Although not part of the standard distribution of iptables, I believe that several users use the rc.firewall scripts on their websites, so I am copying the iptables user mailing list to document the problem with the iptables.firewall script.
Chris:

The iptables script is an open source script I use (as a baseline) for our DMZ/intranet firewall. The script is not used as a default in any systems that I am aware of.

I found the problem when I was designing a website for a Realtor. They wanted a link to their listings on desertareamls.com and I was having trouble accessing their site from behind my firewall. I suspect that anyone with enough knowledge to use the script would also be able to find the problem pretty quickly.

The URL of the original source code is http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/ and was based on Jean-Sebastien Morisset's ipchains script which no longer seems to be readily available. I am sure they will fix the problem promptly.

The ranges included in the RESERVED_NET list are set to prevent spoofed attacks from IP addresses not assigned by Arin. The firewall script was written before Arin started allocating the 67.0.0.0/7 range sometime last year. See http://www.ripe.net/ripe/mail-archives/eof-list/20010401-20010701/msg00015.html for more information.

-- 
Joel Griffiths
Sr. Internet Engineer
Aver Drivetronics
joelg at averdrivetronics.com
http://www.averdrivetronics.com/
760-568-4351

On Thursday 28 February 2002 11:53 pm, you wrote:
> Hi Joel, thanks for noticing this...hopefully sentry.net will be able to
> take care of it. Can you give me a little bit more detail as to what
> they've done? It seems as if they've done some sort of supernetting or
> other filtering that is blocking access to our address range...also, how
> did you discover this? Thanks!
>
> -Chris Sherwood
> Systems Administrator
> Rapattoni Corporation
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Joel Griffiths [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 28, 2002 2:23 PM
> To: [EMAIL PROTECTED]
> Cc: Chris Sherwood
> Subject: 67.0.0.0 filter filters out valid ip addresses
>
> Hello:
>
> I found that the ip address 67.0.0.0/8 in your iptables script filters out
> valid internet addresses. An example is www.desertareamls.com
>
> [joelg@taz prucal]$ host www.desertareamls.com
> www.desertareamls.com. has address 67.97.95.48
> [joelg@taz prucal]$ whois desertareamls.com
> [whois.crsnic.net]
>
> Whois Server Version 1.3
>
> Domain names in the .com, .net, and .org domains can now be registered
> with many different competing registrars. Go to http://www.internic.net
> for detailed information.
>
> Domain Name: DESERTAREAMLS.COM
> Registrar: NETWORK SOLUTIONS, INC.
> Whois Server: whois.networksolutions.com
> Referral URL: http://www.networksolutions.com
> Name Server: DNS1.RAPMLS.COM
> Name Server: DNS2.RAPATTONI.COM
> Updated Date: 10-jan-2002
>
> >>> Last update of whois database: Thu, 28 Feb 2002 05:25:39 EST <<<
>
> The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
> Registrars.
>
>
> [whois.networksolutions.com]
> The Data in the VeriSign Registrar WHOIS database is provided by VeriSign
> for information purposes only, and to assist persons in obtaining
> information about
> or related to a domain name registration record. VeriSign does not
> guarantee its accuracy. Additionally, the data may not reflect updates to
> billing contact
> information. By submitting a WHOIS query, you agree to use this Data only
> for lawful purposes and that under no circumstances will you use this Data
> to: (1) allow, enable, or otherwise support the transmission of mass
> unsolicited, commercial advertising or solicitations via e-mail, telephone,
> or facsimile; or
> (2) enable high volume, automated, electronic processes that apply to
> VeriSign (or its computer systems). The compilation, repackaging,
> dissemination or other use of this Data is expressly prohibited without the
> prior written consent of VeriSign. VeriSign reserves the right to
> terminate your access to the VeriSign Registrar WHOIS database in its sole
> discretion, including without limitation, for excessive querying of the
> WHOIS database or for failure
> to otherwise abide by this policy. VeriSign reserves the right to modify
> these
> terms at any time. By submitting this query, you agree to abide by this
> policy.
>
>
> Registrant:
> RAPATTONI CORPORATION (DESERTAREAMLS-DOM)
> 98 West Cochran Street
> SIMI VALLEY, CA 93065
> US
>
> Domain Name: DESERTAREAMLS.COM
>
> Administrative Contact, Technical Contact:
> Sherwood, Chris (CS24906) [EMAIL PROTECTED]
> Rapattoni Corporation
> 98 West Cochran St.
> Simi Valley, CA 93065
> US
> 805-520-9755 123 123 1234
> Billing Contact:
> RAPATTONI CORPORATION (J6272-OR) [EMAIL PROTECTED]
> RAPATTONI CORPORATION
> 98 West Cochran Street
> SIMI VALLEY, CA 93065
> US
> 805 520 9755 fax: 805 520 9894
>
> Record last updated on 10-Jan-2002.
> Record expires on 01-Feb-2003.
> Record created on 01-Feb-2001.
> Database last updated on 28-Feb-2002 04:00:00 EST.
>
> Domain servers in listed order:
>
> DNS1.RAPMLS.COM 67.97.95.2
> DNS2.RAPATTONI.COM 67.97.95.67
>
>
> [joelg@taz prucal]$
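The failure described in this thread is the general one for any hand-maintained RESERVED_NET-style bogon list: entries stay in the script after the registry allocates the space, and legitimate hosts get dropped. The following added example (not code from rc.firewall or from anyone on the thread) audits such a list against addresses that must stay reachable and reports the entries that block them; the list and the host table are constructed for illustration, with the 67.97.95.x addresses taken from the quoted host/whois output.

```python
"""Audit a RESERVED_NET-style list for entries that block legitimate hosts.

Constructed example: the list mixes RFC 1918 and loopback space with the
stale 67.0.0.0/8 entry discussed in the thread.
"""
import ipaddress
from typing import Dict, List

# Constructed sample of a RESERVED_NET list as a firewall script might define it.
RESERVED_NET = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "127.0.0.0/8",
    "67.0.0.0/8",   # reserved when the script was written, allocated by ARIN later
]

# Constructed table of hosts that must stay reachable (addresses from the thread).
MUST_REACH = {
    "www.desertareamls.com": "67.97.95.48",
    "DNS1.RAPMLS.COM": "67.97.95.2",
    "DNS2.RAPATTONI.COM": "67.97.95.67",
}


def parse_reserved(entries: List[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings strictly, so a typo such as 67.1.0.0/8 fails loudly."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def blocking_entries(addr: str, nets: List[ipaddress.IPv4Network]) -> List[str]:
    """Return every reserved entry that matches (and would therefore drop) addr."""
    ip = ipaddress.ip_address(addr)
    return [str(n) for n in nets if ip in n]


def audit(reserved: List[str], must_reach: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each hostname to the entries blocking it; an empty list means reachable."""
    nets = parse_reserved(reserved)
    return {host: blocking_entries(ip, nets) for host, ip in must_reach.items()}


def stale_entries(reserved: List[str], must_reach: Dict[str, str]) -> List[str]:
    """Entries that block at least one legitimate host: candidates for removal."""
    return sorted({e for hits in audit(reserved, must_reach).values() for e in hits})


if __name__ == "__main__":
    for host, hits in audit(RESERVED_NET, MUST_REACH).items():
        print(f"{host:24} {'BLOCKED by ' + ', '.join(hits) if hits else 'ok'}")
    print("stale candidates:", stale_entries(RESERVED_NET, MUST_REACH))
```

Running the audit after each registry allocation announcement, with the host table drawn from the sites you actually need to reach, turns a stale bogon entry into a visible report instead of a mystery outage.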