
My DNS server has a Firestarter firewall. When the firewall runs, only addresses on the same network as the DNS server can get a response from DNS/FTP/SSH. When I boot without the firewall, anyone can access them - as well as everything else!

This is my first foray into IPTables, but the following IPTables entries should, I believe, allow access from anyone to DNS, SSH and FTP:

ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:20 flags:!0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:53

Something else must be blocking access from outside of xx.yyy.zz/26 and there is a lot in the tables that I do not understand. Below is the output from iptables -L -n (I removed some entries I feel do not contribute to the issue). Can someone tell me what causes the blockage?

Thanks,

Angus.

ns2:/sbin# ./iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
UNCLEAN all -- 0.0.0.0/0 0.0.0.0/0 unclean
ACCEPT tcp -- 67.154.209.206 0.0.0.0/0 tcp flags:!0x16/0x02
ACCEPT udp -- 67.154.209.206 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 xx.yyy.zz.128/26 limit: avg 10/sec burst 5
LD all -- 0.0.0.0/8 xx.yyy.zz.128/26
LD all -- 1.0.0.0/8 xx.yyy.zz.128/26
LD all -- 2.0.0.0/8 xx.yyy.zz.128/26
LD all -- 5.0.0.0/8 xx.yyy.zz.128/26
LD all -- 7.0.0.0/8 xx.yyy.zz.128/26

... more similar nnn.0.0.0/8 entries are here ...

LD all -- 187.0.0.0/8 xx.yyy.zz.128/26
LD all -- 189.0.0.0/8 xx.yyy.zz.128/26
LD all -- 190.0.0.0/8 xx.yyy.zz.128/26
LD all -- 192.0.2.0/24 xx.yyy.zz.128/26
LD all -- 192.168.0.0/16 xx.yyy.zz.128/26
LD all -- 197.0.0.0/8 xx.yyy.zz.128/26
LD all -- 198.18.0.0/15 xx.yyy.zz.128/26
LD all -- 223.0.0.0/8 xx.yyy.zz.128/26
LD all -- 224.0.0.0/3 xx.yyy.zz.128/26
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:31337 limit: avg 2/min burst 5
LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:31337 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:33270 limit: avg 2/min burst 5
LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:33270 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:1234 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:6711 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:16660 flags:0x16/0x02 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:60001 flags:0x16/0x02 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpts:12345:12346 limit: avg 2/min burst 5
LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpts:12345:12346 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:135 limit: avg 2/min burst 5
LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:135 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:1524 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:27665 limit: avg 2/min burst 5
LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:27444 limit: avg 2/min burst 5
LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:31335 limit: avg 2/min burst 5
LD all -- 224.0.0.0/8 0.0.0.0/0
LD all -- 0.0.0.0/0 224.0.0.0/8
LD all -- 255.255.255.255 0.0.0.0/0
LD all -- 0.0.0.0/0 0.0.0.0
DROP all -- 10.0.0.255 0.0.0.0/0
DROP all -- 0.0.0.0 0.0.0.0/0
DROP all -- 0.0.0.0/0 255.255.255.255
DROP all -- 0.0.0.0/0 0.0.0.0
LD all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
LD all -f 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:20 flags:!0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:53
LD tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 dpts:513:65535 flags:!0x16/0x02 state RELATED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:20 dpts:1023:65535 flags:!0x16/0x02 state RELATED
STATE tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpts:1024:65535
ACCEPT udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpts:1023:65535
LD all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
UNCLEAN all -- 0.0.0.0/0 0.0.0.0/0 unclean
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:31337 limit: avg 2/min burst 5
LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpt:31337 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:33270 limit: avg 2/min burst 5
LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpt:33270 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:1234 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:6711 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:16660 flags:0x16/0x02 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:60001 flags:0x16/0x02 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpts:12345:12346 limit: avg 2/min burst 5
LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpts:12345:12346 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:135 limit: avg 2/min burst 5
LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpt:135 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:1524 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:27665 limit: avg 2/min burst 5
LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpt:27444 limit: avg 2/min burst 5
LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpt:31335 limit: avg 2/min burst 5
LD all -- 224.0.0.0/8 0.0.0.0/0
LD all -- 0.0.0.0/0 224.0.0.0/8
LD all -- 255.255.255.255 0.0.0.0/0
LD all -- 0.0.0.0/0 0.0.0.0
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
all -- 0.0.0.0/0 0.0.0.0/0 TTL match TTL == 64
ACCEPT icmp -- xx.yyy.zz.128/26 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain LD (146 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain SANITY (0 references)
target prot opt source destination
LD all -- 0.0.0.0/0 0.0.0.0/0

Chain STATE (1 references)
target prot opt source destination
LD all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
LD all -- 0.0.0.0/0 0.0.0.0/0

Chain UNCLEAN (2 references)
target prot opt source destination
LD all -- 0.0.0.0/0 0.0.0.0/0
ns2:/sbin#

Discussion span: 10 years. Last post by Mix.

I hacked the firewall script and by a process of elimination found that it was the very records I thought were irrelevant that were causing the problem - each one blocked all traffic from an entire network not just the non-routable addresses as implied by the firewall script comments.
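To see the ordering problem Angus describes, here is an added first-match walk over the INPUT chain, written in Python for this page (not code from the thread or from Firestarter). It assumes the documentation range 203.0.113.128/26 in place of the redacted xx.yyy.zz.128/26, uses an abridged copy of the chain, and evaluates only the source, destination, protocol and port columns (flags, limit and state matches are ignored).

```python
import ipaddress

# Constructed, abridged copy of the thread's INPUT chain in `iptables -L -n` order,
# with the redacted xx.yyy.zz.128/26 replaced by the documentation range 203.0.113.128/26.
INPUT_CHAIN = """\
ACCEPT icmp -- 0.0.0.0/0 203.0.113.128/26 limit: avg 10/sec burst 5
LD all -- 0.0.0.0/8 203.0.113.128/26
LD all -- 1.0.0.0/8 203.0.113.128/26
LD all -- 192.168.0.0/16 203.0.113.128/26
LD all -- 224.0.0.0/3 203.0.113.128/26
LD tcp -- 0.0.0.0/0 203.0.113.128/26 tcp dpt:31337 limit: avg 2/min burst 5
ACCEPT tcp -- 0.0.0.0/0 203.0.113.128/26 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 203.0.113.128/26 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 203.0.113.128/26 udp dpt:53
LD all -- 0.0.0.0/0 0.0.0.0/0
"""

# Per the post, chain LD is LOG followed by DROP, so a jump to LD ends as DROP.
TERMINAL = {"ACCEPT": "ACCEPT", "DROP": "DROP", "LD": "DROP"}

def parse_rule(line):
    """Parse one `iptables -L -n` line into its source/dest/proto/dport matches."""
    target, prot, _opt, src, dst, *rest = line.split()
    ports = None
    for tok in rest:
        if tok.startswith(("dpt:", "dpts:")):
            lo, _, hi = tok.split(":", 1)[1].partition(":")
            ports = (int(lo), int(hi or lo))
    return {"target": target, "prot": prot, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "ports": ports, "text": line}

def matches(rule, src_ip, proto, dport):
    """True when the rule's protocol, source prefix and port range all match."""
    in_ports = rule["ports"] is None or rule["ports"][0] <= dport <= rule["ports"][1]
    return (rule["prot"] in ("all", proto)
            and ipaddress.ip_address(src_ip) in rule["src"] and in_ports)

def verdict(chain_text, src_ip, proto, dport, dst_ip="203.0.113.130"):
    """Walk the chain first-match; return (final verdict, rule text that decided it)."""
    dst = ipaddress.ip_address(dst_ip)
    for line in chain_text.splitlines():
        rule = parse_rule(line)
        if dst in rule["dst"] and matches(rule, src_ip, proto, dport):
            return TERMINAL[rule["target"]], rule["text"]
    return "DROP", "policy DROP"  # chain policy from the post

def blocked_before_accept(chain_text, proto, dport):
    """Source prefixes that a drop rule catches before the ACCEPT for this service."""
    shadowing = []
    for line in chain_text.splitlines():
        rule = parse_rule(line)
        if rule["prot"] in ("all", proto) and matches(rule, "0.0.0.0", proto, dport) \
                or (rule["prot"] in ("all", proto) and rule["ports"] is None):
            if TERMINAL[rule["target"]] == "ACCEPT":
                return shadowing
            shadowing.append(str(rule["src"]))
    return shadowing
```

The chain lists only source addresses from 0.0.0.0/8 for the `matches` probe in `blocked_before_accept`, so a rule is counted as shadowing if it applies to the service's protocol and port regardless of its source prefix; run `verdict(INPUT_CHAIN, "1.2.3.4", "udp", 53)` to see a legitimate resolver in 1.0.0.0/8 dropped by the /8 rule before the `dpt:53` ACCEPT is ever reached.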


At least you have Firestarter working. I can't get it installed on Slackware.
