DaniWeb IT Discussion Community
fresher
Newbie Poster

anyone tried HLS firewall

Apr 23rd, 2007
Hi all, has anyone tried HLS firewall? http://homelansecurity.sourceforge.net/
Basically, I am designing a web-based front end (using PHP) for this program, so I have completely 'turned off' custom.conf. The idea is that, for instance, if I want to block ICMP pings, I'll just click a check box, which then calls the icmp function from the script; or, say, I want to disable DNS, then I'll click a check box on the GUI which then calls DNS_WAN from the shell script.

My Problem:

When I run the program it still allows DNS queries, for instance, albeit all targets are set to DROP.

Something like:

[code]
# OUTPUT chain: drop TCP DNS queries leaving the WAN interface
# (client source ports 1024:65535 -> server port 53, as in the listing below)
$IPT -A OUTPUT -o $WANIFACE -p tcp --sport 1024:65535 \
    -m state --state NEW,ESTABLISHED --dport 53 -j DROP
# INPUT chain: drop TCP DNS replies arriving on the WAN interface
# (INPUT takes -i for the incoming interface, not -o; the match module is -m, not --m)
$IPT -A INPUT -i $WANIFACE -p tcp --sport 53 \
    -m state --state ESTABLISHED --dport 1024:65535 -j DROP
[/code]

Output of iptables -L

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ICMP icmp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-reply state ESTABLISHED
INVALID tcp -- anywhere anywhere
BASIC all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp spt:ssh dpt:ssh state ESTABLISHED
DROP tcp -- anywhere 192.168.114.128 tcp spts:1024:65535 dpt:domain
DROP tcp -- anywhere 192.168.114.128 tcp spts:1024:65535 dpt:http

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp spt:ssh dpt:ssh state NEW,ESTABLISHED
DROP tcp -- 192.168.114.128 anywhere tcp spt:domain dpts:1024:65535
DROP tcp -- 192.168.114.128 anywhere tcp spt:http dpts:32768:61001

Chain BASIC (1 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
DROP all -- 192.168.114.128 anywhere
DROP all -- localhost.localdomain anywhere
RETURN all -- anywhere anywhere

Chain ICMP (1 references)
target prot opt source destination

Chain INVALID (1 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
RETURN all -- anywhere anywhere


NB: I am using just one interface (eth0), i.e. it's not a gateway or router at all.

Any help will be immensely appreciated. Thanks.
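The listing above contains the explanation for the behaviour the poster sees: in both INPUT and OUTPUT an unconditional `ACCEPT all -- anywhere anywhere` sits before the DNS `DROP` rules, and iptables stops at the first terminating match, so the later `DROP` rules can never be reached. Separately, the `DROP` rules are TCP-only, while ordinary DNS queries travel over UDP/53. The following script is an added example, not part of HLS firewall or the original post: it parses plain `iptables -L` text into chains and reports rules that are shadowed by an earlier catch-all, plus DNS rules that cover TCP but not UDP. The embedded sample listing is a constructed, shortened copy of the one in the post.

```python
"""Find iptables rules that can never match because an earlier catch-all
rule in the same chain already decides every packet.

Added example; not part of HLS firewall or the forum post. It parses the
text format printed by `iptables -L` (no -v, so interfaces are not shown).
"""
import re

# Constructed sample: trimmed from the listing in the post above.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
INVALID tcp -- anywhere anywhere
BASIC all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP tcp -- anywhere 192.168.114.128 tcp spts:1024:65535 dpt:domain

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW
ACCEPT all -- anywhere anywhere
DROP tcp -- 192.168.114.128 anywhere tcp spt:domain dpts:1024:65535

Chain BASIC (1 references)
target prot opt source destination
DROP all -- 192.168.114.128 anywhere
RETURN all -- anywhere anywhere
"""

# Verdicts that end traversal of the chain for a matching packet. Jumps to
# user-defined chains (BASIC, ICMP, INVALID) may RETURN, so they do not count.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

CHAIN_RE = re.compile(r"^Chain (\S+) \(")


def parse_listing(text):
    """Return {chain_name: [rule_dict, ...]} from `iptables -L` text, in rule order."""
    chains = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if line.startswith("target ") or current is None:
            continue  # column header line
        target, prot, opt, src, dst, *extra = line.split()
        chains[current].append({
            "target": target, "prot": prot, "src": src, "dst": dst,
            "extra": " ".join(extra), "text": line,
        })
    return chains


def is_catch_all(rule):
    """True if the rule matches every packet: any protocol, any address, no extra match."""
    return (rule["target"] in TERMINATING and rule["prot"] == "all"
            and rule["src"] == "anywhere" and rule["dst"] == "anywhere"
            and rule["extra"] == "")


def shadowed_rules(chains):
    """Return [(chain, shadowed_rule_text, shadowing_rule_text)] for rules placed after a catch-all."""
    findings = []
    for name, rules in chains.items():
        blocker = None
        for rule in rules:
            if blocker is not None:
                findings.append((name, rule["text"], blocker["text"]))
            elif is_catch_all(rule):
                blocker = rule
    return findings


def tcp_only_dns_rules(chains):
    """Return [(chain, rule_text)] for DROP rules naming the DNS port on TCP only,
    in chains with no UDP DNS rule at all. Queries normally use UDP/53."""
    findings = []
    for name, rules in chains.items():
        has_udp_dns = any(r["prot"] == "udp" and "domain" in r["extra"] for r in rules)
        for r in rules:
            if (r["target"] == "DROP" and r["prot"] == "tcp"
                    and "domain" in r["extra"] and not has_udp_dns):
                findings.append((name, r["text"]))
    return findings


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for chain, dead, blocker in shadowed_rules(parsed):
        print(f"{chain}: never reached: {dead!r} (blocked by earlier {blocker!r})")
    for chain, rule in tcp_only_dns_rules(parsed):
        print(f"{chain}: TCP-only DNS rule, UDP/53 not covered: {rule!r}")
```

On the sample it reports one shadowed DNS `DROP` in INPUT and one in OUTPUT, each blocked by the preceding `ACCEPT all -- anywhere anywhere`, and flags both as TCP-only. The fix on the firewall side is ordering, not targets: specific `DROP` rules have to be inserted before any catch-all `ACCEPT`, and a DNS block needs a matching `-p udp` rule.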