Re: Port forwarding with Ipmasq and DSA-389-1
On Sun, Sep 21, 2003 at 08:48:19PM +0000, Tom Goulet (UID0) wrote:
> On Sat, Sep 20, 2003 at 06:05:01PM -0400, Matt Zimmerman wrote:
> > Subject: [SECURITY] [DSA-389-1] New ipmasq packages fix insecure
> > packet filtering rules
>
> | #$IPTABLES -A FORWARD -o $i -i ${j%%:*} -d $IPOFIF/$NMOFIF -j ACCEPT
> | $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> This broke the port forwarding rules I have. I don't know what I'm
> doing, but now the forwarding rules I have in <rules/F10portfw.rul>
> don't help me (and if I reverse the comment above, things work again).
> | $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $EXTIP --dport 515 \
> | -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> | $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 515 \
> | -j DNAT --to $PRINTERIP:515
>
> What should I do to get port forwarding working with this security fix
> intact? Perhaps you only need to add "NEW" to the above state line?
>
> Please give me CCs, because I am not subscribed.
I'm not certain about the order in which these files are processed, but your
rules look OK and I would not expect them to have broken after the update.
Maybe there is a DROP rule somewhere between the first set of rules you
quoted and the second which is refusing the packets now?
--
- mdz
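The following is an added example, not code from the thread or from the ipmasq package. It is a small Python model of how netfilter walks the two chains involved here: nat/PREROUTING first (where the DNAT rewrites the destination), then filter/FORWARD, first match wins. The interface names and addresses bound to $EXTIF, $INTIF, $EXTIP and $PRINTERIP are constructed placeholders. Two things fall out of running it: a FORWARD rule written with "-d $EXTIP" is compared against the packet after DNAT, so it never matches the forwarded connection and the NEW packet falls through to the chain policy (the RELATED,ESTABLISHED rule only admits replies); and any DROP placed ahead of the accept rule shadows it, which is the ordering problem suggested above.

```python
import ipaddress
import shlex

# Constructed placeholder bindings for the shell variables in the quoted
# rules; no interface name or address here comes from the thread.
VARS = {
    "EXTIF": "eth0", "INTIF": "eth1",
    "EXTIP": "198.51.100.10", "PRINTERIP": "192.168.1.20",
}

# Options this toy model understands; anything else ("-m state") is skipped.
_OPTS = {"-A": "chain", "-t": "table", "-i": "in", "-o": "out", "-p": "proto",
         "-d": "dst", "--dport": "dport", "-j": "target", "--to": "to",
         "--state": "states"}


def parse_rule(cmd):
    """Parse one '$IPTABLES -A CHAIN ...' line into a rule dict."""
    for name, val in VARS.items():
        cmd = cmd.replace("$" + name, val)
    toks = shlex.split(cmd)
    rule = {"table": "filter"}          # iptables defaults to the filter table
    i = 0
    while i < len(toks):
        key = _OPTS.get(toks[i])
        if key is None:                 # '$IPTABLES', '-m', 'state', ...
            i += 1
            continue
        val = toks[i + 1]
        i += 2
        if key == "dst":
            val = ipaddress.ip_network(val, strict=False)   # host or net/mask
        elif key == "dport":
            val = int(val)
        elif key == "to":
            host, port = val.rsplit(":", 1)
            val = (host, int(port))
        elif key == "states":
            val = set(val.split(","))
        rule[key] = val
    return rule


def matches(rule, pkt):
    """Every match option present on the rule must agree with the packet."""
    for key in ("in", "out", "proto", "dport"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if "states" in rule and pkt["state"] not in rule["states"]:
        return False
    return True


def run_chain(rules, table, chain, pkt, policy):
    """First matching rule wins; returns (target, 1-based index, rule)."""
    n = 0
    for rule in rules:
        if rule["table"] != table or rule["chain"] != chain:
            continue
        n += 1
        if matches(rule, pkt):
            return rule["target"], n, rule
    return policy, None, None


def forward(cmds, pkt, policy="DROP"):
    """Walk nat/PREROUTING (DNAT rewrites the destination), then filter/FORWARD.
    Returns (verdict, destination as seen by FORWARD, index of the FORWARD rule
    that decided, or None when the chain policy applied)."""
    rules = [parse_rule(c) for c in cmds if not c.lstrip().startswith("#")]
    pkt = dict(pkt)
    target, _, rule = run_chain(rules, "nat", "PREROUTING", pkt, "ACCEPT")
    if target == "DNAT":
        pkt["dst"], pkt["dport"] = rule["to"]
    verdict, idx, _ = run_chain(rules, "filter", "FORWARD", pkt, policy)
    return verdict, pkt["dst"], idx


STATE_RULE = "$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
DNAT_RULE = ("$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 515 "
             "-j DNAT --to $PRINTERIP:515")
# As posted: the FORWARD accept is keyed on $EXTIP, the pre-DNAT destination.
POSTED = [STATE_RULE,
          "$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $EXTIP --dport 515 "
          "-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT", DNAT_RULE]
# Keyed on the translated destination that FORWARD actually sees.
FIXED = [STATE_RULE,
         "$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $PRINTERIP --dport 515 "
         "-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT", DNAT_RULE]
# The ordering hypothesis: a DROP earlier in the chain shadows the accept.
SHADOWED = [FIXED[0], "$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j DROP"] + FIXED[1:]

# Constructed inbound SYN from the Internet to port 515 on $EXTIP.
SYN = {"in": "eth0", "out": "eth1", "proto": "tcp",
       "dst": VARS["EXTIP"], "dport": 515, "state": "NEW"}

if __name__ == "__main__":
    for name, ruleset in (("posted", POSTED), ("fixed", FIXED),
                          ("shadowed", SHADOWED)):
        print(name, forward(ruleset, SYN))
```

The same walk can be reproduced on a real box with `iptables -t nat -L PREROUTING -v -n --line-numbers` and `iptables -L FORWARD -v -n --line-numbers`: the packet and byte counters show which rule is actually consuming the traffic, which is the quickest way to find a DROP sitting ahead of the accept.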