Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-06-01 Thread Tom Browder
On Wed, Jun 1, 2022 at 11:21 john doe  wrote:

> when does it actually start operating? Does it do so then, or does it take
> a reboot?

> Apparently, if you 'enable' 'ufw', it will start and be enabled at boot.

Good, thanks.

> According to (1), ufw should work with nftables, I did not follow the
> reasoning on why to use iptables but only if you have issues use legacy
> iptables.

Well, the guidance I got was varying. In my mind, Il Ka seemed to be the
most well-informed and understanding of my specific needs, and I went with
his recommendations. He was upfront about why he stayed with iptables, and
I also favor that view. Based on my experience upgrading Debian since
version 4, I know I don't like to jump on new stuff right away, but expect
to have to eventually.

-Tom


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-06-01 Thread john doe

On 6/1/2022 1:45 PM, Tom Browder wrote:
> On Mon, May 30, 2022 at 19:46 Edwin Zimmerman  wrote:
>> On 5/30/22 09:41, Greg Wooledge wrote:
>>> On Mon, May 30, 2022 at 07:13:54AM -0500, Tom Browder wrote:
>>>> No worries. All those responses about the subject IP now are the norm for a
>>>> bare-iron server ready for use by a customer, yours truly. It is the same
>>>> server I messed up the firewall with and locked myself out of. The OS has
>>>> been reinstalled and is ready for me to use again.
>
> On that note, for my next try with the server, I will definitely use UFW
> with the legacy iptables that was suggested.
>
> But a question: it is clear that it must be enabled to go into effect, but
> when does it actually start operating? Does it do so then, or does it take
> a reboot?



Apparently, if you 'enable' 'ufw', it will start and be enabled at boot.

According to (1), ufw should work with nftables, I did not follow the
reasoning on why to use iptables but only if you have issues use legacy
iptables.

1)  https://wiki.archlinux.org/title/Uncomplicated_Firewall

--
John Doe



Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-06-01 Thread Tom Browder
On Mon, May 30, 2022 at 19:46 Edwin Zimmerman  wrote:

> On 5/30/22 09:41, Greg Wooledge wrote:
> > On Mon, May 30, 2022 at 07:13:54AM -0500, Tom Browder wrote:
> >> No worries. All those responses about the subject IP now are the norm for a
> >> bare-iron server ready for use by a customer, yours truly. It is the same
> >> server I messed up the firewall with and locked myself out of. The OS has
> >> been reinstalled and is ready for me to use again.


On that note, for my next try with the server, I will definitely use UFW
with the legacy iptables that was suggested.

But a question: it is clear that it must be enabled to go into effect, but
when does it actually start operating? Does it do so then, or does it take
a reboot?

-Tom


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread Edwin Zimmerman
On 5/30/22 09:41, Greg Wooledge wrote:
> On Mon, May 30, 2022 at 07:13:54AM -0500, Tom Browder wrote:
>> No worries. All those responses about the subject IP now are the norm for a
>> bare-iron server ready for use by a customer, yours truly. It is the same
>> server I messed up the firewall with and locked myself out of. The OS has
>> been reinstalled and is ready for me to use again.
> Why are you installing a firewall on a web server *at all*?
Because it prevents accidental port exposure.  It's not uncommon to be running 
some other service other than the web server, and accidental configurations 
happen all the time.  A firewall is a simple security measure to contain such 
problems.



Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread Timothy M Butterworth
On Mon, May 30, 2022 at 1:24 PM Tom Browder  wrote:

> On Mon, May 30, 2022 at 09:03 IL Ka  wrote:
>
>> IMHO: It is better to have a firewall and block (policy -- drop) INPUT
>> and FORWARD by default.
>> And open only ports that must be opened.
>> This will help if you install some software that listens for 0.0.0.0 by
>> accident
>>
>
> From my limited research, that seems to be the prevailing view.
>
> -Tom
>

If you have firewalld try running:
`firewall-cmd --permanent --add-service=http`
`firewall-cmd --reload`


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread Tom Browder
On Mon, May 30, 2022 at 09:03 IL Ka  wrote:

> IMHO: It is better to have a firewall and block (policy -- drop) INPUT and
> FORWARD by default.
> And open only ports that must be opened.
> This will help if you install some software that listens for 0.0.0.0 by
> accident
>

From my limited research, that seems to be the prevailing view.

-Tom


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread Tom Browder
On Mon, May 30, 2022 at 08:42 Greg Wooledge  wrote:
..

> Unless this machine is more than just a web server...?


It does serve other purposes.


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread IL Ka
IMHO: It is better to have a firewall and block (policy -- drop) INPUT and
FORWARD by default.
And open only ports that must be opened.
This will help if you install some software that listens for 0.0.0.0 by
accident

On Mon, May 30, 2022 at 4:42 PM Greg Wooledge  wrote:

> On Mon, May 30, 2022 at 07:13:54AM -0500, Tom Browder wrote:
> > No worries. All those responses about the subject IP now are the norm for a
> > bare-iron server ready for use by a customer, yours truly. It is the same
> > server I messed up the firewall with and locked myself out of. The OS has
> > been reinstalled and is ready for me to use again.
>
> Why are you installing a firewall on a web server *at all*?
>
> The only thing you need to secure is your ssh access, and that's
> usually done in the /etc/ssh/sshd_config file, either by setting
> up key access only, or by restricting the source IPs who can connect.
>
> The web service is supposed to be open to the whole world.  That's
> why it's called the World Wide Web.
>
> Unless this machine is more than just a web server...?
>
>
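
The policy IL Ka recommends above (INPUT and FORWARD default DROP, open only what must be open) written out as an added example; this is not code from the thread or from any of its participants. The script emits an iptables-restore ruleset for a host that serves 80/443 and is managed over SSH from one network, and lints it for the mistake that locked the OP out: a DROP policy on INPUT with no explicit SSH accept. The management address 203.0.113.5/32, the rule order and the log prefix are my choices, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not code from the thread: write a default-deny IPv4 filter
# ruleset in iptables-restore format and lint it for the SSH lockout case.
# POSIX sh, awk and grep only; nothing here touches the live firewall.
# 203.0.113.5/32 used in the usage line is a constructed management address.

# gen_ruleset MGMT_CIDR -> prints the ruleset to stdout
gen_ruleset() {
    mgmt="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# keep ICMP echo so reachability tests like the pings in this thread still work
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# SSH only from the management network; this must come before any reject/drop
-A INPUT -p tcp -s $mgmt --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# the public web service: anyone may reach 80 and 443
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# everything else falls through to the DROP policy; log a rate-limited sample
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# check_no_lockout < ruleset -> exit 0 if an INPUT DROP policy is paired with an
# explicit ACCEPT for TCP 22 (or if the policy is not DROP), exit 1 otherwise
check_no_lockout() {
    awk '
    /^:INPUT DROP/ { drop = 1 }
    /^-A INPUT / && /-j ACCEPT/ {
        if ($0 ~ /--dport 22( |$)/ || $0 ~ /--dports ([0-9]+,)*22(,|[ ]|$)/) ssh = 1
    }
    END { exit (drop && !ssh) ? 1 : 0 }'
}

# Usage: sh rules.sh 203.0.113.5/32 > /etc/iptables/rules.v4
if [ $# -gt 0 ]; then
    gen_ruleset "$1" | check_no_lockout || { echo "refusing: INPUT DROP without an SSH ACCEPT" >&2; exit 1; }
    gen_ruleset "$1"
fi
```

Parse the file first with `iptables-restore --test < rules.v4`, then load it for real only after saving the current rules (`iptables-save > rules.old`) and scheduling a rollback in another session, e.g. `sleep 180 && iptables-restore < rules.old`, so a wrong management address undoes itself before anyone has to reach the console. The ESTABLISHED rule is what keeps the session you are typing in alive while the policy changes. On Debian 11 the `iptables` command is the nft-backed variant by default and reads this format unchanged; IPv6 needs its own rules.v6 via `ip6tables-restore`, and the `iptables-persistent` package reloads /etc/iptables/rules.v4 at boot.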


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread Greg Wooledge
On Mon, May 30, 2022 at 07:13:54AM -0500, Tom Browder wrote:
> No worries. All those responses about the subject IP now are the norm for a
> bare-iron server ready for use by a customer, yours truly. It is the same
> server I messed up the firewall with and locked myself out of. The OS has
> been reinstalled and is ready for me to use again.

Why are you installing a firewall on a web server *at all*?

The only thing you need to secure is your ssh access, and that's
usually done in the /etc/ssh/sshd_config file, either by setting
up key access only, or by restricting the source IPs who can connect.

The web service is supposed to be open to the whole world.  That's
why it's called the World Wide Web.

Unless this machine is more than just a web server...?



Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread Tom Browder
On Mon, May 30, 2022 at 02:13 john doe  wrote:

> On 5/30/2022 12:26 AM, Tom Browder wrote:
> > On Sun, May 29, 2022 at 15:55 Greg Wooledge  wrote:


No worries. All those responses about the subject IP now are the norm for a
bare-iron server ready for use by a customer, yours truly. It is the same
server I messed up the firewall with and locked myself out of. The OS has
been reinstalled and is ready for me to use again.

If all is set as expected, I should be able to get http and https working
on it.

And I will certainly try to take care of most of the security concerns
expressed here.

For those of you with forensic curiosity so recently demonstrated, the new
server we are discussing is to replace mine currently operating at IP
173.208.182.170. It has been online for over two years. I believe it is
locked down pretty well.

Some websites there are:

novco1968tbs.com   # my Marine brother's TBS  class
usafa-1965.org # my college class
moody67a.org   # my pilot training class
nwflug.org
computertechnwf.org

The first three sites have entries very appropriate for US Memorial Day:
noting men who sacrificed their lives fighting for us.

-Tom


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread Curt
On 2022-05-29, Greg Wooledge  wrote:
>
> Second, I cannot ping this IP address, nor can I telnet to port 80 of it.
> (Nor port 22.)
>

That's strange; I can ping it (I'm not in Kansas anymore):

curty@einstein:~$ ping  69.30.225.10
PING 69.30.225.10 (69.30.225.10) 56(84) bytes of data.
64 bytes from 69.30.225.10: icmp_seq=1 ttl=51 time=110 ms
64 bytes from 69.30.225.10: icmp_seq=2 ttl=51 time=109 ms
64 bytes from 69.30.225.10: icmp_seq=3 ttl=51 time=110 ms
64 bytes from 69.30.225.10: icmp_seq=4 ttl=51 time=110 ms
64 bytes from 69.30.225.10: icmp_seq=5 ttl=51 time=109 ms
64 bytes from 69.30.225.10: icmp_seq=6 ttl=51 time=109 ms
^C
--- 69.30.225.10 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5007ms
rtt min/avg/max/mdev = 109.920/110.172/110.613/0.511 ms




Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread john doe

On 5/30/2022 12:26 AM, Tom Browder wrote:
> On Sun, May 29, 2022 at 15:55 Greg Wooledge  wrote:
> ...
>
> Thanks, Greg. It looks like my server was blocked from ports 80 and 443
> upstream from it (as you and others suspected), so I asked my provider to
> reinstall the OS and ensure it has public access to ports 80 and 443.



If I may, it looks like this is over your head, and I would suggest you
do the following:
- Understand what is done on this server (installed pkgs, config ...)
- Start by securing remote access (see this thread on how to do that for SSH)
- Get all of your set up working offline/locally
- Document yourself on how to do what you want (when exposing services
publicly you can not guess/try)

In other words, familiarise yourself with what you have.

--
John Doe



Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Charles Kroeger
> Maybe I should remove all firewall progs and start from zero.

I would suggest you install Shorewall. It is not the pain in the arse that's
been the theme of this thread so far.



Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Timothy M Butterworth
On Sun, May 29, 2022 at 8:13 PM Greg Wooledge  wrote:

> On Sun, May 29, 2022 at 11:50:44PM +, Lee wrote:
> > On 5/29/22, Greg Wooledge  wrote:
> > > Second, I cannot ping this IP address, nor can I telnet to port 80 of it.
> >
> > For whatever it's worth..
> >
> > Pinging 69.30.225.10 with 32 bytes of data:
> > Reply from 69.30.225.10: bytes=32 time=43ms TTL=53
> > Reply from 69.30.225.10: bytes=32 time=42ms TTL=53
> > Reply from 69.30.225.10: bytes=32 time=43ms TTL=53
> > Reply from 69.30.225.10: bytes=32 time=42ms TTL=53
>
> Yes, it's working from here now, too.  Changes definitely happened
> on the OP's server's side.
>

I did a TCPTraceRoute to your server on port 80; it makes it across all
hops but says the port is closed on the server.

tcptraceroute 69.30.225.10
Selected device wlo1, address 192.168.105.250, port 38109 for outgoing packets
Tracing the path to 69.30.225.10 on TCP port 80 (http), 30 hops max
1  192.168.105.156  7.422 ms  3.828 ms  3.985 ms
2  17.sub-66-174-63.myvzw.com (66.174.63.17)  340.678 ms  692.027 ms  185.134 ms
3  194.sub-69-83-70.myvzw.com (69.83.70.194)  107.194 ms  596.305 ms  257.465 ms
4  * * *
5  242.sub-69-83-70.myvzw.com (69.83.70.242)  556.143 ms  57.157 ms  47.478 ms
6  * * *
7  * * *
8  * * *
9  153.sub-69-83-66.myvzw.com (69.83.66.153)  184.145 ms  61.027 ms  48.539 ms
10  * * *
11  * * *
12  * be3083.ccr41.dca01.atlas.cogentco.com (154.54.30.53) 445.471 ms  97.201 ms
13  be2891.ccr21.cle04.atlas.cogentco.com (154.54.82.249)  106.103 ms * *
14  * * *
15  * * be2831.ccr21.mci01.atlas.cogentco.com (154.54.42.165) 96.672 ms
16  be2546.rcr01.b073673-0.mci01.atlas.cogentco.com (154.54.30.242)  97.542 ms  89.655 ms *
17  * * *
18  * * *
19  100ge13-1.edge-a.clay.as33387.net (69.30.209.195)  725.149 ms  578.818 ms  414.786 ms
20  * * *
21  * * *
22  * server.pcstar1.com (69.30.225.10) [closed] 379.939 ms  413.809 ms


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
> ssh gives me a login prompt

Btw, I highly recommend:
* Block SSH access from any IP except one you are going to use to manage
this server
* If you have dynamic IP, you can add all your ISP network, or, at least,
your country (list can be downloaded here:
https://blog.ip2location.com/knowledge-base/how-to-block-ip-addresses-from-a-country-using-ipset/ )
* Deny password access and use keys only (use EdDSA, not RSA if possible).
Passwords should never be used
* Disable root access
* Get rid of SHA-1 and other weak things:
https://sshcheck.com/server/69.30.225.10/

You have your ssh server opened to the whole world and there are zillions
of bots trying to guess your password now.
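
IL Ka's list above (keys only, passwords off, root login off) together with Greg's earlier point that SSH is secured in /etc/ssh/sshd_config can be turned into a check. This is an added example, not code from the thread: it reads an sshd_config and reports whether the first effective value of each relevant keyword is the recommended one. The file paths and sample contents in the usage line are mine; restricting source IPs, the other option Greg names, is left to the firewall or to Match/AllowUsers and is not checked here.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# settings recommended in the thread. POSIX sh + awk only.

# audit_sshd FILE -> one PASS/FAIL line per check; exit status 0 only if all pass
audit_sshd() {
    awk '
    # sshd keeps the FIRST value it reads for each keyword, so a hardening
    # line appended below an earlier "PasswordAuthentication yes" is ignored.
    # Lines inside a Match block apply only conditionally and are skipped.
    tolower($1) == "match"  { inmatch = 1; next }
    $1 ~ /^#/ || NF == 0    { next }
    !inmatch {
        key = tolower($1)
        if (!(key in first)) first[key] = tolower($2)
    }
    # want(keyword, required value, OpenSSH default when unset, label)
    function want(key, value, dflt, label,  got) {
        got = (key in first) ? first[key] : dflt
        if (got == value) { print "PASS " label " (" got ")"; return 0 }
        print "FAIL " label ": first value seen is " got
        return 1
    }
    END {
        bad  = want("passwordauthentication", "no", "yes", "PasswordAuthentication no")
        bad += want("permitrootlogin", "no", "prohibit-password", "PermitRootLogin no")
        bad += want("pubkeyauthentication", "yes", "yes", "PubkeyAuthentication yes")
        # PAM can still prompt for a password over keyboard-interactive, so that
        # must be off too; OpenSSH 8.7 renamed ChallengeResponseAuthentication
        if ("kbdinteractiveauthentication" in first)
            bad += want("kbdinteractiveauthentication", "no", "yes", "KbdInteractiveAuthentication no")
        else
            bad += want("challengeresponseauthentication", "no", "yes", "ChallengeResponseAuthentication no")
        exit (bad ? 1 : 0)
    }' "$1"
}

# Usage: sh sshd-audit.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    audit_sshd "$1"
fi
```

Because the first value wins, and the stock Debian 11 sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, a drop-in file there takes precedence over anything in the main file, while a `PasswordAuthentication no` appended below an existing `yes` changes nothing; the audit reports the value sshd will actually use. Run `sshd -t` on the edited configuration and keep your current session open while restarting the daemon, so a typo cannot lock you out the way the firewall did.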


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Greg Wooledge
On Sun, May 29, 2022 at 11:50:44PM +, Lee wrote:
> On 5/29/22, Greg Wooledge  wrote:
> > Second, I cannot ping this IP address, nor can I telnet to port 80 of it.
> 
> For whatever it's worth..
> 
> Pinging 69.30.225.10 with 32 bytes of data:
> Reply from 69.30.225.10: bytes=32 time=43ms TTL=53
> Reply from 69.30.225.10: bytes=32 time=42ms TTL=53
> Reply from 69.30.225.10: bytes=32 time=43ms TTL=53
> Reply from 69.30.225.10: bytes=32 time=42ms TTL=53

Yes, it's working from here now, too.  Changes definitely happened
on the OP's server's side.



Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Lee
On 5/29/22, Greg Wooledge  wrote:
> On Sun, May 29, 2022 at 03:39:05PM -0500, Tom Browder wrote:
>> I have not intentionally hidden anything, Greg--I just never saw the need for
>> mentioning it given the dialogue--x.y.z.w is just shorthand. If you
>> must know the exact IP address, it is 69.30.225.10.
>
> OK.  Now we can actually start helping.
>
> First of all, this is a regular old routable IPv4 address.  It's not one
> of the non-routables, like 192.168.* or 10.*.  This is good.  It
> eliminates a whole class of problems like "My machine's IP address says
> 192.168.1.2 but I can't reach it from outside my network", all of which
> were still on the table until now.
>
> Second, I cannot ping this IP address, nor can I telnet to port 80 of it.

For whatever it's worth..

Pinging 69.30.225.10 with 32 bytes of data:
Reply from 69.30.225.10: bytes=32 time=43ms TTL=53
Reply from 69.30.225.10: bytes=32 time=42ms TTL=53
Reply from 69.30.225.10: bytes=32 time=43ms TTL=53
Reply from 69.30.225.10: bytes=32 time=42ms TTL=53

I had wireshark running while trying to telnet there and I get a RST ~
45ms after sending the SYN

ssh gives me a login prompt

Lee



Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sun, May 29, 2022 at 15:55 Greg Wooledge  wrote:
...

Thanks, Greg. It looks like my server was blocked from ports 80 and 443
upstream from it (as you and others suspected), so I asked my provider to
reinstall the OS and ensure it has public access to ports 80 and 443.

Best regards,

-Tom


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Greg Wooledge
On Sun, May 29, 2022 at 03:39:05PM -0500, Tom Browder wrote:
> I have not intentionally hidden anything, Greg--I just never saw the need for
> mentioning it given the dialogue--x.y.z.w is just shorthand. If you
> must know the exact IP address, it is 69.30.225.10.

OK.  Now we can actually start helping.

First of all, this is a regular old routable IPv4 address.  It's not one
of the non-routables, like 192.168.* or 10.*.  This is good.  It
eliminates a whole class of problems like "My machine's IP address says
192.168.1.2 but I can't reach it from outside my network", all of which
were still on the table until now.

Second, I cannot ping this IP address, nor can I telnet to port 80 of it.
(Nor port 22.)

I don't get an error, though -- just a hang/timeout.

If you can ping this, or ssh to it, or reach it on ANY port at all,
from the public Internet, then that's a huge red flag pointing to a
firewall that filters incoming connections based on source IP.  Such
a firewall could be on the host itself, or on a router which protects
the host.

If you can't do any of those things, then we don't get as much information
out of it.  It could simply be the wrong IP address for all we know
at that point.  Or it could be a misconfigured firewall, or the machine
could be crashed, or the network cable fell out, or any number of other
issues.



Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sun, May 29, 2022 at 2:21 PM Greg Wooledge  wrote:
>
> > > > btw, are you able to ping server?
> > >
> > > Yes.
> >
> > It is always better to show the command and the output instead of saying
> > yes/no! :)
>
> Except it should be abundantly clear by now that you're dealing with
> someone who believes that they must hide every single detail from
> the ones who would offer help.

I have not intentionally hidden anything, Greg--I just never saw the need for
mentioning it given the dialogue--x.y.z.w is just shorthand. If you
must know the exact IP address, it is 69.30.225.10. (And you could have
asked for it at any time--I don't remember anyone asking for it--but I will
do so the next time I ask for this kind of help again.)

Given all the advice, I'm leaning towards the popular hypothesis that
my provider has somehow locked out the two ports in question (a first
for them). The machine is now inaccessible, and I have asked them to
reinstall Debian 11 on it and ENSURE that ports 80 and 443 are
accessible from the internet.

Thanks for all the help, and I consider this thread closed.

-Tom



Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Greg Wooledge
> > > btw, are you able to ping server?
> > 
> > Yes.
> 
> It is always better to show the command and the output instead of saying
> yes/no! :)

Except it should be abundantly clear by now that you're dealing with
someone who believes that they must hide every single detail from
the ones who would offer help.

Never mind that the details are REQUIRED to diagnose the problem.

What's important is that their WEB SERVER which is by definition supposed
to be AVAILABLE TO THE ENTIRE WORLD must remain secret and hidden from
the people trying to help.

Have fun continuing to try pulling teeth on this.



Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
> I must say, I can not really understand how you can ping and not
> telnet/access your web server.

Some router between OP and his server has something like

-I FORWARD -j REJECT --reject-with icmp-host-unreachable


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread john doe

On 5/29/2022 7:20 PM, Tom Browder wrote:
> On Sun, May 29, 2022 at 11:39 IL Ka  wrote:
>
>> btw, are you able to ping server?
>
> Yes.

It is always better to show the command and the output instead of saying
yes/no! :)

I must say, I can not really understand how you can ping and not
telnet/access your web server.

--
John Doe



Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sun, May 29, 2022 at 11:39 IL Ka  wrote:

> btw, are you able to ping server?
>

Yes.


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread tomas
On Sun, May 29, 2022 at 05:41:59AM -0500, Tom Browder wrote:
> On Sat, May 28, 2022 at 20:06 IL Ka  wrote:
> ...
> 
> > 3. You should also check that Apache is running and listening to this port,
> > use ``ss -lt``.
> > For this command you _may_ use sudo to get process names (``sudo ss
> > -ltp``). Read ``ss --help``
> >
> > If you were able to connect on this host, then try to connect to this
> > machine from outside using public IP
> >
> 
> I can ssh in to the remote host. Then I tried telnet to port 80 on the same
> host from the outside with the public IP and got no good response:
> 
> $ telnet x.y.z.w 80
> Trying x.y.z.w...
> telnet: Unable to connect to remote host: No route to host

I may be off, but I think a firewall shouldn't do that [1]. It can
lead to a "connection refused", which amounts to replying with a RST,
which corresponds to the REJECT treatment, and it can just not answer,
which leads to a timeout, corresponding to DROP.

What you are seeing is some router in the middle telling you it
doesn't know which way this x.y.z.w is (with an ICMP "Destination
unreachable"). Of course this can happen at your workstation, but
then it'd be quite probable you can't access x.y.z.w with ssh
either.

Firewalls can be configured to lie [2] in this way, alas. It very
much looks like your provider has a firewall between your rental
host and the rest of the world.

But take all that with a grain of salt or two.
Cheers

[1] and I believe your Linux firewall won't do that by default.
   You'd have to tell it so.
[2] Now destination port unreachable would be less of a lie,
   no?
-- 
t




Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
btw, are you able to ping server?

On Sun, May 29, 2022 at 7:26 PM Tom Browder  wrote:

> On Sun, May 29, 2022 at 10:33 AM IL Ka  wrote:
> >
> >> When running those, I'm told neither the arptables nor the ebtables are
> >> registered (not installed). Should I install them?
> >
> > No.
> >
> > So, you now have legacy (classic) iptables, right?
>
> Yes.
>
> > What is the output of ``iptables -L -v -n``
>
> Chain INPUT (policy ACCEPT 279 packets, 36670 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  1387  150K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 260 packets, 35768 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain f2b-sshd (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>    22  1768 REJECT     all  --  *      *       43.154.179.253       0.0.0.0/0            reject-with icmp-port-unreachable
>  1069  126K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> > and ``iptables -S`` ?
>
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N f2b-sshd
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A f2b-sshd -s 61.177.173.50/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.173.7/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.154.179.253/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -j RETURN
>


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
> > and ``iptables -S`` ?
>
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N f2b-sshd
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A f2b-sshd -s 61.177.173.50/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.173.7/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.154.179.253/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -j RETURN
>

I do not see any rule that returns "no route to host".

You can use ``tcpdump`` to see who is answering "no route to host" for
your "telnet [ip] 80" session.
I am pretty sure this is not your firewall problem
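
tomas's explanation earlier in the thread (a REJECT shows up as "Connection refused", a DROP as a timeout, and a host-unreachable reject as the "No route to host" the OP saw) and IL Ka's reading of the posted ruleset can be combined into a small simulator. This is an added example, not the thread's own code: it replays one inbound TCP SYN through an `iptables -S` listing, names the rule that decides it, and maps the verdict to the symptom the remote telnet shows. Tom's listing from the thread is embedded as the default input; the 203.0.113.x and 198.51.100.x addresses in the usage are documentation ranges, not real hosts, and only the matches named in the comments are understood.

```shell
#!/bin/sh
# Added example, not code from the thread: replay one inbound TCP SYN through an
# "iptables -S" listing, name the rule that decides it, and say what the remote
# "telnet host port" will show. POSIX sh + awk only; reads the listing from stdin
# and never touches the live firewall. Matches understood: -p, -s, -i lo,
# --dport/--dports and --ctstate; any other match is assumed to hit.

# The listing Tom posted in the thread (fail2ban's f2b-sshd chain hooked on INPUT).
RULESET='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 61.177.173.50/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 43.154.179.253/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN'

# verdict SRC_IP DPORT < listing -> "VERDICT|deciding rule" (or "VERDICT|policy")
verdict() {
    awk -v src="$1" -v dport="$2" '
    function ip2int(ip,  o) { split(ip, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    function incidr(cidr,  p, bits, blk) {           # is src inside a.b.c.d/n ?
        split(cidr, p, "/"); bits = (p[2] == "") ? 32 : p[2] + 0; blk = 2 ^ (32 - bits)
        return int(ip2int(src) / blk) == int(ip2int(p[1]) / blk)
    }
    function matches(rule,  f, n, i, ports, k, ok) {   # would this rule hit the SYN?
        n = split(rule, f, " ")
        for (i = 3; i <= n; i++) {
            if (f[i] == "-p" && f[i+1] != "tcp") return 0
            if (f[i] == "-s" && !incidr(f[i+1])) return 0
            if (f[i] == "-i" && f[i+1] == "lo") return 0         # not a loopback packet
            if (f[i] == "--dport" && f[i+1] != dport) return 0
            if (f[i] == "--ctstate" && f[i+1] !~ /NEW/) return 0  # a fresh SYN is NEW
            if (f[i] == "--dports") {
                ok = 0; split(f[i+1], ports, ",")
                for (k in ports) if (ports[k] == dport) ok = 1
                if (!ok) return 0
            }
        }
        return 1
    }
    function opt(rule, name,  f, n, i) {              # value following "name" in the rule
        n = split(rule, f, " ")
        for (i = 1; i < n; i++) if (f[i] == name) return f[i+1]
        return ""
    }
    function walk(chain,  i, r, t, rw, res) {         # first terminal verdict in a chain
        for (i = 1; i <= count[chain]; i++) {
            r = rules[chain, i]
            if (!matches(r)) continue
            t = opt(r, "-j")
            if (t == "ACCEPT" || t == "DROP") return t "|" r
            if (t == "REJECT") {
                rw = opt(r, "--reject-with")        # iptables default when absent
                return "REJECT " (rw == "" ? "icmp-port-unreachable" : rw) "|" r
            }
            if (t == "RETURN") return "RETURN"
            if (t == "LOG" || t == "") continue     # non-terminal targets
            res = walk(t)                           # user-defined chain
            if (res != "" && res != "RETURN") return res
        }
        return ""
    }
    $1 == "-P" { policy[$2] = $3 }
    $1 == "-A" { rules[$2, ++count[$2]] = $0 }
    END {
        v = walk("INPUT")
        if (v == "" || v == "RETURN") v = policy["INPUT"] "|policy"
        print v
    }'
}

# symptom VERDICT -> what the client sees: RST or port-unreachable is
# "Connection refused", a silent DROP is a timeout, host-unreachable is the
# misleading reply that shows up as "No route to host"
symptom() {
    case "$1" in
        ACCEPT*)  echo "SYN reaches the socket: connected, or Connection refused (RST) if nothing listens" ;;
        DROP*)    echo "no answer at all: telnet hangs until it times out" ;;
        "REJECT icmp-port-unreachable"*|"REJECT tcp-reset"*) echo "Connection refused" ;;
        "REJECT icmp-host-unreachable"*) echo "No route to host" ;;
        REJECT*)  echo "ICMP error: ${1#REJECT }" ;;
        *)        echo "unknown verdict: $1" ;;
    esac
}

# Usage: iptables -S | sh fw-sim.sh SRC_IP DPORT   (uses the thread's listing when
# nothing is piped in; 203.0.113.x / 198.51.100.x are documentation addresses)
if [ $# -ge 2 ]; then
    if [ -t 0 ]; then v=$(printf '%s\n' "$RULESET" | verdict "$1" "$2"); else v=$(verdict "$1" "$2"); fi
    printf 'decided by : %s\nverdict    : %s\nclient sees: %s\n' "${v#*|}" "${v%%|*}" "$(symptom "${v%%|*}")"
fi
```

Run against Tom's listing, a SYN to port 80 from anywhere falls through to the INPUT policy and is accepted, which is IL Ka's point: nothing on this host can produce "No route to host", so the reply had to come from somewhere between the client and the server. Feeding a ruleset that contains `-j REJECT --reject-with icmp-host-unreachable` for port 80 reproduces the OP's symptom, and a bare `-P INPUT DROP` reproduces Greg's hang.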


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sun, May 29, 2022 at 10:33 AM IL Ka  wrote:
>
>
>> When running those, I'm told neither the arptables nor the ebtables are
>> registered (not installed). Should I install them?
>
> No.
>
> So, you now have legacy (classic) iptables, right?

Yes.

> What is the output of ``iptables -L -v -n``

Chain INPUT (policy ACCEPT 279 packets, 36670 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1387  150K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 260 packets, 35768 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
   22  1768 REJECT     all  --  *      *       43.154.179.253       0.0.0.0/0            reject-with icmp-port-unreachable
 1069  126K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

> and ``iptables -S`` ?

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 61.177.173.50/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 43.154.179.253/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN



Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
> When running those, I'm told neither the arptables nor the ebtables are
> registered (not installed). Should I install them?
>
No.

So, you now have legacy (classic) iptables, right?
What is the output of ``iptables -L -v -n`` and ``iptables -S`` ?


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sun, May 29, 2022 at 09:51 IL Ka  wrote:

>> Do I have to switch all four *legacy *tables?
>
> yes
>

When running those, I'm told neither the arptables nor the ebtables are
registered (not installed). Should I install them?


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
>> Do I have to switch all four *legacy *tables?
>

yes


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sat, May 28, 2022 at 17:24 IL Ka  wrote:

> ...
>
>> I am not familiar with nft, but you can switch to iptables using
>> ``update-alternatives``
>>
>
> # update-alternatives --set iptables /usr/sbin/iptables-legacy
> # update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
> # update-alternatives --set arptables /usr/sbin/arptables-legacy
> # update-alternatives --set ebtables /usr/sbin/ebtables-legacy
>

Do I have to switch all four *legacy *tables?

-Tom


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Erwan David

On 29/05/2022 at 13:22, Tom Browder wrote:

> On Sun, May 29, 2022 at 05:41 Tom Browder  wrote:
>
> Does anyone have a good reason for me to NOT install and enable UFW?
>
> -Tom

A good reason would be that there is obviously already something on
your server managing the firewalling. Having 2 different systems will
lead to inconsistency and erratic behaviour. First thing is to identify
what is putting the rules you showed us. (rules that do not block ports
80 and 443)




Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
> Good to know. But does fail2ban require ipset?
>
No, but having several thousand rules is not convenient, so I prefer ipset


> They never have before in over 15 years, and, before I got this server
> started, its mate was serving fine. But if the ufw doesn't work, I'll ask
> them.
>

I'd start by switching to legacy iptables and running ``iptables -L -v
-n``.


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sun, May 29, 2022 at 07:06 IL Ka  wrote:

>> Does anyone have a good reason for me to NOT install and enable UFW?
>
> ufw can't be used with ipset AFAIK, and I use ipset for many reasons
> (fail2ban, block access outside of my country etc).
> But If you only SSH your host from one static IP, you probably do not need
> fail2ban at all.
>

Good to know. But does fail2ban require ipset?

> Anyway, I am not sure that port 80 is blocked by your firewall and not your
> hosting firewall
>

They never have before in over 15 years, and, before I got this server
started, its mate was serving fine. But if the ufw doesn't work, I'll ask
them.


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
> Does anyone have a good reason for me to NOT install and enable UFW?
>
ufw can't be used with ipset AFAIK, and I use ipset for many reasons
(fail2ban, block access outside of my country etc).
But If you only SSH your host from one static IP, you probably do not need
fail2ban at all.

Anyway, I am not sure that port 80 is blocked by your firewall and not your
hosting firewall


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
> $ telnet x.y.z.w 80
> Trying x.y.z.w...
> telnet: Unable to connect to remote host: No route to host
>
But you can ssh to this host, right?

Well, that means the firewall blocks your request and sends the ICMP
message "no route to host".

Switch to the legacy iptables using ``update-alternatives`` and check
``iptables -L -v -n`` again.
If no rule blocks this port, ask your hosting company.





Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sun, May 29, 2022 at 05:41 Tom Browder  wrote:

Does anyone have a good reason for me to NOT install and enable UFW?

-Tom


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sat, May 28, 2022 at 20:06 IL Ka  wrote:
...

> 3. You should also check that Apache is running and listening to this port,
> use ``ss -lt``.
> For this command you _may_ use sudo to get process names (``sudo ss
> -ltp``). Read ``ss --help``
>
> If you were able to connect on this host, then try to connect to this
> machine from outside using public IP
>

I can ssh in to the remote host. Then I tried telnet to port 80 on the same
host from the outside with the public IP and got no good response:

$ telnet x.y.z.w 80
Trying x.y.z.w...
telnet: Unable to connect to remote host: No route to host

-Tom


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Tom Browder
On Sat, May 28, 2022 at 20:06 IL Ka  wrote:

>
>> $ sudo su
>> # telnet 80
>> Trying 0.0.0.80...
>>
>
> 1. You are using telnet wrong: it should be "telnet [host] [port]". Please
> read "man telnet".
> 2. You do not need sudo to use telnet, do not do that
> 3. You should also check that Apache is running and listening to this
> port, use ``ss -lt``.
> For this command you _may_ use sudo to get process names (``sudo ss
> -ltp``). Read ``ss --help``
>
> If you were able to connect on this host, then try to connect to this
> machine from outside using public IP
>

Thanks, I will try that tomorrow.

-Tom


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread IL Ka
> $ sudo su
> # telnet 80
> Trying 0.0.0.80...
>

1. You are using telnet wrong: it should be "telnet [host] [port]". Please
read "man telnet".
2. You do not need sudo to use telnet, do not do that
3. You should also check that Apache is running and listening to this port,
use ``ss -lt``.
For this command you _may_ use sudo to get process names (``sudo ss
-ltp``). Read ``ss --help``

If you were able to connect on this host, then try to connect to this
machine from outside using public IP
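
To answer IL Ka's two checks above from an `ss -ltnp` listing (is Apache actually listening on the port, and what else is bound to 0.0.0.0 by accident, which is the reason given elsewhere in the thread for a default-deny firewall), here is an added example that is not from the thread: two awk-based functions over ss output. SAMPLE is a constructed listing in the format ss prints, with made-up pids and a deliberately exposed metrics exporter on 9100; pipe the real `ss -ltnp` output in instead.

```shell
#!/bin/sh
# Added example, not code from the thread: answer the two checks above from an
# "ss -ltnp" listing: is anything listening on a given port, and which listeners
# are bound to a wildcard address (reachable from outside unless the firewall
# says otherwise). POSIX sh + awk only.

# Constructed sample in the format ss prints (pids and services are made up;
# the exporter on 9100 is the kind of accidental 0.0.0.0 listener IL Ka means).
SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=614,fd=3))
LISTEN 0      511                *:80               *:*     users:(("apache2",pid=902,fd=4))
LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*     users:(("mariadbd",pid=711,fd=21))
LISTEN 0      4096         0.0.0.0:9100       0.0.0.0:*     users:(("node_exporter",pid=833,fd=3))
LISTEN 0      128             [::]:22            [::]:*     users:(("sshd",pid=614,fd=4))'

# listening_on PORT < ss-output -> exit 0 if any LISTEN socket has that local port
listening_on() {
    awk -v port="$1" '
    $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
    END { exit (found ? 0 : 1) }'
}

# exposed_listeners < ss-output -> "port address process" for every socket bound
# to 0.0.0.0, *, or [::]; loopback-only services such as 127.0.0.1:3306 are omitted
exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") {
            proc = "-"
            if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
            print port, addr, proc
        }
    }' | sort -n
}

# Usage: ss -ltnp | sh listeners.sh 80   (runs on SAMPLE when nothing is piped in)
if [ $# -gt 0 ]; then
    if [ -t 0 ]; then input=$SAMPLE; else input=$(cat); fi
    if printf '%s\n' "$input" | listening_on "$1"; then echo "port $1: listener present"
    else echo "port $1: nothing listening"; fi
    echo "wildcard-bound listeners (port address process):"
    printf '%s\n' "$input" | exposed_listeners
fi
```

A listener on 80 that shows up here but is unreachable from outside points at the firewall or the provider, not at Apache; a listener that is absent means the service is simply not running. The wildcard list is the inventory the default-deny policy is meant to cover: anything on it that should be local only belongs on 127.0.0.1, and anything that must stay wildcard-bound needs an explicit firewall decision. As IL Ka notes, the process column needs root (`sudo ss -ltnp`) for sockets owned by other users.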


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Tom Browder
On Sat, May 28, 2022 at 19:10 Timothy M Butterworth <
timothy.m.butterwo...@gmail.com> wrote:
…

> On the local host try running `telnet 127.0.0.1 80`

I was able to connect, thanks, Timothy!

Now what? I would really like to use ufw.

-Tom


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Tom Browder
On Sat, May 28, 2022 at 19:01 Greg Wooledge  wrote:

> On Sat, May 28, 2022 at 05:51:38PM -0500, Tom Browder wrote:
> …
>
> ... wow.  Just wow.  How can such a short excerpt contain so many failures?


Greg, calm down.  I get it, but I haven’t unlearned years of muscle
memory—sorry.

And the telnet thing was something I haven’t done for MANY years and it was
a “shot in the dark”—again, forgive me.


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Timothy M Butterworth
On Sat, May 28, 2022 at 7:52 PM Tom Browder  wrote:

>
>
> On Sat, May 28, 2022 at 17:51 Tom Browder  wrote:
>
>> On Sat, May 28, 2022 at 17:30 IL Ka  wrote:
>>
>>>> I am running an Apache server and using Qualys Lab’s server checker. It
>>>> shows no access to the server.
>>>>
>>> Have you tried to telnet to port 80 from home? Do you see apache
>>> listening this port using ``ss``?
>>>
>>
>> On the new host I did:
>>
>> $ sudo su
>> # telnet 80
>> Trying 0.0.0.80...
>>
>>
>> and gave up waiting.
>>
>
On the local host try running `telnet 127.0.0.1 80`. If you cannot connect
to the web server on the local host then it is likely not running. Try
running `sudo service --status-all`, `sudo systemctl enable apache2` and
`sudo service apache2 start`.




> Maybe I should remove all firewall progs and start from zero.
>
>


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Greg Wooledge
On Sat, May 28, 2022 at 05:51:38PM -0500, Tom Browder wrote:
> $ sudo su
> # telnet 80
> Trying 0.0.0.80...

... wow.  Just wow.  How can such a short excerpt contain so many failures?

1) "sudo su" is stupid.  You don't need TWO setuid programs to get a root
   shell.  Either use "sudo -s" or "su".  Hell, even "sudo bash" would
   make more sense and would be less wasteful.

2) As you can PLAINLY SEE in the output of telnet, you messed up the
   arguments.  You supplied "80" as a hostname/address, instead of a
   port number.  If you wanted to probe port 80 of your web server, you
   need to supply the web server's hostname/address as the first argument,
   and 80 (the port number) as the second argument.

3) You don't need to be root to telnet to another host (or the same host,
   if you're giving "localhost" as the hostname) in the first place.



Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Tom Browder
On Sat, May 28, 2022 at 17:51 Tom Browder  wrote:

> On Sat, May 28, 2022 at 17:30 IL Ka  wrote:
>
>>> I am running an Apache server and using Qualys Lab’s server checker. It
>>> shows no access to the server.
>>>
>> Have you tried to telnet to port 80 from home? Do you see apache
>> listening this port using ``ss``?
>>
>
> On the new host I did:
>
> $ sudo su
> # telnet 80
> Trying 0.0.0.80...
>
>
> and gave up waiting.
>

Maybe I should remove all firewall progs and start from zero.


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Tom Browder
On Sat, May 28, 2022 at 17:30 IL Ka  wrote:

>> I am running an Apache server and using Qualys Lab’s server checker. It
>> shows no access to the server.
>>
> Have you tried to telnet to port 80 from home? Do you see apache
> listening this port using ``ss``?
>

On the new host I did:

$ sudo su
# telnet 80
Trying 0.0.0.80...


and gave up waiting.


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread IL Ka
>
> I am running an Apache server and using Qualys Lab’s server checker. It
> shows no access to the server.
>
Have you tried to telnet to port 80 from home? Do you see apache
listening this port using ``ss``?



>
> Whatever attempt I make to change the ports disappears when I reboot.
>
Sure, because you need netfilter-persistent (at least for iptables)



> -Tom
>


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Dan Ritter
Tom Browder wrote: 
> On Sat, May 28, 2022 at 14:11 Tom Browder  wrote:
> 
> > As the bare-iron server came from my long-time cloud provider (since
> > Debian 6), incoming ports 80 and 443 are blocked.
> 
> 
> A little more digging shows the new server is using fail2ban and nft
> tables, so I
> need help on how to properly allow https and http inbound.

We have established that you do not have a firewall on your
machine blocking ports. iptables and nftables control the same
underlying mechanism, and you have clearly set the policy to
ACCEPT.

Therefore, something outside of your machine is blocking the
ports, or you are misreading or misusing the tools that are
telling you the ports are blocked.

Tell us how you are checking the ports.

-dsr-



Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Tom Browder
On Sat, May 28, 2022 at 17:08 Dan Ritter  wrote:
…

Therefore, something outside of your machine is blocking the
> ports, or you are misreading or misusing the tools that are
> telling you the ports are blocked.


Tell us how you are checking the ports


I am running an Apache server and using Qualys Lab’s server checker. It
shows no access to the server.

And my server leasing company blocks no ports outside each host’s own
settings.

Whatever attempt I make to change the ports disappears when I reboot.

-Tom


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread IL Ka
>
>
>
> A little more digging shows the new server is using fail2ban and nft
> tables, so I
> need help on how to properly allow https and http inbound.
>
>
I am not familiar with nft, but you can switch to iptables using
``update-alternatives``:

# update-alternatives --set iptables /usr/sbin/iptables-legacy
# update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
# update-alternatives --set arptables /usr/sbin/arptables-legacy
# update-alternatives --set ebtables /usr/sbin/ebtables-legacy

I am using iptables on my servers. nft is good, but I do not have time (for
now) to learn it.


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Tom Browder
On Sat, May 28, 2022 at 14:11 Tom Browder  wrote:

> As the bare-iron server came from my long-time cloud provider (since
> Debian 6), incoming ports 80 and 443 are blocked.


A little more digging shows the new server is using fail2ban and nft
tables, so I
need help on how to properly allow https and http inbound.

Thanks.

-Tom


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread IL Ka
>
>
>
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N f2b-sshd
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with
> icmp-port-unreachable
> -A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with
> icmp-port-unreachable
> -A f2b-sshd -s 167.172.187.120/32 -j REJECT --reject-with
> icmp-port-unreachable
> -A f2b-sshd -s 43.156.124.69/32 -j REJECT --reject-with
> icmp-port-unreachable
> -A f2b-sshd -s 43.154.46.209/32 -j REJECT --reject-with
> icmp-port-unreachable
> -A f2b-sshd -s 61.177.172.98/32 -j REJECT --reject-with
> icmp-port-unreachable
> -A f2b-sshd -s 122.160.233.137/32 -j REJECT --reject-with
> icmp-port-unreachable
> -A f2b-sshd -j RETURN
>


This is the fail2ban chain to block bots, but I strongly suggest using ipset
and not storing each network as a separate rule.

On my Debian server I use netfilter-persistent with ipset plugin and
fail2ban.
Works like charm!

https://dhtar.com/make-ipset-and-iptables-configurations-persistent-in-debianubuntu.html


But since the policy is "ACCEPT", other ports are open.


> My usual incantation and response:
>
> # sudo iptables -A IN_public_allow -p tcp -m tcp --dport  80 -m
> conntrack --ctstate NEW,UNTRACKED -j ACCEPT
> iptables: No chain/target/match by that name.
>
>
What is "IN_public_allow"?
I do not see a chain with this name. Do you?




> # sudo iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N f2b-sshd
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j
> ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate
> ...
> But no open ports in spite of the output shown.
>

Hmm, I see 80 and 443 are open here. How did you check?
(I suggest using a multiple-ports rule (multiport), btw)


> I am considering moving to ufw

It is up to you. I see no reason to use ufw. At least, it doesn't support
ipset :)

Also, check (using update-alternatives) whether you are using iptables or nft.


You may be interested in a good iptables tutorial:
https://tldp.org/LDP/nag2/nag2.pdf
(section 9.8)


Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Georgi Naplatanov
On 5/28/22 22:11, Tom Browder wrote:
> As the bare-iron server came from my long-time cloud provider (since
> Debian 6), incoming ports 80 and 443 are blocked.
> 
> I ran my usual iptables command for new servers from them, but this
> time the default settings were different so it didn't work.

Try to flush the tables and (re)set default policies for the existing
chains.

> Output from "sudo iptables -S" before my attempt:
> 
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N f2b-sshd
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 167.172.187.120/32 -j REJECT --reject-with 
> icmp-port-unreachable
> -A f2b-sshd -s 43.156.124.69/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.154.46.209/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.172.98/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 122.160.233.137/32 -j REJECT --reject-with 
> icmp-port-unreachable
> -A f2b-sshd -j RETURN
> 
> My usual incantation and response:
> 
> # sudo iptables -A IN_public_allow -p tcp -m tcp --dport  80 -m
> conntrack --ctstate NEW,UNTRACKED -j ACCEPT
> iptables: No chain/target/match by that name.

You have no chain "IN_public_allow". Probably you should create it.


> Then I tried:
> 
> # sudo iptables -A  INPUT -p tcp -m tcp --dport  80 -m conntrack
> --ctstate NEW,UNTRACKED -j ACCEPT
> # sudo iptables -A  INPUT -p tcp -m tcp --dport  443 -m conntrack
> --ctstate NEW,UNTRACKED -j ACCEPT

It's a good practice to set input/output network interfaces.

> Again checking status:
> 
> # sudo iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N f2b-sshd
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j 
> ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate
> NEW,UNTRACKED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j 
> ACCEPT

You have a second rule for port 80/tcp; do you need it?

> -A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 167.172.187.120/32 -j REJECT --reject-with 
> icmp-port-unreachable
> -A f2b-sshd -s 43.156.124.69/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.154.46.209/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.172.98/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 122.160.233.137/32 -j REJECT --reject-with 
> icmp-port-unreachable
> -A f2b-sshd -j RETURN
> 
> But no open ports in spite of the output shown.
> 
> I am considering moving to ufw but am reluctant due to the possibility
> of getting locked-out of my remote server. I am used to logging in
> with two separate terminals to avoid that during initial setup but
> want to make sure that is safe.
> 

Kind regards
Georgi



Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Dan Ritter
Tom Browder wrote: 
> As the bare-iron server came from my long-time cloud provider (since
> Debian 6), incoming ports 80 and 443 are blocked.
> 
> I ran my usual iptables command for new servers from them, but this
> time the default settings were different so it didn't work.
> 
> Output from "sudo iptables -S" before my attempt:
> 
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N f2b-sshd
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 167.172.187.120/32 -j REJECT --reject-with 
> icmp-port-unreachable
> -A f2b-sshd -s 43.156.124.69/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 43.154.46.209/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 61.177.172.98/32 -j REJECT --reject-with icmp-port-unreachable
> -A f2b-sshd -s 122.160.233.137/32 -j REJECT --reject-with 
> icmp-port-unreachable
> -A f2b-sshd -j RETURN

This is strongly suggestive of having fail2ban installed.

The -P statements set default policy for each of the default
chains: if nothing else happens to a packet, that's the policy.

> My usual incantation and response:
> 
> # sudo iptables -A IN_public_allow -p tcp -m tcp --dport  80 -m
> conntrack --ctstate NEW,UNTRACKED -j ACCEPT
> iptables: No chain/target/match by that name.

IN_public_allow hasn't been created and isn't a default.

> Then I tried:
> 
> # sudo iptables -A  INPUT -p tcp -m tcp --dport  80 -m conntrack
> --ctstate NEW,UNTRACKED -j ACCEPT
> # sudo iptables -A  INPUT -p tcp -m tcp --dport  443 -m conntrack
> --ctstate NEW,UNTRACKED -j ACCEPT

Which is fine, but remember that the default policies all the
way around are ACCEPT, so this doesn't change anything until you
change the policy.

> Again checking status:

[normal output]


> But no open ports in spite of the output shown.

1. How are you checking that?

2. Have you asked the cloud provider if they need an extra step
on their end to open up the ports? It's likely on their side.

> I am considering moving to ufw but am reluctant due to the possibility
> of getting locked-out of my remote server. I am used to logging in
> with two separate terminals to avoid that during initial setup but
> want to make sure that is safe.

The cloud provider should provide console access via emulated
serial port or similar for you to get in without going through
the VM's network.

-dsr-
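To make Dan's point about default policies and Georgi's point about the duplicated port-80 rule concrete, here is an added Python example (not code from the thread) that walks a constructed `iptables -S` dump the way netfilter does: a new connection to a port no rule names is decided by the chain policy, so with INPUT ACCEPT the added rules change nothing, and a REJECT inside f2b-sshd only reaches a listed source.

```python
"""Walk an `iptables -S` dump the way the thread reasons about it.

Added example, not code from the thread. The dump is constructed
(documentation-range addresses) to mirror the OP's output: every policy
is ACCEPT, fail2ban's f2b-sshd chain hangs off INPUT, and the port-80
rule was added twice. Assumes every option takes one argument, as all
the options seen in the thread do.
"""
import shlex
from ipaddress import ip_address, ip_network

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

SAMPLE_DUMP = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A f2b-sshd -s 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
"""


def parse_rule(tokens):
    """Turn the tokens of one `-A ...` line into the match fields we need."""
    rule = {"text": " ".join(tokens), "chain": None, "proto": None,
            "src": None, "dports": None, "ctstate": None, "target": None}
    for opt, arg in zip(tokens[0::2], tokens[1::2]):
        if opt == "-A":
            rule["chain"] = arg
        elif opt == "-p":
            rule["proto"] = arg
        elif opt == "-s":
            rule["src"] = ip_network(arg, strict=False)
        elif opt in ("--dport", "--dports"):
            rule["dports"] = {int(p) for p in arg.split(",")}
        elif opt == "--ctstate":
            rule["ctstate"] = set(arg.split(","))
        elif opt == "-j":
            rule["target"] = arg
        # -m, -i, -o, --reject-with: carry no match information we need
    return rule


def parse_dump(dump):
    """Return ({chain: policy}, {chain: [rule, ...]}) from `iptables -S` text."""
    policies, chains = {}, {}
    for tokens in (shlex.split(l) for l in dump.splitlines() if l.strip()):
        if tokens[0] == "-P":  # built-in chain and its default policy
            policies[tokens[1]] = tokens[2]
        elif tokens[0] == "-A":  # -N lines add nothing the rules don't
            rule = parse_rule(tokens)
            chains.setdefault(rule["chain"], []).append(rule)
    return policies, chains


def matches(rule, proto, dport, src, state):
    return ((rule["proto"] is None or rule["proto"] == proto)
            and (rule["dports"] is None or dport in rule["dports"])
            and (rule["src"] is None or ip_address(src) in rule["src"])
            and (rule["ctstate"] is None or state in rule["ctstate"]))


def _walk(chains, chain, proto, dport, src, state):
    for rule in chains.get(chain, []):
        if not matches(rule, proto, dport, src, state):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target, rule["text"]
        if target == "RETURN":  # back to the calling chain
            return None
        if target in chains:  # jump into a user chain such as f2b-sshd
            hit = _walk(chains, target, proto, dport, src, state)
            if hit is not None:
                return hit
    return None  # fell off the end of the chain


def verdict(policies, chains, chain, proto, dport, src, state="NEW"):
    """(verdict, what decided it) for a packet entering a built-in chain."""
    hit = _walk(chains, chain, proto, dport, src, state)
    if hit is None:  # Dan's point: nothing matched, so the policy decides
        return policies[chain], f"policy {chain} {policies[chain]}"
    return hit


def duplicate_rules(chains):
    """Rules that appear more than once (Georgi's 'second rule for 80/tcp')."""
    seen, dups = set(), []
    for rules in chains.values():
        for rule in rules:
            if rule["text"] in seen:
                dups.append(rule["text"])
            seen.add(rule["text"])
    return dups
```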



Re: iptables firewall that does not block port 53

2022-04-21 Thread Bernard Schoenacker


- Original Message - 

> From: "JUPIN Alain" 
> To: "Liste Debian" 
> Sent: Thursday 21 April 2022 09:26:49
> Subject: iptables firewall that does not block port 53

> Hello,

> I am submitting a small problem to you ... on a Debian 11 install, I
> installed pi-hole (to block ads)

> Pi-hole works, but (there is always a but), I am trying to restrict its
> use to only a few IPs (since it is on a public IP).
> So here are my firewall rules

> # Default policy
> iptables -t filter -P INPUT DROP
> iptables -t filter -P FORWARD DROP
> iptables -t filter -P OUTPUT ACCEPT
> ip6tables -t filter -P INPUT DROP
> ip6tables -t filter -P FORWARD DROP
> ip6tables -t filter -P OUTPUT ACCEPT

> # Allow loopback
> iptables -t filter -A INPUT -i lo -j ACCEPT
> iptables -t filter -A OUTPUT -o lo -j ACCEPT
> ip6tables -t filter -A INPUT -i lo -j ACCEPT
> ip6tables -t filter -A OUTPUT -o lo -j ACCEPT

> ###
> # INBOUND TRAFFIC #
> ###

> # Accept already established packets
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

> # PING (ICMP)
> iptables -A INPUT -p icmp -j ACCEPT
> ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

> # SSH
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

> # DNS
> iptables -A INPUT -p tcp -s monIPv4 --dport 53 -j ACCEPT
> iptables -A INPUT -p udp -s monIPv4 --dport 53 -j ACCEPT
> ip6tables -A INPUT -p tcp -s monIPv6 --dport 53 -j ACCEPT
> ip6tables -A INPUT -p udp -s monIPv6 --dport 53 -j ACCEPT

> # HTTP(S)
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
> ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT

> # Block everything else
> iptables -A INPUT -p tcp -j DROP
> ip6tables -A INPUT -p tcp -j DROP
> iptables -A INPUT -p udp -j DROP
> ip6tables -A INPUT -p udp -j DROP

> The problem is that even when enabled, port 53 is not "blocked" and
> everyone can access my pi-hole!
> I added the last 4 lines, but with no effect!

> In short, I must be missing something, but I can't see what!

> Thanks in advance for your help.

> --
> Alain JUPIN

Hello Alain,

For your DNS port problem, I simply invite you to consult the pages on 
Mr. Bortzmeyer's site and you will find what you need...

And I did not understand why you want to block this port; the only 
sensible thing would be to redirect tcp 53 traffic to the udp 53 side 
and to consult the DNSSEC documentation

Thanks for your kind attention

Best regards

Bernard




Re: Firewall POSTROUTING problem

2021-08-12 Thread Lucas Castro



On 8/11/21 7:01 PM, Alain D D Williams wrote:
> On Wed, Aug 11, 2021 at 11:50:30PM +0200, deloptes wrote:
>> Alain D D Williams wrote:
>>
>>> iptables -A FORWARD -j ACCEPT
>>>
>>
>> and the OUTPUT?
>
> OUTPUT is also ACCEPT, however this is not, I think, important as the packets
> come from 10.239.239.23 (via br0) and go to the Internet - thus FORWARD is what
> is important. Anyway: I see (on the modem) the packets with source 10.239.239.23
>
>>> and this is not a problem ... evidence is outgoing packets with source
>>> address 10.239.239.23
>>
>> ah, ok, I misinterpreted it.
>
> The important stuff from ifconfig is:
>
> br0: flags=4163  mtu 1500
>  inet 10.239.239.254  netmask 255.255.255.0  broadcast 10.239.239.255
>  inet6 fe80::7ca1:36ff:fe12:7402  prefixlen 64  scopeid 0x20
>  ether ee:3c:27:eb:c0:4f  txqueuelen 1000  (Ethernet)
>  RX packets 31632  bytes 2596968 (2.4 MiB)
>  RX errors 0  dropped 0  overruns 0  frame 0
>  TX packets 2065  bytes 374487 (365.7 KiB)
>  TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp3s0: flags=4163  mtu 1500
>  inet 192.168.108.2  netmask 255.255.255.0  broadcast 192.168.108.255
>  inet6 2001:4d48:ad51:2f00::2:2  prefixlen 112  scopeid 0x0
>  inet6 fe80::922b:34ff:fe12:6470  prefixlen 64  scopeid 0x20
>  ether 90:2b:34:12:64:70  txqueuelen 1000  (Ethernet)
>  RX packets 922014  bytes 240006341 (228.8 MiB)
>  RX errors 0  dropped 0  overruns 0  frame 0
>  TX packets 562616  bytes 80027668 (76.3 MiB)
>  TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


The steps to get routing working on GNU/Linux:


Check that ip_forward is enabled:

cat /proc/sys/net/ipv4/ip_forward - it must be 1


In your case, your outgoing address is 192.168.108.2 on enp3s0

and your LAN network is 10.239.239.254

so the forwarding NAT rule should be

iptables -t nat -A POSTROUTING  -s 10.239.239.0/24 -o enp3s0 -j SNAT 
--to  192.168.108.2


No need for INPUT/OUTPUT rules to forward packets, only FORWARD rules:


iptables -A FORWARD -s 10.239.239.0/24 -i br0 -o  enp3s0 -m state 
--state NEW -j ACCEPT


To accept the incoming packets for related connections:

iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT


You need to be sure there is a default route on the router, or trick the 
route using 'ip rule',


but check whether the router has any default route set:

'ip route list' or 'ip route list table default'

---
Lucas Castro
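As an added example (not code from the thread, and Python rather than the shell Lucas is typing into), here is a preflight that renders the three rules above from the interface facts Alain posted and checks the two prerequisites Lucas names, ip_forward and a default route leaving via enp3s0; the `ip route` and sysctl outputs it reads are constructed samples.

```python
"""Preflight for the bridge-to-Internet SNAT setup Lucas lays out.

Added example, not from the thread. Interface facts come from the ifconfig
output quoted above (br0 10.239.239.254/24, enp3s0 192.168.108.2/24); the
`ip route` and sysctl outputs are constructed samples.
"""
from ipaddress import ip_address, ip_network

# Constructed sample of `ip route list` on the Debian box (healthy case)
ROUTES_OK = """\
default via 192.168.108.1 dev enp3s0 proto static
10.239.239.0/24 dev br0 proto kernel scope link src 10.239.239.254
192.168.108.0/24 dev enp3s0 proto kernel scope link src 192.168.108.2
"""


def snat_rules(lan_net, lan_if, wan_if, wan_addr):
    """The three rules from the thread, with the -s / --to-source roles checked.

    -s is the private range behind the router; --to-source is the router's
    own address on the outgoing interface (the point deloptes tripped over).
    """
    lan, wan = ip_network(lan_net), ip_address(wan_addr)
    if not lan.is_private:
        raise ValueError(f"-s {lan} should be the private LAN range")
    if wan in lan:
        raise ValueError(f"--to-source {wan} is a LAN address, not {wan_if}'s")
    return [
        f"iptables -t nat -A POSTROUTING -s {lan} -o {wan_if} -j SNAT --to-source {wan}",
        f"iptables -A FORWARD -s {lan} -i {lan_if} -o {wan_if} -m state --state NEW -j ACCEPT",
        "iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
    ]


def preflight(ip_forward, ip_route_output, wan_if):
    """Problems that make a correct POSTROUTING rule look as if it is ignored."""
    problems = []
    # Lucas's first step: the sysctl must read 1 or nothing is forwarded at all
    if ip_forward.strip() != "1":
        problems.append("net.ipv4.ip_forward is not 1: the kernel will not forward")
    # Lucas's last step: a default route, and one that leaves via the WAN side,
    # otherwise the -o <wan_if> match in POSTROUTING never sees the packets
    defaults = [l for l in ip_route_output.splitlines() if l.startswith("default ")]
    if not defaults:
        problems.append("no default route: forwarded packets have no way out")
    elif not any(f" dev {wan_if} " in f"{l} " for l in defaults):
        problems.append(f"default route does not use {wan_if}: -o {wan_if} never matches")
    return problems
```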



Re: Firewall POSTROUTING problem

2021-08-11 Thread Alain D D Williams
On Thu, Aug 12, 2021 at 01:28:57AM +0300, IL Ka wrote:
> >
> >
> >
> > > > iptables -A FORWARD -j ACCEPT
> >
> 
> Are you sure your packets are forwarded via netfilter?
> Try to disable forwarding (with sysctl) or change rulte to -j DROP and
> check traffic with sniffer (no packet should be forwarded from virt machine
> to the Internet)

It now works all of a sudden  I am scratching my head to see what I have
changed. The only thing is rebooting the virtual machine that I was testing
from. I cannot see that that should have made a difference. I was changing the
firewall ...

Anyway: thanks for now, I am sorry if I have wasted anyone's time :-(

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT 
Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: 
https://www.phcomp.co.uk/Contact.html
#include 



Re: Firewall POSTROUTING problem

2021-08-11 Thread IL Ka
>
>
>
> > > iptables -A FORWARD -j ACCEPT
>

Are you sure your packets are forwarded via netfilter?
Try to disable forwarding (with sysctl) or change rulte to -j DROP and
check traffic with sniffer (no packet should be forwarded from virt machine
to the Internet)


Re: Firewall POSTROUTING problem

2021-08-11 Thread Alain D D Williams
On Wed, Aug 11, 2021 at 11:50:30PM +0200, deloptes wrote:
> Alain D D Williams wrote:
> 
> > iptables -A FORWARD -j ACCEPT
> > 
> 
> and the OUTPUT?

OUTPUT is also ACCEPT, however this is not, I think, important as the packets
come from 10.239.239.23 (via br0) and go to the Internet - thus FORWARD is what
is important. Anyway: I see (on the modem) the packets with source 10.239.239.23

> > and this is not a problem ... evidence is outgoing packets with source
> > address 10.239.239.23
> 
> ah, ok, I misinterpreted it.

The important stuff from ifconfig is:

br0: flags=4163  mtu 1500
inet 10.239.239.254  netmask 255.255.255.0  broadcast 10.239.239.255
inet6 fe80::7ca1:36ff:fe12:7402  prefixlen 64  scopeid 0x20
ether ee:3c:27:eb:c0:4f  txqueuelen 1000  (Ethernet)
RX packets 31632  bytes 2596968 (2.4 MiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 2065  bytes 374487 (365.7 KiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp3s0: flags=4163  mtu 1500
inet 192.168.108.2  netmask 255.255.255.0  broadcast 192.168.108.255
inet6 2001:4d48:ad51:2f00::2:2  prefixlen 112  scopeid 0x0
inet6 fe80::922b:34ff:fe12:6470  prefixlen 64  scopeid 0x20
ether 90:2b:34:12:64:70  txqueuelen 1000  (Ethernet)
RX packets 922014  bytes 240006341 (228.8 MiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 562616  bytes 80027668 (76.3 MiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT 
Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: 
https://www.phcomp.co.uk/Contact.html
#include 



Re: Firewall POSTROUTING problem

2021-08-11 Thread deloptes
Alain D D Williams wrote:

> iptables -A FORWARD -j ACCEPT
> 

and the OUTPUT?

> and this is not a problem ... evidence is outgoing packets with source
> address 10.239.239.23

ah, ok, I misinterpreted it.

-- 
FCD6 3719 0FFB F1BF 38EA 4727 5348 5F1F DCFE BCB0



Re: Firewall POSTROUTING problem

2021-08-11 Thread Alain D D Williams
On Wed, Aug 11, 2021 at 11:32:51PM +0200, deloptes wrote:

> I remember it was not only the POSTROUTING. May be I am wrong, but I think
> FORWARD and OUTPUT is important.
> I also wonder why you are mixing up the -s and --to-source. You should be
> using the local address for -s and --to-source the translation (the
> outgoing addresses 10.239.239.23)

This says that anything with a source address 10.239.239.0/24 (ie virtual
machine) will have the source address changed to 192.168.108.2; this is so that
the BB modem does another NAT setting the source address to my external IP
address.

While I am debugging this, to avoid complication, I have set:

iptables -A FORWARD -j ACCEPT

and this is not a problem ... evidence is outgoing packets with source address
10.239.239.23

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT 
Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: 
https://www.phcomp.co.uk/Contact.html
#include 



Re: Firewall POSTROUTING problem

2021-08-11 Thread deloptes
Alain D D Williams wrote:

> Hi,
> 
> I have problems getting POSTROUTING to work on a Debian 10 box.
> 
> Setup:
> 
> INTERNET ... Broadband modem 192.168.108.1
> 
> Network internal to the Debian box for virtual machines 10.239.239.0/24
> 
> Debian has address 192.168.108.2 (interface enp3s0) and 10.239.239.254
> (interface br0)
> 
> Processes on Debian 10 can talk to the Internet
> 
> Processes on virtual machines (eg 10.239.239.23) can talk to the Debian
> machine (ie 192.168.108.2) on which they are hosted.
> 
> If on 10.239.239.23 I ping the BBC (212.58.249.145) and look with a packet
> sniffer on the BB modem I see outgoing addresses 10.239.239.23
> 
> This should not happen. I am running an iptables firewall that should fix
> this with the rule below:
> 
> iptables -t nat -A POSTROUTING -s 10.239.239.0/24 -j SNAT --to-source
> 192.168.108.2
> 
> I have tried variations like:
> iptables -t nat -A POSTROUTING -o enp3s0 -j SNAT --to-source 192.168.108.2
> 
> 
> It is as if the POSTROUTING rule is being ignored.
> 
> This seems to be confirmed by the output below which shows that 0 packets
> have been through POSTROUTING.
> 
> Can anyone shed any light on this ?

I remember it was not only the POSTROUTING. May be I am wrong, but I think
FORWARD and OUTPUT is important.
I also wonder why you are mixing up the -s and --to-source. You should be
using the local address for -s and --to-source the translation (the
outgoing addresses 10.239.239.23)

I later switched to shorewall and since it is doing the iptables rules for
me, so now I just have to put some values in a config and would have
something like

# iptables-save  | grep eth0
:eth0_masq - [0:0]
-A PREROUTING -i eth0 -j net_dnat
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 192.168.xxx.0/24 -j SNAT --to-source 10.0.xxx.1
-A INPUT -i eth0 -j net-fw
-A FORWARD -i eth0 -j net_frwd
-A OUTPUT -o eth0 -j ACCEPT
-A dmz_frwd -o eth0 -j dmz-net
-A loc_frwd -o eth0 -j ACCEPT
-A vpn_frwd -o eth0 -j vpn-net


-- 
FCD6 3719 0FFB F1BF 38EA 4727 5348 5F1F DCFE BCB0



Re: Firewall or Content Filter in Bridge mode.

2018-07-31 Thread Ramses
On 31 July 2018 19:52:29 CEST, JCMD wrote:
>Yes,
>
>You have to search for Open bridge transparent proxy.
>
>Regards
>
>On Tue, 31 Jul 2018 1:50 PM, Ramses 
>wrote:
>
>> Hi all,
>>
>> FortiGate firewalls have an operating mode, Bridge, in which you insert
>> it between the operator's router and the LAN, and it acts as a
>> Firewall / Content Filter without having to change any configuration
>> on the router or on the LAN machines.
>>
>> Do you know whether I can reproduce that same behaviour with a machine
>> with 2 interfaces without having to configure it as a router?
>>
>>
>> Regards and thanks,
>>
>> Ramsés
>>
>>

Thanks JCMD, I'll take a look.


Regards,

Ramsés 



Re: Firewall or Content Filter in Bridge mode.

2018-07-31 Thread Ramses
On 31 July 2018 19:54:17 CEST, Itzcoalt Alvarez wrote:
>Pfsense could be the option
>
>On 31 July 2018 at 12:50, Ramses 
>wrote:
>
>> Hi all,
>>
>> FortiGate firewalls have an operating mode, Bridge, in which you insert
>> it between the operator's router and the LAN, and it acts as a
>> Firewall / Content Filter without having to change any configuration
>> on the router or on the LAN machines.
>>
>> Do you know whether I can reproduce that same behaviour with a machine
>> with 2 interfaces without having to configure it as a router?
>>
>>
>> Regards and thanks,
>>
>> Ramsés
>>
>>
>
>
>--

Itzcoalt, good evening and thanks for replying.

And can pfsense act as a Firewall and Content Filter configured in 
Bridge mode?

There are already specific appliances with pfsense embedded, right?

Do you know whether those appliances are open enough to develop a 
specific front end, or whether there are neutral routers onto which 
Linux and pfsense could be loaded?


Regards and thanks,

Ramsés



Re: Firewall or Content Filter in Bridge mode.

2018-07-31 Thread JCMD
Yes,

You have to search for Open bridge transparent proxy.

Regards

On Tue, 31 Jul 2018 1:50 PM, Ramses 
wrote:

> Hi all,
>
> FortiGate firewalls have an operating mode, Bridge, in which you insert it
> between the operator's router and the LAN, and it acts as a
> Firewall / Content Filter without having to change any configuration
> on the router or on the LAN machines.
>
> Do you know whether I can reproduce that same behaviour with a machine with
> 2 interfaces without having to configure it as a router?
>
>
> Regards and thanks,
>
> Ramsés
>
>


Re: firewall rules for NAT

2017-07-01 Thread Igor Cicimov
On 1 Jul 2017 7:31 pm, "Pascal Hambourg"  wrote:

> On 01/07/2017 at 03:25, Igor Cicimov wrote:
>
>>
>> You know what, i just checked the iptables rules the op sent again and
>> realized this:
>>
>> -A POSTROUTING -d 10.7.33.109/32  -p tcp -m tcp
>>
>> --dport 25 -j SNAT --to-source 10.7.33.100
>>
>> is NOT how you would do SNAT with DNAT, you normally would need:
>>
>> A POSTROUTING -s 10.7.33.109/32  -p tcp -m tcp -
>> -j SNAT --to-source 10.7.33.100
>>
>
> These two rules do not have the same purpose at all.
>
> The OP's rule applies to incoming SMTP connections forwarded to the server,
> in order to workaround the routing flaw (wrong gateway).
>
> Your rule applies to outgoing connexions from the server,
>
> so 1) is useless for incoming connections

That's my point, i misread his rule and thought it was the one I posted.

> and 2) would be ignored in the original setup because the server did not
> use the router as its default gateway.

Yep, but not if the source ip was being changed to the one of the router in
which case the reply would not go to the dgw.

> PS. Igor, the plain text version of your posts does not properly mark the
> quoted text from the message you reply to : it appears as if it was your
> text, without any quotation marks.


Re: firewall rules for NAT

2017-07-01 Thread Brad Rogers
On Sat, 1 Jul 2017 13:25:30 +0200
Pascal Hambourg  wrote:

Hello Pascal,

>Are you sure that your mailer displays the plain text version, not the 
>HTML version ?

I'll change my answer;  I only looked at a couple of Igor's messages and
they were fine.  However, further study shows that in some posts, quoted
text isn't quoted.

-- 
 Regards  _
 / )   "The blindingly obvious is
/ _)radnever immediately apparent"
Walking through town is quite scary
I Predict A Riot - Kaiser Chiefs




Re: firewall rules for NAT

2017-07-01 Thread Brad Rogers
On Sat, 1 Jul 2017 13:25:30 +0200
Pascal Hambourg  wrote:

Hello Pascal,

>Are you sure that your mailer displays the plain text version, not the 
>HTML version ?

Positive.  I use Claws Mail *without* any HTML plugin.

-- 
 Regards  _
 / )   "The blindingly obvious is
/ _)radnever immediately apparent"
He signed up for just three years, it seemed a small amount
Tin Soldiers - Stiff Little Fingers




Re: firewall rules for NAT

2017-07-01 Thread Pascal Hambourg

On 01/07/2017 at 12:54, Brad Rogers wrote:
> On Sat, 1 Jul 2017 11:30:41 +0200
> Pascal Hambourg  wrote:
>
> Hello Pascal,
>
>> PS. Igor, the plain text version of your posts does not properly mark
>> the quoted text from the message you reply to : it appears as if it was
>> your text, without any quotation marks.
>
> It's fine here.

Are you sure that your mailer displays the plain text version, not the 
HTML version ?
The HTML version is fine but in the plain text version, the only 
quotation marks ">" are the ones that were already present in the quoted 
message.




Re: firewall rules for NAT

2017-07-01 Thread Brad Rogers
On Sat, 1 Jul 2017 11:30:41 +0200
Pascal Hambourg  wrote:

Hello Pascal,

>PS. Igor, the plain text version of your posts does not properly mark 
>the quoted text from the message you reply to : it appears as if it was 
>your text, without any quotation marks.

It's fine here.

-- 
 Regards  _
 / )   "The blindingly obvious is
/ _)radnever immediately apparent"
Loaded like a freight train flyin' like an aeroplane
Nightrain - Guns 'N' Roses




Re: firewall rules for NAT

2017-07-01 Thread Pascal Hambourg

On 01/07/2017 at 03:25, Igor Cicimov wrote:


You know what, I just checked the iptables rules the OP sent again and
realized this:

-A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100

is NOT how you would do SNAT with DNAT; you normally would need:

-A POSTROUTING -s 10.7.33.109/32 -p tcp -m tcp -j SNAT --to-source 10.7.33.100


These two rules do not have the same purpose at all.

The OP's rule applies to incoming SMTP connections forwarded to the 
server, in order to work around the routing flaw (wrong gateway).


Your rule applies to outgoing connections from the server, so 1) is 
useless for incoming connections and 2) would be ignored in the original 
setup because the server did not use the router as its default gateway.


PS. Igor, the plain text version of your posts does not properly mark 
the quoted text from the message you reply to: it appears as if it was 
your text, without any quotation marks.




Re: firewall rules for NAT

2017-06-30 Thread Igor Cicimov
On 1 Jul 2017 7:13 am, "Pascal Hambourg"  wrote:

On 30/06/2017 at 15:09, Igor Cicimov wrote:

> On Fri, Jun 30, 2017 at 3:50 PM, Pascal Hambourg 
> wrote:
>
>>
>> Stateful NAT requires symmetric routing, i.e. reply packets go through the
>> router that did the NAT operations on original packets and keeps the state
>> for these NAT operations.
>>
>> With the host as gateway and without the SNAT rule, routing is asymmetric:
>> client -> router VM (DNAT) -> server VM
>> server VM -> host -> client
>>
>> Reply traffic cannot be un-DNATed and communication fails.
>>
>
> I completely agree with that and that's what I would expect to happen.
> However, as per OP's initial email (I cite):
>
> "*It works like a charm*, but there is one problem: my mail server receives
>
> all the connections from the router, which has its own private IP address
> (10.7.33.100), so the mail server can't enforce SPF policies nor DNS RBL
> rules on incoming mail connections."
>
> his setup was working "like a charm" and the only problem was that the
> source IP the email server was seeing was the one from the router vm and
> not the client one, nothing about failing connections.
>

In his second mail, after admitting that the problem was caused by the SNAT
rule, the OP also wrote :


"The problem is that without that rule things do not work at all
(connections time out)."

This of course rang a bell. As we all know, NAT is most often used to work
around routing flaws. But, as we can see again, it also brings its own
flaws.

You know what, I just checked the iptables rules the OP sent again and
realized this:

-A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT
--to-source 10.7.33.100

is NOT how you would do SNAT with DNAT; you normally would need:

-A POSTROUTING -s 10.7.33.109/32 -p tcp -m tcp -j SNAT --to-source
10.7.33.100

*sigh* sorry for the noise


Re: firewall rules for NAT

2017-06-30 Thread Pascal Hambourg

On 30/06/2017 at 15:09, Igor Cicimov wrote:

On Fri, Jun 30, 2017 at 3:50 PM, Pascal Hambourg 
wrote:


Stateful NAT requires symmetric routing, i.e. reply packets go through the
router that did the NAT operations on original packets and keeps the state
for these NAT operations.

With the host as gateway and without the SNAT rule, routing is asymmetric:
client -> router VM (DNAT) -> server VM
server VM -> host -> client

Reply traffic cannot be un-DNATed and communication fails.


I completely agree with that and that's what I would expect to happen.
However, as per OP's initial email (I cite):

"*It works like a charm*, but there is one problem: my mail server receives
all the connections from the router, which has its own private IP address
(10.7.33.100), so the mail server can't enforce SPF policies nor DNS RBL
rules on incoming mail connections."

his setup was working "like a charm" and the only problem was that the
source IP the email server was seeing was the one from the router vm and
not the client one, nothing about failing connections.


In his second mail, after admitting that the problem was caused by the 
SNAT rule, the OP also wrote :


"The problem is that without that rule things do not work at all 
(connections time out)."


This of course rang a bell. As we all know, NAT is most often used to 
work around routing flaws. But, as we can see again, it also brings its 
own flaws.




Re: firewall rules for NAT

2017-06-30 Thread Igor Cicimov
On Fri, Jun 30, 2017 at 3:50 PM, Pascal Hambourg 
wrote:

> On 30/06/2017 at 00:38, Igor Cicimov wrote:
>
>> On 29 Jun 2017 6:32 pm, "Lucio Crusca"  wrote:
>>
>>>
>>> On 27/06/2017 23:35, Pascal Hambourg wrote:
>>>
>>> On 27/06/2017 at 13:29, Lucio Crusca wrote:

 -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT
> --to-source 10.7.33.100
>
> If this rule is required, then your routing setup is wrong.

>>>
>>> Thank you very much, that was the problem. My VMs were using the host
>>> system as gateway instead of the router VM.
>>>
>>
>> Ok, not sure though how that changes anything. As you said, the email
>> VM was receiving traffic with the IP of the router VM as source, and
>> since they are both on the same LAN and connected to the same bridge I
>> don't see how the default gateway can make any difference? The return
>> traffic was already going through the router VM, hence the need for the
>> SNAT rule on it.
>>
>
> Stateful NAT requires symmetric routing, i.e. reply packets go through the
> router that did the NAT operations on original packets and keeps the state
> for these NAT operations.
>
> With the host as gateway and without the SNAT rule, routing is asymmetric:
> client -> router VM (DNAT) -> server VM
> server VM -> host -> client
>
> Reply traffic cannot be un-DNATed and communication fails.
>

I completely agree with that and that's what I would expect to happen.
However, as per OP's initial email (I cite):

"*It works like a charm*, but there is one problem: my mail server receives
all the connections from the router, which has its own private IP address
(10.7.33.100), so the mail server can't enforce SPF policies nor DNS RBL
rules on incoming mail connections."

his setup was working "like a charm" and the only problem was that the
source IP the email server was seeing was the one from the router vm and
not the client one, nothing about failing connections. As if there was
maybe a routing rule on the host like:

10.7.33.0/24 dev virbr10 scope host src 10.7.33.100

Something does not add up ...

> The SNAT rule is a way to force reply traffic through the router VM, making
> the routing symmetric:
> client -> router VM (DNAT+SNAT) -> server VM
> server VM -> router VM (un-DNAT+un-SNAT) -> client
>
> Making the router VM the default gateway for the server VM also makes
> routing symmetric without the need of SNAT:
> client -> router VM (DNAT) -> server VM
> server VM -> router VM (un-DNAT) -> client
>
>


Re: firewall rules for NAT

2017-06-29 Thread Pascal Hambourg

On 30/06/2017 at 00:38, Igor Cicimov wrote:

On 29 Jun 2017 6:32 pm, "Lucio Crusca"  wrote:


On 27/06/2017 23:35, Pascal Hambourg wrote:


On 27/06/2017 at 13:29, Lucio Crusca wrote:


-A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT
--to-source 10.7.33.100


If this rule is required, then your routing setup is wrong.


Thank you very much, that was the problem. My VMs were using the host
system as gateway instead of the router VM.


Ok, not sure though how that changes anything. As you said, the email VM
was receiving traffic with the IP of the router VM as source, and since they
are both on the same LAN and connected to the same bridge I don't see how
the default gateway can make any difference? The return traffic was already
going through the router VM, hence the need for the SNAT rule on it.


Stateful NAT requires symmetric routing, i.e. reply packets go through 
the router that did the NAT operations on original packets and keeps the 
state for these NAT operations.


With the host as gateway and without the SNAT rule, routing is asymmetric:
client -> router VM (DNAT) -> server VM
server VM -> host -> client

Reply traffic cannot be un-DNATed and communication fails.
The SNAT rule is a way to force reply traffic through the router VM, 
making the routing symmetric:

client -> router VM (DNAT+SNAT) -> server VM
server VM -> router VM (un-DNAT+un-SNAT) -> client

Making the router VM the default gateway for the server VM also makes 
routing symmetric without the need of SNAT:

client -> router VM (DNAT) -> server VM
server VM -> router VM (un-DNAT) -> client
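
The symmetric-routing argument Pascal makes here (and which is quoted in the replies above) can be checked with a small packet-flow model. The following is an added example, not code from this thread or from any list member: it models the router VM as a stateful NAT box with a conntrack table and lets the server VM's reply take the path its routing table would choose. The public address 1.2.3.4 and the 10.7.33.100/10.7.33.109 addresses are the ones named in the thread; the client address 203.0.113.5 and host address 10.7.33.1 are constructed for the example, and `simulate`, `RouterVM` and the other names are my own.

```python
"""Toy packet-flow model of the DNAT/SNAT setup discussed in this thread.

Added example, not code from the thread. Addresses are the ones named in the
thread (public 1.2.3.4, router VM 10.7.33.100, mail server VM 10.7.33.109);
the client (203.0.113.5) and host (10.7.33.1) addresses are constructed.
"""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "1.2.3.4"
ROUTER_IP = "10.7.33.100"
SERVER_IP = "10.7.33.109"
HOST_IP = "10.7.33.1"        # constructed: the hypervisor host on the LAN
CLIENT_IP = "203.0.113.5"    # constructed: remote SMTP client
LAN_PREFIX = "10.7.33."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class RouterVM:
    """Stateful NAT: DNAT of public:25 to the server, optional SNAT, conntrack."""

    def __init__(self, snat: bool) -> None:
        self.snat = snat
        # reply 4-tuple as it will arrive at the router -> original client packet
        self.conntrack: dict = {}

    def forward_in(self, pkt: Packet) -> Packet:
        """Client -> server direction: translate and remember the state."""
        if (pkt.dst, pkt.dport) != (PUBLIC_IP, 25):
            return pkt
        new_src = ROUTER_IP if self.snat else pkt.src
        out = Packet(new_src, pkt.sport, SERVER_IP, 25)
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def forward_out(self, pkt: Packet) -> Optional[Packet]:
        """Server -> client direction: undo the translation, or drop if no state."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        # un-DNAT (and un-SNAT where applied): the client must see public:25
        return Packet(PUBLIC_IP, 25, orig.src, orig.sport)


def host_forward(pkt: Packet) -> Packet:
    """The host as a plain router: forwards the reply unchanged, knows no NAT state."""
    return pkt


def simulate(server_gateway: str, snat: bool) -> dict:
    router = RouterVM(snat)
    syn = Packet(CLIENT_IP, 51600, PUBLIC_IP, 25)
    at_server = router.forward_in(syn)
    # the server answers whatever source address it saw
    reply = Packet(SERVER_IP, 25, at_server.src, at_server.sport)
    # first hop of the reply follows the server's routing table: on-link LAN
    # destinations go directly, everything else goes to the default gateway
    if reply.dst.startswith(LAN_PREFIX) or server_gateway == ROUTER_IP:
        back = router.forward_out(reply)
    else:
        back = host_forward(reply)  # leaves with a private source, never un-DNATed
    # the client only accepts a reply matching the 4-tuple it opened
    expected = (PUBLIC_IP, 25, CLIENT_IP, 51600)
    accepted = back is not None and (back.src, back.sport, back.dst, back.dport) == expected
    return {
        "server_sees_src": at_server.src,
        "reply_src_at_client": None if back is None else back.src,
        "client_accepts": accepted,
    }


if __name__ == "__main__":
    for gw, snat in ((HOST_IP, False), (HOST_IP, True), (ROUTER_IP, False)):
        print(f"gateway={gw:<12} snat={snat!s:<5} -> {simulate(gw, snat)}")
```

The three runs reproduce the thread: host as gateway without SNAT fails (the client sees a reply from 10.7.33.109 that matches no connection), host as gateway with SNAT works but the server only ever sees 10.7.33.100, and router VM as gateway works with the server seeing the real client address, which is what SPF and RBL checks need.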



Re: firewall rules for NAT

2017-06-29 Thread Igor Cicimov
On 29 Jun 2017 6:32 pm, "Lucio Crusca"  wrote:

On 27/06/2017 23:35, Pascal Hambourg wrote:

> On 27/06/2017 at 13:29, Lucio Crusca wrote:
>
>>
>> -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT
>> --to-source 10.7.33.100
>>
>>
> If this rule is required, then your routing setup is wrong.
>

Thank you very much, that was the problem. My VMs were using the host
system as gateway instead of the router VM.


Ok, not sure though how that changes anything. As you said, the email VM
was receiving traffic with the IP of the router VM as source, and since they
are both on the same LAN and connected to the same bridge I don't see how
the default gateway can make any difference? The return traffic was already
going through the router VM, hence the need for the SNAT rule on it.


Re: firewall rules for NAT

2017-06-29 Thread Lucio Crusca

On 27/06/2017 23:35, Pascal Hambourg wrote:

On 27/06/2017 at 13:29, Lucio Crusca wrote:


-A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT
--to-source 10.7.33.100



If this rule is required, then your routing setup is wrong.


Thank you very much, that was the problem. My VMs were using the host 
system as gateway instead of the router VM.




Re: firewall rules for NAT

2017-06-28 Thread Igor Cicimov
On 27 Jun 2017 9:29 pm, "Lucio Crusca"  wrote:

On 26/06/2017 11:35, Dan Purgert wrote:

> That shouldn't be happening -- you may have an errant rule you didn't
> show
>

I think I did show that rule:


-A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT
--to-source 10.7.33.100


Yes, you do need that rule; when not using MASQUERADE you have to use
SNAT or you'll get timeouts, as you found out.

Your problem is that something changes the source IP of the packets sent
from the router VM to the mail server one, NOT the other way around. The
only candidates I can see in your config, assuming you have shown us the
full configs, are these rules:

-A POSTROUTING -s 10.7.33.0/24 ! -d 10.7.33.0/24 -p tcp -j MASQUERADE
--to-ports 1024-65535
-A POSTROUTING -s 10.7.33.0/24 ! -d 10.7.33.0/24 -p udp -j MASQUERADE
--to-ports 1024-65535
-A POSTROUTING -s 10.7.33.0/24 ! -d 10.7.33.0/24 -j MASQUERADE

but they look OK to me to be honest; they change the source IP of the
packets but only if the destination is not the 10.7.33.0/24 subnet, which
should not cause the issue you are seeing.


The problem is that without that rule things do not work at all
(connections time out).

For example, I've tried adding only the DNAT rule for TCP port 26, without
the SNAT rule above, forwarded to the same mail server.

Then from the client I've tried to open a TCP connection on port 26:

echo hello | netcat 1.2.3.4 26

In the physical host system I get:

Jun 27 13:21:09 hostmachine kernel: [2479354.931255] IN=eth0 OUT=
MAC=74:d0:2b:99:a1:f5:2c:21:31:28:a6:fb:08:00 SRC=217.61.166.36 DST=1.2.3.4
LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18186 DF PROTO=TCP SPT=51600 DPT=26
WINDOW=29200 RES=0x00 SYN URGP=0

In the router virtual machine I get:

Jun 27 13:21:34 router kernel: [2479319.331492] IN=eth0 OUT=
MAC=52:54:00:02:90:d2:52:54:00:f0:37:ba:08:00 SRC=217.61.166.36
DST=10.7.33.100 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=18186 DF PROTO=TCP
SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0

In the mail server virtual machine I get

Jun 27 13:21:09 mx kernel: [2479308.578043] IN=ens2 OUT=
MAC=52:54:00:8d:4c:2a:52:54:00:02:90:d2:08:00 SRC=217.61.166.36
DST=10.7.33.109 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=18186 DF PROTO=TCP
SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0

So the packet actually reaches the mail server as expected. However the
client never gets a reply.


Re: firewall rules for NAT

2017-06-27 Thread Pascal Hambourg

On 27/06/2017 at 13:29, Lucio Crusca wrote:


-A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT
--to-source 10.7.33.100

The problem is that without that rule things do not work at all
(connections time out).


If this rule is required, then your routing setup is wrong.
What is the routing table on the router and the server ?



Re: firewall rules for NAT

2017-06-27 Thread Lucio Crusca

On 26/06/2017 11:35, Dan Purgert wrote:

That shouldn't be happening -- you may have an errant rule you didn't
show


I think I did show that rule:

-A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT 
--to-source 10.7.33.100


The problem is that without that rule things do not work at all 
(connections time out).


For example, I've tried adding only the DNAT rule for TCP port 26, 
without the SNAT rule above, forwarded to the same mail server.


Then from the client I've tried to open a TCP connection on port 26:

echo hello | netcat 1.2.3.4 26

In the physical host system I get:

Jun 27 13:21:09 hostmachine kernel: [2479354.931255] IN=eth0 OUT= 
MAC=74:d0:2b:99:a1:f5:2c:21:31:28:a6:fb:08:00 SRC=217.61.166.36 
DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18186 DF PROTO=TCP 
SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0


In the router virtual machine I get:

Jun 27 13:21:34 router kernel: [2479319.331492] IN=eth0 OUT= 
MAC=52:54:00:02:90:d2:52:54:00:f0:37:ba:08:00 SRC=217.61.166.36 
DST=10.7.33.100 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=18186 DF PROTO=TCP 
SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0


In the mail server virtual machine I get

Jun 27 13:21:09 mx kernel: [2479308.578043] IN=ens2 OUT= 
MAC=52:54:00:8d:4c:2a:52:54:00:02:90:d2:08:00 SRC=217.61.166.36 
DST=10.7.33.109 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=18186 DF PROTO=TCP 
SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0


So the packet actually reaches the mail server as expected. However the 
client never gets a reply.
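
The three kernel LOG lines Lucio posted above (and quoted again in Igor's reply earlier on this page) are the kind of evidence that settles a NAT question: the same packet can be followed hop by hop if you correlate on the IP ID and source port rather than on timestamps, which differ between the three machines here. The following is an added example, not code from the thread: it parses iptables LOG output into fields, groups records for the same packet, and orders them by decreasing TTL. The only input is the three log lines from the thread, re-joined onto single lines; `parse_log_line` and `trace` are my own names.

```python
"""Correlate iptables LOG lines from several hosts to follow one packet hop by hop.

Added example, not code from the thread. The three log lines are the ones
quoted in this thread, re-joined onto single lines; nothing else is assumed.
"""
import re
from typing import Dict, List, Tuple

HOST_LOG = ("Jun 27 13:21:09 hostmachine kernel: [2479354.931255] IN=eth0 OUT= "
            "MAC=74:d0:2b:99:a1:f5:2c:21:31:28:a6:fb:08:00 SRC=217.61.166.36 DST=1.2.3.4 "
            "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 "
            "WINDOW=29200 RES=0x00 SYN URGP=0")
ROUTER_LOG = ("Jun 27 13:21:34 router kernel: [2479319.331492] IN=eth0 OUT= "
              "MAC=52:54:00:02:90:d2:52:54:00:f0:37:ba:08:00 SRC=217.61.166.36 "
              "DST=10.7.33.100 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=18186 DF PROTO=TCP "
              "SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0")
MX_LOG = ("Jun 27 13:21:09 mx kernel: [2479308.578043] IN=ens2 OUT= "
          "MAC=52:54:00:8d:4c:2a:52:54:00:02:90:d2:08:00 SRC=217.61.166.36 "
          "DST=10.7.33.109 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=18186 DF PROTO=TCP "
          "SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0")

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: \[[\d.]+\] (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

Key = Tuple[str, str, str, str]


def parse_log_line(line: str) -> dict:
    """Split a syslog line carrying iptables LOG output into a field dict."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not an iptables LOG line: {line!r}")
    rest = m.group("rest")
    fields: dict = dict(KV_RE.findall(rest))
    # bare tokens such as DF and SYN carry no '=': keep them as flags
    fields["flags"] = [tok for tok in rest.split() if "=" not in tok]
    fields["host"] = m.group("host")
    fields["ts"] = m.group("ts")
    # MAC= is destination MAC (6 bytes), source MAC (6 bytes), then the EtherType
    mac = fields.get("MAC", "")
    fields["dst_mac"], fields["src_mac"] = mac[:17], mac[18:35]
    return fields


def packet_key(rec: dict) -> Key:
    """Identify one IP packet across hosts; do not use timestamps, clocks differ."""
    return (rec["SRC"], rec["PROTO"], rec["ID"], rec.get("SPT", ""))


def trace(lines: List[str]) -> Dict[Key, List[dict]]:
    """Group LOG records per packet and order each group along its path."""
    grouped: Dict[Key, List[dict]] = {}
    for line in lines:
        rec = parse_log_line(line)
        grouped.setdefault(packet_key(rec), []).append(rec)
    traces: Dict[Key, List[dict]] = {}
    for key, recs in grouped.items():
        # every forwarding hop decrements TTL, so descending TTL is hop order
        recs.sort(key=lambda r: -int(r["TTL"]))
        traces[key] = [{"host": r["host"], "dst": r["DST"], "ttl": int(r["TTL"]),
                        "src_mac": r["src_mac"], "dst_mac": r["dst_mac"]} for r in recs]
    return traces


if __name__ == "__main__":
    for key, hops in trace([MX_LOG, HOST_LOG, ROUTER_LOG]).items():
        print("packet", key)
        for h in hops:
            print(f"  {h['host']:<12} ttl={h['ttl']} dst={h['dst']:<12} "
                  f"from {h['src_mac']} to {h['dst_mac']}")
```

Reading the output confirms what Lucio described: the SYN is seen on the host with DST=1.2.3.4, on the router VM with DST=10.7.33.100 (so the host already rewrote the destination once), and on the mail server with DST=10.7.33.109, with TTL 51, 50, 49. The source MAC on the mail server equals the router VM's own MAC as logged on the router, so the packet did arrive via the router VM; what the logs cannot show is the reply path, which is exactly where the asymmetry lies.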




Re: firewall rules for NAT

2017-06-26 Thread Dan Purgert
Lucio Crusca wrote:
>[...]
> It works like a charm, but there is one problem: my mail server receives 
> all the connections from the router, which has its own private IP 
> address (10.7.33.100), so the mail server can't enforce SPF policies nor 
> DNS RBL rules on incoming mail connections.

That shouldn't be happening -- you may have an errant rule you didn't
show from one of the hosts in there that's doing this to you (perhaps
NAT Hairpin).

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Firewall

2017-03-16 Thread Gonzalo Rivero
On Wed, 15-03-2017 at 16:49 -0400, luis godoy wrote:
> Hi, can a firewall be used or installed on a live version?
> (Version 8)

yes

(http://www.netfilter.org/documentation/index.html)



Fwd: Re: firewall para novatos

2016-11-29 Thread divagante


hi!

On 26/11/16 at 14:20, R Calleja wrote:

The best thing is iptables; it works on every Linux distribution and is
very configurable, much better than the graphical ones.

Below is a firewall script for a server; with some modifications it may
serve your needs:


#!/bin/bash

# IP address of the server
IP="192.168.145.32"

# Flush all chains and zero the counters
iptables -F
iptables -X
iptables -Z

# Enable various kernel-level protections
#
# Ignore ICMP broadcasts
echo -n '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable source routing
echo -n '0' > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirects
echo -n '0' > /proc/sys/net/ipv4/conf/all/accept_redirects
# Protect against "bad error messages"
echo -n '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Disable IP forwarding
echo -n '0' > /proc/sys/net/ipv4/ip_forward
# Log suspicious packets: "source routed" ones and redirects (martians)
echo -n '1' > /proc/sys/net/ipv4/conf/all/log_martians

# By default, block everything in the INPUT and FORWARD chains
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Allow all outgoing traffic
iptables -P OUTPUT ACCEPT

# Block new TCP connections that do not start with SYN
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "TCP RST,ACK,FIN"
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

# Block incoming fragments
iptables -A INPUT -i eth0 -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragment Packets"
iptables -A INPUT -i eth0 -f -j DROP

# Block malformed packets
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Block NULL packets
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP

# Block malformed "Christmas tree" packets
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Block FIN scan attacks
iptables -A INPUT -i eth0 -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
iptables -A INPUT -i eth0 -p tcp --tcp-flags FIN,ACK FIN -j DROP

# Validate TCP flags
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Block invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Allow everything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT

# Allow packets belonging to established connections
iptables -A INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ping
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# Allow connections to port 22 (SSH)
iptables -A INPUT -p tcp -d $IP --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT

# Allow connections to ports 80 and 443 (HTTP and HTTPS)
iptables -A INPUT -p tcp -d $IP --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -d $IP --sport 1024:65535 --dport 443 -m state --state NEW -j ACCEPT

# Log and drop everything else
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A INPUT -j DROP

Copy the script and run it. You also need to install
netfilter-persistent so that it is saved across reboots.
Cheers


Super interesting!! I'm copying and saving it right away; the little
problem is that I don't understand a thing! haha.
 I can study it bit by bit, yes sir! There are still a few months until
the server...

Thanks a lot!



On 26 November 2016 at 14:35, divagante wrote:

Hi everyone!

 Well, for the convenience of anyone who wants to help me with some
pointers, I'll say that I have been a Debian user for 7 years, but I
still haven't found the time or the inclination to get deeply into
Unix system administration or networking...
 I don't write scripts, and I don't understand networking beyond
configuring /etc/network/interfaces with the help of some guide.
Something I haven't even done for a while because of managers like
wicd or GNOME.

 While I don't rule out reading up on and getting into iptables in the
future, when I set up a future radio streaming server I would like to
start with an intuitive firewall that is easy to manage and has a
graphical interface.

 Note: I remember that some years ago, using Windows and the Kaspersky
antivirus, I installed the latter's firewall, and honestly I found it
super intuitive and manageable. You could clearly see the requests
some freeware program made to the internet and how it denied them if one, with 
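
The `--tcp-flags MASK COMP` rules in the script R Calleja posted above only drop a packet when, of the flag bits named in MASK, exactly those named in COMP are set; this is also why `--syn` accepts a SYN that carries PSH or URG. The following is an added example, not code from the script or from any list member: it implements that matching and walks the script's TCP INPUT rules in chain order, so the behaviour of each rule can be checked offline before loading the script. `input_verdict`, `FLAG_DROPS` and the rule labels are my own names; the interface, conntrack-state and port checks are simplified to what the posted rules express.

```python
"""Model of the TCP INPUT path of the iptables script quoted above.

Added example, not code from the thread. It implements the iptables
`--tcp-flags MASK COMP` semantics (look only at the bits in MASK, require
exactly COMP) and walks the posted rules in chain order. Function and rule
names are my own; the loopback, conntrack-state and port checks are
simplified to what the quoted rules express.
"""
from enum import IntFlag


class TCP(IntFlag):
    FIN = 1
    SYN = 2
    RST = 4
    PSH = 8
    ACK = 16
    URG = 32


ALL = TCP.FIN | TCP.SYN | TCP.RST | TCP.PSH | TCP.ACK | TCP.URG
NONE = TCP(0)


def tcp_flags_match(flags: TCP, mask: TCP, comp: TCP) -> bool:
    """--tcp-flags MASK COMP: of the bits in MASK, exactly those in COMP are set."""
    return (flags & mask) == comp


def is_syn(flags: TCP) -> bool:
    """--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (PSH/URG are ignored)."""
    return tcp_flags_match(flags, TCP.SYN | TCP.RST | TCP.ACK | TCP.FIN, TCP.SYN)


# (mask, comp, label) in the order the script appends them to INPUT on eth0
FLAG_DROPS = [
    (ALL, TCP.FIN | TCP.URG | TCP.PSH, "malformed FIN,URG,PSH"),
    (ALL, ALL, "all flags set"),
    (TCP.SYN | TCP.RST, TCP.SYN | TCP.RST, "SYN+RST"),
    (ALL, NONE, "NULL packet"),
    (TCP.SYN | TCP.FIN, TCP.SYN | TCP.FIN, "XMAS (SYN+FIN)"),
    (TCP.FIN | TCP.ACK, TCP.FIN, "FIN scan"),
    (ALL, TCP.SYN | TCP.RST | TCP.ACK | TCP.FIN | TCP.URG, "SYN,RST,ACK,FIN,URG"),
]

ALLOWED_NEW_PORTS = {22, 80, 443}


def input_verdict(flags: TCP, ctstate: str, dport: int,
                  in_iface: str = "eth0", sport: int = 51600) -> str:
    """Return the verdict the posted INPUT chain gives a TCP packet."""
    if in_iface == "eth0":
        # '-p tcp ! --syn -m state --state NEW -j DROP'
        if ctstate == "NEW" and not is_syn(flags):
            return "DROP: new connection without SYN"
        for mask, comp, label in FLAG_DROPS:
            if tcp_flags_match(flags, mask, comp):
                return f"DROP: {label}"
    if ctstate == "INVALID":
        return "DROP: conntrack INVALID"
    if in_iface == "lo":
        return "ACCEPT: loopback"
    if ctstate in ("ESTABLISHED", "RELATED"):
        return "ACCEPT: established"
    if ctstate == "NEW" and 1024 <= sport <= 65535 and dport in ALLOWED_NEW_PORTS:
        return f"ACCEPT: new connection to port {dport}"
    return "LOG+DROP: default policy"


if __name__ == "__main__":
    samples = [
        (TCP.SYN, "NEW", 80), (TCP.SYN, "NEW", 25), (TCP.SYN | TCP.PSH, "NEW", 22),
        (NONE, "ESTABLISHED", 80), (ALL, "ESTABLISHED", 80),
        (TCP.SYN | TCP.FIN, "ESTABLISHED", 80), (TCP.FIN, "ESTABLISHED", 80),
        (TCP.ACK, "ESTABLISHED", 80), (TCP.ACK, "NEW", 80),
    ]
    for flags, state, port in samples:
        print(f"{str(flags):<24} {state:<12} dport={port:<4} -> "
              f"{input_verdict(flags, state, port)}")
```

Two things the model makes visible that the script alone does not: the `! --syn ... --state NEW` rule fires before any of the flag-pattern rules, so a lone FIN or ACK that conntrack classifies as NEW is dropped there rather than by the "FIN scan" rule, and the order of the flag rules matters because the first match wins.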

Re: firewall para novatos

2016-11-29 Thread divagante



On 26/11/16 at 14:57, Laotrasolucion wrote:


On 26/11/16 at 10:35, divagante wrote:

Hi everyone!

  Well, for the convenience of anyone who wants to help me with some
pointers, I'll say that I have been a Debian user for 7 years, but I
still haven't found the time or the inclination to get deeply into
Unix system administration or networking...
  I don't write scripts, and I don't understand networking beyond
configuring /etc/network/interfaces with the help of some guide.
Something I haven't even done for a while because of managers like
wicd or GNOME.

  While I don't rule out reading up on and getting into iptables in the
future, when I set up a future radio streaming server I would like to
start with an intuitive firewall that is easy to manage and has a
graphical interface.

  Note: I remember that some years ago, using Windows and the Kaspersky
antivirus, I installed the latter's firewall, and honestly I found it
super intuitive and manageable. You could clearly see the requests
some freeware program made to the internet and how it denied them if
you decided so with a few clicks.

  Thank you very much for your help.



Hi,

Honestly, I haven't used the GUIs for iptables much, but the iptables
site has a section listing some.

http://www.iptables.info/en/iptables-gui.html


Well... I'm looking at it now; maybe one of them will do to start 
administering things.


Personally I have used fwbuilder a few times, which is quite good.
There is plenty of documentation and explanatory videos.
Coincidentally, these past few days I stumbled upon this very 
application, fwbuilder. And of course, as its own name announces, it is 
for building a set of rules that are then applied in iptables or 
others... once I understood that I put it on hold.



I don't know whether any of the existing ones can satisfy your
requirements the way good old Kaspersky did, but let me tell you that
building a firewall is not such a complicated task, as long as you
understand the concepts.

hehe.. I used good old Kaspersky out of curiosity and at the time it 
satisfied me by giving an idea of what was going on with the 
applications on Windows.
 I mean... it's very satisfying to tell a piece of freeware (which you 
have no %$# idea what it does)
HEY! what are you doing? if you are a video player, why are you going to 
that IP? Hehehe! it's great! and, depending on the case, libertarian or 
patriotic too!


 Regards and thanks.



Re: firewall para novatos

2016-11-28 Thread Ricardo Adolfo Sánchez Arboleda
Firestarter

http://robersoft.blogcindario.com/2011/01/00010-firewall-cortafuegos-en-ubuntu.html





*Regards;*

rasa.

On 27 November 2016 at 17:08, Alejandro Gutiérrez <
alexfile...@gmail.com> wrote:

> Something simple and intuitive could be Gufw, the graphical interface
> for ufw.
>
> On 27/11/16 at 11:09, Ricardo Adolfo Sánchez Arboleda wrote:
> > Look at
> > https://es.wikipedia.org/wiki/PfSense
> > https://pfsense.org/
> >
> >
> >
> > *Regards;*
> >
> > rasa.
> >
> > On 26 November 2016 at 12:57, Laotrasolucion wrote:
> >
> >
> >
> > On 26/11/16 at 10:35, divagante wrote:
> > > Hi everyone!
> > >
> > >  Well, for the convenience of anyone who wants to help me with some
> > > pointers, I'll say that I have been a Debian user for 7 years, but I
> > > still haven't found the time or the inclination to get deeply into
> > > Unix system administration or networking...
> > >  I don't write scripts, and I don't understand networking beyond
> > > configuring /etc/network/interfaces with the help of some guide.
> > > Something I haven't even done for a while because of managers like
> > > wicd or GNOME.
> > >
> > >  While I don't rule out reading up on and getting into iptables in
> > > the future, when I set up a future radio streaming server I would
> > > like to start with an intuitive firewall that is easy to manage and
> > > has a graphical interface.
> > >
> > >  Note: I remember that some years ago, using Windows and the
> > > Kaspersky antivirus, I installed the latter's firewall, and honestly
> > > I found it super intuitive and manageable. You could clearly see the
> > > requests some freeware program made to the internet and how it
> > > denied them if you decided so with a few clicks.
> > >
> > >  Thank you very much for your help.
> > >
> > >
> >
> > Hi,
> >
> > Honestly, I haven't used the GUIs for iptables much, but the iptables
> > site has a section listing some.
> >
> > http://www.iptables.info/en/iptables-gui.html
> >
> > Personally I have used fwbuilder a few times, which is quite good.
> > There is plenty of documentation and explanatory videos.
> > I don't know whether any of the existing ones can satisfy your
> > requirements the way good old Kaspersky did, but let me tell you that
> > building a firewall is not such a complicated task, as long as you
> > understand the concepts.
> >
> >
>
>


Re: firewall para novatos

2016-11-27 Thread Alejandro Gutiérrez
Something simple and intuitive could be Gufw, the graphical interface for ufw.

On 27/11/16 at 11:09, Ricardo Adolfo Sánchez Arboleda wrote:
> Look at
> https://es.wikipedia.org/wiki/PfSense
> https://pfsense.org/
> 
> 
> 
> *Regards;*
> 
> rasa.
> 
> On 26 November 2016 at 12:57, Laotrasolucion wrote:
> 
> 
> 
> On 26/11/16 at 10:35, divagante wrote:
> > Hi everyone!
> >
> >  Well, for the convenience of anyone who wants to help me with some
> > pointers, I'll say that I have been a Debian user for 7 years, but I
> > still haven't found the time or the inclination to get deeply into
> > Unix system administration or networking...
> >  I don't write scripts, and I don't understand networking beyond
> > configuring /etc/network/interfaces with the help of some guide.
> > Something I haven't even done for a while because of managers like
> > wicd or GNOME.
> >
> >  While I don't rule out reading up on and getting into iptables in the
> > future, when I set up a future radio streaming server I would like to
> > start with an intuitive firewall that is easy to manage and has a
> > graphical interface.
> >
> >  Note: I remember that some years ago, using Windows and the Kaspersky
> > antivirus, I installed the latter's firewall, and honestly I found it
> > super intuitive and manageable. You could clearly see the requests
> > some freeware program made to the internet and how it denied them if
> > you decided so with a few clicks.
> >
> >  Thank you very much for your help.
> >
> >
> 
> Hi,
> 
> Honestly, I haven't used the GUIs for iptables much, but the iptables
> site has a section listing some.
> 
> http://www.iptables.info/en/iptables-gui.html
> 
> 
> Personally I have used fwbuilder a few times, which is quite good.
> There is plenty of documentation and explanatory videos.
> I don't know whether any of the existing ones can satisfy your
> requirements the way good old Kaspersky did, but let me tell you that
> building a firewall is not such a complicated task, as long as you
> understand the concepts.
> 
> 



Re: firewall para novatos

2016-11-27 Thread Ricardo Adolfo Sánchez Arboleda
Look at
https://es.wikipedia.org/wiki/PfSense
https://pfsense.org/



*Regards;*

rasa.

On 26 November 2016 at 12:57, Laotrasolucion
wrote:

>
>
> On 26/11/16 at 10:35, divagante wrote:
> > Hi everyone!
> >
> >  Well, for the convenience of anyone who wants to help me with some
> > pointers, I'll say that I have been a Debian user for 7 years, but I
> > still haven't found the time or the inclination to get deeply into
> > Unix system administration or networking...
> >  I don't write scripts, and I don't understand networking beyond
> > configuring /etc/network/interfaces with the help of some guide.
> > Something I haven't even done for a while because of managers like
> > wicd or GNOME.
> >
> >  While I don't rule out reading up on and getting into iptables in the
> > future, when I set up a future radio streaming server I would like to
> > start with an intuitive firewall that is easy to manage and has a
> > graphical interface.
> >
> >  Note: I remember that some years ago, using Windows and the Kaspersky
> > antivirus, I installed the latter's firewall, and honestly I found it
> > super intuitive and manageable. You could clearly see the requests
> > some freeware program made to the internet and how it denied them if
> > you decided so with a few clicks.
> >
> >  Thank you very much for your help.
> >
> >
>
> Hi,
>
> Honestly, I haven't used the GUIs for iptables much, but the iptables
> site has a section listing some.
>
> http://www.iptables.info/en/iptables-gui.html
>
> Personally I have used fwbuilder a few times, which is quite good.
> There is plenty of documentation and explanatory videos.
> I don't know whether any of the existing ones can satisfy your
> requirements the way good old Kaspersky did, but let me tell you that
> building a firewall is not such a complicated task, as long as you
> understand the concepts.
>
>


Re: firewall para novatos

2016-11-26 Thread Laotrasolucion


On 26/11/16 at 10:35, divagante wrote:
> Hi everyone!
> 
>  Well, for the convenience of anyone who wants to help me with some
> pointers, I'll say that I have been a Debian user for 7 years, but I
> still haven't found the time or the inclination to get deeply into
> Unix system administration or networking...
>  I don't write scripts, and I don't understand networking beyond
> configuring /etc/network/interfaces with the help of some guide.
> Something I haven't even done for a while because of managers like
> wicd or GNOME.
> 
>  While I don't rule out reading up on and getting into iptables in the
> future, when I set up a future radio streaming server I would like to
> start with an intuitive firewall that is easy to manage and has a
> graphical interface.
> 
>  Note: I remember that some years ago, using Windows and the Kaspersky
> antivirus, I installed the latter's firewall, and honestly I found it
> super intuitive and manageable. You could clearly see the requests
> some freeware program made to the internet and how it denied them if
> you decided so with a few clicks.
> 
>  Thank you very much for your help.
> 
> 

Hi,

Honestly, I haven't used the GUIs for iptables much, but the iptables
site has a section listing some.

http://www.iptables.info/en/iptables-gui.html

Personally I have used fwbuilder a few times, which is quite good.
There is plenty of documentation and explanatory videos.
I don't know whether any of the existing ones can satisfy your
requirements the way good old Kaspersky did, but let me tell you that
building a firewall is not such a complicated task, as long as you
understand the concepts.





Re: Firewall de baixo custo com Debian

2016-08-27 Thread Sinval Júnior
At home I use a Raspberry 2, it works 100%. You can use a 2 or a 3. And
the power consumption is low.

When forwarding this message, please:
1 - Delete my e-mail address;
2 - Forward it as a blind carbon copy (Cco or BCc) to your recipients.
That way you make it harder to spread viruses, spam and banners.

#=+
#!/usr/bin/env python
nome = 'Sinval Júnior'
email = 'sinvalju arroba gmail ponto com'
print(nome)
print(email)
#==+

On 16 August 2016 at 20:52, Rodrigo Cunha
wrote:

> Sirs, I want to set up a firewall/squid and VPN for my home with the
> aim of distributing free internet to two streets near my home.
> My goal, besides providing internet, is to improve my knowledge of
> squid and iptables for sites with few users.
>
> My intention is to spend as little as possible on hardware, since I
> will need to spend on network cable; I intend to put 2 PCs into
> service, one as the firewall and a secondary one as a print and file
> server built with Samba.
>
> Can anyone point me to a PC that can handle the job and is as cheap as
> possible?
> PS: I need a PC with at least 2 PCI slots in case the network
> interfaces burn out.
>
> --
> Best regards,
> Rodrigo da Silva Cunha
>
>


Re: Low-cost firewall with Debian

2016-08-26 Thread Marcos Carraro
If anyone is interested, I have a mini PC sitting idle at home that I used
as a lab: it has an Atom, 2 or 4 GB of RAM, a 120 GB SATA disk, 1 gigabit
port and wireless; I used it with a managed switch.
It served what I needed very well, and the good thing about it is the low
power consumption and that it takes up no space, since it is the size of a router.




*--*
Regards
Marcos Carraro 


On 26 August 2016 at 13:41, Guimarães Faria Corcete DUTRA, Leandro <
l...@dutras.org> wrote:

> 2016-08-26 11:51 GMT-03:00 Diego Neves :
> > On 26 August 2016 at 11:33, Tiago Pigazao 
> wrote:
> >> Rodrigo, in my environment I have a solution very similar to what
> you intend to do... in my case I use a K6-2 500 MHz, 128 MB RAM, 40 GB HD,
> running Debian 5
> >
> > Let's update that, eh.
>
> What for?  He said it is only for study and testing, and for a
> small network.  It's fine.  I would only add more memory or perhaps a
> faster disk, if possible, but it probably isn't even worth it.
>
>
> >> handling the following services just fine: apache (zabbix and sarg for
> squid), squid (ACLs and cache), iptables (filtering only), pptpd (vpn), samba,
> minidlna (media server), bind (internal DNS only), I even have a mysql
> on it heheh to hold zabbix server 2.2...
>
> With PostgreSQL, if Zabbix supports it, it should be even faster and lighter.
>
>
> > of course this is far from ideal, this whole mess is only for
> study/testing, but I end up using it in my home environment for
> real, where we have 4 machines that use it as a proxy, and general
> file sharing
> >
> > As I said before, it would be very good to try to upgrade this
> software, especially because, if you use it for study and testing, Debian 5 has
> been unsupported for a long time now, and a lot has changed
>
> Debian stable and even testing probably support his
> machine, so it could stay the same.
>
>
> >> On 17 August 2016 at 02:12, Rodrigo Cunha 
> wrote:
> >>>
>  My aim is to spend as little as possible on hardware, since I will
> need to spend on network cable; I intend to put 2 PCs to
> work, one as a firewall and a secondary one as a print and file
> server made with samba.
>
> It could be just one.
>
>
>  Can someone point me to a PC that can handle the job and is as cheap
> as possible?
>
> For this use, it is impossible to find one that can't handle it.  You can
> buy the cheapest one you find.
>
> I would also look for quiet and energy-efficient, so perhaps
> fitting the cheapest flash storage unit
> (SSD) may be worth it.
>
>
> --
> skype:leandro.gfc.dutra?chat  Yahoo!: ymsgr:sendIM?lgcdutra
> +55 (61) 3546 7191  gTalk: xmpp:leand...@jabber.org
> +55 (61) 9302 2691ICQ/AIM: aim:GoIM?screenname=61287803
> BRAZIL GMT−3  MSN: msnim:chat?contact=lean...@dutra.fastmail.fm
>
>


Re: Low-cost firewall with Debian

2016-08-26 Thread Guimarães Faria Corcete DUTRA , Leandro
2016-08-26 11:51 GMT-03:00 Diego Neves :
> On 26 August 2016 at 11:33, Tiago Pigazao  wrote:
>> Rodrigo, in my environment I have a solution very similar to what you 
>> intend to do... in my case I use a K6-2 500 MHz, 128 MB RAM, 40 GB HD, 
>> running Debian 5
>
> Let's update that, eh.

What for?  He said it is only for study and testing, and for a
small network.  It's fine.  I would only add more memory or perhaps a
faster disk, if possible, but it probably isn't even worth it.


>> handling the following services just fine: apache (zabbix and sarg for squid), 
>> squid (ACLs and cache), iptables (filtering only), pptpd (vpn), samba, 
>> minidlna (media server), bind (internal DNS only), I even have a mysql on it 
>> heheh to hold zabbix server 2.2...

With PostgreSQL, if Zabbix supports it, it should be even faster and lighter.


> of course this is far from ideal, this whole mess is only for 
> study/testing, but I end up using it in my home environment for real, 
> where we have 4 machines that use it as a proxy, and general file 
> sharing
>
> As I said before, it would be very good to try to upgrade this software, 
> especially because, if you use it for study and testing, Debian 5 has been 
> unsupported for a long time now, and a lot has changed

Debian stable and even testing probably support his
machine, so it could stay the same.


>> On 17 August 2016 at 02:12, Rodrigo Cunha  
>> wrote:
>>>
 My aim is to spend as little as possible on hardware, since I will need 
 to spend on network cable; I intend to put 2 PCs to work, 
 one as a firewall and a secondary one as a print and file server 
 made with samba.

It could be just one.


 Can someone point me to a PC that can handle the job and is as cheap as possible?

For this use, it is impossible to find one that can't handle it.  You can
buy the cheapest one you find.

I would also look for quiet and energy-efficient, so perhaps
fitting the cheapest flash storage unit
(SSD) may be worth it.


-- 
skype:leandro.gfc.dutra?chat  Yahoo!: ymsgr:sendIM?lgcdutra
+55 (61) 3546 7191  gTalk: xmpp:leand...@jabber.org
+55 (61) 9302 2691ICQ/AIM: aim:GoIM?screenname=61287803
BRAZIL GMT−3  MSN: msnim:chat?contact=lean...@dutra.fastmail.fm



Re: Firewall

2016-08-24 Thread Camaleón
On Wed, 24 Aug 2016 10:49:31 -0700, Luis Ernesto Garcia wrote:

> I want to build a mini DMZ, that is three PCs, one with three network
> cards: one card for the ADSL, one for the LAN and another for the DMZ. To
> begin with I am thinking of Debian with iptables and a DNS for the main
> server, and inside the DMZ a server with mail and proxy. Does anyone
> have an idea of how I can start setting up the services or where to
> find information about it?

You can start here:

https://www.google.com/webhp?complete=0=en_rd=cr#complete=0=en=debian+dmz

Regards,

-- 
Camaleón



Re: Firewall

2016-08-24 Thread Eduardo R . Barrera Pérez


On 24/08/16 at 13:49, Luis Ernesto Garcia wrote:

> I want to build a mini DMZ, that is three PCs, one with three network cards: one
> card for the ADSL, one for the LAN and another for the DMZ. To begin with I am
> thinking of Debian with iptables and a DNS for the main server, and inside the
> DMZ a server with mail and proxy. Does anyone have an idea of how I can start
> setting up the services or where to find information about it?


I recommend you set up a pfSense with 3 network interfaces, just as
you want to do, and that in the DMZ you put 1 or 2 Proxmox nodes and build
the servers you want on top of them, either with Ubuntu or Debian.


--
___
Ing. Eduardo R. Barrera Pérez
Network and Services Administrator
Pinar del Río
Email:  ebpr...@yahoo.es
Jabber: eb...@jabber.org
Mobile:  +53-58531759

  __ ___
  ___| |__  _ __  _ __ ___|___  ( _ )
 / _ \ '_ \| '_ \| '__|_  /  / // _ \
|  __/ |_) | |_) | |   / /  / /| (_) |
 \___|_.__/| .__/|_|  /___|/_/  \___/
   |_|
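
For the three-NIC layout in the question (ADSL link, LAN, DMZ holding the mail server and the proxy), here is an added example that is not from the thread or from any of the posters: a POSIX shell function that prints the iptables rule set for that layout so it can be read before it is run (`dmz_rules | sh` applies it). The interface names (ppp0, eth1, eth2), the subnets, the mail and proxy addresses and the squid port 3128 are assumptions and can be overridden through the environment. The shape is the point: replies are accepted before any per-flow rule, there is one rule per flow that is meant to exist, nothing from the DMZ into the LAN is ever accepted, inbound SMTP needs both the DNAT and a matching FORWARD rule, and the default policies are set last.

```shell
#!/bin/sh
# Added example (not from the thread): emit the iptables commands for a
# three-NIC firewall (ADSL/WAN, LAN, DMZ) so the rule set can be reviewed
# first and then applied with:  dmz_rules | sh
# Interface names, subnets and the two DMZ addresses below are assumptions.
WAN=${WAN:-ppp0}                       # ADSL (PPPoE) link
LAN=${LAN:-eth1}
DMZ=${DMZ:-eth2}
LAN_NET=${LAN_NET:-192.168.1.0/24}
DMZ_NET=${DMZ_NET:-192.168.2.0/24}
MAIL_HOST=${MAIL_HOST:-192.168.2.10}   # mail server in the DMZ
PROXY_HOST=${PROXY_HOST:-192.168.2.11} # squid in the DMZ, port 3128

dmz_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -t mangle -F
# traffic to the firewall itself: loopback, replies, DNS from both inside
# networks, ssh from the LAN only
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $DMZ -s $DMZ_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# routed traffic: replies first, then one rule per flow that is meant to exist
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN -> DMZ: only the proxy and the mail server, only their service ports
iptables -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $PROXY_HOST -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $MAIL_HOST -p tcp -m multiport --dports 25,143,587,993 -j ACCEPT
# LAN -> Internet: web must go through the proxy, everything else direct
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp -m multiport --dports 80,443 -j REJECT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
# DMZ -> Internet (outgoing mail, proxy fetches).  DMZ -> LAN has no ACCEPT
# on purpose: a compromised DMZ host must not reach the inside; log attempts.
iptables -A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -j ACCEPT
iptables -A FORWARD -i $DMZ -o $LAN -m limit --limit 5/min -j LOG --log-prefix "dmz-to-lan: "
# Internet -> DMZ: SMTP to the mail server only (address already rewritten by the DNAT below)
iptables -A FORWARD -i $WAN -o $DMZ -d $MAIL_HOST -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# NAT: hide both inside networks behind the ADSL address, publish SMTP
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to-destination $MAIL_HOST
# PPPoE takes 8 bytes of MTU; clamp MSS so large packets survive the ADSL link
iptables -t mangle -A FORWARD -o $WAN -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# default policies last, so an interrupted run cannot lock you out
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

dmz_rules
```

Apply it from the console or from the LAN side the first time, not over the ADSL link, and save the result with `iptables-save` once ssh from the LAN still works. The DNS rules assume the firewall runs the resolver the question mentions; if the resolver lives elsewhere, replace the two port 53 INPUT rules with FORWARD rules to that host.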



Re: Low-cost firewall with Debian

2016-08-16 Thread Rodrigo Cunha
thanks, Thiago!

On 16 August 2016 at 21:29, Thiago Zoroastro <
thiago.zoroas...@yahoo.com.br> wrote:

> Good evening,
>
> I would suggest you look for a Dual Core, preferably an E7500,
> which is 2.93 GHz and performs quite satisfactorily. And it is quite
> economical in power consumption.
>
> In cost-benefit terms it is the best there was on the market, because it is cheap and
> quite efficient: Intel® Core™2 Duo Processor E7500 (3M Cache, 2.93
> GHz, 1066 MHz FSB) Specifications
>
> Intel® Core™2 Duo Processor E7500 (3M Cache, 2.93 GHz, 1066 MHz FSB)
> Specifications quick reference guide, containing specifications,
> features, price calculation...
> View at ark.intel.com
>
>
> On Tuesday, 16 August 2016 at 20:52, Rodrigo Cunha <
> rodrigo.root...@gmail.com> wrote:
>
>
> Gentlemen, I want to set up a firewall/squid and VPN for my home in order
> to distribute free Internet to two streets near my
> house.
> Besides providing Internet, my goal is to improve my knowledge of
> squid and iptables for sites with few users.
>
> My aim is to spend as little as possible on hardware, since I will need
> to spend on network cable; I intend to put 2 PCs to work, one
> as a firewall and a secondary one as a print and file server
> made with samba.
>
> Can someone point me to a PC that can handle the job and is as cheap as possible?
> PS: I need a PC with at least 2 PCI SLOTS in case the network
> interfaces burn out.
>
> --
> Regards,
> Rodrigo da Silva Cunha
>
>
>
>


-- 
Regards,
Rodrigo da Silva Cunha


Re: Low-cost firewall with Debian

2016-08-16 Thread Lucas Castro


On 16-08-2016 20:52, Rodrigo Cunha wrote:
> Gentlemen, I want to set up a firewall/squid and VPN for my home in
> order to distribute free Internet to two streets near
> my house.
> Besides providing Internet, my goal is to improve my knowledge of
> squid and iptables for sites with few users.
>
> My aim is to spend as little as possible on hardware, since I
> will need to spend on network cable; I intend to put 2 PCs
> to work, one as a firewall and a secondary one as a print
> and file server made with samba.
At home I have a 1.6 Atom, working very well.
My daily usage is close to 10 GB/day. I think the savings would start with
not buying 2 PCs;
setting everything up on the same machine would not be a problem, I think.
> Can someone point me to a PC that can handle the job and is as cheap as
> possible?
> PS: I need a PC with at least 2 PCI SLOTS in case the network
> interfaces burn out.
>
> -- 
> Regards,
> Rodrigo da Silva Cunha
>
-- 
Lucas Castro




Re: Low-cost firewall with Debian

2016-08-16 Thread Thiago Zoroastro
Good evening,

I would suggest you look for a Dual Core, preferably an E7500, which is
2.93 GHz and performs quite satisfactorily. And it is quite economical in
power consumption.

In cost-benefit terms it is the best there was on the market, because it is cheap and quite
efficient: Intel® Core™2 Duo Processor E7500 (3M Cache, 2.93 GHz, 1066 MHz FSB)
Specifications

Intel® Core™2 Duo Processor E7500 (3M Cache, 2.93 GHz, 1066 MHz FSB)
Specifications quick reference guide, containing specifications, features,
price calculation... View at ark.intel.com


On Tuesday, 16 August 2016 at 20:52, Rodrigo Cunha
wrote:


 Gentlemen, I want to set up a firewall/squid and VPN for my home in order
to distribute free Internet to two streets near my
house.
Besides providing Internet, my goal is to improve my knowledge of squid and
iptables for sites with few users.

My aim is to spend as little as possible on hardware, since I will need
to spend on network cable; I intend to put 2 PCs to work, one
as a firewall and a secondary one as a print and file server made
with samba.

Can someone point me to a PC that can handle the job and is as cheap as possible?
PS: I need a PC with at least 2 PCI SLOTS in case the network
interfaces burn out.

-- 
Regards,
Rodrigo da Silva Cunha




Re: Firewall - basic config?

2016-04-27 Thread Harris Paltrowitz

On 04/27/2016 05:22 AM, Jonathan Dowland wrote:

> On Sat, Apr 23, 2016 at 01:04:36PM -0400, Harris Paltrowitz wrote:
>
>> 2. I found that "ufw" works as a command-line-based front-end to iptables.
>
> Good call. ufw is (IMHO) one of the best iptables-frontends for basic FWs.
> I am particularly fond of how easy it makes adding a rate-limiting rule.
>
>
>> 3. So after having installed and enabled ufw, here's the output of my
>> "iptables -L" command.
>
> Others have picked over the bones of this, but I'd be more interested in
> seeing the output of "ufw status"



Okay, here's the output of "ufw status verbose":

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

-Harris
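
The `ufw status verbose` output above states the intended policy (deny incoming, allow outgoing); what the kernel actually enforces is what `iptables -S` reports, and the two are worth comparing on a box you administer remotely. As an added example that is not part of the thread, the POSIX shell function below audits an `iptables -S` dump of the INPUT chain against that policy: default DROP, replies to the host's own connections accepted, nothing ACCEPTed except the ports on an explicit allow-list, and ssh carrying the rate limit that `ufw limit ssh` installs (a source is dropped after 6 new connections in 30 seconds). The dump in `sample_dump` is constructed and simplified: real ufw output spreads the same rules across its ufw-* chains.

```shell
#!/bin/sh
# Added example: check that an `iptables -S` dump really implements
# "default deny incoming, allow outgoing" with an explicit allow-list.

# Constructed, simplified dump for offline use.  Real ufw output spreads
# these rules over ufw-* chains; the logic audited is the same.
sample_dump() {
  cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
EOF
}

# audit_input "22 80 443"   reads the dump on stdin, prints one line per
# finding and returns 1 if anything is wrong, 0 if the chain is clean.
audit_input() {
  allowed=$1
  dump=$(cat)
  rc=0

  # 1. Default policy must be DROP ("Default: deny (incoming)").
  if ! printf '%s\n' "$dump" | grep -qx -- '-P INPUT DROP'; then
    echo "FAIL: INPUT policy is not DROP"; rc=1
  fi

  # 2. Replies to the box's own outbound connections must be let back in,
  #    otherwise even apt-get hangs once the policy is DROP.
  if ! printf '%s\n' "$dump" | grep -Eq -- '^-A INPUT .*--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT'; then
    echo "FAIL: no ESTABLISHED,RELATED accept rule on INPUT"; rc=1
  fi

  # 3. Every destination port that is ACCEPTed must be on the allow-list.
  ports=$(printf '%s\n' "$dump" | awk '/^-A INPUT / && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i+1) }' | sort -u)
  for port in $ports; do
    case " $allowed " in
      *" $port "*) ;;
      *) echo "FAIL: port $port accepted but not in allow-list ($allowed)"; rc=1 ;;
    esac
  done

  # 4. If ssh is open it should carry the rate limit that `ufw limit ssh`
  #    installs (-m recent --update --seconds 30 --hitcount 6).
  case " $allowed " in
    *" 22 "*)
      if ! printf '%s\n' "$dump" | grep -q -- '--dport 22 .*-m recent --update --seconds [0-9][0-9]* --hitcount [0-9][0-9]*'; then
        echo "FAIL: ssh open without a rate-limit rule"; rc=1
      fi ;;
  esac
  return $rc
}

# Offline demo against the constructed dump; on a real host feed it
# `iptables -S INPUT` instead of sample_dump.
sample_dump | audit_input "22 80 443" && echo "INPUT chain matches policy"
```

Run it before `ufw enable` on a remote box the same way: if the check for port 22 fails, the next `enable` is the moment you lose the session, which is the lock-out described earlier in this thread.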



Re: Firewall - basic config?

2016-04-27 Thread Jonathan Dowland
On Sat, Apr 23, 2016 at 01:04:36PM -0400, Harris Paltrowitz wrote:
> 2. I found that "ufw" works as a command-line-based front-end to iptables.

Good call. ufw is (IMHO) one of the best iptables-frontends for basic FWs.
I am particularly fond of how easy it makes adding a rate-limiting rule.

> 3. So after having installed and enabled ufw, here's the output of my
> "iptables -L" command.

Others have picked over the bones of this, but I'd be more interested in
seeing the output of "ufw status"

-- 
Jonathan Dowland
Please do not CC me, I am subscribed to the list.



Re: Firewall - basic config?

2016-04-27 Thread cbannister
On Sat, Apr 23, 2016 at 01:04:36PM -0400, Harris Paltrowitz wrote:
> Hi List,
> 
> I have a question regarding how I've configured my iptables to act as a very
> basic "firewall", i.e., one that simply prevents any and all incoming
> connections.  Now, from my readings over the past several days I think I've
> learned that at least some of my outgoing requests will have responses that
> should be allowed to come back in -- but aside from that, I essentially want
> my firewall to act in a very "default" method, i.e., the way a complete
> neophyte would expect his or her firewall to work within Windows or Mac.

Have a look at shorewall, it saves you from having to worry about all that 
nonsense.

[snipped all that nonsense.]

-- 
The media's the most powerful entity on earth. 
They have the power to make the innocent guilty 
and to make the guilty innocent, and that's power.
 -- Malcolm X


