#!/bin/sh
# A simple firewall script
set -e
# Turn on IPv4 forwarding in the kernel; the original author needs this for
# "redirection". Note that this line runs on every invocation (start, stop,
# restart and even the usage-error path) and needs root: under "set -e" a
# failed write aborts the script right here.
printf '%s\n' 1 > /proc/sys/net/ipv4/ip_forward
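firewall_start() {
  # Empty all four tables before loading: flush rules (-F), delete user
  # chains (-X), zero counters (-Z). Plain "iptables -F" acts on the filter
  # table, which is spelled out here so every table goes through one loop.
  for table in filter nat mangle raw; do
    iptables -t "$table" -F
    iptables -t "$table" -X
    iptables -t "$table" -Z
  done
  # Default policy: anything out, nothing in or forwarded unless a rule
  # below allows it. Set before the rules so that an abort partway through
  # (the script runs under "set -e") leaves the host closed, not open.
  iptables -P OUTPUT ACCEPT
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  # Loopback first: local services talk to each other over lo.
  iptables -A INPUT -i lo -j ACCEPT
  # Accept replies to connections this host opened, plus related traffic.
  # NEW is deliberately NOT in this list: accepting NEW here admits every
  # inbound connection and makes the DROP policy and the per-port rules
  # below meaningless.
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Bacula, LAN only
  iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 9102:9104 -j ACCEPT
  # Ssh
  iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  # Icmp: echo-request (type 8) so others can ping this host. Echo-reply
  # (type 0) to our own pings is already covered by RELATED,ESTABLISHED
  # above; it is kept explicit as in the original ruleset. The "-s 0/0"
  # and the state match on ICMP were no-ops and are dropped.
  iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
  # Log what is about to be rejected. Rate-limited so a packet flood cannot
  # fill syslog, and prefixed so the entries are easy to find.
  iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "fw-input: "
  iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "fw-forward: "
  # Final input rules
  iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
  iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}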
firewall_stop() {
  # Open the filter policies first, then empty all four tables: flush rules
  # (-F), delete user chains (-X), zero counters (-Z). Afterwards the host
  # does no packet filtering at all and FORWARD accepts, while IPv4
  # forwarding (enabled at the top of the script) stays on.
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  # Plain "iptables -F/-X/-Z" acts on the filter table; spelled out so that
  # every table goes through the same loop.
  for table in filter nat mangle raw; do
    iptables -t "$table" -F
    iptables -t "$table" -X
    iptables -t "$table" -Z
  done
}
firewall_restart() {
  # Tear down, then rebuild. The stop step opens every policy and flushes
  # the tables, so there is a short window with no filtering before
  # firewall_start reloads the rules.
  for step in firewall_stop firewall_start; do
    "$step"
  done
}
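# Dispatch on the first argument: start | stop | restart.
case "$1" in
  'start')
    firewall_start
    ;;
  'stop')
    firewall_stop
    ;;
  'restart')
    firewall_restart
    ;;
  *)
    # Usage errors go to stderr and exit non-zero so a caller (init script,
    # cron job) can tell a typo from a successful run instead of seeing
    # exit status 0 and a message on stdout.
    echo "usage $0 start|stop|restart" >&2
    exit 2
    ;;
esac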
And this is the ipf.conf of the server:
# block and quick everything by default but pass on lo0
# The block rule is not "quick", so the "pass in quick" rules below still
# win for matching packets. Only bge0 is named here: inbound traffic on any
# other interface is not covered by this default block.
block in log on bge0 all
pass in quick on lo0 all
# These rules will allow connections initiated from
# this host along with the return connection
pass out quick proto icmp all keep state
pass out quick proto tcp all keep state
pass out quick proto udp all keep state
# Allow SecureShell incoming connections on 2122 port
# ("flags S": only the initial SYN matches, state tracking then carries the
# rest of the connection; "keep frags" additionally passes fragments of the
# tracked connection)
pass in quick proto tcp from any to any port = 2122 flags S keep state keep frags
# Allow SecureShell incoming connections on 22 port
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags
# Allow Secure stunnel telnet incoming connections on 5860 port
pass in quick proto tcp from any to any port = 5860 flags S keep state keep frags
# Allow nfs 3 4
# NFS (2049), portmapper (111) and the fixed mountd/lockd-style ports are
# restricted to the 192.168.0.0/24 LAN, tcp and udp alike.
pass in quick proto tcp from 192.168.0.0/24 to any port = 2049 flags S keep state keep frags
pass in quick proto udp from 192.168.0.0/24 to any port = 2049 keep state
pass in quick proto tcp from 192.168.0.0/24 to any port = 4001 flags S keep state keep frags
pass in quick proto udp from 192.168.0.0/24 to any port = 4001 keep state
pass in quick proto tcp from 192.168.0.0/24 to any port = 111 flags S keep state keep frags
pass in quick proto udp from 192.168.0.0/24 to any port = 111 keep state
pass in quick proto tcp from 192.168.0.0/24 to any port = 48472 flags S keep state keep frags
pass in quick proto udp from 192.168.0.0/24 to any port = 48472 keep state
pass in quick proto tcp from 192.168.0.0/24 to any port = 8932 flags S keep state keep frags
pass in quick proto udp from 192.168.0.0/24 to any port = 8932 keep state
#Allow PING
# NOTE(review): no icmp-type is given, so this passes every ICMP type from
# anywhere, not only echo-request. Add "icmp-type echo" if ping is all
# that is wanted.
pass in quick proto icmp from any to any keep state
# Samba
# NetBIOS (137-139) and SMB (445), LAN only, udp and tcp.
pass in quick proto udp from 192.168.0.0/24 to any port = 137 keep state
pass in quick proto udp from 192.168.0.0/24 to any port = 138 keep state
pass in quick proto udp from 192.168.0.0/24 to any port = 139 keep state
pass in quick proto udp from 192.168.0.0/24 to any port = 445 keep state
pass in quick proto tcp from 192.168.0.0/24 to any port = 137 flags S keep state keep frags
pass in quick proto tcp from 192.168.0.0/24 to any port = 138 flags S keep state keep frags
pass in quick proto tcp from 192.168.0.0/24 to any port = 139 flags S keep state keep frags
pass in quick proto tcp from 192.168.0.0/24 to any port = 445 flags S keep state keep frags
# Dns
# Queries from the LAN only, udp and tcp.
pass in quick proto udp from 192.168.0.0/24 to any port = 53 keep state
pass in quick proto tcp from 192.168.0.0/24 to any port = 53 flags S keep state keep frags
What can I do to enable ping? The others work fine: DNS and SSH.
# Icmp (the two rules quoted from the script above; type 0 is echo-reply,
# type 8 is echo-request)
iptables -A INPUT -p icmp -m icmp --icmp-type 0 -s 0/0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -s 0/0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
a) ICMP is stateless, so defining the state is pointless.
b) ICMP subtype 8 is echo request, which you correctly defined on the INPUT chain. ICMP subtype 0 is "echo reply", which is regulated in the OUTPUT chain since it is sent from the local host to the pinging party.
c) Defining the source -s 0/0 is of no use. Omit it and you still have no restriction on source addresses.
d) I would assume the icmp module is loaded automatically when you specify -p icmp, so you can omit this too.
You can trace your packet filter more closely with additional log rules before and after important rules in your filter definition.
Oh. Wait. I misunderstood: iptables is the pinging party...
Since everything works when you shut down the firewall, the most logical conclusion for me is that the firewall rules are the problem.
---
Ok. Since I mixed up server and client in my understanding, the following is what would be needed:
the client (Slackware) must allow icmp-echo-reply (icmp subtype 0) inbound (INPUT chain)
the client must allow icmp-echo-request outbound (OUTPUT chain), which is already the case since you have no OUTPUT rules and an ACCEPT policy
If you check the network packets at the client with tcpdump using this command (change eth0 to the correct device name!)...
tcpdump -i eth0 -n icmp
...you should see the echo request and echo reply packets even if the firewall is started and the ping fails. On the network level you should see them, even if they are blocked by the firewall rules, before they can get to the ping application.
That would also mean the server is configured correctly to let icmp pass.
As a next step I would add, as I recommended, some debugging rules like this into iptables:
The #1/#2/#3 means that these rules should be placed in the chain exactly in this order.
You can now restart your firewall at the client, start a ping in another terminal window and verify which rules match the packets by watching this command:
watch -n1 iptables -L INPUT -v -n
You can reset the counters (so diagnosis is easier) with iptables -Z.
And so that we may have some insight into your situation and be better able to help you, please provide the output of iptables -L -v -n here in the forum. It is better to post the actual resulting ruleset, not just the script creating it, because the result may not be what was intended.