Linux Format forums

Re: iptables Questions - Linux Format LXF63 February 2005

Anonymous — Wed May 11, 2005 9:11 pm

Author: Anonymous

Posted: Wed May 11, 2005 9:11 pm

Hi, I managed to answer my own questions and have posted the results below in case anyone else is interested.

1) Kde/gnome locking up at their start-up screens.
Searching around it appears that X needs access to port 9000 to work correctly. I guess this must be a throwback to its client server origins. I could have opened port 9000 explicitly but in the end just gave localhost 127.0.0.1 full access. All now works as it should. I have posted the updated script at the end of this message in case anyone is interested.

2) How to configure the script for standard system startup.
A fould a very useful article from PCPlus.co.uk at:
http://davidcoulson.net/writing/pcp/167/masterclass-linuxhelp.pdf

On Red Hat systems the scripts which start or stop the various services are located in /etc/rc.d/init.d/. On other systems they may be in /etc/init.d/. These scripts are fairly straightforward and take simple �start, stop, restart, status� arguments. If you take a simple example, such as the one that launches atd, you could hack it to load or kill whichever service you�re interested in. To make the service run at start-up you need to set it up to start when the machine enters the default runlevel (usually 5 if you have a graphical login under Red Hat). If you look in /etc/rc.d/rc5.d/ you�ll notice a lot of files with names like S10atd which is symlinked to ../init.d/atd. Rather than duplicating the whole script or putting a command in a script, the init process looks in /etc/rc.d/rc5.d for everything beginning with a K, in numerical order, and does filename stop. If you had K10atd and K40crond, it would stop atd first, then crond. It then looks for everything beginning with an S and does filename start.

****
iptables script:
#!/bin/bash

# block_internet_access script
# Control internet access using IPTABLES rules

case "$1" in
start)
# Apply firewall restrictions
# First set up so default policy is set to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Now flush out any existing rules and non-default chains
iptables -F
iptables -X
# Now allow full access to local lan only
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/24 -j ACCEPT
# Allow full access for localhost, need access
# to at least port 9000 for X windows to be able
# to function
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT
;;

stop)
# Now remove all rules and allow full access
# firewall is ineffect disabled. This is safe
# when behind a hardware firewall interface
# to the internet

# Now flush out any existing rules and non-default chains
iptables -F
iptables -X
# Set up default policy to ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
;;

restart)
# First set up so default policy is set to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Now flush out any existing rules and non-default chains
iptables -F
iptables -X
# Now allow full access to local lan only
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/24 -j ACCEPT
# Allow full access for localhost, need access
# to at least port 9000 for X windows to be able
# to function
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT
;;

*)
echo 'Only start, stop and restart arguments with this script'
exit 1
;;
esac
exit 0
;;

Re: iptables Questions - Linux Format LXF63 February 2005

Anonymous — Sun May 08, 2005 10:16 pm

Author: Anonymous

Posted: Sun May 08, 2005 10:16 pm

Thanks for all the help so far, but I need a little more advice. As I have the strange situation where what I am doing stops kde/gnome from starting.

I have created the script (at end of this message) and did the following (on Mandrake 10.1):

1) Put script "block_internet_access" in /etc/rc.d/init.d/

2) Changed protection on file with:
chmod 744 block_internet_access

3) Edited /etc/rc.d/rc.local file. The comment in this file is:
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

Added following lines to the end of the file:
# Run block_internet_access script
/etc/init.d/block_internet_access start

Now when I was logged in before a re-boot I could issue as root:
# /etc/rc.d/init.d/block_internet_access start

# /etc/rc.d/init.d/block_internet_access stop

and all worked as I expected. Checking with a web browser for internet access and chekcing "iptables -nL" output.

However, when I re-booted a major problem occured. I got to the Mandrake login screen (so I think this means X has started ok). Entered username and password, and kde started. It got stuck at "Initialising system services" for about 1 minute or so and then the kde startup box disappeared and I was just left with the blue background screen. The machine was locked solid and I had to do a hard power off. The same thing happened when I tried gnome, rather than kde.

If, however, I pressed <ESC> at the lilo prompt and did a "linux 3" I get the non-graphical start (no X). I can log in and all is ok. When I run "iptables -nL" (as root) I get the following output, (which is what I was expecting):

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 0.0.0.0/0

So my script appears to have run correctly. Via this login I can edit things to change the system.

Obviously I have something wrong though, and would appreciate some pointers as I am out of my depth. Is there access to some other network address kde/gnome is missing? localhost 127.0.0.1 (I believe) comes to mind?

When I comment out the line I added in the rc.local file, kde starts up fine on the next re-boot.

As an aside, I don't think adding the call to the rc.local file is how the rest of the system scripts are called, and some pointers as to how to start my script in the same way as the others is a longer term goal.

Thanks in advance for any help.

Script below:

****

#!/bin/bash

# block_internet_access script
# Control internet access using IPTABLES rules

case "$1" in
start)
# Apply firewall restrictions
# First set up so default policy is set to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Now flush out any existing rules and non-default chains
iptables -F
iptables -X
# Now allow full access to local lan only
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/24 -j ACCEPT
;;

stop)
# Now remove all rules and allow full access
# firewall is ineffect disabled. This is safe
# when behind a hardware firewall interface
# to the internet

# Now flush out any existing rules and non-default chains
iptables -F
iptables -X
# Set up default policy to ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
;;

restart)
# First set up so default policy is set to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Now flush out any existing rules and non-default chains
iptables -F
iptables -X
# Now allow full access to local lan only
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/24 -j ACCEPT
;;

*)
echo 'Only start, stop and restart arguments with this script'
exit 1
;;
esac
exit 0
;;

RE: reboot

Anonymous — Wed May 04, 2005 11:37 pm

Author: Anonymous

Posted: Wed May 04, 2005 11:37 pm

Thanks for the last couple of replies on the IP block addressing, I think I now just about understand it. If anyone else is interested I went hunting for some more information and found the following expanded further on the explainations helpfully given above.

http://www.freesoft.org/CIE/Course/Subnet/5.htm
http://www.freesoft.org/CIE/Course/Subnet/10.htm

and if you really think you understand it, you can answer a quiz, which I did (sad I know), at:
http://www.freesoft.org/CIE/Course/Subnet/quiz1a.cgi

Thank-you for your help.

Also thanks for the snort explanation.

RE: reboot

Anonymous — Wed May 04, 2005 8:37 am

Author: Anonymous

Posted: Wed May 04, 2005 8:37 am

Sorry about the snort code in the script. I simply copied and pasted my snort shell script instread of creating a new one.
Snort is a very good intrustion detection system that help idetify hacking atempts on your system.

just take this code out..

Giz
GBDesign - ERP for the SME - web based data driven solutions

RE: reboot

Anonymous — Wed May 04, 2005 4:24 am

Author: Anonymous

Posted: Wed May 04, 2005 4:24 am

Sorry,

Just correcting a typo, I meant:

... start their IP address with 192.168.1.

skecs

RE: reboot

Anonymous — Wed May 04, 2005 4:12 am

Author: Anonymous

Posted: Wed May 04, 2005 4:12 am

Hi.

tomdeb talked about a network mask of 24 bit because the IP Address is actually 4 bytes long, each byte is eight bits. Using binary numbers to represent each section of the IP address (the language computers understand) you have a sequence of 0's and 1's like this:

192.168.1.1 => 11000000.10101000.00000001.00000001

There fore the /24 blocks 24 bits => the first three sections are blocked and the network from 1 => 254 is accessible to other computers that start their IP address with 192.168.0.

skecs

RE: reboot

Anonymous — Tue May 03, 2005 10:42 pm

Author: Anonymous

Posted: Tue May 03, 2005 10:42 pm

Thank-you to the two people who have replied. I already have the rules in a simple script, to save typing the rules in each time. You have given me the pointers I needed as to a sensible way to graft this into the system.

I have question about the example script from gizard, I do not understand the line:
test -x $SNORT_PATH/snort || exit 0
as I don't know what snort is and I haven't had to use so far. Have I missed something?

Also I did some further searching on the web and found some old LXF articles:
http://www.davidcoulson.net/writing/lxf/38/iptables.pdf
http://www.davidcoulson.net/writing/lxf/39/iptables.pdf
http://davidcoulson.net/writing/lxf/14/iptables.pdf

The LXF14 ones talks about using iptables-save and iptables-restore, to save and re-store the rules, not something I have come across before, so I will stick to the script idea.

In the first reply from tomdeb, he said:
> because it s a 24 bit network mask covering the first 24 bits of the address.
> Thus 192.168.0.0 -> 192.168.0.255 are accessible.
2**24=16.7e6
I thought that the bits of an ip address between the dots were only three numbers, 000 -> 999 (I guess) and so only 1000 possibilities.
So I am afraid I still do not understand how:
192.168.0.0/24 (a range of 24 bits)
is equivalent to 192.168.0.0 to 192.168.0.999. (a range of 1000)
I have a feeling that I have a fundamental flaw in my understanding.

reboot

gizard — Tue May 03, 2005 3:37 pm

Author: gizard

Posted: Tue May 03, 2005 3:37 pm

I personally like to create boot shell scripts for this type of thing. I can then stop start and restart these without much hastle.

I.e.
/etc/inint.d/rc.3/myiptable stop

somthing like this might be useful

Code:

#!/bin/bash
# Control IPTABLE rules

# path to iptable
IPTABLE_PATH=/bin

# set interface
IFACE=eth0

# End of configuration

test -x $SNORT_PATH/snort || exit 0

case "$1" in
start)
# insert IPTABLE rules here
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/24 -j ACCEPT
;;

stop)
# flush IPTABLE rules here
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
;;
restart)
# flush IPTABLE rule
# Reset IPTABLE rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/24 -j ACCEPT
;;
*)
echo 'you can only use start - stop - restart with this script'
exit 1
;;
esac
exit 0
;;

not sure what your like at bashin the old shell but heres a link for ya that will show you what you need to know
http://www.tldp.org/LDP/abs/html/part1.html

Giz
GBDesign.net - ERP for SME - Data drive web design based solutions - PHP cert - mySQL cert

Re: iptables Questions - Linux Format LXF63 February 2005

tomdeb — Tue May 03, 2005 10:00 am

Author: tomdeb

Posted: Tue May 03, 2005 10:00 am

Anonymous wrote:

1) When I re-boot the settings are lost. They default back to a default of all ACCEPT and and my local lan ACCEPT rules have gone.
The article did not seem to mention what to do to make the changes stay after a re-boot.

create a simple bash script in /etc/init.d and then symlink it in your /etc/rc?.d.

Anonymous wrote:

2) A curiosity question. 192.168.0.0/24 refers to all devices on the subnet 192.168.0. I thought it would only refer to devices 0 to 24. I have checked that it does what the article says, 192.168.0.102 is covered by 192.168.0.0/24, and I am able to ping it on my lan. I just do not understand why.

because it s a 24 bit network mask covering the first 24 bits of the address. Thus 192.168.0.0 -> 192.168.0.255 are accessible.

iptables Questions - Linux Format LXF63 February 2005

Anonymous — Mon May 02, 2005 6:22 pm

Author: Anonymous

Posted: Mon May 02, 2005 6:22 pm

On one pc I needed to set it up so access to and from the internet was stopped (DROP) but access to and from the local lan was allowed (ACCEPT).

I followed the article in LXF63 (pp 54-55) and also looked at a couple of useful tutorials on the web. I was successful with the following comands:

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP
# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
# iptables -A OUTPUT -s 192.168.0.0/24 -j ACCEPT

Great. However, I have two questions:

1) When I re-boot the settings are lost. They default back to a default of all ACCEPT and and my local lan ACCEPT rules have gone.
The article did not seem to mention what to do to make the changes stay after a re-boot.

2) A curiosity question. 192.168.0.0/24 refers to all devices on the subnet 192.168.0. I thought it would only refer to devices 0 to 24. I have checked that it does what the article says, 192.168.0.102 is covered by 192.168.0.0/24, and I am able to ping it on my lan. I just do not understand why.

Thanks in advance for any help.