zansatsu (Author), Posted April 14, 2005

> Have a look at my howto here: How to disable your firewall
> You may need to install iptables first (urpmi iptables). You cannot 'just stop' the firewall, as shorewall (or any other firewall, including custom rule sets) just sets the netfilter rules, then exits. So you need to clear the rules and set the defaults to 'allow'. This is obviously not recommended for a running environment - just for testing.
> Chris

Holy cow, LinNeighborhood can now see my win2k machine after lowering my firewall. But I just lost internet connection sharing. Progress though....
streeter, Posted April 14, 2005

Looks like our posts just crossed over. Don't you just love ALL those rules shorewall makes :)

You need to type iptables -nvL for us to read the netfilter tables properly - the v adds more info, like interface info. E.g. the very first rule, ACCEPT all -- anywhere anywhere, could just be on one interface, or all of them... (if it is all, you are already wide open anyway)

Chris
streeter, Posted April 14, 2005

You will lose ICS, as it is a netfilter thing - we just disabled it :)

I personally dislike shorewall - read the iptables howtos and write your own rules - you will probably only need 10 lines or so, not all those shorewall ones that jump from table to table and are difficult to follow...

Chris
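The "clear the rules and set the defaults to allow" step from the howto quoted above, and the ICS casualty this post explains, as an added example that is not from the thread or from shorewall. It assumes eth1 is the internet side (as in the thread) and /root/iptables.before-test as the backup path, both adjustable through environment variables, and it only prints the commands unless DRY_RUN=0, so it can be read through before it touches a live box. What it adds to the thread: iptables -F empties a chain but leaves a DROP policy in place, flushing the nat table is what removes MASQUERADE and kills connection sharing, and iptables-save/iptables-restore give you a way back without a reboot.

```sh
#!/bin/sh
# Added example, not from the thread or from shorewall: take the firewall
# down for a test window without losing Internet Connection Sharing, and
# put it back afterwards. Assumptions: eth1 = internet (as in the thread),
# backup file path below.
NET_IF="${NET_IF:-eth1}"
BACKUP="${BACKUP:-/root/iptables.before-test}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; DRY_RUN=0 to apply

# run CMD ARGS...: execute, or print when dry-running
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# open_firewall: save the live ruleset, then really open up.
#  - iptables -F only empties a chain; a DROP policy survives it, so the
#    policies are set to ACCEPT explicitly.
#  - the nat table holds shorewall's MASQUERADE rule; flushing it is what
#    broke ICS in the thread, so forwarding and masquerading are re-added.
open_firewall() {
    run sh -c "iptables-save > $BACKUP"
    for t in filter nat mangle; do
        run iptables -t "$t" -F      # remove every rule
        run iptables -t "$t" -X      # then every now-empty user chain
    done
    for c in INPUT FORWARD OUTPUT; do
        run iptables -P "$c" ACCEPT
    done
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$NET_IF" -j MASQUERADE
}

# close_firewall: restore exactly what was running before, shorewall chains
# and policies included, without rebooting.
close_firewall() {
    run sh -c "iptables-restore < $BACKUP"
}

# policies_open: read `iptables -nL` output on stdin; succeed only when all
# three built-in filter chains report policy ACCEPT. Use it to confirm the
# box really is open before blaming something else for a blocked test.
policies_open() {
    awk '/^Chain (INPUT|FORWARD|OUTPUT) \(policy ACCEPT/ { n++ }
         END { exit (n == 3) ? 0 : 1 }'
}

case "${1:-}" in
    open)  open_firewall ;;
    close) close_firewall ;;
    check) iptables -nL | policies_open && echo "open" || echo "NOT open" ;;
esac
```

As root: DRY_RUN=0 ./open-for-test.sh open, run the test, then DRY_RUN=0 ./open-for-test.sh close. The check subcommand is the one to run before concluding that Samba, ping or LinNeighborhood is at fault: a chain that lists no rules can still have policy DROP.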
zansatsu (Author), Posted April 14, 2005

Here's iptables -nvL:

[root@aazwin2kmdk10 alex]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2    80 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
   88 37850 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
   10  1220 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 1 packets, 48 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    3   370 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    3   189 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2    80 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
   90 47205 fw2net     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
   12  1867 all2all    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain Drop (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   989 RejectAuth all  --  *      *       0.0.0.0/0            0.0.0.0/0
    4   989 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DropSMB    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DropUPnP   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dropNonSyn all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DropDNSrep all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DropDNSrep (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53

Chain DropSMB (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445

Chain DropUPnP (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900

Chain Reject (4 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 RejectAuth all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2   120 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2   120 RejectSMB  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DropUPnP   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dropNonSyn all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DropDNSrep all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RejectAuth (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113

Chain RejectSMB (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
    1    60 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
    1    60 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445

Chain all2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
   10  1747 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   120 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source               destination
    4   989 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast

Chain dropNonSyn (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02

Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   143 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
    3   189 loc2net    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2    96 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
   10  1220 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
    3   370 net2all    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   989 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
   88 37850 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
   81 46654 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    6   360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    3   191 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    8  1124 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 4443,137
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 4443,137
    2    96 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    46 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   143 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    3   370 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    4   989 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   84 36861 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 4443,137
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 4443,137
    4   989 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (11 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
    0     0 DROP       all  --  *      *       131.96.229.191       0.0.0.0/0
    0     0 DROP       all  --  *      *       192.168.1.255        0.0.0.0/0
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
    2   120 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain smurfs (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       131.96.229.191       0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       131.96.229.191       0.0.0.0/0
    0     0 LOG        all  --  *      *       192.168.1.255        0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       192.168.1.255        0.0.0.0/0
    0     0 LOG        all  --  *      *       255.255.255.255      0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 LOG        all  --  *      *       224.0.0.0/4          0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
streeter, Posted April 14, 2005

Nearly there... If you put the following rule at the end of /etc/rc.d/rc.local it should allow all communication coming in eth0:

iptables -I INPUT 2 -i eth0 -s 192.168.1.0/24 -j ACCEPT

It will insert the rule just below the one allowing all comms from localhost, and should be quite safe to leave in place. Either reboot, or type it in at the command line for it to work straight away.

Don't know how to configure shorewall to do the same - had a look and didn't like what I saw...

Chris
zansatsu (Author), Posted April 14, 2005

iptables -I INPUT 2 -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables: Index of insertion too big

Apparently iptables didn't like that.
streeter, Posted April 14, 2005

For the record: just followed the chains through - this is the rule stopping Samba (and other stuff) from communicating into eth0:

Chain all2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
xxxxxxxxxxxxxxxxxxxxx
    2   120 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chris
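The chain-following this post did by hand, as an added example that is not from the thread or from shorewall. The script reads `iptables -nvL` output on stdin, prints the tree of user-defined chains reachable from a starting chain with the packet counter of each jump, and then lists every terminal rule (a target that is not itself a chain) that has matched packets. On the ruleset posted above, INPUT leads through eth0_in -> loc2fw -> all2all -> Reject -> RejectSMB, and the reject leaves with non-zero counters are the ones for tcp dpt:139 and tcp dpt:445: Samba being refused. The embedded sample is a cut-down copy of that posted output, constructed here for the demonstration; on the full output, `reject` is itself a chain and the tracer descends one level further, to the REJECT tcp-reset rule.

```sh
#!/bin/sh
# Added example, not from the thread or from shorewall: follow netfilter
# chain jumps in `iptables -nvL` output. Counters are needed, so plain -L
# without -v will not do.

# trace_chains ROOT: stdin is the dump; prints the jump tree from ROOT and
# then every non-chain target that has matched packets.
trace_chains() {
    awk -v root="$1" '
        # Chain header: "Chain NAME (policy ... | N references)"
        /^Chain / {
            cur = $2
            if (!(cur in chains)) { chains[cur] = 1; order[++nc] = cur }
            next
        }
        /^ *pkts +bytes/ { next }               # column header line
        cur != "" && NF >= 3 {                  # a rule: $1 pkts, $3 target
            i = ++nr[cur]
            tgt[cur, i] = $3; pk[cur, i] = $1; txt[cur, i] = $0
        }
        function walk(c, depth,    i, t, ind, j) {
            if (c in onpath) return             # guard against a looping ruleset
            onpath[c] = 1
            ind = ""; for (j = 0; j < depth; j++) ind = ind "  "
            for (i = 1; i <= nr[c]; i++) {
                t = tgt[c, i]
                if (t in chains) {
                    printf "%s%s -> %s (%d pkts)\n", ind, c, t, pk[c, i]
                    walk(t, depth + 1)
                }
            }
            delete onpath[c]
        }
        END {
            if (!(root in chains)) { print "no such chain: " root; exit 1 }
            print root
            walk(root, 1)
            print ""
            print "terminal rules with hits:"
            for (k = 1; k <= nc; k++) {
                c = order[k]
                for (i = 1; i <= nr[c]; i++)
                    if (!(tgt[c, i] in chains) && pk[c, i] > 0)
                        printf "  %-10s %s\n", c, txt[c, i]
            }
        }'
}

# Constructed sample: a subset of the `iptables -nvL` output posted in the
# thread, trimmed to the chains on the eth0 -> Samba path.
SAMPLE_DUMP='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2    80 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   10  1220 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain Reject (4 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 RejectSMB  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RejectSMB (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
    1    60 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
    1    60 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445

Chain all2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
   10  1747 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   120 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   10  1220 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    8  1124 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0'

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_DUMP" | trace_chains INPUT ;;
    live) trace_chains "${2:-INPUT}" ;;      # iptables -nvL | ./trace.sh live INPUT
esac
```

Reset the counters first (iptables -Z), reproduce the failure once, then trace: the only leaves with non-zero counters are then the rules that handled the failing traffic, which removes the guesswork from "which of these forty chains bit me".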
streeter, Posted April 14, 2005

> iptables -I INPUT 2 -i eth0 -s 192.168.1.0/24 -j ACCEPT
> iptables: Index of insertion too big
> Apparently iptables didn't like that.

You must have cleared the tables out - reboot first so that shorewall has done its stuff. The rule is in addition to shorewall.

Chris
zansatsu (Author), Posted April 14, 2005

Ok, will do.
zansatsu (Author), Posted April 14, 2005

Good stuff, it worked like a charm! Not only is ICS working but both machines can see each other. Now if I can get samba to function properly I will be in business. Thank you for your help. You are a linux guru.
zansatsu (Author), Posted April 14, 2005

Still unable to ping my windows machine from linux, and there is no firewall on my windows machine. =(
streeter, Posted April 14, 2005

It's that same rule in the all2all table again... try:

iptables -I OUTPUT 3 -o eth0 -s 127.0.0.1 -j ACCEPT

I think that will allow anything from localhost to go out eth0. The return is already taken care of in the other 'addon' rule...

Chris
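The two hand-typed rules in this post and the earlier "-I INPUT 2" one, reworked as an added example that is not from the thread. Both originals hard-code a rule position, which is why the INPUT one failed with "Index of insertion too big" on an emptied chain, and which would silently put the rule in the wrong place if shorewall's rule order changed. This version reads the position out of iptables -S instead and places each LAN rule directly after shorewall's loopback ACCEPT, or at position 1 when that rule is absent. One further change: a ping from the firewall to a LAN host leaves with the eth0 address as its source, not 127.0.0.1, so the OUTPUT rule matches on the outgoing interface and the LAN subnet rather than on the loopback address. It assumes eth0 and 192.168.1.0/24 as in the thread (both overridable), uses iptables -C (1.4.11 or later) for the already-present check, and prints rather than applies unless DRY_RUN=0; the embedded -S dumps are constructed, modelled on the shorewall ruleset posted above.

```sh
#!/bin/sh
# Added example, not from the thread: add LAN allow rules on top of shorewall
# at a position computed from the live ruleset instead of a hard-coded index.
# Assumptions: eth0 = LAN, 192.168.1.0/24 = LAN subnet.
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands; DRY_RUN=0 to apply

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# insert_index PATTERN: read `iptables -S CHAIN` on stdin and print the
# 1-based position immediately after the first rule matching PATTERN (an
# awk regex), or 1 if nothing matches. Only "-A" lines are rules: the
# leading "-P CHAIN POLICY" line is the policy and must not be counted,
# which is the off-by-one a hand count of `iptables -L` output invites.
insert_index() {
    awk -v pat="$1" '
        /^-A / { n++; if (!found && $0 ~ pat) found = n }
        END { print (found ? found + 1 : 1) }'
}

# lan_rule_cmds INPUT_DUMP OUTPUT_DUMP: given the text of `iptables -S INPUT`
# and `iptables -S OUTPUT`, print the two iptables commands to run. The
# INPUT rule goes right after "-i lo -j ACCEPT", the OUTPUT rule right after
# "-o lo -j ACCEPT"; on a flushed chain both come out as position 1, where
# the thread's "-I INPUT 2" failed.
lan_rule_cmds() {
    in_idx=$(printf '%s\n' "$1" | insert_index ' -i lo -j ACCEPT$')
    out_idx=$(printf '%s\n' "$2" | insert_index ' -o lo -j ACCEPT$')
    echo "iptables -I INPUT $in_idx -i $LAN_IF -s $LAN_NET -j ACCEPT"
    echo "iptables -I OUTPUT $out_idx -o $LAN_IF -d $LAN_NET -j ACCEPT"
}

# add_lan_rules: the same against the running kernel (needs root). A rule
# that is already present is skipped (iptables -C), so this is safe to run
# from rc.local on every boot and again after `shorewall restart` wipes it.
add_lan_rules() {
    lan_rule_cmds "$(iptables -S INPUT)" "$(iptables -S OUTPUT)" |
    while read -r cmd; do
        check=$(echo "$cmd" | sed 's/ -I \([A-Z]*\) [0-9]* / -C \1 /')
        if $check 2>/dev/null; then
            echo "already present: ${cmd#iptables }"
        else
            run $cmd
        fi
    done
}

# Constructed sample dumps, shaped like shorewall's INPUT/OUTPUT in the thread.
SAMPLE_INPUT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT ! -p icmp -m state --state INVALID -j DROP
-A INPUT -i eth1 -j eth1_in
-A INPUT -i eth0 -j eth0_in'
SAMPLE_OUTPUT='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -p icmp -m state --state INVALID -j DROP
-A OUTPUT -o eth1 -j fw2net
-A OUTPUT -o eth0 -j all2all'

case "${1:-}" in
    demo)  lan_rule_cmds "$SAMPLE_INPUT" "$SAMPLE_OUTPUT" ;;
    apply) add_lan_rules ;;
esac
```

Put `DRY_RUN=0 /path/to/lan-rules.sh apply` at the end of /etc/rc.d/rc.local, after shorewall has started, as the thread suggests for the single rule. If you would rather keep shorewall's INVALID-state DROP ahead of the LAN rule, pass a pattern for that line to insert_index instead of the loopback one. The rules still disappear on `shorewall restart`; that is the cost of adding rules behind shorewall's back rather than in its own configuration.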
zansatsu (Author), Posted April 15, 2005

I think I was premature in my celebration. I'm back to square one: no ping from linux to my windows machine, and the two computers no longer see each other. I'm half tempted to completely delete my current iptables configuration and start from scratch. Suggestions?
aioshin, Posted April 15, 2005 (edited)

> I think I was premature in my celebration. I'm back to square one: no ping from linux to my windows machine, and the two computers no longer see each other. I'm half tempted to completely delete my current iptables configuration and start from scratch. Suggestions?

OK, hope this can help you:

1. Try to stop shorewall from running during start-up; we will try to use rc.firewall instead.
2. Create a script named rc.firewall in the directory /etc/rc.d.
3. Command, as root: vi /etc/rc.d/rc.firewall (actually you can name it whatever you like).
4. Copy and paste the script below; it works for me using Mandrake 10.0.
5. Anyway, you can just delete it if it does not work.
6. After you have created the file rc.firewall with the script in it, try: chmod a+x /etc/rc.d/rc.firewall
7. Then you can run it: /etc/rc.d/rc.firewall
8. Then you can check with iptables -L, which will list the iptables entries.
9. If you want to run it during start-up, try this: vi /etc/rc.d/rc.local
10. At the end of that file, insert /etc/rc.d/rc.firewall
11. That should start it during your PC's start-up.

#****************Script**************************
#!/bin/sh
# rc.firewall - replaces shorewall
# eth0 - connected to LAN
# eth1 - connected to internet

# flush existing rules
iptables -F

# Allow incoming SSH requests from the LAN, reject SSH from the internet
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -j REJECT

# Allow incoming HTTP requests (to the web server)
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT

# Accept SMB connections (and other ports) from the LAN
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 135,137,138,139,445,143,10000 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m multiport --dports 135,137,138,139,445 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT

# Deny SMB and the other ports from the internet
iptables -A INPUT -i eth1 -p tcp -m multiport --dports 135,137,138,139,445,143,10000,4559 -j DROP
iptables -A INPUT -i eth1 -p udp -m multiport --dports 135,137,138,139,445,143,4559 -j DROP

# Anti-spoofing: private source addresses must never arrive on the internet interface
# (172.16.0.0/12 is the whole RFC 1918 block; /16 would only cover part of it)
iptables -A FORWARD -s 192.168.0.0/24 -i eth1 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -i eth1 -j DROP
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

# Allow ICMP from the LAN, reject ICMP from the internet
iptables -A INPUT -i eth0 -p icmp -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -j REJECT

# Allow SMTP access from the local network
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT

# Configure NAT - allow this host to become the internet gateway for the other hosts
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Transparent proxy (not used): redirect LAN web traffic to the proxy on port 3128
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128

# Drop and log all other data arriving on a non-loopback interface.
# The limit match caps logging at 3 lines per second (burst 5), so a flood
# of dropped packets cannot fill the disk or bog down the box the firewall
# runs on. The log lines go to your system log file, /var/log/syslog
# (or /var/log/messages, depending on the syslog configuration).
iptables -A INPUT -m limit --limit 3/second --limit-burst 5 ! -i lo -j LOG
iptables -A INPUT ! -i lo -j DROP

Edited April 15, 2005 by aioshin
aioshin, Posted April 15, 2005

Just try to remove those ports that you don't actually use.