iptables woes - may be RELATED related :)


Post by Glen Coate » Thu, 13 Sep 2001 17:30:32



Hi - I've just started using iptables and I'm having trouble.  I
basically want my firewall setup to bar all connections except the ones
coming from my uni, and I had it doing this just fine in ipchains.  Now I
have a weird problem, where if I telnet into uni and then back out to my
machine, iptables lets the connection through just fine, but if I'm at uni
and I try to telnet in I get no response.  Here's my
/etc/sysconfig/iptables:

# Generated by iptables-save v1.2.2 on Fri Aug 31 12:54:36 2001
*nat
:PREROUTING ACCEPT [17:708]
:POSTROUTING ACCEPT [35:2109]
:OUTPUT ACCEPT [35:2109]
COMMIT
# Completed on Fri Aug 31 12:54:36 2001
# Generated by iptables-save v1.2.2 on Fri Aug 31 12:54:36 2001
*mangle
:PREROUTING ACCEPT [670:68228]
:OUTPUT ACCEPT [738:50393]
COMMIT
# Completed on Fri Aug 31 12:54:36 2001
# Generated by iptables-save v1.2.2 on Fri Aug 31 12:54:36 2001
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [738:50393]
:GLEN - [0:0]
-A INPUT -j GLEN
-A FORWARD -j GLEN
-A GLEN -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A GLEN -s 203.164.20.10 -p udp -m udp --dport 53 -j ACCEPT
-A GLEN -s 203.164.20.11 -p udp -m udp --dport 53 -j ACCEPT
-A GLEN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A GLEN -i lo -j ACCEPT
-A GLEN -s 129.94.242.0/255.255.255.0 -j ACCEPT
-A GLEN -j DROP
COMMIT
# Completed on Fri Aug 31 12:54:36 2001

The line which is supposed to allow incoming connections from uni is the
second last one in the GLEN chain.

Can anyone help me troubleshoot this? Any help would be really
appreciated.  Also, if you spot any glaring security holes, please let me
know, as I'm really new to firewalling and basically have nfi beyond what
I've tried to glean from a few HOWTOs.

Cheers,
Glen

Post by Thor Jans » Thu, 13 Sep 2001 23:08:00



> and I try to telnet in I get no response

I find it really odd that you will take the trouble to get some
security by installing a firewall, but will use an insecure protocol
like telnet, which transmits usernames, passwords and data in the
clear. If you really care about your systems' and LAN's security,
switch to ssh2 immediately and drop telnet.

Post by Glen Coate » Thu, 13 Sep 2001 23:52:32






>> and I try to telnet in I get no response

> I find it really odd that you will take the trouble to get some security
> by installing a firewall, but will use an insecure protocol like telnet,
> which transmits usernames, passwords and data in the clear. If you
> really care about your systems' and LAN's security, switch to ssh2
> immediately and drop telnet.

I do use ssh - I don't know why I put telnet there, probably just years
of win32'ing :) So can you help me with my question at all here mate?

Cheers,
Glen

Post by Thor Jans » Sat, 15 Sep 2001 05:05:45



> I do use ssh - I don't know why I put telnet there, probably just years
> of win32'ing :) So can you help me with my question at all here mate?

You will want to open up port 22 tcp/udp. I don't use iptables-save,
but adding something like:

# an inbound ssh connection arrives with destination port 22, so match --dport;
# the udp line needs the udp match module (-m udp) to load
-A GLEN -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A GLEN -i eth0 -p udp -m udp --dport 22 -j ACCEPT

might do the trick for you. You may also want to restrict it to your
specific IP, so that you don't open port 22 to the world, but just to
yourself.
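The quickest way to troubleshoot a ruleset like the GLEN chain above is to ask "which rule does this packet hit?" The following is an added example, not code from the thread: a small Python chain walker that parses the GLEN chain exactly as posted (plus the port-22 line suggested in the reply, inserted ahead of the final DROP) and walks a constructed packet through it the way netfilter does, first match wins. The packet addresses, ports and conntrack states are constructed for the demonstration, and only the iptables options the posted rules actually use are understood.

```python
"""Chain walker for the GLEN ruleset (added example; not code from the thread).

Parses the subset of iptables-save syntax the posted rules use (-A, -i, -s,
-p, -m state --state, --sport, --dport, -j) and walks a constructed packet
through a chain the way netfilter does: rules are tried in order and the
first match decides the verdict.
"""
import ipaddress
import shlex

# Constructed copy of the GLEN chain from the original post.
GLEN_RULES = """\
-A GLEN -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A GLEN -s 203.164.20.10 -p udp -m udp --dport 53 -j ACCEPT
-A GLEN -s 203.164.20.11 -p udp -m udp --dport 53 -j ACCEPT
-A GLEN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A GLEN -i lo -j ACCEPT
-A GLEN -s 129.94.242.0/255.255.255.0 -j ACCEPT
-A GLEN -j DROP
"""

# The reply's suggested tcp line, inserted ahead of the final DROP so its
# effect on an inbound ssh SYN can be compared with the /24 rule above.
PROPOSED_RULES = GLEN_RULES.replace(
    "-A GLEN -j DROP",
    "-A GLEN -i eth0 -p tcp -m tcp --sport 22 -j ACCEPT\n-A GLEN -j DROP")


def parse_rules(text):
    """Turn iptables-save '-A' lines into dicts of {chain, match, target}."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] != "-A":
            continue                      # skip blanks, comments, policy lines
        rule = {"chain": toks[1], "match": {}, "target": None}
        i = 2
        while i < len(toks):
            opt, arg = toks[i], toks[i + 1]
            if opt == "-j":
                rule["target"] = arg
            elif opt == "-m":
                pass                      # match module name; its options follow
            elif opt == "--state":
                rule["match"]["state"] = set(arg.split(","))
            elif opt in ("-i", "-s", "-p", "--sport", "--dport"):
                rule["match"][opt] = arg
            else:
                raise ValueError(f"unsupported option {opt!r}")
            i += 2
        rules.append(rule)
    return rules


def _port_in(spec, port):
    """'22' or '67:68' -> does port fall inside that range?"""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def matches(rule, pkt):
    """Every specified match must hold; unspecified matches are wildcards."""
    m = rule["match"]
    if "-i" in m and pkt["iface"] != m["-i"]:
        return False
    # ip_network understands both 'a.b.c.d' and 'a.b.c.0/255.255.255.0'.
    if "-s" in m and ipaddress.ip_address(pkt["src"]) not in \
            ipaddress.ip_network(m["-s"]):
        return False
    if "-p" in m and pkt["proto"] != m["-p"]:
        return False
    if "--sport" in m and not _port_in(m["--sport"], pkt["sport"]):
        return False
    if "--dport" in m and not _port_in(m["--dport"], pkt["dport"]):
        return False
    if "state" in m and pkt["state"] not in m["state"]:
        return False
    return True


def walk(rules, chain, pkt):
    """Return (target, index) of the first matching rule in chain, else ('POLICY', None)."""
    for idx, rule in enumerate(r for r in rules if r["chain"] == chain):
        if matches(rule, pkt):
            return rule["target"], idx
    return "POLICY", None


def packet(src, dport, proto="tcp", iface="eth0", state="NEW", sport=40000):
    """Constructed packet; the conntrack state is supplied by hand here."""
    return {"src": src, "dport": dport, "proto": proto, "iface": iface,
            "state": state, "sport": sport}


if __name__ == "__main__":
    glen, proposed = parse_rules(GLEN_RULES), parse_rules(PROPOSED_RULES)
    print("ssh SYN from uni      :", walk(glen, "GLEN", packet("129.94.242.5", 22)))
    print("ssh SYN from elsewhere:", walk(glen, "GLEN", packet("198.51.100.7", 22)))
    print("reply to our own conn :", walk(glen, "GLEN",
          packet("198.51.100.7", 40000, state="ESTABLISHED", sport=22)))
    print("--sport 22 rule vs SYN:", walk(proposed, "GLEN", packet("198.51.100.7", 22)))
    print("--sport 22 rule, any  :", walk(proposed, "GLEN",
          packet("198.51.100.7", 40000, sport=22)))
```

Walking the posted chain shows a NEW ssh packet from 129.94.242.5 landing on the /24 rule (index 5) and the same packet from any other address landing on the final DROP, so the rule order itself is fine for the case described. The second ruleset shows why a `--sport 22` line is not the fix: an inbound connection to port 22 carries a high source port and still falls through to DROP, while any packet whose source port happens to be 22 is accepted regardless of where it is headed. Matching inbound ssh on `--dport 22` together with the uni source range keeps the opening as narrow as the reply recommends.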

 
 
 
