Followup...
1. It appears that Konqueror 2.2.2 does not have "out of the box" SSL support.
It makes it kind of difficult to get into my.yahoo.com and banking sites
without SSL. (So I gotta work on that...)

2. My computer has two network cards because I use it as a firewall. I was
just trying to find a netconfig utility to config eth1, because it wasn't
configured when I first installed the O/S. I think I found a few of the
config files, but I always did this with some GUI tool under RH 7.1, so
I guess I need to read some manuals? Any suggestions?

3. I think Scott mentioned some "better" replacements for deselect, and I
guess I need to go find those.

4. It appears that apache (httpd) didn't install, or didn't install where
I would expect it to be. The /var/www directory was there. Is something
other than Apache installed?

New YEEEP!
3.) apt-get install aptitude is a great command-line replacement. apt-get install synaptic for an X-based replacement.

2.) [link|/forums/render/content/show?contentid=74573|An IPTABLES Script] I wrote... gives you a good place to start. Also, /etc/network/interfaces will get you this:
### etherconf DEBCONF AREA. DO NOT EDIT THIS AREA OR INSERT TEXT BEFORE IT.
auto lo eth0 eth1

iface lo inet loopback

iface eth0 inet dhcp

iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
gateway 192.168.1.1

### END OF DEBCONF AREA.  PLACE YOUR EDITS BELOW; THEY WILL BE PRESERVED.


1.) Once you install aptitude or synaptic you'll be able to browse really easily... and get what you need.

4.) Refer to #1, and yes, it defaults to /var/www for content, /usr/lib/apache for modules, /etc/apache for apache w/o ssl and /etc/apache-ssl for apache with ssl for confs. /var/log/apache and apache-ssl for logs also. You could check to see what is in /etc/init.d, as those are the startup scripts.


You might want to look at localepurge and a few other clean-up packages as well. A good one that comes to mind is debfoster. It will do you good, once you have the machine for a while... or when you change the role of the machine. It'll clean out the cruft build-up.
b4k4^2
[link|mailto:curley95@attbi.com|greg] - Grand-Master Artist in IT
[link|http://www.iwethey.org/ed_curry/|REMEMBER ED CURRY!]  
[link|http://www.eweek.com/article2/0,3959,857673,00.asp|Microsoft develops apps for Linux by 2004]
Heimatland Geheime Staatspolizei reminds:
These [link|http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf|Civilian General Orders], please memorize them.
"Questions" will be asked at checkpoints.
Edited by gfolkertold April 6, 2003, 09:45:36 AM EDT
Edited by gfolkertold April 6, 2003, 07:54:36 PM EDT
Item two
I'm still unable to get my "private network" computers to access the Internet from my Debian computer.

I can ping both adapters on the Debian system from the private network, but I can't ping the public network router; it gets timed-out messages. I can't ping "external" sites like yahoo.com either.

I can ping everything from the Debian computer, both private network and Internet.

I'll try to get the interfaces file and the iptables file posted later tonight. Let me know if you need other files. The only mods I have made to the iptables file are to actually specify the IP addresses of the DNS servers on the Internet, rather than the private IP address.
Edited by gdaustin April 7, 2003, 10:25:39 PM EDT
Files
Interfaces file contains everything but the gateway statement on the private interface.

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
auto lo eth0 eth1
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
iface eth0 inet dhcp

iface eth1 inet static
address 192.168.55.1
netmask 255.255.255.0

When I add the gateway statement to the private interface, then the routing table shows two default gateway routes and I lose the ability to "surf" the internet, even from the Debian machine.

So I added my own routing statement; here is my routing table.

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.55.0 192.168.55.1 255.255.255.0 UG 0 0 0 eth1
192.168.55.0 * 255.255.255.0 U 0 0 0 eth1
12.237.234.0 * 255.255.254.0 U 0 0 0 eth0
default 12-237-234-1.cl 0.0.0.0 UG 0 0 0 eth0

Now my iptables file:

#!/bin/sh
#
# Notes: This shell script is for iptables v1.2.6+ and 2.4.12+ kernels, as
# there are glaring problems in previous versions. It may work, but
# I would not guarantee it to work completely right.
#
# I am assuming that the public interface is an ISP and the private
# interface is static. Firewall serves as Private DHCP server, and
# uses DNS from the internet. I included services that some like to
# foolishly run... ;) You can comment out mail, ftp and web. I would
# leave ssh for obvious reasons
#
# By default this script DROPS everything, the rules allow exceptions,
# using stateful checking and allowing existing conversations to
# continue, so you can run this script without interruption of stuff.
# Also by default the script trusts the private interface, allows
# any traffic or conversation started by the private side. IOW, it
# will block anything trying to come in, without you asking for it.

# function check
#
check() {
    if test ! -x "$1"; then
        echo "$1 not found or is not executable"
        exit 1
    fi
}

# function log
#
log() {
    # use the logger binary whose presence was just tested
    if test -x "$LOGGER"; then
        "$LOGGER" -p info "$1"
    fi
}

# exec locations
#
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"

# making sure they exist
# and are executable
#
check $MODPROBE
check $IPTABLES
check $IP

# PUB_IF assumed ISP_dynamic
#
PUB_IF="eth0"
#PUB_IP="10.0.0.1"
#PUB_SNM="255.0.0.0"
#PUB_NET="10.0.0.0"
#PUB_SNML="8"

# PRIV_IF assumed static
#
PRIV_IF="eth1"
PRIV_IP="192.168.55.1"
PRIV_SNM="255.255.255.0"
PRIV_NET="192.168.55.0"
PRIV_SNML="24"


cd /etc || exit 1

# sending to syslog
#
log "Activating firewall script"

# turning off forwarding (temp)
#
echo "0" > /proc/sys/net/ipv4/ip_forward

# setting good defaults for traffic
#
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo 0 > /proc/sys/net/ipv4/tcp_ecn
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

# flushing the toilet
#
$IP -4 neigh flush dev $PRIV_IF

# setting default policies of DROP
#
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

# getting rid of any existing chains and tables
#
cat /proc/net/ip_tables_names | while read table; do
    $IPTABLES -t $table -L -n | while read c chain rest; do
        if test "X$c" = "XChain" ; then
            $IPTABLES -t $table -F $chain
        fi
    done
    $IPTABLES -t $table -X
done
# loading all the iptables modules
#
MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
# strip the .o / .o.gz suffix to get bare module names for modprobe
MODULES=`(cd $MODULE_DIR; ls *_conntrack_* *_nat_* | sed 's/\.o.*$//')`
for module in $(echo $MODULES); do
    if [ -e "${MODULE_DIR}/${module}.o" -o -e "${MODULE_DIR}/${module}.o.gz" ]; then
        $MODPROBE ${module} || exit 1
    fi
done

# Rule NAT
#
$IPTABLES -t nat -A POSTROUTING -o $PUB_IF -s $PRIV_NET/$PRIV_SNML -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $PRIV_IF -s $PRIV_NET/$PRIV_SNML -j SNAT --to-source $PRIV_IP

# Setting stateful inspection and allow already
# connected conversations to continue
#
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# public interface anti-spoofing rule so baddies claiming
# to be from the private network interface can't make it in.
#
$IPTABLES -A INPUT -i $PUB_IF -s $PRIV_NET/$PRIV_SNML -j DROP
$IPTABLES -A FORWARD -i $PUB_IF -s $PRIV_NET/$PRIV_SNML -j DROP

# block fragments, a sure sign baddies are trying
#
$IPTABLES -A OUTPUT -p ip -f -j DROP
$IPTABLES -A INPUT -p ip -f -j DROP
$IPTABLES -A FORWARD -p ip -f -j DROP

# firewall uses DNS server on internet
#
$IPTABLES -A INPUT -p tcp -s 204.127.202.4 --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 216.148.227.68 --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -s 204.127.202.4 --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -s 216.148.227.68 --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --destination-port 53 -m state --state NEW -j ACCEPT

# firewall serves as DHCP server for LAN (listen rule)
#
$IPTABLES -A INPUT -p udp -m multiport -s $PRIV_IP --destination-ports 68,67 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m multiport -d $PRIV_IP --destination-ports 68,67 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -m multiport -s $PRIV_NET/$PRIV_SNML --destination-ports 68,67 -m state --state NEW -j ACCEPT

# firewall serves as DHCP server for LAN (response rule)
#
$IPTABLES -A INPUT -p udp -m multiport -s $PRIV_IP --destination-ports 68,67 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m multiport -d $PRIV_IP --destination-ports 68,67 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m multiport -d $PRIV_NET/$PRIV_SNML --destination-ports 68,67 -m state --state NEW -j ACCEPT

# 'masquerading' rule
#
$IPTABLES -A INPUT -s $PRIV_IP -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s $PRIV_NET/$PRIV_SNML -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s $PRIV_NET/$PRIV_SNML -m state --state NEW -j ACCEPT
# (ipchains-style lines: MASQUERADE is only valid in the nat table's
# POSTROUTING chain, which is already set up in the "Rule NAT" section,
# and the MASQ target does not exist in iptables; left in place but
# disabled, as they only produce errors here)
#$IPTABLES -A FORWARD -s $PRIV_NET/$PRIV_SNML -j MASQUERADE
#$IPTABLES -A FORWARD -i eth0 -j MASQ

# firewall serves as mail server (for those that do this)
#
$IPTABLES -A OUTPUT -p tcp -m multiport -d $PRIV_IP --destination-ports 143,993,110,25,465 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -m multiport --destination-ports 143,993,110,25,465 -m state --state NEW -j ACCEPT

# firewall serves as mail relay (for those that do this)
#
$IPTABLES -A INPUT -p tcp -m multiport -s $PRIV_IP --destination-ports 143,993,110,25,465 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m multiport --destination-ports 143,993,110,25,465 -m state --state NEW -j ACCEPT

# firewall serves as web-server (for those that do this)
#
$IPTABLES -A OUTPUT -p tcp -m multiport -d $PRIV_IP --destination-ports 80,443 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -m multiport --destination-ports 80,443 -m state --state NEW -j ACCEPT

# firewall serves as ftp-server (for those that do this)
#
$IPTABLES -A OUTPUT -p tcp -m multiport -d $PRIV_IP --destination-ports 20,21 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -m multiport --destination-ports 20,21 -m state --state NEW -j ACCEPT

# Identd from firewall (for those that do this)
#
$IPTABLES -A OUTPUT -p tcp -d $PRIV_IP --destination-port 113 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --destination-port 113 -m state --state NEW -j ACCEPT

# ssh access to firewall (yes it's a global thing)
#
$IPTABLES -A OUTPUT -p tcp -d $PRIV_IP --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
# 'catch all' rule to make sure
#
$IPTABLES -A OUTPUT -j DROP
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP

# turning forwarding back on
#
echo 1 > /proc/sys/net/ipv4/ip_forward


The goal here is to allow people on the private network to browse the public Internet from the private network, and to do things like ping, ssl, ftp from private to public (and disallow spoofing).

However, I want to prevent everyone from getting in from the public internet, except to come in using ssl and http and ssl.

Here is my ipchains configuration which I got off the Internet from my "old" system. Based on the documentation, it appeared to do what I wanted to do.

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A forward -s 192.168.55.0/24 -j MASQ
-A forward -i eth0 -j MASQ
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT -l
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT -l
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
-A input -s 204.127.202.4 53 -d 0/0 -p udp -j ACCEPT
-A input -s 216.148.227.68 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT

So, I think I need to rework Greg's script to look a little more like my ipchains. Since I know very little about this, I would appreciate any help I can get.

Thanks,

Glen Austin



Also...
Please run the script I wrote and then do an:
iptables-save and post the output.

If the Firewall can get to everything... I believe it's iproute needing to be installed.
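Greg's request above is to post the iptables-save output; as an added example (not from this thread or from Greg's script), the following POSIX sh audit reads such a dump and reports whether the rules the script is meant to leave in place for Glen's setup actually loaded: DROP default policies, the MASQUERADE rule for the private network out eth0, the stateful FORWARD rules, and the anti-spoofing drops. The interface and network values follow the thread; the helper names and the embedded sample dump are constructed.

```shell
#!/bin/sh
# Audit an iptables-save dump for what Greg's script is meant to set up on Glen's
# firewall. Added example; helper names and the sample dump are constructed.
# Matches use the CIDR form ("-s 192.168.55.0/24") that iptables-save prints.
PUB_IF="eth0"                 # public side, dynamic address from the ISP
PRIV_NET="192.168.55.0/24"    # private LAN behind eth1

# table_section DUMP TABLE: lines belonging to one table (*filter, *nat, ...)
table_section() {
    awk -v t="$2" '/^\*/ { cur = substr($0, 2); next } cur == t' "$1"
}
# has_policy DUMP TABLE CHAIN POLICY: true if the chain's default policy matches
has_policy() {
    table_section "$1" "$2" | grep -q "^:$3 $4 "
}
# has_rule DUMP TABLE CHAIN STRING...: true if one rule in CHAIN contains every STRING
has_rule() {
    rules=$(table_section "$1" "$2" | grep -- "^-A $3 "); shift 3
    for needle in "$@"; do
        rules=$(printf '%s\n' "$rules" | grep -F -- "$needle") || return 1
    done
    [ -n "$rules" ]
}
# check DESCRIPTION COMMAND...: print ok/FAIL and count failures in $fails
check() {
    desc="$1"; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}
# check_ruleset DUMP: run all checks; the return value is the number of failures
check_ruleset() {
    d="$1"; fails=0
    for chain in INPUT OUTPUT FORWARD; do      # the script's -P ... DROP defaults
        check "filter $chain policy is DROP" has_policy "$d" filter "$chain" DROP
    done
    # without this nat rule LAN hosts can reach the firewall but not the Internet
    check "LAN masqueraded out $PUB_IF" has_rule "$d" nat POSTROUTING \
        "-s $PRIV_NET " "-o $PUB_IF " "-j MASQUERADE"
    check "FORWARD keeps established flows" has_rule "$d" filter FORWARD \
        "--state RELATED,ESTABLISHED" "-j ACCEPT"
    check "FORWARD accepts NEW from the LAN" has_rule "$d" filter FORWARD \
        "-s $PRIV_NET " "--state NEW" "-j ACCEPT"
    for chain in INPUT FORWARD; do             # anti-spoofing rules
        check "$chain drops $PRIV_NET arriving on $PUB_IF" has_rule "$d" filter \
            "$chain" "-s $PRIV_NET " "-i $PUB_IF " "-j DROP"
    done
    return "$fails"
}
# Constructed sample of a dump taken after the script ran without errors.
sample_dump() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.55.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 192.168.55.0/24 -i eth0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.55.0/24 -i eth0 -j DROP
-A FORWARD -s 192.168.55.0/24 -m state --state NEW -j ACCEPT
COMMIT
EOF
}
# Usage: sh audit.sh saved-rules.txt; with no argument the sample is checked.
if [ $# -gt 0 ]; then check_ruleset "$1"; else
    tmp=$(mktemp) && sample_dump > "$tmp" && check_ruleset "$tmp"; rm -f "$tmp"
fi
```

A dump taken before the script has ever run (all policies ACCEPT, no rules) fails every check, which is the situation Glen describes further down.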
Any error Spew from...
the script...

Also, you have to have iproute installed on the system (which supplies /sbin/ip); it is required to get packets through the machine... :)

Also, make sure you install iptables too.

Does the Private Interface come up now?

Did you edit the Script to match your environment?

This script has worked for many people... so if it doesn't work for you PLEASE give me the error spew... :)
Re: Any error Spew from...
I put your script into /etc/default/iptables and rebooted the machine. I don't remember seeing any errors, but I'll have to go back to the boot messages and look.

But I need to get to bed at a decent time tonight. I've been sick for 5 days and need the rest.

As for iproute, I don't see it in /sbin or /usr/bin, so that is likely the problem.

I assume it's on one of the Debian disks.

Tomorrow night I'll try to get one of the new "deselect-like" programs loaded and get iproute installed.


Thanks for all your help.

Results of find and which
It appears iproute isn't installed on the machine.

tip - use locate instead of find
locate + grep is generally faster than having find go through a directory.

Other tip while I am at it. I love the -r option on GNU grep...

Cheers,
Ben
"good ideas and bad code build communities, the other three combinations do not"
- [link|http://archives.real-time.com/pipermail/cocoon-devel/2000-October/003023.html|Stefano Mazzocchi]
The script I wrote....
should actually be run after all is done... I usually run it from the console... then do an

/etc/init.d/iptables save
/etc/init.d/iptables save default

That then gives you the proper ruleset at the start... but you still need to add the other things needed... I just have the server run the script at the end of initialization... with RedHat that was easy... just add it to rc.local, with Debian... You have to edit /etc/init.d/bootmisc.sh.

I put in this:
if [ ! -e /tmp/fwscript.ran ]
then
  echo "System Firewall Script running..."
  # run the firewall script as a child process so that the touch below
  # and the rest of bootmisc.sh still execute afterwards
  /etc/init.d/myfirewall.sh
  touch /tmp/fwscript.ran
fi


Just before the dmesg entries; it is also after the cleaning of /tmp, so the marker file should be gone before it checks!

Also, restore the original /etc/default/iptables as that is the one of the files that sets preferences. :)

Hope this helps.
BINGO!!!
I tried installing iproute using dselect just before I went to bed. Retried the connection and it didn't help.

Then, I was up about 1:15am (after not being able to go to sleep due to coughing, after telling you I couldn't get this done tonight), took some meds, and sauntered over to the Debian box.

It then dawned on me that just because I replaced the iptables script in the /etc/default directory and rebooted didn't mean that I actually RAN IT. So, I ran the script, retried the connection from the private network and IT WORKED!!!

I still need to do the iptables save, but it appears to be working. I'll try some stuff with SSL to be sure, but it looks good so far!

Thanks guys!
Edited by gdaustin April 8, 2003, 02:09:58 PM EDT
Great!!!!
Just remember the script should be run from bootmisc.sh as well...

Mainly due to the /proc settings and packet forwarding and so on...

The reason you have a saved set of IPTABLES is for start-up anyway so the network interfaces come up with a set already in place.

The script then sets the default to deny and then flushes everything, then puts it all back in place, plus adding in all the routes, settings in /proc and so on.


Glad to hear everything went well in the end. You should really never have to re-install Linux on the machine again... That is the beauty of Debian: incremental maintenance, never having to run an "installer boot" again. Maybe a reboot for a new Kernel... but that is about it...

TTFN!
Re: Followup...
1. It appears that Konqueror 2.2.2 does not have "out of the box" SSL support.
su -
apt-get update
apt-get install mozilla

3. I think Scott mentioned some "better" replacements for deselect, and I guess I need to go find those.
apt-get install aptitude
apt-get install synaptic

4. It appears that apache (httpd) didn't install, or didn't install where I would expect it to be. The /var/www directory was there. Is something other than Apache installed?
To see if apache is installed:
dpkg -l apache

Output if it is installed should look like this:

[root@halfadozen ~]$ dpkg -l apache
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii apache 1.3.27-0.1 Versatile, high-performance HTTP server


If the status there is "ii" then it's installed. If it's not, then it's not.

Apache is usually controlled now by the apachectl command. Do a which apachectl. It should be in /usr/sbin.
Looks like most of the real apache stuff is installed in /usr/share.

Suggestions:


1) Get familiar with the suite of apt command-line tools: apt-get (install|remove) <packagename> and apt-cache search <search term that doesn't need to be a package name>. These will help you with getting/removing packages (the first part) and searching for packages even if you don't know the name (the second part).

2) Play around with Synaptic and Aptitude. Both are basically the same thing, but Synaptic's got a gui on it. Aptitude doesn't.

3) Dink with the dpkg command. Get to know what all the different result codes (like the "ii" above) mean. This is an easy way to tell if packages are installed or not.

4) apt-get install deborphan. Nice tool for keeping a clean system. It finds orphaned packages (packages that you have installed on your system, but that nothing relies on) and gives you a nice interface to remove 'em. Its command is deborphan.
-YendorMike

[link|http://www.hope-ride.org/|http://www.hope-ride.org/]
Konqueror SSL: kdebase-crypto

First lesson: learn your tools. apt-cache search ssl | grep kde gives you kdebase-crypto - KDE crypto control module. Note that in many cases, crypto capabilities are disaggregated due to restrictions in many jurisdictions on import/export or merely access to strong crypto.


You'll want aptitude (as Greg indicated). apt-cache allows searching archives for terms (only within text fields of the package description, however). There's a package search utility at the Debian website (under packages). And apt-file lets you search for any file in any Debian package, installed or not. You'll need to update the apt-file archive periodically, of course.

--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]
What part of "gestalt" don't you understand?
[link|http://twiki.iwethey.org/twiki/bin/view/Main/|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.

Keep software free. Oppose the CBDTPA. Kill S.2048 dead.
[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]