VectorLinux
Author Topic: firewall  (Read 3185 times)
mrmodolo (Member, Posts: 2)
« on: October 16, 2007, 05:38:51 am »

Hi, I am new to Vector...
I am trying to set up the firewall. I do all the steps in the documentation:
sudo /sbin/vfirewall
... new
... open ports (in this case ssh)

My LAN is at 10.1.1.0
The machine with Vector has IP 10.1.1.26

From the machine with IP 10.1.1.25, I cannot ssh to 10.1.1.26.
But if I stop the firewall, ssh works!!!
I looked inside rc.firewall after opening the ssh port but cannot find any rules for this port!!!

What am I doing wrong??

Thanks!!

Marcelo Módolo (Brasil - Rio de Janeiro)
bigpaws (Vectorian, Posts: 1856)
« Reply #1 on: October 16, 2007, 10:42:02 am »

Which version of Vector Linux are you using?

To list your iptables rules, use this in the console as root:

iptables -L

Bigpaws
mrmodolo (Member, Posts: 2)
« Reply #2 on: October 17, 2007, 06:12:54 am »

Hi!!
I made some changes and now sshd works!!

1 - If I use vasm to create a new firewall, open some ports, etc., sshd does not work; I cannot connect from other machines on my local network...

2 - I made this change in /etc/rc.d/init.d/firewall:
#PERMIT="192.168.0.0/24 445/tcp 137-139/tcp 445/udp 137-139/udp"
PERMIT="10.1.1.0/8 445/tcp 137-139/tcp 445/udp 137-139/udp 22/tcp 22/udp"
The line with # is the original. I know nothing about ipchains, but I changed the net to 10.1.1.0/8 and added ports 22 tcp/udp.

3 - I set sshd to start in every runlevel with VASM, but after initialization and the change to rc.X the ssh daemon stops!! So I put /etc/rc.d/init.d/sshd start in the file /etc/rc.d/rc.local!!

Now I can connect from other machines to Vector!!!

My Vector is Vector 5.8 GOLD
My iptables -L:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpts:netbios-ns:netbios-ssn
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:microsoft-ds
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpts:netbios-ns:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ssh
ACCEPT     all  --  anywhere             anywhere           
TRUSTED    all  --  anywhere             anywhere            state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  anywhere             anywhere            state INVALID

Chain TRUSTED (1 references)
target     prot opt source               destination         
ACCEPT     all  --  10.0.0.0/8           anywhere           
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
DROP       icmp --  anywhere             anywhere           
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

thanks!!
Marcelo Módolo (Brasil - Rio de Janeiro)

desmogiallo (Member, Posts: 15)
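A worked example, added here and not part of the thread or of VectorLinux's rc.firewall (the post shows only the PERMIT line, not the script that consumes it): a small Python script that expands a PERMIT-style string into iptables commands laid out the way the `iptables -L` listing above shows them, and flags a network token that is wider than it looks. The PERMIT syntax is inferred from the two lines quoted in the post; the command templates and the mapping of the network token onto the TRUSTED chain are assumptions.

```python
"""Added example (not VectorLinux's rc.firewall, whose internals the thread
does not show): expand a PERMIT-style string into iptables commands laid out
the way the posted `iptables -L` output shows them, and flag a network token
whose prefix length silently widens it. The PERMIT syntax is inferred from
the two lines quoted in the post; the command templates are assumptions."""
import ipaddress
import re

# "<port>/<proto>" or "<low>-<high>/<proto>", as in the PERMIT lines above
PORT_SPEC = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?/(tcp|udp)$")


def normalize_network(cidr):
    """Return the network iptables will actually install and whether that
    differs from what was typed. "10.1.1.0/8" has host bits set, so the
    kernel masks it to 10.0.0.0/8: 16,777,216 addresses, not one LAN."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net), str(net) != cidr


def permit_to_iptables(permit):
    """Translate one PERMIT string. Mirroring the listing in the thread, each
    port spec becomes an INPUT rule open to any source, and the network token
    becomes an 'ACCEPT all' entry in the TRUSTED chain."""
    tokens = permit.split()
    if not tokens:
        raise ValueError("empty PERMIT string")
    network, widened = normalize_network(tokens[0])
    cmds = []
    for tok in tokens[1:]:
        m = PORT_SPEC.match(tok)
        if not m:
            raise ValueError(f"bad port spec: {tok!r}")
        low, high, proto = int(m.group(1)), m.group(2), m.group(3)
        high = int(high) if high is not None else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port out of range: {tok!r}")
        dport = str(low) if low == high else f"{low}:{high}"
        cmds.append(f"iptables -A INPUT -p {proto} -m state --state NEW "
                    f"--dport {dport} -j ACCEPT")
    cmds.append(f"iptables -A TRUSTED -s {network} -j ACCEPT")
    return network, widened, cmds


def audit(permit):
    """Return (commands, warnings) for one PERMIT string."""
    network, widened, cmds = permit_to_iptables(permit)
    warnings = []
    if widened:
        size = ipaddress.ip_network(network).num_addresses
        warnings.append(f"{permit.split()[0]} is installed as {network} "
                        f"({size} addresses are fully trusted)")
    if "22/udp" in permit.split():
        warnings.append("22/udp opens nothing useful: sshd listens on TCP only")
    return cmds, warnings


if __name__ == "__main__":
    # The original line, the edited line from the post, and what the post describes
    for line in ("192.168.0.0/24 445/tcp 137-139/tcp 445/udp 137-139/udp",
                 "10.1.1.0/8 445/tcp 137-139/tcp 445/udp 137-139/udp 22/tcp 22/udp",
                 "10.1.1.0/24 22/tcp"):
        cmds, warnings = audit(line)
        print(f'PERMIT="{line}"')
        for c in cmds:
            print("   ", c)
        for w in warnings:
            print("    WARNING:", w)
```

Running it shows that 10.1.1.0/8 is installed as 10.0.0.0/8, which the listing above confirms (the TRUSTED chain shows 10.0.0.0/8): every host in the whole 10/8 block, not just the 10.1.1.x LAN, lands in the chain that accepts all traffic. 10.1.1.0/24 is what the post describes. The per-port entries carry no source restriction at all, so they are open to any address that can reach the box, and 22/udp opens nothing useful because sshd listens on TCP only.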
« Reply #3 on: December 06, 2007, 12:03:17 am »

Hi! First of all: I'm running VL 5.8 std, I've got a DSL USB modem and (for now) I've got no local network.
I have to get some ISOs via BitTorrent, but it runs very slowly and reports that it's being firewalled. I decided to edit iptables in order to open ports 6881:6889, and so I did.
Now the iptables output is:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpts:netbios-ns:netbios-ssn
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:microsoft-ds
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpts:netbios-ns:netbios-ssn
ACCEPT     all  --  anywhere             anywhere
TRUSTED    all  --  anywhere             anywhere            state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6881
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6882
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6883
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6884
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6885
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6886
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6887
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6888

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere            state INVALID

Chain TRUSTED (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/24       anywhere
ACCEPT     icmp --  anywhere             d83-184-26-133.cust.**** icmp echo-request
DROP       icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
(ah, that's what I used to open ports: iptables -A INPUT -p tcp --dport 6881 -j ACCEPT )
The problem is... nothing has changed. I restarted the firewall, I restarted the program, I opened /etc/rc.d/rc.firewall but I don't know how to edit it.
Any hints?
Thanks :)
Triarius Fidelis (Vecteloper, Vectorian, Posts: 2399)
Domine, exaudi vocem meam
« Reply #4 on: December 06, 2007, 12:14:43 am »

> (ah, that's what I used to open ports: iptables -A INPUT -p tcp --dport 6881 -j ACCEPT )
> The problem is... nothing has changed. I restarted the firewall, I restarted the program, I opened /etc/rc.d/rc.firewall but I don't know how to edit it.
> Any hints?
> Thanks :)

Were you in root mode at the time (i.e., logged in as root or under 'su')?

"Leatherface, you BITCH! Ho Chi Minh, hah hah hah!"

Formerly known as "Epic Fail Guy" and "Döden" in recent months
desmogiallo (Member, Posts: 15)
« Reply #5 on: December 06, 2007, 12:17:38 am »

Oh, yes... I was root. (rolls eyes)
bigpaws (Vectorian, Posts: 1856)
« Reply #6 on: December 06, 2007, 06:44:52 am »

How did you find out it is firewalled?

Did you check the modem for a firewall?

Your rules are fine for allowing the ports which is
why I asked about the modem.

Bigpaws
desmogiallo (Member, Posts: 15)
« Reply #7 on: December 06, 2007, 08:25:45 am »

I don't know... better: I don't think the modem is firewalled. I use the eciadsl driver, and everything works fine... no strange logs, I really don't know. It's not a router or anything, it's a simple Kraun DSL modem via USB.
Could it be...
1) the lines about opening ports 6881:6889 are not in the right section? I found on the web that it could be possible to use another argument (-I instead of -A, but I'm not sure)...
2) I didn't open the ports for outgoing connections... maybe BitTorrent reports it's firewalled because of that, and it doesn't exchange the downloaded parts for that reason.
Could it be?


PS: I noticed BitTorrent runs firewalled because the "firewalled" icon is on, and the little dialog says that too. And in fact the connection speed is low and there are several hours with no upload or download (even if the ISOs I looked for, live distros, have lots of seeders/leechers).
« Last Edit: December 06, 2007, 08:37:05 am by desmogiallo »
Triarius Fidelis (Vecteloper, Vectorian, Posts: 2399)
« Reply #8 on: December 06, 2007, 04:23:15 pm »

> Oh, yes... I was root. (rolls eyes)

So are you asking about which editor you should use to edit the file in root? Even something simple like 'mousepad' would suffice.
desmogiallo (Member, Posts: 15)
« Reply #9 on: December 06, 2007, 11:12:04 pm »

Oh, no... I used adie, but this is not the point. The problem is that even if I opened some ports, BitTorrent still runs firewalled. The iptables output is up there (but later I opened 6881:6889 even for outgoing traffic), while I opened rc.firewall and everything seems OK (but I don't know what I should edit/change... so that's not interesting news).
Triarius Fidelis (Vecteloper, Vectorian, Posts: 2399)
« Reply #10 on: December 07, 2007, 06:32:48 am »

> Oh, no... I used adie, but this is not the point. The problem is that even if I opened some ports, BitTorrent still runs firewalled. The iptables output is up there (but later I opened 6881:6889 even for outgoing traffic), while I opened rc.firewall and everything seems OK (but I don't know what I should edit/change... so that's not interesting news).

Add the iptables -A INPUT -p tcp --dport 6881 -j ACCEPT to other lines where you see similar forms, I would guess.
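As an added example that is not part of the thread: a small Python model of how iptables walks a chain (first match wins; a jump into a user chain comes back to the caller only if nothing terminal matched there), loaded with the INPUT and TRUSTED chains desmogiallo posted in Reply #3. It shows why rules appended with -A end up after the jump to TRUSTED, whose final "REJECT all" catches every NEW packet first, and what -I (insert at a position) changes, which is the guess in Reply #7. The peer address 203.0.113.7, the interface name ppp0, and treating the bare "ACCEPT all anywhere anywhere" line as a loopback-only rule are constructed assumptions; `iptables -L` hides the interface column unless -v is given.

```python
"""Added example (not from the thread or VectorLinux): a small model of how
iptables walks a chain, loaded with the INPUT and TRUSTED chains desmogiallo
posted. It shows why rules appended with -A after the jump to TRUSTED are
never evaluated for NEW packets, and what -I (insert) changes. The source
address, interface name and the loopback assumption are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str                 # ACCEPT, DROP, REJECT, RETURN or a user chain to jump to
    proto: str = "all"          # all, tcp, udp or icmp
    src: str = "0.0.0.0/0"
    dports: tuple = None        # (low, high) inclusive, or None for any port
    states: frozenset = None    # conntrack states for "-m state", None for any
    iface: str = None           # "-i" match; hidden by iptables -L without -v
    icmp_type: int = None       # 8 = echo-request

    def matches(self, pkt):
        if self.proto != "all" and pkt["proto"] != self.proto:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dports and not self.dports[0] <= pkt.get("dport", -1) <= self.dports[1]:
            return False
        if self.states and pkt["state"] not in self.states:
            return False
        if self.iface and pkt.get("iface") != self.iface:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        return True


@dataclass
class Ruleset:
    policies: dict = field(default_factory=dict)  # built-in chain -> default verdict
    chains: dict = field(default_factory=dict)    # chain name -> [Rule, ...]

    def append(self, chain, rule):                # iptables -A CHAIN ...
        self.chains.setdefault(chain, []).append(rule)

    def insert(self, chain, rule, pos=1):         # iptables -I CHAIN [pos] ..., 1-based
        self.chains.setdefault(chain, []).insert(pos - 1, rule)

    def verdict(self, chain, pkt):
        """First matching terminal rule wins. A user chain that matches nothing
        returns None (implicit RETURN); a built-in chain falls back to its policy."""
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                break
            sub = self.verdict(rule.target, pkt)   # jump into a user chain
            if sub is not None:
                return sub
        return self.policies.get(chain)


def posted_ruleset():
    """The INPUT and TRUSTED chains from the posted `iptables -L`, in listed order."""
    rs = Ruleset(policies={"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"})
    new = frozenset({"NEW"})
    rs.append("INPUT", Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})))
    for proto in ("tcp", "udp"):
        rs.append("INPUT", Rule("ACCEPT", proto, dports=(445, 445), states=new))  # microsoft-ds
        rs.append("INPUT", Rule("ACCEPT", proto, dports=(137, 139), states=new))  # netbios-ns:ssn
    rs.append("INPUT", Rule("ACCEPT", iface="lo"))   # bare "ACCEPT all": assumed loopback-only
    rs.append("INPUT", Rule("TRUSTED", states=new))
    rs.append("TRUSTED", Rule("ACCEPT", src="192.168.0.0/24"))
    rs.append("TRUSTED", Rule("ACCEPT", "icmp", icmp_type=8))
    rs.append("TRUSTED", Rule("DROP", "icmp"))
    rs.append("TRUSTED", Rule("REJECT"))             # catch-all: every NEW packet ends here
    for port in range(6881, 6889):                   # the -A rules, which land after the jump
        rs.append("INPUT", Rule("ACCEPT", "tcp", dports=(port, port)))
    return rs


def bittorrent_syn(port=6881):
    """Constructed packet: a peer on the Internet opening a connection to the client."""
    return {"proto": "tcp", "src": "203.0.113.7", "dport": port, "state": "NEW", "iface": "ppp0"}


def verdict_as_posted(port=6881):
    return posted_ruleset().verdict("INPUT", bittorrent_syn(port))


def verdict_with_insert(port=6881):
    rs = posted_ruleset()
    # Equivalent of: iptables -I INPUT 2 -p tcp -m state --state NEW --dport 6881:6889 -j ACCEPT
    rs.insert("INPUT", Rule("ACCEPT", "tcp", dports=(6881, 6889), states=frozenset({"NEW"})), pos=2)
    return rs.verdict("INPUT", bittorrent_syn(port))


if __name__ == "__main__":
    print("appended with -A:", verdict_as_posted())     # REJECT, from TRUSTED's last rule
    print("inserted with -I:", verdict_with_insert())   # ACCEPT
```

Because every NEW packet that gets past the first rules is pulled into TRUSTED, the only traffic that can ever reach the appended 6881-6888 rules is what neither the RELATED,ESTABLISHED rule nor the NEW jump takes, i.e. INVALID packets, which those rules (written without a state match) then accept. The rule has to sit before the jump, e.g. `iptables -I INPUT 2 -p tcp -m state --state NEW --dport 6881:6889 -j ACCEPT`, and it has to go into rc.firewall to survive a restart, which is what Reply #10 points at; `iptables -L -v -n --line-numbers` shows rule positions and the interface column. The same model also shows that the microsoft-ds and netbios rules in that listing accept from any source, which on a DSL line means the Internet.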