ez-ipupdate and iptables

ez-ipupdate and iptables

Post by Sam Dunh » Thu, 14 Aug 2003 06:01:41



I have Mandrake 9.1 and am running ez-ipupdate. The problem I'm
running into is that when the IP address changes, IPTables seems to
block traffic from ez-ipupdate. If I do a:

/etc/rc.d/init.d/network restart
/etc/rc.d/init.d/rc.firewall restart
killall -HUP ez-ipupdate

Everything works until the IP address changes again.

Here's my rc.firewall:

=============================================================================

#!/bin/sh

# This is the location of the iptables command
IPTABLES="/sbin/iptables"

case "$1" in
   stop)
      echo "Shutting down firewall..."
      $IPTABLES -F
      $IPTABLES -F -t mangle
      $IPTABLES -F -t nat
      $IPTABLES -X
      $IPTABLES -X -t mangle
      $IPTABLES -X -t nat

      $IPTABLES -P INPUT ACCEPT
      $IPTABLES -P OUTPUT ACCEPT
      $IPTABLES -P FORWARD ACCEPT
      echo "...done"
      ;;
   status)
      echo $"Table: filter"
      iptables --list
      echo $"Table: nat"
      iptables -t nat --list
      echo $"Table: mangle"
      iptables -t mangle --list
      ;;
   restart|reload)
      $0 stop
      $0 start
      ;;
   start)
    echo "Starting Firewall..."
    echo ""

##--------------------------Begin Firewall---------------------------------##

#----Default-Interfaces-----#

## Default external interface (used if EXTIF isn't specified on the command line)
DEFAULT_EXTIF="eth0"
## Address of the default external interface. EXTIF is only set further down,
## so the default is used here; the rules themselves rely on EXTIP (below).
IP=`/sbin/ifconfig $DEFAULT_EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e s/.*://`

## Default internal interface (used if INTIF isn't specified on the command line)
DEFAULT_INTIF="eth1"

#----Special Variables-----#

# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
XWINPORTS="6000:6063"

# Ports for IRC-Connection-Tracking
IRCPORTS="6665,6666,6667,6668,6669,7000"

#-----Port-Forwarding Variables-----#

#For port-forwarding to an internal host, define a variable with the appropriate
#internal IP-Address here and take a look at the port-forwarding sections in the
#FORWARD + PREROUTING-chain:

#These are examples, uncomment to activate

#IP for forwarded Battlecom-traffic
#BATTLECOMIP="192.168.0.5"

#IP for forwarded HTTP-traffic
#HTTPIP="192.168.0.20"

#----Flood Variables-----#

# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"

# Overall Limit for Loggging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"

# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"

#----Automatically determine infos about involved interfaces-----#

### External Interface:

## Get external interface from command-line
## If no interface is specified then set $DEFAULT_EXTIF as EXTIF
#if [ "x$2" != "x" ]; then
#   EXTIF=$2
#else
   EXTIF=$DEFAULT_EXTIF
#fi
echo External Interface: $EXTIF

## Determine external IP
EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`"
  if [ "$EXTIP" = '' ]; then
     echo "Aborting: Unable to determine the IP-address of $EXTIF !"
     exit 1
  fi
echo External IP: $EXTIP

## Determine external gateway (gateway column of the default route, flags contain G)
EXTGW=`route -n | awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2 }'`
echo Default GW: $EXTGW

echo " --- "

### Internal Interface:

## Get internal interface from command-line
## If no interface is specified then set $DEFAULT_INTIF as INTIF
if [ "x$3" != "x" ]; then
   INTIF=$3
else
   INTIF=$DEFAULT_INTIF
fi
echo Internal Interface: $INTIF

## Determine internal IP
INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`"
  if [ "$INTIP" = '' ]; then
     echo "Aborting: Unable to determine the IP-address of $INTIF !"
     exit 1
  fi  
echo Internal IP: $INTIP

## Determine internal netmask
INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
echo Internal Netmask: $INTMASK

## Determine network address of the internal network
INTLAN=$INTIP'/'$INTMASK
echo Internal LAN: $INTLAN

echo ""

#----Load IPTABLES-modules-----#

#Insert modules- should be done automatically if needed

#If the IRC-modules are available, uncomment them below

echo "Loading IPTABLES modules"

dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
#/sbin/modprobe ip_nat_irc ports=$IRCPORTS
dmesg -n 6

echo " --- "

#----Clear/Reset all chains-----#

#Clear all IPTABLES-chains

#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#----Set network sysctl options-----#

echo "Setting sysctl options"

#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Set out local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack

echo " --- "

echo "Creating user-chains"

#----Create logging chains-----#

##These are the logging-chains. They all have a certain limit of
##log-entries/sec to prevent log-flooding
##The syslog-entries will be fireparse-compatible (see http://www.fireparse.com)

#Invalid packets (not ESTABLISHED,RELATED or NEW)
        $IPTABLES -N LINVALID
        $IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP "
        $IPTABLES -A LINVALID -j DROP

#TCP-Packets with one or more bad flags
        $IPTABLES -N LBADFLAG
        $IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
        $IPTABLES -A LBADFLAG -j DROP

#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
        $IPTABLES -N LSPECIALPORT
        $IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP "
        $IPTABLES -A LSPECIALPORT -j DROP

#Logging of possible TCP-SYN-Floods
        $IPTABLES -N LSYNFLOOD
        $IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
        $IPTABLES -A LSYNFLOOD -j DROP

#Logging of possible Ping-Floods
        $IPTABLES -N LPINGFLOOD
        $IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
        $IPTABLES -A LPINGFLOOD -j DROP

#All other dropped packets
        $IPTABLES -N LDROP
        $IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "
        $IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "
        $IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
        $IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "
        $IPTABLES -A LDROP -j DROP

#All other rejected packets
        $IPTABLES -N LREJECT
        $IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT "
        $IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT "
        $IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
        $IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT "
        $IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
        $IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
        $IPTABLES -A LREJECT -j REJECT

#----Create Accept-Chains-----#

#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in

        $IPTABLES -N TCPACCEPT
        $IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
        $IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
        $IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

#----Create special User-Chains-----#

#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible
#flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

        $IPTABLES -N CHECKBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG

#FILTERING FOR SPECIAL PORTS

        #Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)

                #SMB-Traffic
                $IPTABLES -N SMB

                $IPTABLES -A SMB -p tcp --dport 137 -j DROP
                $IPTABLES -A SMB -p tcp --dport 138 -j DROP
                $IPTABLES -A SMB -p tcp --dport 139 -j DROP
                $IPTABLES
...


 
 
 

ez-ipupdate and iptables

Post by Jeremia d » Thu, 14 Aug 2003 13:27:47



> I have Mandrake 9.1 and am running ez-ipupdate. The problem I'm
> running into is that when the IP address changes, IPTables seems to
> block traffic from ez-ipupdate. If I do a:

The firewall needs to be restarted as well.

 
 
 

ez-ipupdate and iptables

Post by Sam Dunh » Thu, 14 Aug 2003 22:53:39




> > I have Mandrake 9.1 and am running ez-ipupdate. The problem I'm
> > running into is that when the IP address changes, IPTables seems to
> > block traffic from ez-ipupdate. If I do a:
>  The firewall needs to be restarted as well.

Okay, how do I get the firewall to restart after the IP address
changes, but before ez-ipupdate executes?

Thanks,
Sam

 
 
 

ez-ipupdate and iptables

Post by Jeremia d » Thu, 14 Aug 2003 23:44:40



> Okay, how do I get the firewall to restart after the IP address
> changes, but before ez-ipupdate executes?

> Thanks,
> Sam

You could just make a small script to stop the firewall, run your ipupdate,
then start the firewall again.
 
 
 

ez-ipupdate and iptables

Post by Rich Piotrowsk » Thu, 14 Aug 2003 23:48:14





>> > I have Mandrake 9.1 and am running ez-ipupdate. The problem I'm
>> > running into is that when the IP address changes, IPTables seems to
>> > block traffic from ez-ipupdate. If I do a:
>>  The firewall needs to be restarted as well.

>Okay, how do I get the firewall to restart after the IP address
>changes, but before ez-ipupdate executes?

>Thanks,
>Sam

Sam,

I use a different approach. I do not run ez-ipupdate as a daemon.

What dhcp client do you use? I use dhclient. From dhclient-exit-hooks
I call the following script.

############# start rc.updatedns ################

#!/bin/bash
exec >> /var/log/dhclient.log 2>&1

# Updated by RP on 07/06/2003

# Show ip address ($new_ip_address is exported by dhclient for its hook scripts)
/bin/echo Interface eth1 has been assigned an IP address of \
$new_ip_address

# Enter IP address into SNAT_LAN (rewrite the SNAT_LAN="..." line of rc.firewall in place)
ed /etc/rc.d/rc.firewall << EOF > /dev/null 2>&1
g/SNAT_LAN="192.168.100.0/s/:.*/:$new_ip_address"/
w
q
EOF

# Reset the firewall
/etc/rc.d/rc.firewall > /dev/null 2>&1

# Wait to allow the firewall to be established
sleep 1s

# Run ez-ipupdate once (not as a daemon); -b is its cache file
/usr/bin/ez-ipupdate -S dyndns-custom -u username:password \
-h piotro.net -i eth1 -b /tmp/ez-ipupdate.cache

# ====  End

If you use dhcpcd, you can do something like that from inside of
dhcpcd.exe

Rich Piotrowski

To E-mail use: rpiotro(at)wi(dot)rr(dot)com

 
 
 

ez-ipupdate and iptables

Post by SPAM_FRE » Fri, 15 Aug 2003 15:26:28


Sam Dunham wrote:
> I have Mandrake 9.1 and am running ez-ipupdate. The problem I'm
> running into is that when the IP address changes, IPTables seems to
> block traffic from ez-ipupdate. If I do a:

> /etc/rc.d/init.d/network restart
> /etc/rc.d/init.d/rc.firewall restart
> killall -HUP ez-ipupdate

> Everything works until the ip address changes again.


 
 
 

ez-ipupdate and iptables

Post by Bob Ribbec » Fri, 15 Aug 2003 17:38:35


Sam Dunham wrote:
> I have Mandrake 9.1 and am running ez-ipupdate. The problem I'm
> running into is that when the IP address changes, IPTables seems to
> block traffic from ez-ipupdate. If I do a:

> /etc/rc.d/init.d/network restart
> /etc/rc.d/init.d/rc.firewall restart
> killall -HUP ez-ipupdate

> Everything works until the ip address changes again.

> Here's my rc.firewall:

> =============================================================================

> #!/bin/sh

> # This is the location of the iptables command
> IPTABLES="/sbin/iptables"

> case "$1" in
>    stop)
>       echo "Shutting down firewall..."
>       $IPTABLES -F
>       $IPTABLES -F -t mangle
>       $IPTABLES -F -t nat
>       $IPTABLES -X
>       $IPTABLES -X -t mangle
>       $IPTABLES -X -t nat

>       $IPTABLES -P INPUT ACCEPT
>       $IPTABLES -P OUTPUT ACCEPT
>       $IPTABLES -P FORWARD ACCEPT
>       echo "...done"
>       ;;
>    status)
>       echo $"Table: filter"
>       iptables --list
>       echo $"Table: nat"
>       iptables -t nat --list
>       echo $"Table: mangle"
>       iptables -t mangle --list
>       ;;
>    restart|reload)
>       $0 stop
>       $0 start
>       ;;
>    start)
>     echo "Starting Firewall..."
>     echo ""

> ##--------------------------Begin
> Firewall---------------------------------##

> #----Default-Interfaces-----#

> ## Default external interface (used, if EXTIF isn't specified on
> command line)
> DEFAULT_EXTIF="eth0"
> IP=` /sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed
> -e s/.*://`

> ## Default internal interface (used, if INTIF isn't specified on
> command line)
> DEFAULT_INTIF="eth1"

> #----Special Variables-----#

> # IP Mask for all IP addresses
> UNIVERSE="0.0.0.0/0"

> # Specification of the high unprivileged IP ports.
> UNPRIVPORTS="1024:65535"

> # Specification of X Window System (TCP) ports.
> XWINPORTS="6000:6063"

> # Ports for IRC-Connection-Tracking
> IRCPORTS="6665,6666,6667,6668,6669,7000"

> #-----Port-Forwarding Variables-----#

> #For port-forwarding to an internal host, define a variable with the
> appropriate
> #internal IP-Address here and take a look at the port-forwarding
> sections in the FORWARD +
> #PREROUTING-chain:

> #These are examples, uncomment to activate

> #IP for forwarded Battlecom-traffic
> #BATTLECOMIP="192.168.0.5"

> #IP for forwarded HTTP-traffic
> #HTTPIP="192.168.0.20"

> #----Flood Variables-----#

> # Overall Limit for TCP-SYN-Flood detection
> TCPSYNLIMIT="5/s"
> # Burst Limit for TCP-SYN-Flood detection
> TCPSYNLIMITBURST="10"

> # Overall Limit for Loggging in Logging-Chains
> LOGLIMIT="2/s"
> # Burst Limit for Logging in Logging-Chains
> LOGLIMITBURST="10"

> # Overall Limit for Ping-Flood-Detection
> PINGLIMIT="5/s"
> # Burst Limit for Ping-Flood-Detection
> PINGLIMITBURST="10"

> #----Automatically determine infos about involved interfaces-----#

> ### External Interface:

> ## Get external interface from command-line
> ## If no interface is specified then set $DEFAULT_EXTIF as EXTIF
> #if [ "x$2" != "x" ]; then
> #   EXTIF=$2
> #else
>    EXTIF=$DEFAULT_EXTIF
> #fi
> echo External Interface: $EXTIF

> ## Determine external IP
> EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`"
>   if [ "$EXTIP" = '' ]; then
>      echo "Aborting: Unable to determine the IP-address of $EXTIF !"
>      exit 1
>   fi
> echo External IP: $EXTIP

> ## Determine external gateway
> EXTGW=`route -n | grep -A 4 UG | awk '{ print $2}'`
> echo Default GW: $EXTGW

> echo " --- "

> ### Internal Interface:

> ## Get internal interface from command-line
> ## If no interface is specified then set $DEFAULT_INTIF as INTIF
> if [ "x$3" != "x" ]; then
>    INTIF=$3
> else
>    INTIF=$DEFAULT_INTIF
> fi
> echo Internal Interface: $INTIF

> ## Determine internal IP
> INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`"
>   if [ "$INTIP" = '' ]; then
>      echo "Aborting: Unable to determine the IP-address of $INTIF !"
>      exit 1
>   fi  
> echo Internal IP: $INTIP

> ## Determine internal netmask
> INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
> echo Internal Netmask: $INTMASK

> ## Determine network address of the internal network
> INTLAN=$INTIP'/'$INTMASK
> echo Internal LAN: $INTLAN

> echo ""

> #----Load IPTABLES-modules-----#

> #Insert modules- should be done automatically if needed

> #If the IRC-modules are available, uncomment them below

> echo "Loading IPTABLES modules"

> dmesg -n 1 #Kill copyright display on module load
> /sbin/modprobe ip_tables
> /sbin/modprobe iptable_filter
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
> #/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
> #/sbin/modprobe ip_nat_irc ports=$IRCPORTS
> dmesg -n 6

> echo " --- "

> #----Clear/Reset all chains-----#

> #Clear all IPTABLES-chains

> #Flush everything, start from scratch
> $IPTABLES -F
> $IPTABLES -F -t mangle
> $IPTABLES -F -t nat
> $IPTABLES -X
> $IPTABLES -X -t mangle
> $IPTABLES -X -t nat

> #Set default policies to DROP
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP

> #----Set network sysctl options-----#

> echo "Setting sysctl options"

> #Enable forwarding in kernel
> echo 1 > /proc/sys/net/ipv4/ip_forward

> #Disabling IP Spoofing attacks.
> echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

> #Don't respond to broadcast pings (Smurf-Amplifier-Protection)
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

> #Block source routing
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

> #Kill timestamps
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps

> #Enable SYN Cookies
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies

> #Kill redirects
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

> #Enable bad error message protection
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

> #Log martians (packets with impossible addresses)
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

> #Set out local port range
> echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

> #Reduce DoS'ing ability by reducing timeouts
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack

> echo " --- "

> echo "Creating user-chains"

> #----Create logging chains-----#

> ##These are the logging-chains. They all have a certain limit of
> log-entries/sec to prevent log-flooding
> ##The syslog-entries will be fireparse-compatible (see
> http://www.fireparse.com)

> #Invalid packets (not ESTABLISHED,RELATED or NEW)
>    $IPTABLES -N LINVALID
>    $IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst
> $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP "
>    $IPTABLES -A LINVALID -j DROP

> #TCP-Packets with one ore more bad flags
>    $IPTABLES -N LBADFLAG
>    $IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst
> $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
>    $IPTABLES -A LBADFLAG -j DROP

> #Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
>    $IPTABLES -N LSPECIALPORT
>    $IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP "
>    $IPTABLES -A LSPECIALPORT -j DROP

> #Logging of possible TCP-SYN-Floods
>    $IPTABLES -N LSYNFLOOD
>    $IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
>    $IPTABLES -A LSYNFLOOD -j DROP

> #Logging of possible Ping-Floods
>    $IPTABLES -N LPINGFLOOD
>    $IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
>    $IPTABLES -A LPINGFLOOD -j DROP

> #All other dropped packets
>    $IPTABLES -N LDROP
>    $IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "
>    $IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "
>    $IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
>    $IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "
>    $IPTABLES -A LDROP -j DROP

> #All other rejected packets
>    $IPTABLES -N LREJECT
>    $IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT "
>    $IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT "
>    $IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
>    $IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT "
>    $IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
>    $IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
>    $IPTABLES -A LREJECT -j REJECT

> #----Create Accept-Chains-----#

> #TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in

>    $IPTABLES -N TCPACCEPT
>    $IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
>    $IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
>    $IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

> #----Create special User-Chains-----#

> #CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

>    $IPTABLES -N CHECKBADFLAG

...

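The LSYNFLOOD, LSPECIALPORT, LDROP and LREJECT chains in the quoted rc.firewall only pay off if someone actually reads what they log. As an added example (not part of the quoted script and not the poster's code), here is a small sh/awk filter that summarises those log lines by the script's own prefixes ("fp=SYNFLOOD:1 a=DROP " and so on). The sample lines inside it are constructed to look like the kernel LOG target's output as it lands in /var/log/messages; SRC=, PROTO= and DPT= are the standard netfilter LOG field names, not something the script defines. The sshd line is deliberate noise the filter has to skip.

```sh
#!/bin/sh
# Added example: summarise what the LSYNFLOOD/LSPECIALPORT/LDROP/LREJECT
# chains write to the kernel log. Assumes the LOG lines carry the prefixes
# "fp=<TAG>:<n> a=<DROP|REJECT> " and the standard netfilter LOG fields
# (SRC=, DST=, PROTO=, DPT=, ...).

# Constructed sample lines (not a real capture); the sshd line is noise
# that the parser must ignore.
SAMPLE_LOG='Aug 14 06:01:41 gw kernel: fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40000 DPT=22 SYN
Aug 14 06:01:41 gw kernel: fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40001 DPT=22 SYN
Aug 14 06:01:42 gw kernel: fp=SPECIALPORT:1 a=DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TTL=48 PROTO=TCP SPT=1234 DPT=31337
Aug 14 06:01:43 gw kernel: fp=UDP:2 a=REJECT IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=28 TTL=48 PROTO=UDP SPT=53 DPT=137
Aug 14 06:01:44 gw kernel: fp=FRAGMENT:4 a=DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=1500 TTL=52 PROTO=ICMP
Aug 14 06:01:45 gw sshd[1234]: Accepted publickey for sam from 192.0.2.5 port 51234 ssh2'

# fwlog_summary: stdin -> "TAG ACTION SRC PROTO DPT COUNT", busiest first.
# Only lines carrying one of the script's prefixes are counted.
fwlog_summary() {
    awk '
    /fp=[A-Z]+:[0-9]+ a=(DROP|REJECT) / {
        tag = "?"; act = "?"; src = "?"; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^fp=/)         { split(substr($i, 4), p, ":"); tag = p[1] }
            else if ($i ~ /^a=/)     { act = substr($i, 3) }
            else if ($i ~ /^SRC=/)   { src = substr($i, 5) }
            else if ($i ~ /^PROTO=/) { proto = substr($i, 7) }
            else if ($i ~ /^DPT=/)   { dpt = substr($i, 5) }
        }
        n[tag " " act " " src " " proto " " dpt]++
    }
    END { for (k in n) print k, n[k] }
    ' | sort -k6,6nr -k1,1
}

# fwlog_top_sources: stdin -> "SRC COUNT" across all prefixes, busiest first;
# the hosts worth a closer look regardless of which chain caught them.
fwlog_top_sources() {
    awk '
    /fp=[A-Z]+:[0-9]+ a=(DROP|REJECT) / {
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
    }
    END { for (k in n) print k, n[k] }
    ' | sort -k2,2nr -k1,1
}

# Usage on a live box:   fwlog_summary < /var/log/messages
# Demo on the constructed sample when run as:   sh fwlog.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | fwlog_summary
    echo
    printf '%s\n' "$SAMPLE_LOG" | fwlog_top_sources
fi
```

The tag/action pair is taken from the prefix rather than from the rule that fired, so the same script works unchanged if the -m limit values are tuned later; the limit match also means counts here are lower bounds, since LOG is rate-limited while DROP is not.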

ez-ipupdate and iptables

Post by Sam Dunh » Sat, 16 Aug 2003 22:40:23




<snip>

> FYI your firewall rules reload/restart reinstall your complete ruleset
> and this is not necessary when your IP-address changes. You only need
> to change the rules using your IP_ADDRESS which can be done with the
> iptables replace command. It's much quicker than a complete reload.
> If you want I'll email details - it's a bit more than a quick response
> for the NG

> BOB
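One way to do what BOB describes, as an added example that is neither BOB's nor Sam's code: feed the current ruleset through a filter that prints one iptables -R command for every rule that mentions the old address, with the address swapped. It assumes iptables -S output on stdin (iptables 1.4.x and later, so not the version on Mandrake 9.1; the -A lines in iptables-save output have the same shape), that the old and new addresses are known to the caller (for instance from ifconfig output before and after the change), and that the rule number -R wants is the 1-based position of the rule among the chain's -A lines, which is the order -S prints them. The ruleset dump inside the script is constructed for the demo.

```sh
#!/bin/sh
# Added example of the "replace only the rules that carry the address"
# approach. Reads a ruleset in `iptables -S` format on stdin and prints the
# `iptables -R` commands that swap OLD_IP for NEW_IP, one per affected rule.
# Assumptions: iptables -S is available (iptables 1.4.x and later); rule
# numbers for -R are the 1-based positions in which -S lists a chain's -A
# lines, which is the order the kernel holds them.

# Constructed dump (not taken from the poster's machine). Note the
# 203.0.113.45 rule: a naive substring replace would corrupt it.
RULES_SAVED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N LDROP
-N TCPACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 203.0.113.45/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 203.0.113.4/32 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A INPUT -j LDROP
-A OUTPUT -s 203.0.113.4/32 -o eth0 -j ACCEPT'

# iptables_rewrite_ip OLD_IP NEW_IP [TABLE]   (ruleset on stdin)
iptables_rewrite_ip() {
    awk -v old="$1" -v new="$2" -v tbl="${3:-filter}" '
    BEGIN {
        # match the whole address only: "1.2.3.4" must not hit "1.2.3.45"
        gsub(/\./, "[.]", old)
        re = "(^|[^0-9.])" old "([^0-9.]|$)"
    }
    $1 == "-A" {
        n[$2]++                       # position of this rule in chain $2
        if ($0 !~ re) next
        spec = $0
        sub(/^-A [^ ]+ /, "", spec)   # drop "-A CHAIN", keep the rule spec
        out = ""
        while (match(spec, re)) {     # replace every occurrence, keeping
            hit = substr(spec, RSTART, RLENGTH)   # the delimiters around it
            sub(old, new, hit)
            out = out substr(spec, 1, RSTART - 1) hit
            spec = substr(spec, RSTART + RLENGTH)
        }
        printf "iptables -t %s -R %s %d %s\n", tbl, $2, n[$2], out spec
    }'
}

# Usage on the gateway, after reviewing the generated commands:
#   iptables -S        | iptables_rewrite_ip "$OLD" "$NEW"     | sh
#   iptables -t nat -S | iptables_rewrite_ip "$OLD" "$NEW" nat | sh
# Demo on the constructed dump when run as:   sh rewrite.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$RULES_SAVED" | iptables_rewrite_ip 203.0.113.4 198.51.100.9
fi
```

Two caveats. -R replaces by position, so dump and apply in one go while nothing else touches the chains; if a chain changed in between, -R lands on the wrong rule or fails. And the address-specific rules are the root of the problem: a rule that matches on the external interface (-i eth0 / -o eth0) instead of on $IP never needs rewriting when the lease changes.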


 
 
 

1. ez-ipupdate problem

Hi NG,

i have a problem with ez-ipupdate running SuSE Linux 7.2 Professional on a
DSL-Router.

I installed ez-ipupdate Version 3.0.10 properly, configured it to use my
account on dyndns.org (in /etc/ez-ipupdate.conf) to update the IP of device
ppp0 running as a daemon (the owner of the process is not root).

Then I wrote a small boot script to ensure that ez-ipupdate is started
whenever the server goes up. I tested my script as su and everything worked
fine (start/stop/restart). Looking at /var/log/messages I found:
---
/usr/local/bin/ez-ipupdate started for interface ppp0 host "localhost"
using server members.dyndns.org and service dyndns
.....
/usr/local/bin/ez-ipupdate[3416]: successful update for ppp0->HOST_IP
(HOST_DNS)
---

I verified the IP with ifconfig ppp0 and the address was correct. From then
on ez-ipupdate was solely started by the boot script and everything was
fine (ftp, ssh was working with the dns-entry on my server).

A few weeks later someone complained to me, that ftp/ssh wasn't working
anymore using dns-hostname of my server. I had a look at the server and
found in /var/log/messages after ez-ipupdate was started by the boot script:
---
/usr/local/bin/ez-ipupdate started for interface ppp0 host "localhost"
using server members.dyndns.org and service dyndns
/usr/local/bin/ez-ipupdate[561]: failure to update ppp0->10.64.64.64
(HOST_DNS)
/usr/local/bin/ez-ipupdate[561]: failure to update ppp0->10.64.64.64
(HOST_DNS)
/usr/local/bin/ez-ipupdate[561]: failure to update ppp0->10.64.64.64
(HOST_DNS)
.....
/usr/local/bin/ez-ipupdate[561]: failure to update ppp0->HOST_IP(HOST_DNS)
......
---

The first IP 10.64.64.64 is a dummy address before HOST_IP was obtained
from my ISP. Although at some point the HOST_IP was correct, ez-ipupdate
still gave the error message. I (su) stopped ez-ipupdate (executing the
bootscript with stop) and then restarted it (also using the boot script
with start). Everything worked fine, the IP got updated and I had no error
messages. But since this day ez-ipupdate doesn't work properly when the
server is booted and it is started by my script. In order to make it work,
I manually (su) have to stop the process and restart ez-ipupdate (with the
boot script).
This seems quite strange to me, because the script was working all the time
without me having to do anything by hand. During the time everything was
ok, I didn't update or install anything new on my machine.

Do you have any idea, what went wrong or what [561] means?
Are there better solutions to automatically start ez-ipupdate at boottime?

All the best,

Christopher
