From: Tim P. <tpo...@vo...> - 2005-02-16 20:41:38

Q1: I have a system (that happens to have nocat on it) that I am able to ssh into and wget any files I need from any remote host. When I start up snort_inline I can no longer get out using wget. I made some modifications to allow port 22 (ssh) to come in, and that works fine, but I can't seem to figure out how to let wget out (port 80 as far as I know).

Q2: A secondary problem I have is that when snort_inline is having traffic routed through it (as a queue) it seems to corrupt http requests, because I get some very strange errors when loading google (the google page is displayed but it says "bad request") and yahoo gives a URL that is not yahoo (it sends me to http://www.yahoo.akadns.net and complains about "the page you requested is forbidden"). When I turn off the queuing and just let the user get to the internet in the "normal" way I don't have this error, just with the queuing. I can traceroute to both google and yahoo without problems with the queue on or off.

I am currently running snort_inline 2.2.0a. I realize that maybe I am the first to try this setup and that's ok; any ideas on how to go about troubleshooting this would be a great help.

Here is my firewall script:

#!/bin/sh
##
#
# Custom firewall integrating NoCat and Snort_inline
# Rules that existed in NoCat that reside in this file have been commented out in initialize.fw
#
##

# Enable IP forwarding and rp_filter (to kill IP spoof attempts).
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

# Load the kernel modules we need and some we don't
for module in ip_tables ipt_REDIRECT ipt_MASQUERADE ipt_MARK ipt_REJECT \
    ipt_TOS ipt_LOG iptable_mangle iptable_filter iptable_nat ip_nat_ftp \
    ip_conntrack ip_conntrack_ftp ip_conntrack_irc ip_queue \
    ip_nat_irc ipt_mac ipt_state ipt_mark; do
    modprobe $module
done

echo -n "Starting Standard Chains"

#########################################
# Create, Flush and Append our chains   #
#########################################
# -N creates new                        #
# -F flushes chain                      #
# -P sets default policy on chain       #
# -D deletes specified rule in chain    #
# -A appends a rule to specified chain  #
#########################################

iptables -t filter -N NoCat 2>/dev/null
iptables -t filter -F NoCat
iptables -t filter -D FORWARD -j NoCat 2>/dev/null
iptables -t filter -A FORWARD -j QUEUE
iptables -t filter -A FORWARD -j NoCat

iptables -t filter -N NoCat_Ports 2>/dev/null
iptables -t filter -F NoCat_Ports
iptables -t filter -D NoCat -j NoCat_Ports 2>/dev/null
iptables -t filter -A NoCat -j QUEUE
iptables -t filter -A NoCat -j NoCat_Ports

iptables -t filter -N NoCat_Inbound 2>/dev/null
iptables -t filter -F NoCat_Inbound
iptables -t filter -D NoCat -j NoCat_Inbound 2>/dev/null
iptables -t filter -A NoCat -j QUEUE
iptables -t filter -A NoCat -j NoCat_Inbound

iptables -t nat -N NoCat_Capture 2>/dev/null
iptables -t nat -F NoCat_Capture
iptables -t nat -D PREROUTING -j NoCat_Capture 2>/dev/null
# allow ssh access into the gateway
iptables -t nat -A PREROUTING -p tcp -i br0 --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -j QUEUE
iptables -t nat -A PREROUTING -j NoCat_Capture

iptables -t nat -N NoCat_NAT 2>/dev/null
iptables -t nat -F NoCat_NAT

iptables -t mangle -N NoCat 2>/dev/null
iptables -t mangle -F NoCat
iptables -t mangle -D PREROUTING -j NoCat 2>/dev/null
# allow ssh access into the gateway
iptables -t mangle -A PREROUTING -p tcp -i br0 --dport 22 -j ACCEPT
iptables -t mangle -A PREROUTING -j QUEUE
iptables -t mangle -A PREROUTING -j NoCat

echo -n "Starting Testing Chains"

############################
# Rules I am still testing #
############################
#iptables -N INPUT
iptables -F INPUT
iptables -P INPUT ACCEPT
#iptables -N OUTPUT
iptables -F OUTPUT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -o br0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i br0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i br0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i br0 --dport 23 -j ACCEPT
iptables -A INPUT -p tcp -i br0 --dport 80 -j ACCEPT
iptables -A OUTPUT -o br0 -p ALL -j ACCEPT
iptables -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -i br0 --dport 22 -j ACCEPT
#iptables -t mangle -A PREROUTING -p tcp -i br0 --dport 80 -j ACCEPT

#####
#END#
#####

Thanks,
Timmay
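An added diagnostic, not part of Tim's post nor of the NoCat or snort_inline projects: it parses the `iptables -A` lines of a script like the one above and lists, per table and chain, the rules appended after a `-j QUEUE`. With ip_queue, a packet that snort_inline returns with an accept verdict is re-injected at the next netfilter hook, not at the next rule of the chain it left, so those later rules (here the NoCat chains) never see the queued packet; the embedded sample is a constructed subset of the posted rules.

```python
"""Flag iptables rules that sit after a `-j QUEUE` in the same chain.

With ip_queue, a packet that userspace (snort_inline) accepts is re-injected
at the next netfilter hook, not at the next rule, so those rules never run."""
import shlex
from collections import defaultdict

# Constructed sample: the QUEUE-related -A lines from the posted script.
SAMPLE_SCRIPT = """
iptables -t filter -A FORWARD -j QUEUE
iptables -t filter -A FORWARD -j NoCat
iptables -t filter -A NoCat -j QUEUE
iptables -t filter -A NoCat -j NoCat_Ports
iptables -t filter -A NoCat -j QUEUE
iptables -t filter -A NoCat -j NoCat_Inbound
iptables -t nat -A PREROUTING -p tcp -i br0 --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -j QUEUE
iptables -t nat -A PREROUTING -j NoCat_Capture
"""


def parse_rules(script):
    """Return {(table, chain): [target, ...]} for each `-A` line, in order.
    -t defaults to "filter" as in iptables; match options are ignored."""
    chains = defaultdict(list)
    for line in script.splitlines():
        args = shlex.split(line)
        if not args or args[0] != "iptables":
            continue
        table, chain, target = "filter", None, None
        for i, arg in enumerate(args[:-1]):
            if arg == "-t":
                table = args[i + 1]
            elif arg == "-A":
                chain = args[i + 1]
            elif arg == "-j":
                target = args[i + 1]
        if chain and target:
            chains[(table, chain)].append(target)
    return dict(chains)


def shadowed_after_queue(chains):
    """Map (table, chain) to the targets appended after its first QUEUE."""
    return {key: targets[targets.index("QUEUE") + 1:]
            for key, targets in chains.items()
            if "QUEUE" in targets[:-1]}

for (table, chain), rest in shadowed_after_queue(parse_rules(SAMPLE_SCRIPT)).items():
    print(f"{table}/{chain}: never reached after QUEUE: {rest}")
```

Because the posted script queues in mangle PREROUTING, nat PREROUTING (first packet of each connection) and filter FORWARD, a forwarded packet can be handed to snort_inline up to three times, which is worth ruling out when HTTP sessions misbehave only with queuing enabled.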