TechSpot

RH9 Unable to access internet after setting Firewall?

By novkhan
Apr 24, 2004
Topic Status:
Not open for further replies.
  1. Good day!

    Tried to set up the firewall using the guide "RedHat Linux 9 for Dummies".

    I followed every single step, and the firewall is successfully set up.

    But I cannot access the internet when the firewall is up.

    Below is what I have done!

    [root@localhost root]# iptables --flush
    [root@localhost root]# iptables --flush -t nat
    [root@localhost root]# iptables --policy INPUT DROP
    [root@localhost root]# iptables --policy OUTPUT DROP
    [root@localhost root]# iptables --policy FORWARD DROP
    [root@localhost root]# iptables -A OUTPUT -j ACCEPT -o lo
    [root@localhost root]# iptables -A INPUT -j ACCEPT -i lo
    [root@localhost root]# iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED --j ACCEPT
    [root@localhost root]# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED --j ACCEPT
    [root@localhost root]# iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT --dport 22
    [root@localhost root]# cd /etc/init.d/
    [root@localhost init.d]# sshd start
    Extra argument start.
    [root@localhost init.d]# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED --j ACCEPT
    [root@localhost init.d]# iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT --dport 80
    [root@localhost init.d]# cd /etc/init.d/
    [root@localhost init.d]# sshd start
    Extra argument start.
    [root@localhost root]# iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:ssh

    Chain FORWARD (policy DROP)
    target prot opt source destination

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

    Chain RH-Lokkit-0-50-INPUT (0 references)
    target prot opt source destination
    [root@localhost root]# iptables-save > /etc/sysconfig/iptables



    After I type the command below I can't access the internet!
    [root@localhost root]# /etc/init.d/iptables start
    Flushing all current rules and user defined chains: [ OK ]
    Clearing all current rules and user defined chains: [ OK ]
    Applying iptables firewall rules: [ OK ]

    Thank you!
  2. fgaliegue

    fgaliegue TS Rookie Posts: 54

    Hello and first of all, have a look at a post of mine I posted earlier (http://www.techspot.com/vb/topic43874.html), if you follow its guidelines you should be set up. And also...

    This is normal, your rules are broken!

    The second command here is useless, all packets it matches are already matched by the previous one.

    OK, why not, but I hope you understand that this allows incoming SSH traffic to your host?

    NO! Be with me here, THE CURRENT DIRECTORY IS NEVER INCLUDED IN THE PATH VARIABLE BY DEFAULT. What you are trying to do here is launching /usr/sbin/sshd start, and this is why you get that "Extra argument start" - which is ignored by sshd.

    Solution: type either of these:
    • service sshd start
    • /etc/init.d/sshd start

    On to the following...

    Similarly, this command is useless, all packets defined here already are matched by the previous rule.

    And this opens up your HTTP port. Do you actually want to run a webserver?

    In short, all that your firewall accepts in the INPUT chain are packets that allow people from the outside to reach your SSH and HTTP server! Certainly not what you want...

    Oh, the packets you send out will be accepted, yes, but the problem is that returning packets will get dropped!

    If you want more details, read my thread, the URL of which I posted at the start of this post.
  3. fgaliegue

    fgaliegue TS Rookie Posts: 54

    The quick fix

    OK, here is a firewall that should set you on the way. First of all, flush all your chains, by typing:

    service iptables stop

    Then do the following:


    #
    # The central part of it - conntrack, ie stateful firewalling
    #
    iptables -N connstate
    iptables -A connstate -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A connstate -m state --state INVALID -j DROP
    iptables -A connstate -m state --state NEW -p tcp ! --syn -m limit --limit 2/sec -j LOG --log-prefix "NEWNOTSYN: "
    iptables -A connstate -m state --state NEW -p tcp ! --syn -j REJECT --reject-with tcp-reset
    iptables -A connstate -m state --state NEW -j RETURN
    iptables -A connstate -j LOG --log-level CRIT --log-prefix "CONNTRACK BARF: "
    iptables -A connstate -j DROP

    #
    # For all three filter chains: drop everything by default - first chain to go through is
    # connstate
    #
    for i in INPUT OUTPUT FORWARD; do
    iptables -P $i DROP
    iptables -A $i -j connstate
    done

    #
    # Deal with the loopback special case
    #
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT

    #
    # Accept everything from the local machine to the Internet - assuming the net
    # interface is ppp0
    #
    iptables -N local_to_ppp0
    iptables -A local_to_ppp0 -j ACCEPT
    iptables -A OUTPUT -o ppp0 -j local_to_ppp0

    #
    # End, save this all after resetting all counters
    #
    for i in mangle nat filter; do iptables -Z $i;done
    iptables-save >/etc/sysconfig/iptables
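To make the two replies concrete (the INPUT chain saved in the first post has no rule for RELATED,ESTABLISHED traffic, so replies to outgoing connections hit the DROP policy, while the connstate chain in the quick fix accepts them and also stops unsolicited SSH from outside), here is an added example that is not part of the thread: a small Python model of how iptables walks the filter chains, loaded with both rule sets. The interface name ppp0, the ephemeral port and the sample packets are assumptions.

```python
# Added example (not from the thread): a tiny model of how iptables walks the
# filter chains, loaded with the rule set saved in the first post and with the
# connstate fix from the third.  Interface names and sample packets are made up.

def matches(match, pkt):
    # Every key must equal the packet field; "state" is a set of allowed states.
    return all(pkt.get(k) in v if k == "state" else pkt.get(k) == v
               for k, v in match.items())

def walk(chains, chain, pkt):
    # Returns ACCEPT/DROP/REJECT, or None on RETURN or when the chain falls through.
    for match, target in chains.get(chain, []):
        if not matches(match, pkt):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        # LOG never terminates; anything else is a jump into a user-defined chain
        if target != "LOG" and (v := walk(chains, target, pkt)) is not None:
            return v
    return None

def verdict(chains, policy, chain, pkt):
    v = walk(chains, chain, pkt)     # built-in chain: policy applies on fall-through
    return policy[chain] if v is None else v

EST = {"RELATED", "ESTABLISHED"}
POLICY = {"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "DROP"}
NOVKHAN = {  # rules as saved in the first post
    "INPUT": [({"iface": "lo"}, "ACCEPT"),
              ({"proto": "tcp", "state": {"NEW", "ESTABLISHED"}, "dport": 22}, "ACCEPT"),
              ({"proto": "tcp", "state": {"NEW", "ESTABLISHED"}, "dport": 80}, "ACCEPT")],
    "OUTPUT": [({"iface": "lo"}, "ACCEPT"), ({"state": {"NEW"} | EST}, "ACCEPT")],
}
FIX = {  # the quick fix from the third post, with ppp0 as the Internet interface
    "connstate": [({"state": EST}, "ACCEPT"), ({"state": {"INVALID"}}, "DROP"),
                  ({"state": {"NEW"}, "proto": "tcp", "syn": False}, "LOG"),
                  ({"state": {"NEW"}, "proto": "tcp", "syn": False}, "REJECT"),
                  ({"state": {"NEW"}}, "RETURN"), ({}, "LOG"), ({}, "DROP")],
    "INPUT": [({}, "connstate"), ({"iface": "lo"}, "ACCEPT")],
    "OUTPUT": [({}, "connstate"), ({"iface": "lo"}, "ACCEPT"),
               ({"iface": "ppp0"}, "local_to_ppp0")],
    "local_to_ppp0": [({}, "ACCEPT")],
}
# Constructed sample: the web server's reply to a request this host sent out.
REPLY = {"iface": "ppp0", "proto": "tcp", "state": "ESTABLISHED", "dport": 40123, "syn": False}
```

verdict(NOVKHAN, POLICY, "INPUT", REPLY) gives DROP, which is the symptom in the first post; the same packet through FIX gives ACCEPT.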