March 29th, 2004, 07:46 AM
help with iptables
Seems that shorewall has taken over my iptables in linux; as a result it's blocking all icmp packets and blocking netbios sessions.
It also seems I may have more than one iptables file.
How can I tell which iptables is active, and how would I go about telling shorewall not to manage my iptables?
I'm really new to this and have done google searching first; I find many resources on iptables, but none seem to resolve my issues.
If /sbin/iptables is the active one, since it seems this is being controlled by shorewall, it has made too many unwanted changes, and I don't know enough to get my iptables back to the way it was.
Seems shorewall took over when I went into webmin last night.
Any guidance or help is appreciated.
March 29th, 2004, 12:06 PM
I have never used shorewall so I can't help with that.
Did you do an "/sbin/iptables -v" to find out what version is running?
How about a "/usr/local/sbin/iptables -v"? ( see below )
Did it match "rpm -qa | grep iptables"? ( I saw in your profile you use Red Hat 9 )
Have you recompiled your kernel?
Ok, I'll admit it; I'm tired and getting drunk after 24 hrs work in the last 36, but here goes.
Providing you can figure out how to remove shorewall ( I don't know how you installed it ), the next part is how to replace iptables.
Just remove all the rpms then reinstall them.
That is of course if you don't use a custom kernel ( well, it would still work, but not quite right ).
RH 9 using rpms uses init.d and xinetd to start and stop processes like ipchains and iptables.
When building a kernel from The Linux Kernel source with the Netfilter/Iptables package ( unless the core is built as a module ), iptables will be started by the kernel. To avoid confusion it is wise to uninstall the rpm iptables and ipchains packages. Do a
rpm -qa |grep ipchains
rpm -qa |grep iptables
Then using rpm -e --nodeps <package> uninstall the packages. The --nodeps is needed because of the RH security configuration packages.
Red Hat does not use the standard directory structure that iptables and the kernel are looking for.
If you build your own netfilter package or compile it into the kernel it will use "/usr/local/sbin/", but Red Hat puts it in "/sbin/".
I do not remember what version of iptables RH9 uses, but I will assume you want the latest and greatest and also build your own custom kernel from The Linux Kernel and Netfilter/Iptables. I will not go into the kernel build here; you've been around a while and should know that. But say you need a few patches from POM. Let me see if I can guide you through that.
Although there is a new POM as of 3/2/04 as well as a new kernel ( 2.4.25 as of this time ), I will be referencing the previous; you can adjust as necessary.
Again, this is for Red Hat 9
I will be using a few directories for building the kernel:
the /kernel directory ( where the kernel will be built )
the /installnow directory ( where iptables will be unpacked along with patch-o-matic )
the /download directory ( where the files were downloaded to )
In this case the files we will be using are:
1) download the necessary files from the respective sites.
2) check the signatures of the downloaded files
gpg --verify linux-2.4.24.tar.gz.sign
gpg --verify iptables-1.2.9.tar.bz2.sig
gpg --verify patch-o-matic-20031219.tar.bz2.sig
Notice several things here. The actual command to check the kernel source should be
gpg --verify linux-2.4.24.tar.gz.sign linux-2.4.24.tar.gz
but the name of the file to be checked can be omitted if the files are in the same directory and have the same name. Also, you may have to import a key signature ( using the kernel source here as an example )
gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517d0f0e
You may get a message
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
This will depend on how you have set up your trusted keys, etc. But you should have received a message like
gpg: Signature made Mon 05 Jan 2004 08:58:46 AM EST using DSA key ID 517D0F0E
gpg: Good signature from "Linux Kernel Archives Verification Key <firstname.lastname@example.org>"
3) copy the kernel source to the /kernel directory
cp linux-2.4.24.tar.gz /kernel/
4) copy the iptables and pom files to the /installnow directory
cp iptables-1.2.9.tar.bz2 /installnow/
cp patch-o-matic-20031219.tar.bz2 /installnow/
5) change to the kernel directory and unpack the source
tar -xzvf linux-2.4.24.tar.gz
6) change to the linux source directory and compile kernel
Edit the Makefile for EXTRAVERSION
7) change to the directory where iptables and pom are and unpack them
bzip2 -dc iptables-1.2.9.tar.bz2 | tar xvf -
bzip2 -dc patch-o-matic-20031219.tar.bz2 | tar xvf -
Here is where you will add the POM patches to the Netfilter source. The ones I have chosen may be different, they are just an example.
8) change to the newly created pom directory and apply patches
KERNEL_DIR=/kernel/linux-2.4.24 ./runme extra
included patches for example build: 72_recent_procfs_fix.patch
9) change to the linux source directory and compile kernel
10) change to the iptables directory and apply
make BINDIR=/sbin LIBDIR=/lib KERNEL_DIR=/kernel/linux-2.4.24
make install BINDIR=/sbin LIBDIR=/lib KERNEL_DIR=/kernel/linux-2.4.24
11) now build your kernel
don't forget to make changes to EXTRAVERSION in the Makefile
12) Don't forget to set up Lilo ( and use lilo -v ) or Grub
13) delete the new directories for building linux, pom and iptables ( a paranoid step so anyone who breaks in does not have access to the build files )
14) run the command "updatedb" just for "shits and giggles"
Now you will have to set up your new Iptables rule set. But I am completely drunk and tired and going to bed.
Good luck, hope this helped, even if just to show you where iptables is stored by default in Red Hat and other Linux distros.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
March 29th, 2004, 02:47 PM
Wow, that's a lot, lol; I haven't recompiled my kernel enough times to comment on that.
I do, however, know iptables.
You need to see if monkeywall, or whatever it is, will change your firewall rules if you change them at bootup. Meaning, if you put some iptables commands in your startup scripts, will shorewall change them later or in real time?
First off, you don't need to mess with the iptables config files; in fact, at least Red Hat encourages you not to. I agree. You can edit the rules using the iptables command itself, and it's plenty simple. First, use the command
iptables -L INPUT
That should show you the rules for stuff coming into your box. All these commands I'm going to show you btw, are easily understood by doing man iptables. Now, if under the target field, it has something other than a clear word like ACCEPT, DROP and such, do the following. The rule is simply a jump to a chain defined by your OS or shorewall. No big deal.
iptables -L <whatever was under 'target'>
This would probably look like either 'RH-Lokkit-0-50-INPUT' or 'SW-Something-Shorewall-42' or something crazy like that. If all the targets in the list are clearly things that can be done to a packet, then that's the list of what's going on.
The following should probably go in a startup script, but you can do it by hand at first to make sure it works. To begin, you need to flush your INPUT chain. Keep in mind that the INPUT chain will more than likely be reset back to Shorewall's default upon reboot. Shorewall's firewall commands are most likely set as a service, and will execute in the first part of system initialization. Putting your rules in the startup script will essentially override those set during service initialization. Sloppy, but oh well. This will clear (flush) your INPUT chain, basically allowing anything until you specify more rules.
iptables -F INPUT
After that you would put the commands specific to your system. Read 'man iptables' and decide what rules fit your system. With the iptables command you can specify what ports you want open and what your default rules should be with a relatively simple command line tool.
Some literature regarding iptables: http://www.antionline.com/showthread...ables+tutorial
hope that helps,
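The two steps in the post above (read the INPUT chain, follow any jump to a user-defined chain, then add your own rules) can be scripted. The script below is an added example, not code from the thread or from Shorewall; it assumes a constructed LAN of 192.168.1.0/24 on eth0 (the LAN and LAN_IF variables, change them to suit) and does nothing to the kernel unless APPLY=1 is set, so it can be read and tested without root. Instead of flushing the chain with `iptables -F INPUT`, it inserts its rules at the top with `-I`, ahead of whatever jump Shorewall put there, so ICMP and NetBIOS from the LAN are accepted while the rest of the existing policy stays in force.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the INPUT chain and build the
# minimal rules that allow ICMP and NetBIOS from the local LAN only.
# Assumptions (constructed for this example): the LAN is 192.168.1.0/24 on
# eth0; override LAN and LAN_IF in the environment to match your network.
# Nothing is applied unless APPLY=1 is set.

LAN="${LAN:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"

# Print the INPUT chain and, for every target that is not a builtin verdict,
# print that user-defined chain too (this is the "follow the jump" step).
# Needs root and the real iptables binary.
show_input_chain() {
    iptables -L INPUT -n -v
    iptables -L INPUT -n | awk 'NR>2 {print $1}' |
        grep -v -E '^(ACCEPT|DROP|REJECT|RETURN|LOG)$' | sort -u |
        while read -r chain; do
            echo "=== jump target: $chain ==="
            iptables -L "$chain" -n -v
        done
}

# Emit the rules as text, one command per line. Keeping generation separate
# from execution makes the rule set reviewable before it touches the kernel.
# -I puts each rule at the head of INPUT, before any jump to a Shorewall chain.
# UDP 137-138 is NetBIOS name/datagram service, TCP 139 is NetBIOS session
# and TCP 445 is direct-hosted SMB; all are limited to the LAN interface and
# LAN source range so nothing is opened toward the Internet.
lan_rules() {
    cat <<EOF
iptables -I INPUT -i $LAN_IF -s $LAN -p icmp -j ACCEPT
iptables -I INPUT -i $LAN_IF -s $LAN -p udp --dport 137:138 -j ACCEPT
iptables -I INPUT -i $LAN_IF -s $LAN -p tcp --dport 139 -j ACCEPT
iptables -I INPUT -i $LAN_IF -s $LAN -p tcp --dport 445 -j ACCEPT
EOF
}

# Number of rules lan_rules emits (for sanity checks and tests).
lan_rule_count() {
    lan_rules | wc -l | tr -d ' '
}

# Apply the rules only when explicitly asked; otherwise just print them.
apply_lan_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        lan_rules | sh -e
    else
        echo "# dry run; set APPLY=1 to insert these rules:"
        lan_rules
    fi
}

apply_lan_rules
```

Run it once as a dry run to review the four commands, then with `APPLY=1` as root; put the same call in a startup script so the rules are re-inserted after Shorewall's service has started at boot, as the post suggests.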
March 29th, 2004, 05:45 PM
Let me apologize if I confused anybody. Most of the post above would not be necessary with a stock install of Red Hat.
I believe Shorewall http://www.shorewall.net/ uses rpms to install so if written properly can be uninstalled using the rpm package.
( do a “rpm -qa | grep shorewall” to see the installed packages, then “rpm -e filename” to uninstall )
Then do the same for iptables, then reinstall from the install disks; that should clean it up.
Then you could probably run lokkit to have it set up as you did when you first installed RH9.
The rest of the procedure above is only for those building a custom kernel and want to use the latest version of Netfilter, maybe want to include some features from POM, and want to avoid multiple versions on their file system.
The problem comes in when building a custom kernel. ( He indicated he may have more than one iptables file on the system, which is why I included the rest of it. ) You can wind up with multiple versions of iptables and not know which one is being used, because Red Hat uses a different directory to store it.
I have RH9 installed with iptables. ( starts from an init.d script, iptables stored in /sbin directory )
I build a custom kernel, and choose to build iptables into the kernel. ( If you use the stock Linux kernel the kernel will now start it from /usr/local/sbin )
now you get it running but which one is running ?
That is what the rest of the post is about, getting just one version on the computer and in the correct place. Step 10 in the above post tells the kernel to install it where RH9 expects it ( which is why it was in bold ).
If you compile it into the custom kernel it will start automatically. Otherwise you will need an init.d script to start it. Note here, if you use "rpm -e iptables" to uninstall the original iptables package, rpm will also remove the init.d scripts. If you want it started from the scripts, the easiest way is to copy the scripts before removing the package, then just replace the scripts when removal is done.
One more thing, the above just gets it running with the default “accept all” policy.
You'll have to make your own policies from there.
Did I clear things up or make it harder ?
Going back to bed ....
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
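The "which one is running?" question in the post above can be answered mechanically: list every executable named iptables in the usual directories, ask each for its version, ask rpm who owns it, and see which one a bare `iptables` resolves to in $PATH. The script below is an added example, not code from the thread; the candidate directory list is an assumption (the two paths named in the thread plus the common bin directories) and can be overridden by passing directories as arguments. Note that it uses capital `-V`, which prints only the version, where the posts use `-v` (verbose).

```shell
#!/bin/sh
# Added example (not from the thread): find every iptables binary on the box,
# report each one's version and owning rpm, and show which one $PATH picks.
# Assumption: the candidate directories below; pass your own as arguments.

DEFAULT_DIRS="/sbin /usr/sbin /usr/local/sbin /bin /usr/bin /usr/local/bin"

# One line per executable named iptables: "<path> <version string> <owner>".
# The version comes from "iptables -V"; the owner is the rpm that provides
# the file, or "unpackaged" when rpm is absent or knows nothing about it.
# A hand-built /usr/local/sbin/iptables next to a packaged /sbin/iptables
# shows up here as two lines with different owners.
find_iptables_binaries() {
    dirs="${*:-$DEFAULT_DIRS}"
    for d in $dirs; do
        bin="$d/iptables"
        [ -x "$bin" ] || continue
        ver=$("$bin" -V 2>/dev/null | head -n 1)
        [ -n "$ver" ] || ver="version-unknown"
        owner="unpackaged"
        if command -v rpm >/dev/null 2>&1; then
            owner=$(rpm -qf "$bin" 2>/dev/null) || owner="unpackaged"
        fi
        echo "$bin $ver $owner"
    done
}

# The binary a bare "iptables" command resolves to, or "none" if not in PATH.
active_iptables() {
    command -v iptables 2>/dev/null || echo none
}

# Number of distinct binaries found; more than one means the problem described
# in the post above (two versions, unclear which is in use) applies here.
iptables_binary_count() {
    find_iptables_binaries "$@" | wc -l | tr -d ' '
}

echo "iptables binaries found:"
find_iptables_binaries "$@"
echo "active in PATH: $(active_iptables)"
```

If the count is greater than one, the path that `active_iptables` prints is the one your shell and scripts use; any init.d script should be checked for a hard-coded path, since it may not call the same binary.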
March 29th, 2004, 11:45 PM
My profile is a month old; I don't have Red Hat anymore, now I have Mandrake 9.2.
/sbin/iptables -v told me I had 1.2.8
/usr/local/sbin/iptables -v tells me no such file
rpm -qa | grep iptables tells me I have iptables-1.2.8-2mdk
shorewall appears to have come with mandrake, and got activated perhaps when I was in webmin.
In the init.d folder you were talking about I found shorewall, iptables and firestarter.
Using your rpm -e commands I was able to remove shorewall, firestarter and then removed iptables. I much appreciate this; I didn't know it was that simple to remove packages.
Anyway, then I went into control center and went through the Internet Sharing wizard; it prompted to install packages, and later I discovered it put iptables and shorewall back in, so it seems iptables-1.2.8-2mdk and shorewall are tied together in Mandrake.
After this process, Internet Sharing works as it did before the incident, but I am unable to ping any local address.
I did an iptables -L and shorewall is still in there; as well, icmp is blocked, but I don't know how to unblock it. And iptables -F does not help, I tried.
I even tried downloading firestarter again, but it keeps telling me there is an unknown error and firestarter never starts. I wrote a report to Firestarter about it.
But I need to somehow allow icmp and allow my netbios.
I much appreciate everyone's assistance. I think instead of recompiling the kernel, which I have no experience with, using the manual iptables commands as suggested by Uppercell would be my easiest option.
I did an iptables --help but I really don't know what commands to type.
Any further assistance would be appreciated; also the link to the antionline iptables tutorial failed to load, it gave a timeout.
March 30th, 2004, 01:20 AM
I just removed mandrake and am in the process of downloading mandrake 10 community.
I was looking at www.linuxiso.org and it seems mandrake and redhat are the most user-friendly from the descriptions, but rh doesn't give free updates anymore. I'm gonna try my luck with mandrake 10.
I much appreciate all the help, and I have learned a lot about rpms and iptables.
March 30th, 2004, 03:01 PM
Hope I can help you a little here.
Yes, Shorewall and Mandrake are kinda tied together. If you opt to install and activate Mandrake's firewall, it will use Shorewall to do so. Shorewall is an iptables config script, basically. You modify the files in /etc/shorewall to get iptables to do your work for you. I have found shorewall very easy to use (yes, I will eventually learn iptables itself, but just not soon ) The shorewall files are very well commented and you can find tuts at http://www.shorewall.net .
Some things I have learned:
1. If you have shorewall installed, it must be running or you can't use the network. So if you issue the command "shorewall stop", then you can't surf, ping, etc. Make sure that if it is installed it is running. Just issue a "shorewall start", and if it is already running, it will tell you so.
2. Make sure your /etc/shorewall/policy states that all traffic from the fw zone to the net is to be accepted.
3. Make sure your /etc/shorewall/shorewall.conf has been edited to include the correct paths to your modules and such. The more that I think about it, this might well be your problem if the rpms you used did not go in the right place or have the correct defaults or about a hundred other things.
4. To set up netbios, just add entries to /etc/shorewall/rules. You can allow a specific ip addy, a specific mac, specific ports, however limiting you wish to be. If you are behind a router, and you are going to trust a machine to share files, I would just allow all traffic from that particular private ip (if reserved) or mac, and not worry about the ports.
Lastly, I think shorewall comes with 10.0 also.
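Points 2 and 4 in the post above (check that /etc/shorewall/policy lets the fw zone reach the net, and add /etc/shorewall/rules entries for the machine you share files with) can be turned into a small checker. The script below is an added example, not code from the thread or from the Shorewall project. It assumes the zone names `loc` (LAN) and `net` (Internet) from Shorewall's standard two-interface sample, `FW=fw` in shorewall.conf, and the rules-file column order ACTION SOURCE DEST PROTO DEST PORT(S); the policy files it writes are constructed sample data. Rather than opening all traffic from the trusted host, it emits only ICMP and the NetBIOS/SMB ports from that one address, which is the tighter version of point 4.

```shell
#!/bin/sh
# Added example (not from the thread): generate Shorewall 1.4-style rules that
# allow ICMP and NetBIOS/SMB from one trusted LAN host, and check that the
# policy file lets the firewall itself reach the Internet.
# Assumptions: zones "loc" and "net", FW=fw in shorewall.conf, and rules-file
# columns ACTION SOURCE DEST PROTO DEST PORT(S). Adjust for your zones.

# Rules lines for one trusted host: ICMP (ping) plus the NetBIOS/SMB ports.
# Limiting SOURCE to a single address keeps the hole as small as possible.
# \$FW is escaped so the literal $FW variable lands in the rules file.
netbios_rules_for_host() {
    host="$1"
    cat <<EOF
ACCEPT  loc:$host  \$FW  icmp
ACCEPT  loc:$host  \$FW  udp  137,138
ACCEPT  loc:$host  \$FW  tcp  139,445
EOF
}

# Number of rules lines emitted for a host (for sanity checks).
netbios_rule_count() {
    netbios_rules_for_host "$1" | wc -l | tr -d ' '
}

# Exit 0 when the policy file has an active "fw net ACCEPT" entry (comments
# and blank lines ignored); without it the box cannot surf or ping, which is
# the symptom point 1 and point 2 in the post describe.
policy_allows_fw_to_net() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
        awk '$1 == "fw" && $2 == "net" && $3 == "ACCEPT" { found = 1 }
             END { exit found ? 0 : 1 }'
}

# Demo on constructed sample policy files written to a temp dir.
demo() {
    dir=$(mktemp -d)
    printf 'fw\tnet\tACCEPT\nloc\tnet\tACCEPT\nnet\tall\tDROP\tinfo\nall\tall\tREJECT\tinfo\n' > "$dir/policy.good"
    printf '#SOURCE\tDEST\tPOLICY\nnet\tall\tDROP\tinfo\nall\tall\tREJECT\tinfo\n' > "$dir/policy.bad"
    policy_allows_fw_to_net "$dir/policy.good" && echo "policy.good: fw -> net is accepted"
    policy_allows_fw_to_net "$dir/policy.bad" || echo "policy.bad: fw -> net is NOT accepted (you could not surf or ping)"
    echo "rules for a trusted host:"
    netbios_rules_for_host 192.168.1.10
    rm -rf "$dir"
}

demo
```

To use it for real, run `policy_allows_fw_to_net /etc/shorewall/policy` and append the output of `netbios_rules_for_host <ip>` to /etc/shorewall/rules, then `shorewall restart`; the comma-separated port lists rely on the multiport match, which Shorewall uses when the kernel provides it.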
April 4th, 2004, 06:22 AM
As it turned out mdk 10 fails to install; I ended up installing fedora core 1, after learning that it does offer updates. I thought RHN just abandoned free users altogether but it looks like they didn't.
I thank you for the link to the shorewall tutorial, and for the information on shorewall.conf and setting up rules to allow netbios. I decided that mandrake was causing so many problems for me, and although reading the shorewall tutorial would have probably helped me set up rules, I still had other mdk problems to contend with. With the iptables/shorewall issue, I got very upset that after a fresh install of mdk and having used the control center to set up ipmasq and samba, then only going into webmin, shorewall resets my rules. This was a major issue for me.
Now in fedora I will consider shorewall, firestarter or some other iptables interface. Eventually I plan to spend the time and learn iptables also. Many thanks to all who provided me help and guidance, and believe me I learned a lot, and will be using this information more, especially now since my distro is redhat based.
April 4th, 2004, 09:19 AM
My advice on this is to keep a few things in mind when you do this:
First off, IMO, Red Hat did not abandon anything except offering their free software in a boxed set with limited support: they just renamed it and provided for more extensive user input ( I still haven't formed an opinion on this strategy and I don't think they have all the bugs worked out in this method ). Their "consumer" products were always the testing ground for their commercial software, offering as far as possible the latest versions of included programs ( such as GNOME, kernels, etc. ). The commercial versions were/are a few steps behind, but with all security flaws repaired and ROCK SOLID, learning from their feedback, as they will do with the Fedora Project.
Although FC1 ( fedora core 1 ) is available in ISOs I am not convinced that this is the way to go at this point. It should be on par with the next release of the old RH ( something like RH 9.1 ) but they have had issues with updates and I am not clear if they have resolved them ( from what I have seen updates can be trying if you are used to the old RH ). But RH9 is reaching its end-of-life ( 4-30-04 ) and many will begin to bail out looking for another product with current updates.
Hopefully RH will reconsider and extend support on RH9 at least until the update problems are rectified with FC1 and it has had time to be known to the mainstream. Since you have previous experience with ( RH9 ) Linux maybe you should venture to something else for a while. BSD would be a great experience, or another distro of Linux might serve you if you are looking to expand on knowledge of Netfilter. ( I am worried and curious though as to why mdk 10 failed to install )
You could reinstall your previous MDK , and find the problems with Shorewall . OR, remove iptables and Shorewall , then build a custom kernel as described ( Mandrake has previously used RH as a model, and your “/sbin/iptables -v " says it still uses the same file format as RH for iptables. The above procedure should work, while installing the latest Netfilter version to boot ) . Then make your own firewall rules! Just remember, block everything by default and log it first. Then you can punch the holes you need by reading the logs. And read the documentation on Netfilter.org , even if you don’t understand it; you eventually will as you experiment.
Do not, and I repeat, DO NOT try FC2 ( fedora core 2 ) unless you are very familiar with both the Linux operating system and SE Linux ! You will be very frustrated and disappointed. It is, in my opinion, a giant leap forward but not nearly ready for a novice or even someone with fundamental Linux skills to handle! The Documentation is not there yet, and the bugs for a mainstream OS haven’t been worked out. ( But that is how Linux users came to be !! Ain’t life GRAND !! )
Don’t shy away just because you encounter problems, learn to fix them. There is real satisfaction in learning how to do things yourself, and you’d be surprised how many people have the same problems, and how many you can help.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
April 4th, 2004, 02:35 PM
Well, I am sorry to hear that your problems continued. Sometimes it can be so frustrating that you can just throw the hands up and install something different. Just a couple of quick notes here.
Journy101: I believe the reason that shorewall keeps screwing everything up for you is that you are using webmin to set things. Whenever I fire up webmin, and I navigate to the shorewall or firewall modules, a message pops up that says it has detected two firewall scripts on the machine, and one needs to be disabled (or something like that). So, I think webmin might have something to do with the whole thing. Whenever I saw that message, I just went back to the shorewall files and configged from there.
IKnowNot: The only problem I had with the updates on FC1 was a ridiculous download speed (appx. 6 KB/s) I don't know if this is what you were referring to, but a quick google showed me that this was a very prevalent problem. It occurs because the default update servers are the rh servers, which are always slammed. I went and changed the update servers to the ones I downloaded the isos from (univ. of tulsa) and whammo, I was d/l the updates at 300+KB/s.
Anyway, good luck Journy101. Hope the next install goes a little smoother for ya.