
#1 2005-03-08 09:20:23

dtw
Forum Fellow
From: London, UK
Registered: 2004-08-03
Posts: 4,428

firewall preventing access to wifi network?

i configure my iptables setup with gShield.  I "normally" use ppp and a modem to connect to the web but recently i have been using wireless networks more and more.

However, when i try to access a wireless net my firewall always stops me and i can only connect when I stop iptables.

i think it is something do with DHCP but i dunno where to even start.

I have only changed the most basic settings in gShield - i don't do any port forwarding as i don't have any service running on my machine.

Another thing - some nmap actions fail as well while the firewall is up


#2 2005-03-09 12:59:22

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,835

Re: firewall preventing access to wifi network?

Wouldn't be any kind of an expert here, dibb, but do gShield and/or iptables generate logs anywhere? Specifically, can you see what traffic is being stopped when your connection attempt fails?

I run an IPCop firewall myself, and anytime I fail to connect for any reason, I can examine the logs to see if anything didn't get through, then adjust the IPCop config accordingly.


#3 2005-03-09 13:44:53

puntmuts
Member
Registered: 2005-02-22
Posts: 138

Re: firewall preventing access to wifi network?

gShield (on my Slack 9.1 box) logs to the console and to the syslog. IIRC you will have to set the interface connecting to the Internet in the config file. The variable is called LOCALIF in gShield.conf.


Out / Gone
Migrating all my machines off ArchLinux. No longer part of the ArchLinux community / users.
Done. Goodbye.


#4 2005-03-10 11:05:44

dtw
Forum Fellow
From: London, UK
Registered: 2004-08-03
Posts: 4,428

Re: firewall preventing access to wifi network?

puntmuts - yup - i got that covered smile

tomk - i've looked for logs but i can't find the buggers that i would expect - i don't actually run the gShield.rc as my firewall - i save the output to iptable.rules and use iptables - but i just can't find the output logs anywhere - i checked the gShield settings to see if i missed a logging option.

i've also checked the usual logs and seen some firewall activity but nothing that seems to make sense re my setup


#5 2005-03-28 05:59:27

dtw
Forum Fellow
From: London, UK
Registered: 2004-08-03
Posts: 4,428

Re: firewall preventing access to wifi network?

still can't find any logs from gShield - am going to try qtables and guarddog - why ain't guarddog in the repos?  It's like the kde equivalent of firestarter


#6 2005-03-28 10:00:52

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: firewall preventing access to wifi network?

Perhaps it helps if you put here your iptables config, so someone can tell what's wrong with it. If it's too big then remove the unnecessary and unimportant rules.


#7 2005-03-28 10:21:00

dtw
Forum Fellow
From: London, UK
Registered: 2004-08-03
Posts: 4,428

Re: firewall preventing access to wifi network?

ok - here it is:

# Generated by iptables-save v1.3.1 on Sat Mar 19 21:08:43 2005
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [1:59]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE 
COMMIT
# Completed on Sat Mar 19 21:08:43 2005
# Generated by iptables-save v1.3.1 on Sat Mar 19 21:08:43 2005
*mangle
:PREROUTING ACCEPT [14:964]
:INPUT ACCEPT [14:964]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14:964]
:POSTROUTING ACCEPT [14:964]
-A PREROUTING -m state --state INVALID -j LOG --log-prefix "gShield (INVALID drop) " 
-A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08 
-A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10 
-A PREROUTING -p tcp -m tcp --sport 23 -j TOS --set-tos 0x10 
-A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos 0x08 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j TOS --set-tos 0x08 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 119 -j TOS --set-tos 0x08 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 23 -j TOS --set-tos 0x10 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j TOS --set-tos 0x10 
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j TOS --set-tos 0x10 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 119 -j TOS --set-tos 0x10 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 110 -j TOS --set-tos 0x10 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 143 -j TOS --set-tos 0x10 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 6660:6669 -j TOS --set-tos 0x10 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 7000 -j TOS --set-tos 0x10 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 7500 -j TOS --set-tos 0x10 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 7501 -j TOS --set-tos 0x10 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 7777 -j TOS --set-tos 0x10 
COMMIT
# Completed on Sat Mar 19 21:08:43 2005
# Generated by iptables-save v1.3.1 on Sat Mar 19 21:08:43 2005
*filter
:ACCEPTnLOG - [0:0]
:BLACKLIST - [0:0]
:BLOCK_OUT - [0:0]
:CLIENT - [0:0]
:CLOSED - [0:0]
:DHCP - [0:0]
:DMZ - [0:0]
:DNS - [0:0]
:DROPICMP - [0:0]
:DROPnLOG - [0:0]
:HIGHPORT - [0:0]
:INPUT DROP [2:118]
:FORWARD DROP [0:0]
:MON_OUT - [0:0]
:MULTICAST - [0:0]
:OPENPORT - [0:0]
:OUTPUT ACCEPT [14:964]
:PUBLIC - [0:0]
:RESERVED - [0:0]
:SCAN - [0:0]
:SERVICEDROP - [0:0]
:STATEFUL - [0:0]
:loopback - [0:0]
-A ACCEPTnLOG -j LOG --log-prefix "gShield (accept) " --log-level 1 
-A ACCEPTnLOG -j ACCEPT 
-A BLACKLIST -j LOG --log-prefix "gShield (blacklisted drop) " --log-level 1 
-A BLACKLIST -j DROP 
-A BLOCK_OUT -j DROP 
-A CLIENT -j ACCEPT 
-A CLOSED -j LOG --log-prefix "gShield (closed port drop) " --log-level 1 
-A CLOSED -p tcp -j DROP 
-A CLOSED -p udp -j REJECT --reject-with icmp-port-unreachable 
-A CLOSED -j DROP 
-A DHCP -j LOG --log-prefix "gShield (DHCP accept) " --log-level 1 
-A DHCP -j ACCEPT 
-A DMZ -j LOG --log-prefix "gShield (DMZ drop) " --log-level 1 
-A DMZ -j DROP 
-A DNS -j ACCEPT 
-A DROPICMP -j DROP 
-A DROPnLOG -p udp -m udp --dport 137:139 -j DROP 
-A DROPnLOG -p tcp -m tcp --sport 80 --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A DROPnLOG -d 255.255.255.255 -p udp -m udp --sport 67 --dport 68 -j DROP 
-A DROPnLOG -m limit --limit 20/min -j LOG --log-prefix "gShield (default drop) " --log-level 1 
-A DROPnLOG -p 47 -m limit --limit 20/min -j LOG --log-prefix "gShield (default drop / GRE) " --log-level 1 
-A DROPnLOG -p tcp -j DROP 
-A DROPnLOG -p udp -j REJECT --reject-with icmp-port-unreachable 
-A DROPnLOG -j DROP 
-A HIGHPORT -j ACCEPT 
-A INPUT -i lo -j loopback 
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT 
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j RESERVED 
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j RESERVED 
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j RESERVED 
-A INPUT -s 224.0.0.1 -i eth0 -j RESERVED 
-A INPUT -s 224.0.0.2 -i eth0 -j RESERVED 
-A INPUT -s 224.0.0.4 -i eth0 -j RESERVED 
-A INPUT -s 224.0.0.5 -i eth0 -j RESERVED 
-A INPUT -s 224.0.0.6 -i eth0 -j RESERVED 
-A INPUT -s 224.0.0.9 -i eth0 -j RESERVED 
-A INPUT -s 224.0.0.13 -i eth0 -j RESERVED 
-A INPUT -s 224.0.0.15 -i eth0 -j RESERVED 
-A INPUT -s 224.0.0.1 -i eth0 -j MULTICAST 
-A INPUT -s 224.0.0.2 -i eth0 -j MULTICAST 
-A INPUT -s 224.0.0.4 -i eth0 -j MULTICAST 
-A INPUT -s 224.0.0.5 -i eth0 -j MULTICAST 
-A INPUT -s 224.0.0.6 -i eth0 -j MULTICAST 
-A INPUT -s 224.0.0.9 -i eth0 -j MULTICAST 
-A INPUT -s 224.0.0.13 -i eth0 -j MULTICAST 
-A INPUT -s 224.0.0.15 -i eth0 -j MULTICAST 
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A INPUT -p icmp -j DROPICMP 
-A INPUT -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT 
-A INPUT -s 192.168.1.1 -i eth0 -p udp -m udp --sport 67 --dport 68 -j DHCP 
-A INPUT -s 132.163.135.130 -p udp -m udp --sport 123 --dport 1024:65535 -j ACCEPT 
-A INPUT -s 128.118.25.3 -p udp -m udp --sport 123 --dport 1024:65535 -j ACCEPT 
-A INPUT -s 131.107.1.10 -p udp -m udp --sport 123 --dport 1024:65535 -j ACCEPT 
-A INPUT -s 192.168.1.1 -p udp -m udp --sport 53 -j DNS 
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable 
-A INPUT -j STATEFUL 
-A FORWARD -o eth0 -p tcp -m tcp --dport 137 -j BLOCK_OUT 
-A FORWARD -o eth0 -p udp -m udp --dport 137 -j BLOCK_OUT 
-A FORWARD -o eth0 -p tcp -m tcp --dport 138 -j BLOCK_OUT 
-A FORWARD -o eth0 -p udp -m udp --dport 138 -j BLOCK_OUT 
-A FORWARD -o eth0 -p tcp -m tcp --dport 139 -j BLOCK_OUT 
-A FORWARD -o eth0 -p udp -m udp --dport 139 -j BLOCK_OUT 
-A FORWARD -j STATEFUL 
-A MON_OUT -j ACCEPT 
-A MULTICAST -j DROP 
-A OPENPORT -j ACCEPT 
-A OUTPUT -o lo -j loopback 
-A OUTPUT -p icmp -m state --state INVALID -j DROP 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 137 -j BLOCK_OUT 
-A OUTPUT -o eth0 -p udp -m udp --dport 137 -j BLOCK_OUT 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 138 -j BLOCK_OUT 
-A OUTPUT -o eth0 -p udp -m udp --dport 138 -j BLOCK_OUT 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 139 -j BLOCK_OUT 
-A OUTPUT -o eth0 -p udp -m udp --dport 139 -j BLOCK_OUT 
-A PUBLIC -j ACCEPT 
-A RESERVED -p tcp -j DROP 
-A RESERVED -p udp -j REJECT --reject-with icmp-port-unreachable 
-A RESERVED -j DROP 
-A SCAN -j LOG --log-prefix "gShield (possible port scan) " --log-level 1 
-A SCAN -j DROP 
-A SERVICEDROP -j LOG --log-prefix "gShield (service drop) " --log-level 1 
-A SERVICEDROP -p tcp -j DROP 
-A SERVICEDROP -p udp -j REJECT --reject-with icmp-port-unreachable 
-A SERVICEDROP -j DROP 
-A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A STATEFUL -i ! eth0 -m state --state NEW -j ACCEPT 
-A STATEFUL -j DROPnLOG 
-A loopback -i lo -j ACCEPT 
COMMIT
# Completed on Sat Mar 19 21:08:43 2005

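tomk's suggestion of reading the logs and puntmuts's note that gShield logs through syslog, as an added example that is not from the thread: a Python parser for the key=value lines netfilter's LOG target writes, run over constructed syslog lines that use the log prefixes from the dump above (the host name, addresses, ports and timestamps are made up).

```python
import re
from collections import Counter

# Constructed syslog lines in the format of netfilter's LOG target, with the --log-prefix
# strings from the posted gShield rules. Not real log output; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 28 10:00:01 laptop kernel: gShield (default drop) IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=7 DF PROTO=TCP SPT=3310 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 28 10:00:02 laptop kernel: gShield (default drop) IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=8 DF PROTO=TCP SPT=3311 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 28 10:00:04 laptop kernel: gShield (DHCP accept) IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.23 LEN=328 TOS=0x10 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=308
Mar 28 10:00:07 laptop kernel: gShield (INVALID drop) IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=40122 WINDOW=0 RES=0x00 RST URGP=0
Mar 28 10:00:09 laptop sshd[412]: Accepted publickey for dtw from 192.168.1.5 port 51000 ssh2
"""

# The prefix is whatever the rule's --log-prefix said, followed by the packet fields.
LINE_RE = re.compile(r"kernel: (?P<prefix>gShield \([^)]*\)) (?P<fields>.*)$")

def parse_netfilter_log(text):
    """Return one dict per gShield LOG line: the prefix plus the KEY=VALUE fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a netfilter LOG line (sshd etc.)
        ev = {"prefix": m.group("prefix")}
        for tok in m.group("fields").split():
            if "=" in tok:
                key, _, val = tok.partition("=")
                ev.setdefault(key, val)  # LEN= appears twice (IP, then UDP); keep the IP one
            else:
                ev.setdefault("flags", []).append(tok)  # bare tokens: DF, SYN, RST, ...
        events.append(ev)
    return events

def summarize(text):
    """Count events by (prefix, protocol, destination port): what is being stopped, and where."""
    return Counter((e["prefix"], e.get("PROTO"), e.get("DPT")) for e in parse_netfilter_log(text))

if __name__ == "__main__":
    for (prefix, proto, dport), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {prefix:26s} {proto} dport {dport}")
```

A DHCP reply the chain let through shows up under "gShield (DHCP accept)"; one stopped by the RESERVED chain never shows up at all, because that chain in the dump has no LOG rule before its DROP and REJECT.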

#8 2005-03-28 11:02:58

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: firewall preventing access to wifi network?

DHCP uses UDP on port 67, so if you allow all incoming packets from that port then DHCP should work.


#9 2005-03-28 16:26:38

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879

Re: firewall preventing access to wifi network?

nice one, i3839


#10 2005-03-28 17:53:31

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: firewall preventing access to wifi network?

Not really, I didn't read his awfully long rules well enough, and missed the:

-A INPUT -s 192.168.1.1 -i eth0 -p udp -m udp --sport 67 --dport 68 -j DHCP

The problem with the rules seems to be that the network is hardcoded to 192.168.1.0, while it can be something else.


#11 2005-03-29 07:14:50

dtw
Forum Fellow
From: London, UK
Registered: 2004-08-03
Posts: 4,428

Re: firewall preventing access to wifi network?

thanks i3839 - as i said, these rules are generated by gShield - i don't exactly know what they are all for tho i do know what they do - hence my listing all of them!  gShield is supposed to be able to account for DHCP i think and are you saying it has set a static IP too?  Cos that ain't right!


#12 2005-03-29 13:22:26

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: firewall preventing access to wifi network?

It hardcodes the network to 192.168.1.0 and the DHCP to 192.168.1.1, which is bad because it can be anything at all. Just make only device specific rules for eth0 etc. and remove all the hardcoded IPs, maybe that helps. Also disable masquerading, I doubt your laptop is going to be a NAT router.

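i3839's diagnosis in posts #8, #10 and #12, as an added example that is not from the thread: a Python walk of the INPUT rules from the dump that a DHCP server reply can reach, showing why a reply from 192.168.1.1 gets through while the same reply on a 10.0.0.0/24 wifi network is dropped, next to an interface-keyed rewrite of those rules along the lines i3839 suggests (the rewrite, the per-chain verdict table and the sample addresses are my assumptions, not gShield output).

```python
import ipaddress
# INPUT rules from the posted dump that a DHCP server reply can reach, in iptables order
# (first match wins); the remaining INPUT rules cannot match such a packet.
POSTED_INPUT = [
    "-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT",
    "-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j RESERVED",
    "-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j RESERVED",
    "-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j RESERVED",
    "-A INPUT -s 192.168.1.1 -i eth0 -p udp -m udp --sport 67 --dport 68 -j DHCP",
    "-A INPUT -j STATEFUL",
]
# The same chain along i3839's advice (my rewrite, not gShield output): DHCP keyed on the
# interface alone and no hardcoded networks, so it holds on whatever LAN eth0 joins.
INTERFACE_KEYED_INPUT = [
    "-A INPUT -i eth0 -p udp -m udp --sport 67 --dport 68 -j DHCP",
    "-A INPUT -j STATEFUL",
]
# Final verdict of each user chain in the dump for a NEW packet. STATEFUL accepts NEW only
# on interfaces other than eth0 (-i ! eth0); on eth0 it falls through to DROPnLOG.
CHAIN_VERDICT = {"ACCEPT": lambda p: "ACCEPT", "DHCP": lambda p: "ACCEPT", "RESERVED": lambda p: "DROP",
                 "STATEFUL": lambda p: "ACCEPT" if p["iface"] != "eth0" else "DROP"}
MATCH_OPTS = ("-s", "-d", "-i", "-p", "--sport", "--dport", "-j")

def parse_rule(rule):
    """Pick the match options this simulator understands out of one iptables-save line."""
    toks = rule.split()
    return {t: toks[i + 1] for i, t in enumerate(toks) if t in MATCH_OPTS}

def matches(opts, pkt):
    return all([  # ip_network() understands the /255.255.255.0 netmask form used in the dump
        "-s" not in opts or pkt["src"] in ipaddress.ip_network(opts["-s"]),
        "-d" not in opts or pkt["dst"] in ipaddress.ip_network(opts["-d"]),
        "-i" not in opts or pkt["iface"] == opts["-i"],
        "-p" not in opts or pkt["proto"] == opts["-p"],
        "--sport" not in opts or pkt["sport"] == int(opts["--sport"]),
        "--dport" not in opts or pkt["dport"] == int(opts["--dport"]),
    ])

def verdict(pkt, chain):
    """Walk the chain as iptables would; return (verdict, rule that decided it)."""
    for rule in chain:
        opts = parse_rule(rule)
        if matches(opts, pkt):
            return CHAIN_VERDICT[opts["-j"]](pkt), rule
    return "DROP", "chain policy (:INPUT DROP)"

def dhcp_reply(server, client, iface="eth0"):
    """A DHCP server reply as the filter table sees it: UDP from port 67 to port 68."""
    return {"src": ipaddress.ip_address(server), "dst": ipaddress.ip_address(client),
            "iface": iface, "proto": "udp", "sport": 67, "dport": 68}
```

Because STATEFUL accepts NEW packets on any interface other than eth0, the outcome also depends on the name the wireless card gets; the simulation assumes it is eth0, the interface the posted rules are written for.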

#13 2005-03-30 05:58:12

dtw
Forum Fellow
From: London, UK
Registered: 2004-08-03
Posts: 4,428

Re: firewall preventing access to wifi network?

i3839 - i think i'll just stop using gShield for my iptable rule gen!


#14 2005-03-30 13:21:35

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: firewall preventing access to wifi network?

Good idea. Making your own iptables rules isn't that hard if you don't try anything too fancy.

