Newbie DNS/Firewall Troubles 1

[MattWray]

I am in the process of setting up a RedHat web server. My problems are stemming from the ipchains firewall. I tried to use the default setup and remove and change rules, but to no avail. So, i used the firewall-config and added the ports I need, 80 and 53, and allowed icmp. But when i add to the last 2 lines to deny anything that does not match the above rules, I lose my name resolution. I thought DNS was only on port 53, but I have that open and it still happens. I was able to manually enter 2 slightly different rules that were what I wanted to accomplish, but they did not save. I apparently don't know how to save correctly to ipchains. Help me please... Matt Wray
CCNA, MCP

 

[wolf2x]

Name resolution works when the firewall is NOT in the picture?


Hmm....make sure you allow DNS on port 53 for both TCP and UDP.

Also, below is a cut and paste from the IPCHAINS how-to. It describes how to make the "rules permanent".

"Making Rules Permanent
Your current firewall setup is stored in the kernel, and thus will be lost on reboot. I recommend using the `ipchains-save' and `ipchains-restore' scripts to make your rules permanent. To do this, set up your rules, then run (as root):


# ipchains-save > /etc/ipchains.rules
#

Create a script like the following:


#! /bin/sh
# Script to control packet filtering.

# If no rules, do nothing.
[ -f /etc/ipchains.rules ] || exit 0

case "$1" in
start)
echo -n "Turning on packet filtering:"
/sbin/ipchains-restore < /etc/ipchains.rules || exit 1
echo 1 > /proc/sys/net/ipv4/ip_forward
echo &quot;.&quot;
;;
stop)
echo -n &quot;Turning off packet filtering:&quot;
echo 0 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -F
/sbin/ipchains -X
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward ACCEPT
echo &quot;.&quot;
;;
*)
echo &quot;Usage: /etc/init.d/packetfilter {start|stop}&quot;
exit 1
;;
esac

exit 0

Make sure this is run early in the bootup procedure. In my case (Debian 2.1), I make a symbolic link called `S39packetfilter' in the `/etc/rcS.d' directory (this will be run before S40network).&quot;


I hope this gets you going in the right direction.

 

[MattWray]

Thanks for the info on how to save. I am still having trouble with the firewall issue. I have open ports 53 and 80, but when I deny all others, I lose name resolution on the local machine and the internal machines are no longer able to connect to the web page. This machine is not on the internet yet. Matt Wray
CCNA, MCP

 

[LinuXelite]

Hi

Try that:

(make sure you ping localhost - resolv 127.0.0.1)
/etc/host

ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo
ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo
/sbin/ipchains-save > /etc/sysconfig/ipchains.rules
/sbin/ipchains-restore < /etc/sysconfig/ipchains.rules


Good luck
Francois

 

[chiph]

LinuXelite -

Will the Lokkit (shipped with recent RedHat versions, plus maybe others) make it's changes to the ipchains config permanent?

Thanks.
Chip H.

 

[Norwich]

Hi, make sure your rules are set to log any infringment and have a look in the logs to see what's happening.

If the type of ruleset is block everything then open up particular ports, use something that includes at the start:

# Remove all existing rules belonging to this filter
ipchains -F

# Set the default policy of the filter to deny.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY


Then your filtering rules which allow access to ports, then at the end set logging to record anything that has fallen through to the bottom of the chain list...






#---------------------------------------------
# Enable logging for selected denied packets

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp --destination-port $PRIVPORTS -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp --destination-port $UNPRIVPORTS -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type 0:255 -j DENY -l
ipchains -A ouput -i $EXTERNAL_INTERFACE -p icmp --destination-port 0:255 -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -j REJECT -l





Depending on how your messaging is set up, these errors will appear at the end of /var/log/messages (see syslog.conf to see where things are being logged).


As a cheat and a good learning tool, see:

http://www.linux-firewall-tools.com/linux

The firewall design tool will use an online questionnaire to design an ipchains script for you. It's very complete and complex but it's a good learning tool if you use it for nothing else.

 

[Horus]

To make rules permanent, just type:

/etc/init.d/ipchains save

 

[fluffybunny]

I just went thru hell with the same problem but with SSH not working on RH7.3 with ipchains running.

Found out that the append command does not work. Use insert instead, and do supply the port number with udp and tcp.

BTW, doesn't RH7.3 automatically open the ports for BIND nameservers when configuring ipchains ? Mine does.

Cheers,
Saran <back to finding out why my sendmail is not working .... Arrrhggggghgghghghghg>

 

[marsd]

Your clients need tcp/udp high ports 1024-5500 and
30000-65000. Open these in your input/forward chains.
If you need examples write back.

 

[MattWray]

I created a set of rules with this tool,

http://www.linux-firewall-tools.com/linux,

but am unsure what to do with it. I have it saved in my home. Do I need to copy it or how do I go about applying it? Matt Wray
CCNA, MCP

 

[Norwich]

To test it, just run it as a shell script. eg:

bash /path/to/script

If it works OK, set it up to be run automatically. Some systems are installed to run one automatically, check your system documentation. However, Wolf2x's first post will do - the script created is like the script created by the ipchains-save script.