[Firewall] 2.0.1d LAN_INET_HOST_OPEN_TCP issues

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Tue Apr 2 17:24:32 CEST 2013


Good to know. Thanks for reporting back!

a.

On 02-Apr-13 16:31, Daniel Lindbeck wrote:
> Lonnie,
>
> I got it working!
> This bug was already fixed in sys-apps/coreutils-8.20-r2
> (https://bugs.gentoo.org/show_bug.cgi?id=448716).
> After unmasking and re-emerging, all firewall rules applied nicely.
>
> Thanks for all your help!
>
> / Daniel
>
> Lonnie Abelbeck skrev 2013-04-02 15:37:
>> Daniel,
>>
>> Very weird, the problem seems to be with your "seq" command:
>>
>> io ~ # seq -s' ' 4 9
>> 4
>> 5 6 7 8 9
>>
>> The output should be all on one line, space separated, ie.
>> --
>> 4 5 6 7 8 9
>> --
>>
>> The \n between your first pair is causing your problems.
>>
>> Can you look into your "seq" command version...  Is your Linux
>> platform a distro, custom built, etc...
>>
>> Lonnie
>>
>>
>> On Apr 2, 2013, at 6:55 AM, Daniel Lindbeck wrote:
>>
>>> Here's the log:
>>>
>>> * Loading Firewall... ...Arno's Iptables Firewall
>>> Script v2.0.1d
>>> -------------------------------------------------------------------------------
>>>
>>> Platform: Linux 3.7.5-hardened-r1 x86_64
>>> Checking/probing Iptables modules:
>>> Loaded kernel module ip_tables.
>>> Loaded kernel module nf_conntrack.
>>> Loaded kernel module nf_conntrack_ftp.
>>> Loaded kernel module xt_conntrack.
>>> Loaded kernel module xt_limit.
>>> Loaded kernel module xt_state.
>>> Loaded kernel module xt_multiport.
>>> Loaded kernel module iptable_filter.
>>> Loaded kernel module iptable_mangle.
>>> Loaded kernel module ipt_REJECT.
>>> Loaded kernel module xt_LOG.
>>> Loaded kernel module xt_TCPMSS.
>>> Loaded kernel module xt_DSCP.
>>> Loaded kernel module iptable_nat.
>>> Loaded kernel module nf_nat.
>>> Loaded kernel module nf_nat_ftp.
>>> Loaded kernel module ipt_MASQUERADE.
>>> Loaded kernel module nf_conntrack_irc.
>>> Loaded kernel module nf_nat_irc.
>>> Module check done...
>>> Configuring general kernel parameters:
>>> Setting the max. amount of simultaneous connections to 16384
>>>   net.nf_conntrack_max = 16384
>>>   net.netfilter.nf_conntrack_udp_timeout = 60
>>>   net.netfilter.nf_conntrack_acct = 1
>>> Configuring kernel parameters:
>>> Disabling send redirects
>>>   net.ipv4.conf.all.send_redirects = 0
>>>   net.ipv4.conf.default.send_redirects = 0
>>>   net.ipv4.conf.eth0.send_redirects = 0
>>>   net.ipv4.conf.eth1.send_redirects = 0
>>>   net.ipv4.conf.lo.send_redirects = 0
>>> Enabling protection against source routed packets
>>>   net.ipv4.conf.all.accept_source_route = 0
>>>   net.ipv4.conf.default.accept_source_route = 0
>>>   net.ipv4.conf.eth0.accept_source_route = 0
>>>   net.ipv4.conf.eth1.accept_source_route = 0
>>>   net.ipv4.conf.lo.accept_source_route = 0
>>>   net.ipv4.icmp_echo_ignore_broadcasts = 1
>>>   net.ipv4.icmp_ignore_bogus_error_responses = 1
>>> Enabling packet forwarding
>>>   net.ipv4.conf.all.forwarding = 1
>>>   net.ipv4.conf.default.forwarding = 1
>>>   net.ipv4.conf.eth0.forwarding = 1
>>>   net.ipv4.conf.eth1.forwarding = 1
>>>   net.ipv4.conf.lo.forwarding = 1
>>> Setting some kernel performance options
>>>   net.ipv4.tcp_window_scaling = 1
>>>   net.ipv4.tcp_timestamps = 1
>>>   net.ipv4.tcp_sack = 1
>>>   net.ipv4.tcp_dsack = 1
>>>   net.ipv4.tcp_fack = 1
>>>   net.ipv4.tcp_low_latency = 0
>>> Enabling reduction of the DoS'ing ability
>>>   net.ipv4.tcp_fin_timeout = 30
>>>   net.ipv4.tcp_keepalive_time = 1800
>>>   net.ipv4.tcp_syn_retries = 3
>>>   net.ipv4.tcp_synack_retries = 2
>>>   net.ipv4.tcp_rfc1337 = 1
>>>   net.ipv4.ip_local_port_range = 32768 61000
>>> Enabling SYN-flood protection via SYN-cookies
>>>   net.ipv4.tcp_syncookies = 1
>>> Enabling anti-spoof with rp_filter
>>>   net.ipv4.conf.all.rp_filter = 1
>>>   net.ipv4.conf.default.rp_filter = 1
>>>   net.ipv4.conf.eth0.rp_filter = 1
>>>   net.ipv4.conf.eth1.rp_filter = 1
>>>   net.ipv4.conf.lo.rp_filter = 1
>>>   net.ipv4.icmp_echo_ignore_all = 0
>>> Disabling the logging of martians
>>>   net.ipv4.conf.all.log_martians = 0
>>>   net.ipv4.conf.default.log_martians = 0
>>>   net.ipv4.conf.eth0.log_martians = 0
>>>   net.ipv4.conf.eth1.log_martians = 0
>>>   net.ipv4.conf.lo.log_martians = 0
>>> Disabling the acception of ICMP-redirect messages
>>>   net.ipv4.conf.all.accept_redirects = 0
>>>   net.ipv4.conf.default.accept_redirects = 0
>>>   net.ipv4.conf.eth0.accept_redirects = 0
>>>   net.ipv4.conf.eth1.accept_redirects = 0
>>>   net.ipv4.conf.lo.accept_redirects = 0
>>> Disabling ECN (Explicit Congestion Notification)
>>>   net.ipv4.tcp_ecn = 0
>>> Enabling kernel support for dynamic IPs
>>>   net.ipv4.ip_dynaddr = 1
>>> Enabling PMTU discovery
>>>   net.ipv4.ip_no_pmtu_disc = 0
>>> Setting default TTL=64
>>>   net.ipv4.ip_default_ttl = 64
>>> Flushing route table
>>>   net.ipv4.route.flush = 1
>>> Kernel setup done...
>>> Reinitializing firewall chains
>>> Setting all default policies to DROP while "setting up firewall rules"
>>> IPv4 mode selected but IPv6 available, DROP all IPv6 packets
>>> Using loglevel "info" for syslogd
>>>
>>> Setting up firewall rules:
>>> -------------------------------------------------------------------------------
>>>
>>> Enabling setting the maximum packet size via MSS
>>> Enabling mangling TOS
>>> Logging of stealth scans (nmap probes etc.) enabled
>>> Logging of packets with bad TCP-flags enabled
>>> Logging of INVALID TCP packets disabled
>>> Logging of INVALID UDP packets disabled
>>> Logging of INVALID ICMP packets disabled
>>> Logging of fragmented packets enabled
>>> Logging of access from reserved nets enabled
>>> Setting up antispoof for INTERNAL net(s): 192.168.2.0/24
>>> Reading custom rules from /etc/arno-iptables-firewall/custom-rules
>>> Checking for (user) plugins in
>>> /usr/share/arno-iptables-firewall/plugins...
>>> Loaded 0 plugin(s)...
>>> Setting up external(INET) INPUT policy
>>> Logging of ICMP flooding enabled
>>> Enabling support for DHCP-assigned-IP (DHCP client)
>>> Logging of explicitly blocked hosts enabled
>>> Logging of denied local output connections enabled
>>> Packets will NOT be checked for reserved source addresses
>>> Allowing ANYHOST for TCP port(s): 20
>>> Allowing ANYHOST for TCP port(s): 21
>>> Allowing ANYHOST for TCP port(s): 22
>>> Allowing ANYHOST for TCP port(s): 53
>>> Allowing ANYHOST for TCP port(s): 80
>>> Allowing ANYHOST to send IPv4 ICMP-requests (ping)
>>> Logging of possible stealth scans enabled
>>> Logging of (other) packets to PRIVILEGED TCP ports enabled
>>> Logging of (other) packets to PRIVILEGED UDP ports enabled
>>> Logging of (other) packets to UNPRIVILEGED TCP ports enabled
>>> Logging of (other) packets to UNPRIVILEGED UDP ports enabled
>>> Logging of IGMP packets enabled
>>> Logging of dropped ICMP-request(ping) packets enabled
>>> Logging of dropped other ICMP packets enabled
>>> Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets enabled
>>> Setting up external(INET) OUTPUT policy
>>> Applying external(INET) policy to interface: eth0 (without an
>>> external subnet specified)
>>> Setting up internal(LAN) INPUT policy
>>> Allowing ICMP-requests(ping)
>>> Allowing all (other) ports/protocols
>>> Applying internal(LAN) policy to interface: eth1
>>> Setting up internal(LAN) FORWARD policy
>>> Logging of denied LAN->INET FORWARD connections enabled
>>> Setting up LAN->INET policy
>>>   Allowing 0/0(LAN) to 1.2.3.170-190(INET) for TCP port(s): 443
>>>     /sbin/iptables -A LAN_INET_FORWARD_CHAIN -o + -s 0/0 -d 1.2.3.170
>>> 171 -p tcp --dport 443 -j ACCEPT
>>> ERROR (2): iptables v1.4.16.3: host/network `1.2.3.170
>>> 171' not found
>>> Try `iptables -h' or 'iptables --help' for more information.
>>>   Allowing 192.168.2.160-169(LAN) to 0/0(INET) for TCP port(s): 0:65535
>>>   /sbin/iptables -A LAN_INET_FORWARD_CHAIN -o + -s 192.168.2.160
>>> 161 -d 0/0 -p tcp --dport 0:65535 -j ACCEPT
>>> ERROR (2): iptables v1.4.16.3: host/network `192.168.2.160
>>> 161' not found
>>> Try `iptables -h' or 'iptables --help' for more information.
>>>   Allowing 192.168.2.10-35(LAN) to 0/0(INET) for TCP port(s): 20:1000
>>> /sbin/iptables -A LAN_INET_FORWARD_CHAIN -o + -s 192.168.2.10
>>> 11 -d 0/0 -p tcp --dport 20:1000 -j ACCEPT
>>> ERROR (2): iptables v1.4.16.3: host/network `192.168.2.10
>>> 11' not found
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> Apr 02 13:48:48 WARNING: Not all firewall rules are applied.
>>>   Allowing ICMP-requests(ping)
>>>   Denying all (other) ports/protocols
>>> Applying internal(LAN) FORWARD policy to interface: eth1
>>> Enabling masquerading(NAT) via external interface(s): eth0
>>> Adding (internal) host(s): 192.168.2.0/24
>>> (eth0) Forwarding(NAT) TCP port(s) 0/0:6003,7001,7002,27000:27045 to
>>> 192.168.2.16
>>> (eth0) Forwarding(NAT) UDP port(s) 0/0:6003,7001,7002,27000:27045 to
>>> 192.168.2.16
>>> Security is ENFORCED for external interface(s) in the FORWARD chain
>>> Logging of dropped FORWARD packets enabled
>>>
>>> * WARNING: Failed to load Firewall [ !! ]
>>> * ERROR: arno-iptables-firewall failed to start
>>> ---
>>>
>>> io ~ # echo "1.2.3.4-9" |cut -s -d'-' -f1 |awk -F'.' '{ print $NF }'
>>> |grep -e '[0-9]'
>>> 4
>>> io ~ # echo "1.2.3.4-9" |cut -s -d'-' -f2 |grep -e '[0-9]'
>>> 9
>>> io ~ # seq -s' ' 4 9
>>> 4
>>> 5 6 7 8 9
>>> io ~ # IFS=',' ; $(IFS=' ') ; echo "$IFS" ; unset IFS
>>> ,
>>> io ~ #
>>>
>>> /Daniel
>>>
>>> Arno van Amersfoort skrev 2013-04-02 11:42:
>>>> The syntax is correct: that can't be the problem. I even tested it
>>>> myself to make sure it (still) does. Could you provide the complete
>>>> output of "/usr/local/sbin/arno-iptables-firewall start" ? And your
>>>> config file?
>>>>
>>>> a.
>>>>
>>>> On 02-Apr-13 8:10, Daniel Lindbeck wrote:
>>>>> Hi,
>>>>>
>>>>> I'm having some issues with LAN_INET_HOST_OPEN_TCP/UDP in 2.0.1d.
>>>>> In 1.9.x I could specify IP-ranges like this:
>>>>>
>>>>> LAN_INET_HOST_OPEN_TCP="
>>>>> 0/0>xxx.xxx.xxx.170-190~443
>>>>> xxx.xxx.xxx.160-169>0/0~0:65535
>>>>> xxx.xxx.xxx.10-35>0/0~20:1000"
>>>>>
>>>>> And the errors I'm getting are:
>>>>> seq: invalid floating point argument: 99/0
>>>>> Try 'seq --help' for more information. Allowing
>>>>> xxx.xxx.xxx.160-169(LAN)
>>>>> to 0/0(INET) for TCP port(s): 0:65535
>>>>>
>>>>> AND
>>>>>
>>>>> ERROR (2): iptables v1.4.16.3: host/network `xxx.xxx.xxx.10
>>>>>
>>>>> This configuration works fine in 1.9.x.
>>>>> Am I doing something wrong here?
>>>>>
>>>>> / Daniel
>>>>>
>>>>> _______________________________________________
>>>>> Firewall mailing list
>>>>> Firewall at rocky.eld.leidenuniv.nl
>>>>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>>>> http://rocky.eld.leidenuniv.nl
>>>>>
>>>
>>>
>
>
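Added example, not code from the firewall script or from anyone in the thread: a POSIX sh expander for the `a.b.c.x-y` last-octet range form used in LAN_INET_HOST_OPEN_TCP that does not depend on `seq -s`, plus a check that detects the broken `seq -s' '` output Lonnie identified (a newline after the first number). Function names and the inline sample range are assumptions.

```shell
#!/bin/sh
# seq_separator_ok: returns 0 when `seq -s' ' 4 9` yields exactly one line,
# i.e. the separator is honoured. A buggy coreutils prints "4\n5 6 7 8 9".
seq_separator_ok() {
  lines=$(seq -s' ' 4 9 | wc -l | tr -d ' ')
  [ "$lines" -eq 1 ]
}

# expand_ip_range "1.2.3.170-190" -> "1.2.3.170 1.2.3.171 ... 1.2.3.190"
# A value without '-' (e.g. "0/0" or a single host) is echoed unchanged.
# Returns 1 on a malformed or reversed range so a caller can stop before
# handing a broken argument to iptables.
expand_ip_range() {
  range="$1"
  case "$range" in
    *-*) ;;
    *) printf '%s\n' "$range"; return 0 ;;
  esac
  prefix=${range%.*}     # "1.2.3"
  octets=${range##*.}    # "170-190"
  start=${octets%-*}
  end=${octets#*-}
  case "$start" in ''|*[!0-9]*) return 1 ;; esac
  case "$end"   in ''|*[!0-9]*) return 1 ;; esac
  if [ "$start" -gt "$end" ] || [ "$end" -gt 255 ]; then
    return 1
  fi
  out=""
  i=$start
  while [ "$i" -le "$end" ]; do
    out="$out${out:+ }$prefix.$i"   # build the list with explicit spaces
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# Constructed sample matching the thread's first rule (hosts masked as 1.2.3.x).
for host in $(expand_ip_range "1.2.3.170-172"); do
  echo "would add: iptables -A LAN_INET_FORWARD_CHAIN -d $host -p tcp --dport 443 -j ACCEPT"
done
```

Run `seq_separator_ok || echo "seq -s is broken on this host"` on the firewall box to confirm whether the coreutils bug from the thread is present before trusting any script that splits seq output on spaces.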

