NET::HTTP behind a firewall?

Discussion in 'Ruby' started by Joe Regular, Oct 3, 2006.

  1. Joe Regular

    Joe Regular Guest

    I recently deployed an app to my production server that accesses other
    websites via NET::HTTP. Due to my firewall (iptables), the app is unable
    to access the other sites.

    What ports should I open/changes should I make to my firewall config
    script (KISS) to enable ruby to make the appropriate outgoing requests?

    Thanks,
    Kris

    --
    Posted via http://www.ruby-forum.com/.
     
    Joe Regular, Oct 3, 2006
    #1


  2. > On 10/3/06, Joe Regular <> wrote:
    >>
    >> I recently deployed an app to my production server that accesses other
    >> websites via NET::HTTP. Due to my firewall (iptables), the app is unable
    >> to access the other sites.
    >>
    >> What ports should I open/changes should I make to my firewall config
    >> script (KISS) to enable ruby to make the appropriate outgoing requests?


    Outgoing connections are almost always made on high ports. It doesn't
    matter what you're using to connect out; the fact that you're making
    a client request to some remote server on some port will cause your
    client ip:port to be <ip you're going out over>:<some high port,
    probably over 10000>.

    So be sure you open up, say, 10000 - 65535 outgoing tcp.

    If this still doesn't work, there's probably some sort of transparent
    firewall between your router and your destination blocking this.

    --
    Jeremy Tregunna
     
    Jeremy Tregunna, Oct 3, 2006
    #2

  3. Joe Regular

    Joe Regular Guest

    Jeremy Tregunna wrote:
    >
    > Outgoing connections are almost always made on high ports. It doesn't
    > matter what you're using to connect out, the fact that you're making
    > a client request to some remote server on some port, will cause your
    > client ip:port to be <ip you're going out over>:<some high port,
    > probably over 10000>.
    >
    > So be sure you open up say 10000 - 65535 outgoing tcp
    >
    > If this still doesn't work, there's probably some sort of transparent
    > firewall between your router and your destination blocking this.



    Jeremy, thanks for the help. I knew the outgoing connections were made
    on higher ports but I was not sure which range of ports they would be
    made on and I wanted to keep my config as tight as possible. I also
    wanted to know if there was a way to allow a specific process (such as
    the one running ruby) to access all outgoing ports.

    Francis, thanks for your support.

    --
    Posted via http://www.ruby-forum.com/.
     
    Joe Regular, Oct 3, 2006
    #3
  4. On 06-10-03, at 18:32, Joe Regular wrote:

    > Jeremy, thanks for the help. I knew the outgoing connections were made
    > on higher ports but I was not sure which range of ports they would be
    > made on and I wanted to keep my config as tight as possible. I also
    > wanted to know if there was a way to allow a specific process (such as
    > the one running ruby) to access all outgoing ports.


    I'm not familiar with iptables, so I cannot tell you. But considering
    that for instance, OpenBSD's pf allows you to specify user, I would
    be shocked if iptables hasn't copied that idea.

    --
    Jeremy Tregunna
     
    Jeremy Tregunna, Oct 3, 2006
    #4
  5. Joe Regular

    Joe Regular Guest

    Joe Regular wrote:
    > Jeremy Tregunna wrote:
    >>
    >> Outgoing connections are almost always made on high ports. It doesn't
    >> matter what you're using to connect out, the fact that you're making
    >> a client request to some remote server on some port, will cause your
    >> client ip:port to be <ip you're going out over>:<some high port,
    >> probably over 10000>.
    >>
    >> So be sure you open up say 10000 - 65535 outgoing tcp
    >>
    >> If this still doesn't work, there's probably some sort of transparent
    >> firewall between your router and your destination blocking this.
    >
    > Jeremy, thanks for the help. I knew the outgoing connections were made
    > on higher ports but I was not sure which range of ports they would be
    > made on and I wanted to keep my config as tight as possible. I also
    > wanted to know if there was a way to allow a specific process (such as
    > the one running ruby) to access all outgoing ports.
    >
    > Francis, thanks for your support.



    Francis, I do not know much about iptables so I am using the KISS script
    to manage iptables. I am not that stupid and have obviously tried to
    open 80 and 443. I suppose I could read more about configuring iptables
    manually but KISS has worked fine for all the other applications I am
    running for a year and I would rather stick with it. If you don't mind,
    I would appreciate it if you could tell me if there is a problem with
    KISS config that is causing iptables to constrain outbound traffic based
    on the local port. Here is my kiss config...

    #!/bin/bash
    #
    # http://www.geocities.com/steve93138/
    #
    #

    ##############################################################################
    #
    # Optional KISS Configuration Variables:
    #
    BLOCK_LIST=""
    TCP_IN="20 21 25 53 80 110 143 443 995 3306 8443 10000 19638"
    TCP_OUT="21 22 25 37 43 53 80 443 55000"
    UDP_IN="53"
    UDP_OUT="53"
    TCP_IN_TRUSTED="22"
    TRUSTED_IPS="0.0.0.0/0"
    SERVER_IPS="0.0.0.0/0"

    ##############################################################################
    #
    PUB_IFACE="eth1"
    PRIV_IFACE="eth0"

    #####
    # Please note that only the PRIVATE_IP needs to be found as PUB_IFACE
    # IP is detected in the MAIN_IP variable below.
    #####
    if [ ! "$PRIV_IFACE" == "" ]; then
    PRIVATE_IP=`ifconfig $PRIV_IFACE | grep "inet addr" | cut -d: -f2 | awk '{print $1}'`
    fi


    ##############################################################################
    #
    # ALL DONE WITH CONFIGURATIONS!
    #
    # No real need to modify anything for the remainder of this file except to
    # maybe remove the comments from certain lines at the end of this file.
    #

    # Some variables here. Modify if needed for your system.
    IPTABLES="/sbin/iptables"
    MODPROBE="/sbin/modprobe"
    LOOPBACK="127.0.0.0/8"
    CLASS_A="10.0.0.0/8"
    CLASS_B="172.16.0.0/12"
    CLASS_C="192.168.0.0/16"
    CLASS_D_MULTICAST="224.0.0.0/4"
    CLASS_E_RESERVED_NET="240.0.0.0/4"
    BROADCAST_SRC="0.0.0.0"
    BROADCAST_DEST="255.255.255.255"
    PRIVPORTS="0:1023"
    UNPRIVPORTS="1024:65535"


    ##############################################################################
    # Determine if iptables and modprobe exist
    #
    if [ ! -e "$IPTABLES" ]; then
    echo "$IPTABLES does not exist. Firewall script aborted!"
    exit 1
    fi
    if [ ! -e "$MODPROBE" ]; then
    echo "$MODPROBE does not exist. Firewall script aborted!"
    exit 1
    fi


    ##############################################################################
    # Determine MAIN_IP & SERVER_IPS if needed
    #
    MAIN_IP=`ifconfig $PUB_IFACE | grep "inet addr" | cut -d: -f2 | awk '{print $1}'`
    if [ "$MAIN_IP" == "" ]; then
    echo "Could not determine MAIN_IP. Firewall script aborted!"
    exit 1
    fi
    if [ "$SERVER_IPS" == "" ]; then
    SERVER_IPS=$MAIN_IP
    fi
    if [ "$SERVER_IPS" == "" ]; then
    echo "Could not determine SERVER_IPS. Firewall script aborted!"
    exit 1
    fi


    ##############################################################################

    # Arguments:
    if [ "$1" == "stop" ] || [ "$1" == "-stop" ] || [ "$1" == "--stop" ]; then
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F
    $IPTABLES -L -n
    echo ""
    echo ""
    echo -e "\033[31mKISS My Firewall - Stopped!"
    echo -e -n "\033[0m "
    echo ""
    exit 0
    fi
    if [ "$1" == "status" ] || [ "$1" == "-status" ] || [ "$1" == "--status" ]; then
    NUM_LINES=`$IPTABLES -L -n | wc -l | awk '{print $1}'`
    $IPTABLES -L -n
    echo ""
    echo ""
    if [ "$NUM_LINES" -le "15" ]; then
    echo -e "\033[31mKISS My Firewall - Stopped!"
    else
    echo -e "\033[32mKISS My Firewall - Running!"
    fi
    echo -e -n "\033[0m "
    echo ""
    exit 0
    fi


    ##############################################################################

    # We don't want ipchains loaded:
    IPCHAINS=`/sbin/lsmod | grep ipchains`
    if [ ! "$IPCHAINS" == "" ]; then
    /sbin/rmmod ipchains
    fi



    ##############################################################################

    # Note: KISS requires that ip_tables, ipt_state, and ipt_multiport exist:
    if [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.ko" ] ||
       [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko" ] ||
       [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.ko" ]; then
    echo "Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!"
    exit 1
    fi

    # All is well, load modules:
    if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.ko" ]; then
    $MODPROBE ip_tables
    fi
    if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko" ]; then
    $MODPROBE ipt_state
    fi
    if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.ko" ]; then
    $MODPROBE ipt_multiport
    fi
    if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/iptable_filter.ko" ]; then
    $MODPROBE iptable_filter
    fi
    if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_unclean.ko" ]; then
    $MODPROBE ipt_unclean
    fi
    if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_limit.ko" ]; then
    $MODPROBE ipt_limit
    fi
    if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_LOG.ko" ]; then
    $MODPROBE ipt_LOG
    fi
    if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_REJECT.ko" ]; then
    $MODPROBE ipt_REJECT
    fi
    if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack.ko" ]; then
    $MODPROBE ip_conntrack
    fi
    if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_irc.ko" ]; then
    $MODPROBE ip_conntrack_irc
    fi
    if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko" ]; then
    $MODPROBE ip_conntrack_ftp
    fi
    if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/iptable_mangle.ko" ]; then
    $MODPROBE iptable_mangle
    fi


    ##############################################################################

    # Remove any existing rules from all chains
    $IPTABLES --flush
    $IPTABLES -t nat --flush
    $IPTABLES -t mangle --flush

    # Allow unlimited traffic on the loopback interface
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Set the default policy to DROP
    $IPTABLES --policy INPUT DROP
    $IPTABLES --policy OUTPUT DROP
    $IPTABLES --policy FORWARD DROP

    # DO NOT MODIFY THESE!
    #
    # If you set these to DROP, you will be locked out of your server.
    #
    $IPTABLES -t nat --policy PREROUTING ACCEPT
    $IPTABLES -t nat --policy OUTPUT ACCEPT
    $IPTABLES -t nat --policy POSTROUTING ACCEPT
    $IPTABLES -t mangle --policy PREROUTING ACCEPT
    $IPTABLES -t mangle --policy OUTPUT ACCEPT

    # Remove any pre-existing user-defined chains
    $IPTABLES --delete-chain
    $IPTABLES -t nat --delete-chain
    $IPTABLES -t mangle --delete-chain


    ##############################################################################

    # Enable broadcast echo Protection
    if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    fi

    # Disable Source Routed Packets
    if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    fi

    # Enable TCP SYN Cookie Protection
    if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    fi

    # Disable ICMP Redirect Acceptance
    if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    fi

    # Don't send Redirect Messages
    if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
    echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
    fi


    # Drop Spoofed Packets coming in on an interface, which if replied to, would
    # result in the reply going out a different interface.
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    fi

    # Log packets with impossible addresses
    if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    fi


    # Reduce DoS'ing ability by reducing timeouts
    if [ -e /proc/sys/net/ipv4/tcp_fin_timeout ]; then
    echo "1800" > /proc/sys/net/ipv4/tcp_fin_timeout
    fi
    if [ -e /proc/sys/net/ipv4/tcp_keepalive_time ]; then
    echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
    fi
    if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]; then
    echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
    fi
    if [ -e /proc/sys/net/ipv4/tcp_sack ]; then
    echo "0" > /proc/sys/net/ipv4/tcp_sack
    fi


    ##############################################################################
    # Silently Drop Stealth Scans

    # All of the bits are cleared
    $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

    # SYN and FIN are both set
    $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    # SYN and RST are both set
    $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    # FIN and RST are both set
    $IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

    # FIN is the only bit set, without the expected accompanying ACK
    $IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

    # PSH is the only bit set, without the expected accompanying ACK
    $IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP

    # URG is the only bit set, without the expected accompanying ACK
    $IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP


    ##############################################################################
    # Provide some syn-flood protection
    #
    # THIS CODE SLOWS DOWN WEB PAGE LOADS DRAMATICALLY!!!
    #
    # Only enable this code if you find that you are the victim of a syn-flood
    # attack!
    #
    #$IPTABLES -N syn-flood
    #$IPTABLES -A INPUT -p tcp --syn -j syn-flood
    #$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    #$IPTABLES -A syn-flood -j DROP
    #


    ##############################################################################
    # BLOCK_LIST
    #
    # To add someone to this block list, use the BLOCK_LIST configuration variable
    # above.
    #
    # We block here, before our stateful packet inspection below, because if the
    # offender is already logged in, he won't be kicked out. Note also that we
    # include the offender's IP in the OUTPUT chain. This should help to reduce
    # the threat a little bit more.
    #
    #
    for blocked_ip in $BLOCK_LIST; do
    # Lock him out:
    $IPTABLES -A INPUT -s $blocked_ip -j DROP
    # Make sure that he never hears from us again:
    $IPTABLES -A OUTPUT -d $blocked_ip -j DROP
    done

    ##############################################################################
    #
    # To define your private network, use the PRIV_IFACE configuration
    # variable above.
    #
    # We allow all traffic in and out of the private network
    # -i matches the inbound interface; the test needs a space before the closing ]
    if [ ! "$PRIV_IFACE" == "" ]; then
    $IPTABLES -A INPUT -s 0/0 -i $PRIV_IFACE -d $PRIVATE_IP -p ALL -j ACCEPT
    fi

    ##############################################################################
    # Use Connection State to Bypass Rule Checking
    #
    # By accepting established and related connections, we don't need to
    # explicitly set various input and output rules. For example, by accepting an
    # established and related output connection, we don't need to specify that
    # the firewall needs to open a hole back out to client when the client
    # requests SSH access.
    #
    #
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    $IPTABLES -A OUTPUT -m state --state INVALID -j DROP


    ##############################################################################
    # Source Address Spoofing and Other Bad Addresses

    # Refuse Spoofed packets pretending to be from the external interface's IP
    #for server_ips in $SERVER_IPS; do
    # $IPTABLES -A INPUT -i $PUB_IFACE -s $server_ips -j DROP
    #done
    #for server_ips in $SERVER_IPS; do
    # for subnet_broadcast in $SUBNET_BROADCAST; do
    # $IPTABLES -A INPUT -i $PUB_IFACE -s $server_ips -d !$subnet_broadcast -j DROP
    # done
    #done

    # Refuse packets claiming to be from a Class A private network
    $IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_A -j DROP

    # Refuse packets claiming to be from a Class B private network
    $IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_B -j DROP

    # Refuse packets claiming to be from a Class C private network
    #$IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_C -j DROP

    # Refuse packets claiming to be from the loopback interface
    $IPTABLES -A INPUT -i $PUB_IFACE -s $LOOPBACK -j DROP

    # Refuse malformed broadcast packets
    $IPTABLES -A INPUT -i $PUB_IFACE -s $BROADCAST_DEST -j DROP
    $IPTABLES -A INPUT -i $PUB_IFACE -d $BROADCAST_SRC -j DROP

    # Refuse directed broadcasts
    # Used to map networks and in Denial of Service attacks
    #for subnet_base in $SUBNET_BASE; do
    # $IPTABLES -A INPUT -i $PUB_IFACE -d $subnet_base -j DROP
    #done
    #for subnet_broadcast in $SUBNET_BROADCAST; do
    # $IPTABLES -A INPUT -i $PUB_IFACE -d $subnet_broadcast -j DROP
    #done

    # Refuse limited broadcasts
    $IPTABLES -A INPUT -i $PUB_IFACE -d $BROADCAST_DEST -j DROP

    # Refuse Class D multicast addresses - illegal as a source address
    #$IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_D_MULTICAST -j DROP
    #$IPTABLES -A INPUT -i $PUB_IFACE -p ! udp -d $CLASS_D_MULTICAST -j DROP
    #$IPTABLES -A INPUT -i $PUB_IFACE -p udp -d $CLASS_D_MULTICAST -j ACCEPT
    #
    $IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_D_MULTICAST -j DROP
    $IPTABLES -A INPUT -i $PUB_IFACE -p udp -d $CLASS_D_MULTICAST -j ACCEPT
    $IPTABLES -A INPUT -i $PUB_IFACE -p 2 -d $CLASS_D_MULTICAST -j ACCEPT
    $IPTABLES -A INPUT -i $PUB_IFACE -p all -d $CLASS_D_MULTICAST -j DROP


    # Refuse Class E reserved IP addresses
    $IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_E_RESERVED_NET -j DROP

    # Refuse addresses defined as reserved by the IANA
    # 0.*.*.* - Can't be blocked unilaterally with DHCP
    # 169.254.0.0/16 - Link Local Networks
    # 192.0.2.0/24 - TEST-NET
    $IPTABLES -A INPUT -i $PUB_IFACE -s 0.0.0.0/8 -j DROP
    $IPTABLES -A INPUT -i $PUB_IFACE -s 169.254.0.0/16 -j DROP
    $IPTABLES -A INPUT -i $PUB_IFACE -s 192.0.2.0/24 -j DROP



    ##############################################################################
    # Now we can open up some holes in our firewall...
    #


    ##############################################################################
    # If we are not accepting 113 (ident), then we explicitly reject it!
    #
    # TCP_IN is space-separated; only reject ident if 113 is not an accepted port.
    if [ "$(echo $TCP_IN | tr ' ' '\n' | grep -w 113)" == "" ]; then
    $IPTABLES -A INPUT -p tcp -s 0/0 -d 0/0 --dport 113 -j REJECT
    $IPTABLES -A INPUT -p udp -s 0/0 -d 0/0 --dport 113 -j REJECT
    fi


    ##############################################################################
    # TCP IN
    #
    for tcp_in in $TCP_IN; do
    for server_ips in $SERVER_IPS; do
    $IPTABLES -A INPUT -i $PUB_IFACE -s 0/0 -d $server_ips -p tcp -m state --state NEW --sport $UNPRIVPORTS --dport $tcp_in -j ACCEPT
    done
    done

    ##############################################################################
    # TCP OUT
    #
    for tcp_out in $TCP_OUT; do
    $IPTABLES -A OUTPUT -o $PUB_IFACE -p tcp -m state --state NEW --sport $UNPRIVPORTS --dport $tcp_out -j ACCEPT
    done

    ##############################################################################
    # UDP IN
    #
    for udp_in in $UDP_IN; do
    for server_ips in $SERVER_IPS; do
    $IPTABLES -A INPUT -i $PUB_IFACE -s 0/0 -d $server_ips -p udp -m state --state NEW --sport $UNPRIVPORTS --dport $udp_in -j ACCEPT
    done
    done

    ##############################################################################
    # UDP OUT
    #
    for udp_out in $UDP_OUT; do
    $IPTABLES -A OUTPUT -o $PUB_IFACE -p udp -m state --state NEW --sport $UNPRIVPORTS --dport $udp_out -j ACCEPT
    done

    ##############################################################################
    # TCP IN TRUSTED
    #
    #for tcp_in_trusted in $TCP_IN_TRUSTED; do
    # for server_ips in $SERVER_IPS; do
    # for trusted_ips in $TRUSTED_IPS; do
    # $IPTABLES -A INPUT -i $PUB_IFACE -s $trusted_ips -d $server_ips -p tcp -m state --state NEW --sport $UNPRIVPORTS --dport $tcp_in_trusted -j ACCEPT
    # done
    # done
    #done
    for tcp_in_trusted in $TCP_IN_TRUSTED; do
    for trusted_ips in $TRUSTED_IPS; do
    $IPTABLES -A INPUT -i $PUB_IFACE -s $trusted_ips -d $MAIN_IP -p tcp -m state --state NEW --sport $UNPRIVPORTS --dport $tcp_in_trusted -j ACCEPT
    done
    done


    ##############################################################################
    # Allow pinging of this server's MAIN_IP by trusted IPs only.
    #
    for trusted_ips in $TRUSTED_IPS; do
    $IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i $PUB_IFACE -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
    done


    ##############################################################################
    # OUTPUT - PORT 113 - IDENTD
    #
    #for server_ips in $SERVER_IPS; do
    # $IPTABLES -A OUTPUT -o $PUB_IFACE -s $server_ips -p tcp --syn --sport $UNPRIVPORTS --dport 113 -m state --state NEW -j REJECT --reject-with tcp-reset
    #done


    ##############################################################################
    # Uncomment to allow DNS zone transfers
    #
    $IPTABLES -A INPUT -i $PUB_IFACE -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i $PUB_IFACE -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o $PUB_IFACE -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o $PUB_IFACE -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT


    ##############################################################################
    # Uncomment to allow for outgoing ping
    #
    #$IPTABLES -A OUTPUT -o $PUB_IFACE -s $MAIN_IP -m state --state NEW -p icmp --icmp-type ping -j ACCEPT


    ##############################################################################
    # Uncomment to allow outgoing traceroutes
    #
    #$IPTABLES -A OUTPUT -o $PUB_IFACE -p udp -s $MAIN_IP --sport 32769:65535 --dport 33434:33523 -m state --state NEW -j ACCEPT

    $IPTABLES -L -n
    echo ""
    echo ""
    echo -e "\033[32mKISS My Firewall - Running!"
    echo -e -n "\033[0m "
    echo ""

    exit 0



    --
    Posted via http://www.ruby-forum.com/.
     
    Joe Regular, Oct 3, 2006
    #5
  6. Joe Regular

    Joe Regular Guest

    Yes, eth1 is the public nic. I can not ping anything with the firewall
    enabled. I can access all the tcp_in ports from external machines.
    tracert is not working on my workstation right now, it times out to any
    host on the second hop.

    My code works properly on my workstations, development servers, and even
    the production server without the firewall config enabled.

    Is it possible that NET::HTTP is attempting to use a local port that is
    lower than UNPRIVPORTS allows?

    Thanks for your help Francis.

    Thanks,
    Kris



    Francis Cianfrocca wrote:
    > On 10/3/06, Joe Regular <> wrote:
    >>
    >> Joe Regular wrote:
    >
    > # TCP OUT
    > #
    > for tcp_out in $TCP_OUT; do
    > $IPTABLES -A OUTPUT -o $PUB_IFACE -p tcp -m state --state NEW --sport $UNPRIVPORTS --dport $tcp_out -j ACCEPT
    > done
    >
    > Is your routing configured such that your external servers are reachable
    > through eth1? Can you ping anything from this server? Can you telnet to the
    > affected external web servers on port 80? Can you traceroute to them (either
    > using ICMP or UDP)? Did your code work correctly on a test server that
    > didn't have this firewall config? What's the output from iptables -L? As far
    > as the local (ephemeral) port is concerned, this rule will let anything out
    > that is locally bound to any port higher than 1024, which should be ok.



    --
    Posted via http://www.ruby-forum.com/.
     
    Joe Regular, Oct 4, 2006
    #6
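As an added example (not code from the thread or from KISS), here is a small Ruby model of the OUTPUT chain that the script in post #5 builds. It checks the question in post #6 (does the kernel ever hand Net::HTTP a local port below UNPRIVPORTS?) against a real ephemeral port taken from a loopback socket, and sketches the per-user rule from post #4 using iptables' `-m owner --uid-owner` match; eth1, uid 1001 and the /proc path are assumptions.

```ruby
# Added example, not code from the thread: a small model of the KISS OUTPUT
# chain so the ephemeral-port question can be checked instead of guessed.
require "socket"

# One OUTPUT rule. nil fields are wildcards, as in iptables. `uid` models the
# `-m owner --uid-owner` match iptables offers on locally generated packets,
# the per-user idea raised in post #4.
Rule = Struct.new(:proto, :sport, :dport, :uid, :target) do
  def match?(pkt)
    (proto.nil? || proto == pkt[:proto]) &&
      (sport.nil? || sport.cover?(pkt[:sport])) &&
      (dport.nil? || dport == pkt[:dport]) &&
      (uid.nil? || uid == pkt[:uid])
  end

  # The iptables command line this rule corresponds to (eth1 assumed, as in
  # the poster's PUB_IFACE).
  def to_iptables(iface = "eth1")
    parts = ["iptables -A OUTPUT -o #{iface}"]
    parts << "-p #{proto}" if proto
    parts << "-m owner --uid-owner #{uid}" if uid
    parts << "-m state --state NEW"
    parts << "--sport #{sport.begin}:#{sport.end}" if sport
    parts << "--dport #{dport}" if dport
    parts << "-j #{target}"
    parts.join(" ")
  end
end

# Values copied from the KISS config in post #5.
TCP_OUT     = "21 22 25 37 43 53 80 443 55000"
UDP_OUT     = "53"
UNPRIVPORTS = "1024:65535"

def parse_ports(list)
  list.split.map(&:to_i)
end

def parse_range(spec)
  lo, hi = spec.split(":").map(&:to_i)
  lo..hi
end

# Rebuild the NEW-connection rules of the KISS OUTPUT chain (the
# ESTABLISHED,RELATED rule above them never applies to a fresh connect).
def kiss_output_chain(tcp_out: TCP_OUT, udp_out: UDP_OUT, unpriv: UNPRIVPORTS)
  range = parse_range(unpriv)
  parse_ports(tcp_out).map { |p| Rule.new(:tcp, range, p, nil, :ACCEPT) } +
    parse_ports(udp_out).map { |p| Rule.new(:udp, range, p, nil, :ACCEPT) }
end

# Walk a chain the way iptables does: first matching rule wins, otherwise
# the chain policy (DROP in the script).
def verdict(chain, pkt, policy: :DROP)
  rule = chain.find { |r| r.match?(pkt) }
  rule ? rule.target : policy
end

# Let the kernel pick a local port on loopback, exactly as it does when
# Net::HTTP connects out. Returns nil where sockets are unavailable.
def ephemeral_local_port
  server = TCPServer.new("127.0.0.1", 0)
  client = TCPSocket.new("127.0.0.1", server.addr[1])
  client.local_address.ip_port
rescue SystemCallError, SocketError
  nil
ensure
  client&.close
  server&.close
end

# The kernel's ephemeral range on Linux (path assumed; nil elsewhere).
def ephemeral_range
  lo, hi = File.read("/proc/sys/net/ipv4/ip_local_port_range").split.map(&:to_i)
  lo..hi
rescue SystemCallError
  nil
end

if __FILE__ == $PROGRAM_NAME
  chain = kiss_output_chain
  sport = ephemeral_local_port || 32768 # fallback when sockets are unavailable
  puts "kernel chose local port #{sport}; ephemeral range: #{ephemeral_range.inspect}"
  [80, 443, 8080].each do |dport|
    v = verdict(chain, { proto: :tcp, sport: sport, dport: dport })
    puts "tcp #{sport} -> #{dport}: #{v}" # 80 and 443 ACCEPT, 8080 DROP
  end
  # Per-user alternative: one rule keyed on the app's uid (1001 is constructed).
  owner = Rule.new(:tcp, nil, nil, 1001, :ACCEPT)
  puts owner.to_iptables
  v = verdict([owner] + chain, { proto: :tcp, sport: sport, dport: 8080, uid: 1001 })
  puts "tcp #{sport} -> 8080 from uid 1001 with the owner rule: #{v}"
end
```

The port the kernel picks sits inside 1024:65535, so the `--sport $UNPRIVPORTS` match is not what blocks the app; any destination port missing from TCP_OUT is.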
  7. Joe Regular

    Joe Regular Guest

    and here is the output of iptables -L...


    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
    DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
    DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
    DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
    DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
    DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP all -- anywhere anywhere state INVALID
    DROP all -- 10.0.0.0/8 anywhere
    DROP all -- 172.16.0.0/12 anywhere
    DROP all -- 127.0.0.0/8 anywhere
    DROP all -- 255.255.255.255 anywhere
    DROP all -- anywhere 0.0.0.0
    DROP all -- anywhere 255.255.255.255
    DROP all -- 224.0.0.0/4 anywhere
    ACCEPT udp -- anywhere 224.0.0.0/4
    ACCEPT igmp -- anywhere 224.0.0.0/4
    DROP all -- anywhere 224.0.0.0/4
    DROP all -- 240.0.0.0/4 anywhere
    DROP all -- 0.0.0.0/8 anywhere
    DROP all -- 169.254.0.0/16 anywhere
    DROP all -- 192.0.2.0/24 anywhere
    REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with icmp-port-unreachable
    REJECT udp -- anywhere anywhere udp dpt:auth reject-with icmp-port-unreachable
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:ftp-data
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:ftp
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:smtp
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:domain
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:http
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:pop3
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:imap
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:https
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:pop3s
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:mysql
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:8443
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:10000
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:19638
    ACCEPT udp -- anywhere anywhere state NEW udp spts:1024:65535 dpt:domain
    ACCEPT tcp -- anywhere **mydomain** state NEW tcp spts:1024:65535 dpt:ssh
    ACCEPT icmp -- anywhere **mydomain** state NEW icmp echo-request
    ACCEPT udp -- anywhere anywhere udp spt:domain dpt:domain state NEW
    ACCEPT tcp -- anywhere anywhere tcp spt:domain dpt:domain state NEW

    Chain FORWARD (policy DROP)
    target prot opt source destination

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP all -- anywhere anywhere state INVALID
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:ftp
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:ssh
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:smtp
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:time
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:nicname
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:domain
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:http
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:https
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:55000
    ACCEPT udp -- anywhere anywhere state NEW udp spts:1024:65535 dpt:domain
    ACCEPT udp -- anywhere anywhere udp spt:domain dpt:domain state NEW
    ACCEPT tcp -- anywhere anywhere tcp spt:domain dpt:domain state NEW
    [root@ptp1 ~]# iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
    DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
    DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
    DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
    DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
    DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP all -- anywhere anywhere state INVALID
    DROP all -- 10.0.0.0/8 anywhere
    DROP all -- 172.16.0.0/12 anywhere
    DROP all -- 127.0.0.0/8 anywhere
    DROP all -- 255.255.255.255 anywhere
    DROP all -- anywhere 0.0.0.0
    DROP all -- anywhere 255.255.255.255
    DROP all -- 224.0.0.0/4 anywhere
    ACCEPT udp -- anywhere 224.0.0.0/4
    ACCEPT igmp -- anywhere 224.0.0.0/4
    DROP all -- anywhere 224.0.0.0/4
    DROP all -- 240.0.0.0/4 anywhere
    DROP all -- 0.0.0.0/8 anywhere
    DROP all -- 169.254.0.0/16 anywhere
    DROP all -- 192.0.2.0/24 anywhere
    REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with icmp-port-unreachable
    REJECT udp -- anywhere anywhere udp dpt:auth reject-with icmp-port-unreachable
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:ftp-data
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:ftp
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:smtp
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:domain
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:http
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:pop3
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:imap
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:https
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:pop3s
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:mysql
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:8443
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:10000
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:19638
    ACCEPT udp -- anywhere anywhere state NEW udp spts:1024:65535 dpt:domain
    ACCEPT tcp -- anywhere **mydomain** state NEW tcp spts:1024:65535 dpt:ssh
    ACCEPT icmp -- anywhere **mydomain** state NEW icmp echo-request
    ACCEPT udp -- anywhere anywhere udp spt:domain dpt:domain state NEW
    ACCEPT tcp -- anywhere anywhere tcp spt:domain dpt:domain state NEW

    Chain FORWARD (policy DROP)
    target prot opt source destination

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP all -- anywhere anywhere state INVALID
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:ftp
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:ssh
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:smtp
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:time
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:nicname
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:domain
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:http
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:https
    ACCEPT tcp -- anywhere anywhere state NEW tcp spts:1024:65535 dpt:55000
    ACCEPT udp -- anywhere anywhere state NEW udp spts:1024:65535 dpt:domain
    ACCEPT udp -- anywhere anywhere udp spt:domain dpt:domain state NEW
    ACCEPT tcp -- anywhere anywhere tcp spt:domain dpt:domain state NEW



    Joe Regular wrote:
    > Yes, eth1 is the public nic. I can not ping anything with the firewall
    > enabled. I can access all the tcp_in ports from external machines.
    > tracert is not working on my workstation right now, it times out to any
    > host on the second hop.
    >
    > My code works properly on my workstations, development servers, and even
    > the production server without the firewall config enabled.
    >
    > Is it possible that NET::HTTP is attempting to use a local port that is
    > lower than NPRIVPORTS allows?
    >
    > Thanks for your help Francis.
    >
    > Thanks,
    > Kris
    >
    >
    >
    > Francis Cianfrocca wrote:
    >> On 10/3/06, Joe Regular <> wrote:
    >>>
    >>> Joe Regular wrote:

    >>
    >>
    >>
    >> # TCP OUT
    >> #
    >> for tcp_out in $TCP_OUT; do
    >>   $IPTABLES -A OUTPUT -o $PUB_IFACE -p tcp -m state --state NEW \
    >>     --sport $UNPRIVPORTS --dport $tcp_out -j ACCEPT
    >> done
    >>
    >>
    >> Is your routing configured such that your external servers are
    >> reachable through eth1? Can you ping anything from this server? Can
    >> you telnet to the affected external web servers on port 80? Can you
    >> traceroute to them (either using ICMP or UDP)? Did your code work
    >> correctly on a test server that didn't have this firewall config?
    >> What's the output from iptables -L? As far as the local (ephemeral)
    >> port is concerned, this rule will let anything out that is locally
    >> bound to any port higher than 1024, which should be ok.



     
    Joe Regular, Oct 4, 2006
    #7
  8. Joe Regular

    ruby grl Guest

    Re: Recommend a hosting company?

    I was hosting with site5, but their support was terrible; I finally had to
    cancel service, they never responded to support questions. I finally spent
    some money on a dedicated host running rails on suse linux with redplaid
    hosting and it has been so much more reliable.

    On 3/12/06, "Michael Gorsuch" <michael.gorsuch gmail.com> wrote:
    >I use site5 (http://www.site5.com). They're enthusiastic Ruby users so
    >their support is quite good.
    >
    >On 3/11/06, Stephen Kellett <snail / objmedia.demon.co.uk> wrote:
    >Hi Folks,
    >
    >I have an idea for a website. I want to develop it using Ruby on Rails,
    >so ultimately I'll need a website hosting company.
    >
    >I'm going to be putting together a different take on the various
    >websites that host music for musical instrument players for learning new
    >tunes - this isn't a software idea and is nothing linked to my day job
    >with Object Media/Software Verification. As a result hosting costs may
    >be an issue if the host is expensive until the idea pays for itself.
    >
    >I've done a bit of web-searching on this subject, but really I'd like
    >recommendations from those of you already doing this. You know which
    >companies you've used and which you use again, which were expensive and
    >good value, which were expensive and bad value, which were cheap and
    >good value, etc.
    >
    >Please recommend some hosting companies.
    >
    >Thanks
    >
    >Stephen
    >(reply to newgroup or by email, both are fine)
    >--
    >Stephen Kellett
    >Object Media Limited http://www.objmedia.demon.co.uk/software.html
    >Computer Consultancy, Software Development
    >Windows C++, Java, Assembler, Performance Analysis, Troubleshooting
    >
    >
     
    ruby grl, Oct 4, 2006
    #8
  9. Joe Regular

    Joe Regular Guest

    Not sure what is going on with this thread but hopefully this post makes
    it to the correct location...

    I checked the logs and all it says is basically that NET::HTTP cannot
    resolve the host, so there isn't enough information to figure out
    exactly why the connection is failing. I will give the SYN flag a try
    and also look into understanding iptables on my own without the KISS
    script. Thanks again for your help.

    Francis Cianfrocca wrote:
    > On 10/3/06, Joe Regular <> wrote:
    >
    > Sorry, I meant you won't be able to complete TCP connections that you
    > initiate.



     
    Joe Regular, Oct 4, 2006
    #9
  10. Joe Regular

    Joe Regular Guest

    I tried removing the SYN rules and various other ones with no luck. I
    also tried allowing all outgoing ports above 10000 with no luck. However
    when I allowed outgoing ports below 10000 it worked. Not sure why yet
    but I will attempt to figure out the exact port it needs a little later.


    Joe Regular wrote:
    > Not sure what is going on with this thread but hopefully this post makes
    > it to the correct location...
    >
    > I checked the logs and all it says is basically that NET::HTTP cannot
    > resolve the host, so there isn't enough information to figure out
    > exactly why the connection is failing. I will give the SYN flag a try
    > and also look into understanding iptables on my own without the KISS
    > script. Thanks again for your help.
    >
    > Francis Cianfrocca wrote:
    >> On 10/3/06, Joe Regular <> wrote:
    >>
    >> Sorry, I meant you won't be able to complete TCP connections that you
    >> initiate.



     
    Joe Regular, Oct 4, 2006
    #10
  11. Joe Regular

    Amos King Guest

    Re: Recommend a hosting company?

    This site has a one free year deal that I used. It works great and
    after your app is running if you need more space or bandwidth you can
    always upgrade. Every time I've sent their support an e-mail I get a
    response that day. They truly are a good hosting company.


    http://www.hostingrails.com/home/112330218




    On 10/3/06, ruby grl <> wrote:
    >
    > I was hosting with site5, but their support was terrible; I finally had to
    > cancel service, they never responded to support questions. I finally spent
    > some money on a dedicated host running rails on suse linux with redplaid
    > hosting and it has been so much more reliable.
    >
    > On 3/12/06, "Michael Gorsuch" <michael.gorsuch gmail.com> wrote:
    > >I use site5 (http://www.site5.com). They're enthusiastic Ruby users so
    > >their support is quite good.
    > >
    > >On 3/11/06, Stephen Kellett <snail / objmedia.demon.co.uk> wrote:
    > >Hi Folks,
    > >
    > >I have an idea for a website. I want to develop it using Ruby on Rails,
    > >so ultimately I'll need a website hosting company.
    > >
    > >I'm going to be putting together a different take on the various
    > >websites that host music for musical instrument players for learning new
    > >tunes - this isn't a software idea and is nothing linked to my day job
    > >with Object Media/Software Verification. As a result hosting costs may
    > >be an issue if the host is expensive until the idea pays for itself.
    > >
    > >I've done a bit of web-searching on this subject, but really I'd like
    > >recommendations from those of you already doing this. You know which
    > >companies you've used and which you use again, which were expensive and
    > >good value, which were expensive and bad value, which were cheap and
    > >good value, etc.
    > >
    > >Please recommend some hosting companies.
    > >
    > >Thanks
    > >
    > >Stephen
    > >(reply to newgroup or by email, both are fine)
    > >--
    > >Stephen Kellett
    > >Object Media Limited http://www.objmedia.demon.co.uk/software.html
    > >Computer Consultancy, Software Development
    > >Windows C++, Java, Assembler, Performance Analysis, Troubleshooting
    > >
    > >




    --
    Amos King
    USPS
    Programmer/Analyst
    St. Louis, MO
     
    Amos King, Oct 4, 2006
    #11
  12. Joe Regular

    James Cribbs Guest

    Re: Recommend a hosting company?

    I highly recommend Rails Playground. Joe Clarke has responded to every
    email request I have sent in a timely, courteous manner. Once, on a
    Sunday afternoon, I sent a request to install a gem. Within a couple of
    hours, Joe responded saying it was done. On a Sunday!

    That's just one example of the outstanding customer service I have
    received from Rails Playground.

    Jamey Cribbs

    Amos King wrote:
    > This site has a one free year deal that I used. It works great and
    > after your app is running if you need more space or bandwidth you can
    > always upgrade. Every time I've sent their support an e-mail I get a
    > response that day. They truly are a good hosting company.
    >
    >
    > http://www.hostingrails.com/home/112330218
    >
    >
    >
    >
    > On 10/3/06, ruby grl <> wrote:
    >>
    >> I was hosting with site5, but their support was terrible; I finally had to
    >> cancel service, they never responded to support questions. I finally
    >> spent some money on a dedicated host running rails on suse linux with
    >> redplaid hosting and it has been so much more reliable.
    >>
    >> On 3/12/06, "Michael Gorsuch" <michael.gorsuch gmail.com> wrote:
    >> >I use site5 (http://www.site5.com). They're enthusiastic Ruby users so
    >> >their support is quite good.
    >> >
    >> >On 3/11/06, Stephen Kellett <snail / objmedia.demon.co.uk> wrote:
    >> >Hi Folks,
    >> >
    >> >I have an idea for a website. I want to develop it using Ruby on Rails,
    >> >so ultimately I'll need a website hosting company.
    >> >
    >> >I'm going to be putting together a different take on the various
    >> >websites that host music for musical instrument players for learning new
    >> >tunes - this isn't a software idea and is nothing linked to my day job
    >> >with Object Media/Software Verification. As a result hosting costs may
    >> >be an issue if the host is expensive until the idea pays for itself.
    >> >
    >> >I've done a bit of web-searching on this subject, but really I'd like
    >> >recommendations from those of you already doing this. You know which
    >> >companies you've used and which you use again, which were expensive and
    >> >good value, which were expensive and bad value, which were cheap and
    >> >good value, etc.
    >> >
    >> >Please recommend some hosting companies.
    >> >
    >> >Thanks
    >> >
    >> >Stephen
    >> >(reply to newgroup or by email, both are fine)
    >> >--
    >> >Stephen Kellett
    >> >Object Media Limited http://www.objmedia.demon.co.uk/software.html
    >> >Computer Consultancy, Software Development
    >> >Windows C++, Java, Assembler, Performance Analysis, Troubleshooting
    >> >
    >> >

     
    James Cribbs, Oct 4, 2006
    #12
  13. Joe Regular

    Joe Regular Guest

    Hi Francis,

    Thanks, it turns out that my previous fix was only temporary, which made
    me realize that this actually is a problem with DNS, since it was
    probably caching the host lookups and that is why it works for a little
    while.

    I can not do a dig when the firewall is active (just hangs). However, my
    external DNS servers appear to be IPs on my private network and it looks
    like there is a rule in my config to allow all traffic/protocols across
    eth0 (private NIC), so I am not sure what is going on. I also have port 53
    open to tcp/udp on both devices.

    Thanks again for all your help.

    Thanks,
    Kris




    Francis Cianfrocca wrote:
    > On 10/4/06, Joe Regular <> wrote:
    >>
    >> Not sure what is going on with this thread but hopefully this post makes
    >> it to the correct location...
    >>
    >> I checked the logs and all it says is basically that NET::HTTP cannot
    >> resolve the host, so there isn't enough information to figure out
    >> exactly why the connection is failing. I will give the SYN flag a try
    >> and also look into understanding iptables on my own without the KISS
    >> script. Thanks again for your help.

    >
    >
    > There you go, that's good information. You need to look at how the
    > server is doing DNS. DNS works on port 53, usually by UDP (which rules
    > out an interaction with TCP packet flags like SYN and ACK), but also
    > occasionally by TCP. Additionally, you need to make sure that
    > /etc/resolv.conf looks proper, and that you have routes (through eth1)
    > and firewall rules (port 53 outbound udp/tcp) to your DNS servers. Since
    > you're using iptables, you're also probably using Linux. Make sure that
    > dig is installed on the box, and then try to run dig against the
    > hostnames of your external HTTP servers. That should give you a lot of
    > useful information. Additionally, go back and try Net::HTTP with raw IP
    > addresses instead of hostnames. If that works, then you've confirmed
    > it's a DNS problem.
    >
    > For what it's worth, I work with highly-secure perimeter-facing
    > installations all the time - my company makes remote access appliances.
    > DNS misconfiguration (especially when split-horizon is involved) is one
    > of the biggest problems I see on a daily basis. Right up there with bad
    > cabling ("Of course we checked the cables!"), dead switch ports ("No, we
    > didn't change anything else in the DC"), and missing routes to LDAP
    > servers ("but I can ping that server from everywhere else!").



     
    Joe Regular, Oct 4, 2006
    #13
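An added diagnostic that follows the advice quoted above (my own code, not from the thread or from Ruby's Net::HTTP): it resolves the name, connects to the resolved address, then sends the request to the raw IP with a Host header, and reports which stage failed so the right firewall rule can be checked. The hint text and the injectable resolver/connector/fetcher hooks are my own choices; the defaults use the real network.

```ruby
require 'net/http'
require 'resolv'
require 'socket'
require 'timeout'

# Stage 1: name lookup. Needs udp/tcp 53 out to the servers listed in
# /etc/resolv.conf, a route to them, and RELATED,ESTABLISHED back in.
# Stage 2: TCP handshake to the resolved address. Needs the OUTPUT rule
# for the destination port (ephemeral source port, NEW state).
# Stage 3: the request itself, sent to the raw IP with a Host header,
# which is what "try Net::HTTP with raw IP addresses" amounts to.
# resolver/connector/fetcher are injectable (my addition) so the logic
# can be exercised without network access.
def diagnose_http(host, port: 80, timeout: 5,
                  resolver: ->(h) { Resolv.getaddress(h) },
                  connector: ->(ip, p, t) { Socket.tcp(ip, p, connect_timeout: t).close },
                  fetcher: ->(ip, p, h, t) { http_head(ip, p, h, t) })
  ip = begin
    resolver.call(host)
  rescue Resolv::ResolvError, SocketError => e
    # Covers both "no address" and a resolver timeout (dig "just hangs").
    return { stage: :dns, ok: false, detail: e.message }
  end

  begin
    connector.call(ip, port, timeout)
  rescue SystemCallError, Timeout::Error => e
    return { stage: :connect, ok: false, ip: ip, detail: e.message }
  end

  begin
    code = fetcher.call(ip, port, host, timeout)
  rescue SystemCallError, Timeout::Error, IOError, Net::ProtocolError => e
    return { stage: :http, ok: false, ip: ip, detail: e.message }
  end
  { stage: :http, ok: true, ip: ip, status: code }
end

# HEAD / against the raw IP; the Host header keeps name-based virtual
# hosting on the far end working even though DNS was bypassed.
def http_head(ip, port, host, timeout)
  Net::HTTP.start(ip, port, open_timeout: timeout, read_timeout: timeout) do |http|
    http.head('/', 'Host' => host).code
  end
end

# Which part of the firewall config to look at for each failing stage.
HINTS = {
  dns:     'lookup failed: check port 53 out to the resolvers in /etc/resolv.conf',
  connect: 'lookup ok but TCP connect failed: check the OUTPUT rule for this port',
  http:    'TCP connect ok but HTTP failed: the firewall is not the culprit'
}.freeze

def explain(result)
  return "ok: HTTP #{result[:status]} from #{result[:ip]}" if result[:ok]
  "#{result[:stage]}: #{HINTS[result[:stage]]} (#{result[:detail]})"
end

# Usage against a real target: puts explain(diagnose_http('www.example.com'))
```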
  14. Joe Regular

    Joe Regular Guest

    I believe this rule should enable me to reach the DNS servers from eth0
    since PRIV_IFACE is set to eth0. Do you see anything wrong with it?

    ##############################################################################
    #
    # To define your private network, use the PRIV_IFACE configuration
    # variable above.
    #
    # We allow all traffic in and out of the private network
    if [ ! "$PRIV_IFACE" == ""]; then
    $IPTABLES -A INPUT -s 0/0 -e $PRIV_IFACE -d $PRIVATE_IP -p ALL -j ACCEPT
    fi



    Francis Cianfrocca wrote:
    >
    > I think I remember seeing a rule that inhibited outbound connections of
    > any kind except from the public interface (eth1). If your DNS servers
    > are on a different network, then you won't be able to reach them. If
    > dig just hangs, then you know it's a connectivity problem. Do you have
    > any DNS servers you can access (like from your ISP) from your public
    > interface?



     
    Joe Regular, Oct 4, 2006
    #14
  15. Joe Regular

    Joe Regular Guest

    In the output of kiss when it starts I noticed there appears to be an
    error.

    "/usr/sbin/kiss: line 341: [: eth0: unary operator expected"

    Line 341:
    > if [ ! "$PRIV_IFACE" == ""]; then
    > $IPTABLES -A INPUT -s 0/0 -e $PRIV_IFACE -d $PRIVATE_IP -p ALL -j ACCEPT
    > fi


    I will have to brush up on my shell scripting syntax to see what is wrong
    with the comparison, but hopefully that does the trick!

    Thanks


    Joe Regular wrote:
    > I believe this rule should enable me to reach the DNS servers from eth0
    > since PRIV_IFACE is set to eth0. Do you see anything wrong with it?
    >
    > ##############################################################################
    > #
    > # To define your private network, use the PRIV_IFACE configuration
    > # variable above.
    > #
    > # We allow all traffic in and out of the private network
    > if [ ! "$PRIV_IFACE" == ""]; then
    > $IPTABLES -A INPUT -s 0/0 -e $PRIV_IFACE -d $PRIVATE_IP -p ALL -j ACCEPT
    > fi
    >
    >
    >
    > Francis Cianfrocca wrote:
    >>
    >> I think I remember seeing a rule that inhibited outbound connections of
    >> any kind except from the public interface (eth1). If your DNS servers
    >> are on a different network, then you won't be able to reach them. If
    >> dig just hangs, then you know it's a connectivity problem. Do you have
    >> any DNS servers you can access (like from your ISP) from your public
    >> interface?



     
    Joe Regular, Oct 4, 2006
    #15
