Re: Bastille/netfilter with Linux 2.6.28 blocks connections

Re: Bastille/netfilter with Linux 2.6.28 blocks connections

[Roland Häder]

Here is the logfile for POP3 connections:
http://www.mxchange.org/downloads/firebox/pop3-drops.log

Greetings,
Roland
____________________________________________________________________
Psssst! Schon vom neuen WEB.DE MultiMessenger gehört? 
Der kann`s mit allen: http://www.produkte.web.de/messenger/?did=3123

Re: Bastille/netfilter with Linux 2.6.28 blocks connections

[Mart Frauenlob]

Roland Häder wrote:
> Here is the logfile for POP3 connections:
> http://www.mxchange.org/downloads/firebox/pop3-drops.log
>
> Greetings,
> Roland
>   
-A FORWARD -s 192.168.1.0/24 -o eth0 -j ACCEPT

in your rule the output device is eth0, but it should again be ppp0.
same same but different... this time for the FORWARD chain.

advice 1: double check your data before posting.

advice 2: make yourself familiar with iptables.


greets


mart

Re: Bastille/netfilter with Linux 2.6.28 blocks connections

[Roland Haeder]

> -A FORWARD -s 192.168.1.0/24 -o eth0 -j ACCEPT
Applied. Well, don't shoot me. I setup eth0 as external device only in
/etc/Bastille/bastille-firewall.cfg, but it has to be eth0 and ppp0 ...

> advice 1: double check your data before posting.
> 
> advice 2: make yourself familiar with iptables.
Will follow them next time. :)

As a contribution to Bastille I left the script files and bogon.list on
my server, others are removed.

Thanks again both for your help, even when the mistake was here and not
in iptables nor Bastille.

But anyway. The InteractiveBastille tool is still not regonizing DB5.0
as OS type. I already filled a bug report out. Hope they will fix it.

Roland

Re: Bastille/netfilter with Linux 2.6.28 blocks connections

[Roland Häder]

Okay, still something left:

Mails cannot be fetcvhed from an Internet server to a client box (e.g. 192.168.1.16 connected to eth1).

But I got different log output here. Posting it in a minute!
____________________________________________________________________
Psssst! Schon vom neuen WEB.DE MultiMessenger gehört? 
Der kann`s mit allen: http://www.produkte.web.de/messenger/?did=3123

Re: Bastille/netfilter with Linux 2.6.28 blocks connections

[Roland Häder]

> -A INPUT -i ppp0 -j PUB_IN
> -A OUTPUT -o ppp0 -j PUB_OUT
Or in other words, I need to rewrite the both exisiting rules for eth0 instead of ppp0 to ppp0.

Looks pretty good here. :) So far no drops! :D

The node is called "firebox" if you want to try it (Tor node!)

I think I can fill another bug report and credit you.

Thanks a lot!

Roland
____________________________________________________________________
Psssst! Schon vom neuen WEB.DE MultiMessenger gehört? 
Der kann`s mit allen: http://www.produkte.web.de/messenger/?did=3123

Re: Bastille/netfilter with Linux 2.6.28 blocks connections

[Roland Häder]

> line 144: -A PUB_IN -s 192.168.1.0/24 -j LOG --log-prefix "PUB_IN DROP 8 "
> 
> says: 'PUB_IN DROP 8'
> 
> your log says: Jan 5 13:49:12 firebox kernel: INPUT DROP 8
> 
> this is not the rule matching in the log. otherwise it would say PUB_IN 
> DROP 8 in your logs.
Okay please redownload this file:
http://www.mxchange.org/downloads/firebox/iptables.list

I have updated it. Output of "iptables -v" said version 1.4.2

Roland
____________________________________________________________________
Psssst! Schon vom neuen WEB.DE MultiMessenger gehört? 
Der kann`s mit allen: http://www.produkte.web.de/messenger/?did=3123

Re: Bastille/netfilter with Linux 2.6.28 blocks connections

[Mart Frauenlob]

Roland Häder wrote:
>> line 144: -A PUB_IN -s 192.168.1.0/24 -j LOG --log-prefix "PUB_IN DROP 8 "
>>
>> says: 'PUB_IN DROP 8'
>>
>> your log says: Jan 5 13:49:12 firebox kernel: INPUT DROP 8
>>
>> this is not the rule matching in the log. otherwise it would say PUB_IN 
>> DROP 8 in your logs.
>>     
> Okay please redownload this file:
> http://www.mxchange.org/downloads/firebox/iptables.list
>
> I have updated it. Output of "iptables -v" said version 1.4.2
>
> Roland
>   

ok,

your log says connections come into interface 'ppp0'.
those get dropped because there's no allow rule for them.
to do it with your configuration, you need two rules like:

-A INPUT -i ppp0 -j PUB_IN
-A OUTPUT -o ppp0 -j PUB_OUT

greets

mart

Re: Bastille/netfilter with Linux 2.6.28 blocks connections

[Roland Häder]

Whyever this webmail did not CC the mailing list...


Hi,
> 
> there is no 'INPUT DROP 8' rule.
Please have a look in line 144, it should be there. :)

Roland

PS: Sorry for that commercial line, I need to use webmail. :/
__________________________________________________________________
Deutschlands größte Online-Videothek schenkt Ihnen 12.000 Videos!*
http://entertainment.web.de/de/entertainment/maxdome/index.html

Re: Bastille/netfilter with Linux 2.6.28 blocks connections

[Mart Frauenlob]

>> there is no 'INPUT DROP 8' rule.
>>     
> Please have a look in line 144, it should be there. :)
>
> Roland
>
> PS: Sorry for that commercial line, I need to use webmail. :/
> __________________________________________________________________
> Deutschlands größte Online-Videothek schenkt Ihnen 12.000 Videos!*
> http://entertainment.web.de/de/entertainment/maxdome/index.html
>
>
>   

line 144: -A PUB_IN -s 192.168.1.0/24 -j LOG --log-prefix "PUB_IN DROP 8 "

says: 'PUB_IN DROP 8'

your log says: Jan 5 13:49:12 firebox kernel: INPUT DROP 8

this is not the rule matching in the log. otherwise it would say PUB_IN 
DROP 8 in your logs.

greets

Mart

Re: Bastille/netfilter with Linux 2.6.28 blocks connections

[Roland Häder]

When I run "InteractiveBastille" I got this outout:

http://www.mxchange.org/downloads/firebox/InteractiveBastille.log

DB5.0 is not supported... Hmmm, maybe that's why I have this routing problems?

... Oh, I recall that, yes, I have updated Debian likewise.

I hope the Bastille team is also listening here, or do they have a seperate mailing list?

Roland
_______________________________________________________________________
Sensationsangebot verlängert: WEB.DE FreeDSL - Telefonanschluss + DSL
für nur 16,37 Euro/mtl.!* http://dsl.web.de/?ac=OM.AD.AD008K15039B7069a

Re: Bastille/netfilter with Linux 2.6.28 blocks connections

[Roland Häder]

> Not right that "both" have the default gw to 192.168.1.1 Only the
> clients on 192.168.1.0/24 have to. The router (the server where you are
> writing the iptables rules) need another gw!
Yes, I have your mentioned setup here: clients have 192.168.1.1 as gateway and 192.168.1.1 has the PPP partner as its gateway.

> Try
> IP -F -t nat
> IP -F FORWARD
> IP -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> IP -A FORWARD -i eth1 -m state --state NEW -j LOG --log-prefix "NEW FW"
> IP -A FORWARD -i eth1 -j ACCEPT
> IP -A POSTROUTING -o eth0 -m state --state NEW -j LOG --log-prefix "NEW POR"
> IP -A POSTROUTING -o eth0 -j MASQUERADE
I suppose I should not replace my _whole_ ruleset but a small part? Else these rules will be a little less secure.

And currently my firewall got attacked on port 110 which is (sadly!) reachable on all NICs.

So where should I add/replace your rules?

> For this into the above iptables.list there are no rules!
> IP -A PREROUTING -i eth0 -p tcp --dport 30017 -j DNAT --to-destination 
> 192.168.1.17
> 
> and add the forward one
I have a similar one already and as I said, it worked before like a sharm. :)

So the "bug" must be someone else. Okay, I put all in /etc/Bastille in a ZIP and try it from a fresh installation. Then I put my custom firewall.d back in place step-by-step.

If that is still failing I try yours but shut down a lot processes on my box. I hate that my box got hacked by some script-kiddie or spammer .... :(

I will add "netstat -lnp" soon!

> I don't know about this....
Okay, never mind. :)

> Michele
Roland
__________________________________________________________________
Deutschlands größte Online-Videothek schenkt Ihnen 12.000 Videos!*
http://entertainment.web.de/de/entertainment/maxdome/index.html

Re: Bastille/netfilter with Linux 2.6.28 blocks connections

[Michele Petrazzo - Unipex srl]

Roland Häder wrote:
> I suppose I should not replace my _whole_ ruleset but a small part?
> Else these rules will be a little less secure.
> 

Those replace only the forward one and add some debug. Of course, at the
end of tests, you'll modify and replace your rules with mine :)

> And currently my firewall got attacked on port 110 which is (sadly!)
> reachable on all NICs.
> 

IP -I INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

> So where should I add/replace your rules?
> 

For test, into a "running" env, so after yours.

>> For this into the above iptables.list there are no rules! IP -A
>> PREROUTING -i eth0 -p tcp --dport 30017 -j DNAT --to-destination 
>> 192.168.1.17
>> 
>> and add the forward one
> I have a similar one already and as I said, it worked before like a
> sharm. :)
> 

Strange. Start with a "rule clean" and recreate the only one that do the
work you want. Make them work and after, and only after, start to debug


Bye

Re: Bastille/netfilter with Linux 2.6.28 blocks connections

[Roland Häder]

> Hi!
Hi,

> Why you said "now". It has never worked? When it's start to had problems?
It has worked on earlier days and with an older kernel, I cannot recall the exact version number, so maybe it was 2.6.18 which I have also used a long time. But once I have upgraded it to newer kernels, and double-checked the config, these routing problems starts.

Okay, anyway. As I have promised before I have uploaded some more details:

First here is the requested logfile (syslog) with the relevant ports:
http://www.mxchange.org/downloads/firebox/tor-drops_syslog.log

Okay, two thinks I was mentioning before where wrong, sorry about that. :( First INPUT DROP 8 is dropping the packets and second they came from outside as you can see in the logs.

Here are some more files for inspection:

My actually used kernel config:                                                                                                                              
http://www.mxchange.org/downloads/firebox/config-2.6.28-vanilla

Output of "route -n": (it should be fine, I suppose)
http://www.mxchange.org/downloads/firebox/route.txt

That x.x.x.x was me. It is the PPP partner IP of my ISP.

This directory contains my extra-scripts for the corresponding Bastille "hooks":
http://www.mxchange.org/downloads/firebox/firewall.d/

That directory should be found in /etc/Bastille/.
>
> You have to say us what you want to leave pass from that firewall... tor
> from internet, from lan? tor on localhost wants to connect to your-self
> by 127 or 192 ?
192.168.1.1 is my router, 192.168.1.1x are my clients, both have a "default gateway" set to 192.168.1.1 and /etc/resolve.conf has a nameserver entry pointing only to 192.168.1.1

I want to pass through from my LAN (eth1) to Internet (eth0/ppp0) regular things like Mail, Newsgroups and such things. So I need to masq my private network 192.168.1.0 on eth1 to the Internet. And this is no longer working.
  
I want to route traffic from Internet on TCP/UDP port 31017 which is being used by Descent2-Rebirth to my client 192.168.1.17. I used PREROUTE and FORWARD for this.
                                                                                                                                                             
Like I wrote above it *has* worked, until I have upgraded the farly outdated kernel which should be done on regular basis. I guess you know why. :)

> Too short description and no logs.
Hope that helps a bit more? :)

Roland

__________________________________________________________________
Deutschlands größte Online-Videothek schenkt Ihnen 12.000 Videos!*
http://entertainment.web.de/de/entertainment/maxdome/index.html

Re: Bastille/netfilter with Linux 2.6.28 blocks connections

[Michele Petrazzo - Unipex srl]

Roland Häder wrote:
> 192.168.1.1 is my router, 192.168.1.1x are my clients, both have a 
> "default gateway" set to 192.168.1.1 and /etc/resolve.conf has a 
> nameserver entry pointing only to 192.168.1.1
> 

Not right that "both" have the default gw to 192.168.1.1 Only the
clients on 192.168.1.0/24 have to. The router (the server where you are
writing the iptables rules) need another gw!

> I want to pass through from my LAN (eth1) to Internet (eth0/ppp0) 
> regular things like Mail, Newsgroups and such things. So I need to 
> masq my private network 192.168.1.0 on eth1 to the Internet. And this
>  is no longer working.
> 

Seen the rules, this must work.
Try
IP -F -t nat
IP -F FORWARD
IP -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
IP -A FORWARD -i eth1 -m state --state NEW -j LOG --log-prefix "NEW FW"
IP -A FORWARD -i eth1 -j ACCEPT
IP -A POSTROUTING -o eth0 -m state --state NEW -j LOG --log-prefix "NEW POR"
IP -A POSTROUTING -o eth0 -j MASQUERADE

> I want to route traffic from Internet on TCP/UDP port 31017 which is 
> being used by Descent2-Rebirth to my client 192.168.1.17. I used 
> PREROUTE and FORWARD for this.
> 

For this into the above iptables.list there are no rules!
IP -A PREROUTING -i eth0 -p tcp --dport 30017 -j DNAT --to-destination 
192.168.1.17

and add the forward one

> Like I wrote above it *has* worked, until I have upgraded the farly 
> outdated kernel which should be done on regular basis. I guess you 
> know why. :)
> 

I don't know about this....

Michele

Re: Bastille/netfilter with Linux 2.6.28 blocks connections

[Mart Frauenlob]

Roland Häder wrote:
> First here is the requested logfile (syslog) with the relevant ports:
> http://www.mxchange.org/downloads/firebox/tor-drops_syslog.log
>
> Okay, two thinks I was mentioning before where wrong, sorry about that. :( First INPUT DROP 8 is dropping the packets and second they came from outside as you can see in the logs

Hello,

in iptables-save output you supplied:
http://www.mxchange.org/downloads/firebox/iptables.list

there is no 'INPUT DROP 8' rule.

greets

Mart

Bastille/netfilter with Linux 2.6.28 blocks connections

[Roland Häder]

Hi together,

I have a Debian Unstable (Sid) here with vanilla kernel 2.6.28. I use the Bastille firewall script to setup firewall rules.

When I now start a service e.g. Tor which needs open ports at 9001 and 9030 it can connect to itself when the firewall is done.

But when I start it it's self-connections got blocked.

Here is my ruleset exported with "iptables-save > iptables.list":
http://www.mxchange.org/downloads/firebox/iptables.list

The rule with log-prefix "INPUT DROP 10" blocks Tor's own connection attempt.

Additonally no masq is working.

My router has IP 192.168.1.1 on internal NIC and 192.168.20.1 on external NIC where the ADSL box is connected.

If you need kernel config or output of "route -n" I can upload it on my server as well.

Please assisst me here. :)

Regards,
Roland
_______________________________________________________________________
Sensationsangebot verlängert: WEB.DE FreeDSL - Telefonanschluss + DSL
für nur 16,37 Euro/mtl.!* http://dsl.web.de/?ac=OM.AD.AD008K15039B7069a

Re: Bastille/netfilter with Linux 2.6.28 blocks connections

[Michele Petrazzo - Unipex srl]

Roland Häder wrote:
> Hi together,
> 

Hi!

> I have a Debian Unstable (Sid) here with vanilla kernel 2.6.28. I use
>  the Bastille firewall script to setup firewall rules.
> 
> When I now start a service e.g. Tor which needs open ports at 9001 
> and 9030 it can connect to itself when the firewall is done.
> 

Why you said "now". It has never worked? When it's start to had problems?

> But when I start it it's self-connections got blocked.
> 
> Here is my ruleset exported with "iptables-save > iptables.list": 
> http://www.mxchange.org/downloads/firebox/iptables.list
> 

You have to say us what you want to leave pass from that firewall... tor
from internet, from lan? tor on localhost wants to connect to your-self
by 127 or 192 ?
Too short description and no logs.
Past the "INPUT DROP 10" drop syslog or add some logging "debug" rules
around and see why it's not pass
Masq from .. to... ?

Michele