[Resolved] 12.04 - firewall issues?

ardirtbiker

[Resolved] 12.04 - firewall issues?
« on: July 27, 2014, 11:19:59 pm »
I installed 12.04 from the July 19th image 29194.

After the install completed (hybrid core), the MD came up fine. In Firefox, I can navigate pages. Apt update/install works as well. When pinging from the core (ping ubuntu.org), the name gets resolved to an IP, but ping times out. Cannot ping localhost or dcerouter either. Pinging IPs fails too.

Additionally, a workstation getting an IP from the core (Non-MD) cannot ping anything.

I installed ufw and ran the command 'ufw enable' followed by 'ufw reset'. Ping started working. However, on reboot of the core, everything reverts back to the LMCE default firewall settings.

Is there a workaround? I didn't see any posts in the forums by others with the same issue.

Dennis
« Last Edit: August 17, 2014, 03:24:23 pm by ardirtbiker »

Marie.O

Re: 12.04 - firewall issues?
« Reply #1 on: July 28, 2014, 07:15:48 am »
29194 should have the firewall fixes included. If things are not working, get hold of Alblasco1702 in IRC to figure out what's still missing.

Alblasco1702

Re: 12.04 - firewall issues?
« Reply #2 on: July 28, 2014, 01:43:09 pm »
ardirtbiker:
Can you put the output of "sudo iptables -vnL" (without the " ") here?
So I can check the firewall config.

Thanks

ardirtbiker

Re: 12.04 - firewall issues?
« Reply #3 on: July 29, 2014, 03:35:44 am »
I did a re-install of 12.04 this evening and verified the same thing happens.

Here is the output of iptables -nvL:
Quote
Chain INPUT (policy DROP 8041 packets, 2013K bytes)
 pkts bytes target     prot opt in     out     source               destination         
66532   78M BLOCKLIST  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x29
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x3F
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x00
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x06
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x03/0x03
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x11/0x01
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x37
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1
 6543 1173K ACCEPT     tcp  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* Allow_Loopback */
  795  116K ACCEPT     udp  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* Allow_Loopback */
50860   75M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow_Established */
  307 77973 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow_Established */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow_Established */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow_Established */
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp spt:67 /* Allow_DHCP */
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:68 /* Allow_DHCP */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  lo     lo      0.0.0.0/0            0.0.0.0/0            /* Allow_Loopback */
    0     0 ACCEPT     udp  --  lo     lo      0.0.0.0/0            0.0.0.0/0            /* Allow_Loopback */

Chain OUTPUT (policy ACCEPT 51507 packets, 4357K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain BLOCKLIST (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    40 DROP       all  --  *      *       218.77.79.0/24       0.0.0.0/0           
    0     0 DROP       all  --  *      *       217.12.221.0/24      0.0.0.0/0           
    0     0 DROP       all  --  *      *       198.20.69.0/24       0.0.0.0/0           
    0     0 DROP       all  --  *      *       192.81.130.0/24      0.0.0.0/0           
    0     0 DROP       all  --  *      *       185.56.80.0/24       0.0.0.0/0           
    0     0 DROP       all  --  *      *       162.253.66.0/24      0.0.0.0/0           
    0     0 DROP       all  --  *      *       125.96.160.0/24      0.0.0.0/0           
    0     0 DROP       all  --  *      *       124.232.142.0/24     0.0.0.0/0           
    0     0 DROP       all  --  *      *       93.180.5.0/24        0.0.0.0/0           
    0     0 DROP       all  --  *      *       93.174.93.0/24       0.0.0.0/0           
    0     0 DROP       all  --  *      *       84.200.17.0/24       0.0.0.0/0           
    0     0 DROP       all  --  *      *       78.187.174.0/24      0.0.0.0/0           
    0     0 DROP       all  --  *      *       71.6.216.0/24        0.0.0.0/0           
    0     0 DROP       all  --  *      *       71.6.167.0/24        0.0.0.0/0           
    0     0 DROP       all  --  *      *       71.6.165.0/24        0.0.0.0/0           
    0     0 DROP       all  --  *      *       66.240.236.0/24      0.0.0.0/0           
    0     0 DROP       all  --  *      *       66.240.192.0/24      0.0.0.0/0           
    0     0 DROP       all  --  *      *       66.154.119.0/24      0.0.0.0/0           
    0     0 DROP       all  --  *      *       46.148.130.0/24      0.0.0.0/0           
    0     0 DROP       all  --  *      *       41.135.113.0/24      0.0.0.0/0           

And here is the output of 'host linuxmce.org':
Quote
linuxmce.org has address 193.200.112.137
linuxmce.org mail is handled by 10 mail.linuxmce.org.

And the output of 'ping linuxmce.org' (note that I had to kill the process; it never stopped):
Quote
PING linuxmce.org (193.200.112.137) 56(84) bytes of data.

--- linuxmce.org ping statistics ---
940 packets transmitted, 0 received, 100% packet loss, time 946511ms


/etc/network/interfaces looks correct:
Quote
#####
# Loopback interface
#####
iface lo inet loopback

#####
# IPv4 network interfaces
#####

# --- External NIC ---
iface eth0 inet dhcp
   pre-up sysctl -q -e -w  net.ipv6.conf.eth0.disable_ipv6=1

# --- Internal NIC ---
iface eth1 inet static
   address 192.168.80.1
   netmask 255.255.255.0
   pre-up sysctl -q -e -w  net.ipv6.conf.eth1.disable_ipv6=1
        # DNS Settings for Internal Net
        dns-nameservers 192.168.80.1
        dns-search LinuxMCE

#####
# Activating interfaces
#####
auto eth0 eth1 lo



Since the 'host' command returns a result, I know name resolution is working and I can get to the public internet. Ping resolves the name as well, but I do not get any ping results back. I'm thinking this is something to do with the firewall, but I'm not experienced enough with firewalls to say for certain.

Dennis
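Reading the posted 'iptables -vnL' dump explains every symptom in the thread: the INPUT policy is DROP, the Allow_Established and Allow_Loopback rules match only tcp and udp, so ICMP echo replies (and any ICMP arriving on lo) fall through to the policy, and FORWARD accepts nothing but lo-to-lo, so hosts behind the internal NIC cannot be routed at all. The script below is an added example, not code from this thread or from LinuxMCE's Network_Firewall.sh: it parses a dump in that format, reports those three gaps, and lists the iptables commands that would close them. The interface names eth0 (external) and eth1 (internal) are an assumption taken from the posted /etc/network/interfaces, and both samples are constructed (abbreviated from the posted output, and a hand-written ruleset that passes).

```python
import re
from collections import namedtuple

# One parsed rule: target, protocol, in/out interface, src, dst and the free-text
# match part after the destination column (e.g. "state RELATED,ESTABLISHED").
Rule = namedtuple("Rule", "target prot inp out src dst extra")

# Constructed sample, abbreviated from the iptables -vnL output posted above.
SAMPLE_POSTED = """\
Chain INPUT (policy DROP 8041 packets, 2013K bytes)
 pkts bytes target     prot opt in     out     source               destination
66532   78M BLOCKLIST  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1
 6543 1173K ACCEPT     tcp  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* Allow_Loopback */
  795  116K ACCEPT     udp  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* Allow_Loopback */
50860   75M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow_Established */
  307 77973 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow_Established */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  lo     lo      0.0.0.0/0            0.0.0.0/0            /* Allow_Loopback */
"""

# Constructed sample of a ruleset that passes every check below.
SAMPLE_FIXED = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
"""

MESSAGES = {
    "icmp": "INPUT policy DROP and no ACCEPT covers ICMP: echo replies to the core's own pings are dropped",
    "loopback": "loopback ACCEPT is per protocol (tcp/udp only): ICMP on lo is dropped, so 'ping localhost' fails",
    "forward": "FORWARD accepts nothing except lo<->lo: hosts behind the internal NIC cannot reach the internet",
}
# Commands that close each gap. Interface names are an assumption taken from the
# posted /etc/network/interfaces (eth0 external, eth1 internal).
FIXES = {
    "icmp": ["iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
             "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"],
    "loopback": ["iptables -I INPUT 1 -i lo -j ACCEPT"],
    "forward": ["sysctl -w net.ipv4.ip_forward=1",
                "iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT",
                "iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
                "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"],
}


def parse_dump(text):
    """Return {chain: (policy or None, [Rule, ...])} from iptables -vnL output."""
    chains, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if head:                      # built-in chains carry a policy, user chains do not
            current = head.group(1)
            chains[current] = (head.group(2), [])
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        f = line.split(None, 9)       # pkts bytes target prot opt in out src dst [extra]
        if len(f) >= 9:
            extra = f[9].strip() if len(f) > 9 else ""
            chains[current][1].append(Rule(f[2], f[3], f[5], f[6], f[7], f[8], extra))
    return chains


def accepts_icmp(rule):
    """True if the rule passes ICMP unconditionally, by conntrack state or by ICMP
    type; a 'mark match' or port match does not count."""
    if rule.target != "ACCEPT" or rule.prot not in ("icmp", "all"):
        return False
    e = rule.extra
    return e == "" or e.startswith("/*") or "ESTABLISHED" in e or "icmptype" in e


def diagnose(text):
    """Map check key -> message for each gap found in the dump."""
    chains = parse_dump(text)
    found = {}
    policy, rules = chains.get("INPUT", (None, []))
    if policy == "DROP":
        if not any(accepts_icmp(r) for r in rules):
            found["icmp"] = MESSAGES["icmp"]
        if not any(r.target == "ACCEPT" and r.inp == "lo" and r.prot == "all" for r in rules):
            found["loopback"] = MESSAGES["loopback"]
    policy, rules = chains.get("FORWARD", (None, []))
    if policy == "DROP" and not any(r.target == "ACCEPT" and r.inp != "lo" for r in rules):
        found["forward"] = MESSAGES["forward"]
    return found


def suggested_fixes(text):
    return [cmd for key in diagnose(text) for cmd in FIXES[key]]


if __name__ == "__main__":
    for key, msg in diagnose(SAMPLE_POSTED).items():
        print(f"[{key}] {msg}")
    for cmd in suggested_fixes(SAMPLE_POSTED):
        print("  fix:", cmd)
```

To run it against a live core, pipe 'sudo iptables -vnL' into a small wrapper that calls diagnose() on stdin. The conntrack rule is appended rather than inserted at the top so that the existing BLOCKLIST chain still sees every packet first; the loopback rule goes to position 1 because nothing on lo should ever be blocklisted.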

ardirtbiker

Re: 12.04 - firewall issues?
« Reply #4 on: August 01, 2014, 10:21:15 pm »
Any ideas on this?

Dennis

Alblasco1702

Re: 12.04 - firewall issues?
« Reply #5 on: August 04, 2014, 06:51:31 pm »
ardirtbiker,

Yes, try the new scripts I have attached to this post.

davegravy

Re: 12.04 - firewall issues?
« Reply #6 on: August 04, 2014, 07:01:24 pm »
I'm having the same issue on the 12.04 install I did last night. Will test your scripts as soon as SWMBO allows.

davegravy

Re: 12.04 - firewall issues?
« Reply #7 on: August 05, 2014, 12:52:18 am »
The new scripts permit communication between the core and devices on the internal network. The core does not route internet traffic to the internal network unless the firewall is disabled via webadmin. Let me know what info I can provide.

Alblasco1702

Re: 12.04 - firewall issues?
« Reply #8 on: August 05, 2014, 01:59:58 am »
If you have strange firewall behavior, please try a reset first.
To get some rules, here are some basics.

From the outside to the internal LAN, like TCP port 770 on 192.168.80.17, do:
IP version  Rule Type           Protocol  Source Port  Destination Port  Destination IP  Limit to IP  Rule policy  Description
ipv4        port_forward (NAT)  tcp       (empty)      770:770           192.168.80.17   (empty)      ACCEPT       A description that lets you remember why you set the rule and/or what the rule does.

If you need a different port than the port on the core, like packets coming in on port 770 on the core and arriving on port 8080 on the client, do:
IP version  Rule Type           Protocol  Source Port  Destination Port  Destination IP  Limit to IP  Rule policy  Description
ipv4        port_forward (NAT)  tcp       (empty)      770:8080          192.168.80.17   (empty)      ACCEPT       A description that lets you remember why you set the rule and/or what the rule does.

To open ports to the core from outside, like SSH, do:
IP version  Rule Type  Protocol  Source Port  Destination Port  Destination IP  Limit to IP  Rule policy  Description
ipv4/ipv6   input      tcp       (empty)      22                (empty)         (empty)      ACCEPT       Allow SSH
« Last Edit: August 07, 2014, 11:01:02 am by Alblasco1702 »
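The rows above map onto ordinary iptables commands: a port_forward row needs a DNAT in the nat table plus a FORWARD accept for the translated flow, an input row opens a port on the core itself, and "Limit to IP" is the only control keeping a forwarded service from being reachable by the whole internet. The function below is an added example, not the code firewall.php runs (the thread does not show what that script generates); it expands one row into the equivalent commands and rejects the combinations the table cannot express. The interface names eth0 (external) and eth1 (internal) are an assumption taken from the posted /etc/network/interfaces.

```python
# Assumption: external and internal NICs as named in the posted /etc/network/interfaces.
EXT_IF, INT_IF = "eth0", "eth1"

TOOLS = {"ipv4": ["iptables"], "ipv6": ["ip6tables"], "ipv4/ipv6": ["iptables", "ip6tables"]}


def _port_ok(p):
    return p is not None and p.isdigit() and 1 <= int(p) <= 65535


def expand_row(ip_version, rule_type, protocol, dst_port,
               dst_ip="", limit_to_ip="", policy="ACCEPT"):
    """Return the command lines one webadmin row corresponds to.

    port_forward: dst_port is EXTERNAL:INTERNAL (770:8080 = external port 770
    lands on port 8080 of dst_ip); a bare port means the same port both sides.
    input: dst_port is a single port opened on the core's external NIC.
    limit_to_ip, when given, restricts the rule to that source address.
    """
    if ip_version not in TOOLS:
        raise ValueError(f"unknown IP version {ip_version!r}")
    if protocol not in ("tcp", "udp"):
        raise ValueError("--dport only applies to tcp or udp")
    if policy not in ("ACCEPT", "DROP", "REJECT"):
        raise ValueError(f"unknown policy {policy!r}")
    src = f" -s {limit_to_ip}" if limit_to_ip else ""

    if rule_type == "input":
        if not _port_ok(dst_port):
            raise ValueError(f"bad port {dst_port!r}")
        return [f"{tool} -A INPUT -i {EXT_IF} -p {protocol}{src} --dport {dst_port} -j {policy}"
                for tool in TOOLS[ip_version]]

    if rule_type == "port_forward":
        if ip_version != "ipv4":
            raise ValueError("port_forward (NAT) rows are IPv4 only")
        if not dst_ip:
            raise ValueError("port_forward needs a Destination IP on the internal LAN")
        ext, internal = (dst_port.split(":") + [None])[:2]
        internal = internal or ext
        if not (_port_ok(ext) and _port_ok(internal)):
            raise ValueError(f"bad port spec {dst_port!r}")
        return [
            # Rewrite the destination as the packet arrives on the external NIC...
            f"iptables -t nat -A PREROUTING -i {EXT_IF} -p {protocol}{src} --dport {ext} "
            f"-j DNAT --to-destination {dst_ip}:{internal}",
            # ...and let exactly that translated flow cross into the internal LAN.
            f"iptables -A FORWARD -i {EXT_IF} -o {INT_IF} -p {protocol}{src} -d {dst_ip} "
            f"--dport {internal} -j {policy}",
        ]

    raise ValueError(f"unknown rule type {rule_type!r}")


if __name__ == "__main__":
    for cmd in expand_row("ipv4", "port_forward", "tcp", "770:8080", dst_ip="192.168.80.17"):
        print(cmd)
    for cmd in expand_row("ipv4/ipv6", "input", "tcp", "22"):
        print(cmd)
```

A forward without "Limit to IP" exposes the internal host to every source address, which is the case to think twice about; for an administrative service, fill that column with the one address that should reach it.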

Alblasco1702

Re: 12.04 - firewall issues?
« Reply #9 on: August 05, 2014, 02:36:49 am »
An updated Network_Firewall.sh file is attached to this post, to fix a bug.

ardirtbiker

Re: 12.04 - firewall issues?
« Reply #10 on: August 05, 2014, 03:20:11 am »
Thanks Alblasco1702.

I will apply the scripts tomorrow and report back when I get a chance.

Dennis

ardirtbiker

Re: 12.04 - firewall issues?
« Reply #11 on: August 06, 2014, 02:17:22 am »
Gentlemen,
I applied the updated files supplied by Alblasco.

Network_Firewall.sh (from reply #9) to /usr/pluto/bin/Network_Firewall.sh (replacing original)
firewall.php (from reply #5) to /var/www/lmce-admin/operations/network/firewall.php (replacing original)

Rebooted core.

Still unable to ping an internet web page by name or address from the core OR a workstation getting an IP from the core.

Can anyone else confirm?

Thanks,
Dennis

Marie.O

Re: 12.04 - firewall issues?
« Reply #12 on: August 06, 2014, 02:58:03 am »
Did you go into the web firewall page and reset all the rules?

davegravy

Re: 12.04 - firewall issues?
« Reply #13 on: August 06, 2014, 04:23:33 am »
Quote
Gentlemen,
I applied the updated files supplied by Alblasco.

Network_Firewall.sh (from reply #9) to /usr/pluto/bin/Network_Firewall.sh (replacing original)
firewall.php (from reply #5) to /var/www/lmce-admin/operations/network/firewall.php (replacing original)

Rebooted core.

Still unable to ping an internet web page by name or address from the core OR a workstation getting an IP from the core.

Can anyone else confirm?

Thanks,
Dennis

Alblasco's updated scripts worked for me, after a rule reset. I'm not an "IDIOT" but clicking that button did help matters :P

ardirtbiker

[Resolved] Re: 12.04 - firewall issues?
« Reply #14 on: August 17, 2014, 03:22:50 pm »
An update to this.

I could not get the updated scripts to 'fix' the firewall issues.

I downloaded the latest 12.04 snapshot and did a fresh install. This resolved the problem.

Thanks for the hard work guys...

Now to see about creating an MD!

Dennis