I'm trying to configure a messaging system based on a PHP script with iptables, rsyslog and MySQL. On the firewall server Sendmail is installed, so I'd like to use it to deliver messages to the main mail server, located in the DMZ. In the LAN I've configured another Linux server that works perfectly, sending mail messages to the server located in the DMZ. After looking for some solution I've tried to configure sendmail to relay mail to the server, but the only thing I reached is the following message: "Deferred: Connection refused by mail.server.com". The message stays in the queue, and flushing it replies
I am facing a strange problem with my iptables: there are some firewall entries stored somewhere which are displayed even after flushing iptables, and when I restart the iptables service the firewall entries are shown again in my iptables, as shown below,
If I forward port 80 to port 3128 for squid with an iptables rule, does port 3128 have to be open on the firewall, or is this all routed behind the firewall?
I am using Webmin for my daily tasks. I have Fedora 13; whenever I click on "Sendmail M4 Configuration" or "Outgoing Addresses (generics)" I get the following error message
Quote:
    The Sendmail M4 configuration base directory /usr/share/sendmail-cf was not found on your system, or is not the correct directory. Maybe it has not been installed (common for packaged installs of Sendmail), or the module config is incorrect.

I read the documentation at sendmail.org; it seems that the directory structure for sendmail has been changed in version sendmail-8.1.4 shipped with FC13. In the Webmin config module we have

Quote:
    Sendmail M4 base directory = /usr/share/sendmail-cf

which is not there. I did a locate / sendmail-cf on the command line; it finds nothing.
I am having a little trouble setting up a NAT firewall using iptables. I have 1 PC dedicated to being the firewall, running Ubuntu 10.04 LTS. There are 2 NICs in this PC. One NIC is connected to the modem and the other is hooked into my router, sharing the connection through to the other PCs on my LAN. The thing is that I am having trouble setting this up using iptables. I have it sharing the connection, but can't seem to make it forward 2 ports through to my web server on the LAN. I am also wanting to set up init.d to control iptables. I have been trying to google this, but haven't found anything useful to get this accomplished. I put the following into rc.local to make the forwarding work:
Code:
    /sbin/iptables -F
    /sbin/iptables -N block
    /sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new connections from any interface except eth0 (the old "-i ! eth0" spelling is deprecated)
    /sbin/iptables -A block -m state --state NEW ! -i eth0 -j ACCEPT
    /sbin/iptables -A block -j LOG
    /sbin/iptables -A block -j DROP
    /sbin/iptables -A INPUT -j block
    /sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
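An added example, not the poster's rc.local. The posted script only filters INPUT and masquerades; nothing in it rewrites the destination of inbound traffic (nat PREROUTING) or admits it through the FORWARD chain, which is why the two ports never reach the LAN host. The script below is a complete gateway ruleset with port forwarding in the same iptables style. Interface names and addresses are assumptions (eth0 = modem side, eth1 = router side, LAN 192.168.1.0/24, web server 192.168.1.10, ports 80 and 443); it prints the rules by default and applies them only with APPLY=1, so it can be reviewed first and then called from an init.d script.

```shell
#!/bin/sh
# Added example (not the poster's rc.local): NAT gateway with two forwarded ports.
# Assumed layout: eth0 = modem side (WAN), eth1 = router/LAN side, web server on the LAN.
# Prints the rules by default; APPLY=1 runs them (needs root).
IPT=${IPT:-/sbin/iptables}
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB=${WEB:-192.168.1.10}          # assumed LAN web server address

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then "$IPT" "$@"; else echo "$IPT $*"; fi
}

# Forward one port from the public side to a LAN host. DNAT in PREROUTING rewrites the
# destination before the routing decision; the FORWARD rule must therefore match the
# rewritten (private) address, not the public one.
forward_port() {
    proto=$1; port=$2; host=$3
    ipt -t nat -A PREROUTING -i "$WAN" -p "$proto" --dport "$port" -j DNAT --to-destination "$host:$port"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -p "$proto" -d "$host" --dport "$port" -m state --state NEW -j ACCEPT
}

base_rules() {
    ipt -F; ipt -X; ipt -t nat -F
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    # the gateway itself: loopback, replies, and management from the LAN only
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    # traffic through the gateway: replies in both directions, LAN -> internet, plus
    # whatever forward_port adds; everything else hits the FORWARD DROP policy
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

gateway() {
    base_rules
    forward_port tcp 80 "$WEB"
    forward_port tcp 443 "$WEB"
    # iptables does not turn routing on; the kernel switch is separate
    if [ "${APPLY:-0}" = 1 ]; then sysctl -w net.ipv4.ip_forward=1; fi
}

gateway
```

Run it once without APPLY to read the rules, then `APPLY=1 sh gateway.sh` as root. Note that a LAN client cannot test the forwarded ports through the public address with these rules alone; that needs hairpin NAT, which is a separate problem.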
I have to do my final exam on network & security; my task is to compare iptables and a firewall program (yeah, not a distribution). I use Arch Linux so I'd like to continue using it for my project! Anyway my question is: which network firewall could be the best one? I need these features:
- packet filtering
- HA (High Availability)
- Live (active) connection migration (if one fails...)
- Load balancing (not really important but...)
I know "many" firewalls but they are all distros. I need something to install on a Linux machine (as said... better if I can run it directly on Arch Linux!)
Recently I have been working with iptables and trying to understand how to use it. Here's a little script I have written to set up a basic firewall for myself:
Code:
    #!/bin/bash
    if [ `id -u` -ne 0 ]; then
        echo "You need root privilege"
        exit 1
    fi

    PROG=/sbin/iptables
    $PROG -F

    # each option opens one listening port in INPUT
    function sethttp {
        echo "Opening http port..."
        $PROG -A INPUT -p tcp --dport 80 -j ACCEPT
    }

    function sethttps {
        echo "Opening https port..."
        $PROG -A INPUT -p tcp --dport 443 -j ACCEPT
    }

    function settorrent {
        echo "Opening torrent port..."
        $PROG -A INPUT -p tcp --dport 52413 -j ACCEPT
    }

    while getopts "hst" option; do
        case "$option" in
            h) sethttp;;
            s) sethttps;;
            t) settorrent;;
            *) echo "DOH!"
        esac
    done

    # default rules: replies to our own connections in, everything out, loopback, drop the rest
    $PROG -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $PROG -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $PROG -A INPUT -i lo -j ACCEPT
    $PROG -A OUTPUT -o lo -j ACCEPT
    $PROG -A INPUT -j DROP
    $PROG -A FORWARD -j REJECT
    echo "Done setting up the firewall! Enjoy :)"
    exit 0
OK, this can take 3 arguments that open ports 80, 443 and 52413. And at the end, some default rules are applied. But here's the thing I don't understand: if I don't give the argument for port 80, I can still view web pages... and also, when I remove the line:
Code:
    $PROG -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
whether I tell it to open port 80 or not, I can't view any web pages.
I am encountering problems configuring my firewall (through iptables) to allow apt-get features like update and install. I have the latest Debian server running in a virtual machine on my Windows XP, and therefore I have two interfaces on this Debian server:
- NAT interface, inet: 10.0.2.15
- Host-only interface, inet: 192.168.56.101
So far my iptables rules drop all packets by default, except ICMP and SSH, which I allow so I can ping and connect from my Windows XP. Both of them use only the host-only interface (192...) to connect to another 192... interface on my Windows.
Those are working fine, but apt is not. I know that at this very moment it shouldn't. But I made a lot of attempts trying to configure iptables to allow connections through ports 80 and 21 from/to NAT and host-only. I think I made all possible combinations (or not, because it didn't work). But I'm wondering if someone more experienced can help me solve this problem.
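An added example, not the poster's rules: a default-deny host ruleset on the Debian guest that still lets apt-get reach a mirror. apt needs more than ports 80 and 21 open: name resolution first (UDP and TCP 53), then HTTP and/or FTP to the mirror, and for FTP the conntrack helper so the data connection is accepted as RELATED. It assumes the NAT interface is eth0 (10.0.2.15, the one with the route to the internet) and the host-only interface is eth1 on 192.168.56.0/24, used only for ssh and ping from the Windows host. Without APPLY=1 it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's ruleset. Default-deny host firewall that lets apt work.
# Assumed: eth0 = VirtualBox NAT interface (internet), eth1 = host-only (management).
IPT=${IPT:-/sbin/iptables}
NAT_IF=${NAT_IF:-eth0}
HOST_IF=${HOST_IF:-eth1}
HOST_NET=${HOST_NET:-192.168.56.0/24}

ipt() { if [ "${APPLY:-0}" = 1 ]; then "$IPT" "$@"; else echo "$IPT $*"; fi; }

# Open one outbound service. Only the first packet (NEW) needs this rule; every later
# packet of the connection, in both directions, is matched by the ESTABLISHED rules.
allow_out() {
    proto=$1; port=$2
    ipt -A OUTPUT -o "$NAT_IF" -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
}

apt_rules() {
    ipt -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # management from the Windows host, host-only interface only
    ipt -A INPUT -i "$HOST_IF" -s "$HOST_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$HOST_IF" -s "$HOST_NET" -p icmp --icmp-type echo-request -j ACCEPT
    # what apt-get needs: DNS, then HTTP and/or FTP to the mirror
    allow_out udp 53
    allow_out tcp 53
    allow_out tcp 80
    allow_out tcp 21
    # log whatever is still refused, so a failing apt run names the missing port in the kernel log
    ipt -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "OUT-DROP: "
    ipt -A INPUT -m limit --limit 10/min -j LOG --log-prefix "IN-DROP: "
    # FTP data connections are only RELATED when the helper is loaded
    if [ "${APPLY:-0}" = 1 ]; then modprobe nf_conntrack_ftp; fi
}

apt_rules
```

If the mirror is reached over HTTP only, `allow_out tcp 21` and the modprobe can be dropped. On kernels from 4.7 on, loading nf_conntrack_ftp is not enough by itself: automatic helper assignment is off by default and the helper has to be attached with a raw-table CT rule (or net.netfilter.nf_conntrack_helper=1).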
I just installed a firewall using iptables. The firewall has 2 NICs:
    NIC1: <IP PUBLIC>
    NIC2: 192.168.10.1
I installed 1 web server, IP: 192.168.10.2. I have some PCs, IP range: 192.168.10.10->20
I set NAT rules on the firewall and the PCs & web server can connect to the internet fine, but I have a problem: when a PC accesses the web server with IP 192.168.10.2 that's OK, but a PC can't access the web server when using the public IP. From the outside internet, I can access the web server using the public IP.
Rules on iptables:
Code:
    # Generated by iptables-save v1.3.5 on Sun Mar 7 21:01:16 2010
    *nat
    :PREROUTING ACCEPT [950:126970]
    :POSTROUTING ACCEPT [89:5880]
    :OUTPUT ACCEPT [19:1342]
    -A PREROUTING -d 209.99.242.124 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
    -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 209.99.242.124
    COMMIT
    *filter
    :INPUT DROP [1599:157409]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [232:34452]
    -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eth1 -o eth0 -j ACCEPT
    -A FORWARD -i eth0 -o eth1 -d 192.168.10.2 -p tcp --dport 80 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth1 -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -o eth1 -j ACCEPT
    COMMIT
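An added example, not the poster's ruleset. With the rules as posted, a LAN PC's packet to 209.99.242.124:80 arrives on eth1, where the PREROUTING DNAT (restricted to -i eth0) does not apply; the public address belongs to the firewall, so the packet goes to INPUT, is accepted by the eth1 rule, and finds nothing listening on port 80. Even with a DNAT it would then be dropped by FORWARD, which only allows eth1 -> eth0 and eth0 -> eth1. The rules below add what "hairpin" (NAT loopback) access needs; the addresses are the ones in the post, and 192.168.10.1 is the firewall's eth1 address from it.

```shell
#!/bin/sh
# Added example, not the poster's ruleset: hairpin (NAT loopback) rules so LAN clients can
# reach the web server through the public address. Addresses are the ones from the post.
IPT=${IPT:-/sbin/iptables}
PUB_IP=209.99.242.124
WAN=eth0
LAN=eth1
LAN_NET=192.168.10.0/24
WEB=192.168.10.2

ipt() { if [ "${APPLY:-0}" = 1 ]; then "$IPT" "$@"; else echo "$IPT $*"; fi; }

hairpin() {
    port=$1
    # 1. The posted DNAT only matches -i eth0. A LAN client's packet to the public IP
    #    comes in on eth1, so it needs its own DNAT; otherwise it is delivered to the
    #    firewall itself (INPUT), where nothing listens on $port.
    ipt -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -d "$PUB_IP" -p tcp --dport "$port" \
        -j DNAT --to-destination "$WEB:$port"
    # 2. FORWARD as posted only allows eth1->eth0 and eth0->eth1; the hairpinned flow is
    #    eth1->eth1 in both directions (the filter table sees the post-DNAT destination).
    ipt -A FORWARD -i "$LAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$LAN" -d "$WEB" -p tcp --dport "$port" -j ACCEPT
    # 3. Without this the web server answers the client directly from 192.168.10.2, but
    #    the client is waiting for an answer from 209.99.242.124 and discards it.
    #    Masquerading the client behind the firewall's LAN address (192.168.10.1, chosen
    #    automatically for -o eth1) makes the reply go back through the firewall, which
    #    un-NATs both addresses before the client sees it.
    ipt -t nat -A POSTROUTING -o "$LAN" -s "$LAN_NET" -d "$WEB" -p tcp --dport "$port" \
        -j MASQUERADE
}

hairpin 80
```

The price of step 3 is that the web server's logs show 192.168.10.1 for every LAN client. The alternative that avoids hairpinning altogether is split DNS: let LAN clients resolve the site's name to 192.168.10.2 directly.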
I had been using Guarddog for iptables but I updated to KDE4 and guarddog does not work with KDE4, neither does Firestarter. Is there a Graphical interface for iptables available that works with KDE4?
CentOS 5
iptables 1.4.1.1
APF 9.7
Webmin 1.4.80
(yes, I can be a GUI noob at times)
I'm currently running a dedicated server that hosts a couple of sites and runs a game server or two. I was using iptables on its own for a while, but recently I'm the target of all sorts of attacks (typically aimed directly at the game server on port 7777: UDP flood attacks, etc.). I'm also seeing a spike in foreign spam, SSH brute-force attempts, and a few people in Turkey thought it would be cute to download files over and over and over. I have decided to start banning entire countries, using the subnets listed here [URL]... I'm trying to block Central and South America (189, 190, 200, 201.x.x.x), China, Ukraine, Turkey, Iran, Spain and Italy. I do this because the majority of the traffic from those areas is usually up to no good.
I installed APF so I could easily add these ranges in deny_hosts.rules and be done with it. I added the ranges, which turned out to be too many, and the system tanked. I decreased the number of ranges to just 4:
    189.0.0.0/8
    190.0.0.0/8
    200.0.0.0/8
    201.0.0.0/8
Restarted APF and it loaded fine. Doing an apf --list and iptables --list shows those 4 ranges as blocked. The only issue... I have people from 190.x and 200.x connecting to the game server and PLAYING. It's as if the firewall isn't there. Also, adding those ranges to /etc/hosts.deny (or whatever) doesn't block them either.
I add one of my own IPs and I get blocked instantly. WTF?? I look at iptables in Webmin, and it shows an empty firewall. I do iptables --list and it shows the ranges I added in APF. I'm looking at building (or whatever it's called) a fresh iptables with the geoip module added in. [URL]...
I've never done anything like this, and I don't want to kill the box. I also don't want to spend the effort if 1) something is wrong with my system to begin with and 2) the geoip module doesn't work. geoip module aside... how exactly should I configure the firewall? Empty iptables completely and then rely on APF for everything? Oh, and here's another tidbit: I tried this 2 years ago and back then anything I put in APF would show when I looked at iptables using the Webmin module. That's no longer the case now. That was also on CentOS 4. I don't know if moving to 5 is what's preventing it now.
In a nutshell, I'm new at this and I'm being inundated with terrible people trying to do terrible things and I'm ready to just give up. Can someone just give me a quick rundown on:
1) how to test that my firewall is actually firewalling
2) how I should configure the/a firewall on this CentOS5. Not too specific, I just want to know if I should empty iptables then load apf, should i not bother with APF (i like it when it works), is there a specific order of doing things?
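A listed deny rule is not proof that it is effective: iptables stops at the first matching rule, so a DROP that sits after (or is jumped to after) an ACCEPT for the game port never sees those players, even though `iptables --list` shows it. An added example, not from the post and not APF's code: a small first-match simulator over an iptables-save dump, which answers "what would INPUT do with a NEW packet from 190.1.2.3 to UDP 7777?" without needing a host in that range. The dump is constructed to resemble the APF layout (denies in their own chain); run the same function against your own `iptables-save` output by setting RULES. It models a NEW packet arriving on a non-loopback interface and understands only -s, -p, --dport, --state, -i lo and -j; any other match in a rule is ignored, i.e. treated as matching.

```shell
#!/bin/sh
# Added example, not the poster's ruleset or APF's. First-match simulator for the INPUT
# chain of an iptables-save dump (NEW packet, non-loopback interface).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:DENY - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 7777 -j ACCEPT
-A INPUT -j DENY
-A INPUT -p tcp --dport 22 -j ACCEPT
-A DENY -s 189.0.0.0/8 -j DROP
-A DENY -s 190.0.0.0/8 -j DROP
-A DENY -s 200.0.0.0/8 -j DROP
-A DENY -s 201.0.0.0/8 -j DROP
COMMIT'
# Constructed dump above; override with RULES="$(iptables-save)" to test a live box.
RULES=${RULES:-$SAMPLE_RULES}

# verdict SRC PROTO DPORT: prints the deciding rule or policy, last line "VERDICT <target>"
verdict() {
    echo "$RULES" | awk -v src="$1" -v proto="$2" -v dport="$3" '
    function ip2n(a,   o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function incidr(ip, cidr,   p, bits, d) {
        split(cidr, p, "/"); bits = (p[2] == "") ? 32 : p[2] + 0
        d = 2 ^ (32 - bits)                       # compare the network parts only
        return int(ip2n(ip) / d) == int(ip2n(p[1]) / d)
    }
    function walk(chain,   i, j, k, r, f, s, pr, dp, tgt, ok, res) {
        for (i = 1; i <= n[chain]; i++) {
            r = rule[chain, i]; k = split(r, f, " ")
            s = ""; pr = ""; dp = ""; tgt = ""; ok = 1
            for (j = 3; j <= k; j++) {
                if      (f[j] == "-s")      s = f[j+1]
                else if (f[j] == "-p")      pr = f[j+1]
                else if (f[j] == "--dport") dp = f[j+1]
                else if (f[j] == "-j")      tgt = f[j+1]
                else if (f[j] == "-i" && f[j+1] == "lo") ok = 0
                else if (f[j] == "--state" && index(f[j+1], "NEW") == 0) ok = 0
            }
            if (!ok || (s != "" && !incidr(src, s)) || (pr != "" && pr != proto) || (dp != "" && dp != dport)) continue
            if (tgt == "ACCEPT" || tgt == "DROP" || tgt == "REJECT") { print chain " rule " i ": " r; return tgt }
            if (tgt == "RETURN") return ""
            if (tgt in policy) { res = walk(tgt); if (res != "") return res }   # user chain
        }
        if (policy[chain] != "-") { print chain " policy " policy[chain]; return policy[chain] }
        return ""                                  # end of a user chain: back to the caller
    }
    /^:/   { policy[substr($1, 2)] = $2 }
    /^-A / { n[$2]++; rule[$2, n[$2]] = $0 }
    END    { print "VERDICT " walk("INPUT") }'
}

if [ $# -eq 3 ]; then
    verdict "$@"
else
    # the symptom from the post: a player from 190.x still reaches UDP 7777, because the
    # ACCEPT for the game port comes before the jump into the deny chain
    verdict 190.1.2.3 udp 7777
    verdict 190.1.2.3 tcp 22
fi
```

Usage on the real box: `RULES="$(iptables-save)" sh verdict.sh 190.1.2.3 udp 7777`. If the answer is ACCEPT from a rule above the deny chain, the fix is ordering (insert the deny jump at position 1 with `-I INPUT 1`, or put the game-port ACCEPT after it), not a new geoip module. Confirm on the live box with `iptables -L INPUT -v -n --line-numbers`: the byte and packet counters on the deny rules stay at zero when they are never reached.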
I am in the process of enabling the Samba client and server on my openSUSE 11.3 32-bit workstation, and have just looked at the firewall rules (via iptables -L) prior to enabling these applications. I have used iptables a lot before, and despite having my network interface defined as being in the External Zone (i.e. the least trusted, and therefore supposedly the most protected), the first rules in iptables are as follows:
In an effort to learn more about firewalls and iptables I have left behind GUI set-up tools and have set up a firewall using iptables that logs to its own file. The firewall is as follows:
Code:
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :TCP - [0:0]
We have a new Business DSL line with 16 public addresses. What we want is to set up a DMZ to run some services and internet for the LAN. Here's a schematic of what we want:
Code:
    Backup Internet        Main Internet
      connection             connection
          |                      |
          |                      |
      SDSL Modem             BDSL Modem
I have a server with 14 IPs on eth0. I'm using virtual interfaces to handle the IPs, but iptables doesn't seem to work on the virtual interfaces. It blocks ports that I want open. I'm not that great with iptables; I use what I have because it works for me, but as far as tweaking it, I'm pretty lost.
My iptables:
Code:
    # Simple Firewall configuration
    #
    # Set default policies --------
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    #
    # Internal Networks -----------
    #-A INPUT -s <private.class.C>/24 -d <private.class.C>/24 -i eth1 -j ACCEPT
    #
    # Loopback --------------------
    -A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
    #
    # Accept established connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #
    # Services --------------------
    #
    # For SSH gateway
    -A INPUT -p tcp -s 0/0 -d 0/0 --dport 22 -m state --state NEW -j ACCEPT
    #
    # For SMTP gateway
    -A INPUT -p tcp -s 0/0 -d 0/0 --dport 25 -m state --state NEW -j ACCEPT
    #
    # For FTP server
    -A INPUT -p tcp -s 0/0 -d 0/0 --dport 20 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -s 0/0 -d 0/0 --dport 21 -m state --state NEW -j ACCEPT
    -A INPUT -p udp -s 0/0 -d 0/0 --dport 53 -m state --state NEW -j ACCEPT
    #
    # HTTP services
    -A INPUT -p tcp -s 0/0 -d 0/0 --dport 80 -m state --state NEW -j ACCEPT
    #
    # HTTPS services
    -A INPUT -p tcp -s 0/0 -d 0/0 --dport 443 -m state --state NEW -j ACCEPT
    #
    # POP-3 services
    #-A INPUT -p tcp -s 0/0 -d 0/0 --dport 110 -m state --state NEW -j ACCEPT
    #
    # IMAP services
    -A INPUT -p tcp -s 0/0 -d 0/0 --dport 143 -m state --state NEW -j ACCEPT
    #
    #PLESK
    #-A INPUT -p tcp -s 0/0 -d 0/0 --dport 8443 -m state --state NEW -j ACCEPT
    #
    #Games
    -A INPUT -p tcp -s 0/0 -d 0/0 --dport 28960 -m state --state NEW -j ACCEPT
    -A INPUT -p udp -s 0/0 -d 0/0 --dport 28960 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -s 0/0 -d 0/0 --dport 27666 -m state --state NEW -j ACCEPT
    -A INPUT -p udp -s 0/0 -d 0/0 --dport 27666 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -s 0/0 -d 0/0 --dport 28961 -m state --state NEW -j ACCEPT
    -A INPUT -p udp -s 0/0 -d 0/0 --dport 28961 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -s 0/0 -d 0/0 --dport 28962 -m state --state NEW -j ACCEPT
    -A INPUT -p udp -s 0/0 -d 0/0 --dport 28962 -m state --state NEW -j ACCEPT
    -A INPUT -p udp -s 0/0 -d 0/0 --dport 27015 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -s 0/0 -d 0/0 --dport 27015 -m state --state NEW -j ACCEPT
    -A INPUT -p udp -s 0/0 -d 0/0 --dport 27016 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -s 0/0 -d 0/0 --dport 27016 -m state --state NEW -j ACCEPT
    -A INPUT -p udp -s 0/0 -d 0/0 --dport 27017 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -s 0/0 -d 0/0 --dport 27017 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -s 0/0 -d 0/0 --dport 27020 -m state --state NEW -j ACCEPT
    -A INPUT -p udp -s 0/0 -d 0/0 --dport 27020 -m state --state NEW -j ACCEPT
    #
    # Disallow fragmented packets
    -A INPUT -f -j DROP
    #
    # Log & Block broadcast packets
    -A INPUT -d 255.255.255.255/0.0.0.255 -j LOG
    -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
    # Log & Block multicast packets
    -A INPUT -d 224.0.0.1 -j LOG
    -A INPUT -d 224.0.0.1 -j DROP
    #
    # Log and drop all other incoming packets
    -A INPUT -j LOG
    -A INPUT -j DROP
    #
    COMMIT
I have an Ubuntu server virtual machine with a web host. I am trying to configure the firewall. I am having a problem with sendmail and the required firewall configuration. If I type the command:
Code:
    iptables -F
then sendmail works perfectly. I can see the emails sent in my Googlemail inbox. I then configure my firewall as follows:
Code:
    iptables -F
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p tcp --dport 2252 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    [Code]....
(I have moved SSH to a different port.) Once this is set up sendmail no longer works. I had assumed that sendmail would establish a TCP connection and the first rule would allow all established connections to pass. Why does this iptables/netfilter config stop sendmail from working?
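An added example, not the poster's configuration. The posted rules show only the INPUT chain, and the part after `[Code]....` is not on the page, so which rule refuses sendmail's traffic cannot be read off it. What a practitioner does in that situation is make the firewall say what it rejects: a rate-limited LOG rule right before the drop in each chain, plus a summariser for the resulting kernel log lines so the refused destination ports stand out (an outgoing SMTP attempt shows up as PROTO=TCP DPT=25 on the OUTPUT side, a DNS lookup as DPT=53). The log lines embedded below are constructed, not captured.

```shell
#!/bin/sh
# Added example, not the poster's configuration: LOG rules before the drop, and a
# summariser for the kernel log lines they produce.
IPT=${IPT:-/sbin/iptables}
ipt() { if [ "${APPLY:-0}" = 1 ]; then "$IPT" "$@"; else echo "$IPT $*"; fi; }

log_rules() {
    # --limit keeps a flood from filling the log; the prefixes make the parser trivial.
    # Append these after the ACCEPT rules and before (or instead of) a final DROP.
    ipt -A INPUT -m limit --limit 10/min -j LOG --log-prefix "IN-DROP: " --log-level 4
    ipt -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "OUT-DROP: " --log-level 4
}

# Reads kernel log lines on stdin (dmesg, /var/log/kern.log, journalctl -k) and prints
# "direction proto dport count" for every logged drop, most frequent first.
drop_summary() {
    awk '
    /(IN|OUT)-DROP: / {
        dir = ($0 ~ /OUT-DROP/) ? "OUT" : "IN"; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        n[dir " " proto " " dpt]++
    }
    END { for (k in n) print k, n[k] }' | sort -k4,4nr -k1,1
}

# Constructed sample: two refused SMTP attempts, one refused DNS query, one inbound probe.
SAMPLE='Mar  7 21:01:16 vm kernel: OUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  7 21:01:16 vm kernel: OUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=51000 DPT=53 LEN=44
Mar  7 21:01:19 vm kernel: OUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  7 21:01:20 vm kernel: IN-DROP: IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:12:35:02:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

log_rules
echo "$SAMPLE" | drop_summary
```

On a live box the second step is `dmesg | sh thisfile.sh`-style piping into `drop_summary` after a failed send. A line like `OUT TCP 25 2` points at an OUTPUT rule (or a DROP policy on OUTPUT) that blocks new outbound connections; an `IN` entry for a high port with SPT=25 would instead mean the conntrack/ESTABLISHED rule is not matching the reply.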
So I know Linux has iptables. I'm rather new to Linux, and I'm wondering: are the stock settings with Ubuntu/Kubuntu safe? Is there anything I need to do to make them more secure? I tried adding rules myself for some things but ended up just not being able to do anything, so I had to reset back to stock with iptables -F. Should I be safe running as-is?
I have managed to get iodine working between my Ubuntu Intrepid box and my Windows client, with a caveat.
The firewall rules allow DNS queries inbound. The client tunnel endpoint gets assigned an IP address and the tunnel is established properly.
However when I try to ping from the client machine, the reply packets are not coming back.
I used tcpdump on the Ubuntu box to watch the dns0 tunnel interface, and noticed that the packets are reaching the Ubuntu box from the client, but I don't see ANY ICMP echo replies until I turn off the firewall from Firestarter.
I recently modified sendmail.cf to use a third party SMTP server to send emails. It works great. But when I run sendmail from the command line, I have to specify the -C flag and force feed it the location of my sendmail.cf, or else it doesn't work.
So in other words, the following works great:
However, if I don't specify the -C flag, sendmail doesn't consider what's in the sendmail.cf and barfs:
I don't run sendmail as a daemon. I'm only using it to send emails. I know my modifications of sendmail.cf are correct because it works perfectly when I use the -C flag. I searched my disk to see if I could find another sendmail.cf on the machine and only the one in /etc/mail came up.
Why is sendmail not reading my sendmail.cf?
I'm running Sendmail version 8.14.2 on Fedora Core 8.
Is this possible: 2 Linux boxes acting as an Internet firewall + filter?
1st PC = CentOS 5.5, functions as a firewall using iptables, with two NICs: ETH0 connected to the internet with a public IP, and ETH1 with IP address 10.0.0.1 connected to the 2nd PC (CentOS 5.5 with squid/dansguardian, IP address 10.0.0.2).
2nd PC = CentOS 5.5, functions as squid + dansguardian internet filtering, with 2 NICs: ETH0 with IP address 10.0.0.2 connected to ETH1 of the 1st PC (10.0.0.1), and ETH1 connected to the LAN (172.16.1.0/24).
Does this make sense? This might be confusing, but I just want to try this, to protect against incoming SSH from our previous sysadmins who intended to enter the LAN 172.16.1.0/24 network, and also to confuse them, since they would have to pass through 10.0.0.1 - 2.
I'd like (if it's possible, of course) to redirect packets originated within a Linux box, and I've been trying to do it through the OUTPUT chain in the nat table:
The policy for the rest is ACCEPT. This redirection didn't work this way. If I do lynx http://192.168.0.74:80 I reach the 192.168.0.74 host, so there is no redirection. Could I achieve what I need with iptables' OUTPUT chain (in the nat table)?
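An added example, not the poster's rule (which is not on the page). A DNAT rule in the nat table's OUTPUT chain does rewrite the destination of locally generated packets, so the answer to the question is yes; the two things a practitioner checks when it "doesn't work" are that nat rules are consulted only for the first packet of a connection (a flow conntrack already knows keeps its old destination until the entry expires), and that the rule's packet counter actually moved. Addresses are assumptions: 192.168.0.74 is the destination lynx asks for, 192.168.0.80 the one it should be sent to. The `conntrack` command comes from conntrack-tools and may not be installed.

```shell
#!/bin/sh
# Added example, not the poster's rule. Redirect locally generated TCP traffic for one
# destination to another host via nat/OUTPUT. Addresses are assumptions.
IPT=${IPT:-/sbin/iptables}
ipt() { if [ "${APPLY:-0}" = 1 ]; then "$IPT" "$@"; else echo "$IPT $*"; fi; }

# Only packets created by processes on this box traverse nat/OUTPUT, so no -o is needed.
# The reply is un-NATed automatically on the way back in.
redirect_local() {
    orig=$1; new=$2; port=$3
    ipt -t nat -A OUTPUT -p tcp -d "$orig" --dport "$port" -j DNAT --to-destination "$new:$port"
}

# nat rules are evaluated for the first packet of a connection only. A flow that conntrack
# already tracks (a lynx session started before the rule existed) keeps its original
# destination until the entry times out; delete it before testing again.
forget_flow() {
    orig=$1; port=$2
    if [ "${APPLY:-0}" = 1 ]; then conntrack -D -p tcp -d "$orig" --dport "$port"
    else echo "conntrack -D -p tcp -d $orig --dport $port"; fi
}

# Packet counters are the quickest check: a rule whose counter stays at 0 never matched
# (wrong protocol, port or address), which is a different problem from DNAT not working.
show_counters() { ipt -t nat -L OUTPUT -v -n; }

redirect_local 192.168.0.74 192.168.0.80 80
forget_flow 192.168.0.74 80
show_counters
```

One more case to rule out before blaming the rule: if the new destination is the box itself (127.0.0.1), the kernel refuses to route it from a non-loopback source unless net.ipv4.conf.all.route_localnet is enabled; the REDIRECT target exists for that case.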
I am booting CentOS 5.4 on a machine. The system hangs at the line "Applying iptables firewall rules". Is there any way to skip starting the iptables service during boot, or to disable it during boot, so the system finally boots?