Firewall Policy at rebooting



Domsik
09-Jan-2012, 10:46
Hi!

I found no solution to my problem on the Internet. I have a simple
firewall script with which I only want to do an ICMP ping to "www.google.at"
from the PC behind the firewall.
I created my script in the folder "/etc/init.d" and the links in
"/etc/rc.d/rc3.d" and "rc5.d" with the name "S99fw_forward". For test
purposes, the file has received "chmod 777".

When the server is booting, I see the script being executed. After
booting, the variable "ip_forward" is set to 1 (if I don't start my script,
it would be 0). That means the script has definitely been executed.
However, I cannot ping from the PC behind the firewall.

If I run my script manually, I can do the ICMP ping to "www.google.at" and
I can use the Internet normally (from the PC behind the firewall).

This is my current file (only a few things to test). Maybe these lines
are not correct for a firewall, but it's only a test.


Code:
--------------------
# / Bin / bash
#------------------------------------------------- -------------
# File: fw_forward
#------------------------------------------------- -------------
echo "- fw_forward starts"
echo "---------------------------"

R = "/ usr / sbin / iptables"
UNPRIVPORTS = "1025:65535"

#()----------------------------------------------- ------------
echo "- Routing Switch"
echo "1"> / proc/sys/net/ipv4/ip_forward

#()----------------------------------------------- ------------------------
echo "- remove all previous FORWARD rules (if already available)"
$ R-F FORWARD
$ R-P FORWARD DROP
$ R-P INPUT DROP
$ R-P OUTPUT DROP
$ R-F
$ R-F-t nat

#()----------------------------------------------- ------------------------
echo "- all through routes (Holiday)"
$ R-A FORWARD-j ACCEPT

#()----------------------------------------------- ------------------------
echo "- ping through routes"
$ R-A FORWARD-p icmp-j ACCEPT

#------------------------------------------------- ----------------------
echo "- fw_forward finished"
--------------------



Why does my script start at boot, but only work when I start it manually?

It seems that some program or function overwrites the iptables rules after my
script. The standard "SuSEfirewall" is definitely turned off. I can also
see that "SuSEfirewall2" is turned off in the "Runlevel Editor".
Are there any other things I have to configure or deactivate?

I posted my problem in 2 other German Linux and openSUSE forums, but
nobody there could help me.
I know crossposting is frowned upon, but I thought it would be better if I
asked my question in a SLES forum.

These are the German postings (translated with Google):
'Google Translate'
(http://translate.google.com/translate?sl=de&tl=en&js=n&prev=_t&hl=de&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.opensuse-forum.de%2Ffirewall-script-beim-booten-systemprogramme-shell-programmierung%2Fthemen-f9%2Ft6579-f10%2F%23post37803&act=url)
'Google Translate'
(http://translate.google.com/translate?hl=de&sl=de&tl=en&u=http%3A%2F%2Fwww.linux-forum.de%2Ffirwall-script-beim-booten-2008859.html)

Regards,
Domsi


--
Domsik
------------------------------------------------------------------------
Domsik's Profile: http://forums.novell.com/member.php?userid=122307
View this thread: http://forums.novell.com/showthread.php?t=450455
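The placement the question describes (a script in /etc/init.d with hand-made S99 links) does run the script, but on SLES 11 the init system orders scripts through the LSB header block that insserv reads, and a hand-made link carries no dependency on the network or on any other firewall script. The following is an added example, not Domsik's script or anything from SUSE: the same rules wrapped in an init script with such a header, plus a dry-run switch so the rule list can be checked without root. The SuSEfirewall2_setup name in Should-Start and the IPTABLES and IP_FORWARD variables are assumptions made for this example.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          fw_forward
# Required-Start:    $network
# Required-Stop:     $network
# Should-Start:      SuSEfirewall2_setup
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: forwarding firewall rules (added example)
### END INIT INFO
#
# "insserv fw_forward" (or "chkconfig fw_forward on") reads the header above
# and creates the rc3.d/rc5.d links with a sequence number that comes after
# $network and, if that service is enabled, after SuSEfirewall2_setup (an
# assumed script name; check /etc/init.d on the box). A hand-made S99 link
# records no such dependency, so nothing stops another script from running later.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"              # IPTABLES=echo gives a dry run
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"

# The rule set from the thread, one iptables argument list per line, with the
# policy changes placed after the flush. Constructed for this example.
fw_rule_list() {
    cat <<'EOF'
-F
-F -t nat
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j ACCEPT
EOF
}

# Enable routing and apply every line of fw_rule_list; stops at the first error.
fw_start() {
    echo 1 > "$IP_FORWARD" || return 1
    fw_rule_list | while read -r args; do
        # word splitting of $args is intended: each line is one argument list
        "$IPTABLES" $args || exit 1
    done
}

# Flush everything and fall back to ACCEPT policies, as distribution
# firewall scripts usually do on "stop".
fw_stop() {
    printf '%s\n' '-F' '-F -t nat' '-P INPUT ACCEPT' '-P OUTPUT ACCEPT' '-P FORWARD ACCEPT' |
    while read -r args; do "$IPTABLES" $args || exit 1; done
}

# Show the live FORWARD chain and the routing switch.
fw_status() {
    "$IPTABLES" -L FORWARD -n -v
    echo "ip_forward=$(cat "$IP_FORWARD")"
}

# Init-script entry point; only dispatches when an action is given.
if [ $# -gt 0 ]; then
    case "$1" in
        start)  fw_start ;;
        stop)   fw_stop ;;
        status) fw_status ;;
        *) echo "Usage: $0 {start|stop|status}" >&2; exit 1 ;;
    esac
fi
```

Running it as `IPTABLES=echo IP_FORWARD=/dev/null sh fw_forward start` prints the seven iptables argument lists in order instead of applying them, which is a cheap way to review what the boot-time run will do before enabling the script with insserv.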

ab
09-Jan-2012, 15:55
I cannot say for sure, but how is this system's networking setup? Is it
(presumably) using the traditional method of setting an IP address vs.
using Network Manager? Is the IP address statically defined or are you
using DHCP? Which version/patch of SLES, with which kernel? Could you
post your script again without what I'm guessing was some corruption
when you pasted? Some case (capitalization) and spacing issues appear
to exist in there that I think would prevent the script from ever
working so hopefully seeing the correct script may shed some light on
things.

Good luck.

Domsik
09-Jan-2012, 16:36
No, I don't use Network Manager; the IP address is statically defined.
SLES11 (i586) SP1, Version: 11.1.0.19
Kernel: 2.6.32.12-0.7-pae

Sorry, you are right, there was some corruption in the script when I posted
it! Sorry. Now I have copied it directly, without changing anything.


Code:
--------------------
#!/bin/bash
#--------------------------------------------------------------
# file: fw_forward
#--------------------------------------------------------------
echo "- fw_forward wird gestartet"
echo "---------------------------"

R="/usr/sbin/iptables"
UNPRIVPORTS="1025:65535"

#()-----------------------------------------------------------
echo "- Routing einschalten"
echo "1" > /proc/sys/net/ipv4/ip_forward

#()-----------------------------------------------------------------------
echo "- alle bisherigen FORWARD-Regeln entfernen (Falls bereits vorhanden)"
$R -F FORWARD
$R -P FORWARD DROP
$R -P INPUT DROP
$R -P OUTPUT DROP
$R -F
$R -F -t nat

#()-----------------------------------------------------------------------
echo "- alles durchrouten (Ferien)"
$R -A FORWARD -j ACCEPT

#()-----------------------------------------------------------------------
echo "- ping durchrouten"
$R -A FORWARD -p icmp -j ACCEPT

#-----------------------------------------------------------------------
echo "- fw_forward finished"

--------------------



ab
09-Jan-2012, 17:50
Try adding something like 'sleep 60' to the top of the script right
before the 'echo' statements. Maybe try 'sleep 30' if that helps. My
guess is that this is just running too quickly while something else is
also tinkering with the firewall stuff. Knowing what is showing up in
/var/log/firewall when things do NOT work may be useful. Getting the
output from /usr/sbin/iptables-save could be helpful when working/broken
to see what is different exactly.

Good luck.

Domsik
09-Jan-2012, 22:16
OK thanks, I'll try it with 'sleep'.

I know 60 or 30 seconds are short, but for a hacker it may be
enough time. (I will use SLES -after testing/learning- as a router.)
So I think it will be necessary to do something about that. Is it
possible to deactivate eth0 at boot and activate eth0 at the end of
my script?
(I can/will search for the commands on my own; I only need to know whether it
works or whether it is a sensible solution with eth0.)

Thanks, that's a good tip about saving iptables and the logs.



ab
09-Jan-2012, 23:41
Sure, you can control anything with your script. You may also be able
to setup what you are doing with Yast directly to avoid the need for
your script, but I have not tested exactly what you are doing with Yast
in the past. The /etc/sysconfig/SuSEfirewall2 config file controls
everything. Some options in there are not exposed in Yast but you can
still manipulate them by hand. Perhaps do some tinkering in there after
making a copy of the file.

Good luck.

Domsik
11-Jan-2012, 09:46
OK thanks, I'll try out your tips and let you know if it worked.



mikewillis
11-Jan-2012, 13:16
A while ago I was trying to set up a firewall rule which I couldn't
figure out how to do in YaST(*) and found this useful
'How To Add Additional Ip Rules To Suse Firewall'
(http://forums.opensuse.org/archives/sls-archives/archives-linux-tweaks/archives-tips-tricks-tweaks/381772-how-add-additional-ip-rules-suse-firewall.html)


(*) Allow ssh connections but only from a certain IP address range and
limit the number of connections per minute.


--
mikewillis
------------------------------------------------------------------------
mikewillis's Profile: http://forums.novell.com/member.php?userid=7510
View this thread: http://forums.novell.com/showthread.php?t=450455

Domsik
21-Jan-2012, 18:26
OK, now I've found a solution. As "ab" already described, there is a
"/etc/sysconfig/SuSEfirewall2" config file.
I created a backup of this file and renamed it.

Now my script also works directly on boot.

My colleague starts his file every minute. He said he prevents
other programs from rewriting the iptables rules permanently.

Is it useful to restart the crontab file every minute?


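Two points in the thread call for the same tooling: ab's suggestion to capture iptables-save output in the working and in the broken state and compare them, and the closing question about re-running the firewall script from cron every minute. The added example below is mine, not from the thread: it normalises two constructed iptables-save dumps so they can be diffed without counter and timestamp noise, and wraps that comparison in a check that re-applies the rules only when the live table has drifted from a saved baseline, logging exactly which rules disappeared or appeared. That log is what a blind re-run every minute never gives you, namely evidence of what rewrote the table. The snapshot paths, the fw_enforce.sh name and the LIVE_CMD and FW_SCRIPT variables are assumptions made for the example.

```shell
#!/bin/sh
# Compare iptables-save snapshots and re-apply rules only on drift.
# Added example for this thread; not the poster's script.
export LC_ALL=C   # sort and comm must agree on collation

# Two constructed iptables-save dumps standing in for
#   /usr/sbin/iptables-save > /root/fw-working.rules   (taken while pings work)
#   /usr/sbin/iptables-save > /root/fw-broken.rules    (taken right after boot)
WORKING="$(mktemp)"; BROKEN="$(mktemp)"
trap 'rm -f "$WORKING" "$BROKEN"' EXIT
cat >"$WORKING" <<'EOF'
# Generated by iptables-save on Mon Jan  9 22:00:00 2012
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT DROP [3:240]
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
# Completed on Mon Jan  9 22:00:00 2012
EOF
cat >"$BROKEN" <<'EOF'
# Generated by iptables-save on Mon Jan  9 22:05:00 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [7:588]
:OUTPUT DROP [0:0]
COMMIT
# Completed on Mon Jan  9 22:05:00 2012
EOF

# Drop the per-chain counters (and per-rule counters from iptables-save -c)
# and the timestamp comments, so two dumps compare on the rules alone.
normalize_ruleset() {
    sed -e 's/^\[[0-9]*:[0-9]*\] //' -e 's/ \[[0-9]*:[0-9]*\]$//' -e '/^#/d' "$1"
}

# Print "- rule" for lines the baseline $1 has but $2 lacks, and "+ rule" for
# lines $2 has but the baseline does not; prints nothing when they match.
ruleset_diff() {
    base="$(mktemp)"; other="$(mktemp)"
    normalize_ruleset "$1" | sort >"$base"
    normalize_ruleset "$2" | sort >"$other"
    comm -23 "$base" "$other" | sed 's/^/- /'
    comm -13 "$base" "$other" | sed 's/^/+ /'
    rm -f "$base" "$other"
}

# Cron-side check: compare the live rules with the saved baseline and run the
# firewall script again only when they differ, logging what changed.
# All three values are assumptions for this example.
BASELINE="${BASELINE:-/root/fw-working.rules}"
LIVE_CMD="${LIVE_CMD:-/usr/sbin/iptables-save}"
FW_SCRIPT="${FW_SCRIPT:-/etc/init.d/fw_forward}"

# Returns 0 when the live rules match the baseline, 1 when drift was found
# (and the firewall script was re-run), 2 when the live dump failed.
fw_enforce() {
    live="$(mktemp)"
    $LIVE_CMD >"$live" || { rm -f "$live"; return 2; }
    drift="$(ruleset_diff "$BASELINE" "$live")"
    rm -f "$live"
    [ -n "$drift" ] || return 0
    echo "fw_enforce: live rules differ from $BASELINE:" >&2
    echo "$drift" >&2
    "$FW_SCRIPT" start
    return 1
}

# Assumed /etc/crontab line for a wrapper that calls fw_enforce:
#   */5 * * * * root /usr/local/sbin/fw_enforce.sh
echo "Rules in the working snapshot that the broken one lacks:"
ruleset_diff "$WORKING" "$BROKEN"
```

Run stand-alone it reports the two FORWARD rules missing from the constructed post-boot dump. On a real box the stderr lines from fw_enforce go to the cron mail or syslog, and their timestamps narrow down which other component rewrote the table, which is the question the thread is really circling.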