Fedora Linux Support Community & Resources Center
#1  3rd December 2011, 11:27 PM
FlyMyPG
Bad firewall from system-config-firewall

IP Masquerade suddenly stopped working on my Fedora 15 system just after I added a Brother printer/scanner (HL-2280DW) to my home network. I don't recall what I may have done, but I do know I didn't run iptables or system-config-firewall, though the driver installer from Brother could have tried to tweak the firewall.

Since my F15 system is headless (it's my home server, gateway and firewall), I did everything remotely via SSH from my main workstation, an Ubuntu 11.10 system. The only other system on my home LAN is a Windows HTPC. Both the Ubuntu and Windows systems lost internet connectivity after the printer was installed, though they could communicate with the F15 system, the new printer, and each other.

On the F15 system, eth0 connects to the Internet via a cable modem, and eth1 connects to the home LAN. The printer is connected to the LAN, and the Ubuntu and Windows systems connect to the LAN via an 802.11g access point (which works great). All systems are able to use the new printer and its scanner.

Let's start with the firewall state as it was on my system when the problem was initially found. Though I do understand general firewall and network concepts, I don't understand iptables, so I'm not sure what's going on here.

Code:
$ sudo iptables-save
# Generated by iptables-save v1.4.10
*nat
:PREROUTING ACCEPT [11940:764498]
:INPUT ACCEPT [203:35026]
:OUTPUT ACCEPT [8808:832053]
:POSTROUTING ACCEPT [17435:1306259]
-A POSTROUTING -o eth1 -j MASQUERADE 
COMMIT
# Generated by iptables-save v1.4.10
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4531921:2029434194]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -i eth1 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -p icmp -j ACCEPT 
-A FORWARD -i lo -j ACCEPT 
-A FORWARD -i eth1 -j ACCEPT 
-A FORWARD -o eth1 -j ACCEPT 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT
I tried using system-config-firewall to correct the situation, but despite repeatedly enabling forwarding and making all other settings generic, the above firewall persisted, and IPMasq was still not working.

Note: To get system-config-firewall to run remotely over an X11-SSH connection, I had to use this command: "sudo -E system-config-firewall" I was unable to get the GUI to work any other way.

I am not presently using Fedora's new FirewallD daemon.

I was going to try using Firestarter, but was surprised to find it hasn't been part of Fedora for a long time (it works great with Ubuntu). I also used Shorewall long ago, but it has become very complex over the years.

I went online and searched for a minimal iptables rule set that would enable IP MASQ and little else, and implemented those rules on my system. (Note: Chrome is totally unusable running remotely over an X11-SSH connection - Firefox works *much* better.)

Code:
# /sbin/iptables -F
# /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
And here's the resulting firewall:

Code:
$ sudo iptables-save
# Generated by iptables-save v1.4.10
*nat
:PREROUTING ACCEPT [242:15844]
:INPUT ACCEPT [6:1277]
:OUTPUT ACCEPT [177:25557]
:POSTROUTING ACCEPT [42:7392]
-A POSTROUTING -o eth1 -j MASQUERADE 
-A POSTROUTING -o eth0 -j MASQUERADE 
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Generated by iptables-save v1.4.10
*filter
:INPUT ACCEPT [44193:16722873]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49498:29664447]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i eth1 -o eth0 -j ACCEPT 
COMMIT
The rules above permitted MASQ to work. I'm not sure why the eth0 MASQ line appears twice, but it didn't seem to hurt firewall operation. To make sure the firewall was at least minimally secure, I ran all of the GRC "Shields Up!!" checks, and all tests passed.

Next, I ran 'sudo -E system-config-firewall' once more, and it installed the bad firewall again!

So, what's wrong? Is the F15 system-config-firewall insane? It has always worked fine for me, though the last time I ran it was when I installed F15, and I don't know if it has been updated since. Could it resent being run over SSH, or via 'sudo -E'?

At some point, I'll drag a monitor over to the F15 system to see if things behave differently there, but for the moment I'm very confused.

TIA,

-BobC
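As an added example (not code from the original post), the shell script below generates the kind of minimal two-NIC masquerading ruleset the post ends up with, in iptables-restore format, and includes a check that reads an iptables-save dump and flags the two things visible in the listings above: a MASQUERADE rule whose -o interface is not the WAN side, and a rule listed twice. It assumes the post's layout (eth0 to the cable modem, eth1 to the LAN) and a placeholder LAN subnet of 192.168.1.0/24; the dump it checks is the post's second iptables-save listing, copied in as constructed test input. Two points the script's comments record: masquerading with `-o eth1` rewrites packets heading into the LAN rather than out to the Internet, so LAN clients' packets leave eth0 with private source addresses that nothing upstream can answer; and `iptables -F` without `-t nat` flushes only the filter table, which is why the eth1 rule survived the flush and a second eth0 rule could accumulate on a repeat run.

```shell
#!/bin/sh
# Added example (not code from the original post): generate a minimal
# two-NIC masquerading gateway ruleset and sanity-check an iptables-save
# dump for the mistakes visible in the post's listings.
# Assumptions: WAN=eth0 (cable modem), LAN=eth1, as in the post; the LAN
# subnet 192.168.1.0/24 is a placeholder to adjust for the real network.

# gen_gateway_rules WAN LAN LAN_CIDR
# Prints a complete ruleset in iptables-restore format (both tables).
gen_gateway_rules() {
    wan=$1; lan=$2; lan_net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT only what leaves via the WAN side. "-o $lan" would rewrite packets
# heading into the LAN instead, and LAN clients' packets would leave $wan
# with private source addresses that nothing on the Internet can answer.
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Forward new connections only from the LAN outwards; replies come back
# through the conntrack state match, so nothing unsolicited from $wan
# is forwarded into the LAN.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# check_masq_dump WAN < iptables-save-output
# Exit 0 when every MASQUERADE rule in the nat table leaves via WAN and
# none is listed twice; otherwise print one line per problem and exit 1.
check_masq_dump() {
    awk -v wan="$1" '
        BEGIN { bad = 0 }
        /^\*/ { table = substr($0, 2) }          # "*nat" / "*filter"
        table == "nat" && /-j MASQUERADE/ {
            if ($0 !~ ("-o " wan "( |$)")) { print "wrong-interface: " $0; bad = 1 }
            if (seen[$0]++)                 { print "duplicate: " $0;       bad = 1 }
        }
        END { exit bad }'
}

# Constructed test input: the second iptables-save listing from the post.
# It shows the eth1 rule that survived "iptables -F" (which flushes only the
# filter table; the nat table needs "iptables -t nat -F") and the doubled
# eth0 rule.
sample_post_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [242:15844]
:INPUT ACCEPT [6:1277]
:OUTPUT ACCEPT [177:25557]
:POSTROUTING ACCEPT [42:7392]
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [44193:16722873]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49498:29664447]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF
}

demo() {
    echo "== problems in the post's dump (WAN=eth0) =="
    sample_post_dump | check_masq_dump eth0 || echo "(dump needs fixing)"
    echo "== generated ruleset passes the same check =="
    gen_gateway_rules eth0 eth1 192.168.1.0/24 | check_masq_dump eth0 && echo OK
}
demo
```

To apply it on the gateway: `sysctl -w net.ipv4.ip_forward=1`, then `gen_gateway_rules eth0 eth1 192.168.1.0/24 | iptables-restore`, which replaces both tables wholesale so no separate flush is needed. To survive a reboot on a Fedora system of that era, write the same output to /etc/sysconfig/iptables; that is also the file system-config-firewall overwrites every time it is applied, which is why hand-written rules and that tool cannot be mixed on one box.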