
ipchains question: opening ports on firewall/gateway


tahoe2

IS-IT--Management
Dec 30, 2002
495
US
Hi all.
We have a Linux version 2.0.35 firewall/gateway that I inherited and have to maintain.
The problem is that I know nothing about Linux, like how I find out if this is manually configured as a firewall, or is it running some preconfigured script, or what version of anything am I running, or if there is a GUI interface.

I know some commands (google is a wonderful thing!), and have logged in as root and tried to see stuff (not change it).

Right now, only ports 25 and 80 are open, and we need a couple more for various programs. It is not possible to get in touch with the creator of this box, so it's up to me to figure out.

IPTABLES is an unknown command.
IPCHAINS, when run as "ipchains -L" gets the response:
CANNOT OPEN FILE /proc/net/ip_fwnames

What does this mean, and how do I open ports? Is it simple?


Thanks,
Corie
 
Kernel 2.0.x? Whoa.
The ipchains code has been totally rewritten and several vulnerabilities in the code have been ironed out in the meantime. The best thing here, and I hate to suggest it, is to look at replacing this installation. The current install, while it may be convenient, is almost certainly providing you with a false sense of security.

The error message is due to your permissions.
The easy way out, and to migrate, is to reinstall with a more modern Linux after saving your ruleset with ipchains-save (if available) or a dump of rules that can be reconstructed by a knowledgeable expert.
I have 2.4.x running on a 120MHz P1 box as a firewall and it works well. Modest hardware, but keep up to date.
 
Exactly as I thought.
This system is so old there is no "-save" option under IPCHAINS.
If I type this at the cursor, what will happen:
/sbin/ipchains -I input -p 4899 -j accept

We'll probably get a new firewall in the coming months, but for now, ports 4899 and 443 need to be open.

Thanks!
Corie

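As an added example (not from any poster in this thread), a small POSIX shell script that checks for the /proc/net/ip_fwnames file that ipchains -L reads (the kernel's firewall-chains support creates it) and generates correctly formed ipchains accept rules for a list of inbound TCP ports; in ipchains, -p names the protocol and the port number follows the -d address. The address 203.0.113.10 is a constructed placeholder for the firewall's external IP, and the script only prints the commands rather than running them.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Generates ipchains rules to
# accept inbound TCP on chosen ports, destined to the firewall's own address.

# Returns 0 if the kernel exposes firewall chains (the file ipchains -L reads).
# An optional argument overrides the path so the check can be exercised offline.
have_fwchains() {
    [ -r "${1:-/proc/net/ip_fwnames}" ]
}

# Accept only an integer in 1..65535 as a port number.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print (do not execute) one rule per port, inserted at the top of the input
# chain so it matches before any catch-all deny rule.
# Note: "-p" is the protocol (tcp); the port is given after the "-d" address.
gen_accept_rules() {
    ext_ip=$1
    shift
    for port in "$@"; do
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
        printf 'ipchains -I input -p tcp -d %s/32 %s -j ACCEPT\n' "$ext_ip" "$port"
    done
}

# Usage: review the output, then run it as root on a kernel with chains support.
if [ "${1:-}" = "--demo" ]; then
    have_fwchains || echo "no /proc/net/ip_fwnames: kernel lacks firewall chains" >&2
    gen_accept_rules 203.0.113.10 443 4899   # 203.0.113.10 is a constructed placeholder
fi
```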
 
Corie,

I'm extremely comfortable in Linux and pretty familiar with iptables on the command line, but I *never* write my firewall rules by hand.

First of all, as marsd says, you should really consider upgrading your kernel. However, I know that's a huge undertaking if you're a Linux novitiate.

I would highly recommend finding a second machine and installing one of the dedicated firewall installations of Linux like IPCop or Jay's Firewall. These distros are up to date, using the latest kernel and iptables vs. ipchains, light-weight enough to run on pretty much any hardware (my firewall is a 333MHz Pentium II laptop), extremely easy to configure through graphical or web interfaces and, of course, free.

In the meantime, we can help you figure out why you can't access the current config and walk you through updating it to allow more traffic.

Could you post the following information? Log in as root and show us the output of:

lsmod
ls -l /etc/init.d
ifconfig -a
ipchains -L

I know you say you can't run ipchains, so after you run that, can you tail your /var/log/messages file and see if there are any messages in there that could help?

ipchains is ancient; I haven't used it in 5 years. So in the meantime, you may want to look into scrounging up an old machine that can hold 2 network cards and we can help you get a newer distro installed. It would honestly take you about 2 hours start to finish, and most of that time is burning the CD and installing the OS.
 
results:

lsmod:
Module Pages Used By
ip_masq_ftp 1 0
3c59x 4 3

ls -l /etc/init.d:
/bin/ls: /etc/init.d no such file or directory

ifconfig -a:
eth0 Link encap: Ethernet HWaddr 00:50:DA:5F:29:8E
inet addr:67.113.144.162 bcast:67.113.144.167 mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 METRIC:1
rx packets:33054 errors:0 dropped:0 overruns:0 Frame:0
tx packets:33054 errors:0 dropped:0 overruns:0 carrier:0
collisions: 8
interrupt:9 BaseAddress:0xe400

eth1 Link encap: Ethernet HWaddr 00:50:DA:5E:ED:C5
inet addr:192.168.0.1 bcast:192.168.0.255 mask:255.255.255.128
UP BROADCAST RUNNING MULTICAST MTU:1500 METRIC:1
rx packets:19549 errors:0 dropped:0 overruns:0 Frame:0
tx packets:32357 errors:0 dropped:0 overruns:0 carrier:0
collisions: 9
interrupt:5 BaseAddress:0xe800

eth2 Link encap: Ethernet HWaddr 00:50:DA:5E:ED:C5
inet addr:192.168.1.1 bcast:192.168.1.255 mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 METRIC:1
rx packets:0 errors:0 dropped:0 overruns:0 Frame:0
tx packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions: 0
interrupt:11 BaseAddress:0xec00


ipchains -L:
CANNOT OPEN FILE /proc/net/ip_fwnames

tail /var/log/messages:
OCT 22 03:29:46 Linuxbox kernel: enabling bus-master transmits and whole-frame receives
OCT 22 03:49:45 linuxbox --MARK --
(six more of these)

_______________________________________________________

The reason for 3 NICs is that we had a second (training) domain that was put to rest before I came on board. That's the 192.168.1.1 domain. I can definitely put together a machine with 2 NICs. Is a P2 300 with 128 meg RAM enough?
The current box is a Celeron MMX with 64 meg RAM; could I reinstall over the current kernel? Or is it too old?

Thank you for your help!
Corie
 
Yeah, your current setup is screwed (that's a technical term).

You could certainly use the existing machine; it would benefit from a little more RAM. I figured you wouldn't want to take your firewall down during the reinstall, which was why I suggested a new machine.

I personally don't use a dedicated firewall distribution; I use a barebones Fedora installation and fwbuilder to maintain my firewall rules. But that's because it allows me to centrally manage all four of my firewalls for home and business. So, my recommendations are based on pure research and the recommendations of other people who I respect.

I have read the reviews and customer testimonials for IPCop and will probably install it the next time I upgrade my FW OS. IPCop also has a commercial version and the associated support options.
Another member of this forum is a big fan of Jay's Firewall. I haven't ever used it or done much reading on it, but theDaver (find his name next to mine in the MVP list of this forum) is particularly fond of it, and I know and respect his opinions from participating in this forum.

I suggest you check out their respective sites, grab one and toss it on that spare box. You could probably have your new firewall up and running today.
 
Talk about taking your own medicine. I just read the Change log on the latest 1.4 release of IPCop and the support of PPTP VPNs and I'm downloading the ISO right now. :)

I forgot that my FW was still running RH9 and a "feature" of the config tools just pissed me off, so it's going away this weekend.
 
All right. New machine it is. I'll build it today; it'll have a P2 350 with 196 meg RAM.
It will have a 6 gig IDE HD. After I fdisk and format, I'll repost.

Thanks for your help so far!
Corie
 
Dude, if you are looking for a great Linux firewall that is completely web based yet still runs under Linux, take a look at m0n0wall (the 0s are zeros, not Os). Anyways, I used to use IPCop and I had to do a bunch of editing on the firewall scripts all the time and I got tired of it. I found m0n0wall, which runs on a stripped version of FreeBSD and is completely written in PHP. Anyways, you control everything right over a web interface. You have NAT, IPsec, PPTP, firewall rule creation, QoS, etc. Everything you would possibly need is in this software; it is by far the best Linux-based firewall I have used. And I have used a bunch. And it runs on small platforms. The ISO image is only like 6 megs. I happen to have it running on a Celeron 800 with 256 RAM and 3 NICs, but I wanted more juice since I have many VPN connections running; you don't need that much power. So take a look at the site and look at the screen shots, trust me it is worth it. Let me know if you need any help.

Later,

Eddie Fernandez
CCNA, Network+, A+, MCP
 
I'm game... 5.02 megabytes for the ISO, I'm already done downloading it. :)

If it supports my pcmcia ethernet card (it lists support for the wireless pc card) I think it'll work fine.
 
OK, got a machine with 2 identical NICs (3Com 905B) and a clean formatted 6 gig HD.
What next? I found instructions and disks for freeBSD, is this what I want?

Thanks,
Corie
 
You need to download the generic-pc image for version 1.1 of m0n0wall. The size should be 4.84 MB.

Eddie Fernandez
CCNA, Network+, A+, MCP
 
Hi. I had to do some other projects, but I'm back to the firewall. I downloaded the generic PC image file. What version of Linux works best to run this on? Will RH 9 work?

If so, how do I install it from there?

Thanks,
Corie
 