From hisham at shaw.ca Tue May 27 13:16:57 2003
From: hisham at shaw.ca (Hisham Abdel-Rahman)
Date: Tue, 27 May 2003 14:16:57 -0600
Subject: [NARC] Few Questions
Message-ID: <008401c3248c$ec752f30$740aa8c0@hisham>

Hello All,

I just installed the narc - totally new to iptables - I was using ipchains before on a 2.2.14-5 kernel (RH). Now I'm running "RH 9.0" with the 2.4.20-8 kernel. Here are the questions:

1. The default start up script for iptables is S08iptables, which means it will not work with narc, because narc checks for the IP address and the network will not start until S10network runs, so the only way is to change S08iptables to S11iptables. Is there any problem doing this? Why did RH make iptables start before the network gets configured??

2. This is the string iptables logs to the firewall.log file:

"May 27 13:32:09 kernel: ALL_ELSE IN=eth0 OUT= MAC=00:80:5f:6d:43:1d:08:00:3e:0e:f7:7c:08:00 SRC=xxx.xxx.xxx.xxx DST=yyy.yyy.yyy.yyy LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=31702 PROTO=TCP SPT=10025 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0"

How can I interpret this info? Which part tells me that this packet is being dropped?

3. From the following output of /etc/rc5.d/S11iptables start:

"Reject packets to TCP auth port instead of drop
Allow external connections on eth0 TCP ports: ssh,http
Allow external connections on eth0 UDP ports: ntp
Allow external connections on eth0 UDP ports: 67:68
Enabling ICMP message types: echo-reply network-unreachable host-unreachable port-unreachable"

you can find that I enabled ssh, http, ntp and dhcp (67:68). I did not enable PPTP. I used the following two lines to enable PPTP in my old ipchains configuration:

$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1723 -j ACCEPT # this takes care of port 1723
$IPCHAINS -A input -p 47 -s $REMOTENET -d $OUTERNET -j ACCEPT # this takes care of protocol 47

Now with iptables and the RH 9.0 2.4.20-8 kernel, PPTP is working without adding any rules to enable it. Is this right, or is there a problem with the firewall?? If there is something wrong with the firewall, what is it, how can I fix it and how do I enable protocol 47 ?? "-A input -p 47 -s $REMOTENET "

Thank you for your help.

Hisham


From shane at knowplace.org Tue May 27 22:11:31 2003
From: shane at knowplace.org (Shane Chen)
Date: Tue, 27 May 2003 22:11:31 -0700
Subject: [NARC] Few Questions
References: <008401c3248c$ec752f30$740aa8c0@hisham>
Message-ID: <004901c324d7$9a106480$4264a8c0@TRANSMUTE>

Hi Hisham,

----- Original Message -----
From: "Hisham Abdel-Rahman"

> 1. The default start up script for iptables is S08iptables, which means it will not work with narc, because narc checks for the IP address and the network will not start until S10network runs, so the only way is to change S08iptables to S11iptables. Is there any problem doing this? Why did RH make iptables start before the network gets configured??

If you have the luxury of knowing what your IP address is beforehand, this isn't a bad idea. Some security folks are of the opinion that you should have your network defenses up before the networking bits of your kernel are active. Primarily this was to prevent certain blackhats from crashing a box, causing a reboot, and timing the attacks so that they can get packets past the firewall and take control of something. Now, I don't know how many times this has happened, but it's possible. But since NARC utilizes IP info to do certain things, the easy way out was to load it after the networking is started. No harm done IMO.

> 2. This is the string iptables logs to the firewall.log file:
>
> "May 27 13:32:09 kernel: ALL_ELSE IN=eth0 OUT= MAC=00:80:5f:6d:43:1d:08:00:3e:0e:f7:7c:08:00 SRC=xxx.xxx.xxx.xxx DST=yyy.yyy.yyy.yyy LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=31702 PROTO=TCP SPT=10025 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0"
>
> How can I interpret this info? Which part tells me that this packet is being dropped?

See http://logi.cc/linux/NetfilterLogAnalyzer.php3 or http://logi.cc/linux/netfilter-log-format.php3. Basically, the ALL_ELSE prefix in NARC means that the packet that activated this logging rule was not matched specifically by any previous rules, and is therefore dropped.

> you can find that I enabled ssh, http, ntp and dhcp (67:68). I did not enable PPTP. I used the following two lines to enable PPTP in my old ipchains configuration:
>
> Now with iptables and the RH 9.0 2.4.20-8 kernel, PPTP is working without adding any rules to enable it. Is this right, or is there a problem with the firewall?? If there is something wrong with the firewall, what is it, how can I fix it and how do I enable protocol 47 ?? "-A input -p 47 -s $REMOTENET "

Netfilter's connection tracking stuff is very cool that way. I assume you're PPTP'ing out from behind your firewall (it wouldn't work otherwise). NARC by default assumes that all outgoing traffic should be allowed, and based on the conntrack stuff, the return packets belonging to that connection are accepted.

Shane


From gabriel_orozco at mx.sumida.com Wed May 28 15:03:29 2003
From: gabriel_orozco at mx.sumida.com (Gabriel Orozco)
Date: Wed, 28 May 2003 17:03:29 -0500
Subject: [NARC] Re: NARC digest, Vol 1 #68 - 2 msgs
References: <20030528132926.4334.27.Mailman@moles>
Message-ID: <005701c32564$f92e1510$5000870a@gorozco2>

You need to open the 1723 port on the outside if you have a pptp server in your box. Also you need to add protocol 47 in your narc-custom.conf file, accepting it. That's all.

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.484 / Virus Database: 282 - Release Date: 27/05/2003


From luis.peromarta at matersalvatoris-cs.org Thu May 29 02:51:44 2003
From: luis.peromarta at matersalvatoris-cs.org (Luis Peromarta)
Date: Thu, 29 May 2003 11:51:44 +0200
Subject: [NARC] Port Selective NAT ?
Message-ID: <3ED5D830.2050202@matersalvatoris-cs.org>

Hi!

Newbie to firewalls, simple question. With narc you can turn NAT on or off. However, I would just like to masquerade traffic on one single TCP port. I seem to be unable to configure it that way.

Any hint will be very much appreciated. Thanks,

Luis Peromarta.

--
This message has been scanned by MailScanner for viruses and other dangerous content, and is believed to be clean.


From hisham at shaw.ca Fri May 30 14:28:32 2003
From: hisham at shaw.ca (Hisham Abdel-Rahman)
Date: Fri, 30 May 2003 15:28:32 -0600
Subject: [NARC] Network issue
Message-ID: <006a01c326f2$6bbc4eb0$740aa8c0@hisham>

Hello All,

I'm having a weird problem with a RH 9 (2.4.20-8) server I just installed; narc iptables is running on the system. The problem is that I can not ping the internal network IP address (it can not ping itself). I can ping all the internal IP addresses from the Linux server and ping the Linux server from all machines in the network, but I can not ping the server from itself.

Thanks,
-Hisham


From shane at knowplace.org Fri May 30 15:55:13 2003
From: shane at knowplace.org (Shane Chen)
Date: Fri, 30 May 2003 15:55:13 -0700
Subject: [NARC] Port Selective NAT ?
References: <3ED5D830.2050202@matersalvatoris-cs.org>
Message-ID: <011401c326fe$882b3eb0$22c1a8c0@ict.usc.edu>

----- Original Message -----
From: "Luis Peromarta"

> Newbie to firewalls, simple question. With narc you
> can turn NAT on or off. However, I would just like to
> masquerade traffic on one single TCP port.

I believe what you're looking for is port forwarding, not NAT.

Shane


From shane at knowplace.org Fri May 30 16:04:28 2003
From: shane at knowplace.org (Shane Chen)
Date: Fri, 30 May 2003 16:04:28 -0700
Subject: [NARC] Network issue
References: <006a01c326f2$6bbc4eb0$740aa8c0@hisham>
Message-ID: <012001c326ff$d2bf1540$22c1a8c0@ict.usc.edu>

----- Original Message -----
From: "Hisham Abdel-Rahman"

> I'm having a weird problem with a RH 9 (2.4.20-8) server I just installed; narc iptables is running on the system. The problem is that I can not ping the internal network IP address (it can not ping itself). I can ping all the internal IP addresses from the Linux server and ping the Linux server from all machines in the network, but I can not ping the server from itself.

My guess is that it's either a LOOPBACK_MODE or BIND_IP setting problem.

Shane
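The log line Hisham asked about in the first thread ("which part tells me that this packet is being dropped?") is worth a closer look, because the netfilter LOG target only records the packet headers: the verdict comes from whatever rule follows the LOG rule, so the --log-prefix (NARC's ALL_ELSE) is the only hint in the line itself. The parser below is an added example written for this archive, not code from NARC or from anyone on the list. It splits a syslog line into the prefix, the KEY=VALUE fields and the bare flag tokens, and maps the prefix to a verdict. The sample line is constructed from the one posted, with RFC 5737 documentation addresses in place of the masked xxx/yyy; the PREFIX_VERDICT table is an assumption (ALL_ELSE is the only prefix attested in the thread), as is the inbound/forwarded/outbound heuristic based on which of IN= and OUT= is filled in.

```python
"""Parse netfilter/iptables LOG lines of the kind NARC writes to firewall.log.

Added example, not NARC's own code. The LOG target records the packet headers,
never the verdict; the verdict is whatever the next rule in the chain does, so
the only hint in the line itself is the --log-prefix (NARC's ALL_ELSE: no
earlier rule matched, the packet falls through to the final DROP).
"""
import re
from typing import Dict, List, Optional

# Constructed sample based on the line posted in the thread; the masked
# xxx/yyy addresses are replaced with RFC 5737 documentation addresses.
SAMPLE_LOG = (
    "May 27 13:32:09 kernel: ALL_ELSE IN=eth0 OUT= "
    "MAC=00:80:5f:6d:43:1d:08:00:3e:0e:f7:7c:08:00 "
    "SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 "
    "TTL=110 ID=31702 PROTO=TCP SPT=10025 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0"
)

# Bare tokens (no '=') that netfilter prints: IP-header flags and TCP flags.
FLAG_TOKENS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
# Fields that are plain decimal integers.
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP", "TYPE", "CODE"}
# Assumed prefix -> verdict table. ALL_ELSE is the only prefix attested in the
# thread; add the prefixes your own LOG rules use and the verdict that follows.
PREFIX_VERDICT = {"ALL_ELSE": "DROP"}

# syslog timestamp, optional hostname, "kernel:", optional dmesg uptime stamp.
_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<host>\S+)\s+)?kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?(?P<rest>.*)$"
)


def parse_netfilter_log(line: str) -> Optional[Dict]:
    """Split one syslog line into prefix, KEY=VALUE fields and flag tokens.

    Returns None for anything that is not a kernel netfilter LOG record.
    """
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        return None
    prefix_tokens: List[str] = []
    fields: Dict[str, object] = {}
    flags: List[str] = []
    seen_field = False
    for tok in m.group("rest").split():
        if "=" in tok:
            seen_field = True
            key, val = tok.split("=", 1)          # "OUT=" yields ("OUT", "")
            fields[key] = int(val) if key in INT_FIELDS and val.isdigit() else val
        elif not seen_field:
            prefix_tokens.append(tok)             # --log-prefix text may contain spaces
        elif tok in FLAG_TOKENS:
            flags.append(tok)
    if "IN" not in fields or "OUT" not in fields:
        return None  # a kernel message, but not a netfilter LOG record
    # Heuristic (assumption): IN set/OUT empty = arriving for this host,
    # both set = forwarded through it, IN empty/OUT set = locally generated.
    has_in, has_out = bool(fields["IN"]), bool(fields["OUT"])
    direction = {(True, False): "inbound", (True, True): "forwarded",
                 (False, True): "outbound"}.get((has_in, has_out), "unknown")
    return {"ts": m.group("ts"), "host": m.group("host"), "prefix": " ".join(prefix_tokens),
            "fields": fields, "flags": flags, "direction": direction}


def verdict_for(parsed: Dict) -> Optional[str]:
    """Verdict implied by the log prefix, or None when the prefix is unknown."""
    return PREFIX_VERDICT.get(parsed["prefix"])


def describe(line: str) -> str:
    """One-line human summary of a LOG record, e.g. for a triage script."""
    p = parse_netfilter_log(line)
    if p is None:
        return "not a netfilter LOG line"
    f = p["fields"]
    proto = str(f.get("PROTO", "?"))
    endpoints = f"{f.get('SRC', '?')}:{f.get('SPT', '-')} -> {f.get('DST', '?')}:{f.get('DPT', '-')}"
    verdict = verdict_for(p) or "verdict not recorded in LOG line"
    return (f"{p['ts']} {p['direction']} {proto} {endpoints} "
            f"flags={','.join(p['flags']) or '-'} prefix={p['prefix'] or '-'} => {verdict}")


if __name__ == "__main__":
    print(describe(SAMPLE_LOG))
```

Run it on the sample and it reports an inbound TCP SYN to port 25 with prefix ALL_ELSE, which the table maps to DROP; a line whose prefix is not in the table is reported with "verdict not recorded", which is the honest answer for a LOG rule whose follow-up rule you have not looked up. A PPTP data packet shows up in the same format with PROTO=47, the protocol number Hisham and Gabriel discuss, which is why the PROTO field is kept as a string rather than forced to a name.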