I configure my iptables setup with gShield. I "normally" use ppp and a modem to connect to the web, but recently I have been using wireless networks more and more.
However, when I try to access a wireless net my firewall always stops me, and I can only connect when I stop iptables.
I think it is something to do with DHCP but I dunno where to even start.
I have only changed the most basic settings in gShield - I don't do any port forwarding as I don't have any service running on my machine.
Another thing - some nmap actions fail as well while the firewall is up.
Wouldn't be any kind of an expert here, dibb, but do gShield and/or iptables generate logs anywhere? Specifically, can you see what traffic is being stopped when your connection attempt fails?
I run an IPCop firewall myself, and anytime I fail to connect for any reason, I can examine the logs to see if anything didn't get through, then adjust the IPCop config accordingly.
gShield (on my Slack 9.1 box) logs to the console and to the syslog. IIRC you will have to set the interface connecting to the Internet in the config file. The variable is called LOCALIF in gShield.conf.
Out / Gone
Migrating all my machines off ArchLinux. No longer part of the ArchLinux community / users.
Done. Goodbye.
puntnuts - yup - I got that covered.
tomk - I looked for logs but I can't find the buggers that I would expect - I don't actually run the gShield.rc as my firewall - I save the output to iptable.rules and use iptables - but I just can't find the output logs anywhere - I checked the gShield settings to see if I missed a logging option.
I've also checked the usual logs and seen some firewall activity but nothing that seems to make sense re my setup.
Still can't find any logs from gShield - am going to try qtables and guarddog - why ain't guarddog in the repos? It's like the KDE equivalent of firestarter.
Perhaps it helps if you put here your iptables config, so someone can tell what's wrong with it. If it's too big then remove the unnecessary and unimportant rules.
OK - here it is:
# Generated by iptables-save v1.3.1 on Sat Mar 19 21:08:43 2005
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [1:59]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Mar 19 21:08:43 2005
# Generated by iptables-save v1.3.1 on Sat Mar 19 21:08:43 2005
*mangle
:PREROUTING ACCEPT [14:964]
:INPUT ACCEPT [14:964]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14:964]
:POSTROUTING ACCEPT [14:964]
-A PREROUTING -m state --state INVALID -j LOG --log-prefix "gShield (INVALID drop) "
-A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 23 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 119 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 23 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 119 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 110 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 143 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 6660:6669 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 7000 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 7500 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 7501 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 7777 -j TOS --set-tos 0x10
COMMIT
# Completed on Sat Mar 19 21:08:43 2005
# Generated by iptables-save v1.3.1 on Sat Mar 19 21:08:43 2005
*filter
:ACCEPTnLOG - [0:0]
:BLACKLIST - [0:0]
:BLOCK_OUT - [0:0]
:CLIENT - [0:0]
:CLOSED - [0:0]
:DHCP - [0:0]
:DMZ - [0:0]
:DNS - [0:0]
:DROPICMP - [0:0]
:DROPnLOG - [0:0]
:HIGHPORT - [0:0]
:INPUT DROP [2:118]
:FORWARD DROP [0:0]
:MON_OUT - [0:0]
:MULTICAST - [0:0]
:OPENPORT - [0:0]
:OUTPUT ACCEPT [14:964]
:PUBLIC - [0:0]
:RESERVED - [0:0]
:SCAN - [0:0]
:SERVICEDROP - [0:0]
:STATEFUL - [0:0]
:loopback - [0:0]
-A ACCEPTnLOG -j LOG --log-prefix "gShield (accept) " --log-level 1
-A ACCEPTnLOG -j ACCEPT
-A BLACKLIST -j LOG --log-prefix "gShield (blacklisted drop) " --log-level 1
-A BLACKLIST -j DROP
-A BLOCK_OUT -j DROP
-A CLIENT -j ACCEPT
-A CLOSED -j LOG --log-prefix "gShield (closed port drop) " --log-level 1
-A CLOSED -p tcp -j DROP
-A CLOSED -p udp -j REJECT --reject-with icmp-port-unreachable
-A CLOSED -j DROP
-A DHCP -j LOG --log-prefix "gShield (DHCP accept) " --log-level 1
-A DHCP -j ACCEPT
-A DMZ -j LOG --log-prefix "gShield (DMZ drop) " --log-level 1
-A DMZ -j DROP
-A DNS -j ACCEPT
-A DROPICMP -j DROP
-A DROPnLOG -p udp -m udp --dport 137:139 -j DROP
-A DROPnLOG -p tcp -m tcp --sport 80 --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A DROPnLOG -d 255.255.255.255 -p udp -m udp --sport 67 --dport 68 -j DROP
-A DROPnLOG -m limit --limit 20/min -j LOG --log-prefix "gShield (default drop) " --log-level 1
-A DROPnLOG -p 47 -m limit --limit 20/min -j LOG --log-prefix "gShield (default drop / GRE) " --log-level 1
-A DROPnLOG -p tcp -j DROP
-A DROPnLOG -p udp -j REJECT --reject-with icmp-port-unreachable
-A DROPnLOG -j DROP
-A HIGHPORT -j ACCEPT
-A INPUT -i lo -j loopback
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j RESERVED
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j RESERVED
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.1 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.2 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.4 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.5 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.6 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.9 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.13 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.15 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.1 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.2 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.4 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.5 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.6 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.9 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.13 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.15 -i eth0 -j MULTICAST
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -j DROPICMP
-A INPUT -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -s 192.168.1.1 -i eth0 -p udp -m udp --sport 67 --dport 68 -j DHCP
-A INPUT -s 132.163.135.130 -p udp -m udp --sport 123 --dport 1024:65535 -j ACCEPT
-A INPUT -s 128.118.25.3 -p udp -m udp --sport 123 --dport 1024:65535 -j ACCEPT
-A INPUT -s 131.107.1.10 -p udp -m udp --sport 123 --dport 1024:65535 -j ACCEPT
-A INPUT -s 192.168.1.1 -p udp -m udp --sport 53 -j DNS
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j STATEFUL
-A FORWARD -o eth0 -p tcp -m tcp --dport 137 -j BLOCK_OUT
-A FORWARD -o eth0 -p udp -m udp --dport 137 -j BLOCK_OUT
-A FORWARD -o eth0 -p tcp -m tcp --dport 138 -j BLOCK_OUT
-A FORWARD -o eth0 -p udp -m udp --dport 138 -j BLOCK_OUT
-A FORWARD -o eth0 -p tcp -m tcp --dport 139 -j BLOCK_OUT
-A FORWARD -o eth0 -p udp -m udp --dport 139 -j BLOCK_OUT
-A FORWARD -j STATEFUL
-A MON_OUT -j ACCEPT
-A MULTICAST -j DROP
-A OPENPORT -j ACCEPT
-A OUTPUT -o lo -j loopback
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -o eth0 -p tcp -m tcp --dport 137 -j BLOCK_OUT
-A OUTPUT -o eth0 -p udp -m udp --dport 137 -j BLOCK_OUT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 138 -j BLOCK_OUT
-A OUTPUT -o eth0 -p udp -m udp --dport 138 -j BLOCK_OUT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 139 -j BLOCK_OUT
-A OUTPUT -o eth0 -p udp -m udp --dport 139 -j BLOCK_OUT
-A PUBLIC -j ACCEPT
-A RESERVED -p tcp -j DROP
-A RESERVED -p udp -j REJECT --reject-with icmp-port-unreachable
-A RESERVED -j DROP
-A SCAN -j LOG --log-prefix "gShield (possible port scan) " --log-level 1
-A SCAN -j DROP
-A SERVICEDROP -j LOG --log-prefix "gShield (service drop) " --log-level 1
-A SERVICEDROP -p tcp -j DROP
-A SERVICEDROP -p udp -j REJECT --reject-with icmp-port-unreachable
-A SERVICEDROP -j DROP
-A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEFUL -i ! eth0 -m state --state NEW -j ACCEPT
-A STATEFUL -j DROPnLOG
-A loopback -i lo -j ACCEPT
COMMIT
# Completed on Sat Mar 19 21:08:43 2005
DHCP uses UDP on port 67, so if you allow all incoming packets from that port then DHCP should work.
Not really, I didn't read his awfully long rules well enough, and missed the:
-A INPUT -s 192.168.1.1 -i eth0 -p udp -m udp --sport 67 --dport 68 -j DHCP
The problem with the rules seems to be that the network is hardcoded to 192.168.1.0, while it can be something else.
Thanks i3839 - as I said, these rules are generated by gShield - I don't exactly know what they are all for, tho I do know what they do - hence my listing all of them! gShield is supposed to be able to account for DHCP I think, and are you saying it has set a static IP too? Cos that ain't right!
It hardcodes the network to 192.168.1.0 and the DHCP to 192.168.1.1, which is bad because it can be anything at all. Just make only device-specific rules for eth0 etc. and remove all the hardcoded IPs, maybe that helps. Also disable masquerading, I doubt your laptop is going to be a NAT router.
i3839 - I think I'll just stop using gShield for my iptables rule gen!
Good idea, making your own iptables rules isn't that hard if you don't try anything too fancy.
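A minimal hand-written ruleset of the kind i3839 describes (interface-specific rules, no hardcoded network or server addresses, no masquerading), added here as an example; it is not gShield output and not code from anyone in this thread. In the posted dump the only DHCP rule accepts replies solely from 192.168.1.1, and the DROPnLOG chain silently drops replies addressed to 255.255.255.255 before its LOG rules, which is consistent with the connection failing on other networks without leaving a log entry. The script assumes the DHCP interface is called eth0 (overridable with WAN=), uses the same legacy -m state match as the gShield rules, and defaults to a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Minimal stateful firewall for a DHCP laptop (added example, not gShield output).
# Rules are keyed on the interface name only; no network or server address is
# hardcoded, so the same script works on any wired or wireless network.
#
# gen_rules CMD IFACE
#   CMD   - command run for each rule: "iptables" to apply, or
#           "echo iptables" to print a dry run without touching the kernel
#   IFACE - interface that gets its address by DHCP (assumed name: eth0)
gen_rules() {
    ipt="$1"
    wan="$2"

    # Start from a clean slate: drop unsolicited inbound and forwarded traffic,
    # allow everything this host sends out.
    $ipt -F
    $ipt -X
    $ipt -t nat -F          # no MASQUERADE rule: a laptop is not a NAT router
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    # Loopback is always allowed.
    $ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened; throw away malformed state.
    $ipt -A INPUT -m state --state INVALID -j DROP
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DHCP: the server answers from udp/67 to udp/68. The OFFER is often sent to
    # 255.255.255.255 before the client has an address, so match only on the
    # interface and the port pair, never on a fixed server or network address.
    $ipt -A INPUT -i "$wan" -p udp --sport 67 --dport 68 -j ACCEPT

    # ICMP needed for path MTU discovery, traceroute and ping replies.
    $ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $ipt -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

    # Log (rate-limited) whatever is about to hit the DROP policy, so a failed
    # connection leaves a trace in syslog instead of vanishing silently.
    $ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw (input drop) "
}

# Dry run by default; run as root with IPT=iptables to apply, and WAN=wlan0
# (or whatever the wireless interface is called) to choose the interface.
gen_rules "${IPT:-echo iptables}" "${WAN:-eth0}"
```

Running the script with no variables prints the rule list for review; `IPT=iptables WAN=wlan0 sh fw.sh` applies it. The broadcast DHCP reply is the reason the ESTABLISHED,RELATED match alone is not enough: conntrack pairs the client's DISCOVER with a reply to the same address pair, and a reply sent to 255.255.255.255 does not match it, hence the explicit port-pair rule. One caveat when testing: clients such as ISC dhclient send and receive DHCP through raw packet sockets, which bypass the INPUT chain entirely, so a missing DHCP rule shows up only with clients that use ordinary UDP sockets, and the rate-limited LOG line at the end is the quickest way to see which packets are actually being refused.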