Koozali.org: home of the SME Server

Where do I top up my box with more PINGs...

RayG

Re: Where do I top up my box with more PINGs...
« Reply #15 on: October 05, 2003, 12:53:19 AM »
Wow.

Looks like masq is severely broken.

The only clue I can pick up is the line about "worm: command not found". Assuming that's part of the comment line, there are some problems with your editing. What did you use to edit the /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowICMPIn file ?

I would recommend you delete /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowICMPIn and rebuild/restart masq. If that doesn't get you back to a working configuration then you probably broke something trying to extract that library. If you did break masq, you can probably recover by reinstalling /e-smith/RPMS/iptables-1.2.5-3.i386.rpm from the e-smith install CD and e-smith-ipmasq-1.8.2-01.noarch.rpm from the Update 5 release.

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #16 on: October 05, 2003, 01:02:59 AM »
mmmm;~/

Your instructions wrote *--proto icmp*. Is that OK, should it have been *--protocol icmp*? Perhaps that might explain part of the warning.

I edited with pico, viewed with mc, and worked with putty.

I extracted the library from a site derived from Google...
http://www.wesmo.com/redhat/i386/
...and using rpm2cpio as I have been unable to work out how to do this *simple* browse/copy procedure in mc, presumably I am too much of a dolt.

My box is on SME5.6u4... I never did go to u5.

I am beginning to wish I'd not started on this trek. It would be far simpler to simply ignore everything that ACID/Snort displayed - for all the good this is doing me.

best wishes, Robert

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #17 on: October 05, 2003, 01:34:19 AM »
I've been around once again, this time I left out your comment line stuff. The following was reported...

[root@nas600 masq]#  /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
[root@nas600 masq]#  service masq restart

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: /etc/init.d/masq: --jump: command not found
/etc/init.d/masq: DROP: command not found
done
[root@nas600 masq]#

I am still using the . Earlier I ran everything but had forgotten to copy over that file to its required working area and there were initial errors. These errors disappeared after putting the library file in its proper place, so I would hazard a guess that that file 'apparently' works.

Yes, masq is quite probably up the pole. I have attempted to utilise a number of procedures that I have found - both on this forum and on the internet. Not a single one of them has made an iota of a difference to main target , indeed most of them have had an immediate detrimental effect. I think this accumulation of programming detritus is likely to be bad news, probably worse than looking at myriads of asinine worm-driven ICMP echo requests and responses.

Looks like I'm going to be better off finding the filler cap for the PING tank and topping the box up with a few more litres of PING responses and leaving things at that.

I will follow your suggested recovery procedure now.

best wishes, Robert

Robert Harlow

Re: Where do I top up my box with more PINGs...
« Reply #18 on: October 05, 2003, 02:45:17 AM »
Updated the iptables and masq rpms from my archives using --force.
(that masq version of yours was in Update 4 so I went with it)
Have normalised the Snort rules file entry.
I assume that I am (safely) back to square 1 now.

Still can't single file extract from rpms using mc either directly on the server's keyboard or via my usual workstation and putty. Baffling.

best wishes, Robert

RayG

Re: Where do I top up my box with more PINGs...
« Reply #19 on: October 05, 2003, 05:33:49 AM »
I'm glad to hear you got your box back in working order.

Putty and Midnight Commander are a great combination. You can navigate with the up/down arrow keys and make selections with the enter key. The tab key switches between active panels. You can also use the mouse but I'm told that doesn't always work as expected.

The facility in MC that lets you work with rpm's is called "Virtual File System" or VFS. There's decent help built into Midnight Commander.

Get into MC and navigate to the rpm you want to extract a file out of in the left panel. In this case it will be iptables-1.2.5-2.i386.rpm. Hit the enter key over the rpm and MC will "open" the rpm and show you the directory structure inside. Navigate down to the /lib directory and hit enter. From there, select the /iptables directory and hit enter again. In the /iptables directory, navigate down to libipt_length.so. Use the tab key to switch to the right panel and navigate to the location you want the extracted file placed. Hit the tab key again to get back to the left panel. Make sure libipt_length.so is still selected and hit the F5 key. This will open the copy dialog. Select OK and the file will be copied to the destination you selected in the right panel.

Charlie Brady

Re: Where do I top up my box with more PINGs...
« Reply #20 on: October 05, 2003, 07:10:18 AM »
Robert Harlow wrote:

> Still can't single file extract from rpms using mc either
> directly on the server's keyboard or via my usual workstation
> and putty. Baffling.

It's very unlikely to be wise for you to be trying to extract a single file from an RPM. I wouldn't do it, if I were you.

If you really need ipt_length.so, just install latest RH 7.3 iptables update RPM.

Charlie

Charlie Brady

Recommended updates really are recommended updates (Re: Wher
« Reply #21 on: October 05, 2003, 07:20:11 AM »
Robert Harlow wrote:

> My box is on SME5.6u4... I never did go to u5.

That's unlikely to be wise either (but not as unwise as still using 5.5 or earlier).

Worrying about Intrusion Detection Systems while not applying necessary updates just doesn't make any sense at all.

Charlie

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #22 on: October 05, 2003, 03:48:02 PM »
Ray

Yes, well I hope the box is back in working order:-) Now I have virgin iptables and masq I will attempt to put into play what you suggested. Will advise results presently.

Ref: mc being able to extract single files from rpms (apparently)...
What you said is exactly what I have been doing. And, yes, I have viewed the extensive help albeit in its tiny onscreen box. The bit where you press ENTER, while the rpm is highlighted, is where it goes awry. Also I have tried using the CR key and the ENTER key. Pressing enter does NOT reveal a pseudo filing directory (!whatever that might be). I get a blink of the screen but not a lot else. When I exit mc I see that mc had attempted to invoke the rpm - judging by the error message. This occurs using mc via w2k/putty and also via the server's own keyboard. I don't remember seeing anything to do with VFS ever working hereabouts.

best wishes, Robert

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #23 on: October 05, 2003, 03:52:13 PM »
Charlie

Noted. I don't normally attempt this sort of thing (single files out of rpms). Getting desperate I think;~/ I'd like SOMETHING that's added on to work - preferably flawlessly - and am always prepared to work at it!

Will find and download your suggestion, I am somewhat averse to picking up files from the great unwashed internet - much rather do it from recognised sources.

best wishes, Robert

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #24 on: October 05, 2003, 03:57:54 PM »
Charlie

I updated my box from SME 5.5 a long time ago. My box is sitting at SME 5.6 update 4 at the moment. I thought update 5 was just for some VPN stuff and, as I don't possess a portable or need to call home from the field, I passed on update 5.

Just as soon as Mitel badge SME6.0 as *unsupported* I will almost certainly update. If I have the energy I will try to burn my existing wacky iteration of SME5.6 and rebuild SME6.0 from scratch.

best wishes, Robert

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #25 on: October 05, 2003, 05:52:21 PM »
Ray

As you know I now have virgin iptables and masq.
This time I took the libipt_length.so file out of RH9's iptables, itself from RedHat's site, and then copied it to /lib/iptables/ (using rpm2cpio as my mc does not appear to be playing the ball and allowing me to extract single files from rpms).
Copied the fragment, pico'd in your single line, saved out.
Expanded masq and restarted masq.
Usual/same error stuff transpired...
------------
[root@nas600 rpms]#  /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
[root@nas600 rpms]#  service masq restart

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: iptables v1.2.5: Unknown arg `--icmp-type'
Try `iptables -h' or 'iptables --help' for more information.
/etc/init.d/masq: echo-request: command not found
/etc/init.d/masq: DROP: command not found
done
[root@nas600 rpms]# mc
------------

Any ideas?

best wishes, Robert

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #26 on: October 05, 2003, 06:00:36 PM »
Ray

Just in case... the contents of my pico-edited fragment 40AllowICMPIn.


-----------
{
    use esmith::NetworksDB;

    # We want to be very selective on the ICMPs we accept to stop
    # route hijacking

    my @OKicmpTypes = (
      qw(
          echo-request
          echo-reply
          destination-unreachable
          source-quench
          time-exceeded
          parameter-problem
      ) );

    my $stealth = $masq{Stealth} || 'no';
    if ($stealth eq 'yes')
    {
        $OUT .= <<HERE;
    /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --in-interface \$OUTERIF --jump denylog
HERE
    }
    $OUT .= "\n /sbin/iptables --append icmpIn --proto icmp --icmp-type
echo-request --in-interface \$OUTERIF -m length --length 92 --jump
DROP\n\n";
    foreach my $icmpType (@OKicmpTypes)
    {
        $OUT .= <<HERE;
    /sbin/iptables --append icmpIn --proto icmp --icmp-type $icmpType --jump ACCEPT
HERE
    }
}
-----------

Anything you need to clear this up?

best wishes, Robert

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #27 on: October 05, 2003, 06:09:29 PM »
Think I see a problem... it looks like there is an embedded CR/LF in that inserted line inherited from the copy/paste. Stand by while I rerun and make sure.

best wishes, Robert

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #28 on: October 05, 2003, 06:14:07 PM »
Yes, there is/was an unwanted CR/LF in the inserted copy/paste;~/
At least I get a new error this time around...

-----------
[root@nas600 root]#  /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
[root@nas600 root]#  service masq restart

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: iptables: match `length' v1.2.7a (I'm v1.2.5).
/etc/init.d/masq: DROP: command not found
done
[root@nas600 root]#
-----------

....which you just about promised me I'd get if I used a too modern version of the libipt_length.so file. Stand by while I track down an older version and rpm2cpio the time (I'm getting used to this now!).

best wishes, Robert

Robert Harlow

Re: Recommended updates really are recommended updates (Re:
« Reply #29 on: October 05, 2003, 06:53:52 PM »
Cured the match length error by having to use the libipt_length.so file derived from a file iptables-1.2.5-2.i386.rpm pulled from the great unwashed as the RedHat site does not list it as being available in their search box.

FINALLY got the edit completed, proof follows!...
-----------------------
[root@nas600 masq]#  /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
[root@nas600 masq]#  service masq restart

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: done
[root@nas600 masq]#
-----------------------

Something was inserting a wrapping CR/LF. Not sure what, but I think it was pico as I seemed to have to persuade it to show the whole line in one without screen-wrapping.
 
Have edited snort's icmp.rules config file as you instructed and restarted snort. Now monitoring the command line queries of and . Will append results in due course:-)

Phew... THIS ONE MIGHT WORK! Amazing - thanks Ray:-))

best wishes, Robert
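An added check for the wrap Robert tracked down in Replies #26 to #29 (this is not code from the thread or from SME Server): it scans the shell script that expand-template writes from the 40AllowICMPIn fragment for iptables commands an editor has broken across lines, reports the leftover words the shell would try to run as commands, and rejoins them. The sample script is constructed to match the expanded fragment posted in Reply #26, wrapped line included.

```python
# Added example (not from the thread or SME Server): lint the script that
# expand-template writes from 40AllowICMPIn for an editor-wrapped iptables line.

# iptables options that must be followed by an argument on the same line.
OPTS_NEEDING_ARG = {
    "--append", "-A", "--proto", "--protocol", "-p", "--icmp-type",
    "--in-interface", "-i", "--jump", "-j", "--match", "-m", "--length",
}

# Constructed sample of the expanded fragment, including the wrapped rule.
WRAPPED_SCRIPT = """\
    /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --in-interface $OUTERIF --jump denylog

 /sbin/iptables --append icmpIn --proto icmp --icmp-type
echo-request --in-interface $OUTERIF -m length --length 92 --jump
DROP

    /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-reply --jump ACCEPT
"""

def find_wrapped_iptables(script_text):
    """Return [(line_no, message)] for iptables commands split across lines."""
    problems = []
    expecting_arg = False  # previous line ended in an option that needs an argument
    for no, line in enumerate(script_text.splitlines(), start=1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            expecting_arg = False
            continue
        if expecting_arg:  # the shell would run this leftover as its own command
            problems.append((no, f"'{tokens[0]}' would run as its own command (rest of a wrapped iptables line)"))
        elif not tokens[0].endswith("iptables"):
            continue  # some other shell statement, nothing to check
        expecting_arg = tokens[-1] in OPTS_NEEDING_ARG
        if expecting_arg:
            problems.append((no, f"line ends with {tokens[-1]} but its argument is missing"))
    return problems

def rejoin_wrapped(script_text):
    """Join each wrapped continuation back onto its iptables line (the fix)."""
    fixed, pending = [], False
    for line in script_text.splitlines():
        tokens = line.split()
        if pending and tokens:
            fixed[-1] = fixed[-1].rstrip() + " " + line.strip()
        else:
            fixed.append(line)
        pending = bool(tokens) and tokens[-1] in OPTS_NEEDING_ARG and fixed[-1].split()[0].endswith("iptables")
    return "\n".join(fixed) + "\n"
```

Run find_wrapped_iptables() over the output of /sbin/e-smith/expand-template before restarting masq; on the sample it reports lines 3 to 5, and reports nothing once rejoin_wrapped() has put the rule back on one line.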