I was playing with iptables and set up this simple firewall and now i can't start up gnome. it just halts after the nvidia sign. i can still start up gnome with root though. once i flush the rules i can start up gnome with my normal user account. weird. here's my firewall file. any ideas as to what's wrong?


#!/bin/bash


# Load required modules, checks if already loaded, if not load module

# Test if ip_tables module is loaded, not likely at boot time
if [ -z "`lsmod|grep ip_tables`" ];
then
modprobe ip_tables
fi

# Test if iptable_conntrack module is loaded, not likely at boot time
if [ -z "`lsmod|grep ip_conntrack`" ];
then
modprobe ip_conntrack
fi

# Test if iptable_nat module is loaded, not likely at boot time
if [ -z "`lsmod|grep iptable_nat`" ];
then
modprobe iptable_nat
fi

# Test if ipt_MASQUERADE module is loaded, not likely at boot time
if [ -z "`lsmod|grep ipt_MASQUERADE`" ];
then
modprobe ipt_MASQUERADE
fi

# Test if iptable_filter is loaded, not likely at boot time
if [ -z "`lsmod|grep iptable_filter`" ];
then
modprobe iptable_filter
fi

# Then flush all rules
iptables -F
iptables -t nat -F


iptables -A INPUT -p tcp --syn -s 192.168.0.1/24 --destination-port telnet -j ACCEPT

iptables -A INPUT -p tcp --syn -s 192.168.0.100/24 --destination-port 80 -j ACCEPT

iptables -A INPUT -p tcp --syn -j DROP

did you try restarting your box without the script loading?

I cant imagine why that script would prevent gnome from starting...

how are you autoloading it?

Originally posted by dale10:
<STRONG>
iptables -A INPUT -p tcp --syn -s 192.168.0.1/24 --destination-port telnet -j ACCEPT
</STRONG>

are you sure you want to allow that?

If you just want to telnet to the box via YOUR network add -i eth0

cuz with that setup anyone can telnet in...

*edit*

...if a 3117 sKript kIddie spoofed their IP to be a 192.168.*.* ip address...

[ 03 December 2001: Message edited by: ralph wiggum ]

Thanks for the telnet tip. That was temporary anyway. I don't plan on leaving it there, I was just testing it over the LAN. If I remove the script it boots fine. Currently I have it symbolicly linked as S99firewall into the rc.d directory on boot up. This is weird, I can't imagine what's causing the hold up either.

very weird. I dont know alot about RC stuff and the whole numbering scheme, but is there another S99... file? If so that may be a problem. duplicate S99 files...

try loading it from the rc.local script (I believe its the last file loaded...)

iptables -A INPUT -p tcp --syn -j DROP

that's the line that's causing the problem. This is such a weird problem. Anyone else get this problem before?

Originally posted by ralph wiggum:
<STRONG>very weird. I dont know alot about RC stuff and the whole numbering scheme, but is there another S99... file? If so that may be a problem. duplicate S99 files...

try loading it from the rc.local script (I believe its the last file loaded...)</STRONG>

I'm about 95% sure that duplicate S99 files would not be a problem.

well, the problem seems to be only with one account. all the others work fine, which is really strange.

oh well.
so how do i star the script in rc.local?
do i just plop /etc/rc.d/rc.firewall in there somewhere?

well, i found out that if i add
-i ppp0
to that line i can start up gnome.

this is the weirdest, unexplainable problem i've ever had. It only affects 1 user, all others can start gnome fine. oh well, i doubt anyone else will ever have this problem, but if someone does, i hope this will help.

ok, so the problem is actually caused by the sound server. i GUESS because iptables drops tcp connections i suppose it drops whatever the sound server sends to itself????? does that make sense? well, i do know that if i disable the sound server i can start up gnome without any problems, but if it's enabled it freezes at start up.

So what does the sound server send out? how can i make my iptables firewall accept it?