
Re: Port forwarding with Ipmasq and DSA-389-1



On Sun, Sep 21, 2003 at 08:48:19PM +0000, Tom Goulet (UID0) wrote:

> On Sat, Sep 20, 2003 at 06:05:01PM -0400, Matt Zimmerman wrote:
> > Subject: [SECURITY] [DSA-389-1] New ipmasq packages fix insecure
> > packet filtering rules
> 
> | #$IPTABLES -A FORWARD -o $i -i ${j%%:*} -d $IPOFIF/$NMOFIF -j ACCEPT
> | $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> This broke the port forwarding rules I have.  I don't know what I'm
> doing, but now the forwarding rules I have in <rules/F10portfw.rul>
> don't help me (and if I reverse the comment above, things work again). 
> | $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $EXTIP --dport 515 \
> |         -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> | $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 515 \
> |         -j DNAT --to $PRINTERIP:515
> 
> What should I do to get port forwarding working with this security fix
> intact?  Perhaps you only need to add "NEW" to the above state line?
> 
> Please give me CCs, because I am not subscribed.

I'm not certain about the order in which these files are processed, but your
rules look OK and I would not expect them to have broken after the update.

Maybe there is a DROP rule somewhere between the first set of rules you
quoted and the second which is refusing the packets now?

-- 
 - mdz
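As an added illustration of the ordering point mdz raises (example code, not from the thread, from ipmasq or from Debian): a minimal first-match walk over a FORWARD chain written in iptables-save syntax. The interface names, the printer address and the intervening DROP rule are constructed for the example.

```python
"""First-match walk of a FORWARD chain: the first matching terminating rule wins."""
import shlex

def parse_rule(line):
    """Collect the match options and target from one '-A FORWARD ...' line."""
    toks = shlex.split(line)
    rule = {"states": None}
    i = 0
    while i < len(toks):
        if toks[i] in ("-i", "-o", "-p", "-d", "--dport", "-j"):
            rule[toks[i]] = toks[i + 1]
            i += 2
        elif toks[i] == "--state":
            rule["states"] = set(toks[i + 1].split(","))
            i += 2
        else:
            i += 1  # '-A', the chain name, '-m state' etc. carry no match here
    return rule

def matches(rule, pkt):
    """True when every option present on the rule agrees with the packet.
    Addresses are compared literally; CIDR masks are not evaluated."""
    for opt, field in (("-i", "in"), ("-o", "out"), ("-p", "proto"),
                       ("-d", "dst"), ("--dport", "dport")):
        if opt in rule and rule[opt] != pkt[field]:
            return False
    return rule["states"] is None or pkt["state"] in rule["states"]

def first_verdict(chain, pkt):
    """Return (1-based rule number, target) of the first terminating hit,
    or (None, 'policy') when the chain policy decides."""
    for n, line in enumerate(chain, 1):
        rule = parse_rule(line)
        if matches(rule, pkt) and rule.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return n, rule["-j"]
    return None, "policy"

# Constructed chain: the DSA-389-1 style RELATED,ESTABLISHED ACCEPT, then a DROP
# for new connections from the outside, then the port-515 forwarding ACCEPT.
FORWARD = [
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -i eth0 -m state --state NEW -j DROP",
    "-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.20 --dport 515 "
    "-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT",
]
# Constructed packet: the first SYN of a print job. FORWARD is evaluated after
# PREROUTING DNAT, so the destination is already the printer's address.
NEW_LPD = {"in": "eth0", "out": "eth1", "proto": "tcp",
           "dst": "192.168.1.20", "dport": "515", "state": "NEW"}
```

With the chain as constructed, `first_verdict(FORWARD, NEW_LPD)` stops at rule 2 with DROP; delete that rule and the same packet reaches the port-515 ACCEPT.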
