Mothra, Mon! Firewall script troubleshooting (long)


Post by Rich Gris » Fri, 04 Jun 2004 22:10:00



I've downloaded monmotha, and edited it to a certain degree - here's that
part:
# -------------------------------------------------------------------------

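# Main Options
#
# Configuration section of rc.firewall (monmotha). Only variables are set
# here; the script body that reads them follows this section and is not
# shown. The inline help for ALLOW_OUT_TCP / PROXY / MY_IP / DMZ_IFACE had
# been line-wrapped into bare (non-comment) lines, which bash would try to
# execute or reject as a syntax error; it is restored as comment lines here.
#
# NOTE(review): the run output shows one chain named "LREJECTLTREJECT" being
# created instead of separate LREJECT and LTREJECT chains, and the
# "No chain/target/match by that name" errors appear exactly while the
# script populates LREJECT and LTREJECT. That is consistent with a missing
# separator in the chain list further down the script (not in this section);
# confirm against the unedited original.
#
# NOTE(review): in the resulting ULREJECT chain the icmp ULOG rule carries
# the prefix `LREJECT_UDP' while every other chain uses an _ICMP prefix;
# looks like a copy/paste typo in the script body, harmless but misleading
# when reading logs.

IPTABLES="/usr/sbin/iptables"      # path to the iptables binary
TCP_ALLOW="22"                     # TCP ports accepted on INET_IFACE from any source (0/0)
UDP_ALLOW="68 6112 6119 4000"      # UDP ports accepted on INET_IFACE from any source (0/0);
                                   # 68 (bootpc) is what the scan sites report as the
                                   # open "bootp" port - presumably needed by the DHCP
                                   # client on INET_IFACE, confirm before removing it
INET_IFACE="eth0"                  # Internet-facing interface
LAN_IFACE="eth1"                   # LAN interface
INTERNAL_LAN="10.0.0.0/8"          # trusted LAN: accepted on INPUT and FORWARD
MASQ_LAN="10.0.0.0/8"              # LAN range masqueraded out via INET_IFACE
SNAT_LAN=""
# DROP names the chain used for unwanted packets. TREJECT answers TCP with a
# RST and UDP/other with icmp-port-unreachable (see the TREJECT chain in the
# resulting ruleset), which is why port scanners report "closed" rather
# than "stealthed". The script also creates LDROP (logged silent drop);
# it appears to be selectable here instead, e.g. DROP="LDROP" - verify
# against the script's config help.
DROP="TREJECT"
DENY_ALL=""
DENY_HOSTWISE_TCP=""
DENY_HOSTWISE_UDP=""
BLACKHOLE=""
BLACKHOLE_DROP="DROP"
ALLOW_HOSTWISE_TCP=""
ALLOW_HOSTWISE_UDP=""
TCP_FW=""
UDP_FW=""
MANGLE_TOS_OPTIMIZE="FALSE"
DHCP_SERVER="TRUE"                 # adds the INPUT accept for udp dpt:bootps
BAD_ICMP="5 9 10 15 16 17 18"      # ICMP types rejected on INET_IFACE (redirect,
                                   # router adv/sol, 15/16, address-mask req/reply)
ENABLE="Y"

# Flood Params (become "limit: avg N/sec burst 5" matches in the ruleset)
LOG_FLOOD="2/s"                    # rate limit applied to every LOG/ULOG rule
SYN_FLOOD="20/s"                   # new TCP SYNs above this rate are logged and rejected
PING_FLOOD="1/s"                   # echo-requests above this rate are rejected

# Outbound filters
# FIXME: Update config help wiki then remove one-liner help
# ALLOW_OUT_TCP: Internal hosts allowed to be forwarded out on TCP (do not
# put this/these host/s in INTERNAL_LAN, but do define their method of
# access [snat, masq] if not a public ip)
ALLOW_OUT_TCP=""
# PROXY: Redirect for Squid or other TRANSPARENT proxy. Syntax to specify
# the proxy is "host:port".
PROXY=""
# MY_IP: Set to the internal IP of this box (with the firewall), only
# needed for PROXY=
MY_IP=""

# Below here is experimental (please report your successes/failures)
MAC_MASQ=""                        # Currently Broken
MAC_SNAT=""                        # Ditto...
TTL_SAFE=""
USE_SYNCOOKIES="FALSE"             # run output: "IP SynCookies...disabled."
RP_FILTER="TRUE"                   # run output: "Route Verification...activated"
ACCEPT_SOURCE_ROUTE="FALSE"        # run output: "Refusing Source Routed Packets"
SUPER_EXEMPT=""
BRAINDEAD_ISP="FALSE"
ALLOW_HOSTWISE_PROTO=""

# Only touch these if you're daring (PREALPHA stuff, as in basically
# non-functional)
# DMZ_IFACE: Interface your DMZ is on (leave blank if you don't have one)
# - Obsolete: Will be removed before 2.4.0
DMZ_IFACE=""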

# ----------------------------------------------------------------------|
# These control basic script behavior; there should be no need to       |
#       change any of these settings for normal use.                    |
# ----------------------------------------------------------------------|
----------------------------------------------------------------------------
--------------
And /dev/rob0 reminded me to post data :-)
Here's some stuff before running rc.firewall or anything:
----------------------------------------------------------------------------
--------------
root@ops:/etc/rc.d# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
4.11.176.0      *               255.255.252.0   U     0      0        0 eth0
10.0.0.0        *               255.0.0.0       U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         wbar5-lax1-4-11 0.0.0.0         UG    0      0        0 eth0
root@ops:/etc/rc.d# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@ops:/etc/rc.d#
root@ops:~# lsmod
Module                  Size  Used by    Not tainted
snd-pcm-oss            37252   0  (unused)
snd-mixer-oss          11992   0  [snd-pcm-oss]
parport_pc             14724   1  (autoclean)
lp                      6752   0  (autoclean)
parport                23264   1  (autoclean) [parport_pc lp]
tulip                  40928   1
uhci                   24496   0  (unused)
ehci-hcd               16872   0  (unused)
usbcore                58400   1  [uhci ehci-hcd]
snd-via82xx            11712   0
snd-pcm                55904   0  [snd-pcm-oss snd-via82xx]
snd-timer              13252   0  [snd-pcm]
snd-ac97-codec         37240   0  [snd-via82xx]
snd-page-alloc          6004   0  [snd-via82xx snd-pcm]
snd-mpu401-uart         3136   0  [snd-via82xx]
snd-rawmidi            12512   0  [snd-mpu401-uart]
snd-seq-device          3920   0  [snd-rawmidi]
snd                    27460   0  [snd-pcm-oss snd-mixer-oss snd-via82xx
snd-pcm snd-timer snd-ac97-codec snd-mpu401-uart snd-rawmidi snd-seq-device]
soundcore               3332   4  [snd]
via-rhine              13552   1
mii                     2304   0  [via-rhine]
crc32                   2880   0  [tulip via-rhine]
pcmcia_core            40032   0
ide-scsi                9424   0
agpgart                39576   0  (unused)
root@ops:~#
----------------------------------------------------------------------------
-------------
Here's lsmod after running modprobe ip_tables:
root@ops:/etc/rc.d# lsmod
Module                  Size  Used by    Not tainted
ipt_MASQUERADE          1272   1  (autoclean)
iptable_mangle          2072   0  (autoclean) (unused)
iptable_nat            15928   1  (autoclean) [ipt_MASQUERADE]
ipt_REJECT              3160   7  (autoclean)
ipt_limit                856  21  (autoclean)
ipt_state                536   4  (autoclean)
ip_conntrack           18120   2  (autoclean) [ipt_MASQUERADE iptable_nat
ipt_state]
ipt_LOG                 3384   7  (autoclean)
ipt_ULOG                3432  12  (autoclean)
iptable_filter          1644   1  (autoclean)
ip_tables              12288  11  [ipt_MASQUERADE iptable_mangle iptable_nat
ipt_REJECT ipt_limit ipt_state ipt_LOG ipt_ULOG iptable_filter]
snd-pcm-oss            37252   0  (unused)
snd-mixer-oss          11992   0  [snd-pcm-oss]
parport_pc             14724   1  (autoclean)
lp                      6752   0  (autoclean)
parport                23264   1  (autoclean) [parport_pc lp]
tulip                  40928   1
uhci                   24496   0  (unused)
ehci-hcd               16872   0  (unused)
usbcore                58400   1  [uhci ehci-hcd]
snd-via82xx            11712   0
snd-pcm                55904   0  [snd-pcm-oss snd-via82xx]
snd-timer              13252   0  [snd-pcm]
snd-ac97-codec         37240   0  [snd-via82xx]
snd-page-alloc          6004   0  [snd-via82xx snd-pcm]
snd-mpu401-uart         3136   0  [snd-via82xx]
snd-rawmidi            12512   0  [snd-mpu401-uart]
snd-seq-device          3920   0  [snd-rawmidi]
snd                    27460   0  [snd-pcm-oss snd-mixer-oss snd-via82xx
snd-pcm snd-timer snd-ac97-codec snd-mpu401-uart snd-rawmidi snd-seq-device]
soundcore               3332   4  [snd]
via-rhine              13552   1
mii                     2304   0  [via-rhine]
crc32                   2880   0  [tulip via-rhine]
pcmcia_core            40032   0
ide-scsi                9424   0
agpgart                39576   0  (unused)
root@ops:/etc/rc.d#
--------------------------------------------------------------
And here's a run of the script:
root@ops:/etc/rc.d# ./rc.firewall
Loading iptables firewall:
Checking configuration...passed
Performing TCP_ALLOW and UDP_ALLOW alias preprocessing...done
Checking IP Forwarding...enabled.
Checking IP SynCookies...disabled.
Checking Route Verification...activated:eth0 activated:eth1
Refusing Source Routed Packets via SysCtl...activated:eth0 activated:eth1
Flush: INPUT OUTPUT1 FORWARD PREROUTING1 OUTPUT2 POSTROUTING PREROUTING2
OUTPUT3Creating chains: INETIN INETOUT DMZIN DMZOUT TCPACCEPT UDPACCEPT
LDROP LREJECTLTREJECT TREJECT ULDROP ULREJECT ULTREJECT
Default Policies: INPUT:DROP OUTPUT:ACCEPT FORWARD:DROP
Setting up drop chains chains: LDROP iptables: No chain/target/match by that
name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
LREJECT TREJECT iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
LTREJECT ULDROP ULREJECT ULTREJECT
Setting up per-proto ACCEPT: TCPACCEPT UDPACCEPT
TREJECTing invalid packets...done
Setting up INET chains: INETIN INETOUT
Local Traffic Rules: 10.0.0.0/8:ACCEPT loopback:ACCEPT dhcp:ACCEPT
Setting up masquerading: 10.0.0.0/8:MASQUERADE
TREJECTing ICMP messages specified in BAD_ICMP...5 9 10 15 16 17 18
Flood limiting: ICMP-PING
Allowing the rest of the ICMP messages in...done
Hostwise TCP Allows: 0/0>22
Hostwise UDP Allows: 0/0>68 0/0>6112 0/0>6119 0/0>4000
Allowing established outbound connections back in...done
Allowing related inbound connections...done
Setting up INET policies: INETIN:TREJECT INETOUT:ACCEPT
Done loading the firewall!
root@ops:/etc/rc.d#
--------------------------------------------------------------
And the resulting iptables:
Chain INPUT (policy DROP)
target     prot opt source               destination
INETIN     all  --  anywhere             anywhere
ACCEPT     all  --  10.0.0.0/8           anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere           udp dpt:bootps

Chain FORWARD (policy DROP)
target     prot opt source               destination
INETIN     all  --  anywhere             anywhere
INETOUT    all  --  anywhere             anywhere
ACCEPT     all  --  10.0.0.0/8           anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
INETOUT    all  --  anywhere             anywhere

Chain DMZIN (0 references)
target     prot opt source               destination

Chain DMZOUT (0 references)
target     prot opt source               destination

Chain INETIN (2 references)
target     prot opt source               destination
TREJECT    all  --  anywhere             anywhere           state INVALID
TREJECT    icmp --  anywhere             anywhere           icmp redirect
TREJECT    icmp --  anywhere             anywhere           icmp
router-advertisement
TREJECT    icmp --  anywhere             anywhere           icmp
router-solicitation
TREJECT    icmp --  anywhere             anywhere           icmp type 15
TREJECT    icmp --  anywhere             anywhere           icmp type 16
TREJECT    icmp --  anywhere             anywhere           icmp
address-mask-request
TREJECT    icmp --  anywhere             anywhere           icmp
address-mask-reply
ACCEPT     icmp --  anywhere             anywhere           icmp
echo-request limit: avg 1/sec burst 5
TREJECT    icmp --  anywhere             anywhere           icmp
echo-request
ACCEPT     icmp --  anywhere             anywhere           icmp
!echo-request
TCPACCEPT  tcp  --  anywhere             anywhere           tcp dpt:ssh
UDPACCEPT  udp  --  anywhere             anywhere           udp dpt:bootpc
UDPACCEPT  udp  --  anywhere             anywhere           udp dpt:6112
UDPACCEPT  udp  --  anywhere             anywhere           udp dpt:6119
UDPACCEPT  udp  --  anywhere             anywhere           udp dpt:4000
ACCEPT     all  --  anywhere             anywhere           state
ESTABLISHED
TCPACCEPT  tcp  --  anywhere             anywhere           tcp
dpts:1024:65535 state RELATED
UDPACCEPT  udp  --  anywhere             anywhere           udp
dpts:1024:65535 state RELATED
TREJECT    all  --  anywhere             anywhere

Chain INETOUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain LDROP (0 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere           limit: avg 2/sec
burst 5 LOG level info prefix `TCP Dropped '
LOG        udp  --  anywhere             anywhere           limit: avg 2/sec
burst 5 LOG level info prefix `UDP Dropped '
LOG        icmp --  anywhere             anywhere           limit: avg 2/sec
burst 5 LOG level info prefix `ICMP Dropped '
LOG        all  -f  anywhere             anywhere           limit: avg 2/sec
burst 5 LOG level warning prefix `FRAGMENT Dropped '
DROP       all  --  anywhere             anywhere

Chain LREJECTLTREJECT (0 references)
target     prot opt source               destination

Chain TCPACCEPT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp
flags:SYN,RST,ACK/SYN limit: avg 20/sec burst 5
LOG        tcp  --  anywhere             anywhere           tcp
flags:SYN,RST,ACK/SYN limit: avg 2/sec burst 5 LOG level warning prefix
`Possible SynFlood '
TREJECT    tcp  --  anywhere             anywhere           tcp
flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere           tcp
flags:!SYN,RST,ACK/SYN
LOG        all  --  anywhere             anywhere           limit: avg 2/sec
burst 5 LOG level warning prefix `Mismatch in TCPACCEPT '
TREJECT    all  --  anywhere             anywhere

Chain TREJECT (13 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere           reject-with
tcp-reset
REJECT     udp  --  anywhere             anywhere           reject-with
icmp-port-unreachable
DROP       icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere           reject-with
icmp-port-unreachable

Chain UDPACCEPT (5 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere           limit: avg 2/sec
burst 5 LOG level warning prefix `Mismatch on UDPACCEPT '
TREJECT    all  --  anywhere             anywhere

Chain ULDROP (0 references)
target     prot opt source               destination
ULOG       tcp  --  anywhere             anywhere           limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_TCP' queue_threshold 1
ULOG       udp  --  anywhere             anywhere           limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_UDP' queue_threshold 1
ULOG       icmp --  anywhere             anywhere           limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_ICMP' queue_threshold 1
ULOG       all  -f  anywhere             anywhere           limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_FRAG' queue_threshold 1
DROP       all  --  anywhere             anywhere

Chain ULREJECT (0 references)
target     prot opt source               destination
ULOG       tcp  --  anywhere             anywhere           limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_TCP' queue_threshold 1
ULOG       udp  --  anywhere             anywhere           limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_UDP' queue_threshold 1
ULOG       icmp --  anywhere             anywhere           limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_UDP' queue_threshold 1
ULOG       all  -f  anywhere             anywhere           limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_FRAG' queue_threshold 1
REJECT     all  --  anywhere             anywhere           reject-with
icmp-port-unreachable

Chain ULTREJECT (0 references)
target     prot opt source               destination
ULOG       tcp  --  anywhere             anywhere           limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_TCP' queue_threshold 1
ULOG       udp  --  anywhere             anywhere           limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_UDP' queue_threshold 1
ULOG       icmp --  anywhere             anywhere           limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_ICMP' queue_threshold 1
ULOG       all  -f  anywhere             anywhere           limit: avg 2/sec
burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_FRAG' queue_threshold 1
REJECT     tcp  --  anywhere             anywhere           reject-with
tcp-reset
REJECT     udp  --  anywhere             anywhere           reject-with
icmp-port-unreachable
DROP       icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere           reject-with
icmp-port-unreachable

----------------------------------------------------------------------------
-
and the output of "route" is the same as above.

Stuff is getting through, obviously (i.e. this post), and I've visited a
bunch of those "check your ports" sites; the general consensus seems to be
that all the ports are "closed" but not "stealthed," so I should buy their
firewall. Interestingly, the ssh port and the bootp port were open - the site
said that the bootp port is used by DHCP. I also get a message when DHCP
starts, something like "No subnet declaration for 4.10.x.x. Not listening,
if this is not what you want, ..." etc.

Is that a hole? And should I turn off SSH, and if so, how?

Anyway, I hope this is enough to work with to find out what I've done wrong.

Thanks!
Rich

P.S. is it eerie, that I encounter a firewall named Mothra right after
fielding a project called KeyZilla?
R