Koozali.org: home of the SME Server

iptables

bhairav

iptables
« on: January 23, 2004, 05:18:37 AM »
Is there any web-based interface for firewall rules for SME Server 5.6, which uses iptables?
Thanks for the help in advance.

Anonymous

iptables
« Reply #1 on: January 23, 2004, 11:50:05 AM »
Yes, take a look at: http://no.longer.valid/mylinks/viewcat.php?op=&cid=123 and e-smith-masq-manager.

But I am still developing it.
Actually, I have just implemented ICMP and anti-spoofing rules.

There is a HowTo in HowTo section.

Muzo

iptables
« Reply #2 on: January 23, 2004, 11:51:36 AM »
Doh! I forgot to log in :roll:

But I have a request:
Has anybody made (built?) iptables with mod_string for SME 5.6 or 6.0?

bhairav

re
« Reply #3 on: January 24, 2004, 06:43:59 AM »
Thanks, the RPM does the job, but what modification do I have to make in
/etc/e-smith/web/functions/firewall if I want to put the source as well as the destination address in a rule? And also, can I combine the e-smith-portforwarding RPM with this one?
Thanks

Muzo

iptables
« Reply #4 on: January 26, 2004, 10:01:39 AM »
What do you mean?

You want to merge in a simple RPM, portforwarding contrib and masq-manager?

(I hope I understand your idea.)
Portforwarding and masq-manager contribs are based on e-smith-packetfilter-1.13.0-04.noarch.rpm, so you can use both. That's why I said in the readme file that I didn't add a portforwarding panel, because that job is already done.

In conclusion, e-smith-masq-manager-0.*-*.noarch.rpm and e-smith-portforwarding-0.*.0-*.noarch.rpm work fine together.

Have I answered correctly?

bhairav

iptables
« Reply #5 on: January 27, 2004, 07:58:34 AM »
I have just tried to mix both of them. I have installed both and redirected your link for port rules to port-forward, port-open and deny port, and it works, but I have some problems that I will solve soon. Thanks for the help.

Muzo

iptables
« Reply #6 on: January 27, 2004, 09:31:47 AM »
You're welcome

bhairav

Re:iptables
« Reply #7 on: January 28, 2004, 06:50:30 AM »
I cannot see the filter string rule link in the server-manager panel of e-smith-masq-manager. Is it a bug or a problem on my computer? If it's a bug, can you tell me how to solve this? I have edited /usr/lib/perl5/site_perl/esmith/Formmagick/Panels/firewall.pm and added a link at line 104, but it does not display the filter string rule page. Why???

Muzo

iptables
« Reply #8 on: January 28, 2004, 08:10:04 AM »
It's because mod_string isn't compiled on SME (5.6 and 6.0), and you can't use it, so I removed it.
But all the functions exist; they are just disabled in the firewall panel. But I think (in the early morning it's hard to think) I removed everything about strings in the panel. I must take a look at my own "still in development" manager.

Have you rebuilt netfilter/iptables with mod_string for SME? If yes, I'm very interested  :-D

bhairav

Re
« Reply #9 on: January 28, 2004, 09:04:46 AM »
I can do the compilation for you, but tell me whether I have to compile iptables on SME 5.6 or 6.0, or compile it on Red Hat Linux 7.3. If on Linux, what are the SME packages I have to install on Linux?

Muzo

iptables
« Reply #10 on: January 28, 2004, 09:22:01 AM »
Quote from: "bhairav"
I can do the compilation for you, but tell me whether I have to compile iptables on SME 5.6 or 6.0, or compile it on Red Hat Linux 7.3. If on Linux, what are the SME packages I have to install on Linux?


Like you, I use SME 5.6, but I have no idea about compiling iptables.  :-(

bhairav

Re
« Reply #11 on: January 28, 2004, 09:30:25 AM »
I have compiled many things on my SME 5.6. I can compile iptables-1.2.5-3 on my SME 5.6 box, so will it be usable for you? If yes, then I will compile it and hand it over to you.

Muzo

iptables
« Reply #12 on: January 28, 2004, 10:02:07 AM »
Oh yes!! It will be very usable for me and for many SME users, I think.

Thanks a lot.

So I must update my firewall manager  :hammer:

Muzo

iptables
« Reply #13 on: January 28, 2004, 10:07:46 AM »
I found an old source of my manager.
I think the String panel is enabled there.
Take a look: source

bhairav

Re
« Reply #14 on: January 28, 2004, 10:19:18 AM »
OK, I have found that and it is working. Thanks for that, you have helped me a lot. Thanks once again.

Muzo

iptables
« Reply #15 on: January 28, 2004, 10:32:26 AM »
OK.
And what about the compiled iptables with mod_string?
Send me a PM to tell me what to do.

bhairav

Re
« Reply #16 on: January 28, 2004, 10:42:39 AM »
Hi, I am unable to send a PM to you; it says PM is disabled on this board. So can we talk on Yahoo Messenger? Give me your ID.

Muzo

iptables
« Reply #17 on: January 28, 2004, 10:52:17 AM »
:cry: I have no Yahoo Messenger. And if I had one, I couldn't use it at work.

Mail received.  ;-)

kingnugian

iptables
« Reply #18 on: February 05, 2004, 06:36:23 AM »
Is this masq-manager confirmed working 100% with 6.0??

If so, are there any differences in getting it working compared to 5.6??

Muzo

iptables
« Reply #19 on: February 05, 2004, 09:42:36 AM »
Nobody has told me that masq-manager doesn't work with 6.0.

mbachmann

iptables
« Reply #20 on: February 05, 2004, 10:21:10 AM »
I have a 6.0 box here and would give the masq manager a try. Installed are:

e-smith-portforwarding-0.2.0-02
e-smith-packetfilter-1.14.0-02
iptables-1.2.5-3

But since the versions differ, I am afraid of messing things up.

Muzo

iptables
« Reply #21 on: February 05, 2004, 10:29:50 AM »
Quote from: "mbachmann"
I have a 6.0 box here and would give the masq manager a try. Installed are:

e-smith-portforwarding-0.2.0-02
e-smith-packetfilter-1.14.0-02
iptables-1.2.5-3

But since the versions differ, I am afraid of messing things up.


Mmmh, I must have a look at the new e-smith-packetfilter.
Where did you find it?

Anyway, masq-manager modifies e-smith-packetfilter templates; these are:
- 40AllowICMPIn
- 40AllowICMPOut
- and I added a new one for AntiSpoofing (I can't remember its name and number).

Can you take a look at these templates to validate 6.0 compatibility, please? Thanks a lot. :pint:

Anonymous

iptables
« Reply #22 on: February 05, 2004, 04:47:30 PM »
packetfilter/portforwarding:
 ftp://public.planetmirror.com/pub/e-smith/dev/6.0dev/updates/6.0beta3/RPMS/

My skills in checking the packetfilter templates are quite limited. I issued rpm -ivh --test for your masqmgr, which went o.k., then tried the install, o.k. The masqmgr appears under "Unknown - firewall" in the server manager. This happened to a few contribs and only got fixed with post upgrade. No errors yet, everything looks good. Created some rules and will watch it for some days.

If you wouldn't mind telling me how exactly to verify 6.0 compatibility, I'll do it.

Congrats on your great contrib.

mbachmann

iptables
« Reply #23 on: February 05, 2004, 04:53:30 PM »
Above was me. The disconnection time is too low. It should be an hour, or configurable.

Muzo

iptables
« Reply #24 on: February 05, 2004, 05:25:43 PM »
Thanks,

To see if anti-spoofing is enabled, try this command line:
iptables nat -L -n

Now, to validate compatibility, we must compare the templates. But I can't remember the file paths.

I'll post all the file paths tonight.

Thanks again, mbachmann.

Muzo

iptables
« Reply #25 on: February 05, 2004, 11:04:33 PM »
So go to the directory:
/etc/e-smith/templates/etc/rc.d/init.d/masq

That's where all the masq templates are.
Two templates interest us:
First one: 40AllowIcmp; the icmpIn chain must be created.
This is the e-smith-packetfilter-1.13.0-04.noarch.rpm code:

```perl
    /sbin/iptables --new-chain icmpIn
    /sbin/iptables --append INPUT --protocol icmp --jump icmpIn
{
    use esmith::NetworksDB;

    # We want to be very selective on the ICMPs we accept to stop
    # route hijacking

    my @OKicmpTypes = (
        qw(
            echo-request
            echo-reply
            destination-unreachable
            source-quench
            time-exceeded
            parameter-problem
        )
    );

    # Stealth mode: echo-request arriving on the external interface is sent
    # to the denylog chain. This rule is appended before the ACCEPT rules
    # below, so it takes precedence for pings coming from $OUTERIF.
    my $stealth = $masq{Stealth} || 'no';
    if ($stealth eq 'yes')
    {
        $OUT .= <<HERE;
    /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --in-interface \$OUTERIF --jump denylog
HERE
    }

    foreach my $icmpType (@OKicmpTypes)
    {
        $OUT .= <<HERE;
    /sbin/iptables --append icmpIn --proto icmp --icmp-type $icmpType --jump ACCEPT
HERE
    }
}
```


Second one: 40AllowICMPOut; the icmpOut chain must be created. This is the e-smith-packetfilter-1.13.0-04.noarch.rpm code:
```perl
    /sbin/iptables --new-chain icmpOut
    /sbin/iptables --append OUTPUT --protocol icmp --jump icmpOut
{
    # We want to be very selective on the ICMPs we accept to stop
    # route hijacking

    foreach my $icmpType (
        qw(
            echo-request
            echo-reply
            destination-unreachable
            source-quench
            time-exceeded
            parameter-problem
        )
    )
    {
        $OUT .= <<HERE;
    /sbin/iptables --append icmpOut --proto icmp --icmp-type $icmpType --jump ACCEPT
HERE
    }
}
```



Most important is that the 2 chains (icmpIn and icmpOut) must be created; if they are not, tell me their new names (if they have new ones, of course).

And there should be no problem for anti-spoofing, because it's a new template.

mbachmann

iptables
« Reply #26 on: February 06, 2004, 02:03:03 PM »
Muzo, I'm away for two days and will report back on 09.02.04.

I have created an anti-spoofing rule, but with iptables nat -L -n "my" iptables does not understand the nat option: Bad argument nat'

I had already looked at 40AllowIcmp... on my server but was unable to compare "my" rules to those in your masq RPM.

Thx so far

Muzo

iptables
« Reply #27 on: February 06, 2004, 02:20:46 PM »
Quote from: "mbachmann"
I have created an anti-spoofing rule, but with iptables nat -L -n "my" iptables does not understand the nat option: Bad argument nat'


Doh! I wrote something wrong! I'll check "man iptables" to correct this  ;-)

bhairav

Re:iptables
« Reply #28 on: February 07, 2004, 07:19:06 AM »
I think you should use
iptables -t nat -L -n

treco

iptables
« Reply #29 on: February 08, 2004, 04:10:04 PM »
:roll:
Hi all, maybe I'm in the wrong place in this forum, but by searching it I've read this part of it, and sorry to interfere with it, but I'm trying to install some sort of IP upload/download traffic monitor on version 6.0 of SME Server as server and gateway, and I don't get how to put any of them to work. Any hints or help?!

Thanks, and sorry for the interference  :cry:

mbachmann

iptables
« Reply #30 on: February 09, 2004, 08:31:32 AM »
treco, you should use mrtg and/or sysmon. Have a look here: http://sme.swerts-knudsen.dk/.

mbachmann

iptables
« Reply #31 on: February 09, 2004, 10:27:51 AM »
O.K., after the post-upgrade reboot I see "Administration - Firewall Management".

In /etc/e-smith/templates-custom/etc/rc.d/init.d/masq I've found the 40AllowIcmp, 40AllowICMPOut and 70Anti-Spoofing templates.

iptables shows, after setting icmp redirect: reject, the correct values.

So I guess it's gone all right.

Please excuse the silly questions (like the one about iptables -t nat -L -n). I still don't feel experienced enough for the experienced user forum. But I'm trying hard.

Muzo

iptables
« Reply #32 on: February 09, 2004, 11:03:02 AM »
Thanks for your testing, so now I'm sure masq-manager is SME 6.0 compliant!

There are no silly questions, only silly responses  :idea:. If there is a question, then something isn't explained clearly.

I am preparing a new RPM, where you can see the complete iptables configuration in a panel.
Instead of just seeing the result of the command line iptables -L, the panel will show the result of: iptables -L AND iptables -t nat -L AND iptables -t mangle -L.

If you don't feel experienced enough, you're on the right way. I'm still a Linux newbie  8-)

mbachmann

iptables
« Reply #33 on: February 09, 2004, 05:19:50 PM »
Go Muzo, go.

However, the masq mgr seems to interfere with mrtg monitoring in some way I have not found out. But it may also be pure coincidence.

Does blocking ICMP redirects (and only redirects, nothing else) prevent SNMP strings from being caught? I thought not.

Muzo

iptables
« Reply #34 on: February 09, 2004, 11:52:51 PM »
Hum... I don't know.
It's possible. On my manager I just drop echo-reply and echo-request (my server no longer responds to ping) on ICMP input (from the Internet to my SME).
You can read this about ICMP types on the man page:

```
Valid ICMP Types:
 echo-reply (pong)
3 : destination-unreachable
         network-unreachable
         host-unreachable
         protocol-unreachable
         port-unreachable
         fragmentation-needed
         source-route-failed
         network-unknown
         host-unknown
         network-prohibited
         host-prohibited
         TOS-network-unreachable
         TOS-host-unreachable
         communication-prohibited
         host-precedence-violation
         precedence-cutoff
4 : source-quench
5 : redirect
         network-redirect
         host-redirect
         TOS-network-redirect
         TOS-host-redirect
8 : echo-request (ping)
router-advertisement
router-solicitation
11 : time-exceeded (ttl-exceeded)
         ttl-zero-during-transit
         ttl-zero-during-reassembly
parameter-problem
         ip-header-bad
         required-option-missing
13 : timestamp-request
14 : timestamp-reply
address-mask-request
address-mask-reply
```
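A check for the two points made in Reply #25 (the icmpIn/icmpOut chains must exist and accept the six listed types) and Reply #34 (echo-request from the Internet is dropped before it can be accepted), written as an added example and not code from the thread or from e-smith-masq-manager. It parses a constructed iptables-save dump, not a capture from a real SME box; the dump's layout, eth1 as the outer interface, and the denylog target are assumptions mirroring the templates quoted above.

```sh
#!/bin/sh
# Added example (not from the thread or from e-smith-masq-manager). It checks
# an "iptables-save" dump for the chains the masq templates must create.
# SAMPLE_DUMP is constructed to mimic 40AllowIcmp/40AllowICMPOut rendered with
# Stealth=yes and OUTERIF=eth1; it is not a capture from a real SME box.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:icmpIn - [0:0]
:icmpOut - [0:0]
:denylog - [0:0]
-A INPUT -p icmp -j icmpIn
-A OUTPUT -p icmp -j icmpOut
-A icmpIn -i eth1 -p icmp -m icmp --icmp-type 8 -j denylog
-A icmpIn -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmpIn -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmpIn -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmpIn -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A icmpIn -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmpIn -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A icmpOut -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmpOut -p icmp -m icmp --icmp-type 0 -j ACCEPT
COMMIT'

# chain_exists DUMP CHAIN: true if CHAIN is declared in the dump.
chain_exists() {
    printf '%s\n' "$1" | grep -q "^:$2 "
}

# accepted_icmp_types DUMP CHAIN: sorted, space-separated numeric ICMP types
# that CHAIN accepts (iptables-save writes --icmp-type as a number).
accepted_icmp_types() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "-A" && $2 == c && $NF == "ACCEPT" {
            for (i = 1; i < NF; i++) if ($i == "--icmp-type") print $(i + 1)
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# echo_request_target DUMP IFACE: target of the first icmpIn rule that matches
# echo-request (type 8) arriving on IFACE. First match wins in iptables, so
# "denylog" here means the stealth rule is correctly ahead of the ACCEPT.
echo_request_target() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == "-A" && $2 == "icmpIn" && / --icmp-type 8 / {
            hit = 1
            for (i = 1; i < NF; i++) if ($i == "-i" && $(i + 1) != ifc) hit = 0
            if (hit) { print $NF; exit }
        }'
}
```

On a live box the same functions can be fed `"$(iptables-save)"` instead of SAMPLE_DUMP; a chain that is missing or renamed is exactly the incompatibility Reply #25 asks to be reported.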

mbachmann

iptables
« Reply #35 on: February 19, 2004, 02:00:43 PM »
I've found out that SNMP uses UDP packets.