[luau] Warren's walkthrough of MonMotha's firewall script

burnst001 at hawaii.rr.com
Fri Nov 1 11:25:00 PST 2002


I've followed Warren's walkthrough of MonMotha's firewall script found at <http://www.mplug.org/phpwiki/index.php/BasicFirewallRouter>.
I installed the script on a computer running Red Hat 7.3. The only change I made
was that I used 192.168.1.1 instead of 192.168.0.1 for the firewall LAN gateway
address (eth1), because I have an existing Linksys router that had been using
that address and all my clients are already set up that way; I don't want to
have to reconfigure 17 computers when I swap my dedicated firewall for my router.


I can't get the firewall talking to the WAN at all. After I run the script,
I can't get the LAN to ping the firewall.

When I try to ping anything on the WAN from the firewall I get "network is not
reachable." This is true even before I run the firewall script so there are
no rules and default is "accept". I have set up the firewall with the same IP
number and gateway that the router had, I've disconnected the router from both
the WAN and the LAN, and hooked in the firewall instead.

I tested the cables. I tested the two ethernet cards. I reconfigured a client
to use the WAN address as a gateway and plugged it into the WAN NIC with a crossover
cable; the client was able to ping the firewall on eth0.

I am able to ping the firewall from the LAN before running the script. After
running the script, the firewall no longer answers ping. Is this what I should
expect?

Could Red Hat 7.3 have ipchains running by default and messing me up?

Could the IP# change matter? (Warren's walkthrough says to use 192.168.0.1 as eth1's
IP#, the gateway address for the LAN; I used 192.168.1.1 instead.) I tried to
set the firewall up to be identical to the router it replaces, same gateway,
same IP#. The LED shows activity on the card attached to the WAN.

Could the MAC change when I switch from the router to the firewall be confusing
my gateway so that it refuses to speak to me? I am at UH, not using an ISP.


Could there be a delay before things start working? When I switch things back,
it always takes a while before the router starts working again.

There is some stuff in the walk-through about the PCI slots using bus-mastering;
I have no idea what this is about. Could that be causing my problem?

How can I tell whether ipforwarding is enabled and working? (That's how the
packets get between the LAN NIC and the WAN NIC, right? I see it in the script
output, but is there an explicit test?)

Since I can't reach the network even before I run the script, the script doesn't
seem to be the entire problem. But for what it's worth, here is the output when
I run the script:

******************************
Loading iptables firewall:
Checking configuration...passed
Performing TCP_ALLOW and UDP_ALLOW alias preprocessing...done
Checking IP Forwarding...enabled.
Checking IP SynCookies...disabled.
Checking Route Verification...activated:eth0 activated:eth1 
Refusing SSR Packets via SysCtl...activated:eth0 activated:eth1 
Flush: INPUT OUTPUT1 FORWARD PREROUTING1 OUTPUT2 POSTROUTING PREROUTING2 OUTPUT3
Creating chains: INETIN INETOUT DMZIN DMZOUT TCPACCEPT UDPACCEPT LDROP LREJECT TREJECT LTREJECT
Default Policies: INPUT:DROP OUTPUT:ACCEPT FORWARD:DROP
Setting up drop chains chains: LDROP LREJECT TREJECT LTREJECT
Setting up per-proto ACCEPT: TCPACCEPT UDPACCEPT
TREJECTing invalid packets...done
Setting up INET chains: INETIN INETOUT
Local Traffic Rules: 192.168.0.0/24:ACCEPT 192.168.1.0/24:ACCEPT loopback:ACCEPT
Setting up masquerading: 192.168.0.0/24:MASQUERADE 192.168.1.0/24:MASQUERADE
TREJECTing ICMP messages specified in BAD_ICMP...5 9 10 15 16 17 18 
Flood limiting: ICMP-PING 
Allowing the rest of the ICMP messages in...done
Hostwise TCP Allows: 0/0>22 
Hostwise UDP Allows: 0/0>68 0/0>6112 0/0>6119 0/0>4000 
Allowing established outbound connections back in...done
Allowing related inbound connections...done
Setting up INET policies: INETIN:TREJECT INETOUT:ACCEPT 
Done loading the firewall!
**********************************

These don't look like errors to me. What does "192.168.1.0/24:ACCEPT" in the
local traffic rules mean? Anything from a machine on the 192.168.1 subnet is
accepted?

Here is the output from iptables -L after running the script:

*******************************
Chain INPUT (policy DROP)
target     prot opt source               destination
INETIN     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.0.0/24       anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
INETIN     all  --  anywhere             anywhere
INETOUT    all  --  anywhere             anywhere
ACCEPT     all  --  192.168.0.0/24       anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
INETOUT    all  --  anywhere             anywhere

Chain DMZIN (0 references)
target     prot opt source               destination

Chain DMZOUT (0 references)
target     prot opt source               destination

Chain INETIN (2 references)
target     prot opt source               destination
TREJECT    all  --  anywhere             anywhere           state INVALID
TREJECT    icmp --  anywhere             anywhere           icmp redirect
TREJECT    icmp --  anywhere             anywhere           icmp router-advertisement
TREJECT    icmp --  anywhere             anywhere           icmp router-solicitation
TREJECT    icmp --  anywhere             anywhere           icmp type 15
TREJECT    icmp --  anywhere             anywhere           icmp type 16
TREJECT    icmp --  anywhere             anywhere           icmp address-mask-request
TREJECT    icmp --  anywhere             anywhere           icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere           icmp echo-request limit: avg 1/sec burst 5
TREJECT    icmp --  anywhere             anywhere           icmp echo-request
ACCEPT     icmp --  anywhere             anywhere           icmp !echo-request
TCPACCEPT  tcp  --  anywhere             anywhere           tcp dpt:ssh
UDPACCEPT  udp  --  anywhere             anywhere           udp dpt:bootpc
UDPACCEPT  udp  --  anywhere             anywhere           udp dpt:6112
UDPACCEPT  udp  --  anywhere             anywhere           udp dpt:6119
UDPACCEPT  udp  --  anywhere             anywhere           udp dpt:4000
ACCEPT     all  --  anywhere             anywhere           state ESTABLISHED
TCPACCEPT  tcp  --  anywhere             anywhere           tcp dpts:1024:65535 state RELATED
UDPACCEPT  udp  --  anywhere             anywhere           udp dpts:1024:65535 state RELATED
TREJECT    all  --  anywhere             anywhere

Chain INETOUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain LDROP (0 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `TCP Dropped '
LOG        udp  --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `UDP Dropped '
LOG        icmp --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `ICMP Dropped '
LOG        all  -f  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Dropped '
DROP       all  --  anywhere             anywhere

Chain LREJECT (0 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `TCP Rejected '
LOG        udp  --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `UDP Rejected '
LOG        icmp --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `ICMP Rejected '
LOG        all  -f  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Rejected '
REJECT     all  --  anywhere             anywhere           reject-with icmp-port-unreachable

Chain LTREJECT (0 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `TCP Rejected '
LOG        udp  --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `UDP Rejected '
LOG        icmp --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level info prefix `ICMP Rejected '
LOG        all  -f  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Rejected '
REJECT     tcp  --  anywhere             anywhere           reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere           reject-with icmp-port-unreachable
DROP       icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere           reject-with icmp-port-unreachable

Chain TCPACCEPT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN limit: avg 20/sec burst 5
LOG        tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN limit: avg 2/sec burst 5 LOG level warning prefix `Possible SynFlood '
TREJECT    tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere           tcp flags:!SYN,RST,ACK/SYN
LOG        all  --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level warning prefix `Mismatch in TCPACCEPT '
TREJECT    all  --  anywhere             anywhere

Chain TREJECT (13 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere           reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere           reject-with icmp-port-unreachable
DROP       icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere           reject-with icmp-port-unreachable

Chain UDPACCEPT (5 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere           limit: avg 2/sec burst 5 LOG level warning prefix `Mismatch on UDPACCEPT '
TREJECT    all  --  anywhere             anywhere

*************************

That doesn't really look right to me, but I don't claim to understand it at
all. 

Devastated Dave
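An added example (not from the post, the walkthrough or MonMotha's script): a small first-match tracer that parses a constructed excerpt of the `iptables -L` listing above and walks a packet through INPUT, following the jumps into INETIN and TREJECT, so the rule that answers a LAN ping, or drops it once it exceeds the 1/sec limit, can be read off. The packet dictionary, its `within_limit` flag and the trimmed rule set are assumptions of the model; note that `iptables -L` without `-v` omits the in/out interface columns, so the listing alone cannot show whether a chain is restricted to one interface.

```python
import ipaddress, re
# Constructed excerpt of the post's `iptables -L` dump; without -v it omits the in/out interface columns.
DUMP = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
INETIN     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere

Chain INETIN (2 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere           icmp echo-request limit: avg 1/sec burst 5
TREJECT    icmp --  anywhere             anywhere           icmp echo-request
ACCEPT     all  --  anywhere             anywhere           state ESTABLISHED
TREJECT    all  --  anywhere             anywhere

Chain TREJECT (13 references)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere           reject-with icmp-port-unreachable
"""
def parse_dump(text):  # chain -> (policy or None, [(target, proto, source, option tokens)])
    chains, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"Chain (\S+) \((?:policy (\S+)|.*)\)", line):
            cur, chains[m.group(1)] = m.group(1), (m.group(2), [])
        elif line.strip() and not line.startswith("target"):
            f = line.split(None, 5)  # target prot opt source destination [options]
            chains[cur][1].append((f[0], f[1], f[3], f[5].split() if len(f) > 5 else []))
    return chains

def rule_matches(rule, pkt):  # only the match types in the excerpt: proto, source, state, icmp type, limit
    _, prot, src, opts = rule
    if prot not in ("all", pkt["proto"]) or (src != "anywhere" and
            ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src)):
        return False
    checks = {"state": lambda v: pkt.get("state") == v, "icmp": lambda v: pkt.get("icmp") == v,
              "limit:": lambda v: pkt.get("within_limit", True)}  # past the rate limit the rule stops matching
    return all(checks[t](opts[i + 1]) for i, t in enumerate(opts) if t in checks)

def trace(chains, chain, pkt, path=None):  # first-match walk; returns (verdict, rules hit in order)
    path = [] if path is None else path
    policy, rules = chains[chain]
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            path.append(f"{chain}:{n}->{rule[0]}")
            if rule[0] in ("ACCEPT", "DROP", "REJECT"):
                return rule[0], path
            if rule[0] in chains and (v := trace(chains, rule[0], pkt, path)[0]):
                return v, path  # verdict reached inside the user chain; falling off it resumes here
    return policy, path  # fell off the end: built-in policy, or None inside a user chain
```

Call `trace(parse_dump(DUMP), "INPUT", pkt)` with a packet such as `{"proto": "icmp", "src": "192.168.1.10", "icmp": "echo-request", "state": "NEW"}`; adding `"within_limit": False` models the same ping once it exceeds the limit, and the returned path shows that INETIN answers it before INPUT's 192.168.1.0/24 ACCEPT is ever consulted.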
