Hi,
I am setting up a firewall on CENTOS 4.4.
I have done default block
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
I have enabled ICMP to www.google.com
iptables -A OUTPUT -p icmp -d 64.233.189.104 -j ACCEPT
iptables -A INPUT -p icmp -s 64.233.189.104 -j ACCEPT
Ping works fine as below:
[root@firebox rc.d]# ping 64.233.189.104
PING 64.233.189.104 (64.233.189.104) 56(84) bytes of data.
64 bytes from 64.233.189.104: icmp_seq=0 ttl=246 time=91.7 ms
64 bytes from 64.233.189.104: icmp_seq=1 ttl=246 time=92.6 ms
64 bytes from 64.233.189.104: icmp_seq=2 ttl=246 time=93.2 ms
64 bytes from 64.233.189.104: icmp_seq=3 ttl=246 time=92.8 ms
64 bytes from 64.233.189.104: icmp_seq=4 ttl=246 time=91.4 ms
64 bytes from 64.233.189.104: icmp_seq=5 ttl=246 time=93.1 ms
But I still cannot traceroute to that IP.
Pls see below what happens when I try traceroute:
[root@firebox rc.d]# traceroute 64.233.189.104
traceroute to 64.233.189.104 (64.233.189.104), 30 hops max, 38 byte packets
traceroute: sendto: Operation not permitted
 1 traceroute: wrote 64.233.189.104 38 chars, ret=-1
 *traceroute: sendto: Operation not permitted
traceroute: wrote 64.233.189.104 38 chars, ret=-1
 *traceroute: sendto: Operation not permitted
traceroute: wrote 64.233.189.104 38 chars, ret=-1
 * traceroute: sendto: Operation not permitted
 2 traceroute: wrote 64.233.189.104 38 chars, ret=-1
WHY, help needed.
Indunil Jayasooriya (indunil75@gmail.com) wrote:
Hi,
I am setting up a firewall on CENTOS 4.4.
I have enabled ICMP to www.google.com
iptables -A OUTPUT -p icmp -d 64.233.189.104 -j ACCEPT
iptables -A INPUT -p icmp -s 64.233.189.104 -j ACCEPT
traceroute by default uses UDP with port 33434.
br
Hi,
Thanks for your info.
I wrote below 2 rules
iptables -A OUTPUT -p udp -d 64.233.189.104 --dport 33434 -j ACCEPT
iptables -A INPUT -p udp -s 64.233.189.104 --sport 33434 -j ACCEPT
Then I tried as below
[root@firebox rc.d]# traceroute 64.233.189.104
traceroute to 64.233.189.104 (64.233.189.104), 30 hops max, 38 byte packets
traceroute: sendto: Operation not permitted
 1 traceroute: wrote 64.233.189.104 38 chars, ret=-1
 *traceroute: sendto: Operation not permitted
traceroute: wrote 64.233.189.104 38 chars, ret=-1
 *traceroute: sendto: Operation not permitted
traceroute: wrote 64.233.189.104 38 chars, ret=-1
 * traceroute: sendto: Operation not permitted
 2 traceroute: wrote 64.233.189.104 38 chars, ret=-1
But still the same.
WHY?
If my rules are wrong, can you rectify them?
-- Marcin Mazurek
http://www.netsync.pl/ - :::: - nic-hdl: MM3380-RIPE GnuPG 6687 E661 98B0 AEE6 DA8B 7F48 AEE4 776F 5688 DC89
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Sat February 17 2007 03:11, Indunil Jayasooriya wrote:
I am setting up a firewall on CENTOS 4.4.
I have enabled ICMP to www.google.com
iptables -A OUTPUT -p icmp -d 64.233.189.104 -j ACCEPT iptables -A INPUT -p icmp -s 64.233.189.104 -j ACCEPT
traceroute uses by default UDP with port 33434.
While this is true for a starting point, this is not the whole story.
Traceroute starts on this port, but every time it sends out a packet the port number is increased automatically. Why? Simple: the TTL is exceeded, so traceroute sends out on the next port in numerical order. Thus traceroute needs more than 33434 open; there should be a range of ports open. Traceroute does not always start on this port either, I have found out. Sometimes it starts on a higher port, but only by a few hops.
I wrote below 2 rules
iptables -A OUTPUT -p udp -d 64.233.189.104 --dport 33434 -j ACCEPT iptables -A INPUT -p udp -s 64.233.189.104 --sport 33434 -j ACCEPT
I have the following (I do not restrict the traceroute destination):
-A OUTPUT -o eth0 -p udp --dport 33200:33500 -m state --state NEW -j ACCEPT
Also you don't need the INPUT statement if you have ESTABLISHED,RELATED at the top of your INPUT chain.
Then I tried as below
[snip]
But Still the same.
WHY?
I'm placing my money on the port settings.
IF my rules are wrong can you rectify it ?
See above.
On 2/17/07, Robert Spangler lazydog@zoominternet.net wrote:
On Sat February 17 2007 03:11, Indunil Jayasooriya wrote:
I am setting up a firewall on CENTOS 4.4.
I have enabled ICMP to www.google.com
iptables -A OUTPUT -p icmp -d 64.233.189.104 -j ACCEPT iptables -A INPUT -p icmp -s 64.233.189.104 -j ACCEPT
traceroute uses by default UDP with port 33434.
While this is true for a starting point, this is not the whole story.
Traceroute starts on this port, but every time it sends out a packet the port number is increased automatically. Why? Simple: the TTL is exceeded, so traceroute sends out on the next port in numerical order. Thus traceroute needs more than 33434 open; there should be a range of ports open. Traceroute does not always start on this port either, I have found out. Sometimes it starts on a higher port, but only by a few hops.
I wrote below 2 rules
iptables -A OUTPUT -p udp -d 64.233.189.104 --dport 33434 -j ACCEPT iptables -A INPUT -p udp -s 64.233.189.104 --sport 33434 -j ACCEPT
I have the following (I do not restrict the traceroute destination):
-A OUTPUT -o eth0 -p udp --dport 33200:33500 -m state --state NEW -j ACCEPT
Also you don't need the INPUT statement if you have ESTABLISHED,RELATED at the top of your INPUT chain.
I have included ESTABLISHED,RELATED at the top of my INPUT chain as below:
#Allow established,related traffic to come back
#(for OUTPUT traffic to come back)
iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
But without an INPUT statement it does not work. BUT for TCP OUTPUT traffic, that will be applicable. But for other than TCP (i.e. UDP and ICMP) I will have to include an INPUT statement.
A few OUTPUT rules for which I need an INPUT statement are given below (not TCP).
#UDP
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
#ICMP (for ping www.google.com)
iptables -A OUTPUT -p icmp -d 64.233.189.104 -j ACCEPT
iptables -A INPUT -p icmp -s 64.233.189.104 -j ACCEPT
And this is for TCP (it does not need an INPUT statement; it works fine):
iptables -A OUTPUT -p tcp -o eth0 --dport 22 -j ACCEPT
Pls explain why?
Then I tried as below
[snip]
But Still the same.
WHY?
I'm placing my money on the port settings.
IF my rules are wrong can you rectify it ?
See above.
--
Regards Robert
Smile... it increases your face value!
On 19/02/07, Indunil Jayasooriya indunil75@gmail.com wrote:
WHY?
STOP USING CAPITLS, IT'S CONSIDERED SHOTING!
Before you ask anything about IPtables, print out the results from iptables -L. It could very well be that the order of your rules is MESSED UP!
On 2/19/07, Alvin Chang alvin.chang@gmail.com wrote:
On 19/02/07, Indunil Jayasooriya indunil75@gmail.com wrote:
WHY?
STOP USING CAPITLS, IT'S CONSIDERED SHOTING!
Instead of CAPITALS, I used lowercase letters as below.
iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state established,related -j ACCEPT
But I cannot use -A INPUT as -a input; then it does not work.
Anyway, I would like to get more help as to this.
I want to know whether "-m state --state established,related -j ACCEPT" works for all tcp, udp and icmp protocols, or only for tcp. (For tcp, it works.)
I am testing the below rule. It is udp.
iptables -A OUTPUT -p udp -o eth0 --dport 53 -m state --state NEW -j ACCEPT
When I have the below rule for the above, it works. If I remove it, it will not. WHY?
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
Pls note that I have already added the below rule:
iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state established,related -j ACCEPT
Before you ask anything about IPtables, print out the results from
iptables -L. It could very well be that the order of your rules is MESSED UP!
Pls see below:
[root@firebox rc.d]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             firebox.itabspl.com  state RELATED,ESTABLISHED
ACCEPT     all  --  localhost.localdomain  localhost.localdomain
ACCEPT     tcp  --  anywhere             firebox.itabspl.com  tcp dpt:ssh
ACCEPT     tcp  --  anywhere             192.168.102.253      tcp dpt:ssh
ACCEPT     icmp --  firebox.itabspl.com  anywhere
ACCEPT     icmp --  192.168.102.0/24     192.168.102.253
ACCEPT     icmp --  66.94.234.13         anywhere
ACCEPT     icmp --  64.233.189.104       anywhere
ACCEPT     icmp --  203.143.4.1          anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spts:traceroute:33523
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp type 30

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.102.0/24     anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             192.168.102.0/24     udp spt:domain
ACCEPT     udp  --  192.168.100.3        anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             192.168.100.3        udp spt:domain
ACCEPT     tcp  --  192.168.102.25       anywhere             multiport dports ssh,smtp,domain,http,https,pop3,imap
ACCEPT     tcp  --  192.168.102.0/24     anywhere             multiport dports http,https
ACCEPT     tcp  --  192.168.100.3        anywhere             multiport dports smtp,http,https
ACCEPT     icmp --  192.168.102.25       64.233.189.104
ACCEPT     icmp --  64.233.189.104       192.168.102.25

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  localhost.localdomain  localhost.localdomain
ACCEPT     tcp  --  firebox.itabspl.com  anywhere             tcp dpt:ssh
ACCEPT     udp  --  firebox.itabspl.com  anywhere             udp dpt:domain state NEW
ACCEPT     tcp  --  firebox.itabspl.com  anywhere             tcp dpt:domain
ACCEPT     tcp  --  firebox.itabspl.com  anywhere             tcp spt:ssh
ACCEPT     tcp  --  192.168.100.253      anywhere             tcp spt:ssh
ACCEPT     tcp  --  192.168.102.253      anywhere             tcp spt:ssh
ACCEPT     icmp --  anywhere             firebox.itabspl.com
ACCEPT     icmp --  192.168.102.253      192.168.102.0/24
ACCEPT     icmp --  anywhere             66.94.234.13
ACCEPT     icmp --  anywhere             64.233.189.104
ACCEPT     udp  --  anywhere             anywhere             udp dpts:traceroute:33523
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp type 30
ACCEPT     icmp --  anywhere             203.143.4.1
--
Alvin Chang Yu-Ming
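Added example (not posted in the thread): a rule set for the firewall host that covers Robert's point about the traceroute UDP port range and the question above of why TCP replies come back without an INPUT rule while UDP and ICMP do not. The listed RELATED,ESTABLISHED rule is restricted by "-p tcp", so conntrack entries for UDP and ICMP (including the time-exceeded messages traceroute depends on) never match it; one rule without "-p tcp" covers all three. It assumes eth0, 192.168.101.60 and the traceroute defaults of 30 hops with 3 probes per hop.

```shell
#!/bin/sh
# Example rule set, not from the thread. Interface and address are taken
# from the posted rules (eth0, 192.168.101.60); adjust for your host.
IFACE=eth0
HOST_IP=192.168.101.60

# Last UDP destination port a traceroute run can reach: base + hops*queries - 1.
# traceroute sends one probe per port, three probes per hop, 30 hops by default,
# so the default run uses 33434:33523 (the range seen in the posted listing).
traceroute_last_port() {
    base=${1:-33434}; hops=${2:-30}; queries=${3:-3}
    echo $((base + hops * queries - 1))
}

apply_rules() {
    iptables -F
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # One return-traffic rule for every protocol conntrack tracks (tcp, udp, icmp).
    # No "-p tcp" here: that restriction is why the posted UDP and ICMP rules
    # needed separate INPUT entries. ICMP errors such as time-exceeded are
    # RELATED to the UDP probe that triggered them, so traceroute replies match too.
    iptables -A INPUT -i "$IFACE" -d "$HOST_IP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound services, NEW connections only; replies return via the rule above.
    iptables -A OUTPUT -o "$IFACE" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -o "$IFACE" -p udp --dport 53 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -o "$IFACE" -p icmp --icmp-type echo-request \
        -m state --state NEW -j ACCEPT

    # traceroute: allow the whole probe range, not just the first port.
    last=$(traceroute_last_port)
    iptables -A OUTPUT -o "$IFACE" -p udp --dport "33434:$last" \
        -m state --state NEW -j ACCEPT
}

# Apply only when explicitly asked (needs root and iptables); otherwise just define.
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run as "sh firewall.sh apply" on the host; running it with no argument only defines the functions.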
Alvin Chang spake the following on 2/18/2007 9:26 PM:
On 19/02/07, Indunil Jayasooriya indunil75@gmail.com wrote:
WHY?
STOP USING CAPITLS, IT'S CONSIDERED SHOTING!
Start using a dictionary or a spell checker!
Before you ask anything about IPtables, print out the results from iptables -L. It could very well be that the order of your rules is MESSED UP!
On 2/17/07, Indunil Jayasooriya indunil75@gmail.com wrote:
But I still cannot traceroute to that IP. Pls see below what happens when I try traceroute.
Keep in mind that traceroute is no longer universally supported, as several larger ISPs have blocked some ICMP/UDP functionality following some Windows exploits a few years ago. tcptraceroute seems far more reliable to me these days.