Re: [Dnsmasq-discuss] iptables configuration drops packets

2008-05-17 Thread /dev/rob0
On Fri May 16 2008 13:30:01 Adam Hardy wrote:
> I set up iptables myself today after using an obtusely written
> script for some time.

I don't think this one is much better. :( Start simpler.  A good 
starting point is Rusty's Packet Filtering HOWTO, Really Quick Guide:

http://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-5.html

> I am trying to work out whether everything is in order and I am
> seeing logs from iptables saying that it is dropping packets from the

Routine logging is an easy way to DoS yourself. When you have it all 
working, stop the -j LOG rules.

> machine every 12 minutes, which doesn't make sense - here's a line
> from the log:
>
> May 16 19:21:10 isengard kernel: dropped from OUTPUT IN= OUT=eth1
> SRC=192.168.0.2 DST=192.168.0.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64
> ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=217

Assuming that the --log-prefix is correct and that your iptables 
machine's IP address is 192.168.0.2, do tell, WHY are you blocking 
OUTPUT? What is your threat model?

My rule of thumb: if you have to ask for help with iptables, you need 
ACCEPT policy (and no blocking) in OUTPUT.

> The machine is running dhclient3 and dnsmasq and it acts as a

Irrelevant.

> I'm trying to find out what the broadcast address is for and I'm
> pretty much in the dark despite looking around the mailing list and
> google.

This is the old Netbios protocol, kludged up by Microsoft in the 
1990's, to enable peer-to-peer file sharing on IP networks without 
proper DNS services. I think you can turn it off in Samba's nmbd(8). 
But your best bet is to just stop blocking OUTPUT.

You most likely also do not want much if any filtering on your LAN 
interface. You should only filter INPUT and FORWARD traffic on your 
external interface. If you really have a threat inside your RFC 1918 
netblocks, I would suggest a physical approach: pull the plug on it.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
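Added example, not code from the thread or from dnsmasq: a minimal gateway ruleset in iptables-restore(8) format that follows the advice above. OUTPUT stays at ACCEPT, INPUT and FORWARD are filtered on the external interface only, and the LAN side is trusted. Two additions of my own: every LOG rule carries `-m limit`, the caveat for anyone who keeps logging anyway so that a flood cannot fill the disk, and a FORWARD rule rejects direct SMTP from LAN hosts, which is the spam-trojan case raised later in the thread. Interface names (eth0 external, eth1 LAN as in the posted log line) and the 192.168.0.0/24 netblock are assumptions.

```shell
#!/bin/sh
# Added example (mine, not from the thread): minimal home-gateway ruleset.
# Interface names and the LAN netblock are assumptions; adjust them.
WAN=${WAN:-eth0}                  # assumed Internet-facing interface
LAN=${LAN:-eth1}                  # assumed LAN interface (eth1 in the log above)
LANNET=${LANNET:-192.168.0.0/24}  # assumed LAN netblock

# Print the ruleset in iptables-restore(8) format. Nothing is applied here;
# pipe the output into iptables-restore (see apply_rules) to load it.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: trust loopback and the LAN side; from the WAN, only replies to our own traffic.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what the WAN throws at us, capped at 5 lines a minute (burst 10).
-A INPUT -i $WAN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "dropped from INPUT: "
-A INPUT -i $WAN -j DROP
# FORWARD: LAN hosts may go out, except straight to remote port 25 (spam cannon).
# Mail clients should use their provider's submission port (587) instead.
-A FORWARD -i $LAN -o $WAN -p tcp --dport 25 -m limit --limit 5/min -j LOG --log-prefix "LAN smtp blocked: "
-A FORWARD -i $LAN -o $WAN -p tcp --dport 25 -j REJECT --reject-with tcp-reset
-A FORWARD -i $LAN -s $LANNET -o $WAN -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "dropped from FORWARD: "
-A FORWARD -j DROP
COMMIT
EOF
}

# Load the whole table atomically; run as root with --apply.
apply_rules() {
    gen_rules | iptables-restore
}

case ${1:-} in
    --apply) apply_rules ;;
    *)       gen_rules ;;
esac
```

Run without arguments to review the generated rules; `sh fw.sh --apply` loads them. Because iptables-restore replaces the table in one step there is no window where a half-loaded ruleset is active, which a long list of individual iptables calls does not give you.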



Re: [Dnsmasq-discuss] iptables configuration drops packets

2008-05-17 Thread Adam Hardy

/dev/rob0 on 17/05/08 00:36, wrote:
> On Fri May 16 2008 13:30:01 Adam Hardy wrote:
>> I set up iptables myself today after using an obtusely written
>> script for some time.
>
> I don't think this one is much better. :( Start simpler.  A good
> starting point is Rusty's Packet Filtering HOWTO, Really Quick Guide:
>
> http://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-5.html

I can appreciate minimalism, thanks. I'll definitely peruse that. My script is 
based on the obtuse script I had earlier (generated by fwbuilder) but 
rationalised by myself - we're talking rationalised as far as my understanding 
of iptables goes, rather than what I desire for the end result. I'm pretty close 
though I think.

>> I am trying to work out whether everything is in order and I am
>> seeing logs from iptables saying that it is dropping packets from the
>
> Routine logging is an easy way to DoS yourself. When you have it all
> working, stop the -j LOG rules.
>
>> machine every 12 minutes, which doesn't make sense - here's a line
>> from the log:
>>
>> May 16 19:21:10 isengard kernel: dropped from OUTPUT IN= OUT=eth1
>> SRC=192.168.0.2 DST=192.168.0.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64
>> ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=217
>
> Assuming that the --log-prefix is correct and that your iptables
> machine's IP address is 192.168.0.2, do tell, WHY are you blocking
> OUTPUT? What is your threat model?

Basically I have 3 housemates who I allow on the wireless LAN with their 
laptops, and of course they all run windows, so I just want to make sure. I'd 
rather not run the risk of someone leaving their PC on with a spam cannon trojan 
running. I've forbidden Outlook and MSIE, so perhaps I'm being too keen, but I 
figured I'd log what OUTPUT drops and figure out where it's coming from and 
whether it's kosher or not, and adapt when necessary.

And I've seen the buffering config that can prevent log flooding, so I should be 
OK vis a vis DoS.

>> I'm trying to find out what the broadcast address is for and I'm
>> pretty much in the dark despite looking around the mailing list and
>> google.
>
> This is the old Netbios protocol, kludged up by Microsoft in the
> 1990's, to enable peer-to-peer file sharing on IP networks without
> proper DNS services. I think you can turn it off in Samba's nmbd(8).
> But your best bet is to just stop blocking OUTPUT.
>
> You most likely also do not want much if any filtering on your LAN
> interface. You should only filter INPUT and FORWARD traffic on your
> external interface. If you really have a threat inside your RFC 1918
> netblocks, I would suggest a physical approach: pull the plug on it.

Point taken - if it takes me too long to figure out the rule I need, I may just 
go that way.



Thanks
Adam




Re: [Dnsmasq-discuss] iptables configuration drops packets

2008-05-17 Thread /dev/rob0
On Sat May 17 2008 11:18:38 Adam Hardy wrote:
>> Assuming that the --log-prefix is correct and that your iptables
>> machine's IP address is 192.168.0.2, do tell, WHY are you blocking
>> OUTPUT? What is your threat model?

> Basically I have 3 housemates who I allow on the wireless LAN with
> their laptops, and of course they all run windows, so I just want to
> make sure. I'd rather not run the risk of someone leaving their PC on
> with a spam cannon trojan running. I've forbidden Outlook and MSIE,
> so perhaps I'm being too keen, but I figured I'd log what OUTPUT
> drops and figure out where it's coming from and whether it's kosher
> or not, and adapt when necessary.

In that case, as best as I can tell, you are not understanding what 
OUTPUT is. Built-in chains in the filter table:
INPUT  :Packets destined to the iptables machine
OUTPUT :Packets originated from the iptables machine
FORWARD:All other (neither source nor dest. is local)
Any given packet hits exactly one chain, with the exception of the 
loopback interface, which first hits OUTPUT and then INPUT. Note also 
that the PREROUTING and OUTPUT chains in the nat table can change the 
filter chain any given packet would hit.

Your housemates would be sending FORWARD traffic, coming in the LAN 
interface, going out the Internet/external one.

Here's a good netfilter help site:
http://danieldegraaf.afraid.org/info/iptables/examples
Unfortunately seems to be down now, but it's in the Google cache. 
(Dynamic IP, I think it will be back later.)
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
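The chain table rob0 gives above can be read straight off the IN=/OUT= fields of a kernel LOG line: an empty IN= means the packet was generated locally (OUTPUT), an empty OUT= means it was addressed to the box (INPUT), and both set means it was routed through (FORWARD). As an added example, not code from the thread, the POSIX sh function below does that triage and flags the NetBIOS name/datagram broadcast (UDP to port 137 or 138 at the LAN broadcast address) that Adam asked about. The first sample line is the one from Adam's post; the other two are constructed. The broadcast address is passed in explicitly rather than guessed from the last octet, since that only works for a /24.

```shell
#!/bin/sh
# Added example (not from the thread): classify iptables LOG lines by the
# filter chain they traversed and flag NetBIOS broadcast chatter.
#   IN= empty, OUT= set   -> locally generated (OUTPUT)
#   IN= set,   OUT= empty -> locally destined  (INPUT)
#   both set              -> routed through us (FORWARD)

# classify_log_line LINE BROADCAST_ADDR
# Prints: CHAIN PROTO SRC:SPT DST:DPT [netbios-broadcast]
classify_log_line() {
    line=$1
    bcast=${2:-}
    ifin= ifout= src= dst= proto= spt= dpt=
    # Every field the LOG target emits is KEY=VALUE; pick out the ones we need.
    for tok in $line; do
        case $tok in
            IN=*)    ifin=${tok#IN=} ;;
            OUT=*)   ifout=${tok#OUT=} ;;
            SRC=*)   src=${tok#SRC=} ;;
            DST=*)   dst=${tok#DST=} ;;
            PROTO=*) proto=${tok#PROTO=} ;;
            SPT=*)   spt=${tok#SPT=} ;;
            DPT=*)   dpt=${tok#DPT=} ;;
        esac
    done
    if [ -z "$ifin" ] && [ -n "$ifout" ]; then chain=OUTPUT
    elif [ -n "$ifin" ] && [ -z "$ifout" ]; then chain=INPUT
    elif [ -n "$ifin" ] && [ -n "$ifout" ]; then chain=FORWARD
    else chain=UNKNOWN
    fi
    # NetBIOS name service (137) / datagram service (138) sent to the broadcast
    # address: the periodic chatter from the original post.
    note=
    if [ "$proto" = UDP ] && { [ "$dpt" = 137 ] || [ "$dpt" = 138 ]; } \
       && [ -n "$bcast" ] && [ "$dst" = "$bcast" ]; then
        note=" netbios-broadcast"
    fi
    printf '%s %s %s:%s %s:%s%s\n' "$chain" "$proto" "$src" "$spt" "$dst" "$dpt" "$note"
}

# Sample lines: the first is from the post above, the other two are constructed.
SAMPLE_OUTPUT='May 16 19:21:10 isengard kernel: dropped from OUTPUT IN= OUT=eth1 SRC=192.168.0.2 DST=192.168.0.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=217'
SAMPLE_FORWARD='May 16 19:30:00 isengard kernel: dropped from FORWARD IN=eth1 OUT=eth0 SRC=192.168.0.7 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4242 DF PROTO=TCP SPT=49152 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0'
SAMPLE_INPUT='May 16 19:31:00 isengard kernel: dropped from INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

for l in "$SAMPLE_OUTPUT" "$SAMPLE_FORWARD" "$SAMPLE_INPUT"; do
    classify_log_line "$l" 192.168.0.255
done
```

In practice you would feed it `grep 'dropped from' /var/log/kern.log` one line at a time; anything that comes out tagged OUTPUT was sent by the gateway itself, not by a housemate's laptop, which is exactly the distinction the reply above is making.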