
>         echo 0 > /proc/sys/net/ipv4/conf/all/rp_filters
>
> --
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> >> Hi! I'm your friendly neighbourhood signature virus.
> >> Copy me to your signature file and help me spread!

Re: iptables on Satellite receive only linux PC

[Aleksandar Milivojevic]

yunus wrote:
> When I change the line below to accept everything works fine.
> 
> $IPTABLES -P FORWARD DROP    to  $IPTABLES -P FORWARD ACCEPT

Of course it works, because you just deactivated your firewall. 
Anything goes through it (all your rules in FORWARD chain have ACCEPT 
target, and than you changed default policy to ACCEPT: everything is 
accepted).

Also, it seems that you have (incorrect) assumption that packet will go 
through both INPUT and FORWARD chains (because you are catching "bad" 
packets only in INPUT chain).  Packet will go either through INPUT (if 
it is destined for local machine) or through FORWARD (if it is to be 
routed/forwarded to another machine).  It will never go through both.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

Re: iptables on Satellite receive only linux PC

[yunus]

Should I change /proc/sys/net/ipv4/conf/all/rp_filters =1.

Cedric Blancher wrote:

> Le mer 28/07/2004 à 07:16, yunus a écrit :
> > In my last post I got good suggestions. Unfortunately they dont work.
> > This is a linux PC with satellite receive only card. The router is also
> > on the same network that is taking the traffic outside. Linux PC running
> > iptables has a satellite receive only pentanet card (data is received
> > and transmitted through cisco router.)
>
> Juste a bet. Have you desactivated reverse path filtering that does not
> allow asymetric routing from working ?
>
>         echo 0 > /proc/sys/net/ipv4/conf/all/rp_filters
>
> --
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> >> Hi! I'm your friendly neighbourhood signature virus.
> >> Copy me to your signature file and help me spread!

             netfilter@lists.netfilter.org

Re: iptables on Satellite receive only linux PC

[Antony Stone]

On Saturday 31 July 2004 10:56 am, yunus wrote:

> Should I change /proc/sys/net/ipv4/conf/all/rp_filters =1.

You should "echo 0 > /proc/sys/net/ipv4/conf/all/rp_filters"

You want the result of "cat /proc/sys/net/ipv4/conf/all/rp_filters" to be 0, 
not 1.

Regards,

Antony.

> Cedric Blancher wrote:
> > Le mer 28/07/2004 à 07:16, yunus a écrit :
> > > In my last post I got good suggestions. Unfortunately they dont work.
> > > This is a linux PC with satellite receive only card. The router is also
> > > on the same network that is taking the traffic outside. Linux PC
> > > running iptables has a satellite receive only pentanet card (data is
> > > received and transmitted through cisco router.)
> >
> > Juste a bet. Have you desactivated reverse path filtering that does not
> > allow asymetric routing from working ?
> >
> >         echo 0 > /proc/sys/net/ipv4/conf/all/rp_filters
> >
> > --
> > http://www.netexit.com/~sid/
> > PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> >
> > >> Hi! I'm your friendly neighbourhood signature virus.
> > >> Copy me to your signature file and help me spread!
>
>              netfilter@lists.netfilter.org

-- 
Users don't know what they want until they see what they get.

                                                     Please reply to the list;
                                                           please don't CC me.

RE: iptables on Satellite receive only linux PC

[John Arthur]

> You should "echo 0 > /proc/sys/net/ipv4/conf/all/rp_filters"
> 
> You want the result of "cat 
> /proc/sys/net/ipv4/conf/all/rp_filters" to be 0, 
> not 1.
> 

Actually assuming that the satellite card is pentanet0 you want

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filters
echo 1 > /proc/sys/net/ipv4/conf/pentanet0/rp_filters

To only turn off spoofing protection on the one interface.

Re: iptables on Satellite receive only linux PC

[yunus]

These are the default values. It still does'nt work. Can any one kindly go
through my script and tell me the mistake I am making. This is a Linux PC with
receive only pentanet card.

Thanks for all the help.
IPTABLES="/sbin/iptables"
IP1=212.15.150.9
#

#
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
#

#
# silent       - Just dop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that that we refuse, possibly from an
attack
#
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix
TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix
Firewalled:
$IPTABLES -A firewalled -j DROP
#
# These are all TCP flag combinations that should never, ever, occur in
the
# wild. All of these are illegal combinations that are used to attack a
box
# in various ways.
#
$IPTABLES -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
# the above line will allow traffic from loopback interface
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j
tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j
ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
#
# The loopback interface is inheritly trustworthy. Don't disable it or
# a number of things will break.
#
$IPTABLES -A INPUT -i lo -j ACCEPT
#
# Now allow Internet hosts access to those services we provide. Note
that
# enabling inbound FTP 20 & 21 tcp will also require allowing ports
# 1024-65534/tcp. Which in itself is good enough reason not to allow FTP

# connections and to only allow ssh/scp/sftp.
#
# Allow ssh frpm anywhere to this server
#
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
#
# HTTP access from anywhere
#
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 0/0 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 123 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 0/0 --dport 123 -j ACCEPT
#
#
$IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p udp --dport 123 -j ACCEPT
$IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 123 -j ACCEPT
#
# If there are trusted nodes you can allow then access to everything
with
# something like. Be sure to set IP at the top of this script if you
enable one
# of these.
#
#$IPTABLES -A INPUT -s 10.0.0.0/24 -d $IP1 -j ACCEPT

#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Anything not already matched gets firewalled and logged.
#
$IPTABLES -A INPUT -j firewalled

>Actually assuming that the satellite card is pentanet0 you want

>echo 0 > /proc/sys/net/ipv4/conf/all/rp_filters
>echo 1 > /proc/sys/net/ipv4/conf/pentanet0/rp_filters

>To only turn off spoofing protection on the one interface.

Re: iptables on Satellite receive only linux PC

[Antony Stone]

On Monday 02 August 2004 6:36 am, yunus wrote:

> These are the default values. It still does'nt work. Can any one kindly go
> through my script and tell me the mistake I am making. This is a Linux PC
> with receive only pentanet card.
>
> # Allow selected ICMP types and drop the rest.
> #
> $IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
> $IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
> $IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
> $IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
> $IPTABLES -A INPUT -p icmp -j firewalled

Are you getting any ICMP packets logged from your "firewalled" user-defined 
chain?   I just wonder whether the satellite link uses any ICMP types you 
haven't allowed for here...?

> $IPTABLES -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
> $IPTABLES -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
> $IPTABLES -A INPUT -p tcp -s 0/0 --dport 25 -j ACCEPT
> $IPTABLES -A INPUT -p tcp -s 0/0 --dport 53 -j ACCEPT
> $IPTABLES -A INPUT -p udp -s 0/0 --dport 53 -j ACCEPT
> $IPTABLES -A INPUT -p tcp -s 0/0 --dport 123 -j ACCEPT
> $IPTABLES -A INPUT -p udp -s 0/0 --dport 123 -j ACCEPT
> #
> $IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 443 -j ACCEPT
> $IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 25 -j ACCEPT
> $IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -i pentanet0 -p udp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -i pentanet0 -p udp --dport 123 -j ACCEPT
> $IPTABLES -A FORWARD -i pentanet0 -p tcp --dport 123 -j ACCEPT

Are you *really* providing all these services - HTTP, HTTPS, SMTP, DNS, Time, 
*on* the firewall itself (INPUT) as well as on server/s inside your network 
(FORWARD)?

> #$IPTABLES -A INPUT -s 10.0.0.0/24 -d $IP1 -j ACCEPT
>
> #
> # Allow packets that are part of an established connection to pass
> # through the firewall. This is required for normal Internet activity
> # by inside clients.
> #
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

I would advise putting these rules as the first in their respective tables.   
Either move the position of these rules in your script, or change "-A" to 
"-I".   The vast majority of packets coming into or through the firewall will 
match one of the above rules, so it should be the first in the list.

> # Anything not already matched gets firewalled and logged.
> #
> $IPTABLES -A INPUT -j firewalled

And what about other packets trying to get through FORWARD?   Do you LOG 
those?   (LOGging can be a big clue when trying to track down why something 
isn't working...)

Regards,

Antony.

-- 
There are only 10 types of people in the world:
those who understand binary notation,
and those who don't.

                                                     Please reply to the list;
                                                           please don't CC me.

RE: iptables on Satellite receive only linux PC

[Jason Opperisano]

> Actually assuming that the satellite card is pentanet0 you want
>
> echo 0 > /proc/sys/net/ipv4/conf/all/rp_filters
> echo 1 > /proc/sys/net/ipv4/conf/pentanet0/rp_filters
>
> To only turn off spoofing protection on the one interface.

That achieves the opposite effect.  The above will disable reverse path filtering for all interfaces except pentanet0.  The opposite, would do what you are suggesting:

# enable reverse-path filtering on all interfaces
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# disable reverse-path filtering on pentanet0 interface
echo 0 > /proc/sys/net/ipv4/conf/pentanet0/rp_filter

-j

RE: iptables on Satellite receive only linux PC

[John Arthur]

 
> > Actually assuming that the satellite card is pentanet0 you want
> >
> > echo 0 > /proc/sys/net/ipv4/conf/all/rp_filters
> > echo 1 > /proc/sys/net/ipv4/conf/pentanet0/rp_filters
> >
> > To only turn off spoofing protection on the one interface.
> 
> That achieves the opposite effect.  The above will disable 
> reverse path filtering for all interfaces except pentanet0.  The 
> opposite, would do what you are suggesting:
> 
> # enable reverse-path filtering on all interfaces
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
> 
> # disable reverse-path filtering on pentanet0 interface
> echo 0 > /proc/sys/net/ipv4/conf/pentanet0/rp_filter
> 

Yes you're correct. That's what comes from doing things too quickly. ;-)