[Firewall] 2.0.1d LAN_INET_HOST_OPEN_TCP issues

Daniel Lindbeck dajmon at lindnet.se
Tue Apr 2 16:31:54 CEST 2013


Lonnie,

I got it working!
This bug was already fixed in sys-apps/coreutils-8.20-r2
(https://bugs.gentoo.org/show_bug.cgi?id=448716).
After unmasking and re-emerging, all firewall rules applied nicely.

Thanks for all your help!

/ Daniel

Lonnie Abelbeck wrote 2013-04-02 15:37:
> Daniel,
>
> Very weird, the problem seems to be with your "seq" command:
>
> io ~ # seq -s' ' 4 9
> 4
> 5 6 7 8 9
>
> The output should be all on one line, space separated, i.e.
> --
> 4 5 6 7 8 9
> --
>
> The \n between your first pair is causing your problems.
>
> Can you look into your "seq" command version...  Is your Linux platform a distro, custom built, etc...
>
> Lonnie
>
>
> On Apr 2, 2013, at 6:55 AM, Daniel Lindbeck wrote:
>
>> Here's the log:
>>
>> * Loading Firewall... ...Arno's Iptables Firewall Script v2.0.1d
>> -------------------------------------------------------------------------------
>> Platform: Linux 3.7.5-hardened-r1 x86_64
>> Checking/probing Iptables modules:
>> Loaded kernel module ip_tables.
>> Loaded kernel module nf_conntrack.
>> Loaded kernel module nf_conntrack_ftp.
>> Loaded kernel module xt_conntrack.
>> Loaded kernel module xt_limit.
>> Loaded kernel module xt_state.
>> Loaded kernel module xt_multiport.
>> Loaded kernel module iptable_filter.
>> Loaded kernel module iptable_mangle.
>> Loaded kernel module ipt_REJECT.
>> Loaded kernel module xt_LOG.
>> Loaded kernel module xt_TCPMSS.
>> Loaded kernel module xt_DSCP.
>> Loaded kernel module iptable_nat.
>> Loaded kernel module nf_nat.
>> Loaded kernel module nf_nat_ftp.
>> Loaded kernel module ipt_MASQUERADE.
>> Loaded kernel module nf_conntrack_irc.
>> Loaded kernel module nf_nat_irc.
>> Module check done...
>> Configuring general kernel parameters:
>> Setting the max. amount of simultaneous connections to 16384
>>   net.nf_conntrack_max = 16384
>>   net.netfilter.nf_conntrack_udp_timeout = 60
>>   net.netfilter.nf_conntrack_acct = 1
>> Configuring kernel parameters:
>> Disabling send redirects
>>   net.ipv4.conf.all.send_redirects = 0
>>   net.ipv4.conf.default.send_redirects = 0
>>   net.ipv4.conf.eth0.send_redirects = 0
>>   net.ipv4.conf.eth1.send_redirects = 0
>>   net.ipv4.conf.lo.send_redirects = 0
>> Enabling protection against source routed packets
>>   net.ipv4.conf.all.accept_source_route = 0
>>   net.ipv4.conf.default.accept_source_route = 0
>>   net.ipv4.conf.eth0.accept_source_route = 0
>>   net.ipv4.conf.eth1.accept_source_route = 0
>>   net.ipv4.conf.lo.accept_source_route = 0
>>   net.ipv4.icmp_echo_ignore_broadcasts = 1
>>   net.ipv4.icmp_ignore_bogus_error_responses = 1
>> Enabling packet forwarding
>>   net.ipv4.conf.all.forwarding = 1
>>   net.ipv4.conf.default.forwarding = 1
>>   net.ipv4.conf.eth0.forwarding = 1
>>   net.ipv4.conf.eth1.forwarding = 1
>>   net.ipv4.conf.lo.forwarding = 1
>> Setting some kernel performance options
>>   net.ipv4.tcp_window_scaling = 1
>>   net.ipv4.tcp_timestamps = 1
>>   net.ipv4.tcp_sack = 1
>>   net.ipv4.tcp_dsack = 1
>>   net.ipv4.tcp_fack = 1
>>   net.ipv4.tcp_low_latency = 0
>> Enabling reduction of the DoS'ing ability
>>   net.ipv4.tcp_fin_timeout = 30
>>   net.ipv4.tcp_keepalive_time = 1800
>>   net.ipv4.tcp_syn_retries = 3
>>   net.ipv4.tcp_synack_retries = 2
>>   net.ipv4.tcp_rfc1337 = 1
>>   net.ipv4.ip_local_port_range = 32768 61000
>> Enabling SYN-flood protection via SYN-cookies
>>   net.ipv4.tcp_syncookies = 1
>> Enabling anti-spoof with rp_filter
>>   net.ipv4.conf.all.rp_filter = 1
>>   net.ipv4.conf.default.rp_filter = 1
>>   net.ipv4.conf.eth0.rp_filter = 1
>>   net.ipv4.conf.eth1.rp_filter = 1
>>   net.ipv4.conf.lo.rp_filter = 1
>>   net.ipv4.icmp_echo_ignore_all = 0
>> Disabling the logging of martians
>>   net.ipv4.conf.all.log_martians = 0
>>   net.ipv4.conf.default.log_martians = 0
>>   net.ipv4.conf.eth0.log_martians = 0
>>   net.ipv4.conf.eth1.log_martians = 0
>>   net.ipv4.conf.lo.log_martians = 0
>> Disabling the acception of ICMP-redirect messages
>>   net.ipv4.conf.all.accept_redirects = 0
>>   net.ipv4.conf.default.accept_redirects = 0
>>   net.ipv4.conf.eth0.accept_redirects = 0
>>   net.ipv4.conf.eth1.accept_redirects = 0
>>   net.ipv4.conf.lo.accept_redirects = 0
>> Disabling ECN (Explicit Congestion Notification)
>>   net.ipv4.tcp_ecn = 0
>> Enabling kernel support for dynamic IPs
>>   net.ipv4.ip_dynaddr = 1
>> Enabling PMTU discovery
>>   net.ipv4.ip_no_pmtu_disc = 0
>> Setting default TTL=64
>>   net.ipv4.ip_default_ttl = 64
>> Flushing route table
>>   net.ipv4.route.flush = 1
>> Kernel setup done...
>> Reinitializing firewall chains
>> Setting all default policies to DROP while "setting up firewall rules"
>> IPv4 mode selected but IPv6 available, DROP all IPv6 packets
>> Using loglevel "info" for syslogd
>>
>> Setting up firewall rules:
>> -------------------------------------------------------------------------------
>> Enabling setting the maximum packet size via MSS
>> Enabling mangling TOS
>> Logging of stealth scans (nmap probes etc.) enabled
>> Logging of packets with bad TCP-flags enabled
>> Logging of INVALID TCP packets disabled
>> Logging of INVALID UDP packets disabled
>> Logging of INVALID ICMP packets disabled
>> Logging of fragmented packets enabled
>> Logging of access from reserved nets enabled
>> Setting up antispoof for INTERNAL net(s): 192.168.2.0/24
>> Reading custom rules from /etc/arno-iptables-firewall/custom-rules
>> Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
>> Loaded 0 plugin(s)...
>> Setting up external(INET) INPUT policy
>> Logging of ICMP flooding enabled
>> Enabling support for DHCP-assigned-IP (DHCP client)
>> Logging of explicitly blocked hosts enabled
>> Logging of denied local output connections enabled
>> Packets will NOT be checked for reserved source addresses
>> Allowing ANYHOST for TCP port(s): 20
>> Allowing ANYHOST for TCP port(s): 21
>> Allowing ANYHOST for TCP port(s): 22
>> Allowing ANYHOST for TCP port(s): 53
>> Allowing ANYHOST for TCP port(s): 80
>> Allowing ANYHOST to send IPv4 ICMP-requests (ping)
>> Logging of possible stealth scans enabled
>> Logging of (other) packets to PRIVILEGED TCP ports enabled
>> Logging of (other) packets to PRIVILEGED UDP ports enabled
>> Logging of (other) packets to UNPRIVILEGED TCP ports enabled
>> Logging of (other) packets to UNPRIVILEGED UDP ports enabled
>> Logging of IGMP packets enabled
>> Logging of dropped ICMP-request(ping) packets enabled
>> Logging of dropped other ICMP packets enabled
>> Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets enabled
>> Setting up external(INET) OUTPUT policy
>> Applying external(INET) policy to interface: eth0 (without an external subnet specified)
>> Setting up internal(LAN) INPUT policy
>> Allowing ICMP-requests(ping)
>> Allowing all (other) ports/protocols
>> Applying internal(LAN) policy to interface: eth1
>> Setting up internal(LAN) FORWARD policy
>> Logging of denied LAN->INET FORWARD connections enabled
>> Setting up LAN->INET policy
>>   Allowing 0/0(LAN) to 1.2.3.170-190(INET) for TCP port(s): 443
>>     /sbin/iptables -A LAN_INET_FORWARD_CHAIN -o + -s 0/0 -d 1.2.3.170
>> 171 -p tcp --dport 443 -j ACCEPT
>> ERROR (2): iptables v1.4.16.3: host/network `1.2.3.170
>> 171' not found
>> Try `iptables -h' or 'iptables --help' for more information.
>>   Allowing 192.168.2.160-169(LAN) to 0/0(INET) for TCP port(s): 0:65535
>>   /sbin/iptables -A LAN_INET_FORWARD_CHAIN -o + -s 192.168.2.160
>> 161 -d 0/0 -p tcp --dport 0:65535 -j ACCEPT
>> ERROR (2): iptables v1.4.16.3: host/network `192.168.2.160
>> 161' not found
>> Try `iptables -h' or 'iptables --help' for more information.
>>   Allowing 192.168.2.10-35(LAN) to 0/0(INET) for TCP port(s): 20:1000
>> /sbin/iptables -A LAN_INET_FORWARD_CHAIN -o + -s 192.168.2.10
>> 11 -d 0/0 -p tcp --dport 20:1000 -j ACCEPT
>> ERROR (2): iptables v1.4.16.3: host/network `192.168.2.10
>> 11' not found
>> Try `iptables -h' or 'iptables --help' for more information.
>> Apr 02 13:48:48 WARNING: Not all firewall rules are applied.
>>   Allowing ICMP-requests(ping)
>>   Denying all (other) ports/protocols
>> Applying internal(LAN) FORWARD policy to interface: eth1
>> Enabling masquerading(NAT) via external interface(s): eth0
>> Adding (internal) host(s): 192.168.2.0/24
>> (eth0) Forwarding(NAT) TCP port(s) 0/0:6003,7001,7002,27000:27045 to 192.168.2.16
>> (eth0) Forwarding(NAT) UDP port(s) 0/0:6003,7001,7002,27000:27045 to 192.168.2.16
>> Security is ENFORCED for external interface(s) in the FORWARD chain
>> Logging of dropped FORWARD packets enabled
>>
>> * WARNING: Failed to load Firewall [ !! ]
>> * ERROR: arno-iptables-firewall failed to start
>> ---
>>
>> io ~ # echo "1.2.3.4-9" |cut -s -d'-' -f1 |awk -F'.' '{ print $NF }' |grep -e '[0-9]'
>> 4
>> io ~ # echo "1.2.3.4-9" |cut -s -d'-' -f2 |grep -e '[0-9]'
>> 9
>> io ~ # seq -s' ' 4 9
>> 4
>> 5 6 7 8 9
>> io ~ # IFS=',' ; $(IFS=' ') ; echo "$IFS" ; unset IFS
>> ,
>> io ~ #
>>
>> /Daniel
>>
>> Arno van Amersfoort wrote 2013-04-02 11:42:
>>> The syntax is correct: that can't be the problem. I even tested it myself to make sure it (still) does. Could you provide the complete output of "/usr/local/sbin/arno-iptables-firewall start" ? And your config file?
>>>
>>> a.
>>>
>>> On 02-Apr-13 8:10, Daniel Lindbeck wrote:
>>>> Hi,
>>>>
>>>> I'm having some issues with LAN_INET_HOST_OPEN_TCP/UDP in 2.0.1d.
>>>> In 1.9.x I could specify IP-ranges like this:
>>>>
>>>> LAN_INET_HOST_OPEN_TCP="
>>>> 0/0>xxx.xxx.xxx.170-190~443
>>>> xxx.xxx.xxx.160-169>0/0~0:65535
>>>> xxx.xxx.xxx.10-35>0/0~20:1000"
>>>>
>>>> And the errors I'm getting are:
>>>> seq: invalid floating point argument: 99/0
>>>> Try 'seq --help' for more information. Allowing xxx.xxx.xxx.160-169(LAN)
>>>> to 0/0(INET) for TCP port(s): 0:65535
>>>>
>>>> AND
>>>>
>>>> ERROR (2): iptables v1.4.16.3: host/network `xxx.xxx.xxx.10
>>>>
>>>> This configuration works fine in 1.9.x.
>>>> Am I doing something wrong here?
>>>>
>>>> / Daniel
>>>>
>>>> _______________________________________________
>>>> Firewall mailing list
>>>> Firewall at rocky.eld.leidenuniv.nl
>>>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>>> http://rocky.eld.leidenuniv.nl
>>>>
>>
>>
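The log above shows what breaks when `seq -s' '` splits its output over two lines: the script's "1.2.3.170-190" range expansion hands iptables a host argument with an embedded newline, iptables rejects it, and the firewall comes up with some rules silently missing. The following is an added example, not code from Arno's Iptables Firewall or from any poster in this thread: it checks the installed `seq` for that separator behaviour, expands a range spec without relying on `seq` at all, and prints (rather than runs) the iptables commands for an entry in the `src>dst~ports` form used in the thread. The function names `seq_separator_ok`, `expand_ip_range` and `render_rules` are this example's own, and it assumes the same single-octet range syntax ("a.b.c.X-Y") the thread uses.

```shell
#!/bin/sh
# Added example, not the firewall script's own code.

# Return 0 when `seq -s' '` puts all numbers on one line, non-zero when it
# inserts a newline after the first number (the behaviour seen in the thread).
seq_separator_ok() {
    [ "$(seq -s' ' 4 9)" = "4 5 6 7 8 9" ]
}

# Expand "a.b.c.X-Y" to "a.b.c.X a.b.c.X+1 ... a.b.c.Y" on a single line.
# Specs without a dash (a plain host, 0/0, a CIDR) are returned unchanged.
# Uses a plain arithmetic loop so the result cannot contain a stray newline.
expand_ip_range() {
    spec=$1
    case $spec in
        *-*) ;;
        *) printf '%s\n' "$spec"; return 0 ;;
    esac
    prefix=${spec%.*}          # e.g. 1.2.3
    range=${spec##*.}          # e.g. 170-190
    first=${range%-*}
    last=${range#*-}
    case $first in ''|*[!0-9]*) echo "bad range: $spec" >&2; return 1 ;; esac
    case $last  in ''|*[!0-9]*) echo "bad range: $spec" >&2; return 1 ;; esac
    if [ "$first" -gt "$last" ] || [ "$last" -gt 255 ]; then
        echo "bad range: $spec" >&2
        return 1
    fi
    out=""
    i=$first
    while [ "$i" -le "$last" ]; do
        out="$out${out:+ }$prefix.$i"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Turn one "src>dst~ports" entry (the LAN_INET_HOST_OPEN_TCP form in the
# thread) into the iptables commands, one per src/dst pair, printed rather
# than executed so the expansion can be inspected before it touches the kernel.
render_rules() {
    entry=$1
    src=${entry%%>*}
    rest=${entry#*>}
    dst=${rest%%~*}
    ports=${rest#*~}
    srcs=$(expand_ip_range "$src") || return 1
    dsts=$(expand_ip_range "$dst") || return 1
    for s in $srcs; do
        for d in $dsts; do
            printf '/sbin/iptables -A LAN_INET_FORWARD_CHAIN -o + -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
                "$s" "$d" "$ports"
        done
    done
}

# Usage with the (masked) entries from the thread: print the rules, and warn
# if this host's seq has the separator problem.
if [ "${1:-}" = "--demo" ]; then
    seq_separator_ok || echo "warning: seq -s splits its output across lines" >&2
    for e in '0/0>1.2.3.170-190~443' '192.168.2.160-169>0/0~0:65535' '192.168.2.10-35>0/0~20:1000'; do
        render_rules "$e"
    done
fi
```

Every generated line carries exactly one `-s` and one `-d` host, which is the property the buggy `seq` violated; a `--demo` run prints 21, 10 and 26 rules for the three entries respectively.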