[lug] Redhat doesn't support users that compile their own kernels.

D. Stimits stimits at idcomm.com
Fri Nov 2 19:42:21 MST 2001


Rob Nagler wrote:
> 
> > iptables, and have not had time to learn as yet, I simply ensure that
> > the init script only loads ipchains.
> 
> I don't quite understand the issue.  You can't run, say, qpopper and
> ipop3d simultaneously.  They share the same unique interface (port
> 110).  This is the same issue with ipchains and iptables.  While it
> might be possible to build a knowledge base defining all the possible
> resource conflicts, this isn't the "linux way" if you will.  DEC had
> such a system for configuring VAX hardware.  It was pretty cool, but
> which would you rather be using, Ultrix or Linux? ;-)
> 
> Anyway, I recently switched from ipchains to iptables with:
> 
> chkconfig --del ipchains
> chkconfig --add iptables
> reboot

This won't work under some circumstances. Yes, ipchains and iptables are
not supposed to work together at the same time. This isn't a bug. Trying
to use ipchains while iptables is loaded is a mistake. In that case, the
kernel returns an error.

The problem is that the Red Hat scripts do NOT TELL you that trying to
run ipchains failed. It looks successful. If ipchains fails due to the
kernel not supporting ipchains, the script lies. It only reports failure
correctly if ipchains was properly loaded. If for any reason you don't
have the ipchains module loaded, the script will go merrily along its
way without complaining.

Don't you think that if init tries to start ipchains and it fails, you
should see a failure message? If you try to bring up the network on a
broken interface, it tells you. But if the gates are wide open to all
the crackers, it sweeps it under the carpet. It simply does not matter
whatsoever that it fails due to bad rules or due to the kernel not
supporting ipchains. And it does not matter if it does not support
ipchains due to iptables being loaded, or if it does not support
ipchains because the module does not exist. It should *never* lie to me
about it working when it isn't. Period. No, I have absolutely zero
expectation that iptables and ipchains run at the same time; but I
require a 100% honest answer when I tell ipchains to run and it
fails...it MUST tell me that it failed, and not lie.

This has nothing to do with whether iptables should or should not have
been loaded. It has nothing to do with whether the bootup was configured
correctly. I expect that an indication be given of success or failure,
period. No lies. No false "success" stories. No missing "failure"
messages. If it does not load, it must say so. The reason for failure is
irrelevant, I only want an indication of what it did, and I want the
truth; security is important. Current ipchains scripts do not tell the
truth under all circumstances; they hide failure.

D. Stimits, stimits at idcomm.com

> 
> I don't think it's all that complicated.  I feel obligated to the boot
> configuration anyway, and rebooting is easier than playing
> rmmod/lsmod games.
> 
> If you are switching to iptables, here are a couple of problems I ran
> into.
> 
> The --log-prefix is stored correctly by iptables-save, but
> iptables-restore doesn't parse quoted strings.  This is on RH 7.1,
> iptables v1.2.1a.  It's probably been fixed in a newer version.
> 
> Another problem is that /etc/rc.d/init.d/iptables doesn't load the
> right modules.  You have to load them yourself.
> 
> So I ended up creating /etc/sysconfig/iptables.sh which does all the
> work.  It's easier to debug than save/restore, because it is
> repeatable.  I've attached the patch to /etc/rc.d/init.d/iptables.
> 
> The last "attachment" is my iptables script.  I cobbled together
> various ideas from around the net.  Your comments are welcome.
> [eth0 is the Internet (1.2.3.4).  eth1 is inside (192.168.1.1).]
> 
> Thanks,
> Rob
> 
> ----------------------------------------------------------------
> *** /etc/rc.d/init.d/iptables   Wed Mar 21 23:27:45 2001
> --- iptables    Fri Nov  2 19:04:37 2001
> ***************
> *** 58,64 ****
>               for i in $chains; do iptables -t $i -Z; done
> 
>             echo $"Applying iptables firewall rules: "
> !               grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /sbin/iptables-restore -c && \
>                     success $"Applying iptables firewall rules" || \
>                     failure $"Applying iptables firewall rules"
>             echo
> --- 58,64 ----
>               for i in $chains; do iptables -t $i -Z; done
> 
>             echo $"Applying iptables firewall rules: "
> !               bash /etc/sysconfig/iptables.sh && \
>                     success $"Applying iptables firewall rules" || \
>                     failure $"Applying iptables firewall rules"
>             echo
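Review bot: the replacement line hardcodes /etc/sysconfig/iptables.sh and drops the $IPTABLES_CONFIG variable that the original restore line honoured, so whatever the init script sets that variable to is now silently ignored; keep the path in a variable (e.g. `IPTABLES_SCRIPT=/etc/sysconfig/iptables.sh`) and call `bash "$IPTABLES_SCRIPT"` so the location is configurable in one place like the rest of the script. The `&& success || failure` structure is kept, and because iptables.sh runs under `set -e` every rule the kernel rejects propagates as a non-zero exit and lands in the `failure` branch, which is exactly the honest reporting the reply above asks for; a one-line comment saying that the script must exit non-zero on any failed rule would make that contract explicit for the next person editing it.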
> ----------------------------------------------------------------
> #!/bin/bash
> #
> # iptables initialization
> #
> # set -x
> set -e
> #
> # SERVICES
> #
> TCP_SERVICES=ssh,ftp,http,https
> 
> #
> # MODULES
> #
> modprobe ip_tables
> modprobe iptable_nat
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe ip_conntrack_irc
> modprobe iptable_filter
> modprobe iptable_mangle
> modprobe ipt_LOG
> modprobe ipt_REJECT
> modprobe ipt_state
> 
> #
> # FUNCTIONS
> #
> 
> # stop_and_log chain rule jump prefix
> #
> # Log the rule on chain with prefix and rewrite rule if jump is not
> # empty.
> #
> function stop_and_log {
>     iptables -A $1 $2 -m limit --limit 2/m --limit-burst 1 -j LOG \
>         --log-prefix "$1 $4: "
>     if [ "x$3" != x ]; then
>         iptables -A $1 $2 -j $3
>     fi
> }
> 
> # basic_filter chain accept_interfaces
> #
> # accept_interfaces are not filtered.  On the rest of the interfaces,
> # allow established,related and drop invalid.
> #
> function basic_filter {
>     typeset chain=$1
>     shift
>     typeset dir=$1
>     shift
>     typeset ifc
>     for ifc in "$@"; do
>         iptables -A $chain $dir $ifc -j ACCEPT
>     done
> 
>     # Basic protection
>     iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
>     stop_and_log $chain '-m state --state INVALID' DROP 'invalid'
> }
> 
> #
> # FLUSH
> #
> iptables -F
> iptables -F -t nat
> iptables -F -t mangle
> iptables -X
> 
> #
> # POLICY: DROP
> #
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> 
> #
> # SNAT
> #
> # Make everything going out eth0 look like it is going out correct IP addr
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
> 
> #
> # DNAT
> #
> # Make incoming port 80 map to 192.168.1.1 (testing for now)
> # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
> #       -j DNAT --to 192.168.1.1
> 
> #
> # INPUT (destined for this box)
> #
> # lo & eth1 are safe interfaces.  We accept anything from them.  Our
> # servers are secure.
> basic_filter INPUT -i lo eth1
> 
> # Allow incoming protocols: ssh, pop3, smtp, auth
> # We don't run identd, but we'll return connection refused on "auth".
> # Better than dropping packets.
> iptables -A INPUT -m state --state NEW -p tcp -m multiport \
>     --destination-port ssh,pop3,pop3s,smtp,auth -j ACCEPT
> 
> # LOG port scans
> stop_and_log INPUT \
>     '-p tcp --tcp-flags SYN,ACK,RST ACK -m state --state NEW' \
>     'REJECT --reject-with tcp-reset' \
>     'ACK scan'
> 
> # We'll see this with incoming trace route
> stop_and_log INPUT \
>     '-p tcp ! --syn -m state --state NEW' \
>     DROP \
>     'scan'
> stop_and_log INPUT \
>     '-p tcp --tcp-option 64' \
>     DROP \
>     'tcpopt 64'
> stop_and_log INPUT \
>     '-p tcp --tcp-option 128' \
>     DROP \
>     'tcpopt 128'
> 
> # Ignore route packets
> iptables -A INPUT -p udp --dport route -j DROP
> 
> stop_and_log INPUT '' '' default
> 
> #
> # OUTPUT (locally generated packets)
> #
> # Allow anything from this box out to eth1 and lo.  Our servers are friendly.
> basic_filter OUTPUT -o lo eth1
> 
> # Outgoing UDP
> iptables -A OUTPUT -o eth0 -p udp -m multiport \
>     --destination-port domain,ntp -j ACCEPT
> # traceroute uses lots of different ports
> iptables -A OUTPUT -o eth0 -p udp \
>     --destination-port 33435:33500 -j ACCEPT
> # Outgoing TCP
> iptables -A OUTPUT -o eth0 -p tcp -m multiport \
>     --destination-port $TCP_SERVICES,ntp,smtp,auth -j ACCEPT
> 
> # Outgoing ICMP
> iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
> 
> # log unwanted attempts, not flooding the logfile
> stop_and_log OUTPUT '' '' default
> 
> #
> # FORWARD (passing through box)
> #
> basic_filter FORWARD -i lo
> 
> # Outgoing TCP
> iptables -A FORWARD -i eth1 -p tcp -m multiport \
>     --destination-port $TCP_SERVICES -j ACCEPT
> 
> # Outgoing TCP on invalid ports, we reject
> stop_and_log FORWARD \
>    '-i eth1' \
>    'REJECT --reject-with icmp-proto-unreachable' \
>    'internal proto'
> 
> # Outgoing ICMP
> iptables -A FORWARD -i ! eth0 -p icmp -j ACCEPT
> 
> # log unwanted attempts, not flooding the logfile
> stop_and_log FORWARD '' '' default
> 
> exit 0
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
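As an added example of the behaviour Stimits asks for (not code from this thread or from Red Hat's init scripts): a rule loader that feeds a rules file to the firewall tool one rule at a time, passes the tool's real exit status through, and stops at the first rule the kernel rejects, so boot output never claims success for a firewall that is not loaded. The helper names and the sim_iptables stand-in (used so the script runs offline and unprivileged) are assumptions made for this illustration.

```shell
#!/bin/sh
# honest_apply LABEL CMD [ARGS...]: run CMD, report its real result on
# stderr, and return its exit status unchanged. (Hypothetical helper.)
honest_apply() {
    label=$1; shift
    "$@"
    status=$?
    if [ "$status" -ne 0 ]; then
        printf '%s: FAILED (exit %d): %s\n' "$label" "$status" "$*" >&2
    else
        printf '%s: OK\n' "$label" >&2
    fi
    return "$status"
}

# apply_rules_file TOOL FILE: feed each rule line of FILE to TOOL one at
# a time (blank and comment lines skipped) and stop at the first rejected
# rule, so a half-loaded firewall is never reported as a success.
apply_rules_file() {
    tool=$1; file=$2; n=0
    [ -r "$file" ] || { printf '%s: missing or unreadable\n' "$file" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $line                      # word-split the rule into arguments
        [ $# -eq 0 ] && continue          # blank line
        case $1 in \#*) continue ;; esac  # comment line
        honest_apply "$file:$n" "$tool" "$@" || return 1
    done < "$file"
    return 0
}

# sim_iptables: constructed stand-in for iptables/ipchains. Accepted rules
# are appended to $SIM_LOG; a rule containing "bogus" is rejected, as the
# kernel rejects a match or target it does not support.
sim_iptables() {
    case " $* " in *" bogus "*) echo 'sim_iptables: no such match' >&2; return 1 ;; esac
    printf '%s\n' "$*" >> "${SIM_LOG:-/dev/null}"
}

# Demo on a constructed ruleset whose middle rule is rejected: the loader
# reports the failing line and exits non-zero instead of "succeeding".
demo=$(mktemp -d); SIM_LOG=$demo/applied
printf '%s\n' '# constructed rules' '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -p tcp --dport 22 -m bogus -j ACCEPT' '-A INPUT -j DROP' > "$demo/rules"
apply_rules_file sim_iptables "$demo/rules" || echo 'firewall NOT loaded' >&2
rm -rf "$demo"
```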