
X & Gnome crashes the system with iptables - Linux Setup, Configuration & Administration


  1. #1

    X & Gnome crashes the system with iptables

    Hello,

    My system is:
    - Debian 3r1,
    - kernel 2.4.21,
    - XFree 4.1.0 (on Debian CD 3r1, I'm not connected to the internet): I use
    Gnome.

    I spent a lot of time writing rules for iptables to obtain a good firewall.
    I attach 2 files:
    - the iptables rules: /etc/iptables.rules,
    - the script to run them: /etc/init.d/iptables.

    If I launch the firewall:
    - I connect to Gnome with Ctrl+F7 (it starts with the boot of the computer),
    - I type my login and password,
    - the Gnome desktop starts and displays the task bar,
    - then nothing: I can only move the mouse cursor, the keyboard doesn't respond,
    - frozen system.

    If I don't launch the firewall, I don't have any trouble with Gnome.

    I don't know what I can do. Ideas and advice welcome.

    Sincerely yours,

    Jeannot Lelapin

    ===========================================================
    /etc/iptables.rules
    ===========================================================

    #!/bin/bash
    ## ===========================================================
    ## Load modules

    IPTABLES="/sbin/iptables"
    DEPMOD="/sbin/depmod"
    MODPROBE="/sbin/modprobe"

    # Load all required IPTables modules
    # Needed to initially load modules
    $DEPMOD -a
    # Load appropriate modules.
    $MODPROBE ip_tables
    # Support for connection tracking
    $MODPROBE ip_conntrack
    $MODPROBE ip_conntrack_ftp

    # MODIF BEGIN
    $MODPROBE ip_conntrack_irc
    # Adds some $IPTABLES targets like LOG, REJECT and MASQUERADE.
    $MODPROBE ipt_LOG
    $MODPROBE ipt_REJECT
    $MODPROBE ipt_MASQUERADE
    # Support for owner matching
    $MODPROBE ipt_owner
    # MODIF END

    ## ===========================================================
    ## Reset all configurations
    #
    # These lines are here in case rules are already in place and the script
    # is ever rerun on the fly.
    # We want to:
    # - remove all rules,
    # - remove pre-existing user defined chains,
    # - zero the counters,
    # before we implement new rules.

    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -Z

    ## ===========================================================
    ## Default Policy
    #
    # Set up a default DROP policy for the built-in chains.
    # If we modify and re-run the script mid-session then (because we have a
    # default DROP policy), what happens is that there is a small time period
    # when packets are denied until the new rules are back in place. There is
    # no period, however small, when packets we don't want are allowed.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
    ## ===========================================================
    ## Some definitions:

    # Primary DNS server of the ISP Free
    NAMESERVER_1="212.27.32.5"
    # Secondary DNS server of the ISP Free
    NAMESERVER_2="212.27.32.6"

    # Note: if I use FQDNs, iptables tries to resolve them. Since the network
    # is not up yet, that fails.
    # It may be necessary to replay the rules with FQDNs once the ADSL or PPP
    # connection is established.

    # POP mail server of the ISP Free
    # FQDN: pop.free.fr : 213.228.0.14, 213.228.0.141, 213.228.0.142,
    # 213.228.0.165, 213.228.0.12
    INCOMINGMAILSERVER_1="213.228.0.14"
    # POP mail server of the ISP Club-Internet
    # FQDN: mail.club-internet.fr : 195.36.166.10, 195.36.162.10
    INCOMINGMAILSERVER_2="195.36.166.10"
    # SMTP mail server of the ISP Free
    # FQDN: smtp.free.fr : 213.228.0.44, 213.228.0.62, 213.228.0.169,
    # 213.228.0.176
    OUTGOINGMAILSERVER="213.228.0.44"

    # Time servers
    # FQDN: ntp.uvsq.fr : 193.51.24.1
    TIMESERVER_1="193.51.24.1"
    # FQDN: delphi.phys.univ-tours.fr : 193.52.212.3
    TIMESERVER_2="193.52.212.3"
    # FQDN: ntp0.oleane.net : 194.2.0.28
    TIMESERVER_3="194.2.0.28"
    # FQDN: ntp1.oleane.net : 94.2.0.58
    TIMESERVER_4="94.2.0.58"
    # FQDN: ntp.via.ecp.fr : 138.195.130.71
    TIMESERVER_5="138.195.130.71"
    # FQDN: ntp.chronos.org : 129.186.121.29
    TIMESERVER_6="129.186.121.29"

    LOOPBACK="127.0.0.0/8"
    BROADCAST="x.x.x.255"
    CLASS_A="10.0.0.0/8"
    CLASS_B="172.16.0.0/12"
    CLASS_C="192.168.0.0/16"
    CLASS_D_MULTICAST="224.0.0.0/4"
    CLASS_E_RESERVED_NET="240.0.0.0/5"
    P_PORTS="0:1023"
    UP_PORTS="1024:65535"
    TR_SRC_PORTS="32769:65535"
    TR_DEST_PORTS="33434:33523"
    ## ===========================================================
    ## Kernel flags
    #
    # To dynamically change kernel parameters and variables on the fly you need
    # CONFIG_SYSCTL defined in your kernel. I would advise the following:

    # If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
    # option. This enables dynamic-ip address hacking in IP MASQ, making the
    # connection with Diald and similar programs much easier.
    # MODIF BEGIN
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    # MODIF END

    # Disable response to ping.
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

    # Disable response to broadcasts.
    # You don't want yourself becoming a Smurf amplifier.
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Don't accept source routed packets. Attackers can use source routing to
    # generate traffic pretending to be from inside your network, but which is
    # routed back along the path from which it came, namely outside, so
    # attackers can compromise your network. Source routing is rarely used for
    # legitimate purposes.
    /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

    # Disable ICMP redirect acceptance. ICMP redirects can be used to alter
    # your routing tables, possibly to a bad end.
    /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

    # Enable bad error message protection.
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # Turn on reverse path filtering. This helps make sure that packets use
    # legitimate source addresses, by automatically rejecting incoming packets
    # if the routing table entry for their source address doesn't match the
    # network interface they're arriving on. This has security advantages
    # because it prevents so-called IP spoofing, however it can pose problems
    # if you use asymmetric routing (packets from you to a host take a
    # different path than packets from that host to you) or if you operate a
    # non-routing host which has several IP addresses on different interfaces.
    # (Note - If you turn on IP forwarding, you will also get this).
    for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
        /bin/echo "1" > ${interface}
    done

    # Log spoofed packets, source routed packets, redirect packets.
    /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

    # Make sure that IP forwarding is turned off. We only want this for a
    # multi-homed host.
    /bin/echo "0" > /proc/sys/net/ipv4/ip_forward

    # Note: With connection tracking, all fragments are reassembled before being
    # passed to the packet-filtering code so there is no ip_always_defrag
    # switch as there was in the 2.2 kernel.
    ## ===========================================================
    # RULES

    ## SYN-FLOODING PROTECTION
    # This rule maximises the rate of incoming connections. In order to do this
    # we divert tcp packets with the SYN bit set off to a user-defined chain.
    # Up to limit-burst connections can arrive in 1/limit seconds ..... in this
    # case 4 connections in one second. After this, one of the burst is
    # regained every second and connections are allowed again. The default
    # limit is 3/hour. The default limit burst is 5.
    #
    $IPTABLES -N syn-flood
    $IPTABLES -A INPUT -p tcp --syn -j syn-flood
    $IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    $IPTABLES -A syn-flood -j DROP

    ## FRAGMENTS
    # I have to say that fragments scare me more than anything.
    # Sending lots of non-first fragments was what allowed Jolt2 to effectively
    # "drown" Firewall-1. Fragments can be overlapped, and the subsequent
    # interpretation of such fragments is very OS-dependent (see this paper for
    # details).
    # I am not going to trust any fragments.
    # Log fragments just to see if we get any, and deny them too.
    $IPTABLES -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
    $IPTABLES -A INPUT -f -j DROP

    ## SPOOFING
    # Most of this anti-spoofing stuff is theoretically not really necessary
    # with the flags we have set in the kernel above ........... but you never
    # know there isn't a bug somewhere in your IP stack.
    #
    # Refuse spoofed packets pretending to be from your IP address.
    # ( THIS RULE WILL BE ENABLED ONCE I RETRIEVE THE IP ADDRESS OF THE
    # INTERFACES CONCERNED )
    #$IPTABLES -A INPUT -s $IPADDR -j DROP
    # Refuse packets claiming to be from a Class A private network.
    $IPTABLES -A INPUT -s $CLASS_A -j DROP
    # Refuse packets claiming to be from a Class B private network.
    $IPTABLES -A INPUT -s $CLASS_B -j DROP
    # Refuse packets claiming to be from a Class C private network.
    $IPTABLES -A INPUT -s $CLASS_C -j DROP
    # Refuse Class D multicast addresses. Multicast is illegal as a source
    # address.
    $IPTABLES -A INPUT -s $CLASS_D_MULTICAST -j DROP
    # Refuse Class E reserved IP addresses.
    $IPTABLES -A INPUT -s $CLASS_E_RESERVED_NET -j DROP
    # Refuse packets claiming to be to the loopback interface.
    # Refusing packets claiming to be to the loopback interface protects against
    # source quench, whereby a machine can be told to slow itself down by an
    # icmp source quench to the loopback.
    $IPTABLES -A INPUT -d $LOOPBACK -j DROP
    # Refuse broadcast address packets.
    # ( THIS RULE WILL BE ENABLED ONCE I RETRIEVE THE SUBNET ADDRESS OF THE
    # INTERFACES CONCERNED )
    #$IPTABLES -A INPUT -d $BROADCAST -j DROP
    ## TELNET
    # Allow telnet outbound.
    #$IPTABLES -A INPUT -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT
    #$IPTABLES -A OUTPUT -p tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT

    ## FTP
    # Allow ftp outbound.
    #$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    #$IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    # Now for the connection tracking part of ftp. This is discussed more
    # completely in my section on connection tracking to be found here.
    # 1) Active ftp.
    # This involves a connection INbound from port 20 on the remote machine, to
    # a local port passed over the ftp channel via a PORT command. The
    # ip_conntrack_ftp module recognizes the connection as RELATED to the
    # original outgoing connection to port 21 so we don't need NEW as a state
    # match.
    #$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    #$IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    # 2) Passive ftp.
    # This involves a connection outbound from a port >1023 on the local
    # machine, to a port >1023 on the remote machine previously passed over the
    # ftp channel via a PORT command. The ip_conntrack_ftp module recognizes
    # the connection as RELATED to the original outgoing connection to port 21
    # so we don't need NEW as a state match.
    #$IPTABLES -A INPUT -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT
    #$IPTABLES -A OUTPUT -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT

    ## Make sure NEW tcp connections are SYN packets
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    ## LOOPBACK
    # Allow unlimited traffic on the loopback interface.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    ## DNS
    # NOTE: DNS uses tcp for zone transfers, for transfers greater than 512
    # bytes (possible, but unusual), and on certain platforms like AIX (I am
    # told), so you might have to add a copy of this rule for tcp if you need it.
    # Allow UDP packets in for DNS client from nameservers.
    $IPTABLES -A INPUT -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT
    # Allow UDP packets to DNS servers from client.
    $IPTABLES -A OUTPUT -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

    ## WWW
    # Allow www outbound to 80.
    $IPTABLES -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

    # Allow www outbound to 443. I PUT THE SSH SERVER ON THIS PORT
    #$IPTABLES -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
    #$IPTABLES -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

    ## SSH
    # Allow ssh outbound.
    $IPTABLES -A INPUT -p tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

    ## SMTP
    # Allow smtp outbound.
    $IPTABLES -A INPUT -p tcp -s $OUTGOINGMAILSERVER --sport 25 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -d $OUTGOINGMAILSERVER --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

    ## POP
    # Allow pop outbound.
    $IPTABLES -A INPUT -p tcp -s $INCOMINGMAILSERVER_1 --sport 110 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -p tcp -s $INCOMINGMAILSERVER_2 --sport 110 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -d $INCOMINGMAILSERVER_1 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -d $INCOMINGMAILSERVER_2 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT

    ## AUTH server
    # Reject ident probes with a tcp reset.
    # I need to do this for a broken mailhost that won't accept my mail if I
    # just drop its ident probe.
    $IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    ## TRACEROUTE
    # Outgoing traceroute anywhere.
    # The reply to a traceroute is an icmp time-exceeded which is dealt with
    # by the next rule.
    $IPTABLES -A OUTPUT -p udp --sport $TR_SRC_PORTS --dport $TR_DEST_PORTS -m state --state NEW -j ACCEPT
    ## NTP
    # Allow ntp outbound.
    $IPTABLES -A INPUT -p tcp -s $TIMESERVER_1 --sport 123 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -p udp -s $TIMESERVER_1 --sport 123 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -p tcp -s $TIMESERVER_2 --sport 123 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -p udp -s $TIMESERVER_2 --sport 123 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -p tcp -s $TIMESERVER_3 --sport 123 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -p udp -s $TIMESERVER_3 --sport 123 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -p tcp -s $TIMESERVER_4 --sport 123 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -p udp -s $TIMESERVER_4 --sport 123 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -p tcp -s $TIMESERVER_5 --sport 123 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -p udp -s $TIMESERVER_5 --sport 123 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -p tcp -s $TIMESERVER_6 --sport 123 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -p udp -s $TIMESERVER_6 --sport 123 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -d $TIMESERVER_1 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p udp -d $TIMESERVER_1 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -d $TIMESERVER_2 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p udp -d $TIMESERVER_2 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -d $TIMESERVER_3 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p udp -d $TIMESERVER_3 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -d $TIMESERVER_4 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p udp -d $TIMESERVER_4 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -d $TIMESERVER_5 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p udp -d $TIMESERVER_5 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -d $TIMESERVER_6 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p udp -d $TIMESERVER_6 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    # ICMP
    # We accept icmp in if it is "related" to other connections (e.g. a time
    # exceeded (11) from a traceroute) or it is part of an "established"
    # connection (e.g. an echo reply (0) from an echo-request (8)).
    $IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # We always allow icmp out.
    $IPTABLES -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    ## LOGGING
    # You don't have to split up your logging like I do below, but I prefer to
    # do it this way because I can then grep for things in the logs more easily.
    # One thing you probably want to do is rate-limit the logging. I didn't do
    # that here because it is probably best not to when you first set things
    # up ................. you actually really want to see everything going to
    # the logs to work out what isn't working and why. You can implement
    # logging with "-m limit --limit 6/h --limit-burst 5" (or similar) before
    # the -j LOG in each case.
    #
    # Any udp not already allowed is logged and then dropped.
    $IPTABLES -A INPUT -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
    $IPTABLES -A INPUT -p udp -j DROP
    $IPTABLES -A OUTPUT -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
    $IPTABLES -A OUTPUT -p udp -j DROP
    # Any icmp not already allowed is logged and then dropped.
    $IPTABLES -A INPUT -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
    $IPTABLES -A INPUT -p icmp -j DROP
    $IPTABLES -A OUTPUT -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
    $IPTABLES -A OUTPUT -p icmp -j DROP
    # Any tcp not already allowed is logged and then dropped.
    $IPTABLES -A INPUT -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
    $IPTABLES -A INPUT -p tcp -j DROP
    $IPTABLES -A OUTPUT -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
    $IPTABLES -A OUTPUT -p tcp -j DROP
    # Anything else not already allowed is logged and then dropped.
    # It will be dropped by the default policy anyway ........ but let's be
    # paranoid.
    $IPTABLES -A INPUT -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
    $IPTABLES -A INPUT -j DROP
    $IPTABLES -A OUTPUT -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
    $IPTABLES -A OUTPUT -j DROP

    # THE END
    # ===========================================================

    ===========================================================
    /etc/init.d/iptables
    ===========================================================

    #!/bin/sh
    #
    # chkconfig: 2345 08 92
    #

    IPTABLES_CONFIG=/etc/iptables.rules

    # check we have the iptables executable
    if [ ! -x /sbin/iptables ]; then
        exit 0
    fi

    # check we have the right kernel version
    KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
    KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`
    if [ "$KERNELMAJ" -lt 2 ] ; then
        exit 0
    fi
    if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
        exit 0
    fi

    if /sbin/lsmod 2>/dev/null | grep -q ipchains ; then
        # Don't do both
        exit 0
    fi

    start() {
        # don't do squat if we don't have the script
        if [ -f $IPTABLES_CONFIG ]; then
            echo "Applying iptables firewall rules:"
            /etc/iptables.rules
            touch /var/lock/subsys/iptables
        fi
    }

    stop() {
        echo "Flushing all chains:"
        iptables -F
        echo "Removing user defined chains:"
        iptables -X
        echo "Resetting built-in chains to the default ACCEPT policy:"
        iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -P OUTPUT ACCEPT &&
        # THE RESULT OF THE EXECUTION MUST BE CAPTURED AND THE ECHOS DONE
        # ACCORDINGLY
        # success "Resetting built-in chains to the default ACCEPT policy" ||
        # failure "Resetting built-in chains to the default ACCEPT policy"
        rm -f /var/lock/subsys/iptables
    }

    case "$1" in
    start)
        start
        ;;

    stop)
        stop
        ;;

    restart)
        # "restart" is really just "start" as this isn't a daemon,
        # and "start" clears any pre-defined rules anyway.
        # This is really only here to make those who expect it happy
        start
        ;;

    status)
        iptables --list
        ;;

    panic)
        echo "Changing target policies to DROP: "
        iptables -P INPUT DROP && iptables -P FORWARD DROP && iptables -P OUTPUT DROP
        # THE RESULT OF THE EXECUTION MUST BE CAPTURED AND THE ECHOS DONE
        # ACCORDINGLY
        # success "Changing target policies to DROP" || \
        # failure "Changing target policies to DROP"
        echo
        echo "Flushing all chains:"
        iptables -F INPUT && iptables -F FORWARD && iptables -F OUTPUT
        echo
        echo "Removing user defined chains:"
        iptables -X
        ;;

    *)
        echo "Usage: $0 {start|stop|restart|status|panic}"
        exit 1
    esac

    exit 0

    Jeannot Lelapin Guest

  2. #2

    Re: X & Gnome crashes the system with iptables

    Thanks a lot,

    I have a rule which drops all loopback traffic:
    $IPTABLES -A INPUT -d lo -j DROP
    I was tired when I wrote iptables.rules.

    I placed
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    after the policy rules.
    Then it works fine.

    Jeannot Lelapin

    Jeannot Lelapin Guest
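Why the follow-up fix works, as an added example that is not part of the original thread: netfilter walks a chain from top to bottom and the first matching rule decides the packet's fate, so in the rules file as posted the SPOOFING line `$IPTABLES -A INPUT -d $LOOPBACK -j DROP` matches every packet arriving on lo before the `-i lo -j ACCEPT` rule further down is ever reached, and with the default DROP policy every local TCP connection that GNOME components make over 127.0.0.1 is silently killed. The POSIX sh check below scans a rules script for that ordering mistake. The two sample rule sets are constructed to mirror the broken and the corrected order; the function names (`first_rule_line`, `check_loopback_order`) and variable names are mine, not the poster's.

```shell
#!/bin/sh
# Added example, not from the original post: detect a loopback DROP that is
# placed above the loopback ACCEPT in an iptables rules script. Netfilter
# walks a chain top to bottom and the first matching rule wins, so order
# matters more than the intent written in the comments.

# Print the line number (within the rules text given as $1) of the first
# non-comment line matching the extended regex $2; print nothing if none.
first_rule_line() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        /^[ \t]*#/ { next }                 # skip comment lines (and the shebang)
        $0 ~ pat   { print NR; exit }'      # first match wins, like the chain
}

# Check that INPUT accepts traffic on lo before any rule drops packets whose
# destination is the loopback network. Returns 0 if the order is safe, 1 if not.
check_loopback_order() {
    rules=$1
    accept=$(first_rule_line "$rules" '-A INPUT .*-i lo .*-j ACCEPT')
    drop=$(first_rule_line "$rules" '-A INPUT .*-d ([$]LOOPBACK|127[.]0[.]0[.]0/8|lo) .*-j DROP')
    if [ -z "$accept" ]; then
        echo "BUG: no '-A INPUT -i lo -j ACCEPT' rule; with a DROP policy all local traffic dies"
        return 1
    fi
    if [ -n "$drop" ] && [ "$drop" -lt "$accept" ]; then
        echo "BUG: line $drop drops loopback traffic before line $accept accepts it (first match wins)"
        return 1
    fi
    echo "OK: loopback ACCEPT at line $accept precedes any loopback DROP${drop:+ (line $drop)}"
    return 0
}

# Constructed sample: the order from the posted /etc/iptables.rules, reduced
# to the lines that matter.
BROKEN_RULES=$(cat <<'EOF'
#!/bin/bash
IPTABLES=/sbin/iptables
LOOPBACK="127.0.0.0/8"
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
## SPOOFING
# Refuse packets claiming to be to the loopback interface.
$IPTABLES -A INPUT -d $LOOPBACK -j DROP
## LOOPBACK
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
EOF
)

# Constructed sample: the fix from the follow-up post, loopback ACCEPT right
# after the default policies. The anti-spoofing DROP then only ever sees
# packets that arrive on a real interface with a 127.0.0.0/8 destination.
FIXED_RULES=$(cat <<'EOF'
#!/bin/bash
IPTABLES=/sbin/iptables
LOOPBACK="127.0.0.0/8"
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
## LOOPBACK
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
## SPOOFING
$IPTABLES -A INPUT -d $LOOPBACK -j DROP
EOF
)

echo "== rules as posted =="
check_loopback_order "$BROKEN_RULES" || :
echo "== loopback ACCEPT moved up =="
check_loopback_order "$FIXED_RULES" || :
# Against a live file: check_loopback_order "$(cat /etc/iptables.rules)"
```

The check only looks at the INPUT chain, which is where the posted script drops loopback traffic; the same first-match reasoning applies to OUTPUT, where a `-o lo -j ACCEPT` placed after any catch-all `-p tcp -j DROP` would break local clients in the same way.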
