[luau] Warren's walkthrough of MonMotha's firewall script
Ray Strode
halfline at hawaii.rr.com
Thu Nov 7 10:10:00 PST 2002
I've not really used MonMotha's script, forwarding to him...
--Ray
>I've followed Warren's walkthrough of MonMotha's firewall script found at <http://www.mplug.org/phpwiki/index.php/BasicFirewallRouter>.
>I installed the script on a computer running redhat 7.3. The only change I made
>was that I used 192.168.1.1 instead of 192.168.0.1 for the firewall LAN gateway
>address (eth1), because I have an existing Linksys router that had been using
>that address and all my clients are already set up that way; I don't want to
>have to reconfigure 17 computers when I swap my dedicated firewall for my router.
>
>I can't get the firewall talking to the WAN at all. After I run the script,
>I can't get the LAN to ping the firewall.
>
>When I try to ping anything on the WAN from the firewall I get "network is not
>reachable." This is true even before I run the firewall script so there are
>no rules and default is "accept". I have set up the firewall with the same IP
>number and gateway that the router had, I've disconnected the router from both
>the WAN and the LAN, and hooked in the firewall instead.
>
>I tested the cables. I tested the two ethernet cards. I reconfigured a client
>to use the WAN address as a gateway and plugged it into the WAN NIC with a crossover
>cable; the client was able to ping the firewall on eth0.
>
>I am able to ping the firewall from the LAN before running the script. After
>running the script, the firewall no longer answers ping. Is this what I should
>expect?
>
>Could redhat 7.3 have ipchains running by default and messing me up?
>
>Could the IP# change matter? (Warren's walkthrough says use 192.168.0.1 as eth1's
>IP#, the gateway address for the LAN, I used 192.168.1.1 instead.) I tried to
>set the firewall up to be identical to the router it replaces, same gateway,
>same IP#. The LED shows activity on the card attached to the WAN.
>
>Could the MAC change when I switch from the router to the firewall be confusing
>my gateway so that it refuses to speak to me? I am at UH, not using an ISP.
>
>Could there be a delay before things start working? When I switch things back,
>it always takes a while before the router starts working again.
>
>There is some stuff in the walk-through about the PCI slots using bus-mastering,
>I have no idea what this is about, could that be causing my problem?
>
>How can I tell whether ipforwarding is enabled and working? (That's how the
>packets get between the LAN NIC and the WAN NIC, right? I see it in the script
>output, but is there an explicit test?)
>
>Since I can't reach the network even before I run the script, the script doesn't
>seem to be the entire problem. But for what it's worth, here is the output when
>I run the script:
>
>******************************
>Loading iptables firewall:
>Checking configuration...passed
>Performing TCP_ALLOW and UDP_ALLOW alias preprocessing...done
>Checking IP Forwarding...enabled.
>Checking IP SynCookies...disabled.
>Checking Route Verification...activated:eth0 activated:eth1
>Refusing SSR Packets via SysCtl...activated:eth0 activated:eth1
>Flush: INPUT OUTPUT1 FORWARD PREROUTING1 OUTPUT2 POSTROUTING PREROUTING2 OUTPUT3
>
>Creating chains: INETIN INETOUT DMZIN DMZOUT TCPACCEPT UDPACCEPT LDROP LREJECT
>TREJECT LTREJECT
>Default Policies: INPUT:DROP OUTPUT:ACCEPT FORWARD:DROP
>Setting up drop chains chains: LDROP LREJECT TREJECT LTREJECT
>Setting up per-proto ACCEPT: TCPACCEPT UDPACCEPT
>TREJECTing invalid packets...done
>Setting up INET chains: INETIN INETOUT
>Local Traffic Rules: 192.168.0.0/24:ACCEPT 192.168.1.0/24:ACCEPT loopback:ACCEPT
>
>Setting up masquerading: 192.168.0.0/24:MASQUERADE 192.168.1.0/24:MASQUERADE
>
>TREJECTing ICMP messages specified in BAD_ICMP...5 9 10 15 16 17 18
>Flood limiting: ICMP-PING
>Allowing the rest of the ICMP messages in...done
>Hostwise TCP Allows: 0/0>22
>Hostwise UDP Allows: 0/0>68 0/0>6112 0/0>6119 0/0>4000
>Allowing established outbound connections back in...done
>Allowing related inbound connections...done
>Setting up INET policies: INETIN:TREJECT INETOUT:ACCEPT
>Done loading the firewall!
>**********************************
>
>These don't look like errors to me. What does "192.168.1.0/24:ACCEPT" in the
>local traffic rules mean - anything from a machine on the 192.168.1 subnet is
>accepted??
>
>Here is the output from iptables -L after running the script:
>
>*******************************
>Chain INPUT (policy DROP)
>target prot opt source destination
>INETIN all -- anywhere anywhere
>ACCEPT all -- 192.168.0.0/24 anywhere
>ACCEPT all -- 192.168.1.0/24 anywhere
>ACCEPT all -- anywhere anywhere
>
>Chain FORWARD (policy DROP)
>target prot opt source destination
>INETIN all -- anywhere anywhere
>INETOUT all -- anywhere anywhere
>ACCEPT all -- 192.168.0.0/24 anywhere
>ACCEPT all -- 192.168.1.0/24 anywhere
>
>Chain OUTPUT (policy ACCEPT)
>target prot opt source destination
>INETOUT all -- anywhere anywhere
>
>Chain DMZIN (0 references)
>target prot opt source destination
>
>Chain DMZOUT (0 references)
>target prot opt source destination
>
>Chain INETIN (2 references)
>target prot opt source destination
>TREJECT all -- anywhere anywhere state INVALID
>TREJECT icmp -- anywhere anywhere icmp redirect
>TREJECT icmp -- anywhere anywhere icmp router-advertisement
>TREJECT icmp -- anywhere anywhere icmp router-solicitation
>TREJECT icmp -- anywhere anywhere icmp type 15
>TREJECT icmp -- anywhere anywhere icmp type 16
>TREJECT icmp -- anywhere anywhere icmp address-mask-request
>TREJECT icmp -- anywhere anywhere icmp address-mask-reply
>ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
>TREJECT icmp -- anywhere anywhere icmp echo-request
>ACCEPT icmp -- anywhere anywhere icmp !echo-request
>TCPACCEPT tcp -- anywhere anywhere tcp dpt:ssh
>UDPACCEPT udp -- anywhere anywhere udp dpt:bootpc
>UDPACCEPT udp -- anywhere anywhere udp dpt:6112
>UDPACCEPT udp -- anywhere anywhere udp dpt:6119
>UDPACCEPT udp -- anywhere anywhere udp dpt:4000
>ACCEPT all -- anywhere anywhere state ESTABLISHED
>TCPACCEPT tcp -- anywhere anywhere tcp dpts:1024:65535 state RELATED
>UDPACCEPT udp -- anywhere anywhere udp dpts:1024:65535 state RELATED
>TREJECT all -- anywhere anywhere
>
>Chain INETOUT (2 references)
>target prot opt source destination
>ACCEPT all -- anywhere anywhere
>
>Chain LDROP (0 references)
>target prot opt source destination
>LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `TCP Dropped '
>LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `UDP Dropped '
>LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `ICMP Dropped '
>LOG all -f anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Dropped '
>DROP all -- anywhere anywhere
>
>Chain LREJECT (0 references)
>target prot opt source destination
>LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `TCP Rejected '
>LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `UDP Rejected '
>LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `ICMP Rejected '
>LOG all -f anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Rejected '
>REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
>
>Chain LTREJECT (0 references)
>target prot opt source destination
>LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `TCP Rejected '
>LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `UDP Rejected '
>LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `ICMP Rejected '
>LOG all -f anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Rejected '
>REJECT tcp -- anywhere anywhere reject-with tcp-reset
>REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
>DROP icmp -- anywhere anywhere
>REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
>
>Chain TCPACCEPT (2 references)
>target prot opt source destination
>ACCEPT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 20/sec burst 5
>LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 2/sec burst 5 LOG level warning prefix `Possible SynFlood '
>TREJECT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
>ACCEPT tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN
>LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `Mismatch in TCPACCEPT '
>TREJECT all -- anywhere anywhere
>
>Chain TREJECT (13 references)
>target prot opt source destination
>REJECT tcp -- anywhere anywhere reject-with tcp-reset
>REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
>DROP icmp -- anywhere anywhere
>REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
>
>Chain UDPACCEPT (5 references)
>target prot opt source destination
>ACCEPT udp -- anywhere anywhere
>LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `Mismatch on UDPACCEPT '
>TREJECT all -- anywhere anywhere
>
>*************************
>
>That doesn't really look right to me, but I don't claim to understand it at
>all.
>
>Devastated Dave
>_______________________________________________
>LUAU mailing list
>LUAU at videl.ics.hawaii.edu
>http://videl.ics.hawaii.edu/mailman/listinfo/luau
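A set of shell checks for three of the questions in the forwarded post (is ip_forward on, is the old ipchains module loaded next to iptables, and does the box have a default route at all, which is what a "network is unreachable" from ping points at). This is added here as an illustration and is not part of MonMotha's script or Dave's post; each check takes its input as an argument so it can run against captured output, and the lsmod and route -n text below is constructed, with 10.0.0.1 as a placeholder upstream gateway.

```shell
#!/bin/sh
# Added diagnostic helpers; not part of MonMotha's script or the original post.
# Each takes its input as an argument so it can be run against captured output;
# with no argument it reads the live system.

# True when the kernel forwards between its interfaces. Argument: path to the
# sysctl file (default: the live value).
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# True when the old ipchains module is loaded. ipchains and ip_tables are
# mutually exclusive in the 2.4 kernel, so iptables cannot load beside it.
# Argument: lsmod output (default: run lsmod).
ipchains_loaded() {
    mods=${1:-$(lsmod 2>/dev/null)}
    printf '%s\n' "$mods" | awk '$1 == "ipchains" { found = 1 } END { exit found ? 0 : 1 }'
}

# Prints the interface carrying the default route (destination 0.0.0.0 in
# 'route -n'), or nothing. "Network is unreachable" from ping means the kernel
# found no route for the destination, which happens with no rules loaded too.
default_route_iface() {
    rt=${1:-$(route -n 2>/dev/null)}
    printf '%s\n' "$rt" | awk '$1 == "0.0.0.0" { print $NF; exit }'
}

# One-line verdict per check, to separate a routing problem from a rule problem.
report() {
    if ip_forward_enabled "$1"; then echo "ip_forward: enabled"; else echo "ip_forward: DISABLED"; fi
    if ipchains_loaded "$2"; then echo "ipchains: LOADED (unload it before iptables)"; else echo "ipchains: not loaded"; fi
    iface=$(default_route_iface "$3")
    if [ -n "$iface" ]; then echo "default route: via $iface"; else echo "default route: MISSING"; fi
}

# Constructed sample inputs standing in for the firewall box; 10.0.0.1 is a
# placeholder upstream gateway, not the poster's real one.
SAMPLE_LSMOD='Module                  Size  Used by    Not tainted
ipchains               43616   0  (unused)
eepro100               20816   2'
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0'

report "" "$SAMPLE_LSMOD" "$SAMPLE_ROUTE"
```

When reading the rules themselves, use `iptables -L -v -n` rather than `iptables -L`: the plain listing in the post hides the interface column, so it cannot show which rules are bound to eth0 and which to eth1.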